In recent months, Reserve Bank of India has taken the drastic actions against some fintech companies and banks for default in compliance with Know Your Customers (KYC) due diligence. RBI is attempting to ensure the compliance with prudential norms and standards to match the economic ecosystem with the rapid economic growth of the country. In this article, we have explained the reasons for recent actions of RBI and the Master Directions on KYC of individuals.
Why is the Financial Regulator concerned:
1. There are serious violations relating to PMLA rules, standards of KYC processes, funding of illegal activities and violation of loan to value limits.
2. There are instances of a single PAN/identity document linked to over 100 or even 1000 accounts.
3. For some Regulated Entities, customer verification is very lax. They outsource this work to third parties or runners and there are leakages in the process.
4. Fraudsters pay a little Rs. 500/- to the third party or runners and do the identity theft and then dupe the customers through phishing calls from these multiple accounts.
5. Digitally verified accounts need to be tagged as “high risk” till physical or video call-based verification is done. REs was again lax on this process.
How does the regulator come to know about violations?
RBI has ramped up its infrastructure, uses data analytics, machine learning and AI to identify the potential and emerging risks along with the frequent on-site visits by the RBI team.
Master Directions on KYC is being regularly updated by RBI, recent being on 4th January, 2024.
Let us explore the Master Directions on KYC of Individuals:
The main KYC documents are related to Proof of address and Proof of Identity.
- Regulated Entities shall obtain the following documents from individuals during account setup or other dealings related to legal entities like for beneficial ownership or POA or authorized signatory:
(a) Aadhaar number for:
(i) for those receiving benefits or subsidies under schemes per Aadhaar Act
(ii) Voluntarily submitting Aadhaar to banks or REs per PML Act.
(aa) Proof of possession for offline verification.
(ab) Proof of possession for cases where offline verification isn’t possible, or alternative Officially Valid Document (OVD)/e-document with identity and address details.
(ac) KYC Identifier with explicit consent for Central KYC Records Registry (CKYCR) record download.
(b) Permanent Account Number (PAN) or equivalent e-document, or Form No. 60 as per Income-tax Rules, 1962.
(c) Other documents in respect of nature of business, financial status or equivalent e-documents.
- If the customer submits their Aadhaar number to a bank or Regulated Entities, authentication must be conducted using the e-KYC facility provided by UIDAI.
- Customers can provide a self-declaration for a current address different from the one in the Central Identities Data Repository.
- Offline verification is conducted for proof of possession of Aadhaar where applicable.
- Digital signatures on equivalent e-documents are verified according to the provisions of the IT Act, 2000.
- Live photos are taken as specified Annex I.
- For documents where offline verification isn’t possible, digital KYC is conducted as per Annex I.
- For KYC Identifiers, KYC records are retrieved online from the CKYCR in accordance with Section 56.
Conditions for accounts opened using Aadhaar OTP-based e-KYC in non-face-to-face mode:
- Customer consent for OTP authentication is required.
- Transaction alerts and OTPs must be sent only to the Aadhaar-registered mobile number.
- Aggregate balance should not exceed Rs. 1 lakh, account becomes non-operational if it exceeds until full CDD is completed.
- Annual aggregate credit limit across all deposit accounts is Rs. 2 lakhs.
- Only term loans up to Rs. 60,000 per year are allowed for borrower accounts.
- Accounts expire after one year if full identification is not completed; fresh Aadhaar OTP authentication needed if using Section 18.
- Incomplete CDD results in immediate closure for deposit accounts; no further debits allowed for borrowal accounts.
- Customer declaration required stating no other OTP-based accounts opened; CKYCR must indicate such accounts for reference by other RE’s.
- Regulated Entities must have strict monitoring and alert systems for compliance.
Regulated Entities shall undertake Video based customer identification process (V-CIP) for:
(a) New customer onboarding, including individual customers, proprietorships, authorized signatories, and Beneficial Owners (BOs) of Legal Entity (LE) customers.
(b) Conversion of existing accounts opened via Aadhaar OTP-based e-KYC.
(c) Updation/Periodic updation of KYC for eligible customers.
V-CIP Procedure:
- Trained officials ensure liveness check and fraud detection.
- Disruptions prompt fresh sessions, call drops start new sessions.
- Varied real-time questions ensure live interaction.
- Prompting leads to rejection, considering customer status and negative lists.
- Capture audio-video, photograph, and ID using Aadhaar e-KYC or equivalent.
- Confirm current address and economic profile.
- Verify PAN card image from issuing authority and no printed copies accepted.
- Ensure consistency of photograph and details across documents.
- Allow assisted V-CIP by Business Correspondents; maintain BC details.
- Accounts undergo concurrent audit before activation and ensure
Periodic Updation of KYC (Individuals)
1. No change in KYC information: Obtain self-declaration from customer via registered email, mobile number, ATMs, digital channels, or letter.
2. Change in address: Obtain self-declaration of new address via registered email, mobile number, ATMs, digital channels, or letter, and verify within two months.
3. Accounts of customers who were minors: Obtain fresh photographs and ensure current CDD documents are available.
4. Aadhaar OTP-based e-KYC for periodic updation: Declaration of current address differing from Aadhaar does not need positive confirmation. REs must ensure the mobile number used for Aadhaar authentication matches the customer’s profile to prevent fraud. Conditions in Section 17 not applicable.
There are simplified procedures of NBFCs and ‘Small Account’.
Amendment in Master Direction on KYC as on 4 January 2024
- As per the amendment Politically Exposed Persons (PEPs) are individuals who hold or have held significant public positions in foreign countries, such as Heads of States/Governments, senior politicians, government, judicial, or military officers, executives of state-owned corporations, and key political party officials.
- This clarification is now included as an explanation to Section 41, with the removal of the original definition from sub-clause (xvii) of clause (a) of Section 3.
Conclusion: The RBI’s stringent measures in enforcing KYC norms underscore its commitment to maintaining the sanctity of India’s financial ecosystem amidst its economic expansion. By updating the Master Directions on KYC for individuals, the RBI aims to address vulnerabilities in the system, including identity theft, fraud, and the funding of illegal activities. These regulations not only enhance the security of financial transactions but also foster a culture of compliance and trust among banks, fintech companies, and customers. As the financial landscape continues to evolve, these guidelines serve as a critical foundation for protecting the interests of all stakeholders and ensuring the stability of the economic ecosystem. For those navigating the complexities of compliance, understanding the nuances of these directions is crucial for maintaining alignment with the regulatory expectations and contributing to the broader goal of economic security.
In case you have any concern and queries or need any support in compliance/FEMA/FDI, you may like to contact us.
*****
Abhinarayan Mishra, FCA, FCS; Managing Partner, KPAM & Associates, Chartered Accountants, Dwarka, New Delhi; +9910744992, [email protected]
ICICI Bank insists upon Passport for Identity Proof for ReKYC whereas all advanced countries and some agencies like Axis Bank, CAMS accept any document issued by a Govt Agency like Passport, Voters Card, Driver License, Identity Card. What does RBI say on this unduly restrictive requirement for ReKYC.