What is KYC norms?

Updated as per RBI amended Master Direction dated June 04, 2024

KYC stands for “Know Your Customer”. It’s a process to prevent banks and other financial institutions from being used as a channel for Money Laundering (ML)/ Terrorist Financing (TF) and to ensure the integrity and stability of the financial system, efforts are continuously being made both internationally and nationally, by way of prescribing various rules and regulations. Internationally, the Financial Action Task Force (FATF) which is an inter-governmental body established in 1989 by the Ministers of its member jurisdictions, sets standards and promotes effective implementation of legal, regulatory, and operational measures for combating money laundering, terrorist financing, and other related threats to the integrity of the international financial system. India, being a member of FATF, is committed to upholding measures to protect the integrity of the international financial system.
Know Your Customer (KYC) norms are a set of guidelines that banks and financial institutions use to verify a customer’s identity and protect themselves from fraud, money laundering, and other financial crimes. KYC norms include:
Prevents financial crime: KYC helps to prevent banks from being used for money laundering and other illegal activities.
Improves customer service: KYC helps banks understand their customers and their financial dealings, which can help them provide better service.
Risk management: KYC helps banks to manage their risks more prudently.
Account opening: KYC is mandatory for opening and maintaining a bank account.

RBI amended the Master Direction on Know Your Customer (KYC) further to leverage the Video-based Customer Identification Process (V-CIP) and simplify and rationalise the periodic updating of KYC.

Banks and other regulated entities have to undertake Customer Due Diligence (CDD) while dealing with the customers as per the process laid out in the Master Direction (MD) of RBI on KYC as amended from time to time. As per prevailing provisions, REs shall adopt a risk-based approach for periodic updation of KYC and carry out at least once every two years for high-risk customers, once every eight years for medium-risk customers, and once every ten years for low-risk customers from the date of opening of the account / last KYC updation.

Video-based Customer Identification Process (V-CIP) is an alternate method of customer identification with facial recognition and customer due diligence by an authorized official of the regulated entity by undertaking seamless, secure, and live, informed-consent-based audio-visual interaction with the customer to obtain identification information required for CDD purpose and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining an audit trail of the process.  According to the amended provision clause (xx) of Section 3 of KYC norms, such processes complying with prescribed standards and procedures shall be treated on par with face-to-face Customer Identification Process. In case of individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity (LE) customers, Customer Due Diligence (CDD), the V-CIP to be carried out by the regulated entities d in terms of amended Section 18. In the case of Customer Due Diligence (CDD) of a proprietorship firm, REs shall obtain the equivalent e-document of the activity proofs concerning the proprietorship firm, as mentioned in Section 28, apart from undertaking the CDD of the proprietor.

The amended Section 17 Clause (v), states that accounts, both deposit and borrowal, opened using OTP-based e-KYC shall not be allowed for more than one year unless identification as per Section 16 or as per Section 18 (V-CIP) is carried out. If Aadhaar details are used under Section 18, the process shall be followed in its entirety including fresh Aadhaar OTP authentication. The above rule also applies to the conversion of existing accounts opened in non-face-to-face mode using Aadhaar OTP-based e-KYC authentication/  Updation/Periodic updation of KYC for eligible customers. The central bank has also specified certain minimum standards that regulated entities will have to follow while opting to undertake V-CIP. “The technology infrastructure should be housed in own premises of the RE and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology-related outsourcing for the process should be compliant with relevant RBI guidelines,” it said. The authorized official performing the V-CIP shall record audio-video as well as capture photographs of the customer present for identification and obtain the identification information using any one of the following, it said.

• OTP-based Aadhaar e-KYC authentication
• Offline Verification of Aadhaar for identification
• KYC records downloaded from CKYCR, in accordance with Section 57, using the KYC identifier provided by the customer
• Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through DigiLocker.

The V-CIP infrastructure/application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses, it said. The amended sections further specify that video recordings should contain the live GPS coordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt. Any detected case of forged identity through V-CIP shall be reported as a cyber security event under extant regulatory guidelines. Also, the RE should ensure end-to-end encryption of data between the customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent has to be recorded in an auditable and alteration-proof manner.RE shall ensure to redact or blackout the Aadhaar number in terms of Section 16.

In case of offline verification of Aadhaar using an XML file or Aadhaar Secure QR Code, Banks, and other regulated entities are required to ensure that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP. Further, REs shall ensure that the video process of the V-CIP is undertaken within three days of downloading/obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document if in rare cases, the entire process cannot be completed in one go or seamlessly. However, REs shall ensure that no incremental risk is added due to this.

Wherever the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured, as per the existing requirement. The economic and financial profile/information submitted by the customer shall be confirmed by the customer suitably undertaking the V-CIP. A clear image of the PAN card shall be displayed during the process, except in cases where an e-PAN is provided by the customer. It is important to note that the use of printed copies of equivalent e-documents including e-PAN is not valid for the V-CIP. The PAN details shall be verified from the database of the issuing authority including through DigiLocker.

The authorised official of the RE shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer. However, Assisted V-CIP shall be permissible when banks take the help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.

“All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and its acceptability of the outcome. All matters not specified under the paragraph but required under other statutes such as the Information Technology (IT) Act shall be appropriately complied with by the RE” said RBI.

“Customer Due Diligence (CDD)” means identifying and verifying the customer and the beneficial owner using reliable and independent sources of identification.

Explanation – The CDD, at the time of commencement of an account-based relationship or while carrying out occasional transactions of an amount equal to or exceeding rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, or any international money transfer operations, shall include:

Identification of the customer, verification of their identity using reliable and independent sources of identification, obtaining information on the purpose and intended nature of the business relationship, where applicable;

Taking reasonable steps to understand the nature of the customer’s business, and its ownership and control;

Determining whether a customer is acting on behalf of a beneficial owner, identifying the beneficial owner, and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification.

On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with RE’s knowledge about the customers, customers’ business and risk profile, and the source of funds/wealth.