In everyday usage, a customer is simply understood as someone who purchases goods or services from a shop and pays the shopkeeper. However, in high‑risk sectors such as Banking, Financial Services, and Insurance (BFSI), the definition carries greater significance. These industries handle financial transactions that are vulnerable to misuse for terrorist financing and money laundering. To mitigate such risks, it becomes essential to establish and verify the identity of the customer.
In India, the Prevention of Money Laundering Act, 2002 (PMLA) provides the legal framework to combat money laundering and financial terrorism. Complementing this, the Reserve Bank of India (RBI) has issued mandatory directions requiring all registered entities to implement Know Your Customer (KYC) procedures. These measures ensure that financial institutions can track transactions, restrict illicit activities, and safeguard the integrity of the financial system.
The Reserve Bank of India has prescribed four core elements of the Know Your Customer framework, which must be adopted by all entities registered with the Apex Bank (hereinafter called the organization). The four core elements are as follows.
i) Customer Acceptance
ii) Risk Management
iii) Customer Identification Procedures
iv) Monitoring of Transactions
i) Customer Acceptance
One of the important aspects of Know Your Customer is accepting customers. Here, based on the parameters of the directions issued by the Reserve Bank of India, the organization shall follow the prescribed procedure for accepting the customer.
There are certain procedures that the organisation (Bank / NBFC / HFC) shall follow for the identification of the customer, which are mentioned below.
1. No account shall be opened in a benami or fictitious name. Benami refers to a name used to conceal the true identity of the customer.
2. Accounts shall not be opened if the organization is unable to conduct proper customer due diligence.
3. No transaction shall be undertaken without completion of appropriate customer due diligence.
4. The organization shall clearly specify in its policy the list of documents required to be collected from customers.
5. Any additional information may be obtained only with the explicit consent of the customer.
6. Each customer shall be assigned a Unique Client Identification Code. Once due diligence is completed, it need not be repeated for the same customer.
7. A system shall be in place to identify persons or entities appearing in sanction lists.
8. The organization shall maintain mechanisms to verify the customer’s PAN, digital signatures, and Goods & Services Tax (GST) registration number.
ii) Risk Management
The Organisation shall adopt a risk-based framework to effectively manage risks. This framework will include:
1. Classifying customers into High, Medium, and Low risk categories, based on overall risk perception.
2. Establishing broad principles to ensure uniformity and consistency in risk categorisation.
3. Ensuring strict confidentiality of customer risk classifications at all times.
4. Applying factors such as social background, geographical location, product association, and the nature of customer business to determine the appropriate risk category.
iii) Customer Identification Process
Organizations shall undertake customer identification in the following cases:
1. At the time of initiating any account-based relationship with a customer.
2. When a person who is not an account holder undertakes an international monetary transaction through the organization.
3. If there is any doubt regarding the authenticity or adequacy of customer identification data.
4. For sale of third-party products, own products, or payment of dues (including credit cards, travel cards, etc.) where the value of a single transaction or multiple linked transactions exceeds ₹50,000.
5. Any one-time or aggregated transaction amounting to ₹50,000 or more carried out by a non-account holder.
6. Where the organization suspects that a customer is deliberately splitting a single transaction into multiple smaller transactions below ₹50,000 to avoid reporting or identification requirements.
iv) Monitoring or Due Diligence
Monitoring of transactions is necessary to have updated knowledge about the transactions made by the customer. The due diligence process is a part of the regular monitoring of customer transactions.
Customer due diligence may be carried out for customers including individuals, sole proprietary firms, partnership firms, companies, trusts, associations of persons, etc.
For due diligence of an individual, an organisation shall collect any of the following documents:
1) Aadhaar number or proof of possession of Aadhaar number or KYC Identifier or any other Officially Valid Document such as passport, Driving Licence, Voter ID, Job Card of NREGA, or Letter issued by the National Population Register.
2) PAN Card, and if PAN card is not available then Form 60.
3) Any other documents required by the organisation to know about the business or Financial Status.
The above-mentioned documents shall be obtained for the individual customer, the Sole Proprietor in the case of a Sole Proprietorship firm, and the Beneficial Owner in the case of a Partnership firm, Company, Trust, Body of Individuals and Juridical Person.
As a part of the ongoing due diligence or monitoring process, the organisation shall update the KYC documents on a periodic basis as per the interval determined by the organisation.
Risk categorisation of the customer shall be done at the time of establishing an account-based relationship with the customer. If the customer is high risk at the time of onboarding, the documents shall be updated once every 2 years; for a medium risk customer, once every 8 years; and for a low risk customer, once every 10 years.
Actionable Items
| Sl No | Frequency | Compliance | Comments | Status of Compliance |
|---|---|---|---|---|
| 1 | Yearly | The organisation shall assess the risk of Money Laundering and Terrorist Financing, and the report shall be presented to the Board or any committee authorised by the Board. | The frequency of risk assessment may be determined by the Board, but the organisation shall review it at least once a year. | |
| 2 | Yearly | The periodic updating of the KYC shall be presented to the Board or any committee authorised by the Board. | The frequency is an internal decision of the Company and may be mentioned in the KYC policy. | |
| 3 | Quarterly | The organisation shall submit quarterly audit notes and Compliance to the Audit Committee. | 1) Specifying Senior Management 2) Allocation of responsibility to Senior Management 3) Independent Evaluation of Compliance Function 4) Internal Audit System to verify Compliances. | |
Basic Board Resolutions for Secretarial Compliances of NBFC
[ON THE LETTER HEAD OF THE COMPANY]
CERTIFIED TRUE EXTRACT OF THE MINUTES OF MEETING OF BOARD OF DIRECTORS OF [NAME OF COMPANY] HELD ON [DATE] AT [TIME] AT [ADDRESS]
TO NOTE THE REPORT ON RISK CATEGORISATION OF CUSTOMERS
RESOLVED THAT in accordance with the Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025, the Board of Directors hereby notes and records the submission of the report on Risk Categorisation of Customers for the FY 20XX-XX.
RESOLVED FURTHER THAT the Board acknowledges that the categorisation exercise has been duly completed and the customers have been classified under the following categories:
1. High Risk – [Number of customers]
2. Medium Risk – [Number of customers]
3. Low Risk – [Number of customers]
RESOLVED FURTHER THAT this classification be and is hereby taken on record and maintained as part of the Company’s compliance documentation in accordance with applicable regulatory requirements.
Certified True Copy
For [NAME OF COMPANY]
[Name]
[Designation]
[DIN Number]
[Email Address]
Board Resolutions
[ON THE LETTER HEAD OF THE COMPANY]
CERTIFIED TRUE EXTRACT OF THE MINUTES OF MEETING OF BOARD OF DIRECTORS OF [NAME OF COMPANY] HELD ON [DATE] AT [TIME] AT [ADDRESS]
TO NOTE THE UPDATION OF THE KYC DOCUMENT OF CUSTOMERS
RESOLVED THAT pursuant to the Reserve Bank of India (Non‑Banking Financial Companies – Know Your Customer) Directions, 2025, the Board of Directors hereby notes the updation of Know Your Customer (KYC) documents for the Financial Year 20XX-XX.
RESOLVED FURTHER THAT the Board of Directors acknowledges that KYC documents have been updated for customers across the following risk categories:
1. High Risk – [Number of customers]
2. Medium Risk – [Number of customers]
3. Low Risk – [Number of customers]
Certified True Copy
For [NAME OF COMPANY]
[Name]
[Designation]
[DIN Number]
[Email Address]
Basic Audit Committee Resolutions
[ON THE LETTER HEAD OF THE COMPANY]
CERTIFIED TRUE EXTRACT OF THE MINUTES OF MEETING OF AUDIT COMMITTEE OF [NAME OF COMPANY] HELD ON [DATE] AT [TIME] AT [ADDRESS]
TO NOTE INTERNAL AUDIT REPORT FOR THE QUARTER ENDING [MONTH] [YEAR] ON KYC COMPLIANCES
RESOLVED THAT the Audit Committee of the Board hereby takes note of the Internal Audit Report for the quarter ending [month] [year], specifically covering the review of Know Your Customer (KYC) compliances, as presented by the management.
RESOLVED FURTHER THAT the Committee places on record its satisfaction with the internal controls and compliance framework implemented to ensure adherence to statutory requirements, and directs the management to continue strengthening oversight mechanisms for sustained regulatory alignment.
Certified True Copy
For [NAME OF COMPANY]
[Name]
[Designation]
[DIN Number]
[Email Address]

