Cyber Security Requirements for V-CIP under IFSCA AML/KYC Rules

Cyber Security Now Mandatory for V-CIP in GIFT IFSC: IFSCA’s October 2025 AML/KYC Amendment Explained

Introduction: A Major Compliance Shift for IFSC Regulated Entities

The International Financial Services Centres Authority (IFSCA) continues to strengthen the regulatory framework governing entities operating in GIFT IFSC, Gandhinagar, with the objective of ensuring global standards of financial integrity, investor protection, and technological resilience. One of the most significant recent developments is the circular issued on 31 October 2025 modifying the IFSCA (AML, CFT and KYC) Guidelines, 2022.

This amendment fundamentally changes the compliance landscape by mandating that all Video-based Customer Identification Process (V-CIP) infrastructure must comply with the IFSCA Cyber Security and Cyber Resilience Guidelines issued on 10 March 2025.

This means that V-CIP is no longer just an AML and KYC compliance function—it is now also a cyber security, IT governance, and regulatory audit function.

This change reflects the regulator’s recognition of increasing cyber risks, digital identity fraud, and deepfake-based impersonation threats in financial services. It also aligns IFSC with global financial centres such as Singapore, Dubai, and London, where cyber resilience is an integral part of customer onboarding compliance.

For IFSC regulated entities, this amendment introduces critical new responsibilities and requires immediate evaluation of existing digital onboarding systems.

What is V-CIP and Why it is Critical for IFSC Entities

The Video-based Customer Identification Process (V-CIP) is a digital onboarding mechanism that allows financial institutions to verify the identity of customers through secure live video interaction instead of physical presence.

Under the V-CIP framework, customer identification is conducted through real-time video verification, document validation, facial recognition, and liveness detection, enabling entities to onboard clients remotely while maintaining regulatory compliance.

This process plays a vital role in the IFSC ecosystem, particularly for entities serving global clients, including:

  • Broker Dealers
  • Fund Management Entities
  • Investment Advisors
  • Global Access Providers
  • FinTech and TechFin service providers

The primary objective of V-CIP is to facilitate seamless global onboarding while ensuring compliance with anti-money laundering and counter-terrorist financing requirements.

V-CIP enables IFSC entities to operate as fully digital financial institutions, allowing them to onboard international clients efficiently without geographical constraints. This is especially critical for IFSC entities targeting foreign investors, global institutions, and cross-border clients.

However, since V-CIP relies entirely on digital infrastructure, it also exposes institutions to cyber risks, data breaches, identity fraud, and system compromise, making cyber security an essential regulatory concern.

Major Amendment: Cyber Security Compliance Now Mandatory for V-CIP

The October 2025 amendment introduces a crucial regulatory requirement: all V-CIP infrastructure must comply with the IFSCA Cyber Security and Cyber Resilience Guidelines issued on 10 March 2025.

This represents a significant shift in regulatory expectations.

Previously, V-CIP was primarily governed under AML and KYC compliance requirements. However, under the revised framework, V-CIP is now treated as a critical cyber-sensitive system.

This means that IFSC regulated entities must ensure that their V-CIP systems are designed, implemented, and operated in accordance with prescribed cyber security standards.

This includes compliance with requirements relating to:

  • System security architecture
  • Access control and authentication
  • Encryption and data protection
  • Monitoring and incident management
  • Cyber security audit and testing

The regulatory intent behind this amendment is clear.

Financial regulators globally are increasingly concerned about sophisticated fraud techniques, including identity theft, impersonation attacks, and deepfake technologies that can bypass traditional verification methods.

By linking V-CIP compliance with cyber security requirements, IFSCA aims to ensure that digital onboarding systems are secure, reliable, and resistant to cyber threats.

This amendment effectively elevates cyber security from an operational function to a regulatory compliance requirement.

Mandatory Cyber Security Controls for V-CIP Systems

To comply with the revised regulatory framework, IFSC entities must implement robust cyber security controls across multiple areas of their V-CIP infrastructure.

Infrastructure Security

V-CIP systems must operate on secure and controlled infrastructure.

This includes:

  • Secure servers and hosting environments
  • Restricted system access based on defined roles and responsibilities
  • Strong authentication mechanisms
  • Protection against unauthorized access

Entities must maintain a comprehensive inventory of systems involved in the V-CIP process and ensure that appropriate security controls are implemented.

Vulnerability Assessment and Penetration Testing (VAPT) and Cyber Audit

One of the most critical requirements is periodic cyber security testing.

