Know Your Customer (KYC)
It is important, in these days of drugs smuggling, terrorism, financial fraud, money laundering and arms dealing that banks know whom their customers are. Banks must be comfortable with the bona fides and the integrity of their customers. The need increases as external people like general selling agents introduce a number of customers. Apart from this, in order to develop a long- term relationship, it is an imperative that the banker knows as much as possible about his customer.
What does KYC mean?
It means that a banker should know his customers. He should know about their business and as far as possible the nature of their earnings and their moral standing. This is why it is recommended that persons known to the bank recommend prospective customers. Even though the introducers cannot be sued or otherwise held responsible, the introducers have a moral responsibility.
A banker loses the statutory protection available under section 131 of the Negotiable Instruments Act if it is proved that he was negligent while opening an account. Actually, this is also reinforced by the concept of relationship banking. How can you offer your client exceptional service if you do not know what he requires? You need to be able to anticipate his requirements. You can do this only if you know your customer well. The second reason is on borrowing customers. It would be very short sighted to lend to someone you do not know.
Although there was some laxity regarding the enforcement of the Know Your customer (KYC) imperative, recent happenings such as terrorism, money laundering and drug smuggling has brought the need of KYC to everyone’s focus. Headquarters of banks, governments and by extension central banks are insisting on KYC policies being strictly adhered to.
Know Your Customer (KYC) Guidelines by Reserve Bank of India
In India, The Reserve Bank of India has been issuing guidelines on KYC regularly. Some of the more important instructions are mentioned below.
It was instructed:
- In August 1976 that applicants for demand drafts, travelers cheques and money transfers should affix their Permanent Account Number (PAN) on the application for transactions of Rs. 10,000 and above.
- In November 1987 it was stated that cash should not be accepted for retirement of import bills. It was also stated that there must be a reasonable time (say 6 months) between the time an introducer opens his account and introduces a prospective account holder. Introduction of an account should enable the proper identification of the person opening the account so that the person can be traced if the account is misused.
- In April 1991, banks were instructed that travelers cheques, demand drafts, mail transfers and telegraphic transfers for Rs. 50,000 and above should be by debit to the customer’s account or against cheques only and not against cash.
- In August 1992 banks were advised to adhere to the prescribed norms and safeguards while opening accounts.
- In December 1992 banks were asked to ensure that when customers withdrew amounts from their cash credit/ overdraft accounts that funds were not diverted for the acquisition of fixed assets, investments in associate companies and acquisition of shares and other capital market investments.
- In September 1993, banks were asked to be vigilant and ensure proper end use of bank funds. They were to keep vigil over heavy cash withdrawals by account holders that may be disproportionate to their normal trade/ business requirements. They were also asked to question unusual trends.
- In November 1993 on account of fraudulent encashment of interest/ dividend warrants banks were asked to not open accounts without proper introduction.
- In December 1993 banks were asked to seek customer identification while opening accounts including the obtaining of photographs of customers.
- In April 1994 the RBI clarified that photographs must be obtained for both residents and non- residents and for those authorized to operate accounts.
- In September 1994 on account of fraudulent operations in deposit accounts, banks were asked to examine every request for opening joint accounts very carefully. “Generally crossed cheques” and payable to “order” were to be collected only on proper endorsement. Banks were also asked to exercise care in the collection of cheques of large amounts and ensure that joint accounts are not used for “benami” transactions.
- In May 1995 banks were asked to introduce a system of close watch of new deposit accounts and monitor cash withdrawals and deposits for Rs. 10 lakhs and above in deposit, cash credit and overdraft accounts.
- In September 1995 banks were asked to report to the RBI all transactions of Rs. 10 lakhs and above.
- In December 2001, banks were asked to keep a watchful eye on transactions that may be by terrorist organizations.
- In April 2002 banks were instructed to freeze accounts of individuals and entities identified by the Security Council Sanctions Committee of the United Nations.
