TL;DR: SEBI-regulated stockbrokers must complete In-Person Verification (IPV) for every new account. Video-based IPV has become the dominant compliant method, but it is not identical to "Video KYC" as used in banking contexts. This guide explains the regulatory framework, the operational distinction between Video KYC and IPV, end-to-end onboarding architecture, audit requirements, and build-versus-buy decisions, written for compliance officers, CTOs, and product leads at Indian broking platforms.
Introduction
Regulatory scrutiny of investor onboarding in India has intensified since SEBI's mandate for uniform KYC standards across the securities ecosystem. For stockbrokers, the stakes are high: a failed audit, KRA rejection, or SEBI inspection finding can result in account suspensions, penalties, and reputational damage that takes years to repair.
Yet many compliance and product teams conflate two separate regulatory constructs, Video KYC and video-based IPV, and build systems that satisfy neither fully. This guide resolves that ambiguity and maps the path to a SEBI video KYC stockbrokers compliance architecture that survives regulatory scrutiny.
Whether you are building a new digital broking platform or retrofitting video verification into a legacy onboarding flow, the frameworks and checklists in this guide apply directly.
SEBI regulatory background
What governs KYC for stockbrokers?
The Securities and Exchange Board of India (SEBI) is the statutory regulator for securities markets in India. SEBI's KYC requirements for brokers derive from several overlapping instruments:
SEBI KYC Registration Agency (KRA) Regulations, 2011 established a centralised KYC infrastructure for the securities market. Under this framework, KYC Registration Agencies (KRAs): KRAs are SEBI-registered entities that store and validate KYC records submitted by market intermediaries. The five recognised KRAs are CAMS KRA, CVL KRA, NDML KRA, DOTEX KRA, and Karvy KRA.
Central KYC (CKYC): CKYC is a centralised repository of KYC records managed by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI). A 14-digit CKYC identifier is issued to investors who have completed KYC through any regulated financial institution. Stockbrokers can perform a CKYC lookup to retrieve existing KYC data and reduce re-verification burden.
In-Person Verification (IPV): IPV is the process by which a SEBI-registered intermediary, or an authorised representative, physically verifies the original documents of a KYC applicant. SEBI has permitted video-based IPV as a substitute for physical IPV under specific conditions. This is the central mechanism governing what most broking platforms implement as "Video KYC."
Prevention of Money Laundering Act (PMLA), 2002 applies to all market intermediaries. Stockbrokers are classified as reporting entities under PMLA and must comply with its Customer Due Diligence (CDD) and record-keeping obligations in conjunction with SEBI's KYC norms.
Note: SEBI issues periodic circulars updating KYC norms and IPV requirements. Specific circular references should be verified with your compliance counsel against the latest SEBI Master Circular on KYC norms for securities markets, as these are updated regularly. Do not rely solely on this article for circular-level compliance.
Video KYC vs IPV the critical distinction
This is the most consequential conceptual error in broking platform compliance. The terms are used interchangeably in casual discourse but refer to different regulatory constructs with different legal bases.
| Aspect | Video KYC (RBI V-CIP) | Video-based IPV (SEBI framework) |
|---|---|---|
| Regulatory basis | RBI Master Direction on KYC, 2016 (as amended) | SEBI KYC circulars, KRA regulations |
| Applicable entities | Banks, NBFCs, Payment System Providers | SEBI-registered intermediaries including stockbrokers, mutual fund distributors |
| Legal equivalence | Equivalent to full KYC; replaces branch visit entirely | Equivalent to physical IPV; still requires upstream KYC/CKYC records |
| Document requirement | Live capture of PAN + Aadhaar OTP + face match | Live verification of original KYC documents on screen; face match to PAN/Aadhaar photo |
| Agent requirement | Trained bank/NBFC officer | Authorised person of the intermediary (SEBI-registered) |
| Risk level if misconfigured | KYC invalidated by RBI; account freezing | IPV deemed incomplete; KRA rejection; SEBI enforcement |
| Geo/time metadata | Mandatory | Mandatory |
| Recording storage | Mandatory, minimum 5 years | Mandatory, aligned with PMLA retention norms |
The critical point for stockbrokers: You are operating under the SEBI framework, not RBI's V-CIP. Your video session constitutes video-based IPV. The KYC record itself must already exist or be created in parallel through CKYC/KRA. The video session validates the person against that record it does not replace the record.
How SEBI-compliant onboarding works
End-to-end onboarding flow
The onboarding flow for a SEBI-compliant digital broking platform operates in six sequential stages:
Stage 1: Authentication and PAN capture The investor logs in via mobile OTP. PAN is captured and validated against the Income Tax PAN database via NSDL or UTI APIs. An invalid or mismatched PAN halts onboarding immediately.
