Global Regulations and Requirements for KYC Onboarding
Information Technology Act 2000
The Prevention of Money Laundering Act 2002 (“PMLA”) came into force in Jul 2005. The current amendment to the PMLA, enacted in 2012, became operational with effect from 15 Feb 2013.
Reserve Bank of India Financial Intelligence Unit (“RBI FIU”)
Insurance Regulatory and Development Authority (“IRDA”) for Insurance
RBI Master Circular dated 01 Jul 2014 on AML and KYC prescribes the following additional measures: a) full verification of identity at least every two years for high risk customers, every eight years for medium risk customers and every ten years for low risk customers; b) positive confirmation (obtaining KYC related updates through e-mail, letter, telephonic conversation, forms, interviews, visits, etc.) to be completed at least every two years for medium risk and at least every three years for low risk individuals and entities; and c) risk categorisation of accounts needs to be reviewed every six months.
The first Mutual Evaluation report on India was adopted on 24 Jun 2010 and recommended that India be placed in the regular follow-up process. The 8th Follow Up Report on the Mutual Evaluation of India was published in Jun 2013. The report concluded that India had made sufficient progress on all core and key recommendations and recommended that India be removed from the follow-up procedure. In Jan 2013, the IMF published its update entitled ‘India: Financial System Stability Assessment Update’.
In the case of transactions carried out by a non-account based customer (walk-in customer) where the amount of the transaction is lower than INR50,000 (approx. USD750), the customer’s identity and address do not require verification. However, if a bank has reason to believe that a customer is intentionally structuring a transaction into a series of transactions below the threshold of INR50,000 (approx. USD750), the bank should verify the identity and address of the customer and also consider filing a suspicious transaction report. Verification of identity must be conducted in respect of all cross border payments.
Official valid documents such as passport, driving licence, Permanent Account Number (“PAN”) Card, Voter's Identity Card issued by the Election Commission of India, or any other document.
a) Certificate of Incorporation; b) Memorandum and Articles of Association; c) a resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf; and d) an official valid document in respect of managers, officers or employees holding an attorney to transact on its behalf.
The banking company, financial institution or intermediary should take reasonable measures to identify the beneficial owner(s) and verify his/her/their identity in a manner so that it is satisfied that it knows who the ultimate beneficial owner(s) is/are.
Customers that are likely to pose a higher than average risk to the bank may be categorised as medium or high risk depending on the customer's background, nature and location of activity, country of origin, source of funds and client profile etc. Banks may apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive due diligence for higher risk customers, especially those for whom the source of funds is not clear. Examples of customers requiring higher due diligence may include: a) non-resident customers; b) high net worth individuals; c) trusts, charities, NGOs and organisations receiving donations; d) companies having a close family shareholding or beneficial ownership; e) firms with 'sleeping partners'; f) PEPs of foreign origin; g) non-face to face customers; h) those with a high risk reputation as per public information available; and i) correspondent banking relationships.
Banks should gather sufficient information on any person/customer of this category intending to establish a relationship and check all the information available on the person in the public domain. Banks should verify the identity of the person and seek information about their source of funds before accepting the PEP as a customer. The decision to open an account for a PEP should be taken at a senior level which should be clearly identified in the Customer Acceptance policy. Banks should also subject such accounts to enhanced monitoring on an ongoing basis. The above may also be applied to the accounts of the family members or close relatives of PEPs. In the case of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, banks should obtain senior management approval to continue the business relationship and subject the account to the customer due diligence measures as applicable to the customers of a PEP category including enhanced monitoring on an ongoing basis. These instructions are also applicable to accounts where a PEP is the ultimate beneficial owner. Further, banks should have appropriate ongoing risk management procedures for identifying and applying enhanced customer due diligence to PEPs, customers who are close relatives of PEPs, and accounts of which a PEP is the ultimate beneficial owner.
Banks should gather sufficient information to understand fully the nature of the business of the correspondent/respondent bank. Banks should try to ascertain from publicly available information whether the other bank has been subject to any money laundering or terrorist financing investigation or regulatory action. It should also be satisfied that the respondent bank has verified the identity of the customers having direct access to the accounts and is undertaking ongoing due diligence on them. The correspondent bank should also ensure that the respondent bank is able to provide the relevant customer identification data immediately on request. Additionally, in view of monitoring and reviewing ‘at par’ cheque facility extended to walk-in-customers of cooperative banks through correspondent banking arrangements and to assess the risks including credit risk and reputation risk arising therefrom, banks should retain the right to verify the records maintained by the client cooperative banks/societies for compliance with the extant instructions on KYC and AML under such arrangements.
Yes. Guidance issued by the local regulator prohibits entering into a correspondent relationship with shell banks. Shell banks are not permitted to operate in India. Banks should also guard against establishing relationships with respondent foreign financial institutions that permit their accounts to be used by shell banks.
In the case of non-face-to-face customers, apart from applying the usual customer identification procedures, banks must adopt specific and adequate procedures to mitigate the higher risk involved. Certification of all the documents presented should be insisted upon and, additional documents may be called for in such cases. In the case of cross-border customers, there is the additional difficulty of matching the customer with the documentation and the bank may have to rely on third party certification/ introduction. In such cases, it must be ensured that the third party is a regulated and supervised entity and has adequate KYC systems in place. Additionally, the first transaction should be through a cheque issued from an existing bank account.
Financial Intelligence Unit (“FIU-IND”)
Yes, as per the RBI and FIU guidelines, all banking institutions are required to report all such activities in terms of STR (on occurrence), Cash Transaction Reports and Counterfeit Currency Reports (periodically as per timelines laid down by the regulators) including all transactions involving receipts by non-profit organisations of value more than INR1m (approx. USD15,000) or its equivalent in foreign currency.
Cash transactions below INR50,000 (approx. USD750) need not be reported. However, if there is a suspicion of a deliberate effort to structure the transactions in such a way as to keep each transaction just below the threshold, then such activities need to be reported as an STR.
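The threshold rule in this answer, and the walk-in customer rule in the earlier answer on transactions below INR50,000, describe a detection pattern: a single sub-threshold transaction needs no verification or report, but a series of them from the same person that together exceed the threshold should trigger identity verification and an STR. The following is an added example in Python, not code from the original page or from any regulator. It assumes a walk-in identifier the bank captures (`customer_ref`, e.g. a mobile number), a seven-day look-back window and a minimum of three sub-threshold transactions before a pattern is treated as structuring; the window and count are tuning assumptions not stated on the page, and the sample transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threshold stated on the page: walk-in transactions below INR50,000 need no
# identity verification and need not be reported individually.
THRESHOLD_INR = 50_000

# Assumed tuning parameters (not stated on the page): how far back to look for
# a "series of transactions", and how many sub-threshold transactions it takes
# before the pattern is treated as deliberate structuring rather than coincidence.
WINDOW = timedelta(days=7)
MIN_COUNT = 3


@dataclass(frozen=True)
class Txn:
    customer_ref: str      # assumed: walk-in identifier the bank captures (e.g. mobile number)
    ts: datetime
    amount_inr: int
    cross_border: bool = False


def requires_id_verification(txn: Txn, threshold: int = THRESHOLD_INR) -> bool:
    """Per-transaction rule from the text: verify identity and address when the
    amount reaches the threshold, and always for cross-border payments."""
    return txn.cross_border or txn.amount_inr >= threshold


def detect_structuring(txns, threshold=THRESHOLD_INR, window=WINDOW, min_count=MIN_COUNT):
    """Flag customers whose sub-threshold transactions inside any `window` add up
    to at least `threshold`. Returns {customer_ref: alert} with the first
    qualifying window per customer."""
    by_customer = defaultdict(list)
    for t in txns:
        if t.amount_inr < threshold:          # only sub-threshold activity can be structuring
            by_customer[t.customer_ref].append(t)

    alerts = {}
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.ts)
        for i, first in enumerate(items):
            # every sub-threshold transaction within `window` of this one
            run = [t for t in items[i:] if t.ts - first.ts <= window]
            total = sum(t.amount_inr for t in run)
            if len(run) >= min_count and total >= threshold:
                alerts[cust] = {
                    "count": len(run),
                    "total_inr": total,
                    "from": first.ts,
                    "to": run[-1].ts,
                    "action": "verify identity/address; consider STR",
                }
                break
    return alerts


# Constructed sample transactions (not real data).
SAMPLE = [
    Txn("W-1001", datetime(2014, 8, 1, 10, 0), 20_000),
    Txn("W-1001", datetime(2014, 8, 1, 16, 30), 15_000),
    Txn("W-1001", datetime(2014, 8, 2, 11, 0), 12_000),
    Txn("W-1001", datetime(2014, 8, 3, 9, 45), 10_000),   # 4 txns, INR57,000 in 3 days
    Txn("W-2002", datetime(2014, 8, 1, 12, 0), 60_000),   # single over-threshold txn
    Txn("W-3003", datetime(2014, 8, 1, 12, 0), 10_000),
    Txn("W-3003", datetime(2014, 8, 20, 12, 0), 45_000),  # sub-threshold, but 19 days apart
    Txn("W-4004", datetime(2014, 8, 5, 12, 0), 1_000, cross_border=True),
]

if __name__ == "__main__":
    for t in SAMPLE:
        verdict = "verify" if requires_id_verification(t) else "no verification"
        print(t.customer_ref, t.amount_inr, verdict)
    for cust, alert in detect_structuring(SAMPLE).items():
        print("STRUCTURING", cust, alert)
```

Only W-1001 is flagged: four transactions each under INR50,000 that sum to INR57,000 within three days. W-2002 is caught by the per-transaction rule instead, W-4004 by the cross-border rule, and W-3003's two sub-threshold transactions are 19 days apart, so they fall outside the assumed window. Whether a seven-day window and three transactions are the right parameters is a policy decision for the bank's risk assessment, not something the circular fixes.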
There are punitive clauses in the existing PMLA (2002) which were revised in 2013. Penalty schemes for money laundering activities were amended: a) imprisonment term lengthened from at least three years to a maximum of seven years; b) upper limit for fines of INR500,000 (approx. USD7,500) removed (i.e. no upper limit fixed); c) scope of money laundering activities broadened (possession of money received from criminal proceeds is also classified as crime); and d) threshold limit (earlier INR3m (USD45,000)) for initiating money laundering cases removed.
Yes, as per RBI and FIU guidelines.
Internal clearance is required.
Yes. Section 2.17 of the RBI’s Master Circular (01 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “The guidelines contained in this master circular shall apply to the branches and majority owned subsidiaries located abroad, especially, in countries which do not or insufficiently apply the FATF Recommendations, to the extent local laws permit. When local applicable laws and regulations prohibit implementation of these guidelines, the same should be brought to the notice of Reserve Bank. In case there is a variance in KYC/AML standards prescribed by the Reserve Bank and the host country regulators, branches/overseas subsidiaries of banks are required to adopt the more stringent regulation of the two.”
Yes. Section 7 of the RBI’s Master Circular (12 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “Concurrent/Internal auditors should specifically check and verify the application of KYC procedures at the branches and comment on the lapses observed in this regard. The compliance in this regard should be put up before the Audit Committee of the Board on quarterly intervals.”
Yes, once a year the external and internal auditors are mandated by the regulator to specifically report on KYC and AML controls. In addition, the RBI, SEBI and IRDA conduct annual inspections.
Yes, they need to include the steps described in Q28 and to report on the findings.
Yes, they are governed by the Personal Data Protection Bill 2006 and Information Technology Act 2000.
Since banks collect Sensitive Personal Data or Information (“SPDI”), they need to comply with the Rules, which lay down certain procedures to be followed at the time of collection of data, transfer of data, and disposal of data, and to maintain relevant security practices and procedures. In the event a bank is negligent in implementing and maintaining “reasonable security practices and procedures” in relation to SPDI, which causes “wrongful loss or wrongful gain” to any person, then the bank is liable to pay compensation to the affected person whose SPDI was compromised. The aggrieved person claiming compensation may approach an adjudicating officer appointed under the Act in the case of damages of up to INR50m (approx. USD750,000) or the civil court in case the damages claimed are above INR50m (approx. USD750,000). The Personal Data Protection Bill 2006 was intended to protect the privacy of individuals, but the bill was not passed into law. In the meantime, the Act was amended in 2008 to include Section 43A and Section 72A to protect personal information (“PI”) and SPDI.
Agreements related to powers of attorney, wills and real estate are exempted from the law. In addition, the requirement that many transactions must use stamped paper hinders adoption.
With consent.

Summary of law: India’s laws provide for the enforcement of both simple electronic signatures and digital signatures (sometimes called advanced electronic signatures). It is considered a two-tier jurisdiction because it gives digital signatures the same status as handwritten signatures but also recognizes simple electronic signatures as legal and enforceable. Countries that follow this model give companies the opportunity to select different forms of signatures and customize their business processes based on the form that is most convenient and appropriate for each use case. Electronic signatures are presumed valid unless proof to the contrary is produced. Specifically, section 10A provides that where an agreement is “expressed in electronic form or by means of an electronic record, such contract shall not be deemed to be unenforceable solely on the ground that such electronic form or means was used for that purpose.” Further, if one obtains consent to use electronic signatures, the courts will be even more likely to uphold their use. When using digital signatures in India, there are additional technical and legal requirements. Sections 15 and 35 in particular specify the requirements for secure electronic signatures and for the entities that issue digital signature certificates.
The amendment to the PMLA was enacted on 17 Dec 2012 and came into effect on 15 Feb 2013. The highlights of the amendments are as follows: a) the scope of money laundering activities has been broadened to include the concealment, possession, acquisition or use of proceeds of crime, and projecting or claiming them as untainted property, making mere possession of proceeds of crime an offence; b) possession of money received from criminal proceeds is also classified as a crime; c) the threshold limit (earlier INR3m (approx. USD45,000)) for initiating money laundering cases has been removed; d) penalty schemes for money laundering activities have been revisited; e) the imprisonment term has been lengthened from at least three years to a maximum of seven years; and f) the upper limit for fines of INR500,000 (approx. USD7,500) has been removed (i.e. there is no upper limit fixed).
Securities and Exchange Board of India (“SEBI”) for asset management companies
Yes, the local regulators (RBI, IRDA and SEBI) allow banking companies, financial institutions and intermediaries to use a risk based approach. On the basis of a risk based approach, verification of identity is done for high risk customers every two years, medium risk customers every eight years and low risk customers every ten years. A review of risk categorisation of accounts should be carried out at a periodicity of not less than once in six months.
Certified copies of an official valid document may be used. The copies need to be verified by seeing the originals and stamped as ‘originals seen and verified’.
The Personal Data Protection Bill 2006 and Information Technology Act, 2000. The Information Technology Act provides for recognition of electronic signatures, e-documents and e-transactions, and seeks to control offences conducted over the internet. Also, post-2001, the RBI introduced guidelines governing internet banking, confidentiality, anti-money laundering and KYC norms, which may have prompted customers to move towards the e-platform, albeit with some concerns with respect to the privacy and security of their banking transactions.
As per the Personal Data Protection Bill 2006, while collecting SPDI, the bank must seek express written consent from the provider of information via a letter, fax or e-mail, or consent given by any mode of electronic communication, in relation to the purpose for which SPDI may be used. The provider of information must also be given an option to withdraw such consent and must have knowledge and/or be provided information as to: a) the fact that information is being collected; b) the purpose for which it is being collected; c) intended recipients of the information; and d) the name and address of the agency that is collecting and/or retaining the information.