June 30, 2026 is eight weeks away. Your compliance team is re-verifying millions of customers. You have deepfake detection on the roadmap, Video KYC in the sprint, and a vendor stack that seems to grow every fortnight.
And your timeline is still at risk. Not from synthetic fraud. From name mismatches, stale Aadhaar records, and CKYC integration gaps that cause legitimate, low-risk customers to fail automated checks and pile into your manual review queue while your deadline window closes.
This is the failure mode most Indian banks discover too late. The industry conversation has fixated on deepfakes and liveness detection. But when you trace where remediation volume actually stalls, the bottleneck is infrastructural, not technological. Your identity data sources do not speak to each other. Until they do, no deepfake tooling will get you to June 30 on time.
Despite increasing compliance spending by up to 10% annually in some advanced markets, the financial industry detects only about 2% of global financial crime flows. The productivity problem and the data fragmentation problem are the same problem. (Interpol, cited by McKinsey, 2025)
The banks hitting the deadline cleanly are not the ones with the best fraud detection stack. They are the ones that diagnosed their data fragmentation problem in week one, not week ten.
Two RBI amendments. Two different problems.
The market keeps treating two recent RBI actions as one. They are not.
The June 30, 2026 deadline comes from RBI's June 2025 circular (RBI/2025-26/51), which amended the KYC Master Direction to extend the periodic re-verification window for low-risk customers. Banks must complete KYC updates within one year of the due date, or by June 30, 2026, whichever is later. The January 1, 2026 systems implementation requirement applied to this circular.
The August 2025 amendment was a separate action, focused entirely on Video KYC. It tightened V-CIP requirements to mandate active deepfake and spoof detection in all video onboarding sessions. Basic face movement prompts are no longer compliant.
These obligations share a regulatory context but they are not the same challenge. The June 30 deadline is a data and operations problem: re-verify millions of existing customers accurately and at speed. The August 2025 V-CIP requirement is a technology problem for a specific onboarding channel used for a specific customer segment.
RBI issued the June 2025 deadline precisely because it had observed what it described as 'large pendency' in periodic KYC updation across the market, specifically flagging Jan Dhan accounts and DBT-linked accounts as the most affected. The problem was already systemic before the deadline was set. The deadline is the response to it, not the cause of it.
The scale of the data problem
To understand why data fragmentation drives remediation delays, start with the numbers that are publicly known.
As of July 2025, 13.05 crore of India's 56.04 crore Jan Dhan accounts were classified as inoperative, roughly 23% of the total. Each inoperative account requires fresh KYC to reactivate. These are not high-risk customers. They are predominantly rural, low-income account holders who have not transacted recently, many of whom receive DBT payments that have been interrupted as a result (Outlook Money, citing PMJDY government data, September 2025).
These 13 crore accounts are not an edge case. They are the core of the June 30 remediation backlog. And the re-verification challenge for each one is the same: identity records that were captured years ago, formatted inconsistently across systems, and have not been kept current.
Over 103 crore individuals are registered with the Central KYC Records Registry (CKYCR). The infrastructure exists. The data quality inside it does not match the verification requirements of today's automated KYC systems.
RBI imposed penalties aggregating to 54.78 crore across 353 regulated entities in FY 2024-25, with violations spanning KYC lapses, exposure reporting failures, and IT framework deficiencies (RBI Annual Report 2024-25). These penalties reached cooperative and regional banks, not just large private institutions. The enforcement posture is broad and it is active.
Three failure modes behind most remediation delays
When Indian bank remediation projects run over, the causes trace to the same structural problems. Understanding each before you start is the difference between a 12-week project and a six-month one.
Name mismatches: legitimate customers failing at the highest volume
A single customer's name appears formatted differently across every identity source you check. Aadhaar follows UIDAI rules: all caps, no special characters. PAN follows ITD rules: title case, special characters permitted. CKYC aggregates from both, inconsistently. State-issued documents follow their own conventions. Your bank's internal CIF may hold yet another variation, entered at a different time by a different system.
These are not typos or fraud signals. They are structural format differences built into India's identity infrastructure. When your KYC system runs rigid string-matching logic across those sources, legitimate customers fail, even when every document belongs to the same person. A customer whose EPF record shows 'Rajiv K Sharma' and whose Aadhaar shows 'Rajeev Kumar Sharma' will be rejected automatically. To the system, they are different people. To any compliance officer looking at both records, they obviously are not.
The Income Tax Department's own guidance acknowledges this directly: even minor name mismatches between Aadhaar and PAN trigger linking failures and require manual correction through separate processes at UIDAI and Protean (Income Tax Department FAQ, UIDAI). At the scale of a mass remediation exercise, every one of those cases becomes a queue item.
Financial institutions globally spend an average of nearly US$73 million per firm annually on AML and KYC operations, yet 70% still lost clients in the past year due to slow and inefficient onboarding (Fenergo Financial Crime Industry Trends 2025, survey of institutions in the UK, US, and Singapore). Format-driven false failures are a direct, fixable driver of that cost.
Stale Aadhaar records: address mismatches that look like risk signals
Aadhaar is the primary identity source for KYC in India. It is also one of the most consistent generators of false flags in periodic re-verification, for a straightforward reason: millions of customers have never updated their Aadhaar record since original issuance.
A customer who moved cities five years ago may still show their old address on Aadhaar. When your KYC check runs and finds the address does not match your internal CIF, it flags the customer for review. The customer has not moved recently and poses no risk. They simply never initiated an Aadhaar address update, a process that was free online until June 2026 and costs 75 rupees offline at a UIDAI enrolment centre (UIDAI, 2025).
The inoperative Jan Dhan account data puts this problem in sharp relief. Many of those 13 crore dormant accounts belong to customers in rural and semi-urban areas who have moved, changed family circumstances, or simply not kept Aadhaar current because no one required them to. RBI directed banks to hold KYC update camps specifically in branches with high pendency, acknowledging the geography of the problem.
Each stale-record failure generates an outreach requirement. A meaningful share of customers will not self-remediate without direct follow-up. Each one that does not becomes a manual review item on top of your core verification load.
CKYC integration gaps: conflicting records across institutions
Central KYC Records (CKYC) was designed to eliminate the need for repeated KYC submission across institutions. In practice, multiple institutions hold conflicting records for the same customer. One bank may have a customer recorded as a sole proprietor while CKYC shows multiple beneficial interests. Under AML law, each institution must verify independently regardless.
CKYC submission failures come from several well-documented sources: data inconsistencies between the form and supporting documents, incorrect formatting, incomplete mandatory fields, and poor document scan quality are the primary causes cited by CKYC automation providers (Manipal Business Solutions, 2025). Without a centralised reconciliation layer, your engineering team ends up rebuilding the same reconciliation logic separately for each use case, burning weeks of development time on infrastructure rather than remediation.
The CERSAI operating guidelines themselves acknowledge that CKYC data requires de-duplication on upload based on demographics, which signals that conflicting records are a known, systemic issue in the registry rather than an edge case.
Where deepfakes actually fit in this picture
V-CIP deepfake detection is a genuine, mandatory requirement. The August 2025 amendment is unambiguous: active spoof and presentation attack detection must be in place for all video onboarding sessions. Basic liveness prompts are not sufficient. If your V-CIP provider has not updated to this standard, you have a compliance gap that needs closing now.
But the customer segment V-CIP applies to is specific. Video KYC is required for high-value product onboarding: lending above 1 lakh, wealth products, full-feature current accounts, insurance above relevant thresholds. The bulk of your June 30 remediation volume is a different population: standard accounts, dormant customers, periodic re-KYC for existing low-risk relationships. Most of them do not go through V-CIP at all.
That is not a reason to deprioritise deepfake compliance. It is a reason to run it as a parallel workstream rather than the primary one. Banks that have collapsed both obligations into a single programme consistently under-resource the data fragmentation side, because deepfake compliance is more visible, easier to explain to a board, and comes with a clear technology vendor to point at.
Your high-value customers need deepfake-proof Video KYC. Your 13 crore dormant and low-risk customers need identity data that resolves cleanly on first pass. These are not the same problem, and treating them as one is why timelines slip.
What an orchestration layer changes
The structural issue is not that your individual KYC controls are weak. Each one was built to answer a specific question accurately. The problem is that they were designed in isolation and stop communicating with each other once a customer clears initial onboarding.
An orchestration layer coordinates the signals those controls produce. For name matching, that means configurable fuzzy matching with field-level confidence thresholds instead of rigid string comparison. The system evaluates name, date of birth, and address signals from Aadhaar, PAN, and CKYC simultaneously, auto-resolves cases where the combined signal is conclusive, and escalates only genuine discrepancies. Your compliance team's attention goes to cases that actually need human judgment, not format mismatches a system should resolve automatically.
For stale Aadhaar records, orchestration connects customer outreach workflows directly to the verification pipeline. A customer who completes a UIDAI update is automatically re-checked and cleared, rather than sitting in a queue waiting for manual follow-up.
For CKYC reconciliation, centralised logic runs once and feeds every downstream process. No more teams rebuilding the same reconciliation code independently.
FrankieOne connects banks to 350+ global KYC and AML data sources through a single API. Banks and fintechs on the platform see an average 15% or greater uplift in pass rates and a 53% reduction in fraud losses. Those improvements come from the same mechanism as the remediation fix: orchestrating the signals that already exist rather than stacking more controls on top of fragmented infrastructure.
How to find your real bottleneck before it finds you
If you are not certain whether data fragmentation or V-CIP compliance is your larger June 30 exposure, the fastest way to find out costs you a few days, not weeks.
Run a pilot batch of 5,000 to 10,000 customers through your current remediation workflow without manual intervention. Track two numbers: your first-pass failure rate, and the failure reason for each case. What proportion is failing on name or address mismatch versus genuine risk signals?
If the majority of failures are data quality issues rather than risk flags, your bottleneck is orchestration and reconciliation. Knowing that in week one gives you time to act. If your first-pass failure rate is low, your constraint is more likely throughput or outreach capacity, a different problem with a different solution.
Either outcome tells you where to focus. Finding out you have a data fragmentation problem in week ten of a twelve-week project is a far more expensive discovery.
Talk to us about your timeline
If your bank is re-verifying one to three million customers before June 30 and you want to understand whether data fragmentation, V-CIP compliance, or throughput is your primary risk, get in touch.
We will walk through your vendor stack, your current failure points, and what an orchestration layer would change for your specific remediation volume and timeline.
Book a call to assess your KYC remediation readiness before the deadline.