KYC / AMLJune 2026 · 9 min read

KYC Master Direction 2025 — What Changed and What Your NBFC Must Update Now

The RBI Master Direction on KYC was updated in July 2025 — the most significant revision in several years. Changes to customer due diligence, beneficial ownership, re-KYC timelines, CKYC upload obligations, and video KYC now intersect directly with DPDPA's purpose-based consent requirements, creating a compliance design challenge for every NBFC.

Five Key Changes in the July 2025 Update

Beneficial Ownership Threshold

The threshold for identifying beneficial owners in legal entities has been revised. NBFCs must now identify and verify natural persons who ultimately own or control 10% or more of a company (previously 25% in some contexts). This increases the due diligence burden for NBFC customers that are corporate entities — particularly HNI-owned investment companies, group holding structures, and family-controlled businesses.

CKYC Upload Obligations

NBFCs must upload KYC records to the Central KYC Registry (CKYCR) for all new individual customers within 10 days of account opening. For existing customers whose KYC is updated, upload within 10 days of the update. NBFCs that are not currently uploading consistently to CKYC are now in non-compliance.

Video KYC — Expanded Scope and Standards

Video KYC (V-CIP) has been expanded — NBFCs can now use V-CIP for a broader range of customer onboarding scenarios. However, the standards for V-CIP infrastructure have also been tightened: the video and audio quality standards, the AI-based liveness detection requirements, and the auditor verification requirements are all more prescriptive.

Re-KYC Periodicity

Re-KYC timelines have been clarified: High-risk customers — every 2 years. Medium-risk customers — every 8 years. Low-risk customers — every 10 years. NBFCs must have a systematic re-KYC tracking mechanism — relying on ad-hoc processes or customer-initiated updates does not satisfy the obligation.

KYC–DPDPA Intersection

The July 2025 update was designed before DPDPA Rules were finalised, but the Rules notified in November 2025 create a direct tension: KYC data collected under mandatory RBI directions must be handled with purpose-specific consent under DPDPA. The solution is layered consent architecture — mandatory KYC collection is lawful processing, but downstream uses (credit bureau submission, marketing, analytics) each require separate DPDPA-compliant consent.

What Your LOS/LMS Must Now Capture

The 2025 KYC update has direct implications for lending origination systems. The LOS must now capture beneficial ownership information for corporate borrowers at the 10% threshold, trigger CKYC upload within 10 days of account opening, support video KYC workflows that meet the 2025 technical standards, and track re-KYC due dates by customer risk category.

NBFCs whose LOS was configured before July 2025 should conduct a gap assessment against the updated requirements. Most off-the-shelf LOS platforms have not automatically updated to reflect the July 2025 changes — customisation and testing will be required.

Related Articles
DPDPA
DPDPA Rules 2025 — What Banks and NBFCs Must Complete Before November 2026
 DPDPA
DPDPA Consent Management for Digital Lending
 CIC
The 21 RBI Circulars on Credit Information Every NBFC Must Know

Has your KYC programme been updated for the July 2025 changes?

A KYC compliance review will assess your CDD standards, CKYC upload process, V-CIP infrastructure, re-KYC tracking, and DPDPA consent architecture against the 2025 Master Direction.

Book a KYC Compliance Review