There’s a compliance conversation happening inside every regulated lending institution right now, and it’s not about whether to do Video KYC — that decision was made years ago. The conversation is about what happens after the call ends.
Specifically: what did you record, where did it go, who can access it, how long does it stay, and can you produce it cleanly if a regulator asks?
These questions sit at the heart of the Video KYC audit trail requirement, and they’re where a surprising number of otherwise well-run institutions are quietly underprepared. The front-end of Video KYC — the customer experience, the agent interface, the liveness check — has received enormous product attention. The back-end — the audit trail, the storage architecture, the retention policy — has often been treated as an IT problem to solve later.
Later has a way of arriving at inconvenient moments.
What RBI Actually Says — And What It Implies
The Reserve Bank of India’s Video-based Customer Identification Process (V-CIP) guidelines, first issued in January 2020 and subsequently clarified through master directions, set out the framework within which regulated entities must operate. The key obligations aren’t buried in footnotes — they’re explicit.
The recording of the Video KYC session must be stored. This includes the full video of the interaction, the live photograph captured during the session, the document images collected (Aadhaar, PAN, and other applicable identity documents), the geolocation data of the customer at the time of the call, and the audit log of the session itself — who conducted it, when, on what device, with what outcome.
On retention, RBI’s master directions on KYC align with PMLA obligations: customer identification records must be maintained for a minimum of five years after the business relationship ends. For a loan customer, that clock typically starts after the loan is closed, not when the KYC was done. In practice, this means Video KYC records for many customers need to be retained for the full loan tenure plus five years — which for a home loan or long-tenure education loan can mean records sitting in storage for fifteen to twenty years.
That’s not a small ask. And it has direct implications for how institutions architect their storage, not just what they put in it.
Breaking Down the Video KYC Audit Trail: What It Must Actually Contain
A compliant Video KYC audit trail isn’t just a video file sitting on a server. It’s a structured evidence package that, taken together, demonstrates that the identification process was conducted correctly, that the customer was who they claimed to be, that the session was live and unmanipulated, and that the agent followed the prescribed process.
The components that need to be captured and stored fall into several distinct categories.
The session recording itself — the full video of the V-CIP interaction, not a compressed or truncated version — is the foundation. RBI expects this to be a clear, complete record of the interaction. Compression that degrades legibility of facial features or document details is a risk: if the recording can’t be used to verify what happened during the session, it doesn’t serve its purpose as evidence.
The live photograph of the customer, captured independently during the session, must be stored separately from the video. This photograph is what gets linked to the customer’s KYC record in the institution’s systems and becomes the reference image for future identity verification.
Document images captured during the session — the Aadhaar XML or masked Aadhaar, PAN, and any other documents collected — need to be stored in a way that preserves legibility and links them unambiguously to the specific session. Chain of custody matters here: a document image that can’t be traced to a specific Video KYC session on a specific date with a specific agent has limited evidentiary value.
Geolocation data of the customer at the time of the call is a required capture. The customer must be within India during the V-CIP session — geolocation is the verification mechanism for this. That data needs to be stored as part of the session record, timestamped and linked.
The session metadata — agent ID, session timestamp, session duration, the platform or system used, the outcome (approved, rejected, referred for review) — forms the audit log layer. This is often where institutions are weakest. The video exists; the document images exist; but the structured log that ties them together into a coherent, searchable record is incomplete or inconsistent.
Consent records also belong in the audit trail. The customer’s explicit consent to the Video KYC process, typically captured at the start of the session, needs to be preserved. If a customer later disputes the process, this is your first line of evidence.
The Storage Architecture Questions That Actually Matter
Once you understand what needs to be stored, the operational questions become specific.
Where does it live? RBI’s data localisation requirements mean customer data — including Video KYC records — must be stored on servers located within India. Cloud storage is permissible, but the data residency requirement isn’t negotiable. Institutions using global cloud providers need to verify that their storage configuration explicitly routes and retains this data within Indian data centres.
Who can access it? The audit trail serves two distinct audiences: internal teams who may need to retrieve records for customer service, dispute resolution, or internal audit purposes; and regulators who may call for records during inspections or investigations. Access controls need to be designed with both in mind — granular enough to prevent unauthorised access, structured enough to enable rapid retrieval when a regulator asks.
How quickly can you produce it? This is the question most institutions haven’t stress-tested. If RBI calls for all Video KYC records for customers onboarded in a specific branch during a specific quarter, how long does it take your team to compile and produce that? If the answer is “we’d have to figure that out,” the storage architecture needs work. Regulators don’t wait long, and the inability to produce records promptly is itself a compliance failure.
Is the integrity of the records verifiable? A stored video file can be altered. A compliant audit trail needs mechanisms — hash verification, tamper-evident logging — that allow you to demonstrate the record hasn’t been modified since it was created. This isn’t hypothetical; it’s the kind of question that comes up in serious regulatory scrutiny.
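One way to make a session record verifiable, shown as an added example (not code from this article or from any V-CIP platform): each component is hashed when the session closes, the manifest that ties the components to one session is sealed with an HMAC, and access events go into a hash-chained log. The component names, the key handling and the sample data are assumptions made for illustration.

```python
import hashlib, hmac, json

REQUIRED = ("video", "live_photo", "documents", "geolocation", "metadata", "consent")
GENESIS = "0" * 64
# Constructed sample data (not real KYC material); names here are hypothetical.
KEY = b"demo-key-held-outside-the-storage-tier"
SAMPLE = {name: f"constructed {name} bytes".encode() for name in REQUIRED}

def _seal(body: dict, key: bytes) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def build_manifest(session_id: str, artifacts: dict, key: bytes) -> dict:
    """Digest every artifact at creation time and seal the manifest with an HMAC."""
    missing = [n for n in REQUIRED if n not in artifacts]
    if missing:
        raise ValueError(f"incomplete evidence package: {missing}")
    body = {"session_id": session_id,
            "digests": {n: hashlib.sha256(artifacts[n]).hexdigest() for n in sorted(artifacts)}}
    return {**body, "seal": _seal(body, key)}

def verify_manifest(manifest: dict, artifacts: dict, key: bytes) -> list:
    """Return a list of problems; an empty list means nothing changed since sealing."""
    body = {"session_id": manifest["session_id"], "digests": manifest["digests"]}
    problems = []
    if not hmac.compare_digest(_seal(body, key), manifest.get("seal", "")):
        problems.append("manifest: seal invalid")
    for name, digest in manifest["digests"].items():
        if name not in artifacts:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(artifacts[name]).hexdigest() != digest:
            problems.append(f"{name}: modified")
    return problems

def append_event(log: list, event: dict) -> None:
    """Tamper-evident log: each entry's hash covers the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    log.append({"event": event, "prev": prev, "hash": digest})

def verify_chain(log: list) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        digest = hashlib.sha256((prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != digest:
            return i
        prev = entry["hash"]
    return -1
```

The seal only proves anything if the HMAC key and the latest chain hash are kept somewhere the storage administrators cannot write to; otherwise someone who alters a file can recompute the digests as well.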
The Five-Year Clock and What It Actually Means Operationally
The five-years-after-relationship-ends retention requirement sounds straightforward until you map it onto a real customer portfolio.
Consider a customer onboarded via Video KYC in 2021 who takes a personal loan and closes it in 2027: those records must be retained until 2032. A business loan customer onboarded in 2022, with a seven-year loan tenure ending in 2029, has records that stay in storage until 2034. An NRI customer may have a relationship that involves multiple products over fifteen years.
Multiply this across tens of thousands of customers and the storage isn’t just a compliance question — it’s an infrastructure and cost management question. Tiered storage strategies, where recent records sit in hot storage for quick retrieval and older records move to cost-efficient cold storage while remaining retrievable within defined SLAs, are how mature institutions manage this without the economics becoming untenable.
The risk to avoid is treating the retention requirement as simply “keep it forever and sort it out later.” Unstructured long-term storage creates its own compliance exposure: records that can’t be found, retrieved, or verified are functionally the same as records that don’t exist.
What Audit Readiness Actually Looks Like
An institution that is genuinely audit-ready on Video KYC doesn’t scramble when a regulator asks for records. It has a defined retrieval process, tested periodically. It knows exactly what is stored, where, in what format, and under what access controls. It can produce a complete session record — video, photographs, documents, geolocation, metadata, consent — as a coherent package, not a collection of files from three different systems.
Getting there isn’t a one-time project. Storage systems change. Products evolve. Regulatory guidance gets updated. The institutions that stay ahead of this treat Video KYC audit trail management as an ongoing operational discipline, not a setup task that gets checked off and forgotten.
The front-end of Video KYC was always the visible part. The audit trail is what regulators actually look at.




