The most common question on the RBI's KYC FAQ: what documents do I need to open a bank account? Why has the answer changed four times in six years — from mandatory Aadhaar to voluntary Aadhaar to OTP-based eKYC with limits to video KYC from your phone. Each change was a regulatory decision that reshaped who can access banking and how.
The Short Answer
Why is Aadhaar accepted? Because over a billion Indians are enrolled, making it the most widely held identity document. Yes, you can open a bank account with Aadhaar as your sole identity document. But what kind of account you get depends on how you use it:
| Method | What You Get | Limits | Duration |
|---|---|---|---|
| Aadhaar + biometric at branch | Full KYC account | No limits | Permanent |
| Aadhaar OTP (remote) | Limited account | Rs 1 lakh balance, Rs 2 lakh annual credit | 1 year (then full KYC needed) |
| Aadhaar offline XML via V-CIP | Full KYC account | No limits (after concurrent audit) | Permanent |
| No Aadhaar, no OVD | Small Account | Rs 50,000 balance, Rs 10,000/month withdrawal | 12 months initially |
What Counts as Proof of Identity
The KYC Directions — originally the 2016 Master Direction, now the entity-specific directions issued in November 2025 — define Officially Valid Documents (OVDs):
- Passport
- Driving licence
- Proof of possession of Aadhaar number
- Voter's Identity Card
- NREGA job card
- Letter from National Population Register
Any one of these is sufficient for identity. For address, the same documents work — plus utility bills (not more than 2 months old), property tax receipts, pension payment orders, or employer accommodation letters as "deemed OVDs" (with the condition that a current-address OVD must be submitted within 3 months).
Is Aadhaar Mandatory?
No. The Supreme Court's September 2018 judgment (Puttaswamy v. Union of India) struck down Section 57 of the Aadhaar Act. The May 2019 amendment RBI/2018-19/190 (since withdrawn) made Aadhaar voluntary for KYC:
"Banks have been allowed to carry out Aadhaar authentication of an individual who voluntarily uses his Aadhaar number for identification purpose."
Why the carve-out for DBT? Because Section 7 of the Aadhaar Act specifically authorises Aadhaar authentication for subsidy delivery — the Supreme Court upheld this even while striking down broader mandatory use. The only exception: if you receive Direct Benefit Transfer (DBT) subsidies, Aadhaar authentication may be required under Section 7 of the Aadhaar Act.
The OTP Account Trap
Opening an account via Aadhaar OTP (without visiting a branch) gives you a limited account with a one-year deadline. The 2016 Master Direction — which superseded the earlier 2008 Master Circular on KYC Norms (Recovery Agents engaged by Banks) (since withdrawn) and consolidated the chain from the original 2002 KYC circular RBI/2005-06/116 (since withdrawn) through successive amendments — prescribed:
"Accounts opened using OTP based e-KYC shall not be allowed for more than one year unless identification as per paragraph 16 or V-CIP is carried out."
Why the one-year limit? Because OTP-based authentication is weaker than biometric — the RBI treats it as a temporary bridge to full identification, not a permanent substitute. Miss the one-year deadline and the account freezes until you complete full KYC.
Video KYC: The COVID-Era Solution That Stayed
The January 2020 V-CIP circular enabled video-based onboarding — a live video call with an authorised bank official who verifies your documents on camera. The bank checks your location (geotagging), confirms you're a real person (liveliness check), and verifies your Aadhaar offline XML is no more than 3 days old.
Why did V-CIP succeed where earlier digital methods didn't? Because it combines live human verification with Aadhaar offline XML and geotagging — addressing the impersonation risk that OTP-only authentication couldn't solve. Introduced as a facilitative measure in January 2020, V-CIP became essential during COVID lockdowns. It's now a permanent feature of every bank's entity-specific KYC Direction — carried forward from the 2016 Master Direction amendments into the November 2025 entity-specific directions that superseded the consolidated Master Direction.
What If I Have No Documents at All?
The Small Account framework — codified in the KYC Directions — exists precisely for this. A self-attested photograph plus the bank officer's certification of your signature or thumb impression is enough. But the account comes with hard limits — Rs 50,000 maximum balance, Rs 10,000 per month withdrawals, Rs 1 lakh annual credits.
For Self Help Groups, the rules are even simpler: only the office bearers need full KYC, not all members.
What about frauds in the name of KYC updation?
The RBI has issued repeated public warnings (PR_57244): "The modus operandi for such frauds usually involves customers receiving unsolicited communication via phone calls, SMSes, emails or social media messages, asking them to share certain personal details, account details, OTPs."
The rule is simple: your bank will never ask you to share OTPs, passwords, or account credentials for KYC updation. The periodic updation framework allows self-declaration via email, mobile app, or ATM. If someone contacts you asking for OTPs to "complete your KYC," it's fraud. The KYC FAQ confirms: "Customers should exercise caution with SMS/email links — these may be fraudulent."
And critically: KYC rejection decisions cannot be automated — an authorized bank official must review every rejection personally. If your KYC is rejected by an app without human review, the bank is violating the direction.
The CKYCR Promise
The Central KYC Records Registry — established in 2015 RBI/2015-16/251 — was supposed to make this a one-time exercise. Complete KYC once at any bank, get a KYC Identifier, use it everywhere. The enforcement actions show that banks still struggle with timely CKYCR uploads — but the infrastructure exists, and the 2025 entity-specific KYC Directions mandate it for all regulated entities.
Periodic Updation
KYC is not a one-time event. The RBI requires periodic updates based on your risk category:
- High risk: every 2 years
- Medium risk: every 8 years
- Low risk: every 10 years
Banks must give you advance notice before your updation is due, and send reminders if you don't comply. If you still don't update, the bank may restrict operations on your account — but it cannot close it without due process.
The simplest way to update: a self-declaration via email, mobile app, or ATM saying "no change in my details." For address changes: self-declaration plus the bank verifying within two months. For everything else: V-CIP or a branch visit.
The specific timelines are mandated in the KYC Directions for Commercial Banks (Reserve Bank of India (Commercial Banks – Know You), which state:
"The bank shall adopt a risk-based approach for periodic updation of KYC ensuring that it keeps the information or data collected under CDD is kept up-to-date and relevant, particularly where there is high risk. However, the bank shall carry out periodic updation at least once in every two years for high-risk customers, once in every eight years for medium risk customers and once in every 10 years for low-risk customers from the date of opening of the account."
The clock runs from the date the account was opened -- not from the last updation. A low-risk customer who opened an account in 2015 and never changed any details would have been due for updation by 2025. Missing that deadline does not mean account closure. It means restricted operations -- the bank can freeze debits while keeping credits open, giving the customer time to comply without losing incoming salary or pension deposits.
What if the bank refuses to open your account?
The RBI has addressed this directly. The KYC Directions (Reserve Bank of India (Commercial Banks – Know You) contain a binding instruction on customer acceptance:
"The Customer Acceptance Policy shall not result in denial of a banking / financial facility to members of the general public, especially those who are financially or socially disadvantaged, including the Persons with Disabilities (PwDs). The bank shall not reject an application for onboarding or periodic updation of KYC without application of mind. The officer concerned shall duly record the reason(s) for rejection."
Three things to note. First, the protection is broad -- it covers "members of the general public," not just existing customers. Second, it specifically names financially disadvantaged people and Persons with Disabilities as protected categories. Third, every rejection must be individually reasoned and recorded by a named officer. A branch cannot simply refuse to open your account because you lack a particular document or because you don't meet some informal threshold for "desirable" customers.
If a bank refuses to open your account despite you presenting a valid OVD, the recourse chain is: first, the bank's internal grievance mechanism; second, the RBI Integrated Ombudsman Scheme; third, the RBI's enforcement apparatus. The Jammu and Kashmir Bank penalty (PR_61764, December 2025) demonstrates that the RBI does penalise banks for KYC-related compliance failures -- in that case, Rs 99.30 lakh for multiple violations including failure to maintain face matching technology in V-CIP and failure to escalate rejected complaints to the Internal Ombudsman. The penalty press release stated that the bank "did not send final letters to its customers regarding redressal of their complaints and thereby failed to ensure that customers were made aware of their rights to approach Banking Ombudsman."
The message: banks have obligations not just to follow KYC procedures, but to ensure customers know their rights when those procedures produce a rejection.
Last updated: April 2026