- In May 2002, Banks were asked to ensure no new accounts were opened by banned organizations.
- In August 2002, the Reserve Bank reinforced its instructions stating:
• The key principle of the “know your customer” procedure should be the identification of an individual/ corporate opening an account. This should entail an introductory reference from an existing account holder/ person known to the bank.
• The board of directors must have in place adequate procedures to verify the bona fide identification of individuals. There should also be processes to monitor transactions of a suspicious nature.
• This instruction raised the requirement of giving PAN to transactions of Rs. 50,000 or more (earlier it was Rs. 10,000 – August 1976).
• There must be good control systems plus audits and checks to ensure the bank adheres to its KYC policies.
• There should be a system at branch level to ensure that lists of terrorist entities are circulated so that accounts/ transactions are not opened/ consummated.
• Transactions of a suspicious nature must be reported to the appropriate authorities.
• It should be ensured that all the laws are adhered to.
- In May 2004, it was stated that information collected from the customer for KYC purposes should not be used for cross selling.
• In recent years on account of the proliferation of banks and their opening branches in locations that they had no branches before, it has been difficult to adhere strictly to KYC guidelines. In these instances, introductions by prominent citizens and individuals known to the bank are considered acceptable. The concern is usually with respect to accounts introduced by outsiders retained for this purpose who are remunerated on the basis of the number of accounts they introduce. The consensus in these days of intensive competition is that this is an acceptable risk if proper documentation to verify the antecedents of the person is taken.
• In November 2004, the RBI issued comprehensive guidelines. These reiterated that the objective of Know Your Customer (KYC) guidelines is to prevent banks from being used, intentionally or unintentionally, by criminal elements for money laundering activities or for the financing of terrorism. KYC procedures also enable banks to know / understand their customers and their financial dealings better which in turn help them manage their risks prudently. The guidelines are applicable to foreign currency accounts / transactions and to all new accounts.
• Banks have been asked to frame their KYC policies incorporating the following four key elements:
- Customer Acceptance Policy
- Customer Identification Procedures
- Monitoring of Transactions
- Risk management
• For the purpose of KYC policy, a ‘customer’ has been defined as:
- A person or entity that maintains an account and / or has a business relationship with the bank;
- One on whose behalf the account is maintained (i.e. the beneficial owner). This includes beneficiaries of transactions conducted by professional intermediaries, such as Stock Brokers, Chartered Accountants, Solicitors etc. as permitted under the law, and
- Any person or entity connected with a financial transaction, which can pose significant reputation or other risks to the bank, such as a wire transfer or issue of a high value demand draft as a single transaction.
• Know Your Customer” (KYC) procedure is to be the key principle for identification of an individual / corporate opening an account. The customer identification should entail verification through an introductory reference from an existing account holder / a person known to the bank or on the basis of documents provided by the customer.
• The Board of Directors of the banks are to have in place adequate policies that establish procedures to verify the bona fide identification of the individual / corporate opening an account. Policies to establish processes and procedures to monitor transactions of a suspicious nature in accounts and systems of conducting due diligence and reporting of such transactions must be in place.
Customer Acceptance Policy (CAP)
There must be a clear customer acceptance policy that lays down explicit criteria for acceptance of customers. The Customer Acceptance Policy must ensure that explicit guidelines are in place on the following aspects of customer relationship in the bank.
