Money Laundering and Terrorist Financing Risk Assessment by Company:
- Company shall carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise periodically to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for clients, countries or geographic areas, products, services, transactions or delivery channels, etc. The assessment process should consider all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied. While preparing the internal risk assessment, Company shall take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator/supervisor may share with Company from time to time.
- The risk assessment by the Company shall be properly documented and be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the Company. Further, the periodicity of risk assessment exercise shall be determined by the Board of the Company, in alignment with the outcome of the risk assessment exercise. However, it should be reviewed at least annually.
- The outcome of the exercise shall be put up to the Board or any committee of the Board to which power in this regard has been delegated, and should be available to competent authorities and self-regulating bodies.
- Company shall apply a Risk Based Approach (RBA) for mitigation and management of the identified risk and should have Board approved policies, controls and procedures in this regard. Further, Company shall monitor the implementation of the controls and enhance them if necessary.
Designated Director:
- A “Designated Director” means a person designated by the Company to ensure overall compliance with the obligations imposed under Chapter IV of PML Act and nominated by the Board of the Company.
- The name, designation and address of the Designated Director, including changes from time to time, shall be communicated to the Director, FIU-IND.
- In no case, the ‘Principal Officer’ shall be nominated as the ‘Designated Director’.
Principal Officer:
- Company shall appoint a “Principal Officer”.
- The Principal Officer shall be responsible for ensuring compliance, monitoring transactions, and sharing and reporting information as required under the law/regulations.
- The name, designation and address of the Principal Officer, including changes from time to time, shall be communicated to the Director, Financial Intelligence Unit – India (FIU-IND).
Compliance of KYC policy:
Company shall ensure compliance with KYC Policy through:
- specifying who constitutes ‘Senior Management’ for the purpose of KYC compliance;
- allocation of responsibility for effective implementation of policies and procedures;
- independent evaluation of the compliance functions of Company policies and procedures, including legal and regulatory requirements;
- Concurrent/internal audit system to verify the compliance with KYC/Anti-Money Laundering (AML) policies and procedures;
- submission of quarterly audit notes and compliance to the Audit Committee;
Company shall ensure that decision-making functions of determining compliance with KYC norms are not outsourced.
Customer Acceptance Policy (CAP)
Company shall ensure and place standard procedures on the following aspects of customer relationships in Company, without prejudice:
- no account is opened in anonymous or fictitious/benami name;
- no account is opened where the Company is unable to apply appropriate CDD measures, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer.
- no transaction or account based relationship is undertaken without following the CDD procedure.
- the mandatory information to be sought for KYC purpose while opening a loan account and during the periodic updation is specified.
- Additional information, where such information requirement has not been specified in the KYC Policy of the Company, shall only be obtained with the explicit consent of the customer.
- Company shall apply the CDD procedure at the Unique Customer Identification Code (UCIC) level. Thus, if an existing KYC compliant customer of a Company desires to open another account with the Company, there shall be no need for a fresh CDD exercise.
- CDD Procedure is followed for all the joint loan account holders, when applying jointly.
- Circumstances in which a customer is permitted to act on behalf of another person/entity are clearly spelt out.
- Suitable system is put in place to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanctions lists circulated by Reserve Bank of India.
- Where Permanent Account Number (PAN) is obtained, the same shall be verified from the verification facility of the issuing authority.
Where an equivalent e-document is obtained from the customer, Company shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000).
- Where Goods and Services Tax (GST) details are available, the GST number shall be verified from the search/verification facility of the issuing authority.
Customer Acceptance Policy shall not result in denial of banking/financial facility to members of the general public, especially those who are financially or socially disadvantaged.
RISK MANAGEMENT
For Risk Management, Company shall have a risk-based approach which includes the following:
a) Customers shall be categorized as low, medium and high risk category, based on the assessment and Risk perception of the Company.
b) Risk categorization shall be undertaken based on parameters such as customer’s identity, social/ financial status, nature of business activity and information about the clients’ business and their location etc. While considering customer’s identity, the ability to confirm identity documents through online or other services offered by issuing authorities may also be factored in.
The Company shall include Financial Action Task Force (FATF) Public statement, the reports and guidance notes on KYC/AML issued by the Indian Banks Association (IBA) and other agencies etc., in risk assessment.
c) As per KYC policy, for acceptance and identification, Company’s Customers shall be categorized based on perceived risk broadly into three categories – A, B & C.
Category A includes High Risk Customers; Category B contains Medium Risk Customers while Category C includes Low Risk Customers. None of the Customers will be exempted from Company’s KYC procedure, irrespective of the status and relationship with Company or its Promoters. The above requirement may be moderated according to the risk perception.
1.) High Risk – (Category A): High Risk Customers typically include:
- Non Resident Customers.
- NGOs and organizations receiving donations,
- Politically Exposed Persons (PEPs).
- Persons having dubious reputation as per public information available, etc.
2.) Medium Risk (Level II)
- Salaried employees receiving salary in cash.
- SENP
- Persons in business/industry or trading activity where the area of their residence or place of business has a scope or history of unlawful trading/business activity.
- Trusts, charities, etc.
- Private Ltd companies.
3.) Low Risk-(Category C):
a. Government Employee.
b. Salaried Employees having salary in bank accounts.
It is important to bear in mind that the adoption of Customer Acceptance Policy and its implementation will not result in denial of Company’s services to the general public, especially to those who are financially or socially disadvantaged. Further, the aforesaid categories shall be reviewed on periodic basis.
The risk categorization of a customer and the specific reasons for such categorization shall be kept confidential and shall not be revealed to the customer to avoid tipping off the customer.
Customer Identification Procedure (CIP)
The Company shall undertake identification of customers in the following cases:
- Commencement of an account-based relationship with the customer.
- Carrying out any international money transfer operations for a person who is not an account holder of the Company.
- When there is a doubt about the authenticity or adequacy of the customer identification data it has obtained.
- Selling third party products as agents, selling their own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for more than rupees fifty thousand.
- Carrying out transactions for a non-account-based customer, that is a walk-in customer, where the amount involved is equal to or exceeds rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected.
- When Company has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of rupees fifty thousand.
- Company shall ensure that introduction is not to be sought while opening accounts.
For the purpose of verifying the identity of customers at the time of commencement of an account-based relationship, Company shall, at its option, rely on customer due diligence done by a third party, subject to the following conditions:
- Records or the information of the customer due diligence carried out by the third party is obtained within two days from the third party or from the Central KYC Records Registry.
- Adequate steps are taken by Company to satisfy itself that copies of identification data and other relevant documentation relating to the customer due diligence requirements shall be made available from the third party upon request without delay.
- The third party is regulated, supervised or monitored for, and has measures in place for, compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the PML Act.
- The third party shall not be based in a country or jurisdiction assessed as high risk.
- The ultimate responsibility for customer due diligence and undertaking enhanced due diligence measures, as applicable, will be with the Company.
Customer Due Diligence Procedure (CDD Procedure)
Part- I CDD Procedure in case of individuals
Company shall apply the following procedure while establishing an account-based relationship with an individual or while dealing with an individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity:
a. the Aadhaar number where,
- he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
- he decides to submit his Aadhaar number voluntarily to a Company notified under first proviso to sub-section (1) of section 11A of the PML Act;
or
- aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
- ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD or the equivalent e-document thereof containing the details of his identity and address; or
- ac) the KYC Identifier with an explicit consent to download records from CKYCR; and
b. the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and
c. such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the Company
Provided that where the customer has submitted,
- Aadhaar number under clause (a) above to a Company notified under first proviso to sub-section (1) of section 11A of the Act, Company shall carry out authentication of the customer’s Aadhaar number using e-KYC authentication facility provided by the Unique Identification Authority of India. Further, in such a case, if customer wants to provide a current address, different from the address as per the identity information available in the Central Identities Data Repository, he may give a self-declaration to that effect to the Company.
- proof of possession of Aadhaar under clause (aa) above where offline verification can be carried out, the COMPANY shall carry out offline verification.
- an equivalent e-document of any OVD, the Company shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Annex I.
- any OVD or proof of possession of Aadhaar number under clause (ab) above where offline verification cannot be carried out, the Company shall carry out verification through digital KYC as specified under Annex I.
- KYC Identifier under clause (ac) above, the RE shall retrieve the KYC records online from the CKYCR in accordance with Section 56.
Provided that for a period not beyond such date as may be notified by the Government, instead of carrying out digital KYC, the Company pertaining to such class may obtain a certified copy of the proof of possession of Aadhaar number or the OVD and a recent photograph where an equivalent e-document is not submitted.
Provided further that in case e-KYC authentication cannot be performed for an individual desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 owing to injury, illness or infirmity on account of old age or otherwise, and similar causes, COMPANY shall, apart from obtaining the Aadhaar number, perform identification preferably by carrying out offline verification or alternatively by obtaining the certified copy of any other OVD or the equivalent e-document thereof from the customer. CDD done in this manner shall invariably be carried out by an official of the COMPANY and such exception handling shall also be a part of the concurrent audit as mandated in Section 8 of Master direction on KYC. COMPANY shall ensure to duly record the cases of exception handling in a centralised exception database. The database shall contain the details of grounds of granting exception, customer details, name of the designated official authorising the exception and additional details, if any. The database shall be subjected to periodic internal audit/inspection by COMPANY and shall be available for supervisory review.
Explanation 1: Company shall, where its customer submits a proof of possession of Aadhaar Number containing Aadhaar Number, ensure that such customer redacts or blacks out his Aadhaar number through appropriate means where the authentication of Aadhaar number is not required as per proviso (i) above.
Explanation 2: Biometric based e-KYC authentication can be done by bank official/business correspondents/business facilitators.
Explanation 3: The use of Aadhaar, proof of possession of Aadhaar etc., shall be in accordance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016 and the regulations made thereunder.
Accounts opened using OTP based e-KYC, in non-face-to-face mode, are subject to the following conditions:
- there must be a specific consent from the customer for authentication through OTP.
- The Company shall ensure that transaction alerts, OTP, etc., are sent only to the mobile number of the customer registered with Aadhaar.
- the aggregate balance of all the deposit accounts of the customer shall not exceed rupees one lakh. In case, the balance exceeds the threshold, the account shall cease to be operational, till CDD as mentioned at (e) below is complete.
- the aggregate of all credits in a financial year, in all the deposit accounts taken together, shall not exceed rupees two lakh.
- as regards borrowal accounts, only term loans shall be sanctioned. The aggregate amount of term loans sanctioned shall not exceed rupees sixty thousand in a year.
- accounts, both deposit and borrowal, opened using OTP based e-KYC shall not be allowed for more than one year unless identification as per Section 16 or as per Section 18 (V-CIP) of Master Direction is carried out. If Aadhaar details are used under Section 18, the process shall be followed in its entirety including fresh Aadhaar OTP authentication.
- if the CDD procedure as mentioned above is not completed within a year, in respect of deposit accounts, the same shall be closed immediately. In respect of borrowal accounts no further debits shall be allowed.
- A declaration shall be obtained from the customer to the effect that no other account has been opened nor will be opened using OTP based KYC in non-face-to-face mode with any other Regulated Entity (RE). Further, while uploading KYC information to CKYCR, Company shall clearly indicate that such accounts are opened using OTP based e-KYC and other REs shall not open accounts based on the KYC information of accounts opened with OTP based e-KYC procedure in non-face-to-face mode.
- Company shall have strict monitoring procedures including systems to generate alerts in case of any non-compliance/violation, to ensure compliance with the above mentioned conditions.
Company may undertake V-CIP to carry out:
- CDD in case of new customer on-boarding for individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity (LE) customers. Provided that in case of CDD of a proprietorship firm, Company shall also obtain the equivalent e-document of the activity proofs with respect to the proprietorship firm, as mentioned in Section 28 and Section 29, apart from undertaking CDD of the proprietor.
- Conversion of existing accounts opened in non-face to face mode using Aadhaar OTP based e-KYC authentication as per Section 17.
- Updation/Periodic updation of KYC for eligible customers.
While undertaking V-CIP, Company shall adhere to the following minimum standards:
a.) V-CIP Infrastructure
- Company should have complied with the RBI guidelines on minimum baseline cyber security and resilience framework for banks, as updated from time to time as well as other general guidelines on IT risks. The technology infrastructure should be housed in own premises of COMPANY and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines. Where cloud deployment model is used, it shall be ensured that the ownership of data in such model rests with the Company only and all the data including video recording is transferred to the Company’s exclusively owned / leased server(s) including cloud server, if any, immediately after the V-CIP process is completed and no data shall be retained by the cloud service provider or third-party technology provider assisting the V-CIP of the Company.
- The Company shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner.
- The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.
- The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt.
- The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with COMPANY. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.
- Based on experience of detected / attempted / ‘near-miss’ cases of forged identity, the technology infrastructure including application software as well as work flows shall be regularly upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber-security event under extant regulatory guidelines.
- The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In). Such tests should also be carried out periodically in conformance to internal / regulatory guidelines.
