Foreign Exchange Companies and AML/CFT

By

 

The legal framework for administration of foreign exchange transactions in India is provided by the Foreign Exchange Management Act, 1999. Under the Foreign Exchange Management Act, 1999 (FEMA), which came into force with effect from June 1, 2000, all transactions involving foreign exchange have been classified either as capital or current account transactions. All transactions undertaken by a resident that do not alter his / her assets or liabilities, including contingent liabilities, outside India are current account transactions.

In terms of Section 5 of the FEMA, persons resident in India1 are free to buy or sell foreign exchange for any current account transaction except for those transactions for which drawal of foreign exchange has been prohibited by Central Government, such as remittance out of lottery winnings; remittance of income from racing/riding, etc. or any other hobby; remittance for purchase of lottery tickets, banned / proscribed magazines, football pools, sweepstakes, etc.; remittance of dividend by any company to which the requirement of dividend balancing is applicable; payment of commission on exports under Rupee State Credit Route except commission up to 10% of invoice value of exports of tea and tobacco; payment of commission on exports made towards equity investment in Joint Ventures / Wholly Owned Subsidiaries abroad of Indian companies; remittance of interest income on funds held in Non-Resident Special Rupee (Account) Scheme and payment related to “call back services” of telephones.

Foreign Exchange Management (Current Account Transactions) Rules, 2000 - Notification [GSR No. 381(E)] dated May 3, 2000 and the revised Schedule III to the Rules as given in the Notification G.S.R. 426(E) dated May 26, 2015 is available in the Official Gazette as well as, as an Annex to our Master Direction on ‘Other Remittance Facilities’ available on RBI  website www.rbi.org.in.


Chapter VI of the Master Direction - Money Changing Activities (Updated as on May 06, 2026) deals with AML/CFT guidelines for Fx Companies.


KYC/ AML/ CFT Guidelines

(i) Authorised Persons, which are regulated by the Department of Regulation, Reserve Bank of India, shall be governed by the respective 'Know Your Customer' directions as applicable to them.

(ii) Authorised Persons, which are not regulated by the Department of Regulation, Reserve Bank of India, shall be governed by 'Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025'.

(iii) Authorised Persons shall ensure compliance of directions, as applicable to them, by their agents/ sub-agents/franchisees.

Master Direction - Money Changing Activities , addressed to All Authorised Persons in Foreign Exchange, RBI/FED/2015-16/17 FED Master Direction No.3/2015-16 dated Jan 1 2016 last updated on May 06, 2026 lays down the guidelines on AML/KYC as follows: 

Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025 (Updated as on December 29, 2025)


In India, the Prevention of Money-Laundering Act, 2002, and the Prevention of Money- Laundering (Maintenance of Records) Rules, 2005, form the legal framework on Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT). The provisions of the PML Act, 2002 and the PML Rules, 2005, as amended from time to time by the Government of India, require Regulated Entities (REs) to follow certain customer identification procedures while undertaking a transaction either by establishing an account-based relationship or otherwise, and to monitor their transactions.

Accordingly, in exercise of the powers conferred by sections 45JA, 45K, and 45L of the Reserve Bank of India Act, 1934, section 10(2) read with section 18 of Payment and Settlement Systems Act 2007 (Act 51 of 2007), section 11(1) of the Foreign Exchange Management Act (FEMA), 1999, section 30A of the National Housing Bank Act, 1987, Rule 9(14) of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, and all other laws enabling the Reserve Bank in this regard, the RBI being satisfied that it is necessary and expedient in the public interest so to do, hereby issues the Directions hereinafter specified.


 These Directions shall be applicable to all categories of Non-Banking Financial Company (hereinafter collectively referred to as 'NBFCs' and individually as an 'NBFC'), for all layers, unless specified otherwise.

Provided that these directions are not applicable for ‘NBFCs not having any customer interface’.

Note: The applicability under these Directions is in line with the regulatory structure for NBFCs as set out in Reserve Bank of India (Non-Banking Financial Companies – Registration, Exemptions and Framework for Scale Based Regulation) Directions, 2025.

These directions shall also apply to those branches and majority-owned subsidiaries of the NBFC which are located abroad, to the extent they are not contradictory to the local laws in the host country, provided that:

(1) where applicable laws and regulations prohibit implementation of these guidelines, the NBFC shall bring the same to the notice of the RBI. The RBI may advise the NBFC to take further necessary action, including application of additional measures to manage the ML / TF risks.

(2) in case there is a variance in KYC / AML standards prescribed by the RBI and the host country regulators, branches / subsidiaries of the NBFC shall adopt the more stringent regulation of the two.

All definitions are same as in that for banks and financial institutions. However, certain items are culled out for ease of reading along with important paragraphs. For a full reading you are directed to the source link


Source:

Master Directions - Reserve Bank of India


(v) ‘Certified Copy’ – The NBFC obtaining the certified copy shall mean comparing the copy of the proof of possession of Aadhaar number (where offline verification cannot be carried out) or the officially valid document produced by the customer with the original, and an authorised officer of the NBFC shall record the comparison on the copy as per the provisions contained in the Act. Provided that in case of Non-Resident Indians (NRIs) and Persons of Indian Origin (PIOs), as defined in Foreign Exchange Management (Deposit) Regulations, 2016 {FEMA 5(R)}, the NBFC may alternatively obtain the original certified copy, certified by any one of the following:

(a) authorised officials of overseas branches of Scheduled Commercial Banks registered in India,

(b) branches of overseas banks with whom Indian banks have relationships,

(c) Notary Public abroad,

(d) Court Magistrate,

(e) Judge,

(f) Indian Embassy / Consulate General in the country where the non-resident customer resides.

 

(xiii) ‘Non-profit organisations (NPO)’ means any entity or organisation, constituted for religious or charitable purposes referred to in clause (15) of section 2 of the Income-tax Act, 1961 (43 of 1961), that is registered as a trust or a society under the Societies Registration Act, 1860 or any similar State legislation or a company registered under section 8 of the Companies Act, 2013 (18 of 2013).

(xiv) ‘Officially Valid Document (OVD)’ means the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card that the Election Commission of India issues, the job card that NREGA issues and an officer of the State Government duly signs, and the letter that the National Population Register issues containing details of name and address.

Provided that,

(a) where the customer submits his proof of possession of Aadhaar number as an OVD, he may submit it in such form that the Unique Identification Authority of India (UIDAI) issues.

(b) When the customer furnishes an OVD that does not have an updated address, the NBFC shall deem the following documents or the equivalent e-documents thereof to be OVDs for the limited purpose of proof of address:-


·         utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);

·         property or Municipal tax receipt;

·         pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;

·         letter of allotment of accommodation from employer that is issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation;

Illustration: If a customer is staying in Chennai but their OVD contains an address in New Delhi, they can open an account in Chennai by submitting a deemed to be OVD for the purpose of proof of address. However, as mentioned below in clause (c), they are required to submit an OVD with current address within a period of three months.

(c) the customer shall submit OVD with current address within a period of three months of submitting the documents specified at (b) above

(d) if the OVD that a foreign national presents does not contain the details of address, the NBFC shall accept documents that Government departments of foreign jurisdictions issue, and a letter that the Foreign Embassy or Mission in India issues, as proof of address.

Explanation: For the purpose of this clause, the NBFC shall deem a document to be an OVD even if there is a change in the name subsequent to its issuance provided that it is supported by a marriage certificate that the State Government issues or a Gazette notification, indicating such a change of name.

(xix) ‘Transaction’ means a purchase, sale, loan, pledge, gift, transfer, delivery or the arrangement thereof and includes:

(a) opening of an account;

(b) deposit, withdrawal, exchange or transfer of funds in whatever currency, whether in cash or by cheque, payment order or other instruments or by electronic or other non-physical means;

(c) the use of a safety deposit box or any other form of safe deposit;

(d) entering into any fiduciary relationship;

(e) any payment made or received, in whole or in part, for any contractual or other legal obligation; or

(f) establishing or creating a legal person or legal arrangement.

 

(xiv) ‘Video based Customer Identification Process (V-CIP)’: an alternative method by which an authorised official of the NBFC conducts customer identification with facial recognition and customer due diligence. This process involves a seamless, secure, live, informed- consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information which the customer furnished, through independent verification and by maintaining an audit trail of the processand the NBFC shall treat such processes complying with prescribed standards and procedures on par with face-to-face CIP for the purpose of these Directions.

Chapter II – General

1) The NBFC shall have a KYC policy. The Board of Directors of the NBFC, or any committee to which the Board has delegated power, shall duly approve the KYC policy.

(2) The KYC policy shall include following four key elements:

(i) Customer Acceptance Policy;

(ii) Risk Management;

(iii) Customer Identification Procedures (CIP); and

(iv) Monitoring of Transactions

(3) The KYC policy shall, inter alia, incorporate provisions for the following:

(i) Periodic updation of KYC

(ii) Any exceptional measures for KYC updation, such as requiring a recent photograph, physical presence, or a more frequent updation schedule than the minimum prescribed.

(iii) Obtaining a copy of OVD or deemed OVD, for the purpose of proof of change of address during KYC updation.

(iv) Providing facility of updation / periodic updation of KYC at any branch.

(v) Change of registered Mobile Number for accounts opened in non-face-to-face mode.

10. Money Laundering and Terrorist Financing Risk Assessment by the NBFC:

(1) The NBFC shall carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercises periodically to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for clients, countries or geographic areas, products, services, transactions or delivery channels, etc.

(2) The assessment process shall consider all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied. While preparing the internal risk assessment, the NBFC shall take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator / supervisor may share with the NBFC from time to time.

(3) The NBFC shall properly document its risk assessment and it shall be proportionate to the nature, size, geographical presence, complexity of activities / structure, etc. of the NBFC. Further, the Board or a committee of the Board to which it has delegated power shall determine the periodicity of the risk assessment exercise, in alignment with the outcome of the risk assessment exercise. However, the NBFC shall review it at least annually.

(4) The NBFC shall present the outcome of the exercise to the Board or any committee of the Board to which the Board has delegated power in this regard. The outcome shall also be made available to competent authorities and self-regulating bodies.

11. The NBFC shall apply a Risk Based Approach (RBA) for mitigation and management of the risks (identified on its own or through national risk assessment) and shall have Board-approved policies, controls and procedures in this regard. The NBFC shall implement a CDD programme, having regard to the ML / TF risks identified and the size of business. Further, the NBFC shall monitor the implementation of the controls and enhance them if necessary.

Chapter III – Customer Acceptance Policy

(9) put in place a suitable system to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanctions lists indicated in Chapter IX of these Directions.

(10) verify the Permanent Account Number (PAN) (if obtained) from the verification facility of the issuing authority.

(11) verify the customer’s digital signature on the equivalent e-document (if obtained) as per the provisions of the Information Technology Act, 2000 (21 of 2000).

(12) verify the Goods and Services Tax (GST) number from the search / verification facility of the issuing authority, where the GST details are available.

18. The Customer Acceptance Policy shall not result in denial of a financial facility to members of the general public, especially those who are financially or socially disadvantaged, including the Persons with Disabilities (PwDs). The NBFC shall not reject an application for onboarding or periodic updation of KYC without application of mind. The officer concerned shall duly record the reason(s) for rejection.

19. Where the NBFC forms a suspicion of money laundering or terrorist financing, and it reasonably believes that performing the CDD process will tip off the customer, it shall not pursue the CDD process and instead file an STR with FIU-IND.

Chapter IV – Risk Management

20. For risk management, the NBFC shall have a risk-based approach which includes the following.

(1) The NBFC shall categorise customers into low, medium, and high-risk categories, based on its assessment and risk perception.

(2) The NBFC may lay down broad principles for the risk-categorisation of customers.