Stage 2: CKYC/KRA lookup Using the validated PAN, the system performs a CKYC lookup through the CERSAI API. If a CKYC identifier exists, stored KYC data (name, date of birth, address, photo) is fetched and pre-populated. A KRA lookup may be performed simultaneously to check for an existing KRA-validated record.
Stage 3: Aadhaar-based eKYC (where applicable) If no CKYC record exists, or if additional validation is required, Aadhaar OTP-based eKYC may be performed via UIDAI's authentication APIs or through DigiLocker. Note that Aadhaar use for KYC purposes must comply with the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act and UIDAI regulations, including restrictions on storing Aadhaar numbers. This step adds identity data but still requires IPV.
Stage 4: Video IPV session This is the compliance core of the process. A live, real-time video session is initiated between the investor and an authorised person of the stockbroker. The investor must:
- Be visible on screen throughout the session
- Hold up original KYC documents (PAN card, address proof) for camera capture
- Read a randomly generated code displayed on screen (liveness check)
- Confirm personal details verbally or via screen interaction
The authorised person must verify the documents on screen and confirm face-match to the stored photo. The session is recorded end-to-end.
Stage 5: Compliance review and KRA upload Completed sessions enter a compliance review queue. The compliance officer or an AI-assisted pre-screening tool reviews flagged sessions. On approval, the KYC record is submitted to the designated KRA. The KRA assigns a KYC reference number, which is linked to the investor's account.
Stage 6: Trading account activation Only after KRA confirmation is the trading account activated. Activation without completed KRA submission is a compliance violation.
Architecture and infrastructure for video IPV
Real-time video layer
WebRTC: WebRTC (Web Real-Time Communication) is an open standard and browser-native protocol that enables peer-to-peer audio, video, and data transmission without plugins. It is the foundational transport layer for real-time video IPV sessions in broking platforms.
A production-grade video IPV infrastructure must address:
Session reliability Video sessions must handle variable network conditions across Tier 2 and Tier 3 Indian cities, where investors may be onboarding on 4G connections with fluctuating bandwidth. Adaptive bitrate encoding, fallback to lower resolutions, and automatic reconnection on network drop are baseline requirements not optional enhancements.
Liveness verification SEBI-aligned IPV requires that the session be provably live. Technical implementations include: randomised OTP codes displayed on screen for the investor to read aloud, blink detection, or head-movement prompts. Static image replay attacks must be detectable.
Concurrent session scaling A growing broking platform may run hundreds of simultaneous IPV sessions during peak hours market open, salary credit days, or promotional campaigns. The video infrastructure must scale horizontally without degrading session quality or recording completeness. Agent allocation systems must match session queues to available authorised persons in real time.
Recording pipeline Every video IPV session must be recorded end-to-end. The recording pipeline must:
- Capture both the investor stream and the agent stream
- Store in a tamper-evident format (checksum or hash on file write)
- Attach session metadata at the point of creation, not post-processing
- Confirm successful recording before the session is marked complete
Failure to record whether due to a server crash, network interruption, or pipeline bug invalidates the IPV session. The system must detect recording failures in real time and require session restart.
Latency expectations End-to-end latency for real-time IPV sessions should stay below 200ms for a conversational experience. Latency above 400ms introduces agent-investor dialogue friction that can increase session abandonment and incomplete verifications.
Failure recovery The session state investor ID, documents captured, agent actions taken must be persisted independently of the video stream. If a session drops mid-flow, the investor should be able to resume from a defined recovery point rather than restart entirely. Full restart requirements increase abandonment rates substantially.
VideoSDK provides real-time video APIs, session handling, and recording capabilities that can serve as the real-time infrastructure layer for video IPV systems. When evaluating infrastructure options, verify that the provider's recording and session reliability documentation matches your compliance storage and audit requirements.
Agent dashboard requirements
The authorised person conducting IPV needs a purpose-built dashboard that:
- Displays the live investor video feed and the document capture feed simultaneously
- Provides a structured checklist of verification steps (face match, document check, liveness code confirmation)
- Logs each agent action with a timestamp
- Allows the agent to flag sessions for compliance review without approving them
- Restricts agent access to sessions based on their authorisation scope
Audit and record-keeping requirements
Session recording requirements Every video IPV session must be recorded in full. Recordings must capture both the investor and agent streams. Partial recordings where only one stream is captured, or where recording began after session start are non-compliant.
Storage duration PMLA regulations require records to be maintained for a minimum of five years from the date of cessation of the business relationship, or from the date of the transaction, whichever is later. For ongoing account relationships, this effectively means records must be accessible throughout the account's active life plus five years. Internal legal counsel should define the precise retention schedule applicable to your entity.
