Friday, September 2023

VOL. 16, ISSUE NO. 6 | September 2023

Expert Eye

KYC challenges for banks

WITH increasing digitisation of banking transactions, traditional banking services like cash deposits and withdrawals, remittances through, or buying against cash of, physical instruments like bank drafts and other cash-based services have all dwindled substantially in usage. In particular, the number of instances of cash handled or cash transactions at the retail level has significantly reduced, since most prefer online transfers and transactions for small value payments. The positive side of this is that the number of incidents of customers being mugged while taking cash from bank counters or ATMs has been on the lower side. Though precise data on this is not available, it is logical to arrive at this conclusion, particularly based on published generic reports. The total value of cash in circulation has not reduced but that is believed to be largely on account of the large volume of cash held in select pockets for unspecified reasons (in the annual report, RBI mentions one of the four reasons for the currency demand paradox as presence of a large informal economy).

However, what is of concern is the equally increasing number of frauds taking place online, without involving physical cash. We also read of instances of persons being kidnapped and ransom being asked and paid online and even bribes being paid online, if the person does not have ready cash on hand. We also read reports of instances of huge money collected as recovery of online lending, unpaid tax liability or ineligible royalty or goodwill payments being remitted outside the country from bank accounts, particularly destined to accounts in a non-cooperative neighbouring country. One of the reasons for promoting a ‘less cash’ society, if not a cashless society, is that the money trail can be traced and the culprit can be caught for appropriate legal remedies, when banking transactions are done without involving cash and through bank accounts. Hence the logical inference is that all such cases of online frauds, ransoms, or bribes should result in being tracked and satisfactorily resolved completely and quickly.

That is possible if the bank where the ‘beneficiary’ of such transactions holds an account has control over the transactions happening in the accounts within the bank, the bank ‘knows’ its customers well, and the bank has opened the account after the customer is found suitable to open an account. Whether such entry level requisites are stipulated and adhered to can be better understood by revisiting the standard regulatory template prescribed and the requisites for opening a bank account, including what is popularly known as KYC.

Historically, bank accounts were permitted to be opened only on introduction by an existing customer, as per the then prevailing practice. The idea was that the new person is worthy of a bank account. Even an RBI circular of August 2002 specified that ‘the customer identification should entail verification through an introductory reference from an existing account holder/a person known to the bank or on the basis of documents provided by the customer.’ In August 2005, RBI modified this introduction as an alternative to submission of stipulated KYC documents by stating that in case a person who wants to open an account is not able to produce mentioned documents, banks may open accounts, subject to introduction from another account holder who has been subjected to full KYC procedure; the introducer’s account with the bank should be at least six months old and should show satisfactory transactions.

RBI even stipulated subsequently that the photograph of the customer who proposes to open the account and also his address need to be certified by the introducer. This was obviously restrictive, making bank customers a closed user group, and did not gel with the ethos of enabling or nudging everyone to have bank accounts. In tune with this expectation, subsequently, e.g. in the master direction of 2016, RBI specifically advised banks that ‘introduction is not to be sought while opening accounts.’

With increased instances of bank accounts being used for money laundering and terror financing, both within the country and across the border, emphasis was on preventing banks and other financial institutions from being used as a channel for money laundering/terrorist financing. Internationally, the Financial Action Task Force, an inter-governmental body established in 1989, started setting standards and promoting effective implementation of legal, regulatory, and operational measures for the above. The Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 were enacted in India to achieve these and required Regulated Entities (REs, e.g. banks) to follow prescribed customer identification procedures.

Know Your Customer (KYC) directions were issued or updated from time to time by RBI in pursuance of these objectives. In a different context, RBI had defined regulated entity as any person, other than an individual or HUF, whose business activities are being regulated by any one of the financial regulators in India like RBI, SEBI, etc. It may be noted that the PML Act defines a term with the same acronym, ‘Reporting Entity’, as a banking company, financial institution, intermediary or a person carrying on a designated business or profession (who have an obligation to report suspicious transactions). In that context, persons carrying on designated business or profession include real estate agents and jewellers; the latest addition being chartered accountants, company secretaries and cost and works accountants.

The offence of money-laundering is defined with examples in Section 3 of the Act. Broadly, it means indulging or knowingly getting involved with proceeds of crime or claiming it as untainted property. Thus, bank accounts could fall directly under this description and hence the need to exercise caution in opening and handling them. RBI, therefore, advised the process for opening bank accounts in its KYC directions to banks based on and in conformity with this Act. It clearly said REs like banks are required to follow certain customer identification procedures while undertaking a transaction either by establishing an account-based relationship or otherwise and monitor their transactions.

RBI refrained from advising a uniform policy on KYC across the system but left it to the individual REs like all types of banks, FIs, NBFCs etc, asking them to have a board-approved KYC policy conforming to the Act, rules, RBI instructions, international best practices like FATF standards and guidance notes, and providing a bulwark against threats arising from money laundering, terrorist financing, proliferation financing, and other related risks.

RBI has advised that such internal KYC policy should have four elements – Customer Acceptance Policy, Customer Identification Procedures, Risk Management, and Monitoring of Transactions. RBI has also given broad guidelines on the first three elements. Contrary to what the name suggests, RBI’s broad guidelines on customer acceptance policy do not specify the only types of customers who will be accepted for opening an account or who will not be allowed to open accounts, except obvious cases like anonymous or fictitious/benami names, cases where customer due diligence is not done, customers in the global ‘sanctions list’ etc. RBI has emphasised that this policy should not result in denial of banking/financial facility to members of the general public, especially those who are financially or socially disadvantaged.

There is a separate exemption from the rigours of KYC for those who want to open ‘small accounts’ (SB account where total credit does not exceed Rs1 lakh per financial year, total debit does not exceed Rs10,000 per month and balance at any time does not exceed Rs50,000) and hence this cautionary advice on possible denial of banking facility in other generic cases leads to avoidable conflicts between the decision taken at the bank and how it is subsequently viewed by any other agency. While the underlying intention is noble, this leads to defensive decision-taking by the officials of banks and other REs, to ward off future summons or demands for explanation. Instances of RBI levying penalty on banks for non-compliance with KYC guidelines arise partly due to such differing interpretations, further complicating the KYC implementation at operational levels.

The most used ‘element’ in the KYC policy is the customer identification procedure and generally the entire KYC is understood as submission of prescribed documents for this identification. Identification of customers is required to be done, relying on the customer due diligence (CDD) process. CDD is to be undertaken by obtaining different prescribed documents and information. These, as applicable to individuals, are well known and everyone is familiar with them. We examine here the CDD as applicable to business entities like firms and companies.


Customer due diligence for business entities

For a proprietary firm, CDD of the individual (i.e. obtaining documents as if that person is the account opening person) is to be done and any two of the following documents (in the name of the firm) are to be obtained (discretion to accept only one is available for the bank in some situations):

  • Registration certificate including Udyam Registration Certificate (URC) issued by the government
  • Certificate/licence issued by the municipal authorities under Shops and Establishment Act
  • Sales and income tax returns
  • CST/VAT/GST certificate
  • Certificate/registration document issued by Sales Tax/Service Tax/Professional Tax authorities
  • Importer Exporter Code issued to the firm or licence/certificate of practice issued in the name of the proprietary concern by any professional body incorporated under a statute
  • Complete Income Tax Return (not just the acknowledgement) in the name of the sole proprietor where the firm’s income is reflected, duly authenticated/ acknowledged by the Income Tax authorities
  • Utility bills such as electricity, water, landline telephone bills, etc.

For a partnership firm, certified copies of the following documents are to be obtained:

  • Registration certificate
  • Partnership deed with the names of all partners and addresses
  • Permanent Account Number of the partnership firm
  • KYC documents relating to beneficial owner and authorised officials

For a company, certified copies of the following documents are to be obtained:

  • Certificate of incorporation
  • Memorandum and Articles of Association
  • Permanent Account Number of the company
  • A resolution from the Board of Directors for opening and authorising specified officials to transact
  • KYC documents relating to beneficial owner and authorised officials
  • Names of senior management position holders and the principal place of business if different from registered office.

