All posts

Understanding IFSCA’s V-CIP for Secure and Compliant Digital Onboarding

FinTech
5 min read
Written by
Nidhi Nerli
Published on
January 29, 2026
Introduction

As GIFT City (Gujarat International Finance Tec-City) evolves into India’s global financial gateway, digital onboarding has become central to how banks, fintechs, brokers and insurers operate in IFSCs. To support this growth without compromising regulatory integrity, the International Financial Services Centres Authority (IFSCA) has laid down detailed requirements for the Video-based Customer Identification Process (V-CIP) under its consolidated AML/CFT/KYC Guidelines, effective 02 January 2026.

V-CIP under IFSCA is not just video KYC. It is a regulated, audit-grade process where technology, human judgment and data governance are equally important. This blog explains the complete V-CIP framework, exactly as prescribed, in a practical and readable format.

Why V-CIP Matters in GIFT IFSC?

In an international financial centre handling cross-border flows, NRIs and global clients, physical onboarding is often impractical. However, weak digital onboarding exposes institutions to fraud, impersonation and regulatory action.

IFSCA’s V-CIP framework enables Regulated Entities to:

  • onboard customers remotely with regulatory confidence,
  • prevent deepfakes and identity fraud,
  • maintain tamper-proof, audit-ready KYC records, and
  • support controlled NRI onboarding while preserving data sovereignty.
Applicability and Accountability

IFSCA V-CIP requirements apply to all Regulated Entities licensed, recognised, registered or authorised by IFSCA, unless specifically exempted.

V-CIP may be operated by:

  • authorised officials of the Regulated Entity,
  • Financial Group entities in India are supervised by a financial regulator, or
  • a KYC Registration Agency (KRA) registered under the IFSCA (KRA) Regulations, 2025, under a formal agreement.

Crucially, even where operations are outsourced, the Regulated Entity retains ultimate responsibility for compliance, data protection and identification outcomes.

Infrastructure, Hosting and Network Controls

IFSCA mandates strict control over V-CIP infrastructure:

  • V-CIP systems must be hosted only within the Regulated Entity, its Financial Group in India, or a registered KRA.
  • All sessions must originate from the secured network domain of the Regulated Entity.
  • Uncontrolled or public endpoints are not permitted.
  • If infrastructure is hosted outside India within a Financial Group setup, IFSCA must be informed.
Encryption, Consent and Tamper-proof Recording

Every V-CIP session must ensure:

  • End-to-end encryption between the customer device and server,
  • explicit and auditable customer consent,
  • tamper-proof geo-tagging and date-time stamping, and
  • video quality sufficient for unequivocal identification.

These controls ensure V-CIP recordings remain defensible during audits and inspections.

IP Address, Geolocation and VPN Restrictions

V-CIP systems must actively block:

  • VPNs,
  • proxy servers, and
  • spoofed IP addresses.

For resident Indian customers, the IP must originate from India.
For NRIs, the IP must originate from India or an IFSCA-permitted jurisdiction only.

Face Liveness, Anti-spoofing and Deepfake Detection

To address modern fraud risks, IFSCA requires:

  • face liveness and spoof-detection technology,
  • high-accuracy face matching, and
  • AI-based anti-deepfake and anti-fraud controls with randomness.

Officials conducting V-CIP must be specifically trained to detect suspicious behaviour and coached responses. Randomised liveness questions are mandatory, and prompted answers are grounds for rejection.

Importantly, liveness checks must be inclusive and must not exclude persons with special needs.

Session Integrity and Call Disruptions

IFSCA also governs how sessions are handled:

  • If a pause does not create multiple video files, a fresh session is not required.
  • In case of call drop or disconnection, a new V-CIP session must be initiated.
  • Systems should avoid unnecessary fragmentation of recordings.
Identification and Verification During V-CIP

During V-CIP, live audio-video, photographs and identity verification must be completed using at least one of the following:

  • Offline Aadhaar XML or Secure QR (not older than 3 working days),
  • CKYCR records using KYC Identifier,
  • valid e-documents of Officially Valid Documents (OVDs), including DigiLocker, or
  • biometric e-KYC, including Aadhaar Face Authentication.

Additional mandatory requirements:

  • PAN or e-PAN image capture,
  • online PAN verification or verification via DigiLocker, and
  • printed copies of e-documents are not acceptable.

The V-CIP process must be completed within 3 working days of obtaining identification information.

Data Ownership, Storage and Privacy

IFSCA draws a clear line on data governance:

  • Ownership of all V-CIP data and recordings must rest with the Regulated Entity or its Financial Group.
  • Cloud providers and third parties must not retain recordings after transfer.
  • Secure storage with searchable metadata and activity logs is mandatory.
  • Aadhaar numbers must be redacted as prescribed.
  • Compliance with the IT Act, Digital Personal Data Protection Act, 2023, and Aadhaar regulations is compulsory.
NRI Onboarding via V-CIP

V-CIP is permitted only for low-risk NRIs residing in the following jurisdictions:

USA, Japan, South Korea, UK (excluding British Overseas Territories), Canada, UAE, Singapore, Australia and the EU (excluding Croatia).

Additionally:

  • Jurisdictions must not be flagged by FATF or the Central Government.
  • Bank account details from the resident jurisdiction must be captured.
  • If address verification is incomplete, the account must remain inactive or debit-frozen until verification.
Audit and Go-live Readiness

Before V-CIP rollout:

  • conduct VA/PT and security audits through CERT-IN empanelled or accredited auditors,
  • close all critical gaps, and
  • ensure concurrent audit before accounts opened through V-CIP are made operational.
Fast-track your client onboarding with Elefint!

Elefint helps Regulated Entities design and implement IFSCA-compliant Digital KYC and V-CIP frameworks that are secure, audit-ready and regulator-aligned.

Our Digital KYC platform is purpose-built to address IFSCA AML/CFT/KYC requirements, enabling institutions to meet compliance timelines while delivering seamless onboarding experiences.

Whether you are setting up V-CIP, reviewing an existing process, or preparing for regulatory audit, Elefint helps transform compliance obligations into operational confidence.

Contact Elefint today to simplify your IFSCA KYC and V-CIP compliance journey.

Official References
  1. IFSCA (AML, CFT and KYC) Guidelines, 2022 – updated as on January 02, 2026
    https://www.ifsca.gov.in/CommonDirect/GetFileView?id=38fea9cc5969551d78bf00e670f52a74&fileName=Approved_Amendatory_Circular_20260105_0655.pdf&TitleName=Legal
  2. Modifications under the International Financial Services Centres Authority (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines, 2022.
    https://www.ifsca.gov.in/CommonDirect/GetFileView?id=47a297ad49aaae8fa365313a9138dd3a&fileName=31_10_2025_Circular___Modifications_under_the_IFSCA__AML_CTF__KYC__Guidelines__2022_20251031_0459.pdf&TitleName=Legal
Share this
Financial technology
Digital transformation
Banking innovation
System architecture
Nidhi Nerli
CTO, Elefint