KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

passportdriving licensepermanent account number cardvoters identity card

KYC to onboard international persons

passportdriving license

corporate requirements

certificate of incorporationMemorandum&Articles of AssociationBoard Resolution

National ID card name

Aadhaar

National ID Photo

Does the country have Esignature Laws?

Information Technology Act 2000

E-sig law files

india.pdf

What year did the relevant AML laws and regulations become effective?

2013

Further details on AML regime

The Prevention of Money Laundering Act 2002 (“PMLA”) came into force in Jul 2005. Current Amendment to the PMLA in 2012 became operational with effect from 15 Feb 2013

Who is the regulator for AML controls for Banking

Reserve Bank of India Financial Intelligence Unit (“RBI FIU”)

Link to site

http://fiuindia.gov.in/

Other financial Services

Insurance Regulatory and Development Authority (“IRDA”) for Insurance

Website of Regulator

https://www.irda.gov.in/

Financial Sector regulator

http://www.sebi.gov.in/

Practical Guidance for AML

RBI Master Circular dated 01 Jul 2014 on AML and KYC prescribes the following additional measures: a) full verification of identity at least every two years for high risk customers, every eight years for medium risk customers and every ten years for low risk customers; b) positive confirmation (obtaining KYC related updates through e-mail, letter, telephonic conversation, forms, interviews, visits, etc.) to be completed at least every two years for medium risk and at least every three years for low risk individuals and entities; and c) risk categorisation of accounts needs to be reviewed every six months.

Is there a requirement to verify the identity of customers retroactively?

Retroactive details

Has the country been the subject of FATF mutal evaluation in the last 3 years?

The first Mutual Evaluation report on India was adopted on 24 Jun 2010 and recommended that India be placed in a regular follow-up process for mutual evaluation processes. The 8th Follow Up Report on the Mutual Evaluation of India was published in Jun 2013. The report concluded that India had made sufficient progress for all core and key recommendations and recommended that India be removed from the follow-up procedure. In Jan 2013, the IMF published its update entitled ‘India: Financial System Stability Assessment Update".

PDF of FATF review

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

In the case of transactions carried out by a non-account based customer (walk-in customer) where the amount of the transaction is lower than INR50,000 (approx. USD750), the customer’s identity and address do not require verification. However, if a bank has reason to believe that a customer is intentionally structuring a transaction into a series of transactions below the threshold of INR50,000 (approx. USD750), the bank should verify the identity and address of the customer and also consider filling in a suspicious transaction report. Verification of identity must be conducted in respect of all cross border payments.

What are the requirements for customer identification information for individuals

Official valid documents such as passport, driving licence, Permanent Account Number (“PAN”) Card, Voter's Identity Card issued by the Election Commission of India, or any other document.

Details to be Collected on Corporates

a) Certificate of Incorporation; b) Memorandum and Articles of Association; c) a resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf; and d) an official valid document in respect of managers, officers or employees holding an attorney to transact on its behalf.

What are the high level requirements around beneficial ownership (identification and verification)?

The banking company, financial institution or intermediary should take reasonable measures to identify the beneficial owner(s) and verify his/her/their identity in a manner so that it is satisfied that it knows who the ultimate beneficial owner(s) is/are.

What circumstances are enhanced customer due diligence measures required?

Customers that are likely to pose a higher than average risk to the bank may be categorised as medium or high risk depending on the customer's background, nature and location of activity, country of origin, source of funds and client profile etc. Banks may apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive due diligence for higher risk customers, especially those for whom the sources of funds is not clear. Examples of customers requiring higher due diligence may include: a) non-resident customers; b) high net worth individuals; c) trusts, charities, NGOs and organisations receiving donations; d) companies having a close family shareholding or beneficial ownership; e) firms with 'sleeping partners'; f) PEPs of foreign origin; g) non-face to face customers; h) those with a high risk reputation as per public information available; and i) correspondent banking relationships.

How should FI's deal with Politically exposed persons

Banks should gather sufficient information on any person/customer of this category intending to establish a relationship and check all the information available on the person in the public domain. Banks should verify the identity of the person and seek information about their source of funds before accepting the PEP as a customer. The decision to open an account for a PEP should be taken at a senior level which should be clearly identified in the Customer Acceptance policy. Banks should also subject such accounts to enhanced monitoring on an ongoing basis. The above may also be applied to the accounts of the family members or close relatives of PEPs. In the case of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, banks should obtain senior management approval to continue the business relationship and subject the account to the customer due diligence measures as applicable to the customers of a PEP category including enhanced monitoring on an ongoing basis. These instructions are also applicable to accounts where a PEP is the ultimate beneficial owner. Further, banks should have appropriate ongoing risk management procedures for identifying and applying enhanced customer due diligence to PEPs, customers who are close relatives of PEPs, and accounts of which a PEP is the ultimate beneficial owner.