Tamper-proof logs Recordings must be stored using high-grade encryption and in a tamper-evident manner. At minimum, a cryptographic hash (SHA-256 or equivalent) of the recording file must be generated at the time of write and stored separately. Any post-storage modification of the recording file will produce a hash mismatch detectable during audit.
Geo-tagging and timestamping Each session record must include:
- The investor's device geo-coordinates at session initiation (where available and consented to)
- UTC timestamps for session start, each document capture event, agent action, and session end
- The IP address of both the investor's device and the agent's workstation
- The unique session identifier linking the recording to the KYC record
Audit access Audit retrieval must be role-based. Only designated compliance officers and authorised SEBI/KRA auditors should be able to retrieve session recordings. Every retrieval must itself be logged who accessed, when, and for which session to create a complete chain of custody.
Build vs buy vs hybrid decision framework for video IPV
| Factor | Build | Buy | Hybrid |
|---|---|---|---|
| Time to compliance | 6–18 months | 4–12 weeks | 8–20 weeks |
| Upfront cost | High (infra + engineering) | Low to medium (SaaS) | Medium |
| Ongoing cost | Infra + maintenance | Per-session or subscription | Mixed |
| Customisation | Full | Limited to provider config | Partial |
| Regulatory audit ownership | Fully yours | Shared with provider | Shared for infra, yours for compliance layer |
| Scaling complexity | High | Managed by provider | Depends on split |
| Recording ownership | Full control | Varies by provider contract | Must verify contractually |
| Recommended for | Large platforms with 100k+ monthly onboardings and dedicated infra teams | Early-stage and mid-size brokers prioritising speed | Brokers with existing onboarding systems needing a real-time video layer |
Recommendation: Most mid-size brokers should adopt a hybrid model using a real-time video infrastructure provider for the WebRTC layer, session handling, and recording pipeline, while owning the compliance logic, agent dashboard, KRA integration, and audit storage internally. This separates the infrastructure scaling problem from the compliance ownership problem.
SEBI video KYC compliance checklist
| Requirement | Description | Applies to | Risk if ignored |
|---|---|---|---|
| PAN validation before video session | PAN must be validated against NSDL/UTI before IPV initiation | All brokers | Invalid KYC; KRA rejection |
| CKYC lookup | Check CERSAI for existing CKYC record using validated PAN | All brokers | Duplicate KYC; PMLA audit finding |
| Live video session with authorised person | Session must be with a SEBI-registered intermediary's authorised employee, not a third party | All brokers | IPV invalidated |
| Liveness verification | Randomised on-screen code or equivalent technical liveness check | All brokers | Session replay attacks; IPV deemed incomplete |
| Original document display on camera | PAN card + address proof shown on live feed; not uploaded scan | All brokers | Non-compliant IPV |
| Agent face-match confirmation | Agent must confirm investor face matches CKYC/PAN photo | All brokers | Identity verification failure |
| End-to-end session recording | Both streams recorded from session start to end | All brokers | PMLA audit failure; SEBI penalty |
| Tamper-proof storage | Recording stored with cryptographic hash; hash stored separately | All brokers | Evidence integrity challenged in enforcement |
| Geo-tag and timestamp metadata | Investor device geo-coordinates + UTC timestamps for all events | All brokers | Audit record incomplete |
| KRA upload before account activation | KYC record submitted to designated KRA; reference number received before activation | All brokers | Account opened without valid KYC; SEBI enforcement |
| Minimum 5-year record retention | Recordings and metadata accessible for PMLA-mandated duration | All brokers | PMLA violation |
| Role-based audit access with access logging | Only authorised roles can retrieve recordings; all retrievals logged | All brokers | Chain of custody broken |
| Aadhaar eKYC compliance | If Aadhaar authentication used, comply with UIDAI API terms and data restrictions | Brokers using Aadhaar | UIDAI violation; PMLA finding |
| Agent session capacity management | Authorised persons not overloaded beyond verifiable throughput | All brokers | Session quality degradation; incomplete verifications |
Common compliance mistakes in video IPV implementation
Mistake 1: Using a third-party vendor's staff as the IPV agent SEBI's IPV requirements specify that verification must be conducted by an authorised person of the intermediary meaning an employee or authorised representative of your SEBI-registered entity. Outsourcing the IPV agent role to a technology vendor's staff without ensuring they are formally authorised under your intermediary registration is a compliance gap that will surface in a KRA audit.
Mistake 2: Activating accounts before KRA confirmation Some platforms activate trading accounts upon compliance officer approval of the video session, before the KRA submission is processed and a reference number is returned. This creates a window sometimes 24–48 hours during which the investor can trade without a valid KRA-acknowledged KYC record. SEBI has issued observations on this gap in prior inspection reports.
