On October 17, 2023, the Reserve Bank of India (“RBI”) for the third time this year, amended the Master Direction – Know Your Customer (KYC) Direction, 2016 (“KYC Directions”). These recent amendments shall be effective immediately and seem to have been introduced with the prime objective to align the KYC Directions with the recent amendments made to the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PMLA Rules”) under the Prevention of Money Laundering Act, 2002 (“PMLA”), as well as to incorporate the amendments made to Unlawful Activities (Prevention) Act, 1967 (UAPA) on August 29, 2023 and the Government instructions under its order dated September 1, 2023 in connection with the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act, 2005).
A. Key highlights of amendments
- Extending the scope of KYC Directions.
(a) The KYC Directions will now also be applicable to the Asset Reconstruction Companies which were not explicitly included within the ambit of Regulated Entities (“REs”) under the erstwhile directions.(b) As the KYC Directions apply to offshore branches and majority owned overseas subsidiaries of REs, the RBI will now have the right to instruct the REs to take actions and additional measures to manage money laundering (ML) / terrorism financing (TF) risks.
- Alignment with the recent amendments to the PMLA Rules in September and October 2023.
Multiple amendments have been made to align the KYC Directions with the recent amendments to the PMLA Rules, including:
(a) Beneficial ownership criteria for partnerships: The criteria for determination of the beneficial owner for partnership firms has now been lowered to 10% (from the erstwhile threshold of 15%). In addition, it has been clarified that the term ‘control’ shall also include the right to control the management or policy decision.
(b) Principal officer: Management level officer should only be appointed/ nominated by the RE as the ‘principal officer’ for furnishing information to the RBI in relation to compliance with the KYC Directions.
(c) Customer due diligence: To manage the growing adoption of the digital payment systems and banking networks, certain supplementary measures have been introduced for REs in connection with customer due diligence process (“CDD”):
(i) CDD should be undertaken by RE using ‘reliable’ and ‘independent sources of identification’.
(ii) REs should undertake all reanable steps to seek information about the ‘purpose’ of transactions, ‘intended nature of business relationship’, and ‘ownership and control’, wherever applicable.
(iii) Undertaking determination (if required), whether the customer is acting on behalf of the beneficial owner.
(iv) Identifying and verifying the identity of the beneficial owner using ‘reliable’ and ‘independent sources of identification’.
Unlike the erstwhile KYC Directions, wherein, REs conducted CDD by seeking officially valid documents (or other documents or information, as applicable) and verifying these documents and information submitted by the customers, the REs will now be required to identify and verify the identity of its customers and/ or the beneficial owners using ‘reliable’ and ‘independent sources of identification’. Presently, there is no clarity on what such processes may encompass under the KYC Directions.
(d) Reliance on third-party CDD: While the KYC Directions already permitted REs to rely on CDD data from third-parties or Central KYC Records Registry, the REs may now only rely on the CDD data obtained ‘immediately‘. This is a departure from the erstwhile provision which permitted RE to rely on CDD data obtained within 2 days.
(e) CDD for trusts: For CDD of trusts, REs will now also be required to obtain the name of the ‘protector’ (if any).
(f) Periodic updation of KYC: REs will now also be required to ensure that information or data collected for CDD is up-to-date and relevant, especially where the customers/ accounts/ transactions are high risk.
(g) Additional measures for CDD of Politically Exposed Persons (“PEPs”): REs should also have in place appropriate risk measures for determining that whether the customer or beneficial owner is the PEP and establishing source of funds/ wealth.
(h) REs to implement CDD programme: REs will now be required to implement CDD programme which should encompass the risks associated with ML/ TF (that RE may by itself or through National Risk Assessment identify) and the size of the business. REs should also monitor the implementation of such policies and suggest enhanced controls, if required.
(i) Group level policies and programmes: Every RE which is part of a group will be required to implement group level policies and programmes for ensuring compliance with the PMLA Rules, including for –
- curbing ML/TF;
- sharing information within the group for CDD and ML/ TF risk management along with adequate safeguards for confidentiality and use of information shared. These confidentiality measures should not inhibit sharing of information and suspicious transactions to Director, FIU-IND; and
- Putting in place measures to prevent tipping-off.
(j) Confidentiality safeguards: Policies and processes should be put in place to ensure that RE itself, its directors, officers and all employees/ personnel should ensure that maintenance of records for furnishing information to Director, FIU-IND is kept confidential.
(k) International compliance: Enhanced compliance requirements have been prescribed for the REs, including undertaking countermeasures, if called upon by any international or inter-governmental organization of which India is a member of and accepted by the Central Government.
- Periodicity of ML / TF risk assessment review. The Board of the RE or a Committee of the Board may determine the periodicity of ML / TF risk assessment.
- Record management of customer information. It is now clarified that REs will be required to maintain records of ‘customer information’ and not just ‘customer account information‘ The amendment now removes ambiguity on requirement to also maintain records of any walk-in customer along with an actual account holder or customer.
- Enhanced due diligence for jurisdictions that are not FATF compliant. REs will now be required to actively undertake due diligence which are proportionate and effective to the risks, business relationships and transactions which may be required per the FATF Recommendations for transactions in such jurisdictions.
- Additional compliances for REs.
(a) Reporting inability to comply with CDD measures: REs must consider filing of suspicious transactions reporting (“STR”) even if it is unable to comply with the CDD measures for a customer.
(b) Accounts with Non-banking Finance Companies: NBFCs will now be required to be more vigilant with respect to accounts opened through simplified process (i.e., without complete CDD) requiring them to continuously monitor activities and transactions attached to such accounts. In the event, there are any suspicion of ML/ TF activities or other high-risk scenarios on these accounts, NBFCs will be required to complete the CDD of such accounts even prior to completion of the permitted 12 months conditional period of operation (i.e., calculated from the date of opening of the account).
(c) Wire transfers: For wire transfers below INR 50,000 from a customer that is not an account holder, the ordering RE is only required to include a unique transaction reference (“UTR”) number, subject to such UTR being able to be traced back to the originator customer or the beneficiary. In addition, the RE should make the originator information (or beneficiary information, as can be tracked back) available to the intermediary RE, beneficiary RE or competent authorities, within 3 days of receiving request. In addition, the provisions for STR filing and reporting to FIU have now been extended to all REs, while earlier the same were only applicable for Money Transfer Service Scheme providers. - Additional measures for Banks.
- Compliance with Foreign Act: To create transparency and coherence within regulators, banks are now also required to ensure meticulous compliance with the provisions of Foreign Contribution Act, 2010 and instructions on the subject-matter from the RBI and Ministry of Home Affairs notified/ communicated/ issued from time to time.
- Identification of Money Mules accounts: Banks are now required to undertake comprehensive and meticulous measures to identify Money Mules accounts and take appropriate actions including reporting to FIU-IND.
- Correspondent banking: Banks in addition to ‘gathering information’ are now also required to understand the nature of business respondent correspondent bank along with using the publicly available information to determine the reputation and the quality of supervision at the respondent bank. Banks are specifically instructed to neither commence nor continue any correspondent banking relationship with shell banks.
- Amendments to obligations under the Government order in relation to the UAPA and the WMD Act.
The processes / procedures under Annexure II and III of the KYC Directions have been updated, in line with the amendments made to Unlawful Activities (Prevention) Act, 1967 (UAPA) on August 29, 2023 and the revised Government instructions under its order dated September 1, 2023 in connection with the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act, 2005).
B. Takeaways
RBI has been proactively aligning the KYC Directions with the other applicable KYC and ML/ TF laws to avoid any unnecessary regulatory uncertainty that may have been caused in the absence of these amendments. In our view, these amendments are expected to have a significant impact on the processes and procedures of the REs, especially in relation to the CDD processes. This amendment to the KYC Directions re-emphasizes the role played by REs to combat ML / TF related risks and to safeguard their customers and the nation’s financial system against any threats arising therefrom.