Amended KYC norms: A move towards faceless KYC

RBI amends KYC norms to permit faceless KYC; beneficial owner of 10% or more to be subjected to KYC

– Anita Baid, Vice President | anita@vinodkothari.com

Recognising the increasing trend towards faceless lending, and the use of technology for customer due diligence, the RBI has made much-needed changes in the KYC process, permitting lenders to avoid any physical interface with borrowers and rely on documents stored in DigiLocker or other e-documents. Amendments, immediately effective, were made to the Master Direction – Know Your Customer (KYC) Direction, 2016 vide a notification dated April 28, 2023.

Watch our YouTube video on the topic here – https://www.youtube.com/live/Ewi4FW8G0xk?feature=share

The amendments in the KYC Directions are applicable to every entity regulated by the RBI, including but not limited to banks, cooperative banks, payment system providers, AIFIs as well as NBFCs, and intend to achieve the following:

  1. To incorporate the recent amendments dated March 7, 2023, in the Prevention of Money-Laundering Act, 2002 (“PML Act”) and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (‘PML Rules’);
  2. To align the KYC process with increasing use of non-face-to-face lending transactions;
  3. To incorporate instructions on the procedure for implementation of Section 12A of the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (‘WMD Act, 2005’);
  4. To update certain instructions in accordance with FATF Recommendations.

The following article intends to discuss the changes introduced by the RBI vide its notification dated April 28, 2023, on ‘Amendment to the Master Direction (MD) on KYC’.

Changes pursuant to PML Rules

The amendments in the PML Act and PML Rules[1] mainly pertained to revised thresholds for ascertainment of beneficial ownership (25% to 10%), implementation of group-wide policies for reporting compliance, expanding the obligations under PMLA to service providers of virtual digital assets, etc. The changes are briefly listed below:

  1. Insertion of various definitions
    The definitions of “Non-profit organizations” and “Politically Exposed Persons” have been amended to align those with the definitions in the PML Rules. Also, the RE shall be required to ensure the registration of customers, in case of NPO, on the DARPAN Portal of NITI Aayog, if not already registered. Further, the definition of “Group” has been added.
  2. Group-level monitoring
    Section 4 has been amended and a provision has been inserted advising regulated entities to ensure that a group-wide policy is implemented for the purpose of discharging obligations under the provisions of Chapter IV of the PML Rules.
  3. Revised criteria for Beneficial Ownership
    The threshold for “Controlling ownership interest” for the purpose of determination of Beneficial Owner (BO) has been revised to 10 percent for both companies and trusts from the earlier threshold of 25 percent and 15 percent, respectively.
  4. Additional documentation requirements
    Additional recognized documents have been specified that are required to be submitted by companies, partnership firms, and trusts for the purposes of conducting client due diligence.
    Further, there are requirements and obligations that have been included based on the Order dated January 30, 2023, titled – Procedure for Implementation of Section 12A of the WMD Act, 2005, issued by the Ministry of Finance, Government of India.

Non-face-to-face mode of KYC

The Digital Lending Guidelines regulate lending done through lending applications and have also introduced various restrictions on the conduct of agents and service providers as well as the digital lending app. The onboarding of the customer in the digital journey is facilitated through the lending application, so customer identification and verification are also done in a non-face-to-face mode. Non-face-to-face onboarding means there is no physical interaction with the customer. It is important to note that KYC through V-CIP is considered equivalent to a face-to-face customer identification process. However, in the case of non-face-to-face customers, who are essentially availing digital lending facilities, the REs may, in addition to Aadhaar OTP-based e-KYC, use digital channels such as CKYCR, DigiLocker, equivalent e-document, etc., as well as non-digital modes such as obtaining a copy of an OVD certified by additional certifying authorities as allowed for NRIs and PIOs.

For such non-face-to-face customers, given the increased risk, the due diligence shall also be enhanced. There was already a restriction on customer accounts opened using Aadhaar OTP-based e-KYC in non-face-to-face mode. However, only a handful of REs, other than banks, have been authorised to carry out Aadhaar OTP-based e-KYC.

Pursuant to the amendment, in case of onboarding a non-face-to-face customer, other than through the Aadhaar OTP-based e-KYC mode, the REs have been instructed to ensure additional measures (as discussed below). Considering that the intent of the regulator is to enable faceless lending, the requirements should be implemented such that there are no delays or practical difficulties, specifically in the automated and remote lending process.

  1. If the RE has the option of V-CIP, the same shall be provided as the first option to the customer for remote onboarding. However, for the REs who don’t provide the option of V-CIP, the same shall not be possible. The V-CIP infrastructure and process, in addition to being costly, is also complex, which at times is a reason for customer dropouts; hence, it is not very widely used by REs.
  2. In order to prevent fraud, alternate mobile numbers shall not be linked post-CDD with such accounts for transaction OTP, transaction updates, etc. Transactions shall be permitted only from the mobile number used for account opening. This would ensure that the mobile number provided at the time of onboarding is being used and the same is not changed unless the existing mobile number has become inoperative. There is a similar requirement in the case of account opening using Aadhaar OTP-based e-KYC, in non-face-to-face mode, which requires the regulated entities to ensure that transaction alerts, OTP, etc., are sent only to the mobile number of the customer registered with Aadhaar. Further, it has been instructed to have in place a board-approved policy delineating a robust process of due diligence for dealing with requests for change of mobile number in such accounts.
  3. Apart from obtaining the current address proof, RE shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as an address verification letter, contact point verification, deliverables, etc. On the face of it, it seems that the positive confirmation about the place of the customer would entail some kind of physical verification by the RE or its agents. However, in case of a loan transaction, it may not be possible to restrict the operations of the loan account since the loan would have already been disbursed. Hence, one view could be that the verification is also done on a remote basis, through tracking of the IP address or geo location and matching with the address proof of the customer. Another view that can be taken is the verification being done physically would be required only in case the current address is different from the permanent address. The former view seems to be a more secure and reliable option.
  4. RE shall obtain PAN from the customer and the PAN shall be verified by the verification facility of the issuing authority. In the absence of PAN, Form 60 of the Income Tax Rules will have to be obtained.
  5. The first transaction in such accounts shall be a credit from the existing KYC-complied bank account of the customer. This requirement was already in the KYC Master Directions; however, the same seems more relevant in the case of a deposit account or in case the customer intends to open a second savings/current account rather than a loan account. For loan transactions, one possibility is that the customer may be asked to deposit Re 1 from its KYC-compliant bank account before the loan is disbursed to the account.
  6. Such customers shall be categorized as high-risk customers and accounts opened in non-face-to-face mode shall be subjected to enhanced monitoring until the identity of the customer is verified in a face-to-face manner or through V-CIP. The risk classification will also have an impact on the periodicity of KYC updation requirements: every 2 years in the case of high-risk customers.

Use of Artificial Intelligence

An interesting amendment in the KYC Master Directions is the recognition of innovations including artificial intelligence and machine learning (AI & ML) technologies for ongoing due diligence of customers and to support effective monitoring. The use of such technology for conducting the KYC process would largely depend on the RE, its mode of interface with the customer as well as the lending process. It would be the responsibility of the REs to identify and assess the money laundering and terrorist financing risks that may arise in relation to the development of new innovative products and business processes and practices. The risk assessment should be done prior to the launch of any such new product or practice or service or use of technology and appropriate measures must be taken to manage and mitigate the risks.

In this respect, a new Section 54A has been introduced requiring REs to leverage the latest technological innovations and tools for effective implementation of name screening to meet the sanction requirements, that is, to check that the name of the proposed customer is not appearing in the list of individuals and entities suspected of having terrorist links.

Other significant changes impacting the KYC Process

Instructions have been amended to clarify that additional information, where such information requirement has not been specified in the internal KYC Policy of the RE, is obtained with the explicit consent of the customer. Further, it has been clarified that regulated entities can obtain KYC Identifier with explicit customer consent to download KYC records from CKYCR, for the purpose of CDD. Further, instructions have been amended to ensure that KYC documents downloaded from the CKYCR, but whose validity has lapsed, are not used for KYC purposes.

Where the GST number is available and obtained from the customer, the same shall be verified through the search/verification facility provided by the issuing authority. The GST document is a business proof obtained from the customers in addition to the KYC documents and should be verified to ensure authenticity and reliability.

The indicative list of parameters for risk categorization has been expanded to include geographical risk covering customers as well as transactions, type of products/services offered, the delivery channel used for delivery of products/services, types of transactions undertaken, etc. REs have been advised to treat the risk categorization and reasons for risk categorization of customers as confidential.

Certain instructions pertaining to V-CIP infrastructure and disruption in the V-CIP have been amended. For instance, the requirement of ‘three days’ for the validity of the Aadhaar XML file / Aadhaar Secure QR Code and to undertake the video process has been amended to ‘three working days’.


[1] Our article covering the changes in detail can be read here- https://vinodkothari.com/2023/03/pml-act-and-rules-recent-changes-may-have-new-compliance-requirements/

Our write-ups on the topic:

Simplifying the KYC process and business identifier – https://vinodkothari.com/2023/02/simplifying-the-kyc-process-and-business-identifier/

Aadhaar based KYC- Acceptance and verification procedures – https://vinodkothari.com/2022/03/aadhaar-based-kyc-acceptance-and-verification-procedures/

NBFCs licensed for KYC authentication: Guide to the new RBI privilege for Aadhaar e-KYC Authentication – https://vinodkothari.com/2021/09/nbfcs-licensed-for-kyc-authentication/

Presentation on Basics of KYC – https://vinodkothari.com/2021/07/presentation-on-basics-of-kyc/

CKYCR becomes fully operational: The long-awaited format for legal entities’ information finally introduced – https://vinodkothari.com/2020/12/ckycr-becomes-fully-operational/
