KNOW YOUR CUSTOMER (KYC)/ ANTI-MONEY LAUNDERING (AML)/ COMBATING FINANCING OF TERRORISM (CFT) POLICY
| Version No. | Date | Drafted by | Reviewed by | Approved by |
| 2.0 | 21 Apr 2025 | Risk & Compliance Team | Risk & Compliance Team | Board of Directors |
| Other Particulars | Details |
| Classification | Public |
| Last Review date | 29 Dec 2025 |
INDEX
5. KEY ELEMENTS OF THE POLICY
7. CUSTOMER ACCEPTANCE POLICY (CAP)
9. CUSTOMER IDENTIFICATION PROCEDURES (CIP)
10. CUSTOMER DUE DILIGENCE (“CDD”) PROCEDURE
11. VIDEO BASED CUSTOMER IDENTIFICATION PROCESS (“V-CIP”)
13. MONITORING OF TRANSACTIONS
14. REPORTING AND REGISTRATIONS WITH FINANCIAL INTELLIGENCE UNIT – INDIA (FIU-IND)
15. Reporting to Financial Intelligence Unit-India (FIU-IND)
16. RECORD KEEPING REQUIREMENTS
18. DATA CONFIDENTIALITY, Secrecy Obligations and Sharing of Information
19. SHARING KYC INFORMATION WITH CENTRAL KYC RECORDS REGISTRY (CKYCR)
20. MONEY LAUNDERING AND TERRORIST FINANCING RISK ASSESSMENT
23. ALLOTMENT OF UNIQUE CUSTOMER IDENTIFICATION CODE (“UCIC”)
25. REVIEW AND APPROVAL OF THE POLICY
26. Annexure 1: KYC DOCUMENTS
28. ANNEXURE 3: RED FLAGS FOR SUSPICIOUS TRANSACTIONS
29. Annexure 4: DIGITAL KYC PROCESS
- INTRODUCTION
R.K. Bansal Finance Private Limited (“the Company”), being a Base Layer Non-Banking Financial Company (NBFC) registered with the Reserve Bank of India (RBI), engaged in the business of Payday Loans, EMI-based Loans, Loan Against Property (LAP) and other business loans, recognizes its responsibility to prevent misuse of its financial services for money laundering, terrorist financing and other unlawful activities.
R. K. Bansal Finance Private Limited (“the Company”), by means of this Policy, aims to adopt and implement Know Your Customer (KYC), Anti Money Laundering (AML) and Combating of Financing of Terrorism (CFT) standards in its day-to-day practice. These standards are applied when working with our customers as well as partners.
The Board of Directors has formulated this Policy in line with the Prevention of Money Laundering Act (PMLA), 2002 and related amendments; Prevention of Money Laundering (PML) Rules, 2005 and related amendments; Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025, issued vide RBI/DOR/2025-26/361 dated November 28, 2025, as amended from time to time; Centralised KYC Registry (CKYC) Guidelines, as amended from time to time; and FATF Recommendations.
This Policy lays down principles, systems, procedures and internal controls to ensure strong customer identification, risk mitigation, due diligence and monitoring.
The Board of Directors has the ultimate responsibility for adoption and implementation of the KYC/AML/CFT framework.
- OBJECTIVES
The objectives of this Policy are:
- To prevent the Company from being used knowingly or unknowingly for money laundering or terrorist financing activities.
- To ensure the Company understands its customers, their financial behavior and associated risks.
- To promote ethical conduct and transparency in business relationships.
- To comply with legal and regulatory requirements under RBI and PMLA framework.
- To define procedures for detection and reporting of suspicious activities.
- APPLICABILITY:
This policy comes into force on approval by the Board of Directors of the Company. It may be noted that the KYC – AML policy as stated in this document shall prevail over anything else contained in any other document/process/circular/letter/instruction of the Company in this regard (KYC-AML). This policy shall be applicable to all verticals/products of the Company, whether existing or to be rolled out in future. This note requires the Company and each employee of the Company to:
- Protect the Company from being used for money laundering or funding terrorist activities;
- Conduct themselves in accordance with the highest ethical standards as per this policy;
- Comply with the letter and spirit of applicable Anti-Money Laundering (AML) Laws and the Company’s KYC and AML procedures;
- Appoint a Designated Director from its Board of Directors for ensuring overall compliance;
- Appoint a Principal Officer, other than the Designated Director, to ensure overall compliance, transaction monitoring and reporting;
- Be alert to and escalate suspicious activity and not knowingly provide advice or other assistance to individuals who attempt to violate or avoid AML laws; and
- Co-operate with the Regulatory Authorities as per the applicable laws.
- KEY DEFINITIONS:
For the purpose of this policy and related process documents, Key Terms have been defined as follows:
- “Aadhaar number” shall have the meaning assigned to it in clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016).
- “Act and Rules” means the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, respectively and amendments thereto.
- “Authentication” in the context of Aadhaar authentication, means the process as defined under sub-section (c) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.
- “Beneficial Owner (BO)”:
- Where the customer is a company, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have a controlling ownership interest or who exercises control through other means.
For the purpose of this sub-clause:
- “Controlling ownership interest” means ownership of/entitlement to more than 10 percent of the shares or capital or profits of the company;
- “Control” shall include the right to appoint majority of the directors or to control the management or policy decisions including by virtue of their shareholding or management rights or shareholders agreements or voting agreements.
- Where the customer is a partnership firm, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of/entitlement to more than 10 percent of capital or profits of the partnership;
Explanation – For the purpose of this sub-clause, “control” shall include the right to control the management or policy decision.
- Where the customer is an unincorporated association or body of individuals, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of or entitlement to more than 15 percent of the property or capital or profits of such association or body of individuals;
Explanation: Term ‘body of individuals’ includes societies. Where no natural person is identified under (a), (b) or (c) above, the beneficial owner is the relevant natural person who holds the position of senior managing official.
- Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 10 percent or more interest in the trust and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership.
- “Certified Copy” – Obtaining a certified copy by the RE shall mean comparing the copy of the proof of possession of Aadhaar number where offline verification cannot be carried out or officially valid document so produced by the customer with the original and recording the same on the copy by the authorised officer of the RE as per the provisions contained in the Act.
Provided that in case of Non-Resident Indians (NRIs) and Persons of Indian Origin (PIOs), as defined in Foreign Exchange Management (Deposit) Regulations, 2016 {FEMA 5(R)}, alternatively, the original certified copy, certified by any one of the following, may be obtained:
- authorised officials of overseas branches of Scheduled Commercial Banks registered in India,
- branches of overseas banks with whom Indian banks have relationships,
- Notary Public abroad,
- Court Magistrate,
- Judge,
- Indian Embassy/Consulate General in the country where the non-resident customer resides.
- “Central KYC Records Registry” (CKYCR) means an entity defined under Rule 2(1) of the Rules, to receive, store, safeguard and retrieve the KYC records in digital form of a customer.
- “Designated Director” means a person designated by the RE to ensure overall compliance with the obligations imposed under chapter IV of the PML Act and the Rules and shall include:
- the Managing Director or a whole-time Director, duly authorized by the Board of Directors, if the RE is a company,
- the Managing Partner, if the RE is a partnership firm,
- the Proprietor, if the RE is a proprietorship concern,
- the Managing Trustee, if the RE is a trust,
- a person or individual, as the case may be, who controls and manages the affairs of the RE, if the RE is an unincorporated association or a body of individuals, and
- a person who holds the position of senior management or equivalent designated as a ‘Designated Director’ in respect of Cooperative Banks and Regional Rural Banks.
Explanation – For the purpose of this clause, the terms “Managing Director” and “Whole-time Director” shall have the meaning assigned to them in the Companies Act, 2013.
- “Digital KYC” means the capturing live photo of the customer and officially valid document or the proof of possession of Aadhaar, where offline verification cannot be carried out, along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the RE as per the provisions contained in the Act.
- “Digital Signature” shall have the same meaning as assigned to it in clause (p) of subsection (1) of section (2) of the Information Technology Act, 2000 (21 of 2000).
- “Equivalent e-document” means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature including documents issued to the digital locker account of the customer as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.
- “Group” – The term “group” shall have the same meaning assigned to it in clause (e) of sub section (9) of section 286 of the Income Tax Act, 1961(43 of 1961).
Note: As per IT Act, “Group” includes a parent entity and all the entities in respect of which, for the reason of ownership or control, a consolidated financial statement for financial reporting purposes, – (i) is required to be prepared under any law for the time being in force or the accounting standards of the country or territory of which the parent entity is resident; or (ii) would have been required to be prepared had the equity shares of any of the enterprises were listed on a stock exchange in the country or territory of which the parent entity is resident.
- “Know Your Client (KYC) Identifier” means the unique number or code assigned to a customer by the Central KYC Records Registry.
- “Non-profit organisations” (NPO) means any entity or organisation, constituted for religious or charitable purposes referred to in clause (15) of section 2 of the Income-tax Act, 1961 (43 of 1961), that is registered as a trust or a society under the Societies Registration Act, 1860 or any similar State legislation or a company registered under Section 8 of the Companies Act, 2013 (18 of 2013).
- “Officially Valid Document” (OVD) means the passport, the driving licence, proof of possession of Aadhaar number, the Voter’s Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an officer of the State Government and letter issued by the National Population Register containing details of name and address.
Provided that,
- where the customer submits his proof of possession of Aadhaar number as an OVD, he may submit it in such form as are issued by the Unique Identification Authority of India.
