Overview: Know Your Customers (KYC) norms

This post explains Operational Aspects of KYC including Monitoring of Transactions.

The KYC norms in banking and other financial institutions are a set of procedures and rules as outlined by the regulator RBI. The regulated institutions must follow to verify the identity and address of their customers. This process involves collecting and verifying documents that prove a customer’s identity and residential address.

KYC or “Know Your Customer” is the process employed by banks to verify the identity and address of their clients. This process is critical, as it helps prevent the banking sector from being exploited for illegal activities. KYC validation is not a one-off check but an ongoing process to ensure that the bank’s services are not misused.

There are four key elements to the KYC guidelines as set out by RBI

1. Customer Acceptance Policy;
2. Customer Identification Procedures;
3. Monitoring of Transactions; and
4. Risk Management

Customer Acceptance Policy: No account is opened in an anonymous or fictitious/benami name. Parameters of risk perception are clearly defined in terms of the nature of the business activity, location of the customer and his clients, mode of payments, volume of turnover, social and financial status, etc. to enable the bank/FIs to categorizing the customers into low, medium and high-risk ones. Documents and other information are to be collected from different categories of customers depending on perceived risk and the requirements of the PML Act, 2002, and instructions/guidelines issued by the Reserve Bank from time to time. Circumstances, in which a customer is permitted to act on behalf of another person/entity, should be clearly spelled out in conformity with the established law and practice of banking.

Customer Identification Procedures:  

Banks and financial institutions are forbidden to open an account if they are unable to apply appropriate customer due diligence measures [Read:(WHAT IS CUSTOMER DUE DILIGENCE (CDD) UNDER AML RISK MANAGEMENT IN BANKS?)], such as being unable to verify the identity and /or obtain required documents either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer. The bank/FI may also consider closing an existing account under similar circumstances. The bank/FI should have suitable systems in place to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanction lists circulated by the Reserve Bank.

(a) Customer identification means undertaking client due diligence measures while commencing an account-based relationship including identifying and verifying the customer and the beneficial owner based on one of the OVDs. Banks/FIs need to obtain sufficient information to establish, to their satisfaction, the identity of each new customer, whether regular or occasional and the purpose of the intended nature of the banking relationship. The bank/FI must be able to satisfy the competent authorities that due diligence was observed based on the risk profile of the customer in compliance with the extant guidelines in place. Such a risk-based approach is considered necessary to avoid disproportionate costs to the banks/FIs and a burdensome regime for the customers.

Banks/FIs should have a policy approved by their Boards which should clearly spell out the Customer Identification Procedure to be carried out at different stages, i.e.,

1. while establishing a banking relationship;
2. while carrying out a financial transaction;
3. when the bank/FI doubts the authenticity or adequacy of the customer identification data it has obtained;
4. when banks sell third-party products as agents;
5. while selling banks’ products, payment of dues in credit cards/sales, and reloading in prepaid/travel cards and any other product for more than Rs. 50,000/-.
6. when carrying out transactions for a non-account-based customer, that is a walk-in customer, where the amount involved is equal to or exceeds Rs. 50,000/-, whether conducted as a single transaction or several transactions that appear to be connected.
7. when a bank/FI has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of Rs. 50,000/-

Banks/FIs may seek ‘mandatory’ information required for KYC purposes which the customer is obliged to give while opening an account or during periodic updation. Other ‘optional’ customer details/additional information, if required, may be obtained separately after the account is opened only with the explicit consent of the customer.

Monitoring of Transactions:

Constant monitoring is an essential element of effective KYC/AML procedures. Regular exercises of Customer Due diligence should be carried out to closely examine the transactions to ensure that they are consistent with the customer’s profile and source of funds as per extant instructions. Such review of risk categorisation of customers should be carried out at a periodicity of not less than once in six months. The ongoing due diligence may be based on the following principles:

a) The extent of monitoring will depend on the risk category of the account. High-risk accounts have to be subjected to more intensified monitoring.

(b) Banks/FIs should pay particular attention to the following types of transactions:

1. large and complex transactions, and those with unusual patterns, that have no apparent economic rationale or legitimate purpose.
2. transactions that exceed the thresholds prescribed for specific categories of accounts.
3. transactions involving large amounts of cash inconsistent with the normal activity of the customer.
4. high account turnover inconsistent with the size of the balance maintained.

It is important to monitor the transactions in accounts of marketing firms, especially accounts of Multi-level Marketing (MLM) Companies. Banks should analyse data in cases where a large number of checkbooks are sought by the company, there are multiple small deposits (generally in cash) across the country in one bank account, and where a large number of cheques are issued bearing similar amounts/dates. Where such features are noticed by the bank and in case they find such unusual operations in their accounts, the matter should be immediately reported to the Reserve Bank and other appropriate authorities such as FIU-IND. [ To know more read: WHAT IS MONEY LAUNDERING AND FINANCING OF TERRORISM RISKS?]

 Risk Management:

Banks/FIs should exercise ongoing due diligence concerning the business relationship with every client and closely examine the transactions to ensure that they are consistent with their knowledge about the clients, their business and risk profile, and where necessary, the source of funds.

The Board of Directors should ensure that an effective AML/CFT programme [read: WHAT ARE CFT AND FATF IN BANKING?], is in place by establishing appropriate procedures and ensuring their effective implementation. It should cover proper management oversight, systems and controls, segregation of duties, training of staff, and other related matters. In addition, the following may also be ensured for effectively implementing the AML/CFT requirements.

1. Using a risk-based approach to address management and mitigation of various AML/CFT risks.
2. Allocation of responsibility for effective implementation of policies and procedures.
3. Independent evaluation by the compliance functions of bank/FI’s policies and procedures, including legal and regulatory requirements.
4. Concurrent/internal audit to verify compliance with KYC/AML policies and procedures.
5. Putting up consolidated notes on such audits and compliance to the Audit Committee at quarterly intervals.

For each new customer, banks shall prepare a customer profile. Banks/FIs should prepare a profile for each new customer based on risk categorization (low, medium, and high risk) containing information relating to the customer’s identity, social/financial status, nature of the business activity, information about the client’s business and their location, etc. The nature and extent of due diligence will depend on the risk perceived by the bank/FI.

The nature and extent of due diligence may be based on the following principles:

1. Individuals (other than High Net Worth) and entities, whose identity and source of income, can be easily identified, and customers whose accounts the transactions conform to the known profile, may be categorised as low risk. Illustrative examples include salaried employees and pensioners, people belonging to lower economic strata, government departments and government owned companies, regulators and statutory bodies, etc. Further, Non-Profit Organisations (NPOs)/ Non-Government Organisations (NGOs) promoted by the United Nations or its agencies, and such international/ multilateral organizations of repute, may also be classified as low-risk customers.
2. Customers who are likely to pose a higher than average risk should be categorised as low, medium, or high risk depending on the background, nature, and location of the activity, country of origin, sources of funds, customer profile, etc. Customers requiring a very high level of monitoring, e.g., those involved in cash-intensive business, Politically Exposed Persons (PEPs) of foreign origin, may, if considered necessary, be categorised as high risk.

[To know more read: WHAT IS CUSTOMER DUE DILIGENCE (CDD) UNDER AML RISK MANAGEMENT IN BANKS?]

RBI guidance states that “The above guidelines for risk categorisation are indicative and banks/FIs may use their judgment in arriving at the categorisation for each account based on their own assessment and risk perception of the customers and not merely based on any group or class they belong to. Banks may use for guidance in their risk assessment, the reports and guidance notes on KYC/AML issued by the Indian Banks Association”.

For documents and other information to be collected from different categories of customers depending on perceived risk and the requirements of the PML Act, 2002, and instructions/guidelines issued by the Reserve Bank from time to time. [Read: KYC POLICY FOR OPENING BANK ACCOUNTS OF ALL VARIETIES (LATEST UPDATE] Circumstances, in which a customer is permitted to act on behalf of another person/entity, should be spelled out in conformity with the established law and practice of banking. The bank/FI should have suitable systems in place to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanction lists circulated by the Reserve Bank. It is important to bear in mind that the adoption of a customer acceptance policy and its implementation should not be too restrictive which results in the denial of banking facilities to members of the general public, especially those, who are financially or socially disadvantaged.

Related Posts

More Related Posts: