
September 4, 2023
Blog
RBI recently banned RBI Payments Bank from acquiring new customers. In its notification, the RBI asked the Payments Bank to conduct a Comprehensive Systems Audit of its IT system. The reason given for the action was not specified and the notification simply said that the action is based on “certain material supervisory concerns observed in the bank.”
Reports in various news media suggested that the action was due to violation of the RBI’s KYC – AML guidelines. For the uninitiated, KYC-AML stands for Know Your Customer – Anti-Money Laundering Guidelines. Another report stated that the Bank leaked customer data to Chinese firms who hold a stake in the Bank.
Let us look at what the RBI’s various guidelines and directions related to KYC-AML, payment data storage and tokenization say.
RBI’s KYC-AML Regulations for Banks and other Financial Institutions
The RBI issued Master Directions on Know Your Customer (KYC) in 2016, laying down detailed guidelines to be followed by all entities regulated by the RBI on KYC norms, in line with the Prevention of Money-Laundering Act, 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, as amended from time to time by the Government of India. These regulations deal with the customer identification procedures to be followed by regulated entities while undertaking a transaction, whether by establishing an account-based relationship or otherwise, and with the monitoring of their transactions. The basic purpose behind these regulations is to prevent money laundering to foreign countries.
Key Points covered in the guidelines:
1. It defines the concept of a “Beneficial Owner”. To put it in simple terms, a Beneficial Owner is a person who actually benefits from holding an account with the bank or financial institution. This was done to differentiate those persons who use proxies to operate bank accounts and use such bank accounts and transactions for money laundering and other illegal activities.
2. Every Regulated Entity (RE) shall have a KYC Policy duly approved by the Board of Directors of the RE, or by any committee of the Board to which the power has been delegated, and the policy shall include the following four key elements:
a. Customer Acceptance Policy;
b. Risk Management;
c. Customer Identification Procedures (CIP); and
d. Monitoring of Transactions
3. REs shall carry out a ‘Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment’ exercise periodically to identify, assess and take effective measures to mitigate their money laundering and terrorist financing risk across clients, countries or geographic areas, products, services, transactions, delivery channels, etc.
4. Customer Due Diligence – The guidelines specify the Customer Due Diligence procedure which must be followed by REs while accepting customers, to ensure that no account is opened in a fictitious / benami name.
5. Risk Management
Customers shall be categorised into low, medium and high-risk categories, based on parameters such as the customer’s identity, social/financial status, nature of business activity, information about the customer’s business and their location, etc.
6. Customer Identification Procedure
REs shall undertake the Customer Identification Procedure when opening an account, for international money transfer operations, where transactions are done for walk-in customers, or where there is doubt about the authenticity or adequacy of the customer identification data.
7. On-going Due-Diligence:
REs shall undertake on-going due diligence of customers to ensure that their transactions are consistent with the RE’s knowledge of the customers, the customers’ business and risk profile, and the source of funds.
8. The following types of transactions shall necessarily be monitored:
a. Large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose.
b. Transactions which exceed the thresholds prescribed for specific categories of accounts.
c. High account turnover inconsistent with the size of the balance maintained.
d. Deposit of third party cheques, drafts, etc. in the existing and newly opened accounts followed by cash withdrawals for large amounts.
9. The extent of monitoring shall be aligned with the risk category of the customer.
10. It also specifies measures for record keeping, maintenance, preservation and reporting of customer account information, with reference to provisions of PML Act and Rules.
11. REs are required to report information as per the guidelines to the Director, Financial Intelligence Unit – India.
12. REs shall ensure that, in terms of Section 51A of the Unlawful Activities (Prevention) Act, 1967 (UAPA), they do not hold any account in the name of individuals/entities appearing in the lists circulated by the United Nations Security Council (UNSC) of individuals and entities suspected of having terrorist links.
13. The guidelines also impose strict obligations on REs regarding the secrecy, security and confidentiality of customers’ information acquired by them.
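As an added illustration (not from the post, and not code from the RBI directions), the Python routine below applies the monitoring patterns listed in point 8 to an account’s transactions, with the threshold, turnover ratio and look-back window scaled by the customer’s risk category as point 9 requires. Every numeric parameter and the sample transactions are constructed assumptions for the example, not prescribed RBI figures.

```python
from dataclasses import dataclass
from datetime import date

# Constructed per-risk-category settings (illustrative, not RBI-prescribed values).
# Higher-risk customers get tighter thresholds and a longer look-back, per point 9.
RISK_PARAMS = {
    "low":    {"threshold": 1_000_000, "turnover_ratio": 20, "lookback_days": 7},
    "medium": {"threshold": 500_000,   "turnover_ratio": 10, "lookback_days": 14},
    "high":   {"threshold": 200_000,   "turnover_ratio": 5,  "lookback_days": 30},
}

@dataclass
class Txn:
    day: date
    kind: str      # "deposit" or "withdrawal"
    channel: str   # "cash", "cheque_third_party", "rtgs", "transfer"
    amount: int    # rupees (constructed sample values)

def monitor(account_risk: str, balance: int, txns: list[Txn]) -> list[str]:
    """Return sorted, de-duplicated alert labels for one account."""
    p = RISK_PARAMS[account_risk]
    alerts = []
    # (b) single transactions above the threshold for this account category
    for t in txns:
        if t.amount > p["threshold"]:
            alerts.append(f"over_threshold:{t.amount}")
    # (c) account turnover out of proportion to the balance maintained
    turnover = sum(t.amount for t in txns)
    if turnover > balance * p["turnover_ratio"]:
        alerts.append("high_turnover")
    # (d) third-party cheque deposit followed by a large cash withdrawal
    for d in txns:
        if d.kind == "deposit" and d.channel == "cheque_third_party":
            for w in txns:
                if (w.kind == "withdrawal" and w.channel == "cash"
                        and 0 <= (w.day - d.day).days <= p["lookback_days"]
                        and w.amount >= d.amount * 0.8):
                    alerts.append("cheque_in_cash_out")
                    break
    return sorted(set(alerts))

# Constructed sample: a third-party cheque credited, most of it withdrawn in cash
# two days later, then a large RTGS credit.
SAMPLE = [
    Txn(date(2023, 8, 1), "deposit", "cheque_third_party", 450_000),
    Txn(date(2023, 8, 3), "withdrawal", "cash", 400_000),
    Txn(date(2023, 8, 5), "deposit", "rtgs", 1_200_000),
]

if __name__ == "__main__":
    print(monitor("medium", 20_000, SAMPLE))
```

The same transactions raise fewer alerts for a low-risk customer with a large balance, which is the point of aligning the extent of monitoring with the risk category.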
RBI Directions on storage of payment system data
14. In April 2018, the RBI issued directions relating to the storage of payment system data, which state that all system providers shall ensure that the entire data relating to the payment systems operated by them is stored in a system only in India.
RBI Directions on Tokenization of Card Data of Customers
On December 23, 2021, the RBI issued directions on tokenization of card data, making it mandatory for all Payment System Providers and Payment System Participants to further secure such data.
Conclusion
The RBI took similar action against American Express for violating data storage localization rules some months back. The proposed Personal Data Protection Bill stresses Data Localization, i.e. storage of Indian customers’ data in India itself. There is an important lesson for Payment System Providers and Payment System Participants in these instances: follow the RBI’s directions and guidelines on KYC-AML, data storage and tokenization, or pay a heavy price for non-compliance.