-Kanakprabha Jethani and Anita Baid (email@example.com)
Considering the impact of the resurgence of the Covid-19 pandemic on the economy, the RBI Governor, on May 5, 2021, announced several measures with a view to infuse liquidity in the economy, avoid another wave of borrower defaults as well as aid in ease of business during the lockdown.
Out of the several measures announced by the Governor, one was to simplify the KYC process, which is the initial step of any lending transaction. Some of the amendments seem to provide immediate relief from compliance requirements and some are intended to encourage carrying out KYC compliances electronically, given the social distancing norms.
In this regard, the RBI has issued the following notifications:
- Periodic Updation of KYC – Restrictions on Account Operations for Non-compliance dated May 5, 2021
- Amendment to the Master Direction (MD) on KYC dated May 10, 2021
In this article we intend to discuss the prima facie implications of the amendments introduced by the aforesaid notifications.
-Kanakprabha Jethani (firstname.lastname@example.org)
The Central KYC Registry (CKYCR) is a registry that serves as a central record for KYC information of all the customers of financial institutions. In India, the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) has been authorised to carry out the functions of CKYCR. It was operationalised in 2016 beginning with collecting information on ‘individual’ accounts. Until now, the CKYCR did not have a feature to collect KYC information of legal entities.
The CERSAI has, in consultation with the RBI, prepared a template for submission of KYC information of legal entities (the same is yet to be published by CERSAI). The RBI has, through a notification dated December 18, 2020 (‘Notification’) directed financial institutions to begin submitting KYC information of legal entities w.e.f. April 1, 2021 (‘Notified Date’). The Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) have been updated in line with the said notification.
In this note, we discuss the implications specifically for NBFCs having a customer interface.
Actionables for financial entities
In compliance with the existing KYC provisions on CKYCR and the Notification, NBFCs shall be required to take the following steps:
For customers who are legal entities, other than individuals and FPIs
- Ensure uploading of KYC data of legal entities whose loan accounts have been opened after the Notified Date, within 10 days of commencement of an account-based relationship with the customer. It is to be noted that the existing time limit for uploading the documents of individual accounts was 3 days.
- Ensure uploading KYC records of legal entities on CKYCR, whose accounts are opened before the Notified Date, while undertaking periodic updation or otherwise on receipt of updated KYC information from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
- Communicate the KYC identifier generated after uploading of KYC information to the customer.
- Ensure that the existing KYC records of individual customers pertaining to loan accounts opened prior to April 01, 2017, should be incrementally uploaded on CKYCR at the time of periodic updation or earlier when the updated KYC information is obtained/received from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
- Ensure uploading of KYC data of individual loan accounts opened after the Notified Date, within 10 days of commencement of an account-based relationship with the customer.
- Communicate the KYC identifier generated after uploading of KYC information to the customer.
Clarification with respect to identity verification through CKYCR
There has been confusion regarding the validity of identity verification done by fetching KYC details from the CKYCR. The provisions of the Prevention of Money Laundering Act, 2002 (PMLA) and rules thereunder, as well as the operating guidelines, clearly state that if the customer submits a KYC identifier for identity and address verification, no other documents need to be obtained.
The KYC Directions, however, have remained silent on the same for long. The Notification also clarified that-
“Where a customer, for the purpose of establishing an account based relationship, submits a KYC Identifier to a RE, with an explicit consent to download records from CKYCR, then such RE shall retrieve the KYC records online from CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, unless –
- there is a change in the information of the customer as existing in the records of CKYCR;
- the current address of the customer is required to be verified;
- the RE considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client.”
Hence, for the purpose of verification, what is necessary is the KYC Identifier and an explicit consent from the customer to download his/her KYC information from the CKYCR.
The template for uploading KYC information of legal entities on the CKYCR portal has been formulated and shall be live on CERSAI Platform shortly. Financial institutions shall be required to ensure uploading of KYC information of legal entities w.e.f. the Notified Date. Further, additional obligations have been placed on financial institutions in terms of uploading KYC documents for existing customers and intimation of KYC identifier to all customers. Clarification regarding the validity of KYC verification using data from CKYCR is a welcome move.
As per para 38 of the KYC Directions: periodic updation shall be carried out at least once in every two years for high risk customers, once in every eight years for medium risk customers and once in every ten years for low risk customers as per the prescribed procedure.
-Financial Services Division (email@example.com)
The Reserve Bank of India (RBI) introduced an amendment to Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) requiring Regulated Entities (REs) to carry out money laundering (ML) and terrorist financing (TF) risk assessment exercises periodically. This requirement shall be applicable with immediate effect and the first assessment has to be carried out by June 30, 2020.
Carrying out ML and TF risk assessment is a very subjective matter and there is no rule of thumb to be followed for the same. There is no uniformity in the procedures of risk assessment; however, they may be guided by a set of broad principles. The following write-up intends to explore guidance principles enumerated by international bodies and suggest principles to be followed by financial institutions in India, specifically NBFCs, for carrying out the risk assessment exercise.
