KYC POLICY 2024-25.pdf

Full Transcript

 KYC-Policy 2024-25

केवल आं तरिक परिचालन हे तु / FOR INTERNAL CIRCULATION ONLY

अपने ग्राहक को जानें पॉलिसी
KNOW YOUR CUSTOMER POLICY
2024-25

By

यूलनयन बैंक ऑफ इं लिया / UNION BANK OF INDIA
ए.एम.एि-सी.एफ.टी. प्रभाग / AML-CFT Division
संव्यवहार अनुश्रवण एवं धोखाधड़ी प्रबंधन लवभाग

Classification: Internal Page 1 of 136
 KYC-Policy 2024-25

Table of Contents

Sl. No Topic Page No.

1. Introduction 9

2. Chapter-I 11

3. Preliminary 11

4. Definitions 12

5. Chapter-II 25

6. General 25

7. Chapter-III 29

8. Customer Acceptance Policy 29

9. Chapter-IV 32

10. Risk Management 32

11. Chapter-V 45

12. Customer Identification Procedure 45

13. Chapter-VI 51

14. Customer Due Diligence (CDD) Procedure 51

15. CDD measures for individuals 51

16. CDD measures for sole proprietary firms 61

17. CDD measures for legal entities 62

18. Identification of Beneficial owner 64

19. Ongoing Due Diligence 65

69
20. Enhanced and Simplified Due Diligence procedure

Classification: Internal Page 2 of 136
 KYC-Policy 2024-25

76
21. Chapter-VII
76
22. Record Management

23. Chapter-VIII 78

24. Reporting requirements to Financial Intelligence Unit India 78

81
25. Chapter-IX
Requirements/obligations under international 81
26.
agreements- Communications from international agencies
27. Chapter-X 91

91
28. Other Instructions
119
29. Annexure-I

30. Annexure-II (A) 129

130
31. Annexure-II (B)
133
32. Annexure-III

33. Annexure-IV 134

Classification: Internal Page 3 of 136
 KYC-Policy 2024-25

Abbreviations
Abbreviation Description

AD Authorized Dealer

AI Artificial Intelligence

AML Anti-Money Laundering

BC Business Correspondents

BF Business Facilitators

BSBDA Basic Saving Bank Deposit Account

BSBDS Basic Saving Bank Deposit Small Account

BOs Beneficial Owner

CAF Customer Application Form

CAP Customer Acceptance Policy

CBDT Central Board of Direct Taxes

CBS Core Banking Solution

CBWTR Cross Border Wire Transfer Report

CCR Counterfeit Currency Report

CDD Customer Due Diligence

CDF Currency Declaration Form

CEO Chief Executive Officer

Central Registry of Securitization Asset Reconstruction
CERSAI
and Security Interest of India

CFT Combating Financing of Terrorism

CIDR Central Identities Data Repository

CID Customer Identification Data

Classification: Internal Page 4 of 136
 KYC-Policy 2024-25

Abbreviation Description

CIP Customer Identification Procedures

CKYCR Central KYC Records Registry

CRS Common Reporting Standards

CST Central Sales Tax

CTCR Division Counter Terrorism and Counter Radicalization Division

CTR Cash Transaction Report

DGFT Director General of Foreign Trade

DIT Department of Information Technology

EDD Enhanced Due Diligence

E-KYC Electronic – Know Your Customer

FATCA Foreign Account Tax Compliance Act

FATF Financial Action Task Force

FCRA Foreign Contribution (Regulation) Act

FEDAI Foreign Exchange Dealers’ Association of India

FEMA Foreign Exchange Management Act

FIU-India Financial Intelligence Unit - India

FPIs Foreign Portfolio Investors

GPS Global Positioning System

GST Goods and Services Tax

IEC Importer Exporter Code

IGA Inter Government Agreement

IMPS Immediate Payment Service

KYC Know Your Customer

Classification: Internal Page 5 of 136
 KYC-Policy 2024-25

Abbreviation Description

KYC-B Know Your Customer Business

KYC-BR Know Your Customer Business Risk

MAAT Mutual Administrative Assistance in Tax Matters

MD Managing Director

MHA Ministry of Home Affairs

ML Money Laundering

MLM Multi-Level Marketing

MTSS Money Transfer Service Scheme

NCCT Non-Co-operative Countries and Territories

NEFT National Electronics Funds Transfer System

NGO Non-Governmental Organizations

NPO Non-Profit Organisation

NREGA National Rural Employment Guarantee Act

NRI Non-Resident Indian

NRO Non-Resident Ordinary

NTR Non-Profit Organisation Transaction Report

ORMC Operational Risk Management Committee

OTP One Time Pin/Password

OVD Officially Valid Document

PAN Permanent Account Number

PEP Politically Exposed Persons

PIO Person of Indian Origin

PIS Portfolio Investment Scheme

Classification: Internal Page 6 of 136
 KYC-Policy 2024-25

Abbreviation Description

PMJDY Pradhan Mantri Jan Dhan Yojna

PMLA Prevention of Money Laundering Act

PO Principle Officer

POS Point of Sale

PPI Prepaid Payment Instrument

PPO Pension Payment Orders

QR Code Quick Response Code

RBI Reserve Bank of India

RBTM Risk-Based Transaction Monitoring

RTGS Real Time Gross Settlement

SDV Safe Deposit Vault

SEBI Securities and Exchange Board of India

SHG Self Help Group

STR Suspicious Transaction Report

TF Terrorist Financing

V-CIP Video based Customer Identification Process

VAT Value Added Tax

VCs Virtual Currencies

UAPA Unlawful Activities (Prevention) Act

UBO Ultimate Beneficial Owner

UCIC Unique Customer Identification Code

UIDAI Unique Identification Authority of India

UN United Nations

Classification: Internal Page 7 of 136
 KYC-Policy 2024-25

Abbreviation Description

UNSCRs United Nations' Security Council Resolutions

USA United State of America

XML Extensible Markup Language

Classification: Internal Page 8 of 136
 KYC-Policy 2024-25

INTRODUCTION
In terms of the guidelines issued by Reserve Bank of India (RBI) vide its notification
DBOD.AML.BL.18/14.01.001/2002/13 dated 6th August 2002; the Bank adopted its first
Policy on Anti Money-Laundering (AML) & Know Your Customer (KYC) on 24th October
2002.
The main purpose of issuing Master Directions on KYC by RBI is to prevent Banks and
other financial institutions from being used as a channel for Money laundering (ML)/
Terrorist Financing (TF) and to ensure the integrity and stability of the financial system.
Financial Action Task Force (FATF) which is an inter-governmental body established in
1989 by the Ministers of its member jurisdictions, sets standards and promotes effective
implementation of legal, regulatory, and operational measures for combating money
laundering, terrorist financing and other related threats to the integrity of the
International financial system.
In India, the Prevention of the Money-Laundering Act, 2002and the Prevention of Money-
Laundering (Maintenance of Records) Rules, 2005, form the legal framework on Anti
Money-Laundering (AML) and countering Financing of Terrorism (CFT). in terms of the
provisions of PML Act, 2002 and the PML Rules, 2005, as amended from time to time by
the Government of INDIA, Bank must follow certain Customer Identification
procedures while undertaking a transaction either by establishing an account-based
relationship or otherwise and monitor their transactions.
Accordingly in exercise of the powers conferred by Banking Regulation Act, 1949,
Reserve Bank of India Act, 1934, Payment and Settlement Systems Act, 2007, Foreign
Exchange Management Act, 1999, Prevention of Money-Laundering (Maintenance of
Records) Rules, 2005 and all other laws enabling the RBI in this regard, the RBI issued
Master Direction- Know your Customer (KYC) Direction, 2016 on February 25, 2016.
In the backdrop of revision in KYC guidelines from time to time, Bank’s Policy on KYC-
AML is given a relook and the present revised comprehensive policy framework covering
KYC standards and AML Measures is framed for the year 2024-25 and is primarily based
on revised Master Direction- Know Your Customer (KYC) Direction, 2016 issued by RBI
and updated as on October 17, 2023 & KYC & AML Guidance notes for Banks issued by
IBA
The objective of the Policy is:
i. To prevent criminal elements from using the Bank for Money-Laundering
activities.

Classification: Internal Page 9 of 136
 KYC-Policy 2024-25
ii. To enable the Bank to know/ understand the customers and their
financial; dealings better, this in turn, would help the Bank to manage
Risks prudently.
iii. To put in place appropriate controls for detection and reporting of
suspicious activities in accordance with applicable laws/ laid down
procedures.
iv. To comply with applicable laws and regulatory guidelines.
v. To take necessary steps to ensure that the relevant staff are adequately
trained in KYC-AML Procedures.