What enhanced due diligence must be performed for correspondent banking relationships?

Banks should gather sufficient information to understand fully the nature of the business of the correspondent/respondent bank. Banks should try to ascertain from publicly available information whether the other bank has been subject to any money laundering or terrorist financing investigation or regulatory action. It should also be satisfied that the respondent bank has verified the identity of the customers having direct access to the accounts and is undertaking ongoing due diligence on them. The correspondent bank should also ensure that the respondent bank is able to provide the relevant customer identification data immediately on request. Additionally, in view of monitoring and reviewing ‘at par’ cheque facility extended to walk-in-customers of cooperative banks through correspondent banking arrangements and to assess the risks including credit risk and reputation risk arising therefrom, banks should retain the right to verify the records maintained by the client cooperative banks/societies for compliance with the extant instructions on KYC and AML under such arrangements.

Are relationships with banks who might be considered a 'shell' and without substance permitted?

Yes. Guidance issued by the local regulator prohibits entering into a correspondent relationship with shell banks. Shell banks are not permitted to operate in India. Banks should also guard against establishing relationships with respondent foreign financial institutions that permit their accounts to be used by shell banks.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

In the case of non-face-to-face customers, apart from applying the usual customer identification procedures, banks must adopt specific and adequate procedures to mitigate the higher risk involved. Certification of all the documents presented should be insisted upon and, additional documents may be called for in such cases. In the case of cross-border customers, there is the additional difficulty of matching the customer with the documentation and the bank may have to rely on third party certification/ introduction. In such cases, it must be ensured that the third party is a regulated and supervised entity and has adequate KYC systems in place. Additionally, the first transaction should be through a cheque issued from an existing bank account.

To whom are SAR's made? (suspicious activity reports)

Financial Intelligence Unit (FIU-IND

Link to website of SAR reporting

http://fiuindia.gov.in/

Other Suspicious or unusual transactions obligations.

Yes, as per the RBI and FIU guidelines, all banking institutions are required to report all such activities in terms of STR (on occurrence), Cash Transaction Reports and Counterfeit Currency Reports (periodically as per timelines laid down by the regulators) including all transactions involving receipts by non-profit organisations of value more than INR1m (approx. USD15,000) or its equivalent in foreign currency.

Are there any de-minimis thresholds below which transactions do not need to be reported?

Cash transactions below INR50,000 (approx. USD750) need not be reported. However, if there is a suspicion of deliberate effort to structure the transactions in such a way to keep the transaction just below the threshold, then such activities need to be reported as an STR.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

There are punitive clauses in the existing PMLA (2002) which were revised in 2013. Penalty schemes for money laundering activities were amended: a) imprisonment term lengthened from at least three years to a maximum of seven years; b) upper limit for fines of INR500,000 (approx. USD7,500) removed (i.e. no upper limit fixed); c) scope of money laundering activities broadened (possession of money received from criminal proceeds is also classified as crime); and d) threshold limit (earlier INR3m (USD45,000)) for initiating money laundering cases removed.

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

Yes, as per RBI and FIU guidelines.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

Internal clearance is required.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Yes. Section 2.17 of the RBI’s Master Circular (01 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “The guidelines contained in this master circular shall apply to the branches and majority owned subsidiaries located abroad, especially, in countries which do not or insufficiently apply the FATF Recommendations, to the extent local laws permit. When local applicable laws and regulations prohibit implementation of these guidelines, the same should be brought to the notice of Reserve Bank. In case there is a variance in KYC/AML standards prescribed by the Reserve Bank and the host country regulators, branches/overseas subsidiaries of banks are required to adopt the more stringent regulation of the two.”

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

Yes. Section 7 of the RBI’s Master Circular (12 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “Concurrent/Internal auditors should specifically check and verify the application of KYC procedures at the branches and comment on the lapses observed in this regard. The compliance in this regard should be put up before the Audit Committee of the Board on quarterly intervals.”

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

Yes, once a year the external and internal auditors are mandated by the regulator to specifically report on KYC and AML controls. In addition, the RBI, SEBI and IRDA conduct annual inspections

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

Yes, they need to include the steps described in Q28 and to report on the findings.

Data Protection Laws And Personal Data

Yes, they are governed by the Personal Data Protection Bill 2006 and Information Technology Act 2000.

Do any restrictions on the transfer of credit reports exist?

Since banks collect Sensitive Personal Data or Information (“SPDI”), they need to comply with the Rules, which lay down certain procedures to be followed at the time of collection of data, transfer of data, and disposal of data, and to maintain relevant security practices and procedures. In the event a bank is negligent in implementing and maintaining ''reasonable security practices and procedures'' in relation to SPDI, which causes ''wrongful loss or wrongful gain'' to any person, then the bank is liable to pay compensation to the affected person whose SPDI was compromised. The aggrieved person claiming compensation may approach an adjudicating officer appointed under the Act in the case of damages of up to INR50m (approx. USD750,800) or before the civil court in case the damages claimed are above INR50m (approx. USD750,100). The Personal Data Protection Bill 2006 protects the privacy of individuals, but the bill was not passed into law. In the meantime, the Act was amended in 2008 to include Section 43A and Section 72A to protect personal data (“PI”) and SPDI.

Regulator Acronym

RBI FIU, IRDA

Year of last FATF mutual evaluation

2010

Field 67

certification of all documentsadditional documents

National ID card details

Under citizenship act 2003 amendment national id cards are mandatory.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Aadhaar

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Yes

Regulator allows for monitoring transactions outside jurisdiction

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Yes

Who are SARS made to?

FIU-IND

shell banks

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

INR 50,000

Min transaction USD

750

Personal Data protection

Personal Data Protection Act

http://www.dot.gov.in/sites/default/files/itbill2000_0.pdf

key restrictions

Agreements related to powers of attorney, wills and real estate are exempted from the law. In addition, the requirement that many transactions must use stamped paper hinders adoption.

Summary

With consent. Summary of law India’s laws provide for the enforcement of both simple electronic signatures and digital signatures (sometimes called advanced electronic signatures). It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. Electronic signatures are presumed valid unless proof to the contrary is produced. Specifically, section 10A provides that where an agreement is “expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.” Further, if one obtains consent to use electronic signatures, the courts will be even more likely to uphold their use. When using digital signatures in India, there are additional technical and legal requirements. Section 15 35 in particular specifies standards for entities that issue digital certificates.

Are e-signatures acceptable

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

Amendment to the PMLA was enacted on 17 Dec 2012 and came into effect on 15 Feb 2013. The highlights of the amendments are as follows: a) the scope of money laundering activities has been broadened to include proceeds of crime including its concealment, possession, acquisition, or use and projecting and claiming, making mere possession of proceeds of crime an offence; b) possession of money received from criminal proceeds is also classified as crime; c) the threshold limit (earlier INR3m (approx. USD45,000)) for initiating money laundering cases has been removed; d) penalty schemes for money laundering activities have been revisited; e) the imprisonment term has been lengthened from at least three years to a maximum of seven years; and f) the upper limit for fines of INR500,000 (approx. USD7,500) has been removed (i.e. there is no upper limit fixed).

Non financial sector (e.g. casinos, high value goods etc.)

Securities and Exchange Board for India (“SEBI”) for asset management companies

Does the country have a risk based approach?

Yes, the local regulators (RBI, IRDA and SEBI) allow banking companies, financial institutions and intermediaries to use a risk based approach. On the basis of a risk based approach, verification of identity is done for high risk customers every two years, medium risk customers every eight years and low risk customers every ten years. A review of risk categorisation of accounts should be carried out at a periodicity of not less than once in six months.

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

Certified copies of an official valid document may be used. The copies need to be verified by seeing the originals and stamped as ‘originals seen and verified’.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

The Personal Data Protection Bill 2006 and Information Technology Act, 2000. The Information Technology Act provides for recognition of electronic signatures, e-documents and e–transactions, and seeks to control offences conducted over the internet. Also, post-2001, the RBI introduced guidelines governing internet banking, confidentiality, anti-money laundering and KYC norms, which may have prompted customers to move towards the e-platform, albeit with some concerns with respect to the privacy and security of their banking transactions.

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

As per the Personal Data Protection Bill 2006, while collecting SPDI, the bank must seek express written consent from the provider of information via a letter, fax or e-mail, or consent given by any mode of electronic communication, in relation to the purpose for which SPDI may be used. The provider of information must also be given an option to withdraw such consent and must have knowledge and/or be provided information as to: a) the fact that information is being collected; b) the purpose for which it is being collected; c) intended recipients of the information; and d) the name and address of the agency that is collecting and/or retaining the information.