- No account is opened in anonymous or fictitious/ benami name(s);
- Parameters of risk perception are clearly defined in terms of the nature of business activity, location of customer and his clients, mode of payments, volume of turnover, social and financial status etc. to enable categorization of customers into low, medium and high risk (banks may choose any suitable nomenclature viz. level I, level II and level III); customers requiring very high level of monitoring, e.g. Politically Exposed Persons (PEPs) may, if considered necessary, be categorized even higher;
- Documentation requirements and other information to be collected in respect of different categories of customers depending on perceived risk and keeping in mind the requirements of the Prevention of Money Laundering (PML) Act, 2002 and guidelines issued by Reserve Bank from time to time;
- Accounts should not be opened nor should an existing account be closed where the bank is unable to apply appropriate customer due diligence measures i.e. bank is unable to verify the identity and / or obtain documents required as per the risk categorization due to non cooperation of the customer or non reliability of the data / information furnished to the bank. It may, however, be necessary to have suitable built in safeguards to avoid harassment of the customer. For example, decision to close an account may be taken at a reasonably high level after giving due notice to the customer explaining the reasons for such a decision;
- Circumstances, in which a customer is permitted to act on behalf of another person / entity, should be clearly spelt out in conformity with the established law and practice of banking as there could be occasions when an account is operated by a mandate holder or where an account may be opened by an intermediary in a fiduciary capacity;
- There must be checks before opening a new account so as to ensure that the identity of the customer does not match with any person with known criminal background or with banned entities such as individual terrorists or terrorist organizations etc.
- Banks should prepare a profile for each new customer based on risk categorization. The customer profile must contain information relating to the customer’s identity, social / financial status, nature of business activity, information about his clients’ business and their location etc. The nature and extent of due diligence will depend on the risk perceived by the bank. However, while preparing customer profile banks should take care to seek only such information from the customer, which is relevant to the risk category and is not intrusive. The information provided by the customer for KYC compliance while opening an account is confidential and divulging any details thereof for cross selling or any other purpose would be in breach of customer confidentiality obligations. Any other information from the customer should be sought separately with his/ her consent and after opening the account. Banks are to strictly ensure compliance with their obligations to the customer in this regard.
- For the purpose of risk categorizations, individuals (other than high net worth) and entities whose identities and sources of wealth can be easily identified and transactions in whose accounts by and large conform to the known profile may be categorized as low risk. Illustrative examples of low risk customers could be salaried employees whose salary structures are well defined, people belonging to lower economic strata of the society whose accounts show small balances and low turnover, Government departments & Government owned companies, regulators and statutory bodies etc. In such cases, the policy may require that only the basic requirements of verifying the identity and location of the customer be met. Customers that are likely to pose a higher than average risk to the bank may be categorized as medium or high risk depending on customers background, nature and location of activity, country of origin, sources of funds and his client profile etc. Banks may apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive ‘due diligence’ for higher risk customers, especially those for whom the sources of funds are not clear. Examples of customers requiring higher due diligence may include (a) non-resident customers, (b) high net worth individuals, (c) trusts, charities, NGOs and organizations receiving donations, (d) companies having close family shareholding or beneficial ownership, (e) firms with sleeping partners, (f) politically exposed persons (PEPs) of foreign origin, (g) non-face to face customers, and (h) those with dubious reputation as per public information available, etc.
It is important to bear in mind that the adoption of customer acceptance policy and its implementation should not become too restrictive and must not result in denial of banking services to general public, especially to those, who are financially or socially disadvantaged.
Customer Identification Procedure (CIP)
The policy approved by the board of banks should clearly spell out the Customer Identification Procedure to be carried out at different stages i.e. while establishing a banking relationship; carrying out a financial transaction or when the bank has a doubt about the authenticity / veracity or the adequacy of the previously obtained customer identification data. Customer identification means identifying the customer and verifying his/ her identity by using reliable, independent source documents, data or information. Banks need to obtain sufficient information necessary to establish, to their satisfaction, the identity of each new customer, whether regular or occasional, and the purpose of the intended nature of banking relationship. Being satisfied means that the bank must be able to satisfy the competent authorities that due diligence was observed based on the risk profile of the customer in compliance with the extant guidelines in place. Such risk-based approach is considered necessary to avoid disproportionate cost to banks and a burdensome regime for the customers. Besides risk perception, the nature of information / documents required would also depend on the type of customer (individual, corporate etc.).
• For customers that are natural persons, the banks should obtain sufficient identification data to verify the identity of the customer, his address / location, and also his recent photograph.
• For customers that are legal persons or entities, the bank should:
- Verify the legal status of the legal person/ entity through proper and relevant documents;
- Verify that any person purporting to act on behalf of the legal person / entity is so authorized and identify and verify the identity of that person;
- Understand the ownership and control structure of the customer and determine who are the natural persons who ultimately control the legal person.
• Banks may frame their own internal guidelines based on their experience of dealing with such persons/entities, normal bankers’ prudence and the legal requirements as per established practices.
• It should be noted that wherever banks desire to collect any information about the customer for a purpose other than KYC requirements, it should not form part of the account opening form. Such information may be collected separately, purely on a voluntary basis, after explaining the objectives to the customer and taking his express approval for the specific uses to which such information could be put.
• There must be Know Your Customer procedures for existing customers.
• Banks are expected to have adopted due diligence and appropriate KYC norms at the time of opening of accounts in respect of existing customers. However, in case of any omission, the requisite KYC procedures for customer identification should be completed at the earliest. Additionally, banks must, on the basis of materiality, apply the KYC guidelines to all existing accounts.
• Transactions in existing accounts should be continuously monitored and any unusual pattern in the operation of the account should trigger a review of the customer confidential documentation measures. Banks could apply monetary limits to such accounts based on the nature and type of the account. It may however be ensured that all existing accounts of companies, firms, trusts, charities, religious organizations and other institutions are subjected to minimum KYC standards which would establish the identity of the natural/ legal person and those of the “beneficial owners.” Banks should also ensure that term/ recurring deposit accounts or accounts of similar nature are treated as new accounts at the time of renewal and subjected to revised KYC procedures.
• Where the bank is unable to apply appropriate KYC measures due to non-furnishing of information and or/ non-cooperation by the customer, the bank should close the account or terminate the relationship after issuing due notice to the customer explaining the reasons for taking such a decision. Such decisions need to be taken at a reasonably senior level.
• To ensure that existing small account holders are not inconvenienced and the KYC procedure is completed in time, banks may limit the application of KYC procedures to existing accounts where the credit or debit summation for the financial year ended March 31, 2003 is more than Rs.10 lakh or where unusual transactions are suspected.
• KYC procedures must applied to all existing accounts of trusts, companies/firms, religious/charitable organizations and other institutions or where the accounts are opened through a mandate or power of attorney.
Monitoring of Transactions
• Ongoing monitoring is an essential element of effective KYC procedures. Banks can effectively control and reduce their risk only if they have an understanding of the normal and reasonable activity of the customer so that they have the means of identifying transactions that fall outside the regular pattern of activity. However, the extent of monitoring will depend on the risk sensitivity of the account.
• Banks should pay special attention to all complex, unusually large transactions and all unusual patterns, which have no apparent economic or visible lawful purpose. The bank may prescribe threshold limits for a particular category of accounts and pay particular attention to the transactions which exceed these limits.
• Transactions that involve large amounts of cash inconsistent with the normal and expected activity of the customer should particularly attract the attention of the bank.
• Very high account turnover inconsistent with the size of the balance maintained may indicate that funds are being washed through the account. High-risk accounts have to be subjected to intensified monitoring.
• Every bank should set key indicators for such accounts, taking note of the background of the customer, such as the country of origin, sources of funds, the type of transactions involved and other risk factors. Banks should put in place a system of periodical review of risk categorization of accounts and the need for applying enhanced due diligence measures.
• Banks should ensure that a record of transactions in the accounts is preserved and maintained as required in terms of section 12 of the PML Act, 2002. It may also be ensured that transactions of a suspicious nature and / or any other type of transaction notified under section 12 of the PML Act, 2002, is reported to the appropriate law enforcement authority.