Origin of the concept
The concept of ML and TF risk assessment arises from the recommendations of Financial Action Task Force (FATF). FATF has also provided detailed guidance on TF Risk Assessment. Due to the inter-linkage between ML and TF, the guidelines also serve the purpose of guiding ML risk assessment. TF risk is defined as-
“A TF risk can be seen as a function of three factors: threat, vulnerability and consequence. It involves the risk that funds or other assets intended for a terrorist or terrorist organisation are being raised, moved, stored or used in or through a jurisdiction, in the form of legitimate or illegitimate funds or other assets.”
Global practices for ML/TF risk assessment
Based on FATF recommendations, many jurisdictions have prepared and published risk assessment procedures. India is yet to come up with the same.
For example, the National risk assessment of money laundering and terrorist financing is the guidance published by the UK government. It provides sector specific guidance for risk assessment. The sector specific guidance is made more granular keeping in view the specific threats to certain parts of the sector.
The guidance provided by the Republic of Serbia is a generalised one providing broad guidance to all sectors for risk assessment.
In Germany, financial institutions are classified on the basis of potential risk of ML/TF identified by them (considering the factors such as location, scope of business, product structure, customers’ profile and distribution structure) and the intensity of supervision by regulator is based on such risk categorisation.
Risk assessment process by NBFC
The risk assessment of a financial sector entity such as an NBFC need not be complex, but should be commensurate with the nature and size of its business. For smaller or less complex NBFCs where the customers fall into similar categories and/or where the range of products and services is very limited, a simple risk assessment might suffice. Conversely, where the loan products and services are more complex, where there are multiple subsidiaries or branches offering a wide variety of products, and/or their customer base is more diverse, a more sophisticated risk assessment process will be required.
Based on the guiding principles provided by the FATF and specific guidance issued by FATF for the banking and financial sector, the process of risk assessment by NBFCs may be divided into the following stages:
Stage 1: Collection of information
The risk assessment shall begin with the collection of information on a wide range of variables including information on the general criminal environment, TF and terrorism threats, TF vulnerabilities of specific sectors and products, and the jurisdiction’s general AML capacity.
The information may be collected externally or internally. In India, the Directorate of Enforcement is the body which deals with ML and TF matters and holds a collection of information and a list of terrorists. Further, the information may also be obtained from the Central Bureau of Investigation.
Stage 2: Threat identification
Based on the information collected, jurisdiction and sector specific threats should be identified. Threat identification should be based on the risks identified at the national level; however, it shall not be limited to the same. It should also be commensurate to the size and nature of business of the entity.
For individual NBFCs, it should take into account the level of inherent risk including the nature and complexity of their loan products and services, their size, business model, corporate governance arrangements, financial and accounting information, delivery channels, customer profiles, geographic location and countries of operation. The NBFC should also look at the controls in place, including the quality of the risk management policy, the functioning of the internal oversight functions etc.
Stage 3: Assessment of ML/TF vulnerabilities
This stage involves determination of how the identified threats will impact the entity. The information obtained should be analysed in order to assess the probability of risks occurring. Based on the assessment, ML/TF risks should be classified as low, medium and high impact risks.
While assessing the risks, following factors should be considered:
- The nature, scale, diversity and complexity of their business;
- Target markets;
- The number of customers already identified as high risk;
- The jurisdictions the entity is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT controls and listed by RBI or FATF;
- The distribution channels, including the extent to which the entity deals directly with the customer or relies on third parties to conduct CDD;
- The internal audit and regulatory findings;
- The volume and size of its transactions.
The NBFCs should complement this information with information obtained from relevant internal and external sources, such as operational/business heads and lists issued by inter-governmental international organisations, national governments and regulators.
The risk assessment should be approved by senior management and form the basis for the development of policies and procedures to mitigate ML/TF risk, reflecting the risk appetite of the NBFC and stating the risk level deemed acceptable. It should be reviewed and updated on a regular basis. Policies, procedures, measures and controls to mitigate the ML/TF risks should be consistent with the risk assessment.
Stage 4: Analysis of ML/TF threats and vulnerabilities
Once potential TF threats and vulnerabilities are identified, the next step is to consider how these interact to form risks. This could include a consideration of how identified domestic or foreign TF threats may take advantage of identified vulnerabilities. The analysis should also include assessment of likely consequences.
Stage 5: Risk Mitigation
Post the analysis of threats and vulnerabilities, the NBFC must develop and implement policies and procedures to mitigate the ML/TF risks they have identified through their individual risk assessment. Customer due diligence (CDD) processes should be designed to understand who their customers are by requiring them to gather information on what they do and why they require financial services. The initial stages of the CDD process should be designed to help NBFCs to assess the ML/TF risk associated with a proposed business relationship, determine the level of CDD to be applied and deter persons from establishing a business relationship to conduct illicit activity.
