On April 28, 2023, the Reserve Bank of India (“RBI”) introduced certain amendments to the Master Direction – Know Your Customer (KYC) Direction, 2016 (“KYC Directions”) with an objective to align the KYC Directions with the recent changes carried out to the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PMLA Rules”) under the Prevention of Money Laundering Act, 2002 (“PMLA”), the Government Order and instructions titled “Procedure for Implementation of Section 12A of the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act, 2005)” and the FATF Recommendations.
A. Key highlights of amendments
- Alignment with the Amendment to the PMLA Rules
Amongst the amendments, several changes have been made to align the KYC Directions with the recent amendments to the PMLA Rules, including:
- The percentage of controlling ownership for determination of the beneficial owner for both companies and trusts has been lowered to 10% from the erstwhile thresholds of 25% and 15%, respectively.
- The definitions of Politically Exposed Persons, and Non-profit organization (“NPO”) have been aligned with the PMLA Rules.
- A new concept of “group” has been proposed under the KYC Directions. Regulated Entities (“REs”) are required to implement a group-wide policy for discharging their obligations under the PMLA and rules issued thereunder, including to combat money laundering, terrorist financing, and other related risks.
- Other obligations include the requirement for REs to submit details of the designated director and principal officer to RBI, registration of NPO customers on the DARPAN Portal of NITI Aayog and maintenance of such registration records.
- Customer Due Diligence through CKYCR registry
A welcome addition has been an enablement for REs to retrieve records and/ or information online by downloading them from the Central KYC Records Registry (“CKYCR”), subject to receipt of explicit consent from the customer along with the KYC identifier. While the KYC Directions already prescribed the process for the REs to download the customer due diligence (“CDD”) data from CKYCR and allowed the REs to rely on such CDD data obtained through another RE from the said CKYCR registry, it has now been made abundantly clear that such data can be retrieved by the RE itself, for the purpose of opening a customer account.
- Cloud deployment for Video based Customer Identification Process (V-CIP)
Apart from the earlier requirement for REs to house their V-CIP technology infrastructure in their own premises and to ensure that interaction in connection with V-CIP originates from the RE’s own secured network domain, REs deploying a cloud-based model also need to ensure: (a) ownership of the CDD data is at all times with the RE; (b) all customer data including the video recordings are transferred to the RE’s exclusively owned/ leased server; and (c) no customer data is retained by the cloud and/ or technology service provider assisting the RE with the V-CIP.
- Periodic updation of KYC
REs are now permitted to undertake periodic updation of the customer KYC information by using Aadhaar OTP based e-KYC (through mobile number attached to customer profile) in non-face to face mode. However, the conditions applicable to customer accounts opened with Aadhaar OTP based process are not applicable to such periodic updation using Aadhaar OTP based e-KYC.
- Enhanced due diligence for non-face to face customer accounts
The RBI has introduced incremental due diligence requirements for REs onboarding customers without any physical verification (i.e., onboarding customers through CKYCR, DigiLocker, equivalent e-document, etc.), on a non-face to face basis (excluding CDD vide OTP based e-KYC), as follows:
- V-CIP, if available, should be offered as the first option to the customer for remote onboarding;
- Post CDD completion, no alternate mobile numbers should be added to the customer account for transaction OTP, updates etc. except in line with Board approved policy of the RE for dealing with requests for change of registered mobile number;
- REs need to verify the current address through positive confirmation before any operations are commenced in the customer account. Such verification of the current address can be undertaken by means of address verification letter, contact point verification, deliverables, etc.;
- Customers’ PAN obtained by the RE needs to be verified (through Protean eGov Technologies Limited website);
- The first transaction in such customer account should be a credit transaction from an existing KYC compliant customer bank account of the customer; and
- REs are required to undertake enhanced monitoring for accounts (opened in non-face to face mode) until such accounts are verified through face-to-face customer identification process or V-CIP.
It appears that some of the above requirements have been prescribed keeping in mind the influx of digital lending applications and onboarding of customers through such digital platforms without any physical verification.
- Adoption of technology and innovation
As part of the amended KYC Directions, REs are expected to adopt technology innovations for risk monitoring and implementation of sanctions requirements screening on a daily basis. It has also been suggested that REs should consider using and/ or developing technology solutions for product delivery, risk assessment and management, and undertaking enhanced due diligence measures for non-face to face customer accounts.
- Adoption of obligations under the Government order in relation to the WMD Act
REs are now required to ensure due compliance with the requirements under the Government order dated January 30, 2023 in furtherance of the Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (“WMD Act”), including restricting any transaction in relation to the individuals/ entity on the sanctions list under WMD Act and intimating the complete details of such attempted transactions to the Central Nodal Office (along with a copy of the State Nodal Officer) and the RBI, verifying the customer by reference to the sanctions list (including any updates) and, taking appropriate actions for freezing and unfreezing of assets.
- Additional compliances for REs
REs will also now be required to undertake the following:
- Adopt best practices by referring to the FATF standards and guidance.
- Identify principles for risk-based categorization of customers based on parameters such as geographical risk emanating from the customers and transactions, type of products, services, delivery channels, nature of transactions, etc. and keep such customer risk categorization and the associated reasons for such categorization confidential (to avoid tipping off the customer).
- Ensure customers timely update their KYC details (within 30 days from the date of KYC details utilized for CDD of the customer being updated).
- Continuous monitoring of, and compliance with, the UNSC Sanctions list, UNSCR ‘1718 Sanctions List of Designated Individuals and Entities’ and ‘Implementation of Security Council Resolution on Democratic People’s Republic of Korea Order, 2017’.
- Extending the provisions for allotment of Unique Customer Identification Codes to all individual customers (new and existing), which was earlier restricted to banks and non-banking financial companies.
- Include provisions under the customer acceptance policy for GST verification of the customer from issuing authorities and filing of STR instead of undertaking the CDD process in instances where the RE believes that the CDD would tip-off the customer.
B. Way Forward
While these amendments provide much-needed clarity to the industry on some critical aspects related to KYC/ AML compliance, we expect the REs to take steps to:
- Develop innovative technological processes for compliance with the sanctions requirements, ongoing due diligence and monitoring.
- Revisit the V-CIP processes and ensure compliance with the incremental requirements, especially those that relate to deployment of cloud and use of technology service providers for undertaking V-CIP.
- Revise their internal KYC Policy and facility documentation for provisioning of the enhanced due diligence measures, additional obligations, periodic updation of KYC etc.
- Ensure that the employees dealing with KYC matters are required to be tested against high standards for ethics and integrity, knowledge for KYC requirements and AML/ CFT guidelines, effective communication skills, and have the ability to evolve with changing regulatory requirements.