(3) The NBFC shall undertake risk categorisation based on parameters such as the customer’s identity, social / financial status, nature of business activity, and information about the customer’s business and its location, geographical risk covering customers as well as transactions, type of products / services offered, delivery channel used for delivery of products / services, types of transactions undertaken such as cash, cheque / monetary instruments, wire transfers, forex transactions, etc. The NBFC may also factor in the ability to confirm identity documents through online or other services offered by issuing authorities, while considering customer’s identity.

(4) The NBFC shall keep the risk categorisation of a customer and the specific reasons for such categorisation confidential and shall not reveal this information to the customer to avoid tipping off.

Provided that the NBFC collects various other non-intrusive information from different categories of customers relating to the perceived risk and specifies the same in the KYC policy.

Explanation: The NBFC may also use the FATF Public Statement, the reports and guidance notes on KYC / AML issued by the Indian Banks Association (IBA), and other agencies, etc., in its risk assessment.

Chapter V – Customer Identification Procedure (CIP)

21. The NBFC shall undertake identification of customers in the following cases:

(1) Commencement of an account-based relationship with the customer.

(2) Carrying out any international money transfer operations for a person who is not an account holder of the NBFC.

(3) When there is a doubt about the authenticity or adequacy of the customer identification data it has obtained.

(4) Selling third-party products as agents, selling its own products, payment of dues of credit cards / sale and reloading of prepaid / travel cards and any other product for more than ₹50,000.

(5) Carrying out transactions for a non-account-based customer, i.e., a walk-in customer, where the amount involved is equal to or exceeds ₹50,000 whether conducted as a single transaction or several transactions that appear to be connected.

(6) When the NBFC has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of ₹50,000.

(7) The NBFC shall ensure it does not seek introductions while opening accounts.

 

22. For the purpose of verifying the identity of customers at the time of commencement of an account-based relationship or while carrying out an occasional transaction of an amount equal to or exceeding ₹50,000 whether conducted as a single transaction or several transactions that appear to be connected, or any international money transfer operations, the NBFC, shall at its option, rely on customer due diligence done by a third party, subject to the following conditions:

(1) The NBFC obtains the records or information of the customer due diligence carried out by the third party immediately from the third party or from the Central KYC Records Registry.

(2) The NBFC shall take adequate steps to satisfy itself that the third party will make copies of identification data and other relevant documentation relating to the customer due diligence requirements available, upon request, without delay.

(3) A regulator regulates, supervises, or monitors the third party, and the third party has measures in place for compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the PML Act.

(4) The NBFC shall ensure that the third party is not based in a country or jurisdiction assessed as high-risk.

(5) The NBFC will have the ultimate responsibility for customer due diligence and undertaking enhanced due diligence measures, as applicable

Chapter VI – Customer Due Diligence (CDD) Procedure

25. Accounts opened using Aadhaar OTP based e-KYC, in non-face-to-face mode, are subject to the following conditions:

(1) The Customer shall give specific consent for the authentication through OTP.

(2) As a risk-mitigating measure for such accounts, the NBFC shall ensure that it sends transaction alerts, OTP, etc., only to the mobile number of the customer registered with Aadhaar. The NBFC shall have a Board-approved policy delineating a robust process of due diligence for dealing with requests for change of mobile number in such accounts.

(3) The aggregate balance of all the deposit accounts of the customer shall not exceed Rupees One Lakh. In case the balance exceeds the threshold, the NBFC shall cease the account’s operation, until it completes the CDD as mentioned at (6) below.

(4) The aggregate of all credits in a financial year, in all the deposit accounts taken together, shall not exceed Rupees Two Lakh.

(5) As regards borrowal accounts, the NBFC shall sanction only term loans. The aggregate amount of term loans sanctioned shall not exceed ₹60,000 in a year.

(6) The NBFC shall not allow accounts, both deposit and borrowal, opened using OTP based e-KYC to operate for more than one year unless it carries out identification as per paragraph 23 or as per paragraphs 26 and 27 (V-CIP). If the NBFC uses Aadhaar details under paragraph 26 and 27 it shall follow the process in its entirety, including fresh Aadhaar OTP authentication.

(7) If the NBFC does not complete the CDD procedure as mentioned above within a year; (a) in respect of deposit accounts, the NBFC shall close the same immediately, and (b) in respect of borrowal accounts, the NBFC shall allow no further debits.

(8) The NBFC shall obtain declaration from the customer to the effect that no other account has been opened nor will be opened using OTP based KYC in non-face-to-face mode with any other RE. Further, while uploading KYC information to CKYCR, NBFC shall clearly indicate that such accounts are opened using OTP based e-KYC and other REs shall not open accounts based on the KYC information of accounts opened with OTP based e-KYC procedure in non-face- to-face mode.

(9) The NBFC shall have strict monitoring procedures including systems to generate alerts in case of any non-compliance / violation, to ensure compliance with the above-mentioned conditions.

 

E. On-going Due Diligence

39. The NBFC shall undertake ongoing due diligence of customers to ensure that their transactions are consistent with their knowledge about the customers, customers’ business and risk profile, the source of funds / wealth.

40. Without prejudice to the generality of factors that call for close monitoring, the NBFC shall necessarily monitor the following types of transactions:

(1) Large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose.

(2) Transactions which exceed the thresholds prescribed for specific categories of accounts.

(3) High account turnover inconsistent with the size of the balance maintained.

(4) Deposit of third-party cheques, drafts, etc. in the existing and newly opened accounts followed by cash withdrawals for large amounts.

For ongoing due diligence, the NBFC may consider adopting appropriate innovations including artificial intelligence and machine learning (AI and ML) technologies to support effective monitoring.

41. The NBFC shall align the extent of monitoring with the risk category of the customer.

(1) The NBFC shall put in place a system of periodic review of risk categorisation of accounts, with such periodicity being at least once in every six months and shall establish the need for applying enhanced due diligence measures.

(2) The NBFC shall closely monitor the transactions in accounts of marketing firms, especially accounts of Multi-level Marketing (MLM) companies.

Explanation: The NBFC shall subject high-risk accounts to more intensified monitoring.