- where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:-
- utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
- property or Municipal tax receipt;
- pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
- letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation;
- the customer shall submit OVD with current address within a period of three months of submitting the documents specified at ‘b’ above;
- where the OVD presented by a foreign national does not contain the details of address, in such case the documents issued by the Government departments of foreign jurisdictions and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.
Explanation: For the purpose of this clause, a document shall be deemed to be an OVD even if there is a change in the name subsequent to its issuance provided it is supported by a marriage certificate issued by the State Government or Gazette notification, indicating such a change of name.
- “Offline verification” shall have the same meaning as assigned to it in clause (pa) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016).
- “Person” has the same meaning assigned in the Act and includes:
- an individual,
- a Hindu Undivided Family,
- a company,
- a firm,
- an association of persons or a body of individuals, whether incorporated or not,
- every artificial juridical person, not falling within any one of the above persons (a to e), and
- any agency, office or branch owned or controlled by any of the above persons (a to f).
- “Politically Exposed Persons” (PEPs) are individuals who are or have been entrusted with prominent public functions by a foreign country, including the Heads of States/Governments, senior politicians, senior government or judicial or military officers, senior executives of state-owned corporations and important political party officials.
- “Principal Officer” means an officer nominated by the RE, responsible for furnishing information as per rule 8 of the Rules.
- “Suspicious transaction” means a “transaction” as defined below, including an attempted transaction, whether or not made in cash, which, to a person acting in good faith:
- gives rise to a reasonable ground of suspicion that it may involve proceeds of an offence specified in the Schedule to the Act, regardless of the value involved; or
- appears to be made in circumstances of unusual or unjustified complexity; or
- appears to not have economic rationale or bona-fide purpose; or
- gives rise to a reasonable ground of suspicion that it may involve financing of the activities relating to terrorism.
Explanation: Transaction involving financing of the activities relating to terrorism includes transaction involving funds suspected to be linked or related to, or to be used for terrorism, terrorist acts or by a terrorist, terrorist organization or those who finance or are attempting to finance terrorism.
- A ‘Small Account’ means a savings account which is opened in terms of sub-rule (5) of the PML Rules, 2005. Details of the operation of a small account and controls to be exercised for such account are specified in Section 23.
- “Transaction” means a purchase, sale, loan, pledge, gift, transfer, delivery or the arrangement thereof and includes:
- opening of an account;
- deposit, withdrawal, exchange or transfer of funds in whatever currency, whether in cash or by cheque, payment order or other instruments or by electronic or other non-physical means;
- the use of a safety deposit box or any other form of safe deposit;
- entering into any fiduciary relationship;
- any payment made or received, in whole or in part, for any contractual or other legal obligation; or
- establishing or creating a legal person or legal arrangement.
- “Customer” means a ‘person’, as defined, who is engaged in a financial transaction or activity with a company and includes a person on whose behalf the person who is engaged in the transaction or activity is acting.
- “Customer Due Diligence” (CDD) means identifying and verifying the customer and the beneficial owner based on information and documents using reliable and independent sources of identification.
Explanation – The CDD, at the time of commencement of an account-based relationship or while carrying out occasional transaction of an amount equal to or exceeding rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, or any international money transfer operations, shall include:
- Identification of the customer, verification of their identity using reliable and independent sources of identification, obtaining information on the purpose and intended nature of the business relationship, where applicable;
- Taking reasonable steps to understand the nature of the customer’s business, and its ownership and control;
- Determining whether a customer is acting on behalf of a beneficial owner, and identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification.
- “Customer Identification” means undertaking the process of CDD.
- “KYC Templates” means templates prepared to facilitate collating and reporting the KYC data to the CKYCR, for individuals and legal entities.
- “Non-face-to-face customers” means customers who open accounts without visiting the branch/offices of the REs or meeting the officials of REs.
- “On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with RE’s knowledge about the customers, customers’ business and risk profile, the source of funds / wealth.
- “Payable-through accounts” refers to correspondent accounts that are used directly by third parties to transact business on their own behalf.
- “Periodic Updation” means steps taken to ensure that documents, data or information collected under the CDD process is kept up-to-date and relevant by undertaking reviews of existing records at periodicity prescribed by the Reserve Bank.
- “Video based Customer Identification Process (V-CIP)”: an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the RE by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face CIP for the purpose of this Master Direction.
- “Employees”: both full and part-time employees are required to abide by this Policy, as are contingent workers.
- “Enhanced Due Diligence” (“EDD”): The business may determine that a customer poses a higher risk because of the customer’s business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving higher-risk jurisdictions. Due diligence policies, procedures, and processes would be enhanced as a result. Higher-risk customers and their transactions would be reviewed more closely at account opening and more frequently throughout the term of their relationship with the business. Refer to section 4(2) for more details.
- “Know Your Client (KYC) records” means customers who open accounts without visiting the branch/offices of the company or meeting the officials of the company.
- “Proceeds of Crime” means any property derived or obtained, directly or indirectly, by any person as a result of criminal activity relating to a scheduled offence or the value of any such property or where such property is taken or held outside the country, then the property equivalent in value held within the country.
- “Property” means any property or assets of every description, whether corporeal or incorporeal, movable or immovable, tangible or intangible and includes deeds and instruments evidencing title to, or interest in such property or assets, wherever located.
- “Records” include the records maintained in the form of books or stored in computer or such other form as may be prescribed.
- “Walk-in Customer” means a person who does not have an account-based relationship with the RE, but undertakes transactions with the RE.
All other expressions unless defined herein will have the same meaning as have been assigned to them under the Prevention of Money Laundering Act and Prevention of Money Laundering (Maintenance of Records) Rules, any statutory modification or re-enactment thereto or as used in commercial parlance, as the case may be.
- KEY ELEMENTS OF THE POLICY:
- The Know Your Customer (KYC) Process is prepared considering the following 4 (four) elements:
- To lay down the criteria for Customer Acceptance Policy
- Risk Management (Customer Due Diligence & Ongoing Due Diligence)
- To lay down the criteria for Customer Identification Process (“CIP”) and
- To establish the procedure for Monitoring of Transactions, as may be applicable.
- Record Maintenance
- Reporting Mechanism
- Money Laundering and Terrorist Financing Risk Assessment by the Company:
- The Company shall carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise periodically to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for clients, countries or geographic areas, products, services, transactions or delivery channels, etc.
- The assessment process should consider all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied. While preparing the internal risk assessment, the company shall take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator/supervisor may share with the company from time to time.
- The risk assessment by the Company shall be properly documented and be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the company. Further, the periodicity of risk assessment exercise shall be determined by the Board of the company, in alignment with the outcome of the risk assessment exercise. However, it should be reviewed at least annually.
- The Integrated Risk Management Division shall carry out the above said Risk Assessment exercise on an annual basis.
- The outcome of the exercise shall be put up to the Board of Directors or the Risk Management Committee of the Board and should be available to competent authorities and self-regulating bodies. The company shall apply a Risk Based Approach (RBA) for mitigation and management of the identified risk and should have Board approved policies, controls and procedures in this regard. Further, the company shall monitor the implementation of the controls and enhance them if necessary.
- Designated Director:
A “Designated Director” means a person designated by the RE to ensure overall compliance with the obligations imposed under Chapter IV of the PML Act and the Rules and shall be nominated by the Board.
The name, designation and address of the Designated Director shall be communicated to the FIU-IND and the RBI.
In no case, the Principal Officer shall be nominated as the ‘Designated Director’.
- Principal Officer:
The Principal Officer shall be a Senior Officer of the Company at the management level and shall be responsible for ensuring compliance, monitoring transactions, and sharing reporting information as required under the law/regulations.
The Principal Officer (PO) shall maintain close liaison with enforcement agencies, NBFCs and any other institutions which are involved in the fight against money laundering and CFT. The name of the Principal Officer so designated, his designation and address, including changes from time to time, shall be communicated to the Director, FIU-IND and RBI.
- COMPLIANCE WITH KYC POLICY:
The Company shall ensure compliance with the KYC Policy through:
- The below mentioned officials shall constitute Senior Management and will be responsible for effective implementation of KYC policies and procedures:
- Directors
- Head – Operations & Collections
- Head – Underwriting
- Head – Business
- Heads – Product
- Head – Risk
- Head – Compliance
- Independent evaluation of the compliance functions of the Company’s policies and procedures, including legal and regulatory requirements will be carried out.
- Concurrent/Internal Audit system to verify the compliance with KYC/AML policies and procedures.
- Submission of quarterly audit notes and compliance to the Audit Committee.
- Training & Awareness: Periodic AML/KYC training shall be conducted for employees appropriate to their roles.
The Company shall not outsource the decision-making functions for determining compliance with KYC norms.
- CUSTOMER ACCEPTANCE POLICY (CAP):
The Company’s Customer Acceptance Policy articulates the criteria for the acceptance of customers. The following principles shall be adhered to at the time of customer acceptance:
- The Company shall not open any account(s) in anonymous or fictitious or benami name.
- No account is opened where the Company is unable to apply appropriate CDD measures, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer.
- The Company shall consider filing an STR, if necessary, when it is unable to comply with the relevant CDD measures in relation to the customer.
- No transaction or account-based relationship is undertaken without following the CDD procedure.
- The mandatory information to be sought for KYC purpose while opening an account and during the periodic updation, is specified.
- Additional information, where such information requirement has not been specified in the internal KYC Policy of the Company, is obtained with the explicit consent of the customer.
- The Company shall apply the CDD procedure at the UCIC level. Thus, if an existing KYC compliant customer of a Company desires to open another account with the same Company, there shall be no need for a fresh CDD exercise.