- The V-CIP application software and relevant APIs / web services shall also undergo appropriate testing of functional, performance, and maintenance strength before being used in live environment. Only after closure of any critical gap found during such tests, the application should be rolled out. Such tests shall also be carried out periodically in conformity with internal/ regulatory guidelines.
b.) V-CIP Procedure
- Company shall formulate a clear work flow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process shall be operated only by officials of the Company specially trained for this purpose. The official should be capable of carrying out a liveness check and detecting any other fraudulent manipulation or suspicious conduct of the customer and acting upon it.
- Disruption of any sort including pausing of video, reconnecting calls, etc., should not result in creation of multiple video files. If pause or disruption is not leading to the creation of multiple files, then there is no need to initiate a fresh session by the Company. However, in case of call drop / disconnection, a fresh session shall be initiated.
- The sequence and/or type of questions, including those indicating the liveness of the interaction, during video interactions shall be varied in order to establish that the interactions are real-time and not pre-recorded.
- Any prompting observed at the customer's end shall lead to rejection of the account opening process.
- The fact of the V-CIP customer being an existing or new customer, or if it relates to a case rejected earlier, or if the name appears in some negative list, should be factored in at the appropriate stage of the work flow.
- The authorised official of the Company performing the V-CIP shall record audio-video as well as capture photograph of the customer present for identification and obtain the identification information using any one of the following:
  - OTP based Aadhaar e-KYC authentication
  - Offline Verification of Aadhaar for identification
  - KYC records downloaded from CKYCR, in accordance with Section 57, using the KYC identifier provided by the customer
  - Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker
Company shall ensure to redact or blackout the Aadhaar number in terms of Section 16.
In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be ensured that the XML file or QR code generation date is not older than three working days from the date of carrying out V-CIP.
Further, in line with the prescribed period of three days for usage of Aadhaar XML file / Aadhaar QR code, Company shall ensure that the video process of the V-CIP is undertaken within three working days of downloading / obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document if, in rare cases, the entire process cannot be completed at one go or seamlessly. However, the Company shall ensure that no incremental risk is added due to this.
- If the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured, as per the existing requirement. It shall be ensured that the economic and financial profile/information submitted by the customer is also confirmed from the customer undertaking the V-CIP in a suitable manner.
- Company shall capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority including through DigiLocker.
- Use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP.
- The authorised official of the Company shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer.
- Assisted V-CIP shall be permissible when banks take help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.
- All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and acceptability of the outcome.
- All matters not specified under the paragraph but required under other statutes such as the Information Technology (IT) Act shall be appropriately complied with by the Company.
c) V-CIP Records and Data Management
- The entire data and recordings of V-CIP shall be stored in a system/systems located in India. Company shall ensure that the video recording is stored in a safe and secure manner and bears the date and time stamp that affords easy historical data search. The extant instructions on record management, as stipulated in this MD, shall also be applicable for V-CIP.
- The activity log along with the credentials of the official performing the V-CIP shall be preserved.
Simplified procedure for opening accounts by Non-Banking Finance Companies (NBFCs):
In case a person who desires to open an account is not able to produce documents, as specified in Section 16, COMPANY may at its discretion open accounts subject to the following conditions:
- The Company shall obtain a self-attested photograph from the customer.
- The designated officer of the Company certifies under his signature that the person opening the account has affixed his signature or thumb impression in his presence.
- The account shall remain operational initially for a period of twelve months, within which CDD as per Section 16 or Section 18 shall be carried out.
- Balances in all their accounts taken together shall not exceed rupees fifty thousand at any point of time.
- The total credit in all the accounts taken together shall not exceed rupees one lakh in a year.
- The customer shall be made aware that no further transactions will be permitted until the full KYC procedure is completed in case Directions (d) and (e) above are breached by him.
- The customer shall be notified, when the balance reaches rupees forty thousand or the total credit in a year reaches rupees eighty thousand, that appropriate documents for conducting the KYC must be submitted, otherwise the operations in the account shall be stopped when the total balance in all the accounts taken together exceeds the limits prescribed in direction (d) and (e) above.
KYC verification once done by one branch/office of Company shall be valid for transfer of the account to any other branch/office of Company, provided full KYC verification has already been done for the concerned account and the same is not due for periodic updation.
Part- II CDD Measures for Sole Proprietary Firms
For opening an account in the name of a sole proprietary firm, identification information as mentioned under Section 14 in respect of the individual (proprietor) shall be obtained.
In addition to the above, any two of the following documents as a proof of business/ activity in the name of the proprietary firm shall also be obtained:
- Registration certificate including Udyam Registration Certificate (URC) issued by the Government
- Certificate/licence issued by the municipal authorities under Shop and Establishment Act.
- Sales and income tax returns.
- CST/VAT/GST certificate.
- Certificate/registration document issued by Sales Tax/Service Tax/Professional Tax authorities.
- IEC (Importer Exporter Code) issued to the proprietary concern by the office of DGFT/Licence/Certificate of Practice issued in the name of the proprietary concern by any professional body incorporated under a statute.
- Complete Income Tax Return (not just the acknowledgement) in the name of the sole proprietor where the firm’s income is reflected, duly authenticated/acknowledged by the Income Tax authorities.
- Utility bills such as electricity, water, and landline telephone bills.
In cases where Company is satisfied that it is not possible to furnish two such documents, Company may, at its discretion, accept only one of those documents as proof of business/activity.
Provided Company undertakes contact point verification and collects such other information and clarification as would be required to establish the existence of such firm, and shall confirm and satisfy itself that the business activity has been verified from the address of the proprietary concern.
Part- III CDD Measures for Legal Entities
For opening an account of a Company, one certified copy of each of the following documents shall be obtained:
- Certificate of incorporation
- Memorandum and Articles of Association;
- PAN of the Company;
- A resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf;
- One copy of an OVD containing details of identity and address, one recent photograph and PANs or Form 60 of the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf;
- the names of the relevant persons holding senior management position; and
- the registered office and the principal place of its business, if it is different.
For opening an account of a partnership firm, one certified copy of each of the following documents shall be obtained:
- Registration certificate;
- Partnership deed;
- PAN of the partnership firm;
- One copy of an OVD containing details of identity and address, one recent photograph and Permanent Account Numbers or Form 60 of the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf;
- the names of all the partners; and
- address of the registered office, and the principal place of its business, if it is different.
For opening an account of a trust, one certified copy of each of the following documents shall be obtained:
- Registration certificate;
- Trust deed;
- Permanent Account Number or Form No.60 of the trust;
- One copy of an OVD containing details of identity and address, one recent photograph and PANs or Form 60 of the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf;
- the names of the beneficiaries, trustees, settlor and authors of the trust;
- the address of the registered office of the trust; and
- List of trustees and documents, as specified in Section 16, for those discharging the role as trustee and authorized to transact on behalf of the trust.
- Copy certifying the registration on the DARPAN Portal of NITI Aayog. If the same are not registered, the Company shall register the details on the DARPAN Portal.
For opening an account of an unincorporated association or a body of individuals, one certified copy of each of the following documents shall be obtained:
- resolution of the managing body of such association or body of individuals;
- PAN or Form No.60 of the unincorporated association or a body of individuals;
- power of attorney granted to transact on its behalf;
- one copy of an OVD containing details of identity and address, one recent photograph and PANs or Form 60 of the managers, officers or employees, as the case may be, holding an attorney to transact on its behalf identification information as mentioned under
- Such information as may be required by Company to collectively establish the legal existence of such an association or body of individuals.
Unregistered trusts/partnership firms shall be included under the term ‘unincorporated association’ and the term ‘body of individuals’ includes societies.
For opening accounts of juridical persons not specifically covered in the earlier part, such as societies, universities and local bodies like village panchayats, etc., one certified copy of the following documents or the equivalent e-documents thereof shall be obtained and verified:
- Document showing name of the person authorised to act on behalf of the entity;
- Aadhaar/PAN/ OVD for proof of identity and address in respect of the person holding an attorney to transact on its behalf and
- Such documents as may be required by COMPANY to establish the legal existence of such an entity/juridical person.
Part-IV Identification of Beneficial Owner
For opening an account of a Legal Person who is not a natural person, the beneficial owner(s) shall be identified and all reasonable steps in terms of Rule 9(3) of the Rules to verify his/her identity shall be undertaken keeping in view the following:
- Where the customer or the owner of the controlling interest is (i) an entity listed on a stock exchange in India, or (ii) it is an entity resident in jurisdictions notified by the Central Government and listed on stock exchanges in such jurisdictions, or (iii) it is a subsidiary of such listed entities; it is not necessary to identify and verify the identity of any shareholder or beneficial owner of such entities.
- In cases of trust/nominee or fiduciary accounts, whether the customer is acting on behalf of another person as trustee/nominee or any other intermediary is determined. In such cases, satisfactory evidence of the identity of the intermediaries and of the persons on whose behalf they are acting, as also details of the nature of the trust or other arrangements in place shall be obtained.
Part-V On-going Due Diligence Measures
COMPANY shall undertake on-going due diligence of customers to ensure that their transactions are consistent with their knowledge about the customers, customers’ business and risk profile; and the source of funds.
Without prejudice to the generality of factors that call for close monitoring, the following types of transactions shall necessarily be monitored:
- large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose.
- transactions which exceed the thresholds prescribed for specific categories of accounts.
- high account turnover inconsistent with the size of the balance maintained.
- Deposit of third-party cheques, drafts, etc. in the existing and newly opened accounts followed by cash withdrawals for large amounts.
The extent of monitoring shall be aligned with the risk category of the customer.
Explanation: High risk accounts have to be subjected to more intensified monitoring.
A system of periodic review of risk categorization of accounts, with such periodicity being at least once in six months, and the need for applying enhanced due diligence measures shall be put in place.
The transactions in accounts of marketing firms, especially accounts of Multi-level Marketing (MLM) Companies shall be closely monitored.
Explanation: Cases where a large number of cheque books are sought by the Company and/or multiple small deposits (generally in cash) across the country in one bank account and/or where a large number of cheques are issued bearing similar amounts/dates, shall be immediately reported to Reserve Bank of India and other appropriate authorities such as FIU-IND.
Periodic Updation of KYC
The COMPANY shall adopt a risk-based approach for periodic updation of KYC. However, periodic updation shall be carried out at least once in every two years for high risk customers, once in every eight years for medium risk customers and once in every ten years for low risk customers from the date of opening of the account / last KYC updation.
a.) Individual Customers:
- No change in KYC information: In case of no change in the KYC information, a self-declaration from the customer in this regard shall be obtained through customer’s email-id registered with COMPANY, customer’s mobile number registered with COMPANY,
- Change in address: In case of a change only in the address details of the customer, a self-declaration of the new address shall be obtained from the customer through customer’s email-id registered with the Company, customer’s mobile number registered with the Company, letter etc., and the declared address shall be verified through positive confirmation within two months, by means such as address verification letter, contact point verification, deliverables etc.
Further, Company, at its option, may obtain a copy of OVD or deemed OVD or the equivalent e-documents thereof, as defined in Section 3(a)(xiii), for the purpose of proof of address, declared by the customer at the time of periodic updation.
- Accounts of customers, who were minor at the time of opening account, on their becoming major: In case of customers for whom account was opened when they were minor, fresh photographs shall be obtained on their becoming a major and at that time it shall be ensured that CDD documents as per the current CDD standards are available with the Company. Wherever required, Company may carry out fresh KYC of such customers i.e. customers for whom account was opened when they were minor, on their becoming a major.
- Aadhaar OTP based e-KYC in non-face to face mode may be used for periodic updation.
- Declaration of current address, if the current address is different from the address in Aadhaar, shall not require positive confirmation in this case. The Company shall ensure that the mobile number for Aadhaar authentication is same as the one available with them in the customer’s profile, in order to prevent any fraud.
b.) Customers other than individuals:
- No change in KYC information: In case of no change in the KYC information of the Legal Entity (LE) customer, a self-declaration in this regard shall be obtained from the LE customer through its email id registered with the Company, mobile application of Company, letter from an official authorized by the LE in this regard, board resolution etc. Further, Company shall ensure during this process that Beneficial Ownership (BO) information available with them is accurate and shall update the same, if required, to keep it as up-to-date as possible.
- Change in KYC information: In case of change in KYC information, COMPANY shall undertake the KYC process equivalent to that applicable for on-boarding a new LE customer.
c.) Additional measures: In addition to the above, COMPANY shall ensure that,
- The KYC documents of the customer as per the current CDD standards are available with them. This is applicable even if there is no change in customer information but the documents available with COMPANY are not as per the current CDD standards. Further, in case the validity of the CDD documents available with Company has expired at the time of periodic updation of KYC, COMPANY shall undertake the KYC process equivalent to that applicable for on-boarding a new customer.
- Customer’s PAN details, if available with the Company, are verified from the database of the issuing authority at the time of periodic updation of KYC.
- Acknowledgment is provided to the customer mentioning the date of receipt of the relevant document(s), including self-declaration from the customer, for carrying out periodic updation. Further, it shall be ensured that the information / documents obtained from the customers at the time of periodic updation of KYC are promptly updated in the records / database of the Company and an intimation, mentioning the date of updation of KYC details, is provided to the customer.
- In order to ensure customer convenience, Company may consider making available the facility of periodic updation of KYC at any branch, in terms of their internal KYC policy duly approved by the Board of Directors of Company or any committee of the Board to which power has been delegated.
- Company shall adopt a risk-based approach with respect to periodic updation of KYC. Any additional and exceptional measures, which otherwise are not mandated under the above instructions, adopted by the Company such as requirement of obtaining recent photograph, requirement of physical presence of the customer, requirement of periodic updation of KYC only in the branch of Company where account is maintained, a more frequent periodicity of KYC updation than the minimum specified periodicity etc., shall be clearly specified in the internal KYC policy duly approved by the Board of Directors of Company or any committee of the Board to which power has been delegated.
- Company shall ensure that their internal KYC policy and processes on updation / periodic updation of KYC are transparent and adverse actions against the customers should be avoided, unless warranted by specific regulatory requirements.
- The Company shall advise the customers that in order to comply with the PML Rules, in case of any update in the documents submitted by the customer at the time of establishment of business relationship / account-based relationship and thereafter, as necessary; customers shall submit to the Company, the update of such documents. This shall be done within 30 days of the update to the documents for the purpose of updating the records at Company’s end.
In case of existing customers, Company shall obtain the Permanent Account Number or equivalent e-document thereof or Form No.60, by such date as may be notified by the Central Government, failing which Company shall temporarily cease operations in the account till the time the Permanent Account Number or equivalent e-documents thereof or Form No. 60 is submitted by the customer.
Provided that before temporarily ceasing operations for an account, Company shall give the customer an accessible notice and a reasonable opportunity to be heard. Further, Company shall include, in its internal policy, appropriate relaxation(s) for continued operation of accounts for customers who are unable to provide Permanent Account Number or equivalent e-document thereof or Form No. 60 owing to injury, illness or infirmity on account of old age or otherwise, and such like causes. Such accounts shall, however, be subject to enhanced monitoring.
Provided further that if a customer having an existing account-based relationship with Company gives in writing to Company that he does not want to submit his Permanent Account Number or equivalent e-document thereof or Form No.60, Company shall close the account and all obligations due in relation to the account shall be appropriately settled after establishing the identity of the customer by obtaining the identification documents as applicable to the customer.
Explanation – For the purpose of this Section, “temporary ceasing of operations” in relation to an account shall mean the temporary suspension of all transactions or activities in relation to that account by company till such time the customer complies with the provisions of this Section. In case of asset accounts such as loan accounts, for the purpose of ceasing the operation in the account, only credits shall be allowed.
Part VI – Enhanced and Simplified Due Diligence Procedure
Enhanced Due Diligence (EDD):
Accounts of non-face-to-face customers (other than Aadhaar OTP based on-boarding): Non-face-to-face onboarding facilitates the Company to establish relationship with the customer without meeting the customer physically or through V-CIP. Such non-face-to-face modes for the purpose of this Section includes use of digital channels such as CKYCR, DigiLocker, equivalent e-document, etc., and non-digital modes such as obtaining copy of OVD certified by additional certifying authorities as allowed for NRIs and PIOs.
Following EDD measures shall be undertaken by REs for non-face-to-face customer onboarding:
- In case Company has introduced the process of V-CIP, the same shall be provided as the first option to the customer for remote onboarding. It is reiterated that processes complying with prescribed standards and procedures for V-CIP shall be treated on par with face-to-face CIP for the purpose of this Master Direction.
- In order to prevent frauds, alternate mobile numbers shall not be linked post CDD with such accounts for transaction OTP, transaction updates, etc. Transactions shall be permitted only from the mobile number used for account opening.
- Apart from obtaining the current address proof, the Company shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc.
- The Company shall obtain PAN from the customer and the PAN shall be verified from the verification facility of the issuing authority.
- First transaction in such accounts shall be a credit from existing KYC-complied bank account of the customer.
- Such customers shall be categorized as high-risk customers and accounts opened in non-face to face mode shall be subjected to enhanced monitoring until the identity of the customer is verified in face-to-face manner or through V-CIP.
Accounts of Politically Exposed Persons (PEPs):
A. Company shall have the option of establishing a relationship with PEPs provided that:
- sufficient information, including information about the sources of funds, accounts of family members and close relatives, is gathered on the PEP;
- the identity of the person shall have been verified before accepting the PEP;
- The decision to open an account for a PEP is taken at senior level in accordance with the Company’s Customer Acceptance Policy;
- All such accounts are subjected to enhanced monitoring on an on-going basis;
- in the event of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, senior management’s approval is obtained to continue the business relationship;
- The CDD measures as applicable to PEPs including enhanced monitoring on an on-going basis are applicable.
B. These instructions shall also be applicable to accounts where a PEP is the beneficial owner.
Customer’s accounts opened by Professional Intermediaries:
COMPANY shall ensure while opening customer’s accounts through professional intermediaries, that:
- Customer shall be identified when client account is opened by a professional intermediary on behalf of a single client.
- Company shall have option to hold ‘pooled’ accounts managed by professional intermediaries on behalf of entities like mutual funds, pension funds or other types of funds.
- Company shall not open accounts of such professional intermediaries who are bound by any client confidentiality that prohibits disclosure of the client details to COMPANY.
- All the beneficial owners shall be identified where funds held by the intermediaries are not co-mingled at the level of Company, and there are ‘subaccounts’, each of them attributable to a beneficial owner, or where such funds are co-mingled at the level of Company, Company shall look for the beneficial owners.
- Company shall, at their discretion, rely on the CDD done by an intermediary, provided that the intermediary is a regulated and supervised entity and has adequate systems in place to comply with the KYC requirements of the customers.
- The ultimate responsibility for knowing the customer lies with Company.
Record Management
The following steps shall be taken regarding maintenance, preservation and reporting of customer account information, with reference to provisions of PML Act and Rules.
Company shall:
- maintain all necessary records of transactions between Company and the customer, both domestic and international, for at least five years from the date of transaction;
- preserve the records pertaining to the identification of the customers and their addresses obtained while opening the account and during the course of business relationship, for at least five years after the business relationship is ended;
- make available swiftly, the identification records and transaction data to the competent authorities upon request;
- introduce a system of maintaining proper record of transactions prescribed under Rule 3 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules, 2005);
- maintain all necessary information in respect of transactions prescribed under PML Rule 3 so as to permit reconstruction of individual transaction, including the following:
  - the nature of the transactions;
  - the amount of the transaction and the currency in which it was denominated;
  - the date on which the transaction was conducted; and
  - the parties to the transaction.
- evolve a system for proper maintenance and preservation of account information in a manner that allows data to be retrieved easily and quickly whenever required or when requested by the competent authorities;
- maintain records of the identity and address of their customer, and records in respect of transactions referred to in Rule 3 in hard or soft format.
Explanation. – For the purpose of this Section, the expressions “records pertaining to the identification”, “identification records”, etc., shall include updated records of the identification data, account files, business correspondence and results of any analysis undertaken.
Further, the Company shall ensure that in case of customers who are non-profit organizations, the details of such customers are registered on the DARPAN Portal of NITI Aayog. If the same are not registered, the Company shall register the details on the DARPAN Portal. The Company shall also maintain such registration records for a period of five years after the business relationship between the customer and the RE has ended or the account has been closed, whichever is later.
Reporting Requirements to Financial Intelligence Unit – India
- Company shall furnish to the Director, Financial Intelligence Unit-India (FIU-IND), information referred to in Rule 3 of the PML (Maintenance of Records) Rules, 2005 in terms of Rule 7 thereof.
Explanation: In terms of Third Amendment Rules notified September 22, 2015 regarding amendment to sub rule 3 and 4 of rule 7, Director, FIU-IND shall have powers to issue guidelines to the REs for detecting transactions referred to in various clauses of sub-rule of rule 3, to direct them about the form of furnishing information and to specify the procedure and the manner of furnishing information.
- The reporting formats and comprehensive reporting format guide, prescribed/released by FIU-IND and Report Generation Utility and Report Validation Utility developed to assist reporting entities in the preparation of prescribed reports shall be taken note of. The editable electronic utilities to file electronic Cash Transaction Reports (CTR) / Suspicious Transaction Reports (STR) which FIU-IND has placed on its website shall be made use of by REs which are yet to install/adopt suitable technological tools for extracting CTR/STR from their live transaction data. The Principal Officers of those REs, whose all branches are not fully computerized, shall have suitable arrangement to cull out the transaction details from branches which are not yet computerized and to feed the data into an electronic file with the help of the editable electronic utilities of CTR/STR as have been made available by FIU-IND on its website http://fiuindia.gov.in.
- While furnishing information to the Director, FIU-IND, delay of each day in not reporting a transaction or delay of each day in rectifying a mis-represented transaction beyond the time limit as specified in the Rule shall be constituted as a separate violation. Company shall not put any restriction on operations in the accounts where an STR has been filed. Company shall keep the fact of furnishing of STR strictly confidential. It shall be ensured that there is no tipping off to the customer at any level.
- Where RE forms a suspicion of money laundering or terrorist financing, and it reasonably believes that performing the CDD process will tip-off the customer, it shall not pursue the CDD process, and instead file an STR with FIU-IND.
- Robust software, throwing alerts when the transactions are inconsistent with risk categorization and updated profile of the customers, shall be put into use as a part of effective identification and reporting of suspicious transactions.
Requirements/obligations under International Agreements Communications from International Agencies:
Obligations under the Unlawful Activities (Prevention) (UAPA) Act, 1967:
- Company shall ensure that in terms of Section 51A of the Unlawful Activities (Prevention) (UAPA) Act, 1967 and amendments thereto, they do not have any account in the name of individuals/entities appearing in the lists of individuals and entities, suspected of having terrorist links, which are approved by and periodically circulated by the United Nations Security Council (UNSC). The details of the two lists are as under:
- The “ISIL (Da’esh) & Al-Qaida Sanctions List”, established and maintained pursuant to Security Council resolutions 1267/1989/2253, which includes names of individuals and entities associated with the Al-Qaida is available at https://scsanctions.un.org/ohz5jen-al-qaida.html
- The “Taliban Sanctions List”, established and maintained pursuant to Security Council resolution 1988 (2011), which includes names of individuals and entities associated with the Taliban is available at https://scsanctions.un.org/3ppp1en-taliban.html
- The Company shall also ensure to refer to the lists as available in the Schedules to the Prevention and Suppression of Terrorism (Implementation of Security Council Resolutions) Order, 2007, as amended from time to time. The aforementioned lists, i.e., UNSC Sanctions Lists and lists as available in the Schedules to the Prevention and Suppression of Terrorism (Implementation of Security Council Resolutions) Order, 2007, as amended from time to time, shall be verified on daily basis and any modifications to the lists in terms of additions, deletions or other changes shall be taken into account by the Company for compliance.
- Details of accounts resembling any of the individuals/entities in the lists shall be reported to FIU-IND apart from advising Ministry of Home Affairs as required under UAPA notification dated February 2, 2021 (Annex II of this Master Direction). In addition to the above, other UNSCRs circulated by the Reserve Bank in respect of any other jurisdictions/entities from time to time shall also be taken note of.
Freezing of Assets under Section 51A of Unlawful Activities (Prevention) Act, 1967
The procedure laid down in the UAPA Order dated February 2, 2021 (Annex II of the Master Direction) shall be strictly followed and meticulous compliance with the Order issued by the Government shall be ensured. The list of Nodal Officers for UAPA is available on the website of Ministry of Home Affairs.
Obligations under Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act, 2005):
- The Company shall ensure meticulous compliance with the “Procedure for Implementation of Section 12A of the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005” laid down in terms of Section 12A of the WMD Act, 2005 vide Order dated January 30, 2023, by the Ministry of Finance, Government of India.
- In accordance with paragraph 3 of the aforementioned Order, the Company shall ensure not to carry out transactions in case the particulars of the individual / entity match with the particulars in the designated list.
- Further, the Company shall run a check, on the given parameters, at the time of establishing a relation with a customer and on a periodic basis to verify whether individuals and entities in the designated list are holding any funds, financial asset, etc., in the form of bank account, etc.
- In case of match in the above cases, the Company shall immediately inform the transaction details with full particulars of the funds, financial assets or economic resources involved to the Central Nodal Officer (CNO), designated as the authority to exercise powers under Section 12A of the WMD Act, 2005. A copy of the communication shall be sent to State Nodal Officer, where the account / transaction is held and to the RBI. REs shall file an STR with FIU-IND covering all transactions in the accounts, covered above, carried through or attempted.
- It may be noted that in terms of Paragraph 1 of the Order, Director, FIU-India has been designated as the CNO.
- Company may refer to the designated list, as amended from time to time, available on the portal of FIU-India.
- In case there are reasons to believe beyond doubt that funds or assets held by a customer would fall under the purview of clause (a) or (b) of sub-section (2) of Section 12A of the WMD Act, 2005, the Company shall prevent such individual/entity from conducting financial transactions, under intimation to the CNO by email, FAX and by post, without delay.
- In case an order to freeze assets under Section 12A is received by the Company from the CNO, Company shall, without delay, take necessary action to comply with the Order.
- The process of unfreezing of funds, etc., shall be observed as per paragraph 7 of the Order. Accordingly, copy of application received from an individual/entity regarding unfreezing shall be forwarded by RE along with full details of the asset frozen, as given by the applicant, to the CNO by email, FAX and by post, within two working days.
The Company shall verify every day, the ‘UNSCR 1718 Sanctions List of Designated Individuals and Entities’, as available at https://www.mea.gov.in/Implementation-of-UNSC-Sanctions-DPRK.htm, to take into account any modifications to the list in terms of additions, deletions or other changes and also ensure compliance with the ‘Implementation of Security Council Resolution on Democratic People’s Republic of Korea Order, 2017’, as amended from time to time by the Central Government.
In addition to the above, the Company shall take into account – (a) other UNSCRs and (b) lists in the first schedule and the fourth schedule of UAPA, 1967 and any amendments to the same for compliance with the Government orders on implementation of Section 51A of the UAPA and Section 12A of the WMD Act.
Jurisdictions that do not or insufficiently apply the FATF Recommendations
- FATF Statements circulated by Reserve Bank of India from time to time, and publicly available information, for identifying countries, which do not or insufficiently apply the FATF Recommendations, shall be considered. Risks arising from the deficiencies in AML/CFT regime of the jurisdictions included in the FATF Statement shall be taken into account.
- Special attention shall be given to business relationships and transactions with persons (including legal persons and other financial institutions) from or in countries that do not or insufficiently apply the FATF Recommendations and jurisdictions included in FATF Statements.
Explanation: The processes referred to in Section 55 a & b do not preclude REs from having legitimate trade and business transactions with the countries and jurisdictions mentioned in the FATF statement.
The background and purpose of transactions with persons (including legal persons and other financial institutions) from jurisdictions included in FATF Statements and countries that do not or insufficiently apply the FATF Recommendations shall be examined, and written findings together with all documents shall be retained and shall be made available to Reserve Bank/other relevant authorities, on request.
Other Instructions
Secrecy Obligations and Sharing of Information:
- Company shall maintain secrecy regarding the customer information which arises out of the contractual relationship between the Company and customer.
- Information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer.
- While considering the requests for data/information from Government and other agencies, Company shall satisfy themselves that the information being sought is not of such a nature as will violate the provisions of the laws relating to secrecy in the banking transactions.
- The exceptions to the said rule shall be as under:
  - Where disclosure is under compulsion of law;
  - Where there is a duty to the public to disclose;
  - Where the interest of Company requires disclosure; and
  - Where the disclosure is made with the express or implied consent of the customer.
- Company shall maintain confidentiality of information as provided in Section 45NB of RBI Act 1934.
CDD Procedure and sharing KYC information with Central KYC Records Registry (CKYCR)
- Government of India has authorised the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), to act as, and to perform the functions of the CKYCR vide Gazette Notification No. S.O. 3183(E) dated November 26, 2015.
- In terms of provision of Rule 9(1A) of PML Rules, the Company shall capture customer’s KYC records and upload onto CKYCR within 10 days of commencement of an account-based relationship with the customer.
- Operational Guidelines for uploading the KYC data have been released by CERSAI.
- Company shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, as per the KYC templates prepared for ‘Individuals’ and ‘Legal Entities’ (LEs), as the case may be. The templates may be revised from time to time, as may be required and released by CERSAI.
- The ‘live run’ of the CKYCR started from July 15, 2016 in phased manner beginning with new ‘individual accounts’. Accordingly, Scheduled Commercial Banks (SCBs) are required to invariably upload the KYC data pertaining to all new individual accounts opened on or after January 1, 2017, with CKYCR. SCBs were initially allowed time up to February 1, 2017, for uploading data in respect of accounts opened during January 2017. REs other than SCBs were required to start uploading the KYC data pertaining to all new individual accounts opened on or after April 1, 2017, with CKYCR in terms of the provisions of the Rules ibid.
- Company shall upload KYC records pertaining to accounts of LEs opened on or after April 1, 2021, with CKYCR in terms of the provisions of the Rules ibid. The KYC records have to be uploaded as per the LE Template released by CERSAI.
- Once KYC Identifier is generated by CKYCR, Company shall ensure that the same is communicated to the individual/LE as the case may be.
- In order to ensure that all KYC records are incrementally uploaded on to CKYCR, Company shall upload/update the KYC data pertaining to accounts of individual customers and LEs opened prior to the above mentioned dates as per (e) and (f) respectively at the time of periodic updation as specified in Section 38 of this Master Direction, or earlier, when the updated KYC information is obtained/received from the customer.
- Company shall ensure that during periodic updation, the customers are migrated to the current CDD standard.
- Where a customer, for the purposes of establishing an account-based relationship, submits a KYC Identifier to Company, with an explicit consent to download records from CKYCR, then Company shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, unless –
- there is a change in the information of the customer as existing in the records of CKYCR;
- the current address of the customer is required to be verified;
- Company considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client;
- the validity period of documents downloaded from CKYCR has lapsed.
Reporting requirement under Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS)
Under FATCA and CRS, Company shall adhere to the provisions of Income Tax Rules 114F, 114G and 114H and determine whether it is a Reporting Financial Institution as defined in Income Tax Rule 114F and, if so, shall take the following steps for complying with the reporting requirements:
- Register on the related e-filing portal of Income Tax Department as Reporting Financial Institution at the link https://incometaxindiaefiling.gov.in/ post login –> My Account –> Register as Reporting Financial Institution.
- Submit online reports by using the digital signature of the ‘Designated Director’ by either uploading the Form 61B or ‘NIL’ report, for which, the schema prepared by Central Board of Direct Taxes (CBDT) shall be referred to.
Explanation: Company shall refer to the spot reference rates published by Foreign Exchange Dealers’ Association of India (FEDAI) on their website at http://www.fedai.org.in/RevaluationRates.aspx for carrying out the due diligence procedure for the purposes of identifying reportable accounts in terms of Rule 114H.
- Develop Information Technology (IT) framework for carrying out due diligence procedure and for recording and maintaining the same, as provided in Rule 114H.
- Develop a system of audit for the IT framework and compliance with Rules 114F, 114G and 114H of Income Tax Rules.
- Constitute a “High Level Monitoring Committee” under the Designated Director or any other equivalent functionary to ensure compliance.
- Ensure compliance with updated instructions/rules/guidance notes/press releases issued on the subject by Central Board of Direct Taxes (CBDT) from time to time and available on the web site http://www.incometaxindia.gov.in/Pages/default.aspx. REs may take note of the following:
- updated Guidance Note on FATCA and CRS
- press release on ‘Closure of Financial Accounts’ under Rule 114H (8).
A Unique Customer Identification Code (UCIC) shall be allotted while entering into new relationships with individual customers as also the existing customers by banks and NBFCs.
The Company shall, at its option, not issue UCIC to all walk-in/occasional customers such as buyers of pre-paid instruments/purchasers of third party products provided it is ensured that there is adequate mechanism to identify such walk-in customers who have frequent transactions with them and ensure that they are allotted UCIC.
Quoting of PAN
Permanent account number (PAN) or equivalent e-document thereof of customers shall be obtained and verified while undertaking transactions as per the provisions of Income Tax Rule 114B applicable to banks, as amended from time to time. Form 60 shall be obtained from persons who do not have PAN or equivalent e-document thereof.
Selling Third party products
Company acting as agents while selling third party products as per regulations in force from time to time shall comply with the following aspects for the purpose of these directions:
- the identity and address of the walk-in customer shall be verified for transactions above rupees fifty thousand as required under Section 13(e) of these Directions.
- transaction details of sale of third party products and related records shall be maintained as prescribed in Chapter VII Section 46 of this Direction.
- AML software capable of capturing, generating and analysing alerts for the purpose of filing CTR/STR in respect of transactions relating to third party products with customers including walk-in customers shall be available.
- transactions involving rupees fifty thousand and above shall be undertaken only by:
- debit to customers’ account or against cheques; and
- obtaining and verifying the PAN given by the account-based as well as walk-in customers.
- Instruction at ‘d’ above shall also apply to sale of Company’s own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for rupees fifty thousand and above.
Issuance of Prepaid Payment Instruments (PPIs)
PPI issuers shall ensure that the instructions issued by Department of Payment and Settlement System of Reserve Bank of India through their Master Direction are strictly adhered to.
Hiring of Employees and Employee training
- Adequate screening mechanism, including Know Your Employee / Staff policy, as an integral part of their personnel recruitment/hiring process shall be put in place.
- The Company shall ensure that the staff dealing with / being deployed for KYC/AML/CFT matters have: high integrity and ethical standards, good understanding of extant KYC/AML/CFT standards, effective communication skills and ability to keep up with the changing KYC/AML/CFT landscape, nationally and internationally.
- On-going employee training programme shall be put in place so that the members of staff are adequately trained in AML/CFT (Combating of financing of terrorism) policy. The focus of the training shall be different for frontline staff, compliance staff and staff dealing with new customers. The front desk staff shall be specially trained to handle issues arising from lack of customer education. Proper staffing of the audit function with persons adequately trained and well-versed in AML/CFT policies of the Company, regulation and related issues shall be ensured.
Adherence to Know Your Customer (KYC) guidelines by Company and persons authorised by Company.
- Persons authorised by Company for collecting the deposits and their brokers/agents or the like, shall be fully compliant with the KYC guidelines applicable to NBFCs/RNBCs.
- All information shall be made available to the Reserve Bank of India to verify the compliance with the KYC guidelines and accept full consequences of any violation by the persons authorised by NBFCs/RNBCs including brokers/agents etc. who are operating on their behalf.
- The books of accounts of persons authorised by NBFCs/RNBCs including brokers/agents or the like, so far as they relate to brokerage functions of the Company, shall be made available for audit and inspection whenever required.
Modification of Policy
The Board of Directors of the Company provides for periodical review of the compliance at various levels of management. A consolidated report of such reviews (if required) may be submitted to the Board at regular intervals, as may be prescribed by it.
The Company reserves to itself the right to alter/delete/add to these codes at any time without prior individual notice and such alteration/deletion/addition shall be binding.
Annexure 1
Digital KYC Process
- Company shall develop an application for digital KYC process which shall be made available at customer touch points for undertaking KYC of their customers and the KYC process shall be undertaken only through this authenticated application of Company.
- The access of the Application shall be controlled by Company and it should be ensured that the same is not used by unauthorized persons. The Application shall be accessed only through login-id and password or Live OTP or Time OTP controlled mechanism given by Company to its authorized officials.
- The customer, for the purpose of KYC, shall visit the location of the authorized official of the Company or vice-versa. The original OVD shall be in possession of the customer.
- Company must ensure that the Live photograph of the customer is taken by the authorized officer and the same photograph is embedded in the Customer Application Form (CAF). Further, the system Application of Company shall put a water-mark in readable form having CAF number, GPS coordinates, authorized official’s name, unique employee Code (assigned by Company) and Date (DD:MM:YYYY) and time stamp (HH:MM:SS) on the captured live photograph of the customer.
- The Application of Company shall have the feature that only live photograph of the customer is captured and no printed or video-graphed photograph of the customer is captured. The background behind the customer while capturing live photograph should be of white colour and no other person shall come into the frame while capturing the live photograph of the customer.
- Similarly, the live photograph of the original OVD or proof of possession of Aadhaar where offline verification cannot be carried out (placed horizontally), shall be captured vertically from above and water-marking in readable form as mentioned above shall be done. No skew or tilt in the mobile device shall be there while capturing the live photograph of the original documents.
- The live photograph of the customer and his original documents shall be captured in proper light so that they are clearly readable and identifiable.
- Thereafter, all the entries in the CAF shall be filled as per the documents and information furnished by the customer. In those documents where Quick Response (QR) code is available, such details can be auto-populated by scanning the QR code instead of manually filling in the details. For example, in case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where QR code is available, the details like name, gender, date of birth and address can be auto-populated by scanning the QR available on Aadhaar/e-Aadhaar.
- Once the above mentioned process is completed, a One Time Password (OTP) message containing the text that ‘Please verify the details filled in form before sharing OTP’ shall be sent to customer’s own mobile number. Upon successful validation of the OTP, it will be treated as customer signature on CAF. However, if the customer does not have his/her own mobile number, then mobile number of his/her family/relatives/known persons may be used for this purpose and be clearly mentioned in CAF. In any case, the mobile number of authorized officer registered with Company shall not be used for customer signature. Company must check that the mobile number used in customer signature is not the mobile number of the authorized officer.
- The authorized officer shall provide a declaration about the capturing of the live photograph of customer and the original document. For this purpose, the authorized official shall be verified with One Time Password (OTP) which will be sent to his mobile number registered with Company. Upon successful OTP validation, it shall be treated as authorized officer’s signature on the declaration. The live photograph of the authorized official shall also be captured in this authorized officer’s declaration.
- Subsequent to all these activities, the Application shall give information about the completion of the process and submission of activation request to activation officer of Company, and also generate the transaction-id/reference-id number of the process. The authorized officer shall intimate the details regarding transaction-id/reference-id number to customer for future reference.
- The authorized officer of Company shall check and verify that:
- information available in the picture of document is matching with the information entered by authorized officer in CAF;
- live photograph of the customer matches with the photo available in the document; and
- all of the necessary details in CAF including mandatory field are filled properly.
On successful verification, the CAF shall be digitally signed by authorized officer of Company who will take a print of CAF, get signatures/thumb-impression of customer at appropriate place, then scan and upload the same in system. Original hard copy may be returned to the customer.