KYC POLICY 2024-25.pdf
Uploaded by LuxuriantPiano, 2024
KYC-Policy 2024-25
FOR INTERNAL CIRCULATION ONLY
KNOW YOUR CUSTOMER POLICY 2024-25
By UNION BANK OF INDIA
AML-CFT Division
Transaction Monitoring and Fraud Management Department
Classification: Internal Page 1 of 136

Table of Contents (Sl. No. / Topic / Page No.)
1. Introduction - 9
2. Chapter-I - 11
3. Preliminary - 11
4. Definitions - 12
5. Chapter-II - 25
6. General - 25
7. Chapter-III - 29
8. Customer Acceptance Policy - 29
9. Chapter-IV - 32
10. Risk Management - 32
11. Chapter-V - 45
12. Customer Identification Procedure - 45
13. Chapter-VI - 51
14. Customer Due Diligence (CDD) Procedure - 51
15. CDD measures for individuals - 51
16. CDD measures for sole proprietary firms - 61
17. CDD measures for legal entities - 62
18. Identification of Beneficial owner - 64
19. Ongoing Due Diligence - 65
20. Enhanced and Simplified Due Diligence procedure - 69
21. Chapter-VII - 76
22. Record Management - 76
23. Chapter-VIII - 78
24. Reporting requirements to Financial Intelligence Unit India - 78
25. Chapter-IX - 81
26. Requirements/obligations under international agreements - Communications from international agencies - 81
27. Chapter-X - 91
28. Other Instructions - 91
29. Annexure-I - 119
30. Annexure-II (A) - 129
31. Annexure-II (B) - 130
32. Annexure-III - 133
33. Annexure-IV - 134

Abbreviations (Abbreviation - Description)
AD - Authorized Dealer
AI - Artificial Intelligence
AML - Anti-Money Laundering
BC - Business Correspondents
BF - Business Facilitators
BSBDA - Basic Saving Bank Deposit Account
BSBDS - Basic Saving Bank Deposit Small Account
BOs - Beneficial Owner
CAF - Customer Application Form
CAP - Customer Acceptance Policy
CBDT - Central Board of Direct Taxes
CBS - Core Banking Solution
CBWTR - Cross Border Wire Transfer Report
CCR - Counterfeit Currency Report
CDD - Customer Due Diligence
CDF - Currency Declaration Form
CEO - Chief Executive Officer
CERSAI - Central Registry of Securitization Asset Reconstruction and Security Interest of India
CFT - Combating Financing of Terrorism
CIDR - Central Identities Data Repository
CID - Customer Identification Data
CIP - Customer Identification Procedures
CKYCR - Central KYC Records Registry
CRS - Common Reporting Standards
CST - Central Sales Tax
CTCR Division - Counter Terrorism and Counter Radicalization Division
CTR - Cash Transaction Report
DGFT - Director General of Foreign Trade
DIT - Department of Information Technology
EDD - Enhanced Due Diligence
E-KYC - Electronic Know Your Customer
FATCA - Foreign Account Tax Compliance Act
FATF - Financial Action Task Force
FCRA - Foreign Contribution (Regulation) Act
FEDAI - Foreign Exchange Dealers' Association of India
FEMA - Foreign Exchange Management Act
FIU-India - Financial Intelligence Unit - India
FPIs - Foreign Portfolio Investors
GPS - Global Positioning System
GST - Goods and Services Tax
IEC - Importer Exporter Code
IGA - Inter Government Agreement
IMPS - Immediate Payment Service
KYC - Know Your Customer
KYC-B - Know Your Customer Business
KYC-BR - Know Your Customer Business Risk
MAAT - Mutual Administrative Assistance in Tax Matters
MD - Managing Director
MHA - Ministry of Home Affairs
ML - Money Laundering
MLM - Multi-Level Marketing
MTSS - Money Transfer Service Scheme
NCCT - Non-Co-operative Countries and Territories
NEFT - National Electronic Funds Transfer System
NGO - Non-Governmental Organizations
NPO - Non-Profit Organisation
NREGA - National Rural Employment Guarantee Act
NRI - Non-Resident Indian
NRO - Non-Resident Ordinary
NTR - Non-Profit Organisation Transaction Report
ORMC - Operational Risk Management Committee
OTP - One Time Pin/Password
OVD - Officially Valid Document
PAN - Permanent Account Number
PEP - Politically Exposed Persons
PIO - Person of Indian Origin
PIS - Portfolio Investment Scheme
PMJDY - Pradhan Mantri Jan Dhan Yojna
PMLA - Prevention of Money Laundering Act
PO - Principal Officer
POS - Point of Sale
PPI - Prepaid Payment Instrument
PPO - Pension Payment Orders
QR Code - Quick Response Code
RBI - Reserve Bank of India
RBTM - Risk-Based Transaction Monitoring
RTGS - Real Time Gross Settlement
SDV - Safe Deposit Vault
SEBI - Securities and Exchange Board of India
SHG - Self Help Group
STR - Suspicious Transaction Report
TF - Terrorist Financing
V-CIP - Video based Customer Identification Process
VAT - Value Added Tax
VCs - Virtual Currencies
UAPA - Unlawful Activities (Prevention) Act
UBO - Ultimate Beneficial Owner
UCIC - Unique Customer Identification Code
UIDAI - Unique Identification Authority of India
UN - United Nations
UNSCRs - United Nations Security Council Resolutions
USA - United States of America
XML - Extensible Markup Language

INTRODUCTION

In terms of the guidelines issued by Reserve Bank of India (RBI) vide its notification DBOD.AML.BL.18/14.01.001/2002/13 dated 6th August 2002, the Bank adopted its first Policy on Anti Money-Laundering (AML) & Know Your Customer (KYC) on 24th October 2002.
The main purpose of the Master Directions on KYC issued by RBI is to prevent Banks and other financial institutions from being used as a channel for Money Laundering (ML)/ Terrorist Financing (TF) and to ensure the integrity and stability of the financial system. The Financial Action Task Force (FATF), an inter-governmental body established in 1989 by the Ministers of its member jurisdictions, sets standards and promotes effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system.

In India, the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 form the legal framework on Anti Money-Laundering (AML) and Countering the Financing of Terrorism (CFT). In terms of the provisions of the PML Act, 2002 and the PML Rules, 2005, as amended from time to time by the Government of India, the Bank must follow certain Customer Identification procedures while undertaking a transaction, either by establishing an account-based relationship or otherwise, and must monitor customers' transactions. Accordingly, in exercise of the powers conferred by the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the Payment and Settlement Systems Act, 2007, the Foreign Exchange Management Act, 1999, the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 and all other laws enabling the RBI in this regard, the RBI issued the Master Direction - Know Your Customer (KYC) Direction, 2016 on February 25, 2016.

In the backdrop of revisions to the KYC guidelines from time to time, the Bank's Policy on KYC-AML has been given a relook, and the present revised comprehensive policy framework covering KYC standards and AML measures is framed for the year 2024-25. It is primarily based on the revised Master Direction - Know Your Customer (KYC) Direction, 2016 issued by RBI and updated as on October 17, 2023, and on the KYC & AML Guidance Notes for Banks issued by IBA.

The objective of the Policy is:
i. To prevent criminal elements from using the Bank for Money-Laundering activities.
ii. To enable the Bank to know/ understand its customers and their financial dealings better, which, in turn, would help the Bank to manage risks prudently.
iii. To put in place appropriate controls for detection and reporting of suspicious activities in accordance with applicable laws/ laid down procedures.
iv. To comply with applicable laws and regulatory guidelines.
v. To take necessary steps to ensure that the relevant staff are adequately trained in KYC-AML procedures.

*************

CHAPTER-I
PRELIMINARY

1. This revised "Know Your Customer (KYC)" Policy will come into force immediately from the date of its publication and is valid up to June 2025/ till further instructions. All the Branches/ offices and field functionaries are advised to comply with these guidelines without any deviation.

2. Applicability
2.1. This policy is applicable to all the Branches within India.
2.2. This policy shall also apply to those Branches and majority owned subsidiaries of the Bank which are located abroad, to the extent they are not contradictory to the local laws in the host country, provided that:
2.2.1. Where applicable laws and regulations prohibit implementation of these guidelines, the same shall be intimated to the Compliance Department, which in turn informs the Reserve Bank of India. RBI may advise further necessary action by the Bank, including application of additional measures to be taken by the Bank to manage the ML/TF risks.
2.2.2. In case there is a variance in the KYC/AML standards prescribed by the Reserve Bank of India and the host country regulators, branches/ subsidiaries of the Bank are required to adopt the more stringent regulation of the two. In this regard, the International Banking Department shall vet the KYC/AML policy of overseas Branches/Subsidiaries/Correspondents before approval of the policy by the competent authority, and if any deviations are observed, the same shall be communicated to the Compliance Department.
2.3. Based on this policy, each foreign office is required to put in place a duly approved Anti Money-Laundering policy, which shall also contain the KYC guidelines and Suspicious Transaction Reporting (STR) procedures as may be required by the rules and regulations of the host country.
2.4. The provisions of the RBI's MD on KYC, 2016 shall apply to every entity regulated by RBI, more specifically as defined in 3.2.15, except where specifically mentioned otherwise.
2.5. The policy shall apply to the following products of the Bank:
(i) Savings account
(ii) Current account
(iii) Term deposit account
(iv) Demat account
(v) Credit cards
(vi) Debit cards
(vii) Prepaid cards/gift cards
(viii) Remittances (including Wire transfers, TCs, Purchase/sale of Foreign Exchange)
(ix) Loans and Advances
(x) Sale of Third-Party products like insurance, Mutual funds etc.
(xi) Correspondent banking relationships
(xii) Point of Sale (POS) terminals
(xiii) Sale of Bullion and Gold Coins
(xiv) Leasing of safe deposit vault (SDV) and Lockers
(xv) Any other product introduced by the Bank from time to time requiring customer identification.

3. Definitions
In this policy, unless the context otherwise requires, the terms herein shall bear the meanings assigned to them below:

3.1.
Terms bearing the meaning assigned in terms of the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005.

3.1.1. "Aadhaar number" shall have the meaning assigned to it in clause (a) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016); it means an identification number issued to an individual under sub-section (3) of section 3 of the aforesaid Act.

3.1.2. "Act" and "Rules" mean the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, respectively, and amendments thereto.

3.1.3. "Authentication", in the context of Aadhaar authentication, means the process by which the Aadhaar number along with demographic information or biometric information of an individual is submitted to the Central Identities Data Repository for its verification, and such Repository verifies the correctness, or the lack thereof, on the basis of information available with it.

3.1.4. Beneficial Owner (BO)
"Beneficial Owner shall mean the natural person who ultimately owns or controls a client and/or the person on whose behalf a transaction is being conducted, and includes a person who exercises ultimate effective control over a juridical person."
The procedure for determination of the Beneficial Ownership shall be as under:
i. Where the customer is a company, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical persons, has/have a controlling ownership interest or who exercise control through other means.
Explanation: For the purpose of this sub-clause,
a. "Controlling ownership interest" means ownership of/entitlement to more than 10 percent of the shares or capital or profits of the company.
b. "Control" shall include the right to appoint a majority of the directors or to control the management or policy decisions, including by virtue of their shareholding or management rights or shareholders' agreements or voting agreements.
ii. Where the customer is a partnership firm, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical persons, has/have ownership of/entitlement to more than 10 percent of the capital or profits of the partnership or who exercises control through other means.
Explanation: For the purpose of this sub-clause, "Control" shall include the right to control the management or policy decisions.
iii. Where the customer is an unincorporated association or body of individuals, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical persons, has/have ownership of/entitlement to more than 15 percent of the property or capital or profits of the unincorporated association or body of individuals.
Explanation: The term 'body of individuals' includes societies.
Where no natural person is identified under (i), (ii) or (iii) above, the beneficial owner is the relevant natural person who holds the position of senior managing official.
iv. Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 10 percent or more interest in the trust, and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership.
The concerned vertical in-charge of the account opening process shall ensure implementation of the above guidelines and issue a suitable SOP/Process for identification of the beneficial owner, duly approved by the competent authority.

3.1.5. "Certified Copy" - Obtaining a certified copy by the Bank shall mean comparing the copy of the proof of possession of Aadhaar number (where offline verification cannot be carried out) or the officially valid document so produced by the customer with the original, and recording the same on the copy by the authorised officer of the Bank as per the provisions contained in the Act.
Provided that in the case of Non-Resident Indians (NRIs) and Persons of Indian Origin (PIOs), as defined in the Foreign Exchange Management (Deposit) Regulations, 2016 {FEMA 5(R)}, alternatively, the original certified copy, certified by any one of the following, may be obtained:
a. authorised officials of overseas branches of Scheduled Commercial Banks registered in India,
b. branches of overseas banks with whom Indian banks have relationships,
c. Notary Public abroad,
d. Court Magistrate,
e. Judge,
f. Indian Embassy/Consulate General in the country where the non-resident customer resides.

3.1.6. "Central KYC Records Registry" (CKYCR) means an entity defined under Rule 2(1) of the Rules, to receive, store, safeguard and retrieve the KYC records of a customer in digital form.

3.1.7. "Designated Director" means a person designated by the Bank to ensure overall compliance with the obligations imposed under Chapter IV of the PML Act and the Rules, and shall include:
a. the Managing Director or a whole-time Director, duly authorized by the Board of Directors.
Explanation: For the purpose of this clause, the terms "Managing Director" and "Whole-time Director" shall have the meaning assigned to them in the Companies Act, 2013.
In view of the above, the Bank shall ensure nomination of a Designated Director on the Board to ensure compliance with the obligations under the Prevention of Money Laundering (Amendment) Act, 2012, and the name, designation and address of the Designated Director shall be communicated to the Director, FIU-IND and RBI. In no case shall the 'Principal Officer' be nominated as the 'Designated Director'.

3.1.8. "Digital KYC" means capturing the live photo of the customer and the officially valid document or the proof of possession of Aadhaar (where offline verification cannot be carried out), along with the latitude and longitude of the location where such live photo is being taken by an authorised officer of the Bank, as per the provisions contained in the Act.

3.1.9. "Digital Signature" shall have the same meaning as assigned to it in clause (p) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000).

3.1.10. "Equivalent e-document" means an electronic equivalent of a document, issued by the issuing authority of such document with its valid digital signature, including documents issued to the digital locker account of the client as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.

3.1.11. "Group" - The term Group shall have the same meaning assigned to it in clause of sub-section (9) of section 286 of the Income-tax Act, 1961 (43 of 1961), i.e., "Group" includes a parent entity and all the entities in respect of which, for the reason of ownership or control, a consolidated financial statement for financial reporting purposes
a. is required to be prepared under any law for the time being in force or the accounting standards of the country or territory of which the parent entity is resident; or
b. would have been required to be prepared had the equity shares of any of the enterprises been listed on a stock exchange in the country or territory of which the parent entity is resident.

3.1.12. "Know Your Client (KYC) Identifier" means the unique number or code assigned to a customer by the Central KYC Records Registry.

3.1.13. "Non-profit organization" (NPO) means any entity or organization constituted for religious or charitable purposes referred to in clause (15) of section 2 of the Income-tax Act, 1961 (43 of 1961), that is registered as a trust or a society under the Societies Registration Act, 1860 or any similar State legislation, or a company registered under Section 8 of the Companies Act, 2013 (18 of 2013).

3.1.14. "Officially Valid Document" (OVD) means the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, the job card issued by NREGA duly signed by an officer of the State Government, and the letter issued by the National Population Register containing details of name and address.
Provided that,
(i) Where the customer submits his/her proof of possession of Aadhaar number as an Officially Valid Document, he/she may submit it in such form as is issued by the Unique Identification Authority of India.
(ii) Where the Officially Valid Document (OVD) furnished by the customer does not have the updated address, the following documents or the equivalent e-documents thereof shall be deemed to be Officially Valid Documents for the limited purpose of proof of address:
a. Utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
b. Property or Municipal tax receipt;
c. Pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
d. Letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies, and leave and licence agreements with such employers allotting official accommodation.
(iii) The customer shall submit an OVD with the current address within a period of three months of submitting the documents specified at 'b' above.
(iv) Where the OVD submitted by a foreign national does not contain the details of address, the documents issued by the Government departments of foreign jurisdictions and the letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.
Explanation: For the purpose of this clause, a document shall also be deemed to be an OVD even if there is a change in the name subsequent to its issuance, provided it is supported by a marriage certificate issued by the State Government or a Gazette notification indicating such change of name.

3.1.15. "Offline Verification" shall have the same meaning as assigned to it in clause (pa) of Section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of 2016), i.e., the process of verifying the identity of the Aadhaar number holder without authentication, through such offline modes as may be specified by the Aadhaar regulations.

3.1.16. "Person" has the same meaning assigned in the Act and includes:
(i) An individual,
(ii) A Hindu undivided family,
(iii) A company,
(iv) A firm,
(v) An association of persons or a body of individuals, whether incorporated or not,
(vi) Every artificial juridical person not falling within any one of the above persons (i to v), and
(vii) Any agency, office or branch owned or controlled by any one of the above persons (i to vi).

3.1.17. "Principal Officer" (PO) means a management level Officer nominated by the Bank, responsible for furnishing information as per rule 8 of the Rules (PMLA 2005).

3.1.18. "Suspicious transaction" means a "transaction" as defined below, including an attempted transaction, whether or not made in cash, which, to a person acting in good faith:
(i) gives rise to a reasonable ground of suspicion that it may involve proceeds of an offence specified in the Schedule to the Act, regardless of the value involved; or
(ii) appears to be made in circumstances of unusual or unjustified complexity; or
(iii) appears to have no economic rationale or bona fide purpose; or
(iv) gives rise to a reasonable ground of suspicion that it may involve financing of the activities relating to terrorism.
Explanation: A transaction involving financing of the activities relating to terrorism includes a transaction involving funds suspected to be linked or related to, or to be used for, terrorism, terrorist acts or by a terrorist, terrorist organization or those who finance or are attempting to finance terrorism.

3.1.19. A "small account" means a savings account which is opened in terms of sub-rule (5) of rule 9 of the PML Rules, 2005. Details of the operation of a small account and the controls to be exercised for such account are specified in section 27.

3.1.20. "Transaction" means a purchase, sale, loan, pledge, gift, transfer, delivery, or the arrangement thereof, and includes:
(i) opening of an account;
(ii) deposits, withdrawal, exchange or transfer of funds in whatever currency, whether in cash or by cheque, payment order or other instruments, or by electronic or other non-physical means;
(iii) the usage of a safety deposit box or any other form of safe deposit;
(iv) entering into any fiduciary relationship;
(v) any payment made or received, in whole or part, for any contractual or other legal obligation; or
(vi) establishing or creating a legal person or legal arrangement.

3.1.21. "Money-Laundering": Section 3 of the Prevention of Money Laundering (PML) Act, 2002 defines the offence of money laundering as follows: whosoever directly or indirectly attempts to indulge in, or knowingly assists, or knowingly is a party to, or is actually involved in any process or activity connected with the proceeds of crime and projecting it as untainted property, shall be guilty of the offence of money laundering. Money launderers use the banking system for cleansing dirty money obtained from criminal activities with the objective of hiding/ disguising its source. The process of money laundering involves creating a web of financial transactions so as to hide the origin and true nature of these funds. For the purpose of this document, the term money laundering also covers financial transactions where the end use of funds goes to terrorist financing, irrespective of the source of the funds.

3.2. Terms bearing the meaning assigned in this Policy, unless the context otherwise requires, shall bear the meanings assigned to them below:

3.2.1. "Common Reporting Standards" (CRS) means the reporting standards set for implementation of the multilateral agreement signed to automatically exchange information based on Article 6 of the Convention on Mutual Administrative Assistance in Tax Matters (MAAT).

3.2.2. Correspondent Banking is the provision of banking services by one bank (the "correspondent bank") to another bank (the "respondent bank"). Respondent banks may be provided with a wide range of services, including cash management (e.g., interest-bearing accounts in a variety of currencies), international wire transfers, cheque clearing, payable-through accounts and foreign exchange services.

3.2.3.
“Customer” means a person who is engaged in a financial transaction or activity with the Bank and includes a person on whose behalf the person who is engaged in the transaction or activity, is acting. 3.2.4. “Walk-in Customer” means a person who does not have an account- based relationship with the bank but undertakes transactions with bank. 3.2.5. “Customer Due Diligence” means identifying and verifying the customer and the beneficial owner using reliable and independent sources of identification. Explanation- The CDD, at the time of commencement of an account- based relationship or while carrying out occasional transaction of an amount equal to or exceeding rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, or any international money transfer operations, shall include: (i) Identification of the customer, Verification of their identity Using reliable and independent sources of identification, obtaining information on the purpose, and intended nature of the business relationship, where applicable. (ii) Taking reasonable steps to understand the nature of the customers business and its ownership and control. (iii) Determining whether a customer is acting on behalf of a beneficial owner and identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification. 3.2.6. “Customer identification” means undertaking the process of CDD. 3.2.7. “Enhanced Due Diligence (EDD)” means any additional measures undertaken over and above basic CDD can be termed as enhanced due diligence. 3.2.8. “FATCA.” means Foreign Account Tax Compliance Act of the United States of America (USA) Which, inter alia requires foreign financial institutions to report about financial accounts held by U.S Taxpayers or foreign entities in which U.S. Taxpayers hold an ownership interest. Classification: Internal Page 20 of 136 KYC-Policy 2024-25 3.2.9. 
“IGA” means Inter Governmental Agreement between the Governments of India and the USA to improve the international tax compliance and to implement FATCA of the USA. 3.2.10. “KYC Template" means templates prepared to facilitate collating and reporting the KYC data to the CKYCR, for individuals and legal entities. 3.2.11. “Non face to face customers" means customers who open accounts without visiting the branch/ Offices of the bank are meeting the official of the bank. 3.2.12. “On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with bank’s knowledge about the customers, customer’s business and risk profile, the source of funds/ wealth. 3.2.13. “Payable through accounts” The term Payable through Accounts refers to correspondent accounts that are used directly by third parties to transact business on their own behalf. 3.2.14. “Periodic updation” means steps taken to ensure that documents, data, or information collected under the CD process is kept up to date and relevant by undertaking reviews of existing records at periodicity prescribed by the Reserve Bank. 3.2.15. “Regulated entities” (REs) means: (i) All Scheduled Commercial Banks (SCBs)/ Regional Rural Banks (RRBs)/ Local Area Banks (LABs)/ All Primary (Urban) Co- operative Banks (UCBs) /State and Central Co-operative Banks (StCBs / CCBs) and any other entity which has been licensed under Section 22 of Banking Regulation Act, 1949, which as a group shall be referred as ‘banks’ (ii) All India Financial Institutions (AIFIs) (iii) All Non-Banking Finance Companies (NBFCs), Miscellaneous Non- Banking Companies (MNBCs) and Residuary Non-Banking Companies (RNBCs). 
(iv) Asset Reconstruction Companies (ARCs) (v) All Payment System Providers (PSPs)/ System Participants (SPs) and Prepaid Payment Instrument Issuers (PPI Issuers) Classification: Internal Page 21 of 136 KYC-Policy 2024-25 (vi) All authorised persons (APs) including those who are agents of Money Transfer Service Scheme (MTSS), regulated by the Regulator. The concerned verticals which oversee these entities shall ensure compliance of KYC-AML regulatory guidelines. 3.2.16. “Shell Bank” means a bank that has no physical presence in the country in which it is incorporated and licensed, and which is unaffiliated with a regulated Financial Group that is subject to effective consolidated supervision. Physical presence means meaningful mind and management located within a country. The existence simply of a local agent or low- level staff does not constitute physical presence. 3.2.17. “Shell company” means company which is incorporated in a country where it has no physical presence 3.2.18. “Video based customer identification process(V-CIP)”: An alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the Bank by undertaking seamless, secure, live, informed- consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such process complying with prescribed standards and procedures shall be treated on par with face-to-face PC IP for the purpose of this. Policy. 3.2.19. Wire Transfer related definitions: (i) Batch Transfer is a transfer comprised of individual wire transfers that are being sent to the same financial institutions but may /may not be ultimately intended for different persons. 
(ii) Beneficiary refers to a natural or legal person or legal arrangement who/which is identified by the originator as the receiver of the requested wire transfer. (iii) Beneficiary Bank: it refers to a financial institution, regulated by the RBI, which receives the wire transfer from the ordering financial institution directly or through an intermediary RE and makes the funds available to the beneficiary. Classification: Internal Page 22 of 136 KYC-Policy 2024-25 (iv) Cover payment refers to a wire transfer that combines a payment message sent directly by the ordering financial institution to the beneficiary financial institution with the routing of the funding instruction (the cover) from the ordering financial institution to the beneficiary financial institution through one or more intermediary financial institutions. (v) Cross- border wire transfer refers to any wire transfer where the ordering financial institution and beneficiary financial institution are located in different countries. This term also refers to any chain of wire transfer in which at least one of the financial institutions involved is located in a different country. (vi) Domestic wire transfer refers to any white transfer where the ordering financial institution and beneficiary financial institution are located in India. This term therefore refers to any chain of wire transfer that takes place entirely within the borders of India, even though the system used to transfer the payment message may be located in another country. (vii) Financial Institution: in the context of wire-transfer instructions, the term financial institution shall have the same meaning as has been ascribed to it in the FATF recommendations, as revised from time to time. 
(viii) Intermediary Bank refers to a financial institution or any other entity, regulated by the RBI, which handles an intermediary element of the wire transfer in a serial or cover payment chain, and which receives and transmits a wire transfer on behalf of the ordering financial institution and the beneficiary financial institution or another intermediary financial institution.
(ix) Ordering Bank refers to the financial institution, regulated by the RBI, which initiates the wire transfer and transfers the funds upon receiving the request for a wire transfer on behalf of the originator.
(x) Originator refers to the account holder who allows the wire transfer from that account or, where there is no account, the natural or legal person that places the order with the ordering financial institution to perform the wire transfer.
(xi) Serial payment refers to a direct, sequential chain of payment where the wire transfer and the accompanying payment message travel together from the ordering financial institution to the beneficiary financial institution, directly or through one or more intermediary financial institutions (e.g., correspondent banks).
(xii) Straight-through processing refers to payment transactions that are conducted electronically, without the need for manual intervention.
(xiii) Unique transaction reference number refers to a combination of letters, numbers or symbols determined by the payment service provider in accordance with the protocols of the payment and settlement system or messaging system used for the wire transfer.
(xiv) Wire transfer refers to any transaction carried out on behalf of an originator through a financial institution by electronic means with a view to making an amount of funds available to a beneficiary at a beneficiary financial institution, irrespective of whether the originator and the beneficiary are the same person.

3.2.20.
“KYC-B” means know your customer’s nature of business and the inflows/outflows associated with that business.

3.2.21. “KYC-BR” means know your customer’s business risk.

3.2.22. All other expressions, unless defined herein, shall have the same meaning as has been assigned to them under the Banking Regulation Act, 1949, the Reserve Bank of India Act, 1934, the Prevention of Money Laundering Act, 2002, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 and the regulations made thereunder, any statutory modification or re-enactment thereto, or as used in commercial parlance, as the case may be.

CHAPTER-II
General

4. “Know Your Customer (KYC)” policy - RBI Master Directions:
4.1. The Bank is implementing its KYC Policy in compliance with Clause 4(a) of RBI’s Master Direction - Know Your Customer (KYC) Direction, 2016 (updated from time to time, latest as on 17-10-2023).
4.2. In terms of the PML Rules, groups are required to implement group-wide policies for the purpose of discharging obligations under the provisions of Chapter IV of the PML Act, 2002 (15 of 2003). Accordingly, Union Bank of India, which is part of a group, shall implement group-wide programmes against money laundering and terror financing, including group-wide policies for sharing the information required for the purpose of client due diligence and money-laundering and terror-financing risk management, and such programmes shall include adequate safeguards on the confidentiality and use of information exchanged, including safeguards to prevent tipping-off. In compliance with this direction, all foreign branches/offices/subsidiaries are requested to share the information as per PMLA Chapter IV with the AML-CFT Division, TM & FM Department.
4.3.
The Bank’s policy framework should seek to ensure compliance with the PML Act/Rules, including regulatory instructions in this regard, and should provide a bulwark against threats arising from money laundering, terrorist financing, proliferation financing and other related risks. While ensuring compliance with the legal/regulatory requirements as above, the Bank may also consider adoption of best international practices, taking into account the FATF standards and FATF guidance notes, for managing risks better.

5. The KYC policy shall include the following four key elements:
(i) Customer Acceptance Policy
(ii) Risk Management
(iii) Customer Identification Procedures (CIP), and
(iv) Monitoring of Transactions.

5A. Money Laundering and Terrorist Financing Risk Assessment by the Bank:
I. The Bank shall carry out a ‘Money-Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise annually to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for customers, countries or geographic areas, products, services, transactions, delivery channels, etc. The assessment process should consider all the relevant risk factors before determining the level of overall risk and the appropriate level and type of mitigation to be applied. While preparing the internal risk assessment, the Bank shall take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator/supervisor may share with the Bank from time to time.
II. The risk assessment by the Bank shall be properly documented and be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the Bank. Further, the periodicity of the risk assessment exercise shall be determined by the ORMC/Board, or any committee of the Board to which the power in this regard has been delegated, in alignment with the outcome of the risk assessment exercise.
However, it should be reviewed at least annually.
III. The outcome of the exercise shall be put up to the Board or any committee of the Board to which power in this regard has been delegated, and should be available to competent authorities and self-regulating bodies.

5B. Risk Mitigation and Management:
I. The Bank shall apply a Risk Based Approach (RBA) for mitigation and management of the risks (identified on its own or through the national risk assessment) and shall have Board-approved policies, controls and procedures in this regard.
II. The Bank shall implement a CDD programme, having regard to the ML/TF risks identified and the size of business. Further, the Bank shall monitor the implementation of the controls and enhance them if necessary.
III. For effective implementation of the ML/TF risk assessment, the Operational Risk Management Cell, Risk Management Department, shall conduct the ML/TF risk assessment and committee meeting on a yearly basis, not later than 30th June every year, for the previous financial year. Operations, Compliance, DFB, TM&FM, RMD and Central Audit and Inspection Departments are the committee members. A quorum of four members, including RMD, is mandatory for the committee meeting. The outcome of the aforesaid risk assessment shall be placed before the ‘ORMC’ or the Board, and an Action Taken Report shall be sought from the respective verticals for compliance.
IV. To assess the Money Laundering/Terrorist Financing (ML/TF) Internal Risk Assessment as per the score card template developed by RMD from time to time, taking into consideration the parameters suggested by the RBI and the IBA guidance note on the subject (Chapter IV).

6. Designated Director:
6.1. A “Designated Director” means a person designated by the Bank to ensure overall compliance with the obligations imposed under Chapter IV of the PML Act and the Rules, and shall be nominated by the Board. The Bank has designated one of the Executive Directors as Designated Director.
6.2.
The name, designation and address of the Designated Director shall be communicated to FIU-IND.
6.3. Further, the name, designation, address and contact details of the Designated Director shall also be communicated to the RBI.
6.4. In no case shall the Principal Officer be nominated as ‘Designated Director’.

7. Principal Officer:
7.1. The Principal Officer shall be responsible for ensuring compliance, monitoring transactions, and sharing and reporting information as required under the law/regulations.
7.2. A management-level officer at the AML-CFT Division, TM & FM Department (AGM/DGM) shall be appointed as Principal Officer by the Bank.
7.3. The name, designation and address of the Principal Officer shall be communicated to FIU-India.
7.4. Further, the name, designation, address and contact details of the Principal Officer shall also be communicated to the RBI.

8. Compliance of KYC policy:
8.1. The Bank shall ensure compliance with the KYC policy through:
8.1.1. ‘Senior Management’, which for the purpose of KYC policy compliance means the Chief General Manager/General Manager of the respective business/operation verticals and the Field General Managers & Regional Heads.
8.1.2. Allocation of responsibility for effective implementation of policies and procedures.
8.1.3. Independent evaluation of the compliance functions of the Bank’s policies and procedures, including legal and regulatory requirements.
8.1.4. Concurrent/internal audit/Management Audit system to verify compliance with KYC/AML policies and procedures.
8.1.5. Submission of quarterly audit notes and compliance to the Audit Committee.
8.1.6. Deploying decoy customers for surprise checking of the level of adherence to KYC norms at branch level.
8.2. The Bank shall ensure that the decision-making functions of determining compliance with KYC norms are not outsourced.

CHAPTER-III
Customer Acceptance Policy

9.
The Bank has put in place a Customer Acceptance Policy (CAP) in compliance with clause 9 of the RBI’s Master Direction - Know Your Customer (KYC) Direction, 2016.

10. Without prejudice to the generality of the aspects that the Customer Acceptance Policy may contain, the Bank shall ensure that:
(i) No account shall be opened in anonymous or fictitious/benami name(s).
(ii) No account is opened, and an existing account is closed, where the Bank is unable to apply appropriate CDD measures, i.e., the Bank is unable to verify the identity and/or obtain the documents required as per the risk categorisation, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer.
❖ The Bank shall consider filing an STR, if necessary, when it is unable to comply with the relevant CDD measures in relation to the customer.
(iii) No transaction or account-based relationship is undertaken without following the CDD procedure.
(iv) The mandatory information to be sought for KYC purposes while opening an account and during periodic updation is specified.
❖ In compliance with this clause, the documents mentioned in Annexure-I are to be obtained while opening the account and at periodic updation.
(v) Additional information, where such information requirement has not been specified in this KYC policy of the Bank, is obtained with the explicit consent of the customer.
(vi) The Bank shall apply the CDD procedure at the UCIC level. Thus, if an existing KYC-compliant customer of the Bank desires to open another account within the same branch or another branch of the Bank, there shall be no need for a fresh CDD exercise.
(vii) The CDD procedure shall be followed for all joint account holders while opening a joint account.
(viii) The circumstances in which a customer is permitted to act on behalf of another person/entity are clearly spelled out.
(ix) A suitable system is put in place to ensure that the identity of the customer does not match with any person or entity whose name appears in the sanctions lists indicated in Chapter IX of this Policy.
(x) Where a Permanent Account Number (PAN) is obtained, the same shall be verified from the verification facility of the issuing authority.
(xi) Where an equivalent e-document is obtained from the customer, the Bank shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000).
(xii) Where Goods and Services Tax (GST) details are available, the GST number shall be verified from the search/verification facility of the issuing authority.
(xiii) A customer may be permitted to act on behalf of another person/entity in conformity with the established law and practice of banking, as there could be occasions when an account is operated by a mandate holder or where an account is opened by an intermediary in a fiduciary capacity. In such cases, KYC checks shall also be performed on the beneficial owners and the mandate holder, as the case may be.

11. While implementing the KYC-AML Policy, the Bank shall ensure that the Customer Acceptance Policy (CAP) does not become too restrictive and result in the denial of banking services to the general public, especially to those who are financially or socially disadvantaged.

12. Where the Bank forms a suspicion of money laundering or terrorist financing, and it reasonably believes that performing the CDD process will tip off the customer, it shall not pursue the CDD process and shall instead file an STR with FIU-IND.

13. Profile creation for new customers:
(i) The Bank shall prepare a profile for each new customer based on risk categorisation.
(ii) The customer profile will contain information relating to the customer’s identity, social/financial status, nature of business activity, information about his clients’ business and their location, etc.
(iii) The nature and extent of due diligence will depend on the risk perceived by the Bank. However, while preparing the customer profile, due care shall be taken to seek only such information from the customer as is relevant to the risk category and is not intrusive.
(iv) The ‘mandatory’ information required for KYC purposes shall be obtained at the time of opening the account and during periodic updation, but ‘optional’ customer details, if required, may be obtained separately after the account is opened, only with the explicit consent of the customer.
(v) The customer profile is a confidential document, and the details contained therein shall not be divulged for cross-selling or any other purpose without the express permission of the customer.

CHAPTER-IV
RISK MANAGEMENT

14. Background:
Rule 9(13) of the PMLR requires the Bank to carry out a risk assessment to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for customers, countries or geographic areas, and products, services, transactions or delivery channels, that is consistent with any national risk assessment conducted by a body or authority duly notified by the Central Government. In terms of the KYC Directions of the RBI, the Bank should adhere to the following norms in respect of the risk assessment exercise:
(i) To consider all the relevant risk factors
(ii) To take cognizance of the overall sector-specific vulnerabilities advised by the regulator
(iii) To determine the level of overall risk
(iv) To determine the level and type of mitigation to be applied
(v) To be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the Bank
(vi) To be undertaken at a periodicity decided by the Board considering the outcome of the assessment, but at least annually
(vii) To be properly documented and put up to the Board or any committee of the Board
(viii) To be made available to the RBI and FIU-IND when asked for
(ix) To adopt a risk-based approach for mitigating and managing identified risks
(x) To put in place Board-approved policies, controls and procedures in this regard
(xi) To monitor implementation of controls and enhance them, if required.

15. Risk Based Approach:
RBI Directions also stipulate that the Bank should follow a ‘risk-based approach’ for mitigation and management of the identified ML/TF risk. They have also prescribed that certain measures, such as periodic updation and customer due diligence, be varied as per customer risk category.
The Risk-Based Approach (RBA) is the fundamental principle for adherence to the FATF Recommendations. The objective is that the efforts yield effective results in mitigating ML/TF risks. The RBA therefore should be the cornerstone of a bank’s AML programme. Fundamental to the RBA is the ML/TF risk assessment which, as a starting point, enables a firm to identify, understand and assess the ML/TF risks to which it is exposed. These identified risks are then prioritised and mitigated or managed by the bank, directing resources and controls first to the highest risk identified, in line with the RBA.

16. Enterprise-Wide Risk Assessment (EWRA):
An Enterprise-Wide Risk Assessment (EWRA) is conducted across the bank to understand and assess the total ML/TF risks faced by it. The Wolfsberg Group guidelines contained in its ‘Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption (2015)’ are very useful to the bank for undertaking the ML/TF risk assessment.

16.1.
Inherent Risk and Residual Risk:
Prerequisites for risk assessment are understanding the nature of risk, identifying the sources of risk and gauging the level of risk for each source. Risk can be looked at from two perspectives: one, the risk faced from a source without any mitigating measure, viz. Inherent Risk; and two, the risk that persists even after mitigating measures, viz. Residual Risk. The differential between the Inherent Risk and the Residual Risk reflects the effectiveness of the controls, i.e., the mitigating measures. What ultimately impacts a bank is the Residual Risk; however, a better appreciation of risk is attained by assessing risk in three stages, viz.
(i) Assessing inherent risk
(ii) Gauging control effectiveness
(iii) Determining residual risk

16.2. Sources of Risk:
It will be noticed that ML/TF risks essentially manifest through business transactions, and emanate from the following elements connected with a business activity and its related transactions:
(i) Clients
(ii) Products/Services
(iii) Geography/Countries
(iv) Delivery Channels
(v) Transactions
There are several risk factors associated with each of these elements that need to be considered for assessment of the inherent risk associated with them. These risk factors are briefly discussed here.
(i) Clients – The primary source of ML/TF risk for a bank is its clients. Assessment of the inherent risk of a bank, or of any business division, unit or business line, requires assessing its client base and business relationships. The major risk factors for clients are: Activity, Constitution, Financial Status, Social Status, Turnover and Linkages. These factors can be used to stratify the client base into different categories and to identify aspects of client risk.
(ii) Products and Services – Various types of products/services carry different levels of risk.
The major risk factors related to products are: purpose of product, mode of transactions, nature of restrictions, nature of relationship, range of values and geographical linkages. A bank could identify its portfolio of main products/account types and assign an inherent score (for example, low, moderate, high or higher) to each, based on its general inherent characteristics and the degree of money laundering risk present. For example, international wires, payable-through accounts or international private banking could be considered high-risk products. For the business division, unit or business line in question, the data on the volume of products/account types, and the associated account balances and/or turnover, may be determined. Based on this, the risk-wise distribution of business under each business division, unit or business line is arrived at. Before rolling out a new product or service, banks should undertake its ML/TF risk assessment to ensure that adequate internal controls are incorporated to mitigate the assessed risk. The risk category and the mitigating measures should be a part of the product paper.
(iii) Geography/Country – Identifying geographic locations that may pose a higher risk is a core component of any inherent risk assessment, and the business division, unit or business line will seek to understand and evaluate the specific risks associated with the geographic locations relevant to its activities. The Geography/Country risk may also be analysed with respect to the location of a bank’s business divisions and units, including its subsidiaries, affiliates and offices, both global and domestic. This provides the geographic footprint of a bank. This element has relevance for clients too. A bank may identify the number of its clients within each country, in respect of all or some of the following: country of domicile, incorporation or nationality.
In order to map geographies/countries into different risk ratings, a bank’s own country risk model or an equivalent third-party vendor product may be used. Risk factors relevant for a country/geography are: Political System, Social Environment, Regulatory Regime, FATF monitoring, UN/Other sanctions, and Geographical location.
(iv) Channels – Some delivery channels/servicing methods may pose increased ML risk because they may result in the division, unit or business line not truly knowing or understanding the identity and activities of the client using them. Consequently, it should be assessed whether, and to what extent, the method of account origination or account servicing, such as non-face-to-face account opening or the involvement of third parties, including intermediaries, could increase the inherent ML risk. Another factor that affects channel risk is the geographies served by the channel. Business volume analysis of the channels can determine the risk-wise distribution for a business division, unit or business line.
(v) Transactions – Two key aspects related to the nature of transactions, viz. the mode of transaction (in cash or other modes) and whether inland or cross-border, have a direct impact on the risk level of a transaction. Besides, various aspects of the other elements discussed above also influence the risk level. There is thus some degree of overlap when considering the various factors for transactions and for the other elements. This aspect should be consciously taken into account.

16.3. Assessing Inherent Risk:
Risk assessment should cover all business activities of a bank but, given the complexity of banking business, it may be undertaken distinctly for different business lines, units, divisions, etc. The exercise would include the various sources and related factors discussed above.

16.4. Gauging Effectiveness of Controls:
The effectiveness of the controls in place should be gauged to determine the extent to which they result in mitigating the inherent risk.
The controls operate at different levels, viz. business policies, business practices, operating systems, control mechanisms, etc. Evaluating control effectiveness for the various elements separately, and factoring it in distinctly for each element, may provide a better picture for further actions. One modality used for this purpose is a self-assessment by the different business units for each element, covering all controls in place.

16.5. Determining Residual Risk:
Finally, for each element the inherent risk is modulated by the corresponding control effectiveness to ascertain the residual risk. This becomes the basis for deciding whether or not the residual risk is within the risk appetite of the bank, whether any further control measures are needed and, if so, the nature of the controls and the points of control. The final residual risk map of the enterprise would also throw up the high-risk areas of the bank’s business activities and enable it to focus its AML/CFT efforts on those areas.

16.6. Risk Measurement:
Risk assessment is predominantly a qualitative exercise, especially as most of the input data is also qualitative in nature. The typical method involves using Risk Scores and Weights and adopting the weighted average method. Using Risk Scores facilitates a clearer distinction between different levels, aggregating the effect of constituent factors, etc. The importance of the various risk factors differs, and this can be factored in by assigning a Weight to each factor. In the weighted average method, each parameter is assigned a ‘risk score’ and a ‘weight’ is attached to the parameter depending upon its accuracy and criticality to the overall risk. Weights should be carefully decided, taking care that they do not result in undue overemphasis of any factor or elimination of the high-risk category, and are not influenced by business or profit considerations.
There is a need to ensure that, while assigning risk scores and weights to the various parameters, critical and more accurate parameters are given their due weightage. The output weighted score is compared to a final scale to determine the final ‘risk level’.

16.7. Other Aspects:
Several other factors, especially significant changes in the bank’s business, banking sector activities and technological developments, may affect inherent risk. Such and other qualitative factors may also be factored in. These could include IT systems changes, business growth aspects, business diversification/divestments, etc. Banks submit to the RBI detailed periodical data related to AML/KYC risks. Considering that this data covers the entire spectrum of the bank’s business and is in highly analytical form, banks may consider using the same for their own risk assessment exercise. Modalities of enterprise risk assessment vary widely for different banks depending on their business activities, size of business, geographical spread and customer composition. In its simplest form, a bank may adopt a simple risk assessment model based entirely on qualitative factors and risk descriptions. Certain banks may develop Excel templates using a score-based model that may incorporate both qualitative and quantitative factors. Larger banks with complex business activities may adopt risk assessment software applications with sophisticated models. A bank may evolve and adopt its own model that is apt for it.

17. Regulatory Requirements:
The RBI has stipulated certain broad norms to be followed by banks in respect of ML/TF risk assessment. These are briefly enumerated below.
(i) To be carried out at a periodicity determined by the Board, but at least annually.
(ii) To consider all the relevant risk factors for assessment.
(iii) To determine the overall risk level and the appropriate level and type of mitigation required.
(iv) To take cognizance of sector-specific vulnerabilities advised by the regulator/supervisor.
(v) To be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the Bank.
(vi) To be documented, and the outcome to be placed before the Board/its committee and provided to the competent authorities and regulating bodies.
(vii) To apply a risk-based approach for mitigation/management of identified risks.
(viii) To have Board-approved policies, controls and procedures for this purpose.
(ix) To monitor the controls and take enhancement measures, where needed.

18. Risk Management:
For risk management, the Bank shall have a risk-based approach which includes the following:
(i) Customer Risk Categorisation (CRC)
(ii) Broad principles for customer risk categorisation.
(iii) Risk categorisation shall be undertaken based on parameters such as the customer’s identity, social/financial status, nature of business activity, information about the customer’s business and their location, geographical risk covering customers as well as transactions, type of products/services offered, delivery channel used for delivery of products/services, and types of transactions undertaken (cash, cheque/monetary instruments, wire transfers, forex transactions, etc.). While considering the customer’s identity, the ability to confirm identity documents through online or other services offered by the issuing authorities may also be factored in.
(iv) The risk categorisation of a customer and the specific reasons for such categorisation shall be kept confidential and shall not be revealed to the customer, to avoid tipping off the customer.
Provided that the various other information collected from different categories of customers relating to the perceived risk is non-intrusive and is specified in the KYC policy.
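As an added example, not code from the Bank’s policy or from the RBI’s directions, the following Python puts the weighted-average method of 16.6 and the inherent/residual distinction of 16.5 behind the customer parameters listed in clause 18(iii), and applies the override provision described in 18.3 (with flags illustrating the bullion/jeweller and UN-promoted NGO cases of 18.1.2). The weights, the 1-to-5 score range, the scale thresholds, the control-effectiveness formula, the flag names and the two sample profiles are all assumptions made for the illustration, not policy values.

```python
"""Weighted-average customer risk categorisation (CRC) with overrides.

Added example, not taken from the Bank's policy or any RBI text. It works
the weighted-average method of 16.6, the inherent-to-residual step of 16.5
and the override provision of 18.3 on constructed profiles. Parameter names
follow clause 18(iii); every weight, score range, threshold and override
flag below is an illustrative assumption, not a policy value.
"""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 1, 5          # assumed per-parameter score range

# Assumed weights for the clause 18(iii) parameters; they sum to 1.0.
WEIGHTS = {
    "identity": 0.15,      # how firmly identity documents could be verified
    "status": 0.10,        # social/financial status
    "business": 0.15,      # nature of business activity
    "location": 0.15,      # geography of the customer and of transactions
    "products": 0.15,      # products/services availed
    "channel": 0.15,       # delivery channel (e.g. non-face-to-face)
    "transactions": 0.15,  # cash / cheque / wire / forex mix
}

# Assumed final scale (16.6): upper bound (exclusive) -> risk level.
SCALE = ((2.5, "low"), (3.75, "medium"), (float("inf"), "high"))

# Override provision (18.3): flags that fix the category regardless of score.
# Illustrative list drawn from 18.1.2(iii), 18.1.2(v) and 18.3.
OVERRIDES = {"foreign_pep": "high", "bullion_or_jeweller": "high",
             "un_promoted_ngo": "low"}


def weight_problems(weights, max_single=0.5):
    """Return the 16.6 cautions a weight set violates (empty list = acceptable):
    weights must be positive, sum to 1.0 and no factor may dominate (assumed
    cap max_single). With positive weights summing to 1, an all-SCORE_MAX
    profile still scores SCORE_MAX, so the 'high' band cannot be eliminated."""
    problems = []
    if any(w <= 0 for w in weights.values()):
        problems.append("non-positive weight")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        problems.append("weights do not sum to 1.0")
    if max(weights.values()) > max_single:
        problems.append("single factor carries undue weight")
    return problems


def weighted_score(scores, weights=WEIGHTS):
    """Weighted average of per-parameter scores (16.6). Every weighted
    parameter must be scored and every score must lie on the assumed scale."""
    problems = weight_problems(weights)
    if problems:
        raise ValueError(problems)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"unscored parameters: {sorted(missing)}")
    for name, s in scores.items():
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"{name}: score {s} outside {SCORE_MIN}..{SCORE_MAX}")
    return sum(weights[p] * scores[p] for p in weights)


def risk_level(score, scale=SCALE):
    """Map a weighted score onto the final scale (16.6)."""
    for upper, level in scale:
        if score < upper:
            return level
    return scale[-1][1]


def residual_score(inherent, control_effectiveness):
    """16.5: modulate inherent risk by control effectiveness in 0..1. Only the
    part above SCORE_MIN is mitigated, so the result stays on the score scale.
    The multiplicative form is a modelling choice; the policy prescribes none."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError("control effectiveness must be within 0..1")
    return SCORE_MIN + (inherent - SCORE_MIN) * (1.0 - control_effectiveness)


@dataclass(frozen=True)
class Categorisation:
    level: str        # low / medium / high
    residual: float   # residual weighted score, rounded
    basis: str        # 'scored' or 'override:<level>'


def categorise(scores, flags=(), control_effectiveness=0.0):
    """Full CRC pass: inherent score, residual adjustment, scale, overrides."""
    residual = residual_score(weighted_score(scores), control_effectiveness)
    level = risk_level(residual)
    forced = {OVERRIDES[f] for f in flags if f in OVERRIDES}
    if "high" in forced:   # a high-risk override always prevails
        return Categorisation("high", round(residual, 3), "override:high")
    if "low" in forced:
        return Categorisation("low", round(residual, 3), "override:low")
    return Categorisation(level, round(residual, 3), "scored")


# Constructed sample profiles, not real customers.
SALARIED = {"identity": 1, "status": 1, "business": 1, "location": 1,
            "products": 1, "channel": 2, "transactions": 1}   # -> 1.15, low
TRADER = {"identity": 3, "status": 3, "business": 4, "location": 4,
          "products": 4, "channel": 4, "transactions": 5}     # -> 3.90, high

if __name__ == "__main__":
    print(categorise(SALARIED))
    print(categorise(TRADER))
    print(categorise(TRADER, control_effectiveness=0.25))   # mitigated to medium
    print(categorise(SALARIED, flags=("foreign_pep",)))      # override to high
```

Weight validation runs before every scoring call, so a weight set that lets one factor dominate or that fails to sum to 1.0 is refused rather than silently distorting the categories. The `basis` field records whether a category came from the score or from an override; under 18(iv) that record, like the category itself, stays in the profile for the Bank and its auditors and is not disclosed to the customer.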
Explanation: The FATF Public Statement, the reports and guidance notes on KYC/AML issued by the Indian Banks’ Association (IBA) and other agencies, etc., may also be used in risk assessment.

18.1. Customer Risk Categorisation (CRC):
As per RBI directions, customers are to be categorised into low, medium and high-risk categories. This has become the basis for adoption of the Risk Based Approach.
(i) What is Customer Risk?
Customer risk in the present context refers to the ML/TF risk exposure of a bank emanating from a particular customer. Customer risk may be gauged based on the risk perceptions associated with the parameters comprising the customer’s profile, and the level of risk associated with the products or services and channels used by him/her.
(ii) Need for Customer Risk Categorisation
Extant RBI Directions require banks to have differential due diligence and monitoring standards for their customers based on the bank’s perception of the risk category of the customers. Certain regulatory norms contain differentiated prescriptions based on risk category, especially for periodic updation of KYC data and customer profile contents. Considering that banks have over the years gained experience and expertise in profiling their customers, the RBI requires banks to determine the risk category of individual customers based on their own assessment and not merely based on any group or class they belong to.
(iii) Approach for Customer Risk Categorisation
(A) Parameter Based Categorisation
Regulators expect banks to have a multi-dimensional and dynamic Customer Risk Categorisation model which considers both static and dynamic factors to arrive at the customer’s risk classification. Customers need to be classified into at least three categories, viz. low, medium and high risk. Risk categorisation of customers is based on several parameters related to the customer, such as:
i. Customer’s identity
ii.
Social/financial status
iii. Nature of business activity
iv. Information about the customer’s business
v. Location of the customer
vi. Business levels/turnover
vii. Delivery channels
viii. Types of transactions
While considering the customer’s identity, the ability to confirm identity documents through online or other services offered by the issuing authorities may also be factored in. As an indicative direction on risk classification, customers who are likely to pose a higher-than-average risk should be categorised as medium or high risk depending on the various risk parameters stated above.

18.1.1. Low Risk Customers:
Individuals (other than High Net Worth) and entities whose identities and sources of wealth can be easily identified, and transactions in whose accounts by and large conform to the known profile, shall be categorised as low risk. Illustrative examples of low-risk customers:
(i) salaried employees whose salary structures are well defined
(ii) people belonging to the lower economic strata of society whose accounts show small balances and low turnover
(iii) Government Departments and Government-owned companies, regulators and statutory bodies, etc. (In such cases, only the basic requirements of verifying the identity and location of the customer are to be met.)

18.1.2. Medium and High-Risk Customers:
(i) Customers that are likely to pose a higher-than-average risk to the Bank shall be categorised as ‘Medium’ or ‘High’ risk depending on the customer’s background, nature and location of activity, country of origin, sources of funds, his client profile, etc.
(ii) The Bank shall apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive ‘due diligence’ for higher-risk customers, especially those for whom the sources of funds are not clear.
(iii) In view of the risks involved in cash-intensive business, accounts of bullion dealers (including sub-dealers) and jewellers will be categorised as 'high risk', requiring enhanced due diligence.
(iv) Due to the inherent risks and complexity involved in non-trade/service-related cross-border remittances, accounts with a declared nature of business/activity of (i) logistics service providers/freight forwarders, (ii) tour and travel service providers, (iii) event management, (iv) media/film production, (v) advertising services and (vi) IT/software services shall be categorised under the 'High risk' category; transactions in these accounts shall be closely monitored and EDD conducted wherever applicable.

Other examples of customers requiring higher due diligence include:
a) non-resident customers;
b) high net worth individuals;
c) trusts, charities, NGOs, NPOs and organisations receiving donations;
d) companies having close family shareholding or beneficial ownership;
e) firms with 'sleeping partners';
f) Multi-Level Marketing (MLM) agencies;
g) 'pooled accounts' maintained by professional intermediaries;
h) accounts of agents/sub-agents of cross-border money transfer service providers;
i) politically exposed persons (PEPs);
j) non-face-to-face customers;
k) those with a dubious reputation as per publicly available information, etc.
(v) However, Non-Profit Organisations (NPOs)/Non-Governmental Organisations (NGOs) promoted by the United Nations (UN) or its agencies will be classified as low-risk customers.

18.2. Review of Risk Categorisation:
Customer risk categorisation is a dynamic process, and risk categories need to be reviewed as indicated below:
(i) RBI Directions require banks to review the customer risk category at a periodicity of at least once in six months.
(ii) It also needs to be reviewed at the time of periodic updation of customer data and profile.
(iii) The risk category is also reviewed when any significant development is noticed in respect of the customer, his business activity or his association with the Bank; for example, an individual becomes a Politically Exposed Person (PEP), a customer enters a new product line, a customer avails a new product/service with higher vulnerability, a customer uses new channels, etc.

18.3. Risk Categorisation Model:
Each bank may develop its own model for customer risk categorisation based on available customer/product information, risk perception and other factors such as available technology, etc. A profile of the customer may be created in the system using available information, based on which the risk category is assigned. Banks may take further guidance from the IBA report on parameters for risk-based transaction monitoring. Banks may, if required, deploy suitable software for the purpose of risk categorisation. Such software can extract customer data from the banking software and assign a risk rating based on the scoring model selected by the bank. If a bank so chooses and its core banking application permits, CRC may be done in the core banking software as well.

For certain categories of customers, FATF has recommended a high risk rating, for example foreign Politically Exposed Persons (PEPs) and international correspondent banking relationships. For such and similar situations an override provision is adopted to assign a specific risk category to the customers concerned, overriding the category the scoring model would otherwise produce. Further, certain prominent characteristics may determine the risk category to be higher or lower than that otherwise perceived. For instance:
(i) Loan accounts of a non-operative nature having a pre-determined cash flow (e.g., home loans), and fixed-cap accounts like small deposit accounts, can generally be regarded as low risk.
(ii) In view of the typologies observed in terrorist financing activities, small deposit accounts may not be considered as low risk.

18.4. Selection of Parameters for Risk Categorisation:
Some indicative parameters which can be used to determine the risk category of a customer are as follows:
(i) Customer constitution: individual, sole proprietary firm, partnership firm, private/public limited company, trust, society, association, etc.
(ii) Business segment: retail, corporate operations, etc.; industry type: gems and jewellery, textiles, leather and leather products, e-commerce, shipping, real estate, hotels and restaurants, etc.
(iii) Country of residence/incorporation/nationality: whether India or an overseas location; Indian or foreign national/entity.
(iv) Product subscription: international wires, trade/export finance, private banking, salary account, etc.
(v) Economic profile: High Net Worth Individual (HNI), wealth customer, etc.
(vi) Account status: active, inactive, inoperative, dormant.
(vii) Account vintage and transaction type with volumes, where possible.
(viii) Volume and type of funds flowing through the customer's account, e.g., cash, forex, non-cash, and throughput per month, etc.
(ix) Negative lists: presence in any negative regulatory/PEP/defaulter/fraudster list.
(x) Past Suspicious Transaction Reports (STRs) filed for the customer.

The parameters actually adopted will depend on the type of customer, the nature and extent of business transacted with the Bank, and the customer-related information available. FATF public statements, the reports and guidance notes on KYC/AML issued by the Indian Banks' Association (IBA), the guidance note circulated to all cooperative banks by the RBI, etc., may also be used in the assessment of risk.

18.5.
In addition to what has been indicated above, the Bank shall take steps to identify and assess its Money Laundering (ML)/Terrorist Financing (TF) risk for customers, countries and geographical areas, and also for products/services/transactions/delivery channels, in order to effectively manage and mitigate the risk arising from such customers, countries, products, services, transactions and delivery channels. As a corollary, the Bank shall adopt enhanced measures for products, services and customers with a medium or high risk rating. In this regard the Bank shall use the Report on Parameters for Risk-Based Transaction Monitoring (RBTM) dated March 30, 2011, issued by the Indian Banks' Association on May 18, 2011, as a supplement to its guidance note on Know Your Customer (KYC) Norms/Anti Money Laundering (AML) Standards issued in July 2009, which also provides an indicative list of high-risk customers, products, services and geographies.

18.6.
While the Bank has adopted a risk-based approach to the implementation of this Policy, it is necessary to establish an appropriate framework covering proper management oversight, systems, controls and other related matters. The Bank's Internal Audit and Compliance functions will provide an independent evaluation of KYC/AML policies and procedures, including legal and regulatory requirements. Concurrent/Internal Auditors shall specifically test-check and verify the application of KYC/AML procedures for new customers as well as the periodic updation of KYC at branches, and comment on the lapses observed in this regard. The Management Audit of Regional Offices shall comment on the progress of KYC updation and Re-KYC in the Region concerned. Compliance in this regard will be put up before the Board/Audit Committee of the Board at quarterly intervals.

18.7. Board Approved Policy:
Banks need to have clear Board-approved policies for risk categorisation and ensure that these are meticulously complied with. This may be a part of the overall KYC Policy, if the bank so desires.

18.8. Risk Upgradation in STR and CTR Filed Accounts:
Pursuant to approval received from ORMC, the following modifications have been approved in the implementation of the risk-based approach to reflect appropriate risk categorisation:
18.8.1. Categorisation of all customer accounts into the 'High Risk' category in cases where a Suspicious Transaction Report (STR) is filed, irrespective of the previous risk categorisation (i.e., Low Risk/Medium Risk).
18.8.2. Categorisation of all customer accounts in the 'Low Risk' category into the 'Medium Risk' category where a Cash Transaction Report (CTR) is filed.

CHAPTER-V
Customer Identification Procedure (CIP)

19. The Bank shall undertake identification of customers in the following cases:
(i) Commencement of an account-based relationship with the customer.
(ii) Carrying out any international money transfer operation for a person who is not an account holder of the Bank.
(iii) When there is doubt about the authenticity or adequacy of the customer identification data it has obtained.
(iv) Selling third-party products as agents, selling own products, payment of dues of credit cards/sale and reloading of prepaid/travel cards, and any other product, for more than rupees fifty thousand.
(v) Carrying out transactions for a non-account-based customer, i.e., a walk-in customer, where the amount involved is equal to or exceeds rupees fifty thousand, whether conducted as a single transaction or as several transactions that appear to be connected.
(vi) When the Bank has reason to believe that a customer (account-based or walk-in) is intentionally structuring a transaction into a series of transactions below the threshold of rupees fifty thousand.
(vii) The Bank shall ensure that an introduction is not sought while opening accounts.

The failure or refusal by an applicant to provide satisfactory identification evidence within a reasonable time period and/or without adequate explanation may lead to a suspicion that the depositor or investor is engaged in money laundering. In such circumstances, the Branch shall consider making a suspicious activity report and submit it to the Principal Officer.

20. Duty to obtain identification:
The first requirement of 'Knowing Your Customer' for AML purposes is to be satisfied that a prospective customer is who he/she claims to be. It is important to determine whether an applicant for business is undertaking a one-off transaction or whether the transaction is, or will be, part of a business relationship, as this can affect the identification requirements.

21. For the purpose of verifying the identity of customers at the time of commencement of an account-based relationship, the Bank may rely on customer due diligence done by a third party, subject to the following conditions:
(i) Records or the information of the customer due diligence carried out by the third party (if empanelled by the Bank) are obtained immediately from the third party or from the Central KYC Records Registry.
(ii) The Bank shall take adequate steps to satisfy itself that copies of identification data and other relevant documentation relating to the client due diligence requirements will be made available from the third party upon request without delay.
(iii) The Bank shall satisfy itself that such third party is regulated, supervised or monitored for, and has measures in place for compliance with, client due diligence and record-keeping requirements in line with the requirements and obligations under the PML Act.
(iv) The third party shall not be based in a country or jurisdiction assessed as high risk; and
(v) The Bank is ultimately responsible for client due diligence and for undertaking enhanced due diligence measures, as applicable.

22. Customer identification process:
22.1. Customer Identification Data, including the photograph, shall be updated and kept on record, duly verified, at least once in ten years in the case of Low-Risk customers, once in two years in the case of High-Risk customers and once in eight years in the case of Medium-Risk customers. The time limits prescribed above apply from the date of opening of the account/last verification of the account. Such verification shall be done irrespective of whether the account has been transferred from one branch to another. However, the Bank shall ensure that:
(i) Branches do not seek fresh proof of identity and address at the time of periodic updation from 'low risk' customers where there is no change in status with respect to their identities and addresses.
(ii) A self-certification by the customer to that effect will suffice in such cases.
(iii) In case of a change of address of such 'low risk' customers, they may merely forward a certified copy of the document (proof of address) by mail/post, etc.
(iv) Physical presence of the customer may, however, not be insisted upon at the time of such periodic updation.

22.2. Whenever there is suspicion of money laundering or terrorist financing, or when other factors give rise to a belief that the customer does not, in fact, pose a low risk, the branch shall carry out full-scale Customer Due Diligence (CDD) before opening an account.

22.3. When there are suspicions of money laundering or of financing of activities relating to terrorism, or where there are doubts about the adequacy or veracity of previously obtained Customer Identification Data, the branch shall review the due diligence measures, including verifying again the identity of the client, and obtain information on the purpose and intended nature of the business relationship.

22.4. Customer Identification Procedure – More Information:
The Bank shall ensure that sufficient information is obtained on the nature of business that the customer expects to undertake and on any expected or predictable pattern of transactions. A risk-based approach shall govern the extent of the additional information that might be required or validated for this purpose. In making this assessment, the Bank shall have regard to the need to protect the applicant's privacy and shall not seek information that is irrelevant to the product, service or account in question or to the applicant's involvement in the relationship. Following the start of the relationship, reasonable steps shall be taken to keep the information up to date as appropriate and as opportunities arise, e.g., when an existing customer opens a new account, and at least once in ten years in the case of Low-Risk customers, once in two years in the case of High-Risk customers and once in eight years in the case of Medium-Risk customers. Information collected at the outset for Customer Identification purposes shall generally include:
(i) The purpose and reason for opening the account or establishing the relationship
(ii) The anticipated level and nature of the activity to be undertaken
(iii) The expected origin of the funds to be used within the relationship
(iv) Details of occupation/employment and sources of wealth or income
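The categorisation rules of 18.1 to 18.8 (a parameter-based score, fixed overrides for the customer types the policy places in high or low risk, the STR and CTR upgrades) and the updation intervals of 22.1 and 22.4 together describe a small rule engine, and the order in which the overrides are applied decides the outcome for a customer who matches more than one of them. The Python below is an added example of how such a model can be implemented; it is not the Bank's code. The parameter weights, the score thresholds, the label strings used for constitution and business, and the precedence between overrides where the policy is silent are assumptions; the overrides themselves, the ten/eight/two year updation intervals and the six-monthly review follow the sections above, and the sample customers are constructed.

```python
"""Customer risk categorisation and KYC updation scheduling: an added example,
not Union Bank of India code. Weights, thresholds, label strings and the order
of precedence between overrides where the policy is silent are assumptions; the
overrides follow 18.1.2, 18.3 and 18.8, the updation intervals 22.1 and the
six-monthly review 18.2."""
import calendar
from dataclasses import dataclass
from datetime import date

LOW, MEDIUM, HIGH = "low", "medium", "high"
RANK = {LOW: 0, MEDIUM: 1, HIGH: 2}
UPDATION_YEARS = {LOW: 10, MEDIUM: 8, HIGH: 2}   # 22.1
REVIEW_MONTHS = 6                                # 18.2(i)

# Declared business types the policy fixes as high risk (18.1.2(iii) bullion and
# jewellery, 18.1.2(iv) cross-border service businesses). Labels are assumed.
HIGH_RISK_BUSINESS = frozenset({
    "bullion", "jewellery", "logistics", "freight_forwarding", "tour_travel",
    "event_management", "media_film", "advertising", "it_software"})
# Customer types listed under 18.1.2 as needing higher due diligence.
ELEVATED_CONSTITUTION = frozenset({
    "trust", "charity", "ngo", "npo", "mlm", "pooled_account",
    "money_transfer_agent", "close_family_company", "sleeping_partner_firm"})


@dataclass(frozen=True)
class Customer:
    """Profile drawn from the 18.4 parameters; defaults are a constructed
    sample of a plain salaried resident individual (cf. 18.1.1)."""
    constitution: str = "individual"
    business: str = "salaried"
    resident: bool = True
    hnwi: bool = False
    pep: bool = False
    non_face_to_face: bool = False
    un_promoted_npo: bool = False        # 18.1.2(v)
    negative_list_hit: bool = False      # 18.4(ix)
    str_filed: bool = False              # 18.8.1
    ctr_filed: bool = False              # 18.8.2
    monthly_cash_inr: int = 0
    last_verified: date = date(2024, 2, 29)
    last_review: date = date(2024, 2, 29)


def parameter_score(c: Customer) -> int:
    """Score the static 18.4 parameters; the weights are assumed."""
    hits = [(not c.resident, 2), (c.hnwi, 2),
            (c.constitution in ELEVATED_CONSTITUTION, 2),
            (c.non_face_to_face, 1), (c.negative_list_hit, 3),
            (c.monthly_cash_inr >= 1_000_000, 2)]
    return sum(w for hit, w in hits if hit)


def score_to_category(score: int) -> str:
    """Assumed thresholds: 0-1 low, 2-3 medium, 4 and above high."""
    if score < 2:
        return LOW
    return MEDIUM if score < 4 else HIGH


def categorise(c: Customer) -> tuple[str, list[str]]:
    """Score first, then apply the policy overrides. A floor only raises the
    category; the UN rule is the one override that lowers it, so it runs first
    and a later floor can still lift it (that ordering is an assumption)."""
    cat = score_to_category(parameter_score(c))
    reasons: list[str] = []

    def floor(level: str, why: str) -> None:
        nonlocal cat
        if RANK[level] > RANK[cat]:
            cat = level
            reasons.append(why)

    if c.un_promoted_npo:                   # 18.1.2(v)
        cat = LOW
        reasons.append("18.1.2(v) UN-promoted NPO/NGO -> low")
    if c.business in HIGH_RISK_BUSINESS:    # 18.1.2(iii)/(iv)
        floor(HIGH, f"18.1.2 high-risk business: {c.business}")
    if c.pep:                               # 18.3 override for PEPs
        floor(HIGH, "18.3 politically exposed person")
    if c.ctr_filed and cat == LOW:          # 18.8.2 lifts low to medium only
        floor(MEDIUM, "18.8.2 CTR filed")
    if c.str_filed:                         # 18.8.1 forces high from any category
        floor(HIGH, "18.8.1 STR filed")
    return cat, reasons


def add_months(d: date, months: int) -> date:
    """Calendar anniversary; 29 Feb rolls back to the target month's last day."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def schedule(c: Customer) -> dict:
    """Category with reasons, next 22.1 updation date and next 18.2 review date."""
    cat, reasons = categorise(c)
    return {"category": cat, "reasons": reasons,
            "updation_due": add_months(c.last_verified, 12 * UPDATION_YEARS[cat]).isoformat(),
            "review_due": add_months(c.last_review, REVIEW_MONTHS).isoformat()}
```

Run against the policy's own cases: a salaried resident individual with no flags is low, with updation due ten years after the last verification; the same customer with a CTR on file moves to medium, while a medium customer with a CTR stays medium because 18.8.2 only lifts low-risk accounts; a jeweller is high whatever the score and comes up for updation every two years; an NGO promoted by the UN is low despite its constitution, but a PEP flag or an STR on any account forces high. The `reasons` list records which override fired, which is what an auditor under 18.6 will ask for. Anniversary dates falling on 29 February roll back to 28 February in non-leap years, a detail that matters once due dates drive branch work queues.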