- CDD Procedure is followed for all the joint account holders, while opening a joint account.
- Circumstances in which, a customer is permitted to act on behalf of another person/entity, is clearly spelt out.
- Suitable system is put in place to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanctions lists indicated in Chapter IX of this MD.
- Where Permanent Account Number (PAN) is obtained, the same shall be verified from the verification facility of the issuing authority.
- Where an equivalent e-document is obtained from the customer, RE shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000).
- Where Goods and Services Tax (GST) details are available, the GST number shall be verified from the search/verification facility of the issuing authority.
- Accept customers only after verifying their identity, as mentioned under this Policy.
- Identity of a new customer to be checked to ensure that it does not match with any person with a known criminal background.
- Loan accounts of persons having relationships with banned persons / entities such as individual terrorists or terrorist organizations etc. are not to be opened. Further, loan accounts should not be opened for persons convicted of nefarious activities such as money laundering, terrorism, drug trafficking, bank fraud etc.
- No loan account is opened where identity of the customer matches with any person or entity, whose name appears in the sanctions lists circulated by Reserve Bank of India or United Nations or explicitly prohibited by the RBI.
- No loan account shall be opened if the Company is of the opinion that the customer may expose the Company to KYC/AML/CFT risks.
- Customer Acceptance Policy shall not result in denial of banking/financial facility to members of the general public, especially those, who are financially or socially disadvantaged.
Subject to the above-mentioned norms and caution, all the employees of the Company will also ensure that the above norms and safeguards do not result in any kind of harassment or inconvenience to bona fide and genuine customers, who should not feel discouraged while dealing with the Company. It is important to bear in mind that the adoption of the Customer Acceptance Policy and its implementation should not become too restrictive and must not result in denial of the Company’s services to the general public, especially to those who are financially or socially disadvantaged.
- RISK MANAGEMENT:
For Risk Management, the Company shall have a Risk-Based Approach which includes the following:
- Customers shall be categorized as low, medium and high-risk category, based on the assessment and risk perception of the Company.
- Risk categorization shall be undertaken based on parameters such as:
- Customer’s identity;
- Social / Financial status;
- Nature of Business Activity
- Nature of employment
- Nature and volume of business of the customer, income of customer or employer category etc.
- Location of customer and his/ its clients
- Mode of Payments – cash, cheque / monetary instruments, wire transfers, forex transactions, etc;
- Credit History;
- Geographical risk covering customers as well as transactions;
- Type of products/services
While considering customer’s identity, the ability to confirm identity documents through online or other services offered by issuing authorities may also be factored in. It is hereby specified that the various other information collected from different categories of customers relating to the perceived risk, is non-intrusive.
- The risk categorisation of a customer and the specific reasons for such categorisation shall be kept confidential and shall not be revealed to the customer to avoid tipping off the customer.
- The Company may at its discretion identify additional factors that it may wish to utilize for customer acceptance based on risk profile determined by the Company. Provided further that various other information collected from different categories of customers relating to the perceived risk, is non-intrusive.
Explanation: FATF Public Statement, the Reports and Guidance Notes on KYC / AML issued by the Indian Banks Association (IBA), Guidance Note circulated to all Cooperative Banks by the RBI etc., may also be used in Risk Assessment.
The recommendations made by the Financial Action Task Force (FATF) on Anti-Money Laundering (AML) Standards and on Combating Financing of Terrorism (CFT) Standards would also be used in risk assessment.
| Low Risk Customer | Medium Risk Customer | High Risk Customer |
| Low risk customers for the purpose of this policy will be individuals and entities whose identities and sources of wealth can be easily identified, who have structured income, and transactions in whose accounts by and large conform to the known profile. | Medium risk customers are likely to pose a moderate risk to the Company and may be categorized as medium risk depending on customer’s background, nature and location of activity, country of origin, sources of funds and his client profile etc. | High risk customers are likely to pose a higher than average risk and may be categorized as high risk customers depending on customer’s background, nature and location of activity, country of origin, sources of funds and his client profile, etc. The Company will examine the case in detail based on the risk assessment as per our Risk Management & Credit/Loan Policy and guidelines of Product and Credit Manual. |
| Illustrative examples of Low Risk customers could be: ∙ Salaried applicants with salary paid by cheque ∙ People belonging to government departments ∙ People working with government owned companies, regulators and statutory bodies, etc. ∙ People working with Public Sector Units ∙ People working with reputed Public Limited companies & Multinational Companies. | Illustrative examples of Medium Risk customers could be: ∙ Salaried applicants with variable income/unstructured income receiving salary in cheque ∙ Salaried applicants working with Private limited companies ∙ Self Employed professionals other than HNIs ∙ Self Employed customers with sound business and profitable track record for a reasonable period ∙ High Net worth Individuals with occupational track record of more than 3 years | Illustrative examples of High-Risk customers requiring higher due diligence may include: ∙ Non-resident customers ∙ High net worth individuals, without an occupational track record of more than 3 years ∙ Trusts, charities, NGOs and organizations receiving donations ∙ Companies having close family shareholding or beneficial ownership ∙ Firms with ‘sleeping partners’ ∙ Politically exposed persons (PEPs) or family members and close relatives of PEPs ∙ Non-face to face customers ∙ Those with dubious reputation as per available public information, etc. ∙ Shell Companies which have no physical presence in branch location. The existence simply of a local agent or low level staff does not constitute physical presence. ∙ Customers conducting their business relationship or transactions in unusual circumstances, such as significant and unexplained geographic distance between the institution and the location of the customer, frequent and unexplained movement of accounts to different institutions etc. ∙ Individuals and Entities specifically identified by the Regulators, RBI, FIU and other competent Authorities as High Risk. ∙ Customers engaged in a business which is associated with a higher level of corruption (e.g. arms manufacturing, dealers and intermediaries). |
- CUSTOMER IDENTIFICATION PROCEDURES (CIP):
Customer Identification Procedure means undertaking client due diligence measures while commencing a financing-based relationship including identifying and verifying the customer and the beneficial owner.
Customer identification means identifying and undertaking Customer Due Diligence (CDD) of the Customer and verifying his / her identity by using reliable, independent source documents, data or information. The Company needs to obtain enough information necessary to establish, to their satisfaction and as required by applicable law, the identity of each new customer, whether regular or occasional and the purpose of the intended nature of relationship.
KYC verification may be conducted through:
∙ Physical Verification
∙ Video-Based KYC (V-CIP)
∙ Digital KYC (O-KYC/CKYC)
OVDs and PAN verification shall be mandatory.
- The Company shall undertake identification of customer in following cases:
- Commencement of an account-based relationship with the customer.
- Carrying out any international money transfer operations for a person who is not an account holder of the Company.
- When there is a doubt about the authenticity or adequacy of the customer identification data it has obtained.
- Selling third party products as agents, selling their own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards and any other product for more than INR 50,000/- (Rupees Fifty Thousand).
- When carrying out any transaction of an amount equal to or exceeding rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected.
- When there are suspicions of money laundering or financing of activities relating to terrorism, for existing customers.
- When the Company has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of rupees fifty thousand.
- The Company shall ensure that introduction is not to be sought while opening accounts.
For the purpose of verifying the identity of customers at the time of commencement of a new relationship, the Company will at its option, rely on customer due diligence done by a third-party, subject to the following conditions:
- The required information of such customers’ due diligence, carried out by the third-party, is obtained within two days from the third party or from the Central KYC Records Registry (“CKYCR”) by the Company.
- Adequate steps are taken by the Company to satisfy itself that copies of identification data and other relevant documentation relating to the customer due diligence requirements shall be made available from the third-party upon request immediately.
- The third-party is regulated, supervised or monitored for, and has measures in place for, compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the PML Act.
- The third-party shall not be based in a country or jurisdiction assessed as high risk.
The ultimate responsibility for customer due diligence and undertaking enhanced due diligence measures, as applicable, will be with the Company.
- CUSTOMER DUE DILIGENCE (“CDD”) PROCEDURE:
While undertaking customer identification, the Company will ensure that decision making functions of determining compliance with KYC norms shall not be outsourced. The Company shall apply customer due diligence measures to all clients based on the materiality and risk and conduct due diligence on relationships at appropriate times.
- CDD Measures for Individuals
The Company shall obtain the following from an individual while establishing an account-based relationship or while dealing with the individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity:
(a) the Aadhaar number where,
- he is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
- he decides to submit his Aadhaar number voluntarily to a bank or any RE notified under first proviso to sub-section (1) of section 11A of the PML Act; or
(aa) the proof of possession of Aadhaar number where offline verification can be carried out; or
(ab) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD or the equivalent e-document thereof containing the details of his identity and address; and
(ac) the KYC Identifier with an explicit consent to download records from CKYCR; and
(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and
(c) such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the Company:
Where the customer has submitted,
i) Aadhaar number under clause (a) above to the Company notified under first proviso to sub-section (1) of section 11A of the PML Act, the Company shall carry out authentication of the customer’s Aadhaar number using e-KYC authentication facility provided by the Unique Identification Authority of India.
Further, in such a case, if customer wants to provide a current address, different from the address as per the identity information available in the Central Identities Data Repository, he may give a self-declaration to that effect to the Company.
ii) proof of possession of Aadhaar under clause (aa) above where offline verification can be carried out, the Company shall carry out offline verification.
iii) an equivalent e-document of any OVD, the Company shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Annex I of Master Direction – Know Your Customer (KYC) Direction, 2016.
iv) any OVD or proof of possession of Aadhaar number under clause (ab) above where offline verification cannot be carried out, the Company shall carry out verification through digital KYC as specified under Annex I of Master Direction – Know Your Customer (KYC) Direction, 2016.
v) KYC Identifier under clause (ac) above, the Company shall retrieve the KYC records online from the CKYCR in accordance with Section 56.