• Banks should ensure that its branches:
- Continue to maintain proper record of all cash transactions (deposits and withdrawals) of Rs.10 lakh and above.
- Have an internal monitoring system that has an inbuilt procedure for reporting of large cash transactions and those of a suspicious nature to controlling/ head office on a fortnightly basis. Early computerization of branch reporting will facilitate prompt generation of such reports.
- Report transactions of a suspicious nature to the appropriate law enforcement authorities designated under the relevant laws governing such activities.
- Have well laid down systems for freezing of suspicious accounts.
- There must be quarterly reporting of suspicious accounts to the audit committee of the board or the board of directors.
• RBI has been circulating lists of terrorist entities notified by the Government of India to banks so that banks may exercise caution if any transaction is detected with such entities. There should be a system at the branch level to ensure that such lists are consulted in order to determine whether a person/organization involved in a prospective or existing business relationship appears on such a list. The authority to whom banks may report accounts suspected to belong to terrorist entities will be advised in consultation with Government.
Adherence to Foreign Contribution Regulation Act (FCRA), 1976
• Banks should also adhere to the instructions on the provisions of the Foreign Contribution Regulation Act, 1976 cautioning them to open accounts or collect cheques only in favor of associations that are registered under the Act by the Government of India. A certificate to the effect that the association is registered with the Government of India should be obtained from the concerned associations at the time of opening of the account or collection of cheques.
• Branches of banks should be advised to exercise due care to ensure compliance and desist from opening accounts in the name of banned organizations and those without requisite registration.
• Banks must ensure that any remittance of funds by way of demand draft, mail/ telegraphic transfer or any other mode and issue of travelers’ cheques for value of Rs50,000 and above is effected by way of debit to the customers’ account or against cheques and not against cash payment.
• Implementation of KYC procedures requires banks to demand certain information from customers which may be of personal nature or which has hitherto never been called for. This can sometimes lead to a lot of questioning by the customer as to the motive and purpose of collecting such information. There is, therefore, a need for banks to prepare specific literature/ pamphlets etc. so as to educate the customer of the objectives of the KYC program. The front desk staff needs to be specially trained to handle such situations while dealing with customers.
Introduction of New Technologies – Credit cards/debit cards/smart cards/gift cards
• Banks should pay special attention to any money laundering threats that may arise from new or developing technologies including internet banking that might favor anonymity, and take measures, if needed, to prevent their use in money laundering schemes.
• Many banks are engaged in the business of issuing a variety of electronic cards that are used by customers for buying goods and services, drawing cash from ATMs, and can be used for electronic transfer of funds. Further, marketing of these cards is generally done through the services of agents. Banks should ensure that appropriate KYC procedures are duly applied before issuing the cards to the customers. It is also desirable that agents are also subjected to KYC measures.
Importance of RBI Guidelines
• It should be noted that RBI guidelines are issued under Section 35 (A) of the Banking Regulation Act, 1949 and any contravention will attract penalties under the relevant provisions of the Act. Banks are advised to bring the guidelines to the notice of their branches and controlling offices.
• RBI guidelines also apply to the branches and majority owned subsidiaries located abroad, especially, in countries that do not or insufficiently apply the Financial Actions Task Force (FATF) recommendations, to the extent local laws permit. When local applicable laws and regulations prohibit implementation of these guidelines, that fact should be brought to the notice of Reserve Bank.
KYC and Lower income Groups
• In October 2005, the RBI stated that these guidelines should not be an excuse for banks to keep the poor away from the banking system. Though the KYC guidelines require an individual opening a new account to produce a number of identification documents, these could be done away with for lower income groups. The RBI has asked banks to ensure that the inability of the lower income group to produce documents to establish their identity and address does not lead to their financial exclusion and denial of banking services. A simplified procedure could be provided for opening of account in respect of those persons who do not intend to keep balances above Rs. 50,000 and whose total credit in one year is not expected to exceed Rs.100,000.