42. Updation / Periodic Updation of KYC

(1) The NBFC shall adopt a risk-based approach for periodic updation of KYC ensuring that it keeps the information or data collected under CDD is kept up-to-date and relevant, particularly where there is high risk. However, the NBFC shall carry out periodic updation at least once in every two years for high-risk customers, once in every eight years for medium risk customers and once in every 10 years for low-risk customers from the date of opening of the account / last KYC updation. The NBFC shall document its policy in this regard as part of the NBFC’s internal KYC policy duly approved by the Board of Directors of NBFC or any committee of the Board to which power has been delegated.

(2) Notwithstanding the provisions given above, in respect of an individual customer who is categorised as low-risk, the NBFC shall allow all transactions and ensure the updation of KYC within one year of its falling due for KYC or up to June 30, 2026, whichever is later. The NBFC shall subject accounts of such customers to regular monitoring. This shall also apply to low-risk individual customers for whom periodic updation of KYC has already fallen due.

(3) Individuals:

(i) No change in KYC information: In case of no change in the KYC information, the NBFC shall obtain a self-declaration from the customer in this regard through the customer’s email-id registered with the NBFC, customer’s mobile number registered with the NBFC, digital channels (including mobile application of NBFC) letter, etc.

(ii) Change in address: In case of a change only in the address details of the customer, the NBFC shall obtain a self-declaration of the new address from the customer through customer’s email-id registered with the NBFC, customer’s mobile number registered with the NBFC, ATMs, digital channels (including mobile application of NBFC), letter, etc., and shall verify the declared address through positive confirmation within two months, by means such as address verification letter, contact point verification, deliverables, etc.

(iii) Further, the NBFC at its option, may obtain a copy of OVD or deemed OVD, as defined in sub-clause (xiv) of clause (1) of paragraph 5 or the equivalent e-documents thereof, as defined in sub-clause (x) of clause (1) of paragraph 5 for the purpose of proof of address, declared by the customer at the time of updation / periodic updation. However, the NBFC shall clearly specify such requirement, in its internal KYC policy duly approved by the Board of Directors of the NBFC or any committee of the Board to which power has been delegated.

(iv) Accounts of customers, who were minor at the time of opening account, on their becoming major: In case of customers for whom the NBFC opened an account when they were minors, the NBFC shall obtain fresh photographs upon their becoming a major and, at that time, shall ensure that CDD documents as per the current CDD standards are available. Wherever required, the NBFC may carry out fresh KYC of such customers, i.e., customers for whom it opened account when they were minor, upon their becoming a major.

(v) The NBFC may use Aadhaar OTP based e-KYC in non-face-to-face mode for updation / periodic updation. To clarify, conditions stipulated in paragraph 25 are not applicable in case of updation / periodic updation of KYC through Aadhaar OTP based e-KYC in non-face to face mode.

(vi) Declaration of current address, if the current address is different from the address in Aadhaar, shall not require positive confirmation in this case. The NBFC shall ensure that the mobile number for Aadhaar authentication is same as the one available with them in the customer’s profile, in order to prevent any fraud.

(4) Customers other than individuals:

(i) No change in KYC information: In case of no change in the KYC information of the LE customer, the NBFC shall obtain a self-declaration in this regard from the LE customer through its email id registered with the NBFC, ATMs, digital channels (including mobile application of NBFC), letter from an official authorised by the LE in this regard, board resolution, etc. Further, the NBFC shall ensure during this process that Beneficial Ownership (BO) information available with them is accurate and shall update the same, if required, to keep it as up-to-date as possible.

(ii) Change in KYC information: In case of change in KYC information, the NBFC shall undertake the KYC process equivalent to that applicable for onboarding a new LE customer.

(5) Additional measures: In addition to the above, the NBFC shall ensure that:

(i) The NBFC has customer’s KYC document as per the current CDD standards available with it. This is applicable even if there is no change in customer information but the documents available with the NBFC are not as per the current CDD standards. Further, in case the validity of the CDD documents available with the NBFC has expired at the time of periodic updation of KYC, the NBFC shall undertake the KYC process equivalent to that applicable for onboarding a new customer.

(ii) The NBFC verifies the Customer’s PAN details, if available, from the database of the issuing authority at the time of periodic updation of KYC.

(iii) The NBFC provides an acknowledgment to the customer mentioning the date of receipt of the relevant document(s), including self-declaration from the customer, for carrying out updation / periodic updation. Further, the NBFC shall ensure that it promptly updates the information / documents obtained from the customers at the time of updation / periodic updation of KYC in its records / database and provide an intimation, mentioning the date of updation of KYC details, to the customer.

(iv) In order to ensure customer convenience, the NBFC may consider making available the facility of updation / periodic updation of KYC at any branch, in terms of their internal KYC policy duly approved by the Board of Directors of the NBFC or any committee of the Board to which power has been delegated.

(v) The NBFC shall adopt a risk-based approach with respect to periodic updation of KYC. The NBFC shall clearly specify in its internal policy, duly approved by the Board of Directors of the NBFC or any committee of the Board to which power has been delegated, any additional and exceptional measures, it adopts that are not otherwise mandated under the above instructions, such as requirement of obtaining recent photograph, requirement of physical presence of the customer, requirement of periodic updation of KYC only in the branch of the NBFC where account is maintained, a more frequent periodicity of KYC updation than the minimum specified periodicity etc.

(6) The NBFC shall advise the customers that in order to comply with the PML Rules, in case of any update in the documents submitted by the customer at the time of establishment of business relationship / account-based relationship and thereafter, as necessary; customers shall submit to the NBFC the update of such documents. This shall be done within 30 days of the update to the documents for the purpose of updating the records at the NBFC’s end.