Provided that for a period not beyond such date as may be notified by the Government for a class of Banks, instead of carrying out digital KYC, the Bank pertaining to such class may obtain a certified copy of the proof of possession of Aadhaar number or the OVD and a recent photograph where an equivalent e-document is not submitted.
Provided further that in case biometric e-KYC authentication cannot be performed for an individual desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 owing to injury, illness or infirmity on account of old age or otherwise, and similar causes, the Company shall, apart from obtaining the Aadhaar number, perform identification preferably by carrying out offline verification or alternatively by obtaining the certified copy of any other OVD from the customer.
Explanation 1: Bank shall, where its customer submits a proof of possession of Aadhaar number containing the Aadhaar number, ensure that such customer redacts or blacks out his/her Aadhaar number through appropriate means where the authentication of Aadhaar number is not required under section 7 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act.
Explanation 2: Biometric based e-KYC authentication can be done by bank official/business correspondents/business facilitators.
Explanation 3: The use of Aadhaar, proof of possession of Aadhaar etc., shall be in accordance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, the Aadhaar and Other Law (Amendment) Ordinance, 2019 and the regulations made thereunder.
- CDD Measures for Legal Entities
For opening of an account, the Company shall obtain the documents and information as specified in Annexure 1 of the Policy from:
- Sole Proprietary Firm;
- Company;
- Partnership Firm;
- Trust;
- Unincorporated Association or a Body of Individuals and Juridical Persons not specifically covered in the earlier part, such as Government or its Departments, societies, universities and local bodies like village panchayats.
- CDD Measures for Identification of Beneficial Owner:
For opening an account of a Legal Person who is not a natural person, the beneficial owner(s) will be identified and all reasonable steps in terms of Rule 9(3) of the Rules to verify his/her identity will be undertaken, keeping in view the following:
- Where the customer or the owner of the controlling interest is an entity listed on a stock exchange, or it is an entity resident in jurisdictions notified by the Central Government and listed on stock exchanges in such jurisdiction or it is a subsidiary of such listed entity; it is not necessary to identify and verify the identity of any shareholder or beneficial owner of such companies.
- In cases of trust/nominee or fiduciary accounts whether the customer is acting on behalf of another person as trustee/ nominee or any other intermediary is determined. In such cases, satisfactory evidence of the identity of the intermediaries and of the persons on whose behalf they are acting, as also details of the nature of the trust or other arrangements in place will be obtained.
- VIDEO BASED CUSTOMER IDENTIFICATION PROCESS (“V-CIP”):
The Company may undertake V-CIP to carry out the Customer Due Diligence in terms of procedure prescribed under Annexure 2.
- DUE DILIGENCE PROCESS:
- On-Going Due Diligence
- The Company will undertake on-going due diligence of customers to ensure that their transactions are consistent with its knowledge about the customers, customers’ business and risk profile; and the source of funds/wealth.
- Without prejudice to the generality of factors that call for close monitoring following types of transactions shall necessarily be monitored:
- Large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose.
- Transactions which exceed the thresholds prescribed for specific categories of accounts.
- High account turnover inconsistent with the size of the balance maintained.
- Deposit of third-party cheques, drafts, etc. in the existing and newly opened accounts followed by cash withdrawals for large amounts.
- The extent of monitoring will be aligned with the risk category of the customer. A system of periodic review of risk categorization of accounts, with such periodicity as specified in company’s KYC Policy will be put in place.
- The Company may apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive ‘due diligence’ for higher risk customers, especially those for whom the sources of funds are not clear. Examples of customers requiring higher due diligence may include:
- Non-Resident Customers;
- High Net Worth Individuals;
- Trusts, Charities, NGOs and Organizations receiving donations;
- Companies having close family shareholding or beneficial ownership;
- Firms with ‘Sleeping Partners’;
- Politically Exposed Persons (PEPs);
- Non-Face-to-Face customers, and
- those with dubious reputation as per public information available, etc.
Note: For ongoing due diligence, the Company may consider adopting appropriate innovations including artificial intelligence and machine learning (AI & ML) technologies to support effective monitoring.
- The extent of monitoring shall be aligned with the risk category of the customer. Explanation: High risk accounts have to be subjected to more intensified monitoring:
- A system of periodic review of risk categorisation of accounts, with such periodicity being at least once in six months, and the need for applying enhanced due diligence measures shall be put in place.
- The transactions in accounts of marketing firms, especially accounts of Multi-level Marketing (MLM) Companies shall be closely monitored.
Explanation: Cases where a large number of cheque books are sought by the company and/or multiple small deposits (generally in cash) across the country in one bank account and/or where a large number of cheques are issued bearing similar amounts/dates, shall be immediately reported to Reserve Bank of India and other appropriate authorities such as FIU-IND.
- Updation / Periodic Updation of KYC
The Company shall adopt a risk-based approach for periodic updation of KYC ensuring that the information or data collected under CDD is kept up-to-date and relevant, particularly where there is high risk.
Periodic KYC updation will be carried out at least once in every two (2) years for high-risk customers, once in every eight (8) years for medium risk customers and once in every ten (10) years for low-risk customers, in line with RBI Directions.
The time limits prescribed above would apply from the date of opening of the account/ last verification of KYC, whichever is more recent.
- Individual Customers:
- No change in KYC information: In case of no change in the KYC information, a self-declaration from the customer in this regard shall be obtained through customer’s email-id registered with the Company, customer’s mobile number registered with the Company, ATMs, digital channels (such as online banking/internet banking mobile application of Company), letter etc.
- Change in address: In case of a change only in the address details of the customer, a self-declaration of the new address shall be obtained from the customer through customer’s email-id registered with the Company, customer’s mobile number registered with the Company, ATMs, digital channels (such as online banking/internet banking mobile application of Company), letter etc., and the declared address shall be verified through positive confirmation within two months, by means such as address verification letter, contact point verification, deliverables etc.
- Customers other than individuals:
- No change in KYC information: In case of no change in the KYC information of the LE customer, a self-declaration in this regard shall be obtained from the LE customer through its email id registered with the Company, ATMs, digital channels (such as online banking/internet banking mobile application of Company), letter from an official authorized by the LE in this regard, board resolution etc. Further, the Company shall ensure during this process that Beneficial Ownership (BO) information available with them is accurate and shall update the same, if required, to keep it as up-to-date as possible.
- Change in KYC information: In case of change in KYC information, the Company shall undertake the KYC process equivalent to that applicable for on-boarding a new LE customer.
- Additional Measures:
In addition to the above, the Company shall ensure that:
- The KYC documents of the customer as per the current CDD standards are available with them. This is applicable even if there is no change in customer information but the documents available with the Company are not as per the current CDD standards. Further, in case the validity of the CDD documents available with the RE has expired at the time of periodic updation of KYC, RE shall undertake the KYC process equivalent to that applicable for on-boarding a new customer.
- The customer’s PAN details are verified from the database of the issuing authority at the time of periodic updation of KYC.
- Acknowledgment is provided to the customer mentioning the date of receipt of the relevant document(s), including self-declaration from the customer, for carrying out periodic updation.
- The Company shall ensure that the information / documents obtained from the customers at the time of periodic updation of KYC are promptly updated in the records / database of the Company and an intimation, mentioning the date of updation of KYC details, is provided to the customer.
- In order to ensure customer convenience, the Company may consider making available the facility of periodic updation of KYC at any office from where business is carried out.
- The Company shall adopt a risk-based approach with respect to periodic updation of KYC. Any additional and exceptional measures, which otherwise are not mandated under the above instructions, adopted by the Company such as requirement of obtaining recent photograph, requirement of physical presence of the customer, requirement of periodic updation of KYC only in the branch of the RE where account is maintained, a more frequent periodicity of KYC updation than the minimum specified periodicity etc., shall be clearly specified in the internal KYC policy duly approved by the Board of Directors of the Company or any committee of the Board to which power has been delegated.
- The Company shall advise the customers that, in order to comply with the PML Rules, in case of any update in the documents submitted by the customer at the time of establishment of business relationship / account-based relationship and thereafter, as necessary, customers shall submit to the Company the update of such documents. This shall be done within 30 days of the update to the documents for the purpose of updating the records at the Company end.
- In case of existing customers, the Company shall obtain the Permanent Account Number or equivalent e-document thereof or Form No. 60, by such date as may be notified by the Central Government, failing which the Company shall temporarily cease operations in the account till the time the Permanent Account Number or equivalent e-documents thereof or Form No. 60 is submitted by the customer.
Provided that before temporarily ceasing operations for an account, the Company shall give the customer an accessible notice and a reasonable opportunity to be heard. Further, the Company shall include, in its internal policy, appropriate relaxation(s) for continued operation of accounts for customers who are unable to provide Permanent Account Number or equivalent e-document thereof or Form No. 60 owing to injury, illness or infirmity on account of old age or otherwise, and such like causes. Such accounts shall, however, be subject to enhanced monitoring.
Provided further that if a customer having an existing account-based relationship with the Company gives in writing to the Company that he does not want to submit his Permanent Account Number or equivalent e-document thereof or Form No.60, the Company shall close the account and all obligations due in relation to the account shall be appropriately settled after establishing the identity of the customer by obtaining the identification documents as applicable to the customer.
Explanation – For the purpose of this Section, “temporary ceasing of operations” in relation to an account shall mean the temporary suspension of all transactions or activities in relation to that account by the Company till such time the customer complies with the provisions of this Section. In case of asset accounts such as loan accounts, for the purpose of ceasing the operation in the account, only credits shall be allowed.
- Enhanced Due Diligence (‘EDD’) Measures:
- Accounts of non-face-to-face customer onboarding (other than Aadhaar OTP based on-boarding):
Non-face-to-face onboarding facilitates the Company to establish relationship with the customer without meeting the customer physically or through V-CIP. Such non-face-to-face modes for the purpose of this Section includes use of digital channels such as CKYCR, DigiLocker, equivalent e-document, etc.
Following EDD measures shall be undertaken by the Company for non-face-to-face customer onboarding (other than customer onboarding in terms of Section 17 of RBI KYC Master Direction):
- In case the Company has introduced the process of V-CIP, the same shall be provided as the first option to the customer for remote onboarding. It is reiterated that processes complying with prescribed standards and procedures for V-CIP shall be treated on par with face-to-face CIP for the purpose of this Policy.
- In order to prevent frauds, transactions shall be permitted only from the mobile number used for account opening. The Company shall have a Board approved policy delineating a robust process of due diligence for dealing with requests for change of registered mobile number.
- Apart from obtaining the current address proof, the Company shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc.
- The Company shall obtain PAN from the customer and the PAN shall be verified from the verification facility of the issuing authority.
- The first transaction in such accounts shall be a credit from an existing KYC‑compliant bank account of the customer maintained with a regulated entity in India.
- Such customers shall be categorised as high‑risk and their accounts shall be subjected to enhanced and more frequent monitoring until the identity of the customer is verified either in a face‑to‑face manner or through V‑CIP in accordance with applicable RBI Directions.
- Accounts of Politically Exposed Persons (PEPs):
The Company shall have the option of establishing a relationship with PEPs (whether as a customer or beneficial owner) provided that, apart from performing normal CDD:
- the Company has in place an appropriate Risk Management System to determine whether the customer or the beneficial owner is a PEP;
- sufficient information including information about the sources of funds accounts of family members and close relatives is gathered on the PEP;
- the identity of the person will have been verified before accepting the PEP as a customer or as a beneficial owner;
- the decision to open an account for a PEP is taken at a senior level in accordance with the Company’s Customer Acceptance Policy;
- all such accounts are subjected to enhanced monitoring on an on-going basis;
- in the event of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, senior management’s approval is obtained to continue the business relationship;
These instructions will also be applicable to accounts where a PEP is the beneficial owner.
- MONITORING OF TRANSACTIONS:
Ongoing transaction monitoring is a core element of the Company’s Know Your Customer (KYC) and Anti-Money Laundering (AML) framework and shall be carried out on a continuous basis, commensurate with the risk profile of each customer/account. The objective of such monitoring is to enable the Company to understand the normal and reasonable activity of customers and to identify transactions that deviate from the expected pattern and may indicate higher risk.
Particular attention shall be paid to transactions that are complex, unusually large, or have no apparent economic or lawful purpose, including but not limited to the following:
- Transactions or behaviour indicating reluctance or refusal by the customer to provide confirmation of identity or other required information;
- Utilisation of loan proceeds for purposes other than those disclosed in the loan application or where the real purpose is concealed from the Company;
- Foreclosure of loans within 180 days of disbursement where the original loan tenure exceeds 12 months;
- Sudden or substantial partial prepayments after payment of only a few EMIs;
- Deposit of substantial cash amounts following cheque bounce incidents and/or insistence on cash payments for future repayments;
- Repayments made through third-party cheques, demand drafts, or other third-party instruments;
- Unidentified or unexplained customer remittances;
- Transactions exhibiting unusual patterns or volumes that are inconsistent with the customer’s occupation, income profile, line of business, or stated source of funds, including very high account turnover inconsistent with the known means of the customer.
Supervisory officials shall maintain heightened vigilance over transactions involving large values and ensure that such transactions have a reasonable nexus with the borrower’s profile. In case of doubt or inconsistency, appropriate enquiries shall be made with the borrower and documented accordingly.
The Company may prescribe threshold limits for specific customers, categories of accounts, or products, and shall closely monitor transactions exceeding such limits. Special attention shall be paid to transactions involving large cash amounts that are inconsistent with the normal and expected activity of the customer, as such patterns may indicate potential money laundering or misuse of accounts.
High-risk accounts shall be subjected to enhanced and intensified monitoring. The Company shall put in place a system for periodic review and re-categorisation of customer risk profiles and shall apply enhanced due diligence measures wherever required, in line with regulatory guidelines.
While accepting cheques or instruments for collection, it shall be ensured that the name mentioned in the challan and the name of the beneficiary on the instrument are identical.
All employees are required to adhere to the highest standards of integrity, conduct, and professionalism. Employees shall not engage in any activity that may bring disrepute to the Company and shall strictly refrain from tipping off customers or third parties regarding monitoring processes, reporting mechanisms, or any actions that could undermine KYC, AML, or due diligence norms prescribed by the Reserve Bank of India from time to time.
- REPORTING AND REGISTRATIONS WITH FINANCIAL INTELLIGENCE UNIT – INDIA (FIU-IND)
- Designated Director:
- A “Designated Director” means a person designated by the RE to ensure overall compliance with the obligations imposed under Chapter IV of the PML Act and the Rules and shall be nominated by the Board.
- The name, designation and address of the Designated Director shall be communicated to the FIU-IND and the RBI.
- In no case, the Principal Officer shall be nominated as the ‘Designated Director’.
- Principal Officer:
- The Principal Officer shall be responsible for ensuring compliance, monitoring transactions, and sharing and reporting information as required under the law/regulations.
- The name, designation and address of the Principal Officer shall be communicated to the FIU-IND and the RBI.
- As per the requirement of PML Act, 2002, and the Rules there under, the following information shall be furnished to FIU-IND:
- all cash transactions of the value of more than INR 10 lakhs or its equivalent in foreign currency;
- all series of cash transactions integrally connected to each other which have been individually valued below INR 10 lakhs or its equivalent in foreign currency where such series of transactions have taken place within a month and the monthly aggregate exceeds an amount of INR 10 lakhs or its equivalent in foreign currency;
- all cash transactions where forged or counterfeit currency notes or bank notes have been used as genuine or where any forgery of a valuable security or a document has taken place facilitating the transactions; and
- all suspicious transactions, as defined previously, whether or not made in cash;
- The Company shall formulate an internal mechanism for detecting transactions as mentioned above and for furnishing information about such transactions as specified by FIU-IND and the RBI. An illustrative list with respect to Red Flags / Parameters to identify Suspicious Transactions has been provided in Annexure 3.
- Reporting to Financial Intelligence Unit-India (FIU-IND):
- In terms of the provisions of Rule 7 of the Prevention of Money-laundering (Maintenance of Records) Rules, 2005, the Company shall, inter alia, furnish to the Director, FIU-IND, the information mentioned in the above point (Rule 3 of PML (Maintenance of Records) Rules, 2005).
- A copy of information furnished shall be retained by the ‘Principal Officer’ for the purposes of official record.
- ‘NIL’ report need not be submitted in case there are no Cash / Suspicious Transactions.
- Company shall prepare the reporting formats and comprehensive reporting format guide, prescribed/ released by FIU-IND and Report Generation Utility and Report Validation Utility developed by FIU. Company shall use the editable electronic utilities to file electronic Cash Transaction Reports (CTR) / Suspicious Transaction Reports (STR) for extracting CTR /STR from their live transaction data.
- No restrictions will be put on account operations where an STR has been filed.
- Robust software/system developments, throwing alerts when the transactions are inconsistent with risk categorization and updated profile of the customers, will be put into use as a part of effective identification and reporting of suspicious transactions.
- While furnishing of information to the Director FIU-IND, delay of each day in not reporting a transaction or delay of each day in rectifying a misrepresented transaction beyond the time limit as specified in this rule shall constitute a separate violation.
The Company, its directors, officers, and all employees shall ensure that the fact of maintenance of records referred to in rule 3 of the PML (Maintenance of Records) Rules, 2005 and furnishing of the information to the Director is confidential. However, such confidentiality requirement shall not inhibit sharing of information under Section 4(b) of the KYC Master Direction of any analysis of transactions and activities which appear unusual, if any such analysis has been done.
- RECORD KEEPING REQUIREMENTS:
The following steps shall be taken regarding maintenance, preservation, and reporting of customer account information, with reference to provisions of PML Act and Rules. The Company shall:
- maintain all necessary records of transactions between the Company and the customer for at least five years from the date of transaction;
- preserve the records pertaining to the identification of the customers and their addresses obtained while opening the account and during the course of business relationship, for at least five years after the business relationship is ended;
- make available swiftly, the identification records and transaction data to the competent authorities upon request;
- maintain all necessary information in respect of transactions prescribed under PML Rule 3 so as to permit reconstruction of individual transaction, including the following:
- the nature of the transactions;
- the amount of the transaction and the currency in which it was denominated;
- the date on which the transaction was conducted; and
- the parties to the transaction.
- introduce a system of maintaining proper record of transactions prescribed under Rule 3 of Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules, 2005);
- evolve a system for proper maintenance and preservation of account information in a manner that allows data to be retrieved easily and quickly whenever required or when requested by the competent authorities;
- maintain records of the identity and address of their customer, and records in respect of transactions referred to in Rule 3 in hard or soft format.
- ensure that, in the case of customers who are non-profit organizations, the details of such customers are registered on the DARPAN Portal of NITI Aayog. If the same are not registered, the Company shall register the details on the DARPAN Portal. The Company shall also maintain such registration records for a period of five years after the business relationship between the customer and the Company has ended or the account has been closed, whichever is later.
Explanation– For the purpose of this Section, the expressions “records pertaining to the identification”, “identification records”, etc., shall include updated records of the identification data, account files, business correspondence and results of any analysis undertaken.
- REQUIREMENTS/OBLIGATIONS UNDER INTERNATIONAL AGREEMENTS – COMMUNICATIONS FROM INTERNATIONAL AGENCIES
The United Nations Security Council (UNSC) periodically circulates lists of individuals and entities suspected of having terrorist links. The United Nations Security Council Resolutions (UNSCRs) shall be taken into account.
The Company is required:
- to screen customer names against the UN List of terrorist individuals/entities before creation of a new customer ID or financing a customer.
- to ensure that the name(s) of the proposed customer does not match with that of the United Nations list of terrorist individuals/organizations/entities, before financing a customer.
- The lists shall be verified on daily basis and any modifications to the lists in terms of additions, deletions or other changes shall be taken into account by the REs for meticulous compliance.
- REs shall verify every day the Sanctions List of Designated Individuals and Entities to take into account any modifications to the list in terms of additions, deletions or other changes and also ensure compliance with the ‘Implementation of Security Council Resolution on Democratic People’s Republic of Korea Order, 2017’.
- The REs shall ensure that they do not have any account of individuals/entities appearing in the sanctions lists of individuals/entities as approved by and periodically circulated.
In order to ensure compliance with the CFT Norms prescribed, the Company will ensure compliance with:
- The Unlawful Activities (Prevention) Act, 1967 (UAPA), its amendments; and
- Order dated August 27, 2009 (the Order) detailing the procedure for implementation of Section 51A of the Unlawful Activities (Prevention) Act, 1967 relating to the purposes of prevention of, and for coping with terrorist activities, as issued by the Government of India; and
- RBI guidelines dated September 17, 2009
According to the guidelines dated September 17, 2009, issued by RBI, the entity will ensure meticulous compliance of the Order.
If the particulars of any customer match those appearing in the list, the Company has to report those individuals to RBI/Financial Intelligence Unit-INDIA, New Delhi.
The details of the two lists are as under:
- The “ISIL (Da’esh) & Al-Qaida Sanctions List”, which includes names of individuals and entities associated with the Al-Qaida. The updated ISIL & Al-Qaida Sanctions List is available at:
- The “Taliban Sanctions List”, established and maintained pursuant to Security Council Resolution (2011), which includes names of individuals and entities associated with the Taliban is available at:
- Details of accounts resembling any of the individuals/entities in the lists shall be reported to FIU-IND apart from advising Ministry of Home Affairs as required under UAPA notification dated March 14, 2019.
- Freezing of Assets under Section 51A of UAPA, 1967: The procedure laid down in the UAPA Order dated February 2, 2021 (Annex II of RBI KYC Master Direction) shall be strictly followed and meticulous compliance with the Order issued by the Government shall be ensured. The list of Nodal Officers for UAPA is available on the website of MHA.
- The Company shall ensure meticulous compliance with the “Procedure for Implementation of Section 12A of the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005” laid down in terms of Section 12A of the WMD Act, 2005 vide Order dated January 30, 2023, by the Ministry of Finance, Government of India (Annex III of this Master Direction).
- The Company shall ensure not to carry out transactions in case the particulars of the individual / entity match with the particulars in the designated list.
- Further, the Company shall run a check, on the given parameters, at the time of establishing a relation with a customer and on a periodic basis to verify whether individuals and entities in the designated list are holding any funds, financial asset, etc., in the form of bank account, etc.
- The Company shall verify every day the ‘UNSCR 1718 Sanctions List of Designated Individuals and Entities’, as available at https://www.mea.gov.in/Implementation-of-UNSC-Sanctions-DPRK.htm, to take into account any modifications to the list in terms of additions, deletions or other changes and also ensure compliance with the ‘Implementation of Security Council Resolution on Democratic People’s Republic of Korea Order, 2017’, as amended from time to time by the Central Government.
- Run a check, on the given parameters, at the time of establishing a relation with a customer and on a periodic basis to verify whether individuals and entities in the designated list are holding any funds, financial assets or economic resources or related services, in the form of bank accounts, stocks, insurance policies etc. In case the particulars of any of their customers match with the particulars of the designated list, REs shall immediately inform full particulars of the funds, financial assets or economic resources or related services held in the form of bank accounts, stocks or insurance policies etc., held on their books to the CNO by email, FAX and by post, without delay.
The Company may refer to the designated lists, as amended from time to time, available on the portal of FIU-IND.
- DATA CONFIDENTIALITY, Secrecy Obligations and Sharing of Information:
- The Company shall maintain secrecy regarding the customer information which arises out of the contractual relationship between the lender and customer.
- Information collected from customers for the purpose of opening of account shall be treated as confidential and details thereof shall not be divulged for the purpose of cross selling, or for any other purpose without the express permission of the customer.
- While considering the requests for data/information from Government and other agencies, the Company shall satisfy itself that the information being sought is not of such a nature as will violate the provisions of the laws relating to secrecy in the transactions.
- The exceptions to the said rule shall be as under:
- Where disclosure is under compulsion of law;
- Where there is a duty to the public to disclose;
- The interest of the Company requires disclosure; and
- Where the disclosure is made with the express or implied consent of the customer.
- SHARING KYC INFORMATION WITH CENTRAL KYC RECORDS REGISTRY (CKYCR):
- Government of India has authorised the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI), to act as, and to perform the functions of the CKYCR vide Gazette Notification No. S.O. 3183(E) dated November 26, 2015.
- The Central KYC Registry (CKYCR) is responsible for electronically storing, safeguarding and retrieving KYC records and making them available online for all registered reporting entities. Reporting entities are required to register with the CKYCR in order to access or retrieve information pertaining to customers. It will issue a KYC identifier ID for all customers. The Company will ensure compliance with the CKYC norms as stipulated by the RBI and PML Rules from time to time.
- REs shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, as per the KYC templates prepared for ‘Individuals’ and ‘Legal Entities’ (LEs), as the case may be. The templates may be revised from time to time, as may be required and released by CERSAI.
Functions and obligations of the Company –
The Company shall have the following functions and obligations:
- Register with the CKYCR in accordance with the processes and instructions issued.
- While commencing a financing-based relationship, the Company shall verify the identity of the customer and perform the initial due diligence of the customer. Electronic copy of the customer’s KYC records and information (Individuals and Legal Entities) will be filed with the CKYCR on best effort basis.
- The Company shall within 10 (Ten) days after the commencement of a financing-based relationship with a client, file the electronic copy of the client’s KYC records and customer information with the Central KYC Registry.
- Upon receiving the KYC Identifier from the CKYCR, communicate the same to the client by email, letter or any other written communication mode as may be decided from time to time.
Where a customer already possesses and submits a KYC Identifier to the Company, it shall download the KYC records from the Central KYC Registry by using the KYC Identifier and shall not require a customer to submit the documents again unless:
- There is a change in the information of the customer as existing in the records of Central KYC Registry;
- The current address of the client is required to be verified;
- It is necessary in order to verify the identity or address of the client, or to perform enhanced due diligence or to build an appropriate risk profile of the client.
- After obtaining additional or updated information from a client as specified above, the Company shall as soon as possible furnish the updated information to the Central KYC Records Registry.
- MONEY LAUNDERING AND TERRORIST FINANCING RISK ASSESSMENT
- The Company shall carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise, on annual basis, to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk as per RBI’s guidelines.
- The risk assessment should be properly documented.
- The outcome of the exercise shall be put up to the Risk Management Committee, constituted by the Board of Directors to which power in this regard has been delegated, and should be available to competent authorities and self-regulating bodies, if required.
- The Company shall apply a Risk Based Approach (RBA) for mitigation and management of the identified risk and should have Board approved policies, controls and procedures in this regard.
The Company shall monitor the implementation of the controls and enhance them if necessary.
- INTERNAL AUDIT
The Company’s internal audit department will evaluate and ensure adherence to the KYC policies and procedures. As a general rule, the compliance function will provide an independent evaluation of the Company’s own policies and procedures, including legal and regulatory requirements. Internal Auditors may specifically check and verify the application of KYC procedures at the branches and comment on the lapses observed in this regard. The compliance in this regard will be put up before the Board periodically.
- EMPLOYEE TRAINING
The Company shall have an ongoing employee training program so that the members of the staff are adequately trained in KYC procedures. Training requirements will have different focuses for frontline staff, compliance staff and staff dealing with new customers so that all those concerned fully understand the rationale behind the KYC policies and implement them consistently. Sales employees would be sensitized about the repercussions of not disclosing information about the Customer in their Verification Reports, tipping off Customers and assisting the Customers to circumvent thresholds for reporting.
- ALLOTMENT OF UNIQUE CUSTOMER IDENTIFICATION CODE (“UCIC”):
For purposes of identifying Customers, tracking the facilities availed by the Customers, monitoring financial transactions of the Customers in a holistic manner and to enable the Company to have a better approach to risk profiling of its Customers, the Company shall allot a Unique Customer Identification Code (“UCIC”) while entering into a new relationship with an individual customer, as also to existing individual customers.