Entities must conduct:

  • Vulnerability Assessment to identify weaknesses in systems
  • Penetration Testing to evaluate system resilience against cyber attacks

These assessments must be conducted by qualified cyber security professionals, preferably CERT-In empanelled auditors.

Cyber security audits are essential to ensure that V-CIP systems remain secure and compliant with regulatory requirements.

These audits help identify security gaps and provide recommendations for strengthening cyber resilience.

Data Protection and Storage Requirements

V-CIP involves collection and storage of sensitive customer data, including video recordings and identification documents.

Therefore, entities must ensure:

  • Secure storage of customer data
  • Protection against data leakage and unauthorized access
  • Integrity and confidentiality of stored information

Entities must also maintain audit logs and system records to demonstrate compliance during regulatory inspections.

Protection Against Identity Fraud and Impersonation

Given the increasing use of artificial intelligence-based impersonation techniques, regulators require institutions to implement safeguards against identity fraud.

This includes:

  • Liveness detection technology
  • Facial recognition and matching
  • Real-time identity verification

These controls help ensure that the person undergoing V-CIP verification is genuine and not a fraudulent or manipulated identity.

Infrastructure Ownership and Outsourcing Responsibilities

Many IFSC entities use third-party technology vendors to provide V-CIP infrastructure.

However, the October 2025 amendment makes it clear that outsourcing does not reduce regulatory responsibility.

Even if the V-CIP process is outsourced, the regulated entity remains fully responsible for ensuring compliance with cyber security requirements.

This means entities must:

  • Conduct due diligence before selecting vendors
  • Ensure vendors follow regulatory cyber security standards
  • Monitor vendor performance and security controls
  • Include cyber security obligations in service agreements

Entities must also ensure that customer data remains secure and under appropriate control.

Regulators will hold the regulated entity accountable for any cyber security failure, regardless of whether the system is operated internally or outsourced.

Audit, Reporting and Compliance Obligations

With the introduction of mandatory cyber security compliance, audit and reporting obligations have become significantly more important.

IFSC entities must ensure that their V-CIP systems are subject to regular cyber security audits and testing.

This includes:

  • Periodic cyber security audit
  • Vulnerability testing
  • Maintenance of audit logs
  • Documentation of system controls

These records must be maintained and made available during regulatory inspections.

Failure to comply with cyber security requirements may result in regulatory action, including:

  • Penalties
  • Compliance directions
  • Restrictions on business operations

Therefore, cyber security compliance is now an essential part of regulatory compliance for IFSC entities.

Conclusion: Cyber Security is Now a Core Regulatory Requirement for IFSC Entities

The October 2025 amendment to the IFSCA AML, CFT and KYC Guidelines marks a major shift in the regulatory approach to digital onboarding in GIFT IFSC.

By mandating compliance with cyber security guidelines for V-CIP infrastructure, the regulator has made it clear that cyber resilience is no longer optional—it is a regulatory necessity.

This change reflects the evolving nature of financial services, where digital systems form the backbone of business operations.

Cyber security is now directly linked to regulatory compliance, operational continuity, and institutional credibility.

IFSC entities must therefore adopt a proactive approach to cyber security compliance by:

  • Evaluating their existing V-CIP systems
  • Conducting cyber security assessments
  • Strengthening IT governance
  • Ensuring audit readiness

Entities that implement robust cyber security frameworks will not only meet regulatory requirements but also enhance client trust and operational resilience.

As IFSC continues to position itself as a global financial hub, adherence to cyber security standards will play a critical role in maintaining its reputation as a secure and reliable international financial centre.

FAQs

  1. Is cyber security compliance mandatory for V-CIP in IFSC?

    Yes. As per the IFSCA circular dated 31 October 2025, all V-CIP systems must comply with the IFSCA Cyber Security Guidelines issued on 10 March 2025.

  2. Can V-CIP be outsourced to third-party vendors?

    Yes, but the regulated entity remains fully responsible for compliance with cyber security requirements.

  3. Is a cyber security audit required for V-CIP systems?

    Yes. Entities must conduct periodic cyber security audits and vulnerability assessments.

  4. What happens if an entity does not comply?

    Non-compliance may result in regulatory action, penalties, or operational restrictions.

  5. Why has IFSCA linked cyber security with V-CIP?

    To prevent identity fraud, protect customer data, and ensure secure digital onboarding.
