There’s a term that keeps appearing in RBI compliance circulars, payment aggregator directions, and KYC audit checklists — and most people in Indian fintech either gloss over it or quietly assume their current process covers it.
That term is Contact Point Verification. And the gap between what it actually means and how it’s being implemented is wider than most compliance teams would like to admit.
This piece is for risk and compliance professionals at banks, NBFCs, payment aggregators, and fintechs who are trying to understand what contact point verification in banking actually requires — not in theory, but in practice, and under the regulatory expectations that are active right now.
So What Exactly Is Contact Point Verification?
Contact Point Verification — CPV in shorthand — is the process of confirming that a customer or merchant actually exists at the address and phone number they’ve provided, and that those contact details are genuinely theirs.
That sounds deceptively simple. In practice it’s a structured check that involves physically or digitally confirming a residential or business address, validating that a registered phone number is active and belongs to the person in question, and — in more thorough implementations — confirming that a business is operating from the address it claims.
The key word is confirmation. CPV is not the same as collecting contact details. It’s the act of verifying that those details are real, current, and belong to the person they’re supposed to belong to. A customer who provides a cousin’s address to open an account passes document checks. They fail CPV.
Where RBI Mandates It
CPV isn’t a nice-to-have. It’s explicitly required under the RBI’s KYC Master Direction (originally issued in 2016, most recently amended in August 2025) in several specific scenarios that regulated entities need to know cold.
Periodic KYC Address Updates When a customer updates only their postal address during a KYC refresh, the new address must be verified through positive confirmation within two months. The RBI’s direction explicitly lists contact point verification as one of the accepted methods for this confirmation — alongside address-verification letters and deliverables.
Sole Proprietorship Accounts If a sole proprietor cannot furnish two activity-proof documents — a common situation for small business owners who operate informally — a bank may accept just one document. But only if it undertakes CPV to establish that the business genuinely exists and is operating from the declared address. This is one of the most frequently missed requirements in MSME and small business onboarding.
Non-Face-to-Face Account Activation Before a bank allows transactions on a non-face-to-face account, it must confirm the customer’s current address through positive confirmation. CPV is one of the explicitly named methods for meeting this requirement.
Payment Aggregator Merchant Onboarding The RBI’s 2025 Master Directions on Payment Aggregators go further. A streamlined merchant onboarding path exists for smaller merchants — but it explicitly requires PAN verification, an officially valid document, and Contact Point Verification. CPV is hardwired into the simplified track, not the complex one.
Why It Matters More Than It Used To
CPV has always been part of the regulatory framework. What’s changed is the enforcement environment around it.
RBI KYC related enforcement actions have increased significantly since 2023, with several major banks and NBFCs receiving penalties for inadequate periodic KYC and CKYC non-compliance. The direction of travel is clear: the regulator is no longer treating KYC gaps as procedural lapses to be corrected quietly. They’re being treated as compliance failures with financial consequences.
At the same time, the fraud landscape has shifted in ways that make CPV more operationally valuable, not just regulatorily necessary. Address fraud — where a customer or merchant provides a fictitious or misappropriated address — is a consistent feature of mule account networks, lending fraud, and merchant-side payment fraud. A bank or fintech that can demonstrate it ran structured CPV checks isn’t just satisfying an audit requirement. It’s actually catching a category of fraud that pure document verification misses entirely.
The two motivations — compliance and fraud prevention — have converged in a way that makes under-investing in CPV harder to justify than it used to be.
How CPV Actually Gets Done
There are two broad approaches, and most mature institutions use both depending on context.
Field-Based CPV This is the traditional model. A verification agent physically visits the declared address, confirms the customer or business is present there, captures photographic proof, and logs the visit with a timestamp. For high-value accounts, sole proprietorship onboarding, and cases where address discrepancy is suspected, field CPV remains the gold standard. It’s slower and more expensive, but it’s the method most likely to catch a genuinely fabricated address.
Digital CPV This covers a range of checks: IVR calls to the registered number from a known bank number to confirm the customer receives the call at that contact point, OTP dispatch to a mobile number to confirm it’s active and accessible, carrier-level lookups to validate whether a number is active and assigned, and cross-referencing declared addresses against independent datasets like utility records, logistics databases, or government registries.
Digital CPV is faster and scalable, but it has limitations. An active SIM card doesn’t prove address ownership. A successfully delivered OTP confirms the phone is in someone’s hand — not necessarily the right someone’s.
The most defensible compliance posture combines both: digital checks as a first layer that runs at onboarding speed, with field-based verification triggered by risk signals or regulatory requirements that specifically mandate physical confirmation.
The Audit Trail Problem
Here’s the part that gets organisations into trouble even when they’re running CPV checks in some form: documentation.
An RBI inspection doesn’t just ask whether you ran CPV. It asks for evidence. That means timestamped records, carrier-lookup responses, IVR call logs, agent confirmation notes, and a clear link between each check and the customer or merchant record it pertains to.
Organisations that run CPV through manual processes — phone calls logged in a spreadsheet, field visits tracked in a WhatsApp group — may be technically performing the check while being completely unable to demonstrate it to an auditor. The check happened. The evidence didn’t survive in a form that satisfies regulatory scrutiny.
This is why the shift toward structured, API-driven CPV workflows matters beyond operational efficiency. Every verification event needs to be logged, timestamped, and retrievable. That’s not bureaucratic overhead — it’s the difference between a clean inspection and a finding.
What 2026 Compliance Looks Like in Practice
The RBI’s August 2025 KYC amendment introduced Aadhaar Face Authentication as an accepted digital identification method and tightened V-CIP procedural requirements. These changes sit alongside the existing CPV obligations — they don’t replace them.
For regulated entities reviewing their CPV posture in 2026, a few things are worth checking against your current process:
Is CPV being triggered for all the scenarios the Master Direction requires — not just high-risk accounts, but sole proprietorship onboarding, address-only KYC updates, and non-face-to-face account activations?
Is your CPV output producing an auditable trail, or are the results living in a format that won’t survive an inspection?
Are your digital and field CPV methods calibrated to the risk profile of the account type, or are you applying the same thin check to everything?
And critically — is periodic re-verification built into your workflow, or does CPV only happen at onboarding? A customer whose address was verified three years ago and has since moved is a compliance gap, not a completed check.
The Bottom Line
Contact point verification in banking sits at an intersection that most compliance programmes haven’t fully mapped: it’s simultaneously a regulatory requirement, a fraud control, and an audit-visible process that needs to produce evidence, not just outcomes.
The institutions that treat it as a checkbox — something done minimally at onboarding and never revisited — are carrying more exposure than their audit files show.
The ones building structured, documented, risk-calibrated CPV into their KYC workflows aren’t just staying compliant. They’re building the kind of customer and merchant data quality that makes everything downstream — fraud detection, periodic review, AML monitoring — work better.
That’s not a compliance argument. That’s an operations argument. And in 2026, both are pointing the same direction.
Leave a Reply