Know Your Customer (“KYC”), as the name suggests, is the mechanism of vetting and verifying the identity of customers either before or at the time of availing financial services, to ensure that the customer enrolling to avail such financial services is genuine and has the right credentials.
As discussed earlier, the KYC mechanism is used as a precautionary measure to curb illegal and fraudulent activities such as, bribery, money laundering, corruption etc., since, it helps in identifying the details of the customer indulged in such fraudulent transaction instantly through KYC database.
The Reserve Bank of India (“RBI”) in order to ensure a seamless, secured, and robust system for financial data sharing, has asked each financial entity to conduct KYC of each customer either before or at the time of enrolling, to avail financial services and has laid down the regulatory mechanisms for KYC vide Master Direction – Know Your Customer (KYC) Direction, 2016 [RBI/DBR/2015-16/18].
The object of enacting the KYC requirement is to deter the use of Regulated Entities (“REs”) as a locus of money laundering, fraud, corruption, and other financial crimes. Further, the KYC mechanism simultaneously protects REs whilst also allowing a seamless exchange of information between the customer and the financial entity.
The KYC requirements are concurrent with Customer Due Diligence (“CDD”) processes, as both mechanisms are indulged in the process of identification to ensure optimum risk management for the financial industries.
In this article, we shall be discussing about the Regulatory Framework and legal compliances of KYC mechanisms to be complied with provided under KYC Master Direction.
WHO ARE REGULATED ENTITIES (REs)?
Before moving towards understanding the required compliances for REs under KYC Master Direction, it is pertinent to learn about its categories and qualification criteria for such categories. Qualification criteria are discussed herewith:
- All Scheduled Commercial Banks, Regional Rural Banks, Local Area Banks, Primary (Urban) Co-operative Banks, State and Central Co-operative Banks, any other entity licensed under Section 22 of Banking Regulation Act, 1949;
- All India Financial Institutions;
- All Non- Banking Finance Companies, Miscellaneous Non- Banking Companies, Residuary Non-Banking Companies;
- All Payment System Providers / System Participants, Prepaid Payment Instrument Issuers;
- All Authorised persons, including agents of Money Transfer Service Scheme.
STAGES OF DILIGENCE IN KYC
The concept of Customer Due Diligence (“CDD”), was introduced under the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (“PMLA Rules”), which provides different methods for verification of the client’s identity considering the type of client, business relationships, nature of transaction, and so on.
To ensure that KYC diligence occurs in a way that fulfils all of its objectives, a step by step CDD process shall be adopted. The objective behind conducting CDD process is to identify that the customer enrolling to avail any kind of financial services is genuine, contains valid credentials and does not have an agenda to defraud or commit any financial crime.
The process of diligence in KYC has three stages:
1. The first stage of diligence is Simplified Due Diligence (“SDD”).
- SDD is the process of evaluating if an individual is at heightened risk of perpetrating a financial crime or siphoning funds for illegal activities. It is the process of scrutinization of the customer’s footprint in the world.
- The SDD process takes place even before their identification documents are validated. Under this SDD, Sanction Lists by the OFAC, EU, UN, or InterPol need to be checked to ensure the potential customer has not been involved in financial crimes in any jurisdiction.
- Further, under SDD process it is to be checked whether your prospective customer is a Politically Exposed Person (“PEP”) or not. The RBI has defined PEP as individuals who are, or have been, entrusted with prominent public functions in any foreign jurisdiction. These persons could be, inter alia, heads of states or of governments and senior politicians. These PEP’s are considered as high risk.
- The RBI has further asked RE to scrutinize any relatives of PEPs as an additional layer of risk management.
2. The second stage of diligence is Basic Customer Due Diligence (“CDD”).
- Basic CDD is the process of vetting the customer identity, in view of the documents submitted for identification. The CDD measures involve a collection of all the material data on the customer from legitimate sources, for the determination of the object, nature, and beneficiaries of the relationship being created.
- This further allows the institution to monitor the nature of an ongoing relationship and ensure that no discrepancies between the documentation and the identity of the customer take place.
3. The third stage of diligence is Enhanced Due Diligence (“EDD”).
This is an added layer of scrutiny for those customers who have been classified as ‘high-risk’, a much higher level of diligence shall be undertaken to mitigate the factors of risk that arise from the profile of such customer, such as, in case a Customer is a PEP, then such customer falls under the category of high risk and is required to be investigated thoroughly to avail any kind of financial services.
COMPLIANCE TO BE UNDERTAKEN BY REGULATED ENTITIES
Rule 6 of the Master Directions provides that a Designated Director of a RE shall ensure that the entity is in overall compliance with the terms of the provisions of the Prevention of Money Laundering Act, 2002 (“PMLA Act”) and the PMLA Rules. The compliance requirements include –
Firstly, the maintenance of a record of all transactions falling within the ambit of prescribed nature and value. These transactions may be singular or make up a series of transactions towards a singular object.
Secondly, the identities of all clients shall be verified by way of facilitation of KYC documents and shall be made available on an accessible record.
Further, the RE’s are also required to comply with the following measures to ensure a seamless, robust and secured platform for its customers to avail financial services –
a) Constitute a “Senior Management” position with the purpose of ensuring that RE’s are in compliance with the KYC Master Directions;
b) Allocate responsibility to its employees to ensure effective implementation of KYC policies and procedures;
c) Conduct regular independent evaluation and internal audit to verify that KYC polices are complied with and a quarterly audit report to be submitted to the Audit Committee;
d) Ensure that there is no outsourcing of decision making functions in regards of the compliance of KYC norms.
The KYC Master Direction provides a comprehensive list of compliances that were required to be complied in a strict and rigid manner by the REs. However, in 2021 the nature and methodology of the compliance mechanisms were tweaked to provide ease of practice to these REs in light of the unprecedented pandemic.
The RBI eased compliance norms by allowing the REs to use Video based Customer Identification Process (V-CIP). This was done with the agenda of rationalizing and simplifying the KYC process, since it removes the mandate of physical presence of customers for KYC verifications.
The requirement to update KYC data has also been rationalized by requiring REs to adopt a risk based approach. The timelines provided to update the KYC data is as follows:
- High Risk Customers: Customers, who were identified as high risk in the CIP and SDD stage, shall update KYC details at least once in every two years.
- Medium Risk Customers: Customers, who were identified as medium risk during CIP stage, shall update KYC details, once in every eight years.
- Low Risk Customers: Customers, who have been identified as Low risk customers, naturally have the most relaxed timeline to update KYC details as they are required to update KYC details once in every ten years from the date of opening of the account.
In cases, where the REs fail to comply with the aforementioned compliances, then penalty for non-compliance can be imposed by the RBI under Section 47A (1)(c) read with Section 46(4)(i) of the Banking Regulation Act, 1949.
KYC FRAMEWORK UNDER UIDAI
Unique Identification Authority of India (“UIDAI”) is a statutory authority established under the statutory provisions of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (“Aadhaar Act 2016”).
The UIDAI has integrated the Aadhaar with the KYC mechanism to authenticate a customer’s identity, since, Aadhaar is considered as material document for establishment of credentials for identification and diligence. The UIDAI has integrated the Aadhaar with the KYC mechanism in three ways:
1. Online KYC
Under this method, there are two methods to do KYC (i) Aadhaar OTP and (ii) Aadhaar-based Biometric KYC.
a) Aadhaar OTP
It allows customer to authenticate details quite instantly, as it allows the customer to authenticate details vide OTP received on the mobile number registered with the Aadhaar. Thereafter, once the KYC detail is verified by the UIDAI, the KYC registration Agency (KRA) will approve the KYC process.
b) Aadhaar based Biometric KYC Process
Under this method the customer has to apply for KYC online and post applying, an executive from the KRA visits his home/office for biometric verification to whom customer is required to submit his physical documents and biometrics and once the biometric data is verified, the KRA will complete the KYC.
Although, the Aadhaar based Biometric process is more tedious than the OTP based process, a customer under OTP based KYC process is allowed to invest only up to Rs. 50,000 p.a. whereas, if you get your KYC done through Aadhaar based Biometric Authentication or offline, the bar of Rs. 50,000 is lifted and there remains no maximum limit of investment.
2. Offline KYC
Under this process, a customer is required to visit the nearest branch of KRA office and submit the KYC form containing Aadhaar along with physical documents to complete the KYC process.
3. Aadhaar E-KYC
Aadhaar Electronic-Know Your Customer (“Aadhaar e-KYC”) is a mechanism that allows for instantaneous and paperless KYC as it allows the RE’s to authenticate a customer’s Aadhaar details through Aadhaar registry wherein the customer’s Aadhaar detail is stored.
The UIDAI created a robust framework that reduced the time and costs of a customer’s verification by providing the REs with concrete proof of a customer’s identity electronically, negating the requirement of physical documentation.
It is pertinent to note that the Hon’ble Supreme Court of India (“SC”) addressed the privacy concerns arising out of the misuse of Aadhaar data in the notable judgment of Justice K.S.Puttaswamy vs Union Of India, [(2017) 10 SCC 1. In view of the judgment, the SC banned private entities from using Aadhaar e-KYC for verification and authentication purposes, considering the security of the biometric data of the citizen of India.
Thereafter, the RBI has created a mechanism where Non-Banking Finance Companies (‘NBFCs’), has to apply for a license to undertake authentication through means of KYC and upon receipt of the application the Central Government would provide permit to the NBFCs to use Aadhaar for authentication of KYC. However, such authentication should be in compliance of the terms of Section 11A of the PMLA which permits entities to authenticate KYC using a customer’s Aadhaar number provided by the UIDAI.
The mechanism of KYC compliances and regulations so far, can be inferred to be a dynamic and organic process which responds to the changing judicial views, Fin-Tech industry development, and social needs. The layers of diligence process, if pursued diligently will help reduce opacity in transactions all over the country.
The KYC mechanism is posed with the challenge of ensuring that the ease of doing business for the entities is maintained while ensuring no individual is unduly excluded from the formal financial system. Furthermore, considering that the KYC mechanism is a balancing act between the aforementioned rights. The State and the RBI have a mammoth task of development of KYC.
In the next article we shall be discussing about the transformation brought in by the Video-based KYC (“V-CIP”) in authenticating and verifying the credentials of a customer in a much more efficient and effective manner.
– TEAM AMLEGALS, assisted by Ms. Kashish Gupta (Intern)
For any query or feedback, please feel free to connect with email@example.com or firstname.lastname@example.org.