Focus on CDD procedure
While entering into a relationship with the customer, carrying out Customer Due Diligence (CDD) is the initial step. It is during the CDD process that the identity of a customer is verified and risk based assessment of the customer is done. While assessing credit risks, financial entities should also assess ML/TF risks. The CDD procedures and policies should suitably include checkpoints with respect to ML and TF.
The risk classification of the customer, as discussed above, should also be done based on the CDD carried out. The CDD procedure, apart from verifying the identity of the customer, should also go a few steps further to understand the nature of business or activity of the customer. Measures should be taken to prevent the misuse of legal persons for money laundering or terrorist financing.
In case of medium or high risk customers, or unusual transactions, the entities should also carry out transaction due diligence to identify source and application of funds, beneficiary of the transaction, purpose etc.
NBFCs should document and state clearly the criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers. Criteria applied to decide the frequency and intensity of the monitoring of different customer segments should also be transparent. Further, the NBFC must maintain records on transactions and information obtained through the CDD measures. The CDD information and the transaction records should be made available to competent authorities upon appropriate authority.
Some examples of enhanced and simplified due diligence measures are as follows:
Enhanced Due Diligence (EDD)
- obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
- carrying out additional searches (e.g., verifiable adverse media searches) to inform the individual customer risk assessment
- commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
- verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
- seeking additional information from the customer about the purpose and intended nature of the business relationship
Simplified Due Diligence (SDD)
- obtaining less information (e.g., not requiring information on the address or the occupation of the potential client), and/or seeking less robust verification, of the customer’s identity and the purpose and intended nature of the business relationship
- postponing the verification of the customer’s identity
Ongoing CDD and Monitoring
Ongoing monitoring means the scrutiny of transactions to determine whether the transactions are consistent with the NBFC’s knowledge of the customer and the nature and purpose of the loan product and the business relationship.
Monitoring also involves identifying changes to the customer profile (for example, their behaviour, use of products and the amount of money involved), and keeping it up to date, which may require the application of new, or additional, CDD measures. Monitoring transactions is an essential component in identifying transactions that are potentially suspicious. Monitoring should be carried out on a continuous basis or triggered by specific transactions. It could also be used to compare a customer’s activity with that of a peer group. Further, the extent and depth of monitoring must be adjusted in line with the NBFC’s risk assessment and individual customer risk profiles.
The NBFCs should have the ability to flag unusual movement of funds or transactions for further analysis. Further, they should have appropriate case management systems so that such funds or transactions are scrutinised in a timely manner and a determination made as to whether the funds or transactions are suspicious. Funds or transactions that are suspicious should be reported promptly to the FIU and in the manner specified by the authorities. There must be adequate processes to escalate suspicions and, ultimately, report to the FIU.
Adequate internal controls are a prerequisite for the effective implementation of policies and processes to mitigate ML/TF risk. Internal controls include appropriate governance arrangements where responsibility for AML/CFT is clearly allocated and there are controls to test the overall effectiveness of the NBFC’s policies and processes to identify, assess and monitor risk. It is important that responsibility for the consistency and effectiveness of AML/CFT controls be clearly allocated to an individual of sufficient seniority within the NBFC to signal the importance of ML/TF risk management and compliance, and that ML/TF issues are brought to senior management’s attention.
Recruitment and Training
NBFCs should check that the personnel they employ have integrity, are adequately skilled and possess the knowledge and expertise necessary to carry out their function, in particular where staff are responsible for implementing AML/CFT controls. The senior management responsible for implementation of a risk-based approach should understand the degree of discretion an NBFC has in assessing and mitigating its ML/TF risks. In particular, it must be ensured that the employees and staff have been trained to assess the quality of an NBFC’s ML/TF risk assessments and to consider the adequacy, proportionality and effectiveness of the NBFC’s AML policies, procedures and internal controls in light of this risk assessment. Adequate training would allow them to form sound judgments about the adequacy and proportionality of the AML controls.
Stage 6: Follow-up and maintaining up-to-date risk assessment
Once assessed, the impact of the risk shall be recorded and measures to mitigate the same should be provided for. The information that forms the basis of the risk assessment process should be updated in a timely manner and the entire risk assessment procedure should be carried out again in case of a major change in the information.
The compliance officer of the NBFC should have the necessary independence, authority, seniority, resources and expertise to carry out these functions effectively, including the ability to access all relevant internal information. Additionally, there should be an independent audit function carried out to test the AML/CFT programme with a view to establishing the effectiveness of the overall AML/CFT policies and processes and the quality of NBFC’s risk management across its operations, departments, branches and subsidiaries, both domestically and, where relevant, abroad.
Our other write-ups on NBFCs may be viewed here: http://vinodkothari.com/nbfcs/
Write-ups relating to KYC and anti-money laundering may also be referred to: