NBFCs licensed for KYC authentication: Guide to the new RBI privilege for Aadhaar e-KYC Authentication

-Kanakprabha Jethani (kanak@vinodkothari.com)

Background

On September 13, 2021, the RBI issued a notification[1] (‘RBI Notification’) permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of a client’s Aadhaar number using the e-KYC facility provided by the Unique Identification Authority of India (UIDAI), subject, of course, to a license being granted by the MoF. The process involves an application to the RBI, onward submission after screening of the application by the RBI, then a further screening by UIDAI, and final grant of authentication by the MoF.

We discuss below the underlying requirements of the PMLA, Aadhaar Act and regulations thereunder (defined below) and other important preconditions for this new-found authorisation for NBFCs.

Understanding the difference between authentication and verification

As per section 2(c) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (‘Aadhaar Act’)[2], “authentication” means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.

Further, Section 2(pa) defines offline verification as the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by regulations.

Authentication is the process of verifying the authenticity of Aadhaar information using the authentication facility provided by the UIDAI. It may be done in any of the following ways:

  • Use of demographic authentication: The Aadhaar number and demographic information of the customer is obtained and matched with the demographic information of the Aadhaar number holder in the CIDR[3].
  • Using one-time PIN (OTP) based authentication: The Aadhaar number of the customer is obtained. An OTP is sent to the registered mobile number and/or e-mail address. The Aadhaar is authenticated when the customer shares the OTP and it matches the one generated by UIDAI.
  • Using biometric information: The Aadhaar number and biometric information submitted by the customer are matched with the biometric information stored in the CIDR.

Essentially, Aadhaar authentication requires the Regulated Entity (RE) to obtain the Aadhaar number of the customer. However, owing to the Supreme Court verdict on Aadhaar, the Aadhaar number could be obtained only by banks or specific notified entities. Eventually, the concept of offline verification was introduced, by virtue of which verification can be done using an XML file or QR code which carries minimum details of the customer. The RE is not required to obtain the Aadhaar number in this case.

Understanding the concept of AUA and KUA

The Aadhaar (Authentication) Regulations, 2016 provide the following definitions:

“Authentication User Agency” or “AUA” means a requesting entity that uses the Yes/ No authentication facility provided by the Authority;  

 “e-KYC User Agency” or “KUA” shall mean a requesting entity which, in addition to being an AUA, uses e-KYC authentication facility provided by the Authority;  

 “e-KYC authentication facility” means a type of authentication facility in which the biometric information and/or OTP and Aadhaar number securely submitted with the consent of the Aadhaar number holder through a requesting entity, is matched against the data available in the CIDR, and the Authority returns a digitally signed response containing e-KYC data along with other technical details related to the authentication transaction; 

To summarise:

  • An AUA’s rights are limited: it gets only a yes or no in response to an Aadhaar authentication, i.e. a response as to whether the Aadhaar is authentic or not.
  • A KUA’s rights are comparatively broader. It receives the e-KYC details of the customer upon utilising the authentication facility.

Further, there is a concept of sub-AUA and sub-KUA, which utilise the facility of licensed AUAs or KUAs for Aadhaar authentication.

Application for AUA/KUA License

Process

The power of granting permission for use of aadhaar authentication facility by entities other than banks is derived from section 11A of the Prevention of Money Laundering Act, 2002[4] (‘PMLA’). It states-

(1) Every Reporting Entity shall verify the identity of its clients and the beneficial owner, by—

(a) authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016) if the reporting entity is a banking company; or

(b) offline verification under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); or

**

Provided that the Central Government may, if satisfied that a reporting entity other than banking company, complies with such the standards of privacy and security under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), and it is necessary and expedient to do so, by notification, permit such entity to perform authentication under clause (a):

**

In exercise of powers under the above mentioned provisions, the Ministry of Finance (MoF) issued a notification on May 9, 2019[5], providing the process for permitting entities other than banks for using authentication facilities of the UIDAI. The notification provides for the following process:

  • Step 1: Application to be made to the concerned regulator
  • Step 2: Examination of the application by concerned regulator
    • To ensure conditions of section 11A of PMLA and other security and IT related requirements are met
  • Step 3: Examination by UIDAI of applications recommended by the regulator
    • To check standards of privacy and security set out by UIDAI are complied with
    • UIDAI to then send notification to the Department of Revenue, MoF
  • Step 4: Notification as AUA/KUA by MoF
  • Step 5: UIDAI to issue authorisation to use UIDAI’s authentication facility

The Reserve Bank of India, being the financial sector regulator, has issued the notification permitting all NBFCs, Payment System Providers and Payment System Participants to carry out authentication of client’s Aadhaar number using e-KYC facility. The Application form seeks various details about the applicant, including a confirmation that the entity is meeting the standards of complying with the Data Security Regulations 2016 of UIDAI and other related guidance / circular issued by UIDAI from time to time with regard to the privacy and security norms.

Eligibility

The most crucial aspect of eligibility for availing AUA/KUA license is the capability of meeting the standards of privacy and security set out by UIDAI. The requirement for meeting the said standards arises from section 4(4) of the Aadhaar Act[6], which states-

(4) An entity may be allowed to perform authentication, if the Authority is satisfied that the requesting entity is—

(a) compliant with such standards of privacy and security as may be specified by regulations; and

(b) (i) permitted to offer authentication services under the provisions of any other law made by Parliament; or

(ii) seeking authentication for such purpose, as the Central Government in consultation with the Authority, and in the interest of State, may prescribe.

 Additionally, the Aadhaar (Authentication) Regulations, 2016[7] provide for the eligibility criteria for appointment as AUA/KUA. As per the said regulations, the following requirements must be met by the applicant:

  • Backend infrastructure, such as servers, databases etc. of the entity, required specifically for the purpose of Aadhaar authentication, should be located within the territory of India.

  • Entity should have IT Infrastructure owned or outsourced capable of carrying out minimum 1 Lakh Authentication transactions per month.

  • Organisation should have a prescribed Data Privacy policy to protect beneficiary privacy.

  • Organisation should have adopted data security requirements as per the IT Act 2000.

Understanding standards of privacy and security

The regulations surrounding data protection and privacy issued by the UIDAI are:

  • Aadhaar (Data Security) Regulations, 2016
  • Aadhaar (Sharing of Information) Regulations, 2016
  • Miscellaneous circulars issued by the UIDAI from time to time

Major requirements under the said regulations are as follows:

  • Applicant to adopt an information security policy outlining the information security framework of the applicant, developed in line with applicable guidelines issued by UIDAI;
  • Applicant to designate an officer as Chief Information Security Officer (CISO) for ensuring compliance with the information security policy and other security-related programmes and initiatives of UIDAI;
  • Operations of the applicant to be audited by an information systems auditor;
  • Applicant to ensure that biometric information is not stored, except for buffer during authentication;
  • Applicant to ensure identity information is not shared with anyone else except with prior approval.

Conclusion

Pursuant to the said notification, the NBFCs or Payment System Providers or Payment System Participants shall be eligible to make application with the RBI, subject to compliance with the privacy and security norms issued by UIDAI. The notification is a much-awaited relaxation for the eligible non-banking entities to undertake Aadhaar authentication of their customers. However, the criteria for granting approval have not been laid down specifically and may be based on the evaluation conducted by the RBI along with UIDAI. For those who receive the approval, this would be an addition to the modes in which CDD of a customer can be conducted.

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12161&Mode=0

[2] https://uidai.gov.in/images/targeted_delivery_of_financial_and_other_subsidies_benefits_and_services_13072016.pdf

[3] Central Identities Data Repository (CIDR) means a centralised database containing all Aadhaar numbers issued to Aadhaar number holders along with the corresponding demographic information and biometric information of such individuals and other information related thereto

[4] https://www.indiacode.nic.in/bitstream/123456789/2036/1/A2003-15.pdf

[5] https://dor.gov.in/sites/default/files/circular%20dated%2009.05.2019%20of%20PMLA.pdf

[6] https://uidai.gov.in/images/news/Amendment_Act_2019.pdf

[7] Refer Schedule A to Aadhaar (Authentication) Regulations, 2016 (Page 19)- https://uidai.gov.in//images/resource/CompendiumMay2020Updated.pdf

 


Workshop on Effective Regulatory interface: Preparing for and handling RBI’s NBFC inspections

Registration for the workshop has been closed. You may register your interest for a repeat workshop here: https://forms.gle/RmwXa13DjuLBqhMU9


Rationalisation of KYC- Measures for relief or technical advancement?

-Kanakprabha Jethani and Anita Baid (finserv@vinodkothari.com)

Background

Considering the impact of the resurgence of the Covid-19 pandemic on the economy, the RBI Governor, on May 5, 2021, announced several measures with a view to infusing liquidity in the economy, avoiding another wave of borrower defaults[1] and aiding ease of business during the lockdown.

Out of the several measures announced by the Governor, one was to simplify the KYC process, which is the initial step of any lending transaction. Some of the amendments seem to provide immediate relief from compliance requirements and some are intended to encourage carrying out KYC compliances electronically, given the social distancing norms.

In this regard, the RBI has issued the following notifications:

  1. Periodic Updation of KYC – Restrictions on Account Operations for Non-compliance dated May 5, 2021[2]
  2. Amendment to the Master Direction (MD) on KYC dated May 10, 2021[3]

In this article we intend to discuss the prima facie implications of the amendments introduced by the aforesaid notifications.

CKYCR becomes fully operational: The long-awaited format for legal entities’ information finally introduced

-Kanakprabha Jethani (kanak@vinodkothari.com)

Background

The Central KYC Registry (CKYCR) is a registry that serves as a central record for KYC information of all the customers of financial institutions. In India, the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) has been authorised to carry out the functions of CKYCR. It was operationalised in 2016 beginning with collecting information on ‘individual’ accounts. Until now, the CKYCR did not have a feature to collect KYC information of legal entities.

The CERSAI has, in consultation with the RBI, prepared a template for submission of KYC information of legal entities (the same is yet to be published by CERSAI). The RBI has, through a notification dated December 18, 2020[1] (‘Notification’), directed financial institutions to begin submitting KYC information of legal entities w.e.f. April 1, 2021 (‘Notified Date’). The Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’) have been updated in line with the said notification.

In this note we have discussed the implications for NBFCs, having customer interface, specifically.

Actionables for financial entities

In compliance with the existing KYC provisions on CKYCR and the Notification, NBFCs shall be required to take the following steps:

For customers who are legal entities, other than individuals and FPIs

  • Ensure uploading KYC data of legal entities whose loan account has been opened after the Notified Date, within 10 days of commencement of an account-based relationship with the customer. It is to be noted that the existing time limit for uploading the documents of individual accounts was 3 days.
  • Ensure uploading KYC records of legal entities on CKYCR, whose accounts are opened before the Notified Date, while undertaking periodic updation[2] or otherwise on receipt of updated KYC information from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
  • Communicate the KYC identifier generated after uploading of KYC information to the customer.

For individuals

  • Ensure that the existing KYC records of individual customers pertaining to loan accounts opened prior to April 01, 2017, should be incrementally uploaded on CKYCR at the time of periodic updation or earlier when the updated KYC information is obtained/received from the customers. (When KYC information is uploaded during periodic updation or otherwise, it must be ensured that the same is in accordance with the CDD process as prevailing at such time.) Such uploading may not be required for loan accounts that are closed before undertaking the first periodic updation after the Notified Date.
  • Ensure uploading KYC data of individual loan accounts opened after the Notified Date, within 10 days of commencement of an account-based relationship with the customer.
  • Communicate the KYC identifier generated after uploading of KYC information to the customer.

Clarification with respect to identity verification through CKYCR

There has been confusion regarding the validity of identity verification done by fetching KYC details from the CKYCR. The provisions of the Prevention of Money Laundering Act, 2002 (PMLA) and rules thereunder, as well as the operating guidelines, clearly state that if the customer submits the KYC identifier for identity and address verification, no other documents need to be obtained.

However, the KYC Directions have remained silent on the same for long. The Notification also clarified that-

“Where a customer, for the purpose of establishing an account based relationship, submits a KYC Identifier to a RE, with an explicit consent to download records from CKYCR, then such RE shall retrieve the KYC records online from CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, unless –

  • there is a change in the information of the customer as existing in the records of CKYCR;
  • the current address of the customer is required to be verified;
  • the RE considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client.”

Hence, for the purpose of verification, what is necessary is the KYC Identifier and an explicit consent from the customer to download his/her KYC information from the CKYCR.

Conclusion

The template for uploading KYC information of legal entities on the CKYCR portal has been formulated and shall be live on CERSAI Platform shortly. Financial institutions shall be required to ensure uploading of KYC information of legal entities w.e.f. the Notified Date. Further, additional obligations have been placed on financial institutions in terms of uploading KYC documents for existing customers and intimation of KYC identifier to all customers. Clarification regarding the validity of KYC verification using data from CKYCR is a welcome move.

 

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12008&Mode=0

[2] As per para 38 of the KYC Directions- Periodic updation shall be carried out at least once in every two years for high risk customers, once in every eight years for medium risk customers and once in every ten years for low risk customers as per the prescribed procedure.

Guidance on money laundering and terrorist financing risk assessment

-Financial Services Division (finserv@vinodkothari.com)

Background

The Reserve Bank of India (RBI) introduced an amendment[1] to Master Direction – Know Your Customer (KYC) Direction, 2016 (‘KYC Directions’)[2] requiring Regulated Entities (REs) to carry out money laundering (ML) and terrorist financing (TF) risk assessment exercises periodically. This requirement shall be applicable with immediate effect and the first assessment has to be carried out by June 30, 2020.

Carrying out ML and TF risk assessment is a very subjective matter and there is no thumb rule to be followed for the same. There is no uniformity on procedures of risk assessment, however, they may be guided by a set of broad principles. The following write-up intends to explore guidance principles enumerated by international bodies and suggest principles to be followed by financial institutions in India, specifically NBFCs, for carrying out risk assessment exercise.

Origin of the concept

The concept of ML and TF risk assessment arises from the recommendations of Financial Action Task Force (FATF). FATF has also provided detailed guidance on TF Risk Assessment[3]. Due to the inter-linkage between ML and TF, the guidelines also serve the purpose of guiding ML risk assessment. TF risk is defined as-

“A TF risk can be seen as a function of three factors: threat, vulnerability and consequence. It involves the risk that funds or other assets intended for a terrorist or terrorist organisation are being raised, moved, stored or used in or through a jurisdiction, in the form of legitimate or illegitimate funds or other assets.”

Global practices for ML/TF risk assessment

Based on FATF recommendations, many jurisdictions have prepared and published risk assessment procedures. India is yet to come up with the same.

For example, the National risk assessment of money laundering and terrorist financing[4] is the guidance published by the UK government. It provides sector specific guidance for risk assessment. The sector specific guidance is further granulated keeping in view the specific threats to certain parts of the sector.

The guidance provided by the Republic of Serbia[5] is a generalised one providing broad guidance to all sectors for risk assessment.

In Germany, financial institutions are classified on the basis of potential risk of ML/TF identified by them (considering the factors such as location, scope of business, product structure, customers’ profile and distribution structure) and the intensity of supervision by regulator is based on such risk categorisation.

Risk assessment process by NBFC

The risk assessment of a financial sector entity such as an NBFC, need not be complex, but should be commensurate with the nature and size of its business. For smaller or less complex NBFCs where the customers fall into similar categories and/or where the range of products and services are very limited, a simple risk assessment might suffice. Conversely, where the loan products and services are more complex, where there are multiple subsidiaries or branches offering a wide variety of products, and/or their customer base is more diverse, a more sophisticated risk assessment process will be required.

Based on the guiding principles provided by the FATF and specific guidance issued by FATF for banking and financial sector[6], the process of risk assessment by NBFCs may be divided into following stages:

Stage 1: Collection of information

The risk assessment shall begin with the collection of information on a wide range of variables, including information on the general criminal environment, TF and terrorism threats, TF vulnerabilities of specific sectors and products, and the jurisdiction’s general AML capacity.

The information may be collected externally or internally. In India, the Directorate of Enforcement is the body which deals with ML and TF matters and has a collection of information and a list of terrorists. Further, the information may also be obtained from the Central Bureau of Investigation.