(7) Due Notices for Periodic Updation of KYC: The NBFC shall intimate its customers, in advance, to update their KYC. Prior to the due date of periodic updation of KYC, the NBFC shall give at least three advance intimations, including at least one intimation by letter, at appropriate intervals to its customers through available communication options / channels for complying with the requirement of periodic updation of KYC. Subsequent to the due date, the NBFC shall give at least three reminders, including at least one reminder by letter, at appropriate intervals, to such customers who have still not complied with the requirements, despite advance intimations. The letter of intimation / reminder may, inter alia, contain easy-to-understand instructions for updating KYC, escalation mechanism for seeking help, if required, and the consequences, if any, of failure to update their KYC in time. Issue of such advance intimation / reminder shall be duly recorded in the NBFC’s system against each customer for audit trail. The NBFC shall expeditiously implement the same but not later than January 01, 2026.

43. In case of existing customers, the NBFC shall obtain the PAN or equivalent e-document thereof or Form No. 60, by such date which the Central Government may notify, failing which the NBFC shall temporarily cease operations in the account until the customer submits the PAN or equivalent e-documents thereof or Form No. 60.

Provided that before temporarily ceasing operations for an account, the NBFC shall give the customer an accessible notice and a reasonable opportunity to be heard. Further, the NBFC shall include, in its internal policy, appropriate relaxation(s) for continued operation of accounts for customers who are unable to provide PAN or equivalent e-document thereof or Form No. 60 owing to injury, illness or infirmity on account of old age or otherwise, and such like causes. However, the NBFC shall subject such accounts to enhanced monitoring.

Provided further that if a customer having an existing account-based relationship with a NBFC gives in writing to the NBFC that they do not want to submit their PAN or equivalent e-document thereof or Form No. 60, the NBFC shall close the account and all obligations due in relation to the account shall be appropriately settled after establishing the identity of the customer by obtaining the identification documents as applicable to the customer.

Explanation: For the purpose of this paragraph, ‘temporary ceasing of operations’ in relation to an account shall mean the temporary suspension of all transactions or activities in relation to that account by the NBFC till such time the customer complies with the provisions of this paragraph. In case of asset accounts such as loan accounts, for the purpose of ceasing the operation in the account, only credits shall be allowed.

F. Enhanced Due Diligence Procedure

44. Enhanced Due Diligence (EDD) for non-face-to-face customer onboarding (other than customer onboarding in terms of paragraph 25): Non-face-to-face onboarding facilitates the NBFC to establish a relationship with the customer without meeting the customer physically or through V-CIP. Such non-face-to-face modes for the purpose of this paragraph include use of digital channels such as CKYCR, DigiLocker, equivalent e-document, etc., and non- digital modes such as obtaining copy of OVD certified by additional certifying authorities as allowed for NRIs and PIOs. The NBFC shall undertake the following EDD measures for non-face-to-face customer onboarding (other than customer onboarding in terms of paragraph 25):

(1) If the NBFC has introduced the process of V-CIP, it shall provide the same as the first option to the customer for remote onboarding. It is reiterated that the NBFC shall treat processes complying with prescribed standards and procedures for V-CIP on par with face-to-face CIP for the purpose of these Directions.

(2) In order to prevent frauds, alternate mobile numbers shall not be linked post CDD with such accounts for transaction OTP, transaction updates, etc. The NBFC shall permit transactions only from the mobile number used for account opening. The NBFC shall have a Board-approved policy delineating a robust process of due diligence for dealing with requests for change of registered mobile number.

(3) Apart from obtaining the current address proof, the NBFC shall verify the current address through positive confirmation before allowing operations in the account. The NBFC may carry out the positive confirmation by means of such as address verification letter, contact point verification, deliverables, etc.

(4) The NBFC shall obtain PAN from the customer and the PAN shall be verified from the verification facility of the issuing authority.

(5) First transaction in such accounts shall be a credit from existing KYC-complied bank account of the customer.

(6) The NBFC shall categorise such customers as high-risk customers and shall subject accounts opened in non-face-to-face mode to enhanced monitoring until the identity of the customer is verified in face-to-face manner or through V-CIP.

 

45. Accounts of Politically Exposed Persons (PEPs):

(1) The NBFC shall have the option of establishing a relationship with PEPs (whether as customer or beneficial owner) provided that, apart from performing normal customer due diligence:

(i) The NBFC has in place appropriate risk management systems to determine whether the customer or the beneficial owner is a PEP;

(ii) The NBFC shall take reasonable measures for establishing the source of funds / wealth;

(iii) The NBFC shall obtain approval to open an account for a PEP from the senior management;

(iv) The NBFC subjects all such accounts to enhanced monitoring on an on-going basis;

(v) in the event of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, the NBFC obtains the senior management’s approval to continue the business relationship;

(2) These instructions shall also apply to family members or close associates of PEPs.

Explanation: For the purpose of this paragraph, ‘Politically Exposed Persons’ (PEPs) are individuals who are or have been entrusted with prominent public functions by a foreign country, including the Heads of States / Governments, senior politicians, senior government or judicial or military officers, senior executives of state-owned corporations and important political party officials.

46. Client accounts opened by professional intermediaries: The NBFC shall ensure while opening client accounts through professional intermediaries, that:

(1) The NBFC shall identify clients when a professional intermediary opens a client account on behalf of a single client.

(2) The NBFC shall have option to hold 'pooled' accounts managed by professional intermediaries on behalf of entities like mutual funds, pension funds or other types of funds.

(3) The NBFC shall not open accounts of such professional intermediaries who are bound by any client confidentiality which prohibits disclosure of the client details to the NBFC.

(4) The NBFC shall identify all the beneficial owners where intermediaries do not co-mingle funds at the level of the NBFC, and there are 'sub- accounts', each of them attributable to a beneficial owner, or where such funds are co-mingled at the level of the NBFC, the NBFC shall look for the beneficial owners.

(5) The NBFC shall, at their discretion, rely on the CDD done by an intermediary, provided that the intermediary is a regulated and supervised entity and has adequate systems in place to comply with the KYC requirements of the customers.

(6) The ultimate responsibility for knowing the customer lies with the NBFC.

 

Chapter VII – Record Management

47. The NBFC shall take the following steps regarding maintenance, preservation and reporting of customer information, with reference to provisions of PML Act and Rules. The NBFC shall,

(1) maintain all necessary records of transactions between the NBFC and the customer, both domestic and international, for at least five years from the date of transaction;

(2) preserve the records pertaining to the identification of the customers and their addresses, obtained while opening the account and during the course of business relationship, for at least five years after the business relationship has ended;

(3) swiftly make available, the identification records and transaction data to the competent authorities upon request;

(4) introduce a system of maintaining proper records of transactions prescribed under Rule 3 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules, 2005);

(5) maintain all necessary information in respect of transactions prescribed under PML Rule 3 to permit the reconstruction of an individual transaction, including the following:

(i) the nature of the transactions;

(ii) the amount of the transaction and the currency in which it was denominated;

(iii) the date on which the transaction was conducted; and

(iv) the parties to the transaction.

(6) evolve a system for proper maintenance and preservation of account information in a manner that allows the NBFC to retrieve data easily and quickly whenever required or when competent authorities request it;

(7) maintain records of the identity and address of its customers, and records in respect of transactions referred to in Rule 3 in hard or soft format.

Explanation: For the purpose of this paragraph, the expressions ‘records pertaining to the identification’, ‘identification records’, etc., shall include updated records of the identification data, account files, business correspondence, and results of any analysis undertaken.

48. The NBFC shall ensure that in case of customers who are non-profit organisations, the NBFC registers details of such customers on the DARPAN Portal of NITI Aayog. If they are not registered, the NBFC shall register the details on the DARPAN Portal. The NBFC shall also maintain such registration records for a period of five years after the business relationship between the customer and the NBFC has ended or the account has been closed, whichever is later.

 

Chapter VIII – Reporting Requirements to Financial Intelligence Unit – India

49. The NBFC shall furnish to the Director, Financial Intelligence Unit-India (FIU-IND), the information referred to in Rule 3 of the PML (Maintenance of Records) Rules, 2005 in accordance with Rule 7 thereof.

Explanation: In terms of Third Amendment Rules notified September 22, 2015 regarding amendment to sub rule 3 and 4 of rule 7, Director, FIU-IND shall have powers to issue guidelines to the REs for detecting transactions referred to in various clauses of sub-rule (1) of rule 3, to direct them about the form of furnishing information and to specify the procedure and the manner of furnishing information.

50. The NBFC shall take note of the reporting formats and comprehensive reporting format guide, prescribed / released by FIU-IND and Report Generation Utility and Report Validation Utility developed to assist reporting entities in the preparation of prescribed reports. The NBFC which is yet to install / adopt suitable technological tools for extracting CTR / STR from its live transaction data shall make use of the editable electronic utilities to file electronic Cash Transaction Reports (CTR) / Suspicious Transaction Reports (STR) which FIU- IND has placed on its website. The Principal Officer of the NBFC, shall have suitable arrangement to cull out the transaction details from branches which are yet to be computerised and to feed the data into an electronic file with the help of the editable electronic utilities of CTR / STR as have been made available by FIU-IND on its website http://fiuindia.gov.in.

51. When furnishing information to the Director, FIU-IND, a delay of each day in not reporting a transaction or delay of each day in rectifying a mis-represented transaction beyond the time limit as specified in the Rule shall constitute as a separate violation. The NBFC shall not put any restriction on operations in the accounts merely on the basis of the STR filed.

52. The NBFC, its directors, officers, and all employees shall ensure that the fact of maintenance of records referred to in rule 3 of the PML (Maintenance of Records) Rules, 2005, and furnishing of the information to the Director is confidential. However, such confidentiality requirement shall not inhibit sharing of information under paragraph 8 of these Directions of any analysis of transactions and activities which appear unusual, if the NBFC has done any such analysis.

53. To identify and report suspicious transactions effectively, the NBFC shall implement robust software that generates alerts when transactions are inconsistent with a customer's risk categorisation and updated profile.

 

Chapter IX – Requirements / obligations under International Agreements - Communications from International Agencies

54. Obligations under the Unlawful Activities (Prevention) (UAPA) Act, 1967:

55. Obligations under Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act, 2005):

59. Jurisdictions that do not or insufficiently apply the FATF Recommendations:

Chapter-X - Other Instructions

61. Secrecy Obligations and Sharing of Information:

(1) The NBFC shall maintain secrecy regarding the customer information that arises out of the contractual relationship between the NBFC and the customer.

(2) The NBFC shall treat information collected from customers for the purpose of opening of account as confidential and shall not divulge details thereof for the purpose of cross-selling, or for any other purpose without the express permission of the customer.

(3) While considering the requests for data / information from Government and other agencies, the NBFC shall satisfy itself that the information being sought is not of such a nature as will violate the provisions of the laws relating to secrecy in the transactions.

(4) The exceptions to the said rule shall be as under:

(i) Where disclosure is under compulsion of law,

(ii) Where there is a duty to the public to disclose,

(iii) Where the interest of the NBFC requires disclosure, and

(iv) Where the disclosure is made with the express or implied consent of the customer.

62. Compliance with the provisions of Foreign Contribution (Regulation) Act, 2010: The NBFC shall ensure adherence to the provisions of Foreign Contribution (Regulation) Act, 2010, and Rules made thereunder. Further, the NBFC shall also ensure meticulous compliance with any instructions / communications on the matter issued from time to time by the RBI based on advice received from the Ministry of Home Affairs, Government of India.

63. CDD Procedure and sharing KYC information with Central KYC Records Registry (CKYCR)

(1) In terms of provision of Rule 9(1A) of the PML Rules, the NBFC shall capture customer’s KYC records and upload onto CKYCR within 10 days of commencement of an account-based relationship with the customer.

(2) Operational Guidelines for uploading the KYC data have been released by CERSAI.

(3) The NBFC shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, as per the KYC templates prepared for ‘Individuals’ and ‘Legal Entities’ (LEs), as the case may be. The templates may be revised from time to time, as may be required and released by CERSAI.

(4) The ‘live run’ of the CKYCR started from July 15, 2016 in phased manner beginning with new ‘individual accounts’. NBFC shall upload the KYC data pertaining to all new individual accounts opened on or after from April 1, 2017, with CKYCR in terms of the provisions of the Rules ibid.

