India: Amendment To The Master Direction On KYC

1. INTRODUCTION

On April 28, 2023, the Reserve Bank of India ("RBI") amended the Master Direction on Know Your Customer dated February 25, 2016 ("KYC MD")¹, which regulates the customer due diligence process undertaken by entities regulated by the RBI ("REs"). The RBI amended the KYC MD in order to: (i) align its instructions with that of the amendments to the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 ("PMLR")² dated March 7, 2023, (ii) incorporate the instructions of the government under the Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 ("WMD Act")³, (iii) to align the KYC MD with the recommendations of the Financial Action Task Force ("FATF"), and (iv) to further refine the KYC MD basis the RBI's review.

This article encapsulates the key changes brought about by the amendment to the KYC MD.

2. KEY CHANGES

The key changes introduced under the amendment are as follows:

2.1 Determination of beneficial owners. In line with amendments to the PMLR, the amendment to the KYC MD also lowers the shareholding threshold for REs to identify beneficial owners, where the client is a company or trust acting on behalf of its beneficial owner. The earlier prescribed threshold for identifying a 'beneficial owner' based on controlling ownership interest was 25% (Twenty Five Percent) of shares or capital or profit in the company and 15% (Fifteen Percent) of the interest in the trust, which has been further lowered to 10% (Ten Percent) for both companies and Moreover, the amendments have exempted companies listed on a stock exchange in India, a stock exchange in a foreign jurisdiction notified by the Central Government, or subsidiaries of such listed companies from having to identify any shareholder or beneficial owner. While this change may increase the compliance burden of companies and trusts, this reduced threshold will serve to increase regulatory supervision of RE's, thereby lowering instances of money laundering.

2.2 Enhanced customer due diligence for non-individual customers. In line with the amendments to the PMLR, the customer due diligence documentation requirement for companies, partnership firms and trusts now also includes the submission of details such as names of persons holding senior management position in the company, names of all the partners in the case of a partnership firm and the names of beneficiaries, trustees, settlors, and authors in the case of a trust. Additionally, details of the registered office address and principal place of business must now be submitted by such customer to REs. The amendment seeks to improve the customer due diligence procedure for non-individuals by identifying on whose behalf the entity is acting.

2.3 Politically Exposed Persons ("PEP"). In line with the amendments to the PMLR, the amendment has introduced the definition of PEPs in the KYC Master Directions, which is defined as "individuals who have been entrusted with prominent public functions by a foreign country, including the heads of States or Governments, senior politicians, senior government or judicial or military officers, senior executives of state-owned corporations and important political party officials". While additional requirements such as enhanced monitoring on an ongoing basis were already in place for accounts held by PEPs, the amendment has clarified who will be considered a PEP and for whose accounts the RE's will need to undertake such additional measures.

2.4 NPO registration under DARPAN. In line with the amendments to the PMLR, all REs are required to register the details of its client, in case the client is a non-profit organisation, on the DARPAN Portal of NITI Aayog, if not already registered, and maintain such registration records for a period of 5 (Five) years after the business relationship between the client and the RE has ended or the account has been closed, whichever is later.

2.5 Updation / Periodic Updation of KYC. Aadhaar one time password ("OTP") based electronic Know Your Customer ("e-KYC") in non-face to face mode has been permitted to be used for periodic updation. In this regard REs must ensure that the mobile number provided for Aadhaar authentication by the customer is the same as mentioned in the customer profile. However, if the current address and the address in the Aadhaar details of the customer is not the same, the RE should not require positive confirmation. The provision of e-KYC will serve to simplify the periodic updation process for the customers of RE's.

2.6 Enhanced due diligence in non-face to face customer The amendments have introduced enhanced due diligence requirements when onboarding any and all customers in a non- face to face manner (excluding Aadhaar OTP based e-KYC), including the use of digital channels such as Central KYC Registry ("CKYCR"), DigiLocker and non-digital modes such as obtaining copy of officially valid documents (OVD) certified by relevant authorities. The list of enhanced due diligence measures now also requires: (i) REs to verify the current address through positive confirmation before allowing operation in the customer's account; (ii) collection and verification of permanent account number (PAN); (iii) such customers to be categorised as high-risk customers;(iv) first transaction in such accounts shall be a credit from an existing KYC-complied bank account of the customer, (v) if the RE employs the Video based Customer Identification Process ("V-CIP") method, the same shall be provided as the first option to customers for remote onboarding, while also complying with the requirements specified in para 2.8, and (vi) accounts opened in non-face to face mode shall be subject to enhanced monitoring until the identity of the customer is verified in a face to face manner or through V-CIP etc. The intent of this change seems to be to influence RE's to increase their usage of face-to-face KYC methods by adding more requirements and restrictions to the usage of non-face to face KYC methods, in order to manage the risks associated with non-face to face KYC.

2.7 Instructions on CKYCR. The amendments have clarified that the KYC documents downloaded from the CKYCR, the validity for which has lapsed, should not be used for KYC purposes by the downloading REs.

2.8 V-CIP regulations. The validity of the Aadhaar extensible markup language (XML) file or the Aadhaar Secure quick response (QR) Code generated for the V-CIP process has been changed to 'three working days' from the earlier three days. REs are also required to ensure that the video process of the V-CIP is undertaken within 'three working days' of downloading or obtaining the identification information through the CKYCR, Aadhaar authentication or an equivalent e- document, if in the rare cases, the entire process cannot be completed at one go or This change will help to ensure the authenticity of the V-CIP process by restricting the time period during which the documents and information can be used.