Stage 2: Threat identification

Based on the information collected, jurisdiction and sector specific threats should be identified. Threat identification should be based on the risks identified on the national level, however, shall not be limited to the same. It should also be commensurate to the size and nature of business of the entity.

For individual NBFCs, it should take into account the level of inherent risk including the nature and complexity of their loan products and services, their size, business model, corporate governance arrangements, financial and accounting information, delivery channels, customer profiles, geographic location and countries of operation. The NBFC should also look at the controls in place, including the quality of the risk management policy, the functioning of the internal oversight functions etc.

Stage 3: Assessment of ML/TF vulnerabilities

This stage involves determination of how the identified threats will impact the entity. The information obtained should be analysed in order to assess the probability of risks occurring. Based on the assessment, ML/TF risks should be classified as low, medium and high impact risks.

While assessing the risks, following factors should be considered:

  • The nature, scale, diversity and complexity of their business;
  • Target markets;
  • The number of customers already identified as high risk;
  • The jurisdictions the entity is exposed to, either through its own activities or the activities of customers, especially jurisdictions with relatively higher levels of corruption or organised crime, and/or deficient AML/CFT controls and listed by RBI or FATF;
  • The distribution channels, including the extent to which the entity deals directly with the customer or relies on third parties to conduct CDD;
  • The internal audit and regulatory findings;
  • The volume and size of its transactions.

The NBFCs should complement this information with information obtained from relevant internal and external sources, such as operational/business heads and lists issued by inter-governmental international organisations, national governments and regulators.

The risk assessment should be approved by senior management and form the basis for the development of policies and procedures to mitigate ML/TF risk, reflecting the risk appetite of the NBFC and stating the risk level deemed acceptable. It should be reviewed and updated on a regular basis. Policies, procedures, measures and controls to mitigate the ML/TF risks should be consistent with the risk assessment.

Stage 4: Analysis of ML/TF threats and vulnerabilities

Once potential TF threats and vulnerabilities are identified, the next step is to consider how these interact to form risks. This could include a consideration of how identified domestic or foreign TF threats may take advantage of identified vulnerabilities. The analysis should also include assessment of likely consequences.

Stage 5: Risk Mitigation

Post the analysis of threats and vulnerabilities, the NBFC must develop and implement policies and procedures to mitigate the ML/TF risks they have identified through their individual risk assessment. Customer due diligence (CDD) processes should be designed to understand who their customers are by requiring them to gather information on what they do and why they require financial services. The initial stages of the CDD process should be designed to help NBFCs to assess the ML/TF risk associated with a proposed business relationship, determine the level of CDD to be applied and deter persons from establishing a business relationship to conduct illicit activity.

Focus on CDD procedure

While entering into a relationship with the customer, carrying out Customer Due Diligence (CDD) is the initial step. It is during the CDD process that the identity of a customer is verified and risk based assessment of the customer is done. While assessing credit risks, financial entities should also assess ML/TF risks. The CDD procedures and policies should suitably include checkpoints with respect to ML and TF.

The risk classification of the customer, as discussed above, should also be done based on the CDD carried out. The CDD procedure, apart from verifying the identity of the customer, should also go a few steps further to understand the nature of business or activity of the customer. Measures should be taken to prevent the misuse of legal persons for money laundering or terrorist financing.

In case of medium or high risk customers, or unusual transactions, the entities should also carry out transaction due diligence to identify source and application of funds, beneficiary of the transaction, purpose etc.

NBFCs should document and state clearly the criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers. Criteria applied to decide the frequency and intensity of the monitoring of different customer segments should also be transparent. Further, the NBFC must maintain records on transactions and information obtained through the CDD measures. The CDD information and the transaction records should be made available to competent authorities upon appropriate authority.

