Important KYC Framework in RBI Prescriptions - Operating Guidelines
Purpose
Banks and financial institutions (FIs) have been advised to follow a certain
customer identification procedure for opening of accounts and to monitor
transactions of a suspicious nature for the purpose of reporting them to the
appropriate authority. These ‘Know Your Customer’ (KYC) guidelines have been revisited in
the context of the recommendations made by the Financial Action Task Force
(FATF) on Anti Money Laundering (AML) standards and on Combating Financing of
Terrorism (CFT). Detailed guidelines based on the recommendations of FATF and
the paper issued on Customer Due Diligence (CDD) for banks by the Basel
Committee on Banking Supervision (BCBS), with suggestions wherever considered
necessary, have been issued. Banks/FIs have been advised to ensure that a
proper policy framework on ‘Know Your Customer’ and Anti-Money Laundering
measures is formulated and put in place with the approval of their Boards.
Application
The instructions contained in the Master Circular are applicable to All India
Financial Institutions, all Scheduled Commercial Banks (including RRBs), Local
Area Banks, all Primary (Urban) Co-operative Banks, and State and Central
Co-operative Banks.
These guidelines are issued under Section 35A of the Banking Regulation Act, 1949 and
Rule 9(14) of the Prevention of Money-Laundering (Maintenance of Records) Rules,
2005. Any contravention thereof or non-compliance shall attract penalties under
the Banking Regulation Act. The objective of KYC/AML/CFT guidelines is to prevent
banks/FIs from being used, intentionally or unintentionally, by criminal
elements for money laundering or terrorist financing activities. KYC procedures
also enable banks/FIs to know/understand their customers and their financial
dealings better and manage their risks prudently.
An obligation has been cast on banking companies,
financial institutions and intermediaries, by the Prevention of Money
Laundering Act, 2002 (Chapter IV), to comply with certain requirements in
regard to maintenance of records of transactions of the prescribed nature and
value, furnishing of information relating to those transactions, and
verification and maintenance of the records of identity of all their clients in
the prescribed manner.
The Prevention of Money Laundering Act (PMLA) 2002 has several key provisions aimed at preventing and controlling money laundering. Some of the essential provisions are discussed below:
- Reporting obligations: The PMLA 2002 imposes
reporting obligations on various entities, including banks, financial
institutions, and intermediaries. These entities are required to maintain
records of transactions, report suspicious transactions to the Financial
Intelligence Unit (FIU), and comply with the KYC (Know Your Customer)
norms.
- Punishment for money laundering: The
PMLA 2002 provides for rigorous imprisonment for a term ranging from three
years to seven years and a fine for committing the offence of money
laundering. The punishment can be increased to ten years if the proceeds
of crime involved are more than one crore rupees.
- Attachment and confiscation of property: The
PMLA 2002 allows for attachment and confiscation of property involved in
money laundering. The attachment can be made at any stage of the
investigation, and the confiscated property can be sold by the
government.
- International cooperation: The
PMLA 2002 provides for international cooperation in the investigation and
prosecution of money laundering offences. The government can enter into
agreements with other countries for mutual legal assistance and exchange
of information.
Officially Valid Documents (OVDs) are those that can be accepted
for establishing the legal name and current address of individuals. Self-attested
copies of the following Officially Valid Documents (duly updated with your current
residence address) are accepted for CDD.
1. Copy of Masked Aadhaar / Virtual ID Card* (mask first 8 digits of Aadhaar Number).
2. Passport.
3. Voter ID Card.
4. Driving License** (both sides).
5. Job Card issued by NREGA & duly signed by an officer of the State Government.
6. Letter issued by the National Population Register containing details of name and address.
* For Aadhaar Card, please mask/black out the first 8 digits of your Aadhaar
number. Only the last four digits should be readable. You can also download the
masked Aadhaar from the official website, https://www.uidai.gov.in, by going to
the home page, clicking on ‘Download Aadhaar’, filling in the required details
and selecting the option given as “Masked Aadhaar”.
** For Driving Licenses issued in states where
it is specifically mentioned that the document cannot be used as address proof,
the same will not be acceptable as an address proof KYC document.
Simplified KYC Measures
Measures taken for simplification:
1. Single document for proof of identity and proof of address
There is now no requirement of
submitting two separate documents for proof of identity and proof of address.
If the officially valid document submitted for opening a bank account has both
the identity and the address of the person, there is no need to submit any other
documentary proof.
Officially valid documents (OVDs)
for KYC purpose include: Passport, driving licence, voters’ ID card, PAN card,
Aadhaar letter issued by UIDAI and Job Card issued by NREGA signed by a State
Government official.
To further ease the process, the
information containing personal details like name, address, age, gender, etc.,
and photographs made available from UIDAI as a result of e-KYC process can also
be treated as an ‘Officially Valid Document’.
2. No separate proof of address is required for current address
Since migrant workers, transferred
employees, etc., often face difficulties while submitting a proof of current
address for opening a bank account, such customers can submit only one proof of
address (either current or permanent) while opening a bank account or while
undergoing periodic updation. If the current address is different from the
address mentioned on the proof of address submitted by the customer, a simple
declaration by her/him about her/his current address would be sufficient.
3. No separate KYC documentation is required while transferring accounts from one branch to another of the same bank
Once KYC is done by one branch of
the bank, it is valid for transfer of the account to any other branch of the
same bank. The customer would be allowed to transfer her/his account from one
branch to another branch without restrictions and on the basis of declaration
of his/her local address for communication.
4. Small Accounts
Those persons who do not have any
of the ‘officially valid documents’ can open ‘small accounts’ with banks. A
‘small account’ can be opened on the basis of a self-attested photograph and
putting her/his signature or thumb print in the presence of an official of the
bank. Such accounts have limitations regarding the aggregate credits (not more
than Rupees one lakh in a year), aggregate withdrawals (not more than Rupees
ten thousand in a month) and balance in the accounts (not more than Rupees
fifty thousand at any point in time). These small accounts would be valid
normally for a period of twelve months. Thereafter, such accounts would be
allowed to continue for a further period of twelve more months, if the account
holder provides a document showing that she/he has applied for any of the
officially valid documents, within twelve months of opening the small account.
5. Relaxation regarding officially valid documents (OVDs) for low risk customers
If a person does not have any of
the ‘officially valid documents’ mentioned above, but is categorised as ‘low
risk’ by the bank, then she/he can open a bank account by submitting any one
of the following documents:
(a) identity card with applicant's
photograph issued by Central/State Government Departments, Statutory/Regulatory
Authorities, Public Sector Undertakings, Scheduled Commercial Banks, and Public
Financial Institutions;
(b) letter issued by a gazetted
officer, with a duly attested photograph of the person.
6. Periodic updation of KYC
Time intervals for periodic
updation of KYC for existing low/medium and high risk customers have been
increased from 5/2 years to 10/8/2 years, respectively.
7. Other relaxations
i. KYC verification of
all the members of Self Help Groups (SHGs) is not required while opening the
savings bank account of the SHG and KYC verification of only the officials of
the SHGs would suffice. Separate KYC verification is needed at the time of
credit linking the SHG [w.e.f. 2019].
ii. Foreign students have
been allowed a time of one month for furnishing the proof of local address.
iii. In case a customer
categorised as low risk is unable to submit the KYC documents due to genuine
reasons, she/he may submit the documents to the bank within a period of six
months from the date of opening account.
8. Transaction
“Transaction” means a purchase,
sale, loan, pledge, gift, transfer, delivery or the arrangement thereof and
includes-
(i) Opening of an account;
(ii) Deposits, withdrawal, exchange or transfer of funds in
whatever currency, whether in cash or by cheque, payment order or other
instruments or by electronic or other non-physical means;
(iii) The use of a safety deposit box or any other form of
safe deposit;
(iv) Entering into any fiduciary relationship;
(v) Any payment made or received in whole or in part of any
contractual or other legal obligation; or
(vi) Establishing or creating a legal person or legal
arrangement.
9. Key Steps in the KYC Process
1. Customer Identification
Businesses collect comprehensive information about their customers, ensuring accuracy and completeness. This step is pivotal in creating a unique customer profile within the organization's database.
2. Document Verification
Customers are required to submit official documents supporting the provided information. This might involve documents like passports, driver's licenses, or utility bills, essentially official papers issued by the government. To confirm their authenticity, businesses often use advanced verification tools.
3. Risk Assessment
KYC also involves assessing the risk level associated with a customer. High-risk customers, such as politically exposed persons (PEPs) or individuals from countries with a high incidence of financial crimes, undergo enhanced due diligence, involving more rigorous scrutiny.
4. Regulatory Compliance
KYC processes are designed to comply with various national and global regulations. Adherence to these regulations ensures that businesses are operating within legal boundaries and helps in preventing money laundering and terrorist financing.
10. Relationship Between KYC and CDD
Risk-Based Approach to KYC
A risk-based approach is about understanding the risks your organization faces
and creating controls for these risks based on prioritizing the damage they can
do. Often used by compliance teams, the approach focuses efforts based on the
level of risk.
Regulators are increasingly turning toward a risk-based approach, as opposed to
prescriptive measures, for many areas of compliance. When it comes to
Anti-Money Laundering (AML), the Financial Action Task Force (FATF), an
inter-governmental body that sets international goals for AML, stated in 2012
that “the risk-based approach (RBA) is central to the effective implementation
of the FATF Recommendations.”
The risk-based approach for KYC offers several advantages to financial institutions and the broader financial ecosystem:
- Resource Allocation: Institutions can allocate their resources more efficiently by
focusing their efforts and investments on high-risk customers, reducing
the burden on low-risk ones.
- Enhanced Effectiveness: By customizing KYC procedures based on risk, institutions
can better detect and prevent financial crimes.
- Improved Customer Experience: Low-risk customers can enjoy a more convenient
onboarding process, while high-risk customers receive the thorough
scrutiny they require.
- Regulatory Compliance: Adhering to the risk-based approach aligns financial
institutions with the latest RBI regulations, reducing the risk of
penalties and legal issues.
Challenges and Considerations
While the risk-based approach offers numerous benefits,
it also presents some challenges:
- Data Accuracy: The accuracy of risk
assessments heavily depends on the quality and availability of data.
Institutions must ensure their data sources are reliable and up-to-date.
- Consistency: Maintaining consistency
in risk categorization and due diligence can be challenging, as it
requires continuous monitoring and adjustment.
- Staff Training: Employees involved in
KYC processes must be adequately trained to apply the risk-based approach
effectively.
In today's digital age, where financial transactions occur at the speed
of light and borders are no barriers, the collaborative efforts of KYC and CDD
are indispensable. By understanding the nuances of KYC and CDD, businesses can
not only navigate the complex landscape of financial regulations but also forge
enduring relationships with their customers, built on a foundation of integrity
and transparency.
The RBI's latest Master Directions said
the risk-based approach for periodic updation of KYC has been amended to be
read as: "REs shall adopt a risk-based approach for periodic updation of
KYC ensuring that the information or data collected under CDD is kept
up-to-date and relevant, particularly where there is high-risk".
It further said the instructions on
opening accounts and monitoring of transactions should be strictly adhered to,
in order to minimise the operations of "Money Mules", which are used
to launder the proceeds of fraud schemes (like phishing and identity theft) by
criminals who gain illegal access to deposit accounts. [Oct 17, 2023]
CDD classification on the basis of Risk of the Customer
Those deemed to carry less risk may be
subject to simplified due diligence; those deemed to carry average risk will be
subject to standard due diligence; and those deemed to carry more risk will
be subject to enhanced due diligence.
Different CDD Levels based on the Profile change of Customer over period of time
1. Basic CDD
Basic CDD is applied to customers categorized as low-risk. These are typically individuals or entities with straightforward financial activities and backgrounds. Basic CDD involves essential identity verification, such as confirming the customer's name, address, and other pertinent details. While the scrutiny is less intensive compared to higher levels of CDD, it still plays a critical role in ensuring the accuracy of customer information.
2. Enhanced CDD
Enhanced CDD comes into play when dealing with customers of moderate risk. This could
include individuals with complex financial transactions, high net worth, or
those from countries with a high incidence of financial crimes. Enhanced CDD
involves a more comprehensive analysis, delving deeper into the customer's
background, transaction patterns, and potential red flags. This level of
scrutiny helps businesses identify and assess any unusual activities, ensuring
that they are promptly investigated.
3. Periodic CDD
Even after the initial KYC process, customer profiles can change over time. Periodic CDD is
crucial for maintaining the accuracy of customer information in the long term.
Businesses conduct regular reviews of customer profiles, ensuring that they
remain up-to-date and reflective of any changes in financial behavior or risk
factors. By periodically revisiting customer profiles, businesses can adapt to
evolving risks and promptly address any discrepancies.
“On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with the RE’s knowledge about the customers, customers’ business and risk profile, and the source of funds / wealth.
“Periodic Updation” means steps taken to ensure that
documents, data or information collected under the CDD process is kept
up-to-date and relevant by undertaking reviews of existing records at
periodicity prescribed by the Reserve Bank of India.
If there is no change in KYC
information, a self-declaration to that effect from the individual customer is
sufficient to complete the re-KYC process. The banks have been advised to
provide facility of such self-declaration to the individual customers through
various non-face-to-face channels such as registered email-id, registered
mobile number, ATMs, digital channels (such as online banking / internet
banking, mobile application), letter, etc., without need for a visit to bank
branch. Further, if there is only a change in address, customers can furnish
revised / updated address through any of these channels after which, the bank
would undertake verification of the declared address within two months.
As the banks are mandated to keep
their records up-to-date and relevant by undertaking periodic reviews and
updations, a fresh KYC process / documentation may have to be undertaken in
certain cases including where the KYC documents available in bank records do
not conform to present list of the Officially Valid Documents (viz., passport,
driving license, proof of possession of Aadhaar number, the Voter's Identity
Card, job card issued by NREGA and letter issued by the National Population
Register) or where the validity of the KYC document submitted earlier may have
expired. In such cases, the banks are required to provide an acknowledgement of
the receipt of the KYC documents / self-declaration submitted by the customer.
Fresh KYC process can be done by
visiting a bank branch, or remotely through a Video based Customer
Identification Process (V-CIP) (wherever the same has been enabled by the
banks), as provided in Section 18 of the Master Direction on KYC.
Individual customers of banks are
encouraged to get more information on the different options available to them
from their bank for (a) completing re-KYC (such as submission of
self-declaration through various non-face–to-face channels mentioned in para
2); OR (b) completing fresh KYC by visiting a bank branch or remotely through
V-CIP.
Customer Verification
Manual verification has long been the mainstay of the banking industry. The only issue
is this method demands the customer’s physical presence. It also involves
inspecting tangible IDs and sifting through stacks of paperwork.
Some institutions even adopted a “hybrid” approach to digital
verification—customers submit photos of themselves, their IDs, and other proofs
of address online. But here’s the catch: they’re then told to “wait x number of
days” for someone at a branch to manually verify their identity from the
submitted photos.
It’s an “almost there” solution that unfortunately bottlenecks onboarding. While it has
merits, like offering a personal touch, it’s often a drawn-out, tedious process
that not only delays access to funds for clients but also defers revenue for
businesses. The dependence on human judgment also introduces the potential for
oversights and inaccuracies.
Enter automatic, or as some might call it, passive verification. This modern approach
harnesses the power of technology to streamline the entire verification
process. Instead of manual scrutiny, systems and algorithms quickly scan,
analyze, and authenticate a customer’s identity.
Not only does this drastically cut down verification time, but it also mitigates the chances
of human-induced errors. With passive verification, banks are better equipped
to deliver a quicker and more reliable verification experience, increasing
accuracy and customer satisfaction.
KYC, a cornerstone in the banking world, primarily
revolves around knowledge-based authentication (KBA). Traditionally, KBA posed
security questions users would have unique answers to. Questions could range
from the name of your first pet to the model of your first car.
However, with the proliferation of social media and
the vast amount of personal information accessible online, the effectiveness of KBA is
being scrutinized. Fraudsters can sometimes mine answers from a user’s digital
footprint. They don’t always have to be who they say they are, making it
crucial for banks to constantly evaluate and refine their security questions
and step up their game to include more secure methods.
Multi-factor authentication (MFA)
MFA, often interchangeably used with Two-Factor
Authentication (2FA), is a game-changer in digital security. It functions on a
simple principle: users must provide two or more verification methods before
being granted access.
This could be something they know (like a
password), something they have (a one-time passcode sent to a mobile device),
or something they are (biometric data). The layered approach significantly
reduces the chances of unauthorized access, even if one of the verification
methods gets compromised.
Biometrics verification
One of the most advanced verification methods,
biometrics, dives deep into an individual’s unique physical characteristics. It
could be the ridges on a fingerprint, an iris pattern, or a face’s
contours.
Facial recognition, especially, has seen a surge in
popularity due to its integration into mobile devices. While biometrics offers
a high level of security, it also sparks discussions about privacy. How is this
sensitive data stored? What happens if there’s a data breach? Such questions
underline the importance of handling biometric data with the utmost care.
Document verification
A method as old as banking itself, ID document verification is
all about validating physical or digital identity documents. These
identification documents, from driver’s license numbers to passports, carry
unique data points that can be cross-referenced for authenticity.
With advancements in AI-driven technologies, this
process can now be automated. Documents are scanned, and data points are
extracted and compared against established databases to guarantee higher
accuracy.
Customer Verification API and SDK
An API, short for application programming interface,
is the silent connector for software components, making real-time data sharing
possible. However, its cloud-based nature means it leans heavily on a constant
internet connection. There’s an alternative with the self-hosted API, offering
more control at the expense of direct management and maintenance.
The SDK, or software development kit, is
a comprehensive developer toolkit. Designed for deep integration into apps, it
offers many features, including the vital ability to operate offline.
Freezing and closure of accounts
(i) In case of
non-compliance of KYC requirements by the customers despite repeated reminders
by banks/FIs, banks/FIs may impose ‘partial freezing’ on such KYC non-compliant
accounts in a phased manner.
(ii) During the
course of such partial freezing, the account holders can revive their accounts
by submitting the KYC documents as per instructions in force.
(iii) While
imposing ‘partial freezing’, banks/FIs have to ensure that the option of
‘partial freezing’ is exercised after giving due notice of three months
initially to the customers to comply with KYC requirements, to be followed by a
reminder giving a further period of three months.
(iv) Thereafter,
banks/FIs may impose ‘partial freezing’ by allowing all credits and disallowing
all debits with the freedom to close the accounts.
(v) If the
accounts are still KYC non-compliant after six months of imposing initial
‘partial freezing’, banks/FIs should disallow all debits and credits from/to the
accounts, thereby rendering them inoperative.
(vi) Further, it
would always be open to the bank/FI to close the account of such customers
after issuing due notice to the customer explaining the reasons for taking such
a decision. Such decisions, however, need to be taken at a reasonably senior
level. In the circumstances when a bank/FI believes that it would no longer be
satisfied about the true identity of the account holder, the bank/FI should
file a Suspicious Transaction Report (STR) with the Financial Intelligence Unit –
India (FIU-IND) under the Department of Revenue, Ministry of Finance, Government of
India.
Happy Reading,