Mistake 3: Recording pipeline treated as a secondary system When the recording pipeline fails due to server load, network error, or software bug some platforms continue the session and mark it complete, intending to retroactively recover what was captured. A session without a confirmed end-to-end recording is not a complete IPV. Systems must detect recording failure in real time and halt session completion.
Mistake 4: Storing only the video recording, not the metadata A recording without associated metadata session ID, investor PAN, agent ID, timestamps, geo-coordinates, recording hash is effectively unauditable. Metadata must be written at session time, not reconstructed from logs later. Reconstruction introduces inconsistency risk that undermines the audit trail.
Mistake 5: Conflating SEBI IPV with RBI Video KYC (V-CIP) Platforms that build their system based on RBI's V-CIP framework intended for banks may use incorrect document verification steps, agent qualification criteria, or storage formats. The regulatory basis is different. If your platform also offers banking-adjacent products through a partner, the compliance teams must maintain clear separation between the two regimes.
Key takeaways
- SEBI video KYC for stockbrokers is legally video-based IPV it must be conducted by the intermediary's authorised person and does not replace the underlying CKYC/KRA record; it validates the investor against it.
- The CKYC lookup must occur before or during the video session, not after activating accounts before KRA confirmation is a documented SEBI enforcement risk.
- Recording infrastructure must confirm successful capture before the session is marked complete a partial or failed recording invalidates the IPV.
- PMLA requires a minimum five-year record retention; metadata (geo-coordinates, timestamps, agent actions, recording hash) is as legally significant as the recording itself.
- Most mid-size brokers achieve fastest time-to-compliance through a hybrid model: third-party video infrastructure for the real-time layer, internal ownership for compliance logic, KRA integration, and audit storage.
FAQ
What is the difference between SEBI video KYC and RBI Video KYC?
SEBI video KYC (video-based IPV) applies to SEBI-registered intermediaries such as stockbrokers and mutual fund distributors. RBI Video KYC, formally called Video-based Customer Identification Process (V-CIP), applies to banks and NBFCs regulated by the Reserve Bank of India. The agent qualification standards, document requirements, regulatory circulars, and storage obligations differ between the two frameworks. Stockbrokers must follow SEBI's IPV framework, not RBI's V-CIP.
Does a CKYC record eliminate the need for video IPV?
No. An existing CKYC record reduces data collection effort by allowing pre-population of KYC details, but it does not eliminate the IPV requirement. SEBI mandates that IPV be conducted for every new account regardless of whether the investor has a CKYC record. The video session verifies that the person in front of the camera is the same person whose record exists in CKYC.
Who qualifies as an authorised person for video IPV?
The authorised person must be an employee or formally designated representative of the SEBI-registered intermediary i.e., your broking entity. They must be identifiable by name and employee ID in the session record. Third-party technology vendor staff do not qualify unless they hold a formal authorisation under your entity's SEBI registration, which requires specific legal structuring.
How long must video IPV recordings be retained?
PMLA regulations require records to be retained for a minimum of five years from the cessation of the business relationship or from the date of the relevant transaction, whichever is later. For active accounts, this is an ongoing obligation. Your compliance counsel should define the precise retention schedule, as SEBI may impose additional norms through circulars.
What happens if a video IPV session fails midway?
A mid-session failure whether due to network drop, device issue, or recording pipeline error means the IPV is incomplete. The system should allow the investor to reschedule and complete a fresh session. The incomplete session record should be retained (with its incomplete status noted) for audit purposes. Do not mark a partial session as complete.
Can an investor complete video IPV on a mobile device?
Yes, provided the mobile application delivers sufficient camera quality (minimum 720p recommended), supports the liveness check mechanism, and can transmit the live video stream to the agent's dashboard without unacceptable latency. The WebRTC stack used in the SDK must handle mobile browser or native app contexts with reliable reconnection on mobile network fluctuations.
What are the consequences of non-compliance with SEBI video KYC requirements?
Consequences can include: rejection of KYC records by KRAs (forcing remediation of affected accounts), SEBI inspection findings that result in formal show-cause notices, monetary penalties under SEBI Act provisions, suspension of broking operations in severe cases, and reputational damage from public enforcement disclosures. PMLA violations carry separate consequences including reporting to the Financial Intelligence Unit (FIU-IND).
Does the video IPV system need to be built in-house?
No. Most brokers use a combination of third-party real-time video infrastructure and internally owned compliance and KRA integration layers. The critical requirement is that your entity owns the compliance output the completed IPV record, KRA submission, and audit trail regardless of which infrastructure layer generated the video session.