(5) The NBFC shall upload KYC records pertaining to accounts of LEs opened on or after April 1, 2021, with CKYCR in terms of the provisions of the Rules ibid. The NBFC shall upload KYC records as per the LE Template released by CERSAI.

(6) Once KYC Identifier is generated by CKYCR, the NBFC shall ensure that the same is communicated to the individual / LE as the case may be.

(7) In order to ensure that all KYC records are incrementally uploaded on to CKYCR, the NBFC shall upload / update the KYC data pertaining to accounts of individual customers and LEs opened prior to the above-mentioned dates as per clauses (5) and (6), respectively, at the time of periodic updation as specified in paragraph 42 of these Directions, or earlier, when the updated KYC information is obtained / received from the customer. Also, whenever the NBFC obtains additional or updated information from any customer as per clause (10) below in this paragraph or Rule 9 (1C) of the PML Rules, the NBFC shall within seven days or within such period as may be notified by the Central Government, furnish the updated information to CKYCR, which shall update the KYC records of the existing customer in CKYCR. CKYCR shall thereafter inform electronically all the reporting entities who have dealt with the concerned customer regarding updation of KYC record of the said customer. Once CKYCR informs the NBFC regarding an update in the KYC record of an existing customer, the NBFC shall retrieve the updated KYC records from CKYCR and update the KYC record maintained by the NBFC.

(8) The NBFC shall ensure that during periodic updation, the customers are migrated to the current CDD standard.

(9) For the purpose of establishing an account-based relationship, updation / periodic updation or for verification of identity of a customer, the NBFC shall seek the KYC Identifier from the customer or retrieve the KYC Identifier, if available, from the CKYCR and proceed to obtain KYC records online by using such KYC Identifier and shall not require a customer to submit the same KYC records or information or any other additional identification documents or details, unless–

(i) there is a change in the information of the customer as existing in the records of CKYCR; or

(ii) the KYC record or information retrieved is incomplete or is not as per the current applicable KYC norms; or

(iii) the validity period of downloaded documents has lapsed; or

(iv) the NBFC considers it necessary in order to verify the identity or address (including current address) of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the customer.

[1Explanation: The RE that has last uploaded or updated the customer’s KYC records in the CKYCR shall be responsible for verifying the identity and / or address of the customer, as applicable. Accordingly, any NBFC downloading and relying on such records from the CKCYR shall not be required to re-verify the authenticity of the customer’s identity and / or address, provided the KYC records downloaded from CKYCR are current and compliant with the PML Act, 2002 / PML Rules, 2005. The NBFC downloading and relying on KYC records downloaded from the CKCYR shall remain responsible for all aspects of CDD procedure and provisions of these Directions, except verification of identity and / or address of the customer.]

64. Reporting requirement under Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS): Under FATCA and CRS, the NBFC shall adhere to the provisions of Income Tax Rules 114F, 114G and 114H and determine whether they are a Reporting Financial Institution as defined in Income Tax Rule 114F and if so, shall take following steps for complying with the reporting requirements:

(1) Register on the related e-filing portal of Income Tax Department as Reporting Financial Institutions at the link https://incometaxindiaefiling.gov.in/ post login --> My Account --> Register as Reporting Financial Institution.

(2) Submit online reports by using the digital signature of the ‘Designated Director’ by either uploading the Form 61B or ‘NIL’ report, for which, the schema prepared by Central Board of Direct Taxes (CBDT) shall be referred to.

Explanation: REs shall refer to the spot reference rates published by Foreign Exchange Dealers’ Association of India (FEDAI) on their website at http://www.fedai.org.in/RevaluationRates.aspx for carrying out the due diligence procedure for the purposes of identifying reportable accounts in terms of Rule 114H.

(3) Develop Information Technology (IT) framework for carrying out due diligence procedure and for recording and maintaining the same, as provided in Rule 114H.

(4) Develop a system of audit for the IT framework and compliance with Rules 114F, 114G and 114H of Income Tax Rules.

(5) Constitute a ‘High-Level Monitoring Committee’ under the Designated Director or any other equivalent functionary to ensure compliance.

(6) Ensure compliance with updated instructions / rules / guidance notes / press releases issued on the subject by Central Board of Direct Taxes (CBDT) from time to time and available on the website http://www.incometaxindia.gov.in/Pages/default.aspx. REs may take note of the following:

(i) updated Guidance Note on FATCA and CRS; and

(ii) a press release on ‘Closure of Financial Accounts’ under Rule 114H (8).

65. Operation of accounts and Money Mules: The instructions on opening of accounts and monitoring of transactions shall be strictly adhered to, in order to minimise the operations of “Money Mules” which are used to launder the proceeds of fraud schemes (e.g., phishing and identity theft) by criminals who gain illegal access to accounts by recruiting third parties which act as “money mules.” The NBFC shall undertake diligence measures and meticulous monitoring to identify accounts which are operated as Money Mules and take appropriate action, including reporting of suspicious transactions to FIU-IND. Further, if it is established that an account opened and operated is that of a Money Mule, but no STR was filed by the concerned NBFC, it shall then be deemed that the NBFC has not complied with these directions.

66. The NBFC shall allot UCIC while entering into new relationships with individual customers as also the existing individual customers.

67. The NBFC shall, at their option, not issue UCIC to all walk-in / occasional customers provided it is ensured that there is adequate mechanism to identify such walk-in customers who have frequent transactions with them and ensure that they are allotted UCIC.

68. Introduction of New Technologies: The NBFC shall identify and assess the ML / TF risks that may arise in relation to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and existing products.

Further, the NBFC shall ensure:

(1) to undertake the ML / TF risk assessments prior to the launch or use of such products, practices, services, technologies; and

(2) adoption of a risk-based approach to manage and mitigate the risks through appropriate EDD measures and transaction monitoring, etc

70. Quoting of PAN: PAN or equivalent e-document thereof of customers shall be obtained and verified while undertaking transactions as per the provisions of Income Tax Rule 114B applicable to NBFCs, as amended from time to time. Form 60 shall be obtained from persons who do not have PAN or equivalent e-document thereof.

71. Selling Third party products: The NBFC acting as agent while selling third party products as per regulations in force from time to time shall comply with the following aspects for the purpose of these directions:

(1) the identity and address of the walk-in customer shall be verified for transactions above ₹50,000 as required under clause (5) of paragraph 21 of these Directions.

(2) transaction details of sale of third-party products and related records shall be maintained as prescribed in paragraph 47 of Chapter VII.

(3) AML software capable of capturing, generating and analysing alerts for the purpose of filing CTR / STR in respect of transactions relating to third party products with customers including walk-in customers shall be available.

(4) transactions involving ₹50,000 and above shall be undertaken only by:

(i) debit to customers’ account or against cheques; and

(ii) obtaining and verifying the PAN given by the account-based as well as walk-in customers.

(5) Instruction at (4) above shall also apply to sale of the NBFC’s own products, payment of dues of credit cards / sale and reloading of prepaid / travel cards and any other product for ₹50,000 and above.

72. Hiring of Employees and Employee training:

(1) The NBFC shall put in place an adequate screening mechanism, including Know Your Employee / Staff policy, as an integral part of its personnel recruitment / hiring process.

(2) The NBFC shall endeavour to ensure that the staff dealing with / being deployed for KYC / AML / CFT matters have high integrity and ethical standards, good understanding of extant KYC / AML / CFT standards, effective communication skills and ability to keep up with the changing KYC / AML / CFT landscape, nationally and internationally. The NBFC shall also strive to develop an environment which fosters open communication and high integrity amongst the staff.

(3) The NBFC shall put in place an on-going employee training programme so that the members of staff are adequately trained in KYC / AML / CFT policy. The focus of the training shall be different for frontline staff, compliance staff and staff dealing with new customers. The NBFC shall specially train the front desk staff to handle issues arising from lack of customer education. The NBFC shall ensure the proper staffing of the audit function with persons adequately trained and well-versed in KYC / AML / CFT policies of the NBFC, regulation and related issues.



Whatever is applicable to banks & FIs are applicable to NBFCs ; only the context is different. And when it comes to the FX companies, the applicable reports under FEMA are also enforced.




Those who read this also read:

1. NBFCs and AML/CFT: RBI, India

2. NBFCs and e-KYC : RBI, India

3, Fraud Risk Management - RBI Master Direction 16 July 2024

4. Reports to be submitted to FIU-Ind by different REs

5. Reports by RE under RBI: PMLA2002




Formerly Faculty for Finance & Associate Dean, IBS-Kochi MBA (Banking & Finance – CUSAT);CFA. Accredited Management Teacher from CME of AIMA, Delhi has been in Management Education from 1988. Exposure is in the field of Mutual Funds, Market Research, Project Report preparation & evaluation, Advertising & NGO Activities. This Chief Manager, UTI Asset Management Co Pvt. Ltd(1992-2003), Mumbai. Undergone training in Case Study method of teaching under Mr. Trevor Williams and Mr. Scott M Andrews conducted by the ECCH, UK . Published Books & Book Review, Series of academic articles and maintains a column on MFs under "Fund scan" in Business Manorama since January 2007,Contributes "Portfolio Doctor" column for 'Sampadyam' a wealth mgt publication in Malayalam from manorama group since February 2007, Listed her case studies at asiacase.com.Presented papers in national & international conferences on Mutual Funds. Faculty Member @ ASIET, Kalady from 2010 to June 2019. Dean @ SNGIST, N Paravur, Ernakulam from Sep 2019 -Jan 2021, I continue my efforts to spread the knowledge in area of Finance and contribute to Management Education

Comments

Post a Comment

Popular posts from this blog

National Risk Assessment (NRA): India

By
  India's National Risk Assessment (NRA) is  an ongoing exercise to identify sectors that are vulnerable to money laundering and terrorist financing (ML/TF) .  The NRA is based on recommendations from the Financial Action Task Force (FATF) and helps inform policy-making, resource allocation, and the implementation of effective AML/CFT measures. The NRA also ensures that national strategies address both domestic and international threats. The NRA provides a foundation for informed policy-making, resource allocation, and the implementation of effective AML/CFT measures . It ensures that national strategies are aligned with the specific risk landscape of the country and that they address both domestic and international threats. The subject matter of NRA  was discussed in the Anti-Money Laundering Steering Committee (AMLSC) set up with the approval of Finance Minister, and it was decided to conduct the NRA following the World Bank methodology. The Methodology requi...
Read more

Customer Due Diligence(CDD) : Individuals

By
Image
This post is based on RBI Master Circular dated Feb 25, 2016 updated on Jan 04, 2024  Part I - Customer Due Diligence (CDD) Procedure in case of Individuals For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship or while dealing with the individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity: (a)     the Aadhaar number where,   (i) He is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or (ii) He decides to submit his Aadhaar number voluntarily to a bank or any RE notified under first proviso to sub-section (1) of section 11A of the PML Act; or (aa) the proof of possession of Aadhaar number where offline verification can be carried out; or (ab) the proof of possession of Aa...
Read more

Global Measures on ML/FT: Global Financial Market Regulators

By
  Core Principles and Guidelines of  Financial Sector Supervision  in Support of AML–CFT Regimes The Basel Committee on Banking Supervision (Basel Committee), International Association of Insurance Supervisors (IAIS), and International Organization of Securities Commissioners (IOSCO) have each issued broad supervisory standards and guidelines on a wide range of supervisory issues, including money laundering as it relates to banking, insurance, and securities. FATF incorporates those standards and guidelines in its 40 recommendations. The Basel Committee on Banking Supervision (Basel Committee) The Basel Committee has issued three documents covering money-laundering issues: • Statement on Prevention of Criminal Use of the Banking System for the Purpose of Money Laundering—This statement contains essentially four principles that should be used by banking institutions: – Proper customer identification – High ethical standards and compliance with laws and regulations – Cooper...
Read more