*************

Classification: Internal Page 10 of 136
 KYC-Policy 2024-25

CHAPTER-I
PRELIMINARY
1. This revised “Know your Customer (KYC)” Policy will come into force
immediately from the date of its publication and is valid up to June 2025/ till
further instructions. All the Branches/ offices and field functionaries are
advised to comply these guidelines without any deviation.
2. Applicability
2.1. This policy is applicable to all the Branches within India.
2.2. This policy shall also apply to those Branches and majority owned subsidiaries
of the Bank which are located abroad, to the extent they are not contradictory
to the local laws in the host country, provided that
2.2.1. Where applicable laws and regulations prohibit implementation of these
guidelines, the same shall be intimated to Compliance Department which
in turn informs to Reserve Bank of India. RBI may advise further necessary
action by the Bank including application of additional measures to be
taken by the Bank to manage the ML/TF risks.
2.2.2. In case there is a variance in KYC/AML standards prescribed by the
Reserve Bank of India and the host country regulators, branches/
subsidiaries of Bank are required to adopt the more stringent regulation
of the two.
In this regard International Banking Department shall vet the KYC/AML policy of
overseas Branches/Subsidiaries/Correspondents before approval of the policy from
competent authority and if any deviations observed same shall be communicated to
Compliance department.
2.3. Based on this policy, each foreign office is required to put in place a duly
approved Anti Money-Laundering policy which shall also contain the KYC
guidelines and Suspicious Transactions Reporting (STR) procedures as may be
required by the rules and regulations of the host country.
2.4. The provision of the RBI’s MD on KYC, 2016 shall apply to every entity regulated
by RBI, more specifically as defined in 3.2.15, except where specifically
mentioned otherwise.

2.5. The policy shall apply to the following products of the Bank.

(i) Savings account
Classification: Internal Page 11 of 136
 KYC-Policy 2024-25

(ii) Current account

(iii) Term deposit account

(iv) Demat account
(v) Credit cards
(vi) Debit cards

(vii) Prepaid cards/gift cards

(viii) Remittances (including Wire transfers, TCs, Purchase/sale of Foreign
Exchange)
(ix) Loans and Advances

(x) Sale of Third- Party products like insurance, Mutual funds etc.
(xi) Correspondent banking relationships
(xii) Point of Sale (POS) terminals
(xiii) Sale of Bullion and Gold Coins
(xiv) Leasing of safe deposit vault (SDV) and Lockers

(xv) Any other product introduced by Bank from time to time requiring
customer identification.
3. Definitions
In this policy, unless the context otherwise requires, the terms here in shall bear
the meanings assigned to them below:
3.1. Terms bearing meaning assigned in terms of Prevention of Money-
Laundering Act, 2002 and the Prevention of Money-Laundering
(Maintenance of Records) Rules, 2005.
3.1.1. “Aadhaar number” shall have the meaning assigned to it in clause
(a) of section2 of the Aadhaar (Targeted Delivery of Financial and
Other subsidies, Benefits and Services) Act, 2016 (18 of 2016);
means an identification Number issued to individual under sub
section (3) of section 3 of afore said Act.

Classification: Internal Page 12 of 136
 KYC-Policy 2024-25

3.1.2. “Act” and “Rules” means the Prevention of Money-Laundering Act,
2002 and the Prevention of Money-Laundering (Maintenance of
Records) Rules, 2005, respectively and amendments thereto.
3.1.3. “Authentication” in the context of Aadhar authentication, means
the process by which the Aadhaar number along with demographic
information or biometric information of an individual is submitted
to the Central Identities Data Repository for its verification and
such Repository verifies the correctness, or the lack there of, on
the basis of information available with it.
3.1.4. Beneficial Owner (BO)
“Beneficial Owners shall mean the natural person who ultimately owns or
controls a client and/or the person on whose behalf a transaction is being
conducted and includes a person who exercises ultimate effective control over
a juridical person.”
The procedure for determination of the Beneficial Ownership shall be as under:
i. Where the customer is a company, the beneficial owner is the
natural person(s), who, whether acting alone or together, or through
one or more juridical persons, has/have a controlling ownership
interest or who exercise control through other means.
Explanation for the purpose of this sub-clause-
a. “Controlling ownership interest” means ownership
of/entitlement to more than 10 percent of the shares or capital
or profits of the company.
b. “Control” shall include the right to appoint majority of the
directors or to control the management or policy decisions
including by virtue of their shareholding or management rights
or shareholders agreements or voting agreements.
ii. Where the customer is a partnership firm, the beneficial owner is
the natural person(s), who, whether acting alone or together, or
through one or more juridical person, has/have ownership of
entitlement to more than 10 percent of capital or profits of the
partnership or who exercises control through other means.
Explanation- For the purpose of this sub-clause, “Control” shall
include the right to control the management or policy decision.
Classification: Internal Page 13 of 136
 KYC-Policy 2024-25
iii. Where the customer is an unincorporated association or body of
individuals, the beneficial owner is the natural person(s), who,
whether acting alone or together, or through one or more juridical
person, has/have ownership of/entitlement to more than 15
percent of the property or capital or profits of the unincorporated
association or body of individuals.
Explanation: Term ‘body of individuals’ includes societies. Where no
natural person is identified under (i), (ii) or (iii) above, the beneficial
owner is the relevant natural person who holds the position of senior
managing official.
iv. Where the customer is a trust, the identification of beneficial
owner(s) shall include identification of the author of the trust, the
trustee, the beneficiaries with 10 percent or more interest in the
trust and any other natural person exercising ultimate effective
control over the trust through a chain of control or ownership.
The concerned vertical in-charge of account opening process shall ensure
implementation of above guidelines and issue suitable SOP/Process for
identification of beneficial owner duly approved by competent authority.
3.1.5. “Certified Copy” - Obtaining a certified copy by the Bank shall mean
comparing the copy of the proof of possession of Aadhaar number where
offline verification cannot be carried out or officially valid document so
produced by the customer with the original and recording the same on
the copy by the authorised officer of the Bank as per the provisions
contained in the Act.
Provided that in case of Non-Resident Indians (NRIs) and Persons of Indian
Origin (PIOs), as defined in Foreign Exchange Management (Deposit)
Regulations, 2016 {FEMA 5(R)}, alternatively, the original certified copy,
certified by any one of the following, may be obtained:
a. authorised officials of overseas branches of Scheduled Commercial
Banks registered in India,
b. branches of overseas banks with whom Indian banks have
relationships,
c. Notary Public abroad,
d. Court Magistrate,
e. Judge,
Classification: Internal Page 14 of 136
 KYC-Policy 2024-25
f. Indian Embassy/Consulate General in the country where the non-
resident customer resides.
3.1.6. “Central KYC Records Registry” (CKYCR) means an entity defined under
Rule 2(1) of the Rules, to receive, store, safeguard and retrieve the KYC
records in digital form of a customer
3.1.7. “Designated Director" means a person designated by the Bank to ensure
overall compliance with the obligations imposed under chapter IV of the
PML Act and the Rules and shall include:
a. the Managing Director or a whole-time Director, duly
authorized by the Board of Directors.
Explanation - For the purpose of this clause, the terms "Managing
Director" and "Whole-time Director" shall have the meaning assigned to
them in the Companies Act, 2013.
In view of the above, Bank shall ensure nomination of a Designated
Director on Board to ensure compliance with the obligations under the
Prevention of Money Laundering (Amendment) Act, 2012 and the Name,
Designation and address of the Designated Director shall be
communicated to the Director, FIU-IND & RBI.
In no case ‘Principal Officer’ shall be nominated as the ‘Designated
Director’
3.1.8. “Digital KYC” means the capturing live photo of the customer and
officially valid document or the proof of possession of Aadhaar, where
offline verification cannot be carried out, along with the latitude and
longitude of the location where such live photo is being taken by an
authorised officer of the Bank as per the provisions contained in the Act.
3.1.9. “Digital Signature” shall have the same meaning as assigned to it in
clause (p) of sub-section (1) of section (2) of the Information Technology
Act, 2000 (21 of 2000).
3.1.10. “Equivalent e-document” means an electronic equivalent of a
document, issued by the issuing authority of such document with its valid
digital signature including documents issued to the digital locker account
of the client as per rule 9 of the Information Technology (Preservation
and Retention of Information by Intermediaries Providing Digital Locker
Facilities) Rules, 2016.

Classification: Internal Page 15 of 136
 KYC-Policy 2024-25
3.1.11. “Group”- The term Group shall have the same meaning assigned to it in
clause of sub-section (9) of section 286 of the Income-tax Act, 1961 (43
of 1961) i.e.,
“Group” Includes a parent entity and all the entities in respect of which,
for the reason of ownership or control a consolidated financial statement
for financial reporting process –––
a. is required to be prepared under any law for the time being in
force or the accounting standards of the country or territory of
which the parent entity is resident: or
b. Would have been required to be prepared had the equity shares,
of any of the enterprises were listed on a stock exchange in the
country or territory of which the parent entity is resident.
3.1.12. “Know Your Client (KYC) Identifier” means the unique number or code
assigned to a customer by the Central KYC Records Registry.
3.1.13. “Non-profit organization” (NPO) means any entity or organization
constituted for religious or charitable purposes referred to in clause (15)
of section 2 of the Income tax Act, 1961 (43 of 1961), that is registered
as a trust or a society under the Societies Registration Act, 1860 or any
similar State legislation or a company registered under Section 8 of the
Companies Act, 2013 (18 of 2013).
3.1.14. “Officially Valid Document” (OVD) means the passport, the driving
license, proof of possession of Aadhaar number, the Voter’s Identity Card
issued by Election Commission of India, job card issued by NREGA duly
signed by an officer of the State Government and letter issued by the
National Population Register containing details of name and address.
Provided that,
(i) Where the Customer submits his/her proof of possession of Aadhaar
number as an Officially Valid Document, he/she may submit it in such
form as are issued by the Unique Identification Authority of India.
(ii) Where Officially Valid Document (OVD), furnished by the customer
does not have updated address, the following documents or the
equivalent e-documents thereof shall be deemed to be Officially
Valid Documents for the limited purpose of proof of address: -

Classification: Internal Page 16 of 136
 KYC-Policy 2024-25
a. Utility bill which is not more than two months old of any service
provider (electricity, telephone, post-paid mobile phone, piped
gas, water bill);
b. Property or Municipal tax receipt.
c. Pension or family pension payment orders (PPOs) issued to retired
employees by Government Departments or Public Sector
Undertaking if they contain the address.
d. Letter of allotment of accommodation from employer issued by
State Government or Central Government Departments, statutory
or regulatory bodies, public sector undertakings, scheduled
commercial banks, financial institutions and listed companies and
leave and license agreements with such employers allotting
official accommodation
(iii) The customer shall submit OVD with current address within a period
of three months of submitting the documents specified at ‘b’ above.
(iv) Where the OVD submitted by a foreign national does not contain the
details of address, in such case the documents issued by the
Government departments of foreign jurisdictions and letter issued by
the Foreign Embassy or Mission in India shall be accepted as proof of
address.
Explanation: For the purpose of this clause, a document shall also be
deemed to be an OVD even if there is a change in the name
subsequent to its issuance provided it is supported by a marriage
certificate issued by the State Government or Gazette notification,
indicating such a change of name.
3.1.15. “Offline Verification” shall have the same meaning as assigned to it
in clause (pa) of Section 2 of the Aadhaar (Targeted Delivery of
Financial and Other Subsidies, Benefits and Services) Act, 2016 (18 of
2016), wherein the process of verifying the identity of the Aadhaar
number holder without authentication, through such offline modes as
may be specified by the Aadhaar regulations.
3.1.16. “Person” has the same meaning assigned in the Act and includes:
(i) An individual,
(ii) A Hindu undivided family,

Classification: Internal Page 17 of 136
 KYC-Policy 2024-25
(iii) A company,
(iv) A firm,
(v) An association of persons or a body of individuals, whether
incorporated or not
(vi) Every artificial juridical person, not falling within any one of
the above persons (i to v), and
(vii) Any agency, office or branch owned or controlled by any one of
the above persons (i to vi)
3.1.17. “Principal Officer” (PO) means management level Officer nominated
by the Bank, responsible for furnishing information as per rule 8 of the
Rules (PMLA 2005).
3.1.18. “Suspicious transaction” means a “transaction” as defined below,
including an attempted transaction, whether or not made in cash,
which, to a person acting in good faith.
(i) Gives rise to a reasonable ground of suspicion that it may
involve proceeds of an offence specified in the Schedule to the
Act, regardless of the value involved; or
(ii) appears to be made in circumstances of unusual or unjustified
complexity; or
(iii) appears to not have economic rationale or bona-fide purpose;
or
(iv) gives rise to a reasonable ground of suspicion that it may
involve financing or the activities relating to terrorism
Explanation: Transaction involving financing of the activities
relating to terrorism includes transaction involving funds
suspected to be linked or related to, or to be used for
terrorism, terrorism acts or by a terrorist, terrorist organization
or those who finance or are attempting to finance terrorism.
3.1.19. A “small account” means a savings account which is opened in terms
of sub rule (5) of rule 9 of the PML Rules, 2005. Details of the operation
of a small account and controls to be exercised for such account are
specified in section 27.
3.1.20. “Transaction” means, a purchase, sale, loan, pledge, gift, transfer,
delivery, or the arrangement thereof and includes
Classification: Internal Page 18 of 136
 KYC-Policy 2024-25
(i) opening of an account.
(ii) deposits, withdrawal, exchange, or transfer of funds in
whatever currency, whether in cash or by cheque, payment
order or other instruments or by electronic or other non-
physical means.
(iii) the usage of a safety deposit box or any other form of safe
deposit.
(iv) entering into any fiduciary relationship
(v) any payment made or received, in whole or part, for any
contractual or other legal obligation; or
(vi) establishing or creating a legal person or legal arrangement
3.1.21. “Money-Laundering”: Section 3 of the Prevention of Money Laundering
(PML) Act, 2002 has defined the offence of money laundering as
whosoever directly or indirectly attempts to indulge or knowingly
assists or knowingly is a party or is actually involved in any process or
activity connected with the proceeds of crime and projecting it as
untainted property shall be guilty of offence of money laundering.
Money launderers use the banking system for cleansing dirty money
obtained from criminal activities with the objective of hiding/
disguising it source. The process of money laundering involves creating
a web of financial transactions so as to hide the origin and true nature
of these funds.
For the purpose of this document, the term money laundering would
also cover financial transactions where the end use of funds goes for
terrorist financing, irrespective of the source of the funds.
3.2. Terms bearing meaning assigned in this Policy, unless the context otherwise
requires, shall bear the meanings assigned to them below:
3.2.1. “Common Reporting Standards” (CRS) means reporting standards set
for implementation of multilateral agreement signed to automatically
exchange information based on Article 6 of the Convention on Mutual
Administrative Assistance in Tax Matters (MAAT).
3.2.2. Correspondent Banking is the provision of banking services by one bank
(the “correspondent bank”) to another bank (the “respondent bank”).
Respondent banks may be provided with wide range of services,
including cash management, (e.g., interest – bearing accounts in a
Classification: Internal Page 19 of 136
 KYC-Policy 2024-25
variety of currencies), international wire transfers, cheque clearing,
payable through accounts and foreign exchange services.
3.2.3. “Customer” means a person who is engaged in a financial transaction
or activity with the Bank and includes a person on whose behalf the
person who is engaged in the transaction or activity, is acting.
3.2.4. “Walk-in Customer” means a person who does not have an account-
based relationship with the bank but undertakes transactions with bank.
3.2.5. “Customer Due Diligence” means identifying and verifying the
customer and the beneficial owner using reliable and independent
sources of identification.
Explanation- The CDD, at the time of commencement of an account-
based relationship or while carrying out occasional transaction of an
amount equal to or exceeding rupees fifty thousand, whether conducted
as a single transaction or several transactions that appear to be
connected, or any international money transfer operations, shall
include:
(i) Identification of the customer, Verification of their identity
Using reliable and independent sources of identification,
obtaining information on the purpose, and intended nature of
the business relationship, where applicable.
(ii) Taking reasonable steps to understand the nature of the
customers business and its ownership and control.
(iii) Determining whether a customer is acting on behalf of a
beneficial owner and identifying the beneficial owner and taking
all steps to verify the identity of the beneficial owner, using
reliable and independent sources of identification.
3.2.6. “Customer identification” means undertaking the process of CDD.
3.2.7. “Enhanced Due Diligence (EDD)” means any additional measures
undertaken over and above basic CDD can be termed as enhanced due
diligence.
3.2.8. “FATCA.” means Foreign Account Tax Compliance Act of the United
States of America (USA) Which, inter alia requires foreign financial
institutions to report about financial accounts held by U.S Taxpayers or
foreign entities in which U.S. Taxpayers hold an ownership interest.

Classification: Internal Page 20 of 136
 KYC-Policy 2024-25
3.2.9. “IGA” means Inter Governmental Agreement between the Governments
of India and the USA to improve the international tax compliance and to
implement FATCA of the USA.
3.2.10. “KYC Template" means templates prepared to facilitate collating and
reporting the KYC data to the CKYCR, for individuals and legal entities.
3.2.11. “Non face to face customers" means customers who open accounts
without visiting the branch/ Offices of the bank are meeting the official
of the bank.
3.2.12. “On-going Due Diligence” means regular monitoring of transactions in
accounts to ensure that those are consistent with bank’s knowledge
about the customers, customer’s business and risk profile, the source of
funds/ wealth.
3.2.13. “Payable through accounts” The term Payable through Accounts refers
to correspondent accounts that are used directly by third parties to
transact business on their own behalf.
3.2.14. “Periodic updation” means steps taken to ensure that documents,
data, or information collected under the CD process is kept up to date
and relevant by undertaking reviews of existing records at periodicity
prescribed by the Reserve Bank.
3.2.15. “Regulated entities” (REs) means:
(i) All Scheduled Commercial Banks (SCBs)/ Regional Rural Banks
(RRBs)/ Local Area Banks (LABs)/ All Primary (Urban) Co-
operative Banks (UCBs) /State and Central Co-operative Banks
(StCBs / CCBs) and any other entity which has been licensed
under Section 22 of Banking Regulation Act, 1949, which as a
group shall be referred as ‘banks’
(ii) All India Financial Institutions (AIFIs)
(iii) All Non-Banking Finance Companies (NBFCs), Miscellaneous Non-
Banking Companies (MNBCs) and Residuary Non-Banking
Companies (RNBCs).
(iv) Asset Reconstruction Companies (ARCs)
(v) All Payment System Providers (PSPs)/ System Participants (SPs)
and Prepaid Payment Instrument Issuers (PPI Issuers)

Classification: Internal Page 21 of 136
 KYC-Policy 2024-25
(vi) All authorised persons (APs) including those who are agents of
Money Transfer Service Scheme (MTSS), regulated by the
Regulator.
The concerned verticals which oversee these entities shall ensure
compliance of KYC-AML regulatory guidelines.
3.2.16. “Shell Bank” means a bank that has no physical presence in the country
in which it is incorporated and licensed, and which is unaffiliated with
a regulated Financial Group that is subject to effective consolidated
supervision. Physical presence means meaningful mind and management
located within a country. The existence simply of a local agent or low-
level staff does not constitute physical presence.
3.2.17. “Shell company” means company which is incorporated in a country
where it has no physical presence
3.2.18. “Video based customer identification process(V-CIP)”: An alternate
method of customer identification with facial recognition and customer
due diligence by an authorised official of the Bank by undertaking
seamless, secure, live, informed- consent based audio-visual interaction
with the customer to obtain identification information required for CDD
purpose and to ascertain the veracity of the information furnished by
the customer through independent verification and maintaining audit
trail of the process. Such process complying with prescribed standards
and procedures shall be treated on par with face-to-face PC IP for the
purpose of this. Policy.
3.2.19. Wire Transfer related definitions:
(i) Batch Transfer is a transfer comprised of individual wire transfers
that are being sent to the same financial institutions but may /may
not be ultimately intended for different persons.
(ii) Beneficiary refers to a natural or legal person or legal
arrangement who/which is identified by the originator as the
receiver of the requested wire transfer.
(iii) Beneficiary Bank: it refers to a financial institution, regulated by
the RBI, which receives the wire transfer from the ordering
financial institution directly or through an intermediary RE and
makes the funds available to the beneficiary.

Classification: Internal Page 22 of 136
 KYC-Policy 2024-25
(iv) Cover payment refers to a wire transfer that combines a payment
message sent directly by the ordering financial institution to the
beneficiary financial institution with the routing of the funding
instruction (the cover) from the ordering financial institution to
the beneficiary financial institution through one or more
intermediary financial institutions.
(v) Cross- border wire transfer refers to any wire transfer where the
ordering financial institution and beneficiary financial institution
are located in different countries. This term also refers to any
chain of wire transfer in which at least one of the financial
institutions involved is located in a different country.
(vi) Domestic wire transfer refers to any white transfer where the
ordering financial institution and beneficiary financial institution
are located in India. This term therefore refers to any chain of
wire transfer that takes place entirely within the borders of India,
even though the system used to transfer the payment message
may be located in another country.
(vii) Financial Institution: in the context of wire-transfer instructions,
the term financial institution shall have the same meaning as has
been ascribed to it in the FATF recommendations, as revised from
time to time.
(viii) Intermediary Bank refers to a financial institution or any other
entity, regulated by the RBI, which handles an intermediary
element of the wire transfer, in a serial or cover payment chain
and that receives and transmits a while transfer on behalf of the
ordering financial institution and the beneficiary financial
institution or another intermediary financial institution.
(ix) Ordering Bank refers to the financial institution, regulated by the
RBI, which initiates the wire transfer and transfer the funds upon
receiving the request for a wire transfer on behalf of the
originator.
(x) Originator refers to the account holder who allows the wire
transfer from that account, or where there is no account, the
natural or legal person that places the order with the ordering
financial institution to perform the wire transfer.

Classification: Internal Page 23 of 136
 KYC-Policy 2024-25
(xi) Serial payment refers to a direct, sequential chain of payment
where the wire transfer and accompanying payment message
travel together from the ordering financial institution to the
beneficiary financial institution directly or through one or more
intermediary financial institutions. (e.g., correspondent banks.)
(xii) Straight-through processing refers to payment transactions that
are conducted electronically, without the need for manual
intervention.
(xiii) Unique transaction reference number refers to a combination of
letters, numbers, or symbols determined by the payment service
provider in accordance with the protocols of the payment and
settlement system or messaging system used for the wire transfer.
(xiv) Wire transfer refers to any transaction carried out on behalf of an
originator through a financial institution by electronic means with
a view to making an amount of funds available to a beneficiary at
a beneficiary financial institution, irrespective of whether the
originator and the beneficiary or the same person.
3.2.20. “KYC- B” means know your customer’s nature of business and the
inflows/ outflows associated with that business.
3.2.21. “KYC-BR” means know your customers business risk.
3.2.22. All other expressions, unless defined here in, shall have the same
meaning as have been assigned to them under the Banking Regulation
Act, 1949, the Reserve Bank of India Act, 1935, the Prevention of Money
Laundering Act, 2002, the Prevention of Money Laundering
(Maintenance of Records) Rules, 2005, the Aadhaar (Targeted Delivery
of Financial and Other Subsidies, Benefits and Services) Act, 2016 and
regulations made thereunder, any statutory modification or re-
enactment there to or as used in commercial parlance, as the case may
be.

Classification: Internal Page 24 of 136
 KYC-Policy 2024-25

CHAPTER-II
General
4. “Know Your Customer (KYC)” policy -RBI Master Directions:
4.1. Bank is implementing its KYC Policy in compliance to the Clause 4 (a) of RBI’s
Master Direction - Know Your Customer (KYC) Direction, 2016(updated from
time to time, latest as on 17-10-2023)
4.2. In terms of PMLA rule, groups are required to implement group wide policies for
the purpose of discharging obligations under the provisions of Chapter IV of the
PML Act, 2002. (15 of 2003). Accordingly, Union Bank of India which is a part of
a group shall implement group wide programmes against money laundering, on
terror financing, including group- wide Policies for sharing Information required
for the Purpose of the client, Due Diligence and Money-Laundering and Terror
Finance, risk management and such programmes shall include adequate
safeguards on the confidentiality and use of information exchanged, including
safeguard to prevent tipping off.
In compliance to this direction all the foreign Branches/ offices/
subsidiaries are requested to share the information as per PMLA
Chapter IV to AML-CFT Division, TM & FM Department.
4.3. Bank’s policy framework should seek to ensure compliance with PML Act/Rules
including regulatory instructions in this regard and should provide a bulwark
against threats arising from money laundering, terrorist financing, proliferation
financing and other related risks. While ensuring compliance of the legal/
regulatory requirements as above, Bank may also consider adoption of best
international practices taking into account the FATF standards and FATF
guidance notes for managing risks better.
5. The KYC policy shall include following four key elements:
(i) Customer acceptance policy
(ii) Risk management.
(iii) Customer Identification Procedures (CIP). and
(iv) Monitoring of transactions.
5A. Money Laundering and Terrorist Financing Risk Assessment by the Bank:
I. Bank shall carry out ‘Money-Laundering (ML) and Terrorist Finance (TF) Risk
Assessment’ exercise annually to identify, assess and take effective measures to

Classification: Internal Page 25 of 136
 KYC-Policy 2024-25
mitigate its money laundering and terrorist financing risk for customers,
countries or geographic area, products, services, transactions, or delivery
channels etc.,
The assessment process should consider all the relevant risk factors before
determining the level of overall risk and the appropriate level and type of
mitigation to be applied. While preparing the internal risk assessment, Bank shall
take cognizance of the overall sector-specific vulnerabilities, if any, that the
regulator/supervisor may share with the Bank from time to time.
II. The Risk assessment by the Bank shall be properly documented and be
proportionate to the nature, size, geographical presence, complexity of
activities/structure, etc. of the Bank. Further, the periodicity of risk assessment
exercise shall be determined by the ORMC/Board or any committee of the Board
of the Bank to which the power in this regard has been delegated, in alignment
with the outcome of the risk assessment exercise. However, it should be
reviewed at least annually.
III. The outcome of the exercise shall be put up to the Board or any committee of
the Board to which power in this regard has been delegated and should be
available to competent authorities and self-regulating bodies.
5B. Risk Mitigation and Management:
I. Bank shall apply a Risk Based Approach (RBA) for mitigation and management of
the risks (identified on their own or through national risk assessment) and should
have Board approved policies, controls, and procedures in this regard.
II. Bank shall implement a CDD programme, having regard to the ML/TF risks
identified and the size of business. Further Bank shall monitor the
implementation of the controls and enhance them if necessary.
III. For effective implementation of ML/TF risk assessment, Operational Risk
Management Cell, Risk Management Department, shall conduct ML/TF risk
assessment and committee meeting on yearly basis not later than 30th June every
year for previous financial year.
Operation, compliance, DFB, TM&FM, RMD and Central Audit and Inspection
Departments are the committee members. Four members quorum including RMD
is mandatory for the committee meeting. Outcome of the aforesaid risk
assessment shall be placed before ‘ORMC’ or the Board and Action Taken Report
shall be sought from respective verticals for compliance.

Classification: Internal Page 26 of 136
 KYC-Policy 2024-25
IV. To assess Money Laundering / Terrorist Financing (ML/TF) Internal Risk
Assessment as per Score card template developed by RMD from time to time,
taking into consideration parameters suggested by RBI & IBA guidance note on
the subject (Chapter IV).
6. Designated Director:
6.1. A “Designated Director” means a person designated by the Bank to ensure
overall Compliance with the obligations imposed under Chapter IV of the PML
Act and the Rules and shall nominated by the Board. Bank has designated one
of the “Executive Director” as Designated Director.
6.2. The name, Designation and address of the Designated Director shall be
communicated to FIU-IND.
6.3. Further the name, designation, address and contact details of the Designated
Director shall also be communicated to the RBI.
6.4. In no case Principal Officer shall be nominated as ‘Designated Director’
7. Principal Officer:
7.1. The Principal Officer shall be responsible for ensuring compliance, monitoring
transactions, and sharing and reporting information as required under the
law/regulations.
7.2. Management level officer at AML-CFT Division, TM &FM Department (AGM/DGM)
shall be appointed as Principal officer by the Bank.
7.3. The name, designation and address of the Principal Officer shall be
communicated to the FIU-India
7.4. Further the name, designation, and address and contact details of the Principal
Officer shall also be communicated to the RBI.
8. Compliance of KYC policy:
8.1. Bank shall ensure compliance with KYC policy through:
8.1.1. ‘Senior Management’ for the purpose of KYC policy compliance means,
Chief General Manager/ General Manager of respective
business/operation verticals and Field General Managers & Regional
Heads.
8.1.2. Allocation of responsibility for effective implementation of policies and
procedures.

Classification: Internal Page 27 of 136
 KYC-Policy 2024-25
8.1.3. Independent evaluation of the compliance functions of Bank’s policies
and procedures, including legal and regulatory requirements.
8.1.4. Concurrent/internal audit/ Management Audit system to verify the
compliance with KYC/AML policies and procedures
8.1.5. Submission of quarterly audit notes and compliance to the Audit
Committee
8.1.6. Deploying Decoy Customer for surprise checking of level of adherence to
KYC norms at branch level.
8.2. Bank shall ensure that decision -making functions of determining compliance
with KYC norms are not outsourced.

Classification: Internal Page 28 of 136
 KYC-Policy 2024-25

CHAPTER-III
Customer Acceptance Policy
9. Bank has put in place a Customer Acceptance Policy (CAP) in compliance to the
clause-9 of the RBIs Master Direction-Know your Customer (KYC) Direction, 2016.
10. Without prejudice to the generality of the aspect that Customer Acceptance Policy
may contain, Bank shall ensure that
(i) No account shall be opened in anonymous or fictitious/ benami name(s).
(ii) No account is opened or close an existing account where the Bank is unable
to apply appropriate CDD measures. i.e., the Bank is unable to verify the
identity and/or obtain documents required as per the risk categorisation
either due to non-cooperation of the customer or non- reliability of the
documents/information furnished by the customer.
❖ The Bank shall consider filing an STR, if necessary, when it is unable
to comply with the relevant CDD measures in relation to the
customer.
(iii) No transaction or account- based relationship is undertaken without
following the CDD procedure.
(iv) The mandatory information to be sought for KYC purpose while opening an
account and during the periodic updation is specified.
❖ In compliance to this clause the documents mentioned in Annexure-I
are to be obtained while opening the account and periodic updation.
(v) Additional information where such information requirement has not been
specified in this KYC policy of the bank, is obtained with the explicit consent
of the customer.
(vi) Bank shall apply the CDD procedure at the UCIC level. Thus, if an existing
KYC compliant customer of the Bank desires to open another account within
the same Branch or other Branch of the Bank, there shall be no need for a
fresh CDD exercise.
(vii) CDD procedure shall be followed for all the joint account holders, while
opening a joint account.
(viii) Circumstances in which, a customer is permitted to act on behalf of another
person/entity, is clearly spelled out.

Classification: Internal Page 29 of 136
 KYC-Policy 2024-25
(ix) Suitable system is put in place to ensure that the identity of the customer
does not match with any person or entity, whose name appears in the
sanctions lists indicated in Chapter IX of this Policy.
(x) Where Permanent Account Number (PAN) is obtained, the same shall be
verified from the verification facility of the issuing authority.
(xi) Where an equivalent e-document is obtained from the customer, Bank shall
verify the digital signature as per the provisions of the Information
Technology Act, 2000 (21 of 2000).
(xii) Where Goods and Services Tax (GST) details are available, the GST number
shall be verified from the Search/Verification facility of the issuing
authority.
(xiii) Where a customer is permitted to act on behalf of another person / entity
in conformity with the established law and practice of banking as there could
be occasions when an account is operated by a mandate holder or where an
account is opened by an intermediary in fiduciary capacity. In such cases
KYC checks shall also be performed on the beneficial owners and mandate
holder, as the case may be.
11. While implementing the KYC-AML Policy, the bank shall ensure that the Customer
Acceptance Policy (CAP) does not become too restrictive and result in the denial of
banking services to the general public, especially to those who are financially or
socially disadvantaged.
12. Where Bank forms a suspicion of money-Laundering or terrorist financing, and it
reasonably believes that performing CDD process will tip-off the customer, it shall
not purse the CDD process, and instead file an STR with FIU-IND.
13. Profile creation for new customer:
(i) The Bank shall prepare a profile for each new customer based on risk
categorization.
(ii) The customer profile will contain information relating to customer’s
identity, social/financial status, nature of business activity,
information about his clients’ business and their location etc.
(iii) The nature and extent of due diligence will depend on the risk
perceived by the Bank. However, while preparing the customer profile
due care shall be taken to seek only such information from the
customer, which is relevant to the risk category and is not intrusive.

Classification: Internal Page 30 of 136
 KYC-Policy 2024-25
(iv) The ‘mandatory’ information required for KYC purpose shall be
obtained at the time of opening the account and during periodic
updation but ‘optional’ customer details, if required may be obtained
separately after the account is opened, only with the explicit consent
of the customer.
(v) The customer profile is a confidential document and details contained
therein shall not be divulged for cross selling or any other purposes
without the express permission of the customer.

Classification: Internal Page 31 of 136
 KYC-Policy 2024-25

CHAPTER-IV
RISK MANAGEMENT
14. Background:
Rule 9 (13) of the PMLR requires Bank to carry out risk assessment to identify, assess
and take effective measures to mitigate its money laundering and terrorist financing
risk for customers, countries or geographic areas, and products, services,
transactions or delivery channels that is consistent with any national risk
assessment conducted by a body or authority duly notified by the Central
Government. In terms of KYC Directions of RBI, bank should adhere to the following
norms in respect of the risk assessment exercise:
(i) To consider all the relevant risk factors
(ii) Take cognizance of the overall sector-specific vulnerabilities advised by
the regulator
(iii) To determine the level of overall risk
(iv) To determine the level and type of mitigation to be applied
(v) To be proportionate to the nature, size, geographical presence, complexity
of activities/structure, etc. of the Bank.
(vi) To be undertaken at a periodicity decided by the Board considering the
outcome of the assessment, to be at least annually
(vii) To be properly documented and put up to the Board or any committee of
the Board
(viii) To be made available to RBI and FIU-IND when asked for
(ix) To adopt risk-based approach for mitigating and managing identified risks
(x) To put in place Board approved policies, controls and procedures in this
regard
(xi) To monitor implementation of controls and enhance them, if required.
15. Risk Based Approach:
RBI Directions also stipulate that bank should follow a ‘risk-based approach’ for
mitigation and management of the identified ML/TF risk. It has also prescribed
certain measures like periodic updation, customer due diligence to be varied as per
customer risk category.

Classification: Internal Page 32 of 136
 KYC-Policy 2024-25
Risk-Based Approach (RBA) is the fundamental principle for adherence to FATF
Recommendations. The objective is that the efforts yield effective results in
mitigating ML/TF risks. The RBA therefore should be the cornerstone of a bank’s
AML program. Fundamental to RBA is the ML/TF risk assessment, which as a starting
point, enables a firm to identify, understand and assess the ML/TF risks to which it
is exposed. These identified risks are then prioritised and mitigated or managed by
the bank, directing resources and controls first to the highest risk identified in line
with RBA
16. Enterprise-Wide Risk Assessment (EWRA):
An Enterprise-Wide Risk Assessment (EWRA) is conducted across the bank to
understand and assess the total ML/TF risks faced by it. Wolfsberg Group guidelines
contained in its ‘Frequently Asked Questions on Risk Assessments for Money
Laundering, Sanctions and Bribery & Corruption (2015)’ are very useful to bank for
undertaking ML/TF risk assessment.
16.1. Inherent Risk and Residual Risk:
Pre-requisites for risk assessment are understanding the nature of risk,
identification of sources of risk and gauging the level of risk for each source.
Risk can be looked at from two perspectives: one, the risk faced from a source
without any mitigating measure viz. Inherent Risk, and two, the risk that
persists even after mitigating measures viz. Residual Risk. The differential
between the Inherent Risk and the Residual Risk reflects the effectiveness of
controls i.e., mitigating measures. What ultimately impacts a bank is the
Residual Risk, however a better appreciation of risk is attained by assessing
risk in three stages, viz.
(i) Assessing inherent risk
(ii) Gauging control effectiveness
(iii) Determining residual risk
16.2. Sources of Risk:
It will be noticed that essentially ML/TF risks manifest through business
transactions, and emanate from following elements connected with a business
activity and related transactions:
(i) Clients
(ii) Products/ Services
(iii) Geography/ Countries

Classification: Internal Page 33 of 136
 KYC-Policy 2024-25
(iv) Delivery Channels
(v) Transactions
There are several risk factors associated with each of these elements that
need to be considered for assessment of inherent risk associated with these.
These risk factors are briefly discussed here.
(i) Clients – The primary source of ML/TF risk for a bank is its clients. Assessment
of inherent risk of a bank or any business division, unit, or business line,
requires assessing its client base and business relationship. Major risk factors
for clients are: Activity, Constitution, Financial Status, Social Status, Turnover
and Linkages. These factors can be used to stratify the client base into different
categories and to identify aspects of client risk.
(ii) Products and Services – Various types of products/ services carry different
level of risk. The major risk factors related to products are: purpose of product,
mode of transactions, nature of restrictions, nature of relationship, range of
values, geographical linkages. Banks could identify its portfolio of main
products/ account types and assign an inherent score (for example, low,
moderate, high or higher) to each, based on its general inherent characteristics
and the degree of money laundering risk present. For example, international
wires, payable-through accounts, or international private banking, etc. could
be considered as high-risk products. For a business division, unit or business
line in question, the data on volume of products/ account types, and associated
account balances and/ or turnover may be determined. Based on this, the risk
wise distribution of business under each business division, unit or business line
is arrived at.
Before rolling out a new product or service, banks should undertake its ML/TF risk
assessment to ensure adequate internal controls are incorporated to mitigate
the assessed risk. The risk category and the mitigating measures should be a
part of the product paper.
(iii) Geography/ Country - Identifying geographic locations that may pose a higher
risk is a core component of any inherent risk assessment and the business
division, unit or business line will seek to understand and evaluate the specific
risks associated with geographic locations relevant for their activities. The
Geography/ Country risk may also be analysed with respect to the location of
a bank’s business division, unit, including its subsidiaries, affiliates, and
offices, both global and domestic. This provides the geographic footprint of a
bank. This element has relevance for clients too. A bank may identify the
number of its clients within each country, in respect of all or some of the
Classification: Internal Page 34 of 136
 KYC-Policy 2024-25
following: country of domicile, incorporation or nationality. In order to map
geographies/ countries into different risk ratings, a bank’s own country risk
model or equivalent third-party vendor product may be used. Risk factors
relevant for a country/ geography are: Political System, Social Environment,
Regulatory Regime, FATF monitoring, UN/ Other sanctions, and Geographical
location.
(iv) Channels - Some delivery channels/ servicing methods may pose increased ML
risk because it may result in the division, unit or business line not truly knowing
or understanding the identity and activities of the client using it. Consequently,
it should be assessed whether, and to what extent, the method of account
origination or account servicing, such as non- face-to-face account opening or
the involvement of third parties, including intermediaries, could increase the
inherent ML risk. Another factor that affects channel risk is the geographies
served by the channel. Business volume analysis of the channels can determine
risk wise distribution for a business division, unit, or business line.
(v) Transactions – Two key aspects related to nature of transactions viz. mode of
transaction (in cash or other modes), and whether inland or cross-border have
direct impact on risk level of a transaction. Besides, various aspects for other
elements as discussed above also influence the risk level. There is thus some
degree of overlap when considering various factors when considering
transactions, and other elements. This aspect should be consciously taken into
account.
16.3. Assessing Inherent Risk
Risk assessment should cover all business activities of a bank, but given
complexity of banking business, it may be undertaken distinctly for different
business lines, units, divisions, etc. The exercise would include various sources
and related factors discussed above.
16.4. Gauging Effectiveness of Controls
Effectiveness of the controls in place should be gauged to determine the extent
to which these result in mitigating the inherent risk. The controls operate at
different levels viz. business policies, business practices, operating systems,
control mechanisms, etc. Evaluating control effectiveness for various elements
separately and for factoring distinctly for each element may provide a better
picture for further actions. One modality used for this purpose is undertaking
a self-assessment by different business units for each element covering all
controls in place.

Classification: Internal Page 35 of 136
 KYC-Policy 2024-25
16.5. Determining Residual Risk:
Finally, for each element inherent risk is modulated by the corresponding
control effectiveness to ascertain the residual risk. This would become the basis
to decide whether or not the residual risk is within the risk appetite of the
bank, whether any further control measures are needed, and if so, the nature
of controls, and the points of controls.
The final residual risk map of the enterprise would also throw up high risk areas
of the bank’s business activities and enable it to focus its AML/ CFT efforts on
those areas.
16.6. Risk Measurement
Risk assessment is predominantly a qualitative exercise, especially so as most
of the input data is also qualitative in nature. The typical method involves using
– Risk Scores and Weights and adopting weighted average method. Using Risk
Scores facilitates clearer distinction of different levels, aggregating effect of
constituent factors, etc. Importance of various risk factors is of differing level
that can be factored in by assigning Weight to each factor. In the weighted
average method, each parameter is assigned a ‘risk score’ and a ‘weight’ is
attached to the parameter depending upon its accuracy and criticality to the
overall risk. Weights should be carefully decided taking care that they do not
result in undue overemphasis of any factor or elimination of high-risk category
and are not influenced by business or profit considerations. There is a need to
ensure that while assigning risk score and weight to various parameters, critical
and more accurate parameters are given their due weightage. The output
weighted score is compared to a final scale to determine the final ‘risk level’.
16.7. Other Aspects:
Several other factors especially significant changes in the bank’s business, the
banking sector activities, the technological developments may affect inherent
risk. Such and other qualitative factors may also be factored in. These could
include IT systems changes, business growth aspects, business diversification/
divestments, etc.
Banks are submitting to RBI detailed periodical data related to AML/KYC risks.
Considering that this data covers the entire spectrum of the bank’s business
and is in highly analytical form, banks may consider using the same for their
own risk assessment exercise.
Modalities of enterprise risk assessment vary widely for different banks
depending on their business activities, size of business, geographical spread,
Classification: Internal Page 36 of 136
 KYC-Policy 2024-25
and customer composition. In its simplest form a bank may adopt simple risk
assessment model based entirely on qualitative factors and risk descriptions.
Certain banks may develop excel templates using score-based model that may
incorporate both qualitative and quantitative factors. Larger banks with
complex business activities may adopt risk assessment software applications
with sophisticated models. A bank may evolve and adopt its own model that
would be apt for it.
17. Regulatory Requirements
RBI Has stipulated certain broad norms to be followed by banks in respect of
ML/TF risk assessment. These are briefly enumerated below.
(i) To be carried out at a periodicity determined by the Board, but at least
annually.
(ii) To consider all the relevant risk factors for assessment.
(iii) To determine overall risk level and appropriate level and type of
mitigation required.
(iv) To take cognizance of sector-specific vulnerabilities advised by the
regulator/ supervisor.
(v) To be proportionate to nature, size, geographical presence,
complexity of activities/structure, etc. of the Bank.
(vi) To be documented, and the outcome to be placed before the Board/
its committee and provided to the competent authorities and
regulating bodies.
(vii) To apply risk-based approach for mitigation/ management of
identified risks.
(viii) To have Board approved policies, controls, and procedures for this
purpose.
(ix) To monitor the controls and take enhancement measures, where
needed.
18. Risk management
For risk management Bank shall have risk-based approach which includes the
following:
(i) Customer Risk Categorisation (CRC)
(ii) Broad principles for customer risk categorisation.
Classification: Internal Page 37 of 136
 KYC-Policy 2024-25
(iii) Risk categorization shall be undertaken based on parameters such as
customer’s identity, social/financial status, nature of business activity,
and information about the customer’s business and their location,
geographical risk covering customers as well as transactions, type of
products/services offered, delivery channel used for delivery of
products/services, types of transaction undertaken – cash,
cheque/monetary instruments, wire transfers, forex transactions, etc.
While considering customer’s identity, the ability to confirm identity
documents through online or other services offered by issuing authorities
may also be factored in.
(iv) The risk categorization of a customer and the specific reasons for such
categorization shall be kept confidential and shall not be revealed to the
customer to avoid tipping off the customer
Provided that various other information collected from different categories of
customers relating to the perceived risk, is non-intrusive and the same is specified
in the KYC policy.
Explanation: FATF Public statement, the reports and guidance notes on KYC/AML
issued by the Indian Banks Association (IBA) and other agencies etc., may also be
used in risk assessment.
18.1. Customer Risk Categorisation (CRC)
As per RBI directions customers are to be categorized as low, medium, and
high-risk category. This has become the basis for adoption of Risk Based
Approach.
(i) What is Customer Risk?
Customer risk in the present context refers to the ML/TF risk
exposure of a bank emanating from a particular customer.
Customer risk may be gauged based on the risk perceptions
associated with the parameters comprising the customer’s
profile, and the level of risk associated with the products or
services, and channels used by him/ her.
(ii) Need for Customer Risk Categorisation
Extant RBI Directions require banks to have differential due
diligence and monitoring standards for its customers based on the
perception of the bank of the risk category of the customers.
Certain regulatory norms contain differentiated prescriptions

Classification: Internal Page 38 of 136
 KYC-Policy 2024-25
based on risk category, especially for periodic updation of KYC
data, and customer profile contents.
Considering that banks have over the years gained experience and
expertise in profiling their customers, RBI requires banks to
determine risk category of individual customers based on their
assessment and not merely based on any group or class they
belong to.
(iii) Approach for Customer Risk Categorization
(A) Parameter Based Categorisation
Regulators expect banks to have a multi-dimensional and dynamic
Customer Risk Categorisation model which considers both static
and dynamic factors to arrive at the customer’s risk classification.
Customers need to be classified into at least three categories, viz.
low, medium, and high-risk categories.
Risk categorisation of customers is based on several parameters
related to the customer, such as:
i. Customer’s identity
ii. Social/ financial status
iii. Nature of business activity
iv. Information about the customer’s business
v. Location of the customer
vi. Business levels/ turnover
vii. Delivery channels
viii. Types of transactions
While considering customer’s identity, the ability to confirm identity documents
through online or other services offered by issuing authorities may also be
factored in. As indicative direction on risk classification, customers who are
likely to pose a higher-than-average risk should be categorized as medium or
high risk depending on various risk parameters stated above.

Classification: Internal Page 39 of 136
 KYC-Policy 2024-25
18.1.1. Low Risk Customers:
Individuals (other than High Net Worth) and entities whose identities and sources
of wealth can be easily identified and transactions in whose accounts by and
large conform to the known profile, shall be categorized as low risk.
Illustrative examples of low-risk customers:
(i) salaried employees whose salary structure are well defined
(ii) people belonging to lower economic strata of the society whose
accounts show small balances and low turnover
(iii) Government Departments and Government owned companies,
regulators, and statutory bodies etc.
(In such cases, only the basic requirements of verifying the identity
and location of the customer are to be met.)
18.1.2. Medium and High-Risk Customers:
(i) Customers that are likely to pose a higher-than-average risk to the Bank
shall be categorized as ‘Medium or High risk’ depending on customer's
background, nature and location of activity, country of origin, sources
of funds and his client profile etc.
(ii) The Bank shall apply enhanced due diligence measures based on the risk
assessment, thereby requiring intensive ‘due diligence’ for higher risk
customers, especially those for whom the sources of funds are not clear.
(iii) In view of the risks involved in cash intensive business, accounts of
bullion dealers (including sub-dealers) & jewellers will be categorized
as ‘high risk’ requiring enhanced due diligence.
(iv) Due to inherent risks and complexity involved in the transactions of Non-
trade/service related cross border remittances in the accounts with
declared nature of business/activity of (i) Logistics service providers/
freight forwarders (ii) Tour and Travel Service Providers (iii) Event
Management (iv) Media/Film production related (v) Advertising services
(vi) IT/Software services shall be categorized under “High risk category”
and transactions in these accounts shall be closely monitored and EDD
to be conducted wherever applicable.
Other examples of customers requiring higher due diligence include:
a) non-resident customers.

Classification: Internal Page 40 of 136
 KYC-Policy 2024-25
b) high net worth individuals.
c) trusts, charities, NGOs, NPOs and organizations receiving
donations.
d) companies having close family shareholding or beneficial
ownership.
e) firms with 'sleeping partners';
f) Multi-Level Marketing (MLM) Agencies.
g) ‘Pooled accounts’ maintained by professional intermediaries
h) accounts of agents/ sub-agents of cross border money transfer
service providers
i) politically exposed persons (PEPs)
j) non-face to face customers
k) those with dubious reputation as per public information available
etc.
(v) However, Non-Profit Organizations (NPOs)/ Non-Governmental
Organizations (NGOs) promoted by the United Nations (UN) or its
agencies will be classified as low risk customers.
18.2. Review of Risk Categorisation:
Customer risk categorisation is a dynamic process, and the risk categories
need to be reviewed as indicated below:
(i) RBI Directions require banks to review customer risk category at a
periodicity of at least once in six months.
(ii) It also needs to be reviewed at the time of periodic updation of
customer data and profile.
(ii) Risk category is also reviewed when any significant development is
noticed in respect of the customer, his business activity, and his
association with the bank. For example, an individual becomes a
Politically Exposed Person (PEP) or a customer enters a new product
line, a customer avails new product/ service with higher
vulnerability, a customer uses new channels, etc.
18.3. Risk Categorisation Model:
Each bank may develop its own model for customer risk categorization based
Classification: Internal Page 41 of 136
 KYC-Policy 2024-25
on available customer/ product information, risk perception, and other
factors such as available technology, etc. A profile of the customer may be
created in the system using available information based on which the risk
category is assigned. Banks may take further guidance from the IBA report on
parameters for risk-based transaction monitoring.
Banks may, if required, deploy suitable software for purpose of risk
categorization. Such software can be used to extract customer data from the
banking software and assign risk rating based on the scoring model selected
by the bank. If a bank chooses and if its core banking application permits, CRC
maybe done in the core banking software as well.
For certain category of customers, FATF has recommended high risk rating,
for example, foreign Politically Exposed Persons (PEPs) and international
correspondent banking relationships. For such and similar situations the
override provision is adopted to assign a specific risk category to concerned
customers.
Further, certain prominent characteristic may determine the risk category to
be higher or lower than that otherwise perceived. For instance:
(i) Loan accounts of non-operative nature having a pre-determined cash
flow (e.g., home loans), and fixed cap accounts like the small deposit
accounts, can be generally regarded as low risk.
(ii) In view of the typologies observed in terrorist financing activities, Small
Deposit accounts may not be considered as low risk.
18.4. Selection of Parameters for Risk Categorization:
Some indicative parameters, which can be used to determine the risk category
of a customer are as follows:
(i) Customer constitution: Individual, Sole Proprietary Firms, Partnership
Firms, Private/Public Limited Companies, Trusts, Societies,
Associations, etc.
(ii) Business segment: Retail, Corporate operation, etc.; Industry Type:
Gems and jewelry, Textiles, Leather and Leather Products, E-
commerce, Shipping, Real estate, Hotels and Restaurants, etc.
(iii) Country of residence/incorporation/nationality: Whether India or any
overseas location/Indian or Foreign national/Entity.
(iv) Product subscription: International wires, trade/export finance, private

Classification: Internal Page 42 of 136
 KYC-Policy 2024-25
banking, salary account etc.
(v) Economic profile: High Net worth Individual (HNI), Wealth Customer,
etc.
(vi) Account status: Active, inactive, inoperative, dormant.
(vii) Account Vintage and transaction type with volumes, where possible.
(viii) Volume and type of funds flowing through the customer’s account
e.g., cash, forex, on-cash and throughput per month etc.
(ix) Negative Lists: Presence in any negative regulatory/PEP/defaulter/
fraudster lists.
(x) Past Suspicious Transaction Reports (STRs) filed for the customer.
The parameters actually adopted will depend on the type of customer, the nature
and extent of business transacted with the bank, and customer related information
available.
FATF Public Statement, the reports and guidance notes on KYC/AML issued by the
Indian Banks’ Association (IBA), guidance note circulated to all cooperative banks by
the RBI, etc., may also be used in the assessment of risk.
18.5. In addition to what has been indicated above, the bank shall take steps to
identify and assess its Money Laundering (ML) / Terrorist Financing (TF) risk
for customers, countries, and geographical areas and also for
products/services/transactions/delivery channels, to effectively manage
and mitigate risk arising from such customers, countries and from
products/services/transactions/ delivery channels. As a corollary, the bank
shall adopt enhanced measure for products, services, and customers with a
medium or high-risk rating. In this regard bank shall use the Report on
Parameters for Risk-Based Transaction Monitoring (RBTM) dated March 30,
2011, issued by Indian Banks’ Association on May 18, 2011, as a supplement
to their guidance note on Know Your Customer (KYC) Norms / Anti Money
Laundering (AML) standards issued in July 2009, which also provides an
indicative list of high-risk customers, products, services, and geographies.
18.6. While the Bank has adopted a risk-based approach to the implementation of
this Policy, it is necessary to establish appropriate framework covering
proper management oversight, systems, controls, and other related matters.
Bank’s Internal Audit and Compliance functions will provide an independent
evaluation of KYC/AML policies and procedures including legal and

Classification: Internal Page 43 of 136
 KYC-Policy 2024-25
regulatory requirements. Concurrent/ Internal Auditors shall specifically
test check and verify the application of KYC/AML procedures for new
customer as well as periodic updation of KYC at branches and comment on
the lapses observed in this regard.
Management Audit of Regional Offices shall comment on progress under KYC
updation and Re-KYC of the concerned Region. The compliance in this regard
will be put up before the Board / Audit Committee of the Board at quarterly
intervals.
18.7. Board Approved Policy:
Banks need to have clear Board- approved policies for risk categorization
and ensure that the same are meticulously complied with. This may be a
part of overall KYC Policy, if the bank so desires.
18.8. Risk Upgradation in STR& CTR filed accounts:
Pursuant to approval received from ORMC, following modifications have
been approved in implementation of risk-based approach to reflect
appropriate risk categorisation.
18.8.1. Categorisation of all customer accounts into “High Risk category” in
cases wherein Suspicious Transaction Report is filed irrespective of
previous Risk categorisation (i.e., Low Risk/Medium Risk)
18.8.2. Categorisation of all customer accounts having “Low Risk Category” into
“Medium Risk category” wherein Cash Transaction Report (CTR) is filed.

Classification: Internal Page 44 of 136
 KYC-Policy 2024-25

CHAPTER-V
Customer Identification Procedure (CIP)
19. Bank shall undertake identification of customers in the following cases:
(i) Commencement of account-based relationship with the customer
(ii) Carrying out any international money transfer operations for a person who is
not an account holder of the bank.
(iii) When there is doubt about the authenticity or adequacy of the customer
identification data it has obtained.
(iv) Selling third party products as agents, selling own product, payment of dues of
credit cards/ sale and reloading of prepaid/travel cards and any other product
for more than rupees fifty thousand.
(v) Carrying out transactions for a non-account-based customer, i.e., walk-in
customer, where the amount involved is equal to or exceeds rupees Fifty
thousand, whether conducted as a single transaction or several transactions
that appears to be connected.
(vi) When the bank has reason to believe that a customer (account based or walk-
in) is intentionally structuring a transaction into a series of transactions below
the threshold of rupees of Fifty thousand.
(vii) Bank shall ensure that introduction is not to be sought while opening accounts.

The failure or refusal by an applicant to provide satisfactory identification evidence
within a reasonable time period and/or without adequate explanation may lead to
a suspicion that the depositor or investor is engaged in Money-laundering. In such
circumstances, the Branch shall consider making a suspicious activity report and
submit it to the principal officer.
20. Duty to obtain identification:
The first requirement of ‘Knowing Your Customer’ for AML purposes is to be satisfied
that a prospective customer is one who he/she claims to be. It is important to
determine whether an applicant for business is undertaking a one-off transaction or
whether the transaction is, or will be, part of a business relationship as this can
affect the identification requirements.
21. For the purpose of verifying the identity of customers at the time of commencement
of an account-based relationship bank may rely on customer due diligence done by
a third party, subject to the following conditions.

Classification: Internal Page 45 of 136
 KYC-Policy 2024-25
(i) Records or the information of the customer due diligence carried out by the
third party (if empanelled by the Bank) is obtained immediately from the third
party or from the Central KYC Records Registry.
(ii) The bank shall take adequate steps to satisfy itself that copies of identification
data and other relevant documentation relating to the client due diligence
requirements shall be made available from the third party upon request without
delay.
(iii) The bank shall satisfy that such third party is regulated, supervised, or monitored
for, and has measures in place for compliance with client due diligence and
record keeping requirements in line with the requirements and obligations under
the PML Act.
(iv) The third party shall not be based in a country or jurisdiction assessed as high
risk; and
(v) The Bank is ultimately responsible for client due diligence and undertaking
enhanced due diligence measures, as applicable.
22. Customer identification process:
22.1. Customer Identification Data, including Photograph, shall be updated, and
kept on record duly verified at least once in ten years in case of Low-Risk
category customers, once in two years in case of High-Risk customers and
once in eight years for Medium Risk categories. The time limits prescribed
above would apply from the date of opening of the account/last verification
of account. Such verification shall be done irrespective of whether the
account has been transferred from one branch to another branch. However,
Bank shall ensure that:
(i) Branches do not seek fresh proof of identity and address at the
time of periodic updation from ‘low risk’ customers in case there
is no change in status with respect to their identities and
addresses.
(ii) A self-certification by the customer to that effect will suffice in
such cases.
(iii) But in case of change of address of such ‘low risk’ customers,
they could merely forward a certified copy of the document
(proof of address) by mail/post, etc.
(iv) Physical presence of the clients may, however, not be insisted
upon at the time of such periodic updation.
Classification: Internal Page 46 of 136
 KYC-Policy 2024-25
22.2. Whenever there is suspicion of money laundering or terrorist financing or
when other factors give rise to a belief that the customer does not, in fact,
pose a low risk, the branch shall carry out full scale Customer Due Diligence
(CDD) before opening an account.
22.3. When there are suspicions of money laundering or financing of the activities
relating to terrorism or where there are doubts about the adequacy or
veracity of previously obtained Customer Identification Data, the branch shall
review the due diligence measures, including verifying again the identity of
the client, and obtain information on the purpose and intended nature of the
business relationship.
22.4. Customer Identification Procedure – More Information:
The Bank shall ensure that sufficient information is obtained on the nature of
business that the customer expects to undertake and on any expected or
predictable pattern of transactions. A risk-based approach shall be needed in
respect of the extent of the additional information that might be required or
validated for this purpose. In making this assessment, the Bank shall have
regard to the need to protect an applicant’s privacy and shall not seek
information that is irrelevant to the product, service, or account in question or
to the applicant’s involvement in the relationship.
Following the start of the relationship, reasonable steps shall be taken to keep
the information up to date as appropriate and as opportunities arise, e.g., when
an existing customer opens a new account and at least once in ten years in case
of Low-Risk Category customers and once in two years in case of High-Risk
category and once in eight years in case of Medium Risk Category Customers.
Information collected at the outset for Customer Identification purpose shall
generally include:
(i) The purpose and reason for opening the account or establishing
the relationship
(ii) The anticipated level and nature of the activity to be undertaken
(iii) The expected origin of the funds to be used within the relationship
(iv) Details of occupation/employment and sources of wealth or
income

Classification: Internal Page 47 of 136