- Quoting of PAN:
Permanent account number (PAN) or equivalent e-document thereof of customers shall be obtained and verified while undertaking transactions as per the provisions of Income Tax Rule 114B, as amended from time to time. Form 60 shall be obtained from persons who do not have PAN or equivalent e-document thereof.
- REVIEW AND APPROVAL OF THE POLICY
The Company shall review and assess the adequacy of this Policy annually or more frequently if any changes are required by applicable Direction/Rules/Regulations and recommend modification/amendments/changes to the Board of Directors for the Approval(s). Subsequently, any modification/amendments/changes to this Policy must be approved by the Board.
ANNEXURE 1: KYC DOCUMENTS
KYC Documents to be obtained for opening of various types of Accounts, which are based on the RBI KYC Master Directions, PML Acts and Rules and UIDAI Notifications, are given below:
| Customers/Clients | Documents |
|---|---|
| Accounts of Individuals | KYC Documents for an Account of INDIVIDUAL (including BENEFICIAL OWNER, AUTHORIZED SIGNATORY and POWER OF ATTORNEY HOLDER): Any one document from the Officially Valid Documents: Passport (mandatory for non-resident); Voter’s Identity Card; Driving License; Job Card issued by NREGA duly signed by an officer of the State Government; and Letter issued by the National Population Register containing details of the name and address; Proof of possession of Aadhaar number (voluntary submission); The KYC Identifier with an explicit consent to download records from CKYCR. If the above documents are not there with the customer, for low-risk customers, the following may be taken for identity proof: identity card with applicant’s photograph issued by Central/State Government Departments, Statutory/Regulatory Authorities, Public Sector Undertakings, Scheduled Commercial Banks, and Public Financial Institutions; letter issued by a gazetted officer, with a duly attested photograph of the person. Where the OVD furnished by the customer does not have updated address, for low/medium risk customers, the following documents may be taken for address proof and shall be deemed to be OVDs for the limited purpose of proof of address (subject to updated document from above list being submitted within 2 months): Utility bill which is not more than two months old of any service provider (electricity, telephone landline, postpaid mobile phone, piped gas, water bill); Property or Municipal Tax receipt; Bank account or Post Office savings bank account statement; Pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address; Letter of allotment of accommodation from employer issued by State or Central Government departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies. Similarly, leave and license agreements with such employers allotting official accommodation; and Documents issued by Government departments of foreign jurisdictions and letter issued by Foreign Embassy or Mission in India. |
| Accounts of Companies. Certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained | KYC Documents or equivalent e-documents for an Account of a COMPANY: Certificate of incorporation; Memorandum and Articles of Association; Permanent Account Number (“PAN”) of the Company; A resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf; and the names of the relevant persons holding senior management position; Individual KYC relating to beneficial owner, the manager, Wholetime Directors, officers or employees holding an attorney to transact on its behalf; the registered office and the principal place of its business, if it is different; Copy of utility bill which is not more than two months old of any service provider for its principal place of business (electricity, telephone landline); |
| Accounts of Partnership firms. Certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained | KYC Documents or equivalent e-documents for an Account of PARTNERSHIP FIRM: Registration certificate; Partnership deed; and Individual KYC relating to beneficial owner, manager, Partners, and persons holding an attorney to transact on its behalf; Permanent Account Number (“PAN”) of the partnership firm; the names of the beneficiaries, trustees, settlor, protector, if any and authors of the trust; the address of the registered office, and the principal place of its business, if it is different. |
| Accounts of Trusts and Foundations. Certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained | KYC Documents or equivalent e-documents for an Account of TRUST: Registration certificate; Trust deed; Permanent Account Number (“PAN”) or Form 60 of trust and List of Trustee along with Individual KYC for those discharging the role as trustee and authorised to transact on behalf of the trust; Bank Account statement issued by a scheduled commercial bank (such statement being not older than one month from the date of application); the names of the beneficiaries, trustees, settlor and authors of the trust; the address of the registered office of the trust; and |
| Accounts of Unincorporated Association or a Body of Individuals. Certified copies of each of the following documents or the equivalent e-documents thereof shall be obtained | KYC Documents or equivalent e-documents for an Account of an UNINCORPORATED ASSOCIATION OR BODY OF INDIVIDUALS (includes SOCIETIES): Resolution of the managing body of such association or body of individuals; Power of attorney granted to him to transact on its behalf; Permanent Account Number or Form No. 60 of the unincorporated association or a body of individuals; Individual KYC relating to beneficial owners, manager, officers or employees and person holding an attorney to transact on its behalf; and Such information as may be required by the Company to collectively establish the legal existence of such an association or body of individuals. Explanation 1: Unregistered trusts/partnership firms shall be included under the term ‘unincorporated association’. Explanation 2: Term ‘body of individuals’ includes societies. |
| Accounts of Proprietorship Concerns. Proof of the name, address and activity of the concern. A certified true copy of the documents, duly signed and stamped by the Proprietor | KYC Documents for an Account of SOLE PROPRIETARY FIRMS: Individual KYC of the Proprietor. Any two of the following documents in the name of the proprietary concern: Registration certificate (in the case of a registered concern); Certificate/licence issued by the Municipal authorities under Shop & Establishment Act; Sales and income tax returns; CST/VAT/GST certificate; Certificate/registration document issued by Sales Tax/Service Tax/Professional Tax authorities; Licence/certificate of practice issued in the name of the proprietary concern by any professional body incorporated under a statute; The complete Income Tax return (not just the acknowledgement) in the name of the sole proprietor where the firm’s income is reflected, duly authenticated/acknowledged by the Income Tax Authorities; Copy of utility bill which is not more than two months old of any service provider for its principal place of business (electricity, telephone landline). Explanation: In cases where the Company is satisfied that it is not possible to furnish two such documents, REs may, at their discretion, accept only one of those documents as proof of business/activity, provided the Company undertakes contact point verification and collects such other information and clarification as would be required to establish the existence of such firm, and shall confirm and satisfy itself that the business activity has been verified from the address of the proprietary concern. |
Note: Permanent Account Number (PAN) shall be obtained from all types of customers and the same shall be verified from the verification facility of the issuing authority.
ANNEXURE 2: V-CIP
VIDEO BASED CUSTOMER IDENTIFICATION PROCESS (“V-CIP”):
- The Company may undertake V-CIP to carry out:
- CDD in case of new customer on-boarding for individual customers, proprietor in case of proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity (LE) customers.
Provided that in case of CDD of a proprietorship firm, the Company shall also obtain the document of the activity proofs with respect to the proprietorship firm.
- Conversion of existing accounts opened in non-face to face mode using Aadhaar OTP based e-KYC authentication as per Section 17.
- Updation/Periodic updation of KYC for eligible customers.
- The Company opting to undertake V-CIP, shall adhere to the following minimum standards:
- V-CIP Infrastructure
- The Company should have complied with the RBI guidelines on minimum baseline cyber security and resilience framework, as updated from time to time as well as other general guidelines on IT risks. The technology infrastructure should be housed in own premises of the Company and the V-CIP connection and interaction shall necessarily originate from its own secured network domain. Any technology related outsourcing for the process should be compliant with relevant RBI guidelines.
- Where cloud deployment model is used, it shall be ensured that the ownership of data in such model rests with the Company only and all the data including video recording is transferred to the Company’s exclusively owned / leased server(s) including cloud server, if any, immediately after the V-CIP process is completed and no data shall be retained by the cloud service provider or third-party technology provider assisting the V-CIP of the RE.
- The Company shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner.
- The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.
- The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt.
- The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with the Company. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.
- Based on experience of detected / attempted / ‘near-miss’ cases of forged identity, the technology infrastructure including application software as well as work flows shall be regularly upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber-event under extant regulatory guidelines.
- The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities. Any critical gap reported under this process shall be mitigated before rolling out its implementation. Such tests should be conducted by the empanelled auditors of Indian Computer Emergency Response Team (CERT-In). Such tests should also be carried out periodically in conformance to internal / regulatory guidelines.
- The V-CIP application software and relevant APIs / webservices shall also undergo appropriate testing of functional, performance, maintenance strength before being used in live environment. Only after closure of any critical gap found during such tests, the application should be rolled out. Such tests shall also be carried out periodically in conformity with internal/ regulatory guidelines.
- V-CIP Procedure
- The Company shall formulate a clear work flow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process shall be operated only by officials of the Company specially trained for this purpose. The official should be capable of carrying out a liveness check and of detecting any other fraudulent manipulation or suspicious conduct of the customer and acting upon it.
- Disruption of any sort including pausing of video, reconnecting calls, etc., should not result in creation of multiple video files. If pause or disruption is not leading to the creation of multiple files, then there is no need to initiate a fresh session by the Company. However, in case of call drop / disconnection, fresh session shall be initiated.
- The sequence and/or type of questions, including those indicating the liveness of the interaction, during video interactions shall be varied in order to establish that the interactions are real-time and not pre-recorded.
- Any prompting observed at the customer's end shall lead to rejection of the account opening process.
- The fact of the V-CIP customer being an existing or new customer, or whether it relates to a case rejected earlier, or whether the name appears in some negative list, should be factored in at the appropriate stage of the work flow.
- The authorised official of the Company performing the V-CIP shall record audio-video as well as capture photograph of the customer present for identification and obtain the identification information using any one of the following:
- OTP based Aadhaar e-KYC authentication
- Offline Verification of Aadhaar for identification
- KYC records downloaded from CKYCR, in accordance with Section 57, using the KYC identifier provided by the customer
- Equivalent e-document of Officially Valid Documents (OVDs) including documents issued through Digilocker
The Company shall ensure to redact or blackout the Aadhaar number in terms of Section 16.
In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be ensured that the XML file or QR code generation date is not older than 3 days from the date of carrying out V-CIP.
Further, in line with the prescribed period of three days for usage of Aadhaar XML file / Aadhaar QR code, the Company shall ensure that the video process of the V-CIP is undertaken within three days of downloading / obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document, if, in rare cases, the entire process cannot be completed at one go or seamlessly. However, the Company shall ensure that no incremental risk is added due to this.
- If the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured, as per the existing requirement. It shall be ensured that the economic and financial profile/information submitted by the customer is also confirmed from the customer undertaking the V-CIP in a suitable manner.
- The Company shall capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority including through Digilocker.
- Use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP.
- The authorised official of the Company shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer.
- Assisted V-CIP shall be permissible when banks take help of Banking Correspondents (BCs) facilitating the process only at the customer end. Banks shall maintain the details of the BC assisting the customer, where services of BCs are utilized. The ultimate responsibility for customer due diligence will be with the bank.
- All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and the acceptability of the outcome.
- All matters not specified under the paragraph but required under other statutes such as the Information Technology (IT) Act shall be appropriately complied with by the Company.
- V-CIP Records and Data Management
- The entire data and recordings of V-CIP shall be stored in a system / systems located in India. The Company shall ensure that the video recording is stored in a safe and secure manner and bears the date and time stamp that affords easy historical data search. The extant instructions on record management, as stipulated in this Master Direction – KYC Direction 2016, shall also be applicable for V-CIP.
- The activity log along with the credentials of the official performing the V-CIP shall be preserved.
ANNEXURE 3: RED FLAGS FOR SUSPICIOUS TRANSACTIONS
RED FLAGS / PARAMETERS TO IDENTIFY SUSPICIOUS TRANSACTIONS
Red Flag Indicators (‘RFIs’):
| Alert No. | Alert Indicators | Indicative Rules / Scenario |
|---|---|---|
| 1. | Prospective customer left without opening account | A customer who is willing to open an account but suddenly backs out after realizing that the customer will not be able to provide specific / basic KYC documents. Note: This must be distinguished from genuine cases where a willing customer may not have certain KYC documents or in the given situation is able to provide justification for absence of certain KYC documents and enquires about alternate KYC documents to open the account. |
| 2. | (a) Customer offered fake/forged KYC details (b) Customer offered forged/non-verifiable documents | Customer offered false or forged identification documents, or documents appear to be counterfeited, fabricated, altered or inaccurate, or identity documents are not verifiable, e.g. foreign documents. Insignificant or nil business activity at their stated business premises during EDD, or business set up not being commensurate to the stated financials. Address provided by the customer is found to be non-existent/wrong address deliberately given. Note: The EDD should be undertaken in such a manner that it does not lead to tip off and the suspected customer closes the account after due diligence process. |
| 3. | Frequent Address change request | Customer frequently requests for change of address without providing any proper/genuine reasons. Note: Receipt of requests for change in addresses frequently is a ground for suspicion. However, there could be situations where customer asks for correction in addresses, e.g., adding a landmark or correcting the pin code without change in the address or location, which may not be considered as change in address. |
| 4. | Customer with suspicious behavioural traits, viz. nervous, over-cautious, provides inconsistent information | Customer is nervous or could not explain source of funds satisfactorily. Customer was over-cautious in explaining genuineness of the transaction. Customer intends to change the critical information provided or provides information that seems minimal, possibly false or inconsistent. |
| 5. | Customer wants to avoid reporting | Customer makes enquiries or tries to convince staff to avoid reporting of transactions or account details to Regulator, Tax Authorities, Law Enforcement Agencies etc. |
| 6. | Customer could not explain source of funds | Customer could not explain the funds satisfactorily. |
| 7. | Transaction is unnecessarily complex, has no economic rationale / inconsistent with business/profile of the customer | Transaction is unnecessarily complex for its stated purpose. All complex, unusually large transactions and all unusual patterns which have no apparent economic or visible lawful purpose or rationale. Complex or unexplained transactions in newly opened accounts or accounts closed in short duration. Note: NBFC to closely examine the transactions of clients and ensure that such transactions are consistent with the business, income and risk profile of the customer. |
| 8. | Customer (including beneficiaries/legal heirs/Nominees/Beneficial Owners, wherever applicable) whose identity matches with any person in the list of designated individuals and entities | Names of the customer, beneficiaries/legal heirs/Nominee/Beneficial Owners (wherever applicable) are required to be considered for matching with the list of designated individuals and entities from: a) The match/watch lists specified by RBI MEA/UNSC/MHA/UAPA from time to time must be considered for the purpose of screening. b) Match of Customer details with TF suspects/criminals on lists of Interpol, EU, OFAC etc. as circulated from time to time by the regulator, i.e. RBI. c) Matching of Customer with (i) FIU India order list (FINNET Alerts) (ii) Any alert issued by FIU-IND (Confidential via email). |
| 9. | High Value Cash Deposits in a Day/Month | Cash deposits of INR 2,00,000/- in a day and exceeding INR 10,00,000/- in a month for individual/non-individual. |
| 10. | Transactions involving a location with High Terrorist Financing Risk | Transactions involving a location considered to be high risk for Terrorist Financing / Maoist Insurgency/North East Insurgency. |
| 11. | Credits predominantly by way of UPI/IMPS or multiple virtual Ids | Credits to accounts of customers or escrow accounts (wherever applicable) through UPI/IMPS from different IP addresses or using multiple virtual payment IDs and subsequent withdrawal in short duration from the account. |
| 12. | High Value Cash transactions inconsistent with Profile | Customer with low cash requirements with no declared or known source of income, such as students, housewife, pensioners, wages/salaried person/minor accounts, engaging in cash deposit >50% of the declared income. |
| 13. | Repayment of Loan in cash | Loan repayments in cash greater than INR 1,00,000/- for more than 50% of the instances during a year or repayment period, whichever is earlier. |
Annexure 4: DIGITAL KYC PROCESS
Digital KYC Process
- The Company shall develop an application for digital KYC process which shall be made available at customer touch points for undertaking KYC of their customers and the KYC process shall be undertaken only through this authenticated application of the Company.
- The access of the Application shall be controlled by the Company and it should be ensured that the same is not used by unauthorized persons. The Application shall be accessed only through login-id and password or Live OTP or Time OTP controlled mechanism given by REs to its authorized officials.
- The customer, for the purpose of KYC, shall visit the location of the authorized official of the Company or vice-versa. The original OVD shall be in possession of the customer.
- The Company must ensure that the Live photograph of the customer is taken by the authorized officer and the same photograph is embedded in the Customer Application Form (CAF). Further, the system Application of the Company shall put a water-mark in readable form having CAF number, GPS coordinates, authorized official’s name, unique employee Code (assigned by the Company) and Date (DD:MM:YYYY) and time stamp (HH:MM:SS) on the captured live photograph of the customer.
- The Application of the Company shall have the feature that only live photograph of the customer is captured and no printed or video-graphed photograph of the customer is captured. The background behind the customer while capturing live photograph should be of white colour and no other person shall come into the frame while capturing the live photograph of the customer.
- Similarly, the live photograph of the original OVD or proof of possession of Aadhaar where offline verification cannot be carried out (placed horizontally), shall be captured vertically from above and water marking in readable form as mentioned above shall be done. No skew or tilt in the mobile device shall be there while capturing the live photograph of the original documents.
- The live photograph of the customer and his original documents shall be captured in proper light so that they are clearly readable and identifiable.
- Thereafter, all the entries in the CAF shall be filled as per the documents and information furnished by the customer. In those documents where a Quick Response (QR) code is available, such details can be auto-populated by scanning the QR code instead of manually filling in the details. For example, in case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where a QR code is available, details like name, gender, date of birth and address can be auto-populated by scanning the QR code available on the Aadhaar/e-Aadhaar.
- Once the above mentioned process is completed, a One Time Password (OTP) message containing the text that ‘Please verify the details filled in form before sharing OTP’ shall be sent to customer’s own mobile number. Upon successful validation of the OTP, it will be treated as customer signature on CAF. However, if the customer does not have his/her own mobile number, then mobile number of his/her family/relatives/known persons may be used for this purpose and be clearly mentioned in CAF. In any case, the mobile number of authorized officers registered with the Company shall not be used for customer signature. The Company must check that the mobile number used in customer signature shall not be the mobile number of the authorized officer.
- The authorized officer shall provide a declaration about the capturing of the live photograph of customer and the original document. For this purpose, the authorized official shall be verified with One Time Password (OTP) which will be sent to his mobile number registered with the Company. Upon successful OTP validation, it shall be treated as authorized officer’s signature on the declaration. The live photograph of the authorized official shall also be captured in this authorized officer’s declaration.
- Subsequent to all these activities, the Application shall give information about the completion of the process and submission of activation request to activation officer of the Company, and also generate the transaction-id/reference-id number of the process. The authorized officer shall intimate the details regarding transaction-id/reference-id number to customer for future reference.
- The authorized officer of the Company shall check and verify that: (i) information available in the picture of the document matches the information entered by the authorized officer in the CAF; (ii) the live photograph of the customer matches the photo available in the document; and (iii) all of the necessary details in the CAF, including mandatory fields, are filled properly.
- On successful verification, the CAF shall be digitally signed by the authorized officer of the Company, who will take a print of the CAF, get signatures/thumb-impression of the customer at the appropriate place, then scan and upload the same in the system. The original hard copy may be returned to the customer.