As can be understood from the above requirements, the bank is able to ‘identify’ the customer, though the process is called ‘knowing’ the customer; it is in effect IYC rather than KYC. However, RBI has mentioned that ‘REs shall undertake ongoing due diligence of customers to ensure that their transactions are consistent with their knowledge about the customers, customers’ business and risk profile; and the source of funds.’

If a partnership firm or company opens an account with perfect documentation and details as per the above expectation and does not seek any credit facility, it is unlikely to attract anyone’s attention within the bank and the bank is unlikely to seek financial statements or other details of the company on an ongoing basis. In the present digital environment, most transactions (both debits and credits) are customer initiated and hence happen without authorisation or even ‘knowledge’ of the bank officials, thus hardly giving any opportunity to bank officials to oversee.

RBI has provided broad guidelines on risk management in KYC. Based on non-intrusive information collected from customers (and without informing them), customers are to be categorised as low, medium, and high-risk customers based on principles to be evolved by banks. Parameters used for such categorisation should include social/financial status, nature of business activity, customer’s business, and location. Based on this risk categorisation, KYC is to be updated at a frequency as per internal policy but not later than once in two, eight and ten years in case of high, medium, and low-risk customers respectively. RBI has also reiterated the obvious: ‘High risk accounts have to be subjected to more intensified monitoring.’ Banks should have robust software throwing alerts when the transactions are inconsistent with risk categorisation and updated profile of the customers to effectively identify and report suspicious transactions.

RBI has advised that the following types of transactions should necessarily be monitored:

  • Large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose.
  • Transactions which exceed the thresholds prescribed for specific categories of accounts.
  • High account turnover inconsistent with the size of the balance maintained.
  • Deposit of third-party cheques, drafts, etc followed by cash withdrawals for large amounts.

There are a number of other advisories bearing in mind customer convenience, usage of technological advancements including non-face-to-face situations, artificial intelligence and machine learning, specific types of customers like foreign students, politically exposed persons, small accounts, self-help groups etc. These mainly relate to non-business situations.

A money mule is someone who transfers or moves illegally acquired money on behalf of someone else, sometimes unknowingly or without knowing the implications. Money mules add layers of distance between crime victims and criminals, making it harder for law enforcement to accurately trace money trails. Banks are expected to monitor transactions to minimise the operations of ‘money mules’ and if it is established that an account opened and operated is that of a money mule, the bank concerned is deemed to have not complied with the KYC guidelines.

KYC guidelines are now an entry level requirement for bank account opening in almost all countries. However, banks elsewhere do not have mandatory pressure to facilitate banking services or to onboard hitherto unbanked customers. They have greater freedom in choosing customers and in monitoring accounts. As per the Financial Conduct Authority, the UK regulator for financial services firms and financial markets, there are three requirements according to the 2017 updated AML regulations: identify the customer, verify this identity and assess, and where appropriate obtain information on, the purpose and intended nature of the business relationship or occasional transaction. The last requirement will almost mean that before opening a business account, banks need to enquire why the customer wants to open a business account and how it will be used, unthinkable in the Indian context. As part of ongoing due diligence, banks need to monitor the business relationship and scrutinise transactions undertaken throughout the course of that relationship and ensure that the transactions are consistent with the bank’s knowledge of the customer and the business and risk profile, including the source of funds.

In the USA, to comply with AML directives, financial institutions must comply with customer identification programs that are aimed at identifying customers who may pose a risk of money laundering, terrorist financing, and other criminal activity. Besides, KYC programs require financial institutions to develop an in-depth understanding of their customer’s business activities that could potentially expose them to a risk for money laundering or terrorist financing.

Compared to such requirements prevailing elsewhere, banks in India have an unenviable task of balancing between ensuring business growth, overtly accommodating customers to facilitate availing banking facilities, and complying with the rigours of KYC guidelines. The task becomes all the more difficult in a fully computerised environment, where a bank official does not have a routine reason to view the daily transactions, which could have led to triggers. Banks also do not have the wherewithal to monitor each account granularly. System-based or sample monitoring may miss identifying that account, which later becomes the black spot as pointed out by agencies subsequently, with hindsight knowledge.