2.9 Unique Customer Identification Code ("UCIC"). All REs are now required to allot a UCIC to its existing as well as new Earlier, this requirement was only applicable to banks and Non- Banking Financial Companies ("NBFC").

2.10 Customer Acceptance Policy ("CAP"). Any additional information that is required from the customer that is not specified in the RE's CAP or internal KYC policy should be obtained with the explicit consent of its customer. Further, where the goods and services tax (GST) number of the customer is available, it should be verified through the verification facility provided by the issuing This change intends to protect customers during the KYC process from having to provide additional unrequired documents.

2.11 Risk The indicative list of parameters for risk categorization has been expanded to also include (i) geographical risk covering customers as well as transactions, (ii) the type of products or services, (iii) the delivery channel used for the delivery of products or services and (iv) the types of transaction undertaken. REs must treat the risk categorisation and reasons for risk categorization of customers as confidential. This introduction will serve to enable RE's to undertake a more risk averse approach to the customer due diligence process by taking into account the additional factors.

2.12 Introduction of new REs are now required to identify and assess the money laundering and terrorist financing risks that may arise in relation to the development or implementation of new products and new business practices as well as the usage of new or developing technologies. REs must undertake risk assessments prior to the launch or use of any such products, practices, services or technologies and must take appropriate measures to manage and mitigate such risks. This can be viewed as a response to the development of cryptocurrencies and block chain technology due to their capacity to circumvent regulatory supervision.

2.13 Udyam Registration Certificate as proof of business. The amendment has clarified that the Udyam Registration Certificate issued by the government to Micro, Small and Medium enterprises ("MSMEs") can be used as proof of business for the customer due diligence process for sole proprietaryy firms.

2.14 Compliance with Government order on WMDs. REs are now required to ensure compliance with the WMD Act in relation to monitoring, freezing and unfreezing of accounts, financial assets, etc. of individuals and entities under the designated list maintained and updated by the Ministry of External Affairs under the WMD Act. REs must, at the time of establishing a relation with a customer and on a periodic basis, verify whether individuals and entities in the designated list are holding any funds or financial asset with the RE. In case of a match, REs must immediately inform the transaction details with full particulars of the funds, financial assets or economic resources involved, to the Central Nodal Officer, established under the WMD Act.

2.15 Adherence to updated sanctions lists. REs should additionally adhere to the sanction lists available under Schedules to the Prevention and Suppression of Terrorism (Implementation of Security Council Resolutions) Order, 2007, which laid down the measures to effectively combat and address the threat of terrorism in accordance with the resolutions adopted by the United Nations Security Council, and other updated lists specified in the KYC MD.

2.16 Shell Bank. The KYC MD requires banks to ensure that correspondent relationships are not entered into with shell banks. Further, banks must not permit their accounts to be used by shell The amendments have now defined 'shell bank' in the KYC MD as "a bank that has no physical presence in the country in which it is incorporated and licensed, and which is unaffiliated with a regulated financial group that is subject to effective consolidated supervision. Physical presence means meaningful mind and management located within a country. The existence simply of a local agent or low-level staff does not constitute physical presence". The introduction of this definition has clarified which entities will be considered Shell banks and has thus aided banks in complying with the KYC MD in this regard.

2.17 Wire Transfer. In order to align with FATF's recommendations, the amendment to the KYC MD has introduced instructions with regard to wire transfers. Wire transfers refer to any transaction carried out wherein a person or an account holder ("Originator") transfers money electronically through a bank or a financial institution to another person or organization ("Beneficiary"), allowing them to access the funds at their own bank or financial institution. Cross border wire transfers now require the furnishing of accurate and complete information pertaining to the Originator and the Beneficiary, such as their name, account number, address, identification number, and transaction Domestic wire transfers, if from an account holder of the transferring financial institution or of value INR 50,000 (Indian Rupees Fifty Thousand) and above, must include Originator and Beneficiary information. The amendment has clarified that any transfer that flows from a transaction carried out using a credit card, debit card or a Prepaid Payment Instrument ("PPI") for the purchase of goods or services will not be considered a wire transfer.

The financial institution involved in processing wire transfers, must keep records of all Originator and Beneficiary information associated with each transfer. If technical limitations prevent this information from being included in a domestic wire transfer, the intermediary entity should retain it separately for at least 5 (Five) years. They should also be able to identify transfers that lack the required information and have policies in place to decide whether to proceed with, reject, or suspend such transfers. If a suspicious transaction is detected, it must be reported to the Financial Intelligence Unit-India.

3. INDUSLAW COMMENTS

The amendments aim to refine the customer due diligence process for entities regulated by the RBI, including determining beneficial owners, enhancing customer due diligence for non-individual customers, introducing definitions of PEP, simplifying the KYC updation process, and introducing enhanced due diligence requirements for non-face to face customer onboarding. These changes will increase regulatory supervision and reduce instances of money laundering. However, the requirement to adhere to enhanced due diligence measures when employing digital KYC methods such as CKYCR, in compliance with the KYC MD, will increase the compliance burden on REs. Further, this amendment indicates the RBI's stance on V-CIP, as the optimal method of KYC. As a whole, the recent amendments to the KYC MD are a significant step towards strengthening compliance for money laundering and terrorist financing. The RBI's efforts to keep up with the changing times and evolving risks are commendable, and the amendments are expected to have a positive impact on the financial system in its entirety.

Footnotes

1. Master Direction - Know Your Customer (KYC) Direction, 2016 (Link)

2. Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (Link)

3. Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.