Some examples of enhanced and simplified due diligence measures are as follows:

Enhanced Due Diligence (EDD)

  • obtaining additional identifying information from a wider variety or more robust sources and using the information to inform the individual customer risk assessment
  • carrying out additional searches (e.g., verifiable adverse media searches) to inform the individual customer risk assessment
  • commissioning an intelligence report on the customer or beneficial owner to understand better the risk that the customer or beneficial owner may be involved in criminal activity
  • verifying the source of funds or wealth involved in the business relationship to be satisfied that they do not constitute the proceeds from crime
  • seeking additional information from the customer about the purpose and intended nature of the business relationship

Simplified Due Diligence (SDD)

  • obtaining less information (e.g., not requiring information on the address or the occupation of the potential client), and/or seeking less robust verification, of the customer’s identity and the purpose and intended nature of the business relationship
  • postponing the verification of the customer’s identity

Ongoing CDD and Monitoring

Ongoing monitoring means the scrutiny of transactions to determine whether the transactions are consistent with the NBFC’s knowledge of the customer and the nature and purpose of the loan product and the business relationship.

Monitoring also involves identifying changes to the customer profile (for example, their behaviour, use of products and the amount of money involved), and keeping it up to date, which may require the application of new, or additional, CDD measures. Monitoring transactions is an essential component in identifying transactions that are potentially suspicious. Monitoring should be carried out on a continuous basis or triggered by specific transactions. It could also be used to compare a customer’s activity with that of a peer group. Further, the extent and depth of monitoring must be adjusted in line with the NBFC’s risk assessment and individual customer risk profiles.

Reporting

NBFCs should have the ability to flag unusual movement of funds or transactions for further analysis. Further, they should have appropriate case management systems so that such funds or transactions are scrutinised in a timely manner and a determination is made as to whether the funds or transactions are suspicious. Funds or transactions that are suspicious should be reported promptly to the FIU and in the manner specified by the authorities. There must be adequate processes to escalate suspicions and, ultimately, report to the FIU.

Internal Controls

Adequate internal controls are a prerequisite for the effective implementation of policies and processes to mitigate ML/TF risk. Internal controls include appropriate governance arrangements where responsibility for AML/CFT is clearly allocated and there are controls to test the overall effectiveness of the NBFC’s policies and processes to identify, assess and monitor risk. It is important that responsibility for the consistency and effectiveness of AML/CFT controls be clearly allocated to an individual of sufficient seniority within the NBFC to signal the importance of ML/TF risk management and compliance, and that ML/TF issues are brought to senior management’s attention.

Recruitment and Training

NBFCs should check that the personnel they employ have integrity, are adequately skilled and possess the knowledge and expertise necessary to carry out their function, in particular where staff are responsible for implementing AML/CFT controls. The senior management responsible for implementation of a risk-based approach should understand the degree of discretion an NBFC has in assessing and mitigating its ML/TF risks. In particular, it must be ensured that the employees and staff have been trained to assess the quality of an NBFC’s ML/TF risk assessments and to consider the adequacy, proportionality and effectiveness of the NBFC’s AML policies, procedures and internal controls in light of this risk assessment. Adequate training would allow them to form sound judgments about the adequacy and proportionality of the AML controls.

Stage 6: Follow-up and maintaining up-to-date risk assessment

Once assessed, the impact of the risk shall be recorded and measures to mitigate the same should be provided for. The information that forms basis of the risk assessment process should be timely updated and the entire risk assessment procedure should be carried out in case of major change in the information.

The compliance officer of the NBFC should have the necessary independence, authority, seniority, resources and expertise to carry out these functions effectively, including the ability to access all relevant internal information. Additionally, there should be an independent audit function carried out to test the AML/CFT programme with a view to establishing the effectiveness of the overall AML/CFT policies and processes and the quality of NBFC’s risk management across its operations, departments, branches and subsidiaries, both domestically and, where relevant, abroad.

 

 

[1] https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11873&Mode=0

[2] https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566

[3] https://www.fatf-gafi.org/media/fatf/documents/reports/Terrorist-Financing-Risk-Assessment-Guidance.pdf

[4] https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/655198/National_risk_assessment_of_money_laundering_and_terrorist_financing_2017_pdf_web.pdf

[5] https://www.nbs.rs/internet/english/55/55_7/55_7_4/procena_rizika_spn_e.pdf

[6] http://www.fatf-gafi.org/media/fatf/documents/reports/Risk-Based-Approach-Banking-Sector.pdf

 

Our other write-ups on NBFCs may be viewed here: http://vinodkothari.com/nbfcs/

Write-ups relating to KYC and anti-money laundering may also be referred to: