KNOW YOUR CUSTOMER (KYC), ANTI

MONEY LAUNDERING (AML) & COMBATING

FINANCING OF TERRORISM (CFT) POLICY

Preamble

Reserve Bank of India has issued comprehensive guidelines on Know Your Customer (KYC)

norms and Anti‐ Money Laundering (AML) standards and has advised all NBFCs to ensure that

a proper policy framework on KYC and AML measures be formulated and put in place with the

approval of the Board.

Accordingly, in compliance with the guidelines issued by RBI from time to time, the following

KYC & AML policy of the Company is approved by the Board of Directors of the Company

The Recommendations made by the Financial Action Task Force (FATF) on Anti Money

Laundering (AML) standards and on Combating Financing of Terrorism (CFT) standards have

become the international benchmark for framing Anti Money Laundering and combating

financing of terrorism policies by the regulatory authorities. Compliance with these standards

both by the banks/financial institutions, including MFIs, has become necessary for international

financial relationships. The Reserve Bank of India(RBI) has issued revised set of

comprehensive ‘Know Your Customer' Guidelines to all Non-Banking Financial Companies

(NBFCs), Miscellaneous Non-Banking Companies and Residuary Non-Banking Companies in

the context of the recommendations made by the Financial Action Task Force (FATF) and Anti

Money Laundering (AML) standards and combating financing of terrorism (CFT) policies by the

regulatory authorities and advised all NBFCs to adopt the same with suitable modifications

depending on the activity undertaken by them and ensure that a proper policy framework on

KYC and AML measures are formulated and put in place with the approval of their respective

Boards.

The primary objective is to prevent the Company from being used, intentionally or

unintentionally, by criminal elements for money laundering activities or terrorist financing

activities. This policy also ensures for making reasonable efforts to determine the true

identity and beneficial ownership of accounts, source of funds, the nature of customer’s

business, etc. which in turn helps the Company to manage its risks prudently. The policy

broadly has the following objectives

• To lay down explicit criteria for acceptance of customers

• To establish procedures to verify the bona-fide identification of individuals

for commencement of financial relationship.

• To establish processes and procedures to monitor high value transactions

and/or transactions of suspicious nature.

• To develop measures for conducting due diligence in respect of customers and

reporting of such transactions.

Scope, Objective & Application of policy

Background

(i) “Aadhaar number” shall have the meaning assigned to it in clause (a) of section 2 of the

Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act,

2016 (18 of 2016)

(ii) “Act” and “Rules” means the Prevention of Money-Laundering Act, 2002 and the Prevention

of Money-Laundering (Maintenance of Records) Rules, 2005, respectively and amendments

thereto

(iii) “Authentication”, in the context of Aadhaar authentication, means the process as defined

under sub-section (c) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other

Subsidies, Benefits and Services) Act, 2016

(iv) “Central KYC Records Registry” (CKYCR) means an entity defined under Rule 2(1) of the

Rules, to receive, store, safeguard and retrieve the KYC records in digital form of a

customer.

(v) “Certified Copy” - Obtaining a certified copy by the company shall mean comparing the

copy of the proof of possession of Aadhaar number where offline verification cannot be

carried out or officially valid document so produced by the customer with the original and

recording the same on the copy by the authorised officer of the company as per the

provisions contained in the Act.

(vi) “Designated Director" means a person designated by the company to ensure overall

compliance with the obligations imposed under chapter IV of the PML Act and the Rules

and shall include the Managing Director or a whole-time Director, duly authorized by the

Board of Directors.

Explanation - For the purpose of this clause, the terms "Managing Director" and "Whole-

time Director" shall have the meaning assigned to them in the Companies Act, 2013.

(vii) “Digital KYC” means the capturing live photo of the customer and officially valid document

or the proof of possession of Aadhaar, where offline verification cannot be carried out,

along with the latitude and longitude of the location where such live photo is being taken

by an authorised officer of the company as specified under Part-I of Annexure 3 of this

policy.

(viii) “Digital Signature” shall have the same meaning as assigned to it in clause (p) of

subsection (1) of section (2) of the Information Technology Act, 2000 (21 of 2000).

(ix) “Equivalent e-document” means an electronic equivalent of a document, issued by the

issuing authority of such document with its valid digital signature including documents

issued to the digital locker account of the customer as per rule 9 of the Information

Technology (Preservation and Retention of Information by Intermediaries Providing

Digital Locker Facilities) Rules, 2016.

(x) “Know Your Client (KYC) Identifier” means the unique number or code assigned to a

customer by the Central KYC Records Registry.

“Officially Valid Document” (OVD) means the passport, the driving licence, proof of

possession of Aadhaar number, the Voter's Identity Card issued by the Election

Commission of India, job card issued by NREGA duly signed by an officer of the State

Government and letter issued by the National Population Register containing details of

name and address. Provided that,

a. where the customer submits his proof of possession of Aadhaar number as an OVD,

he may submit it in such form as are issued by the Unique Identification Authority of

India.

b. where the OVD furnished by the customer does not have updated address, the

following documents or the equivalent e-documents thereof shall be deemed to be OVDs

for the limited purpose of proof of address:

Definitions

c. where the OVD furnished by the customer does not have updated address, the following

documents or the equivalent e-documents thereof shall be deemed to be OVDs for the

limited purpose of proof of address: -

i. utility bill which is not more than two months old of any service provider

(electricity, telephone, post-paid mobile phone, piped gas, water bill);

ii. property or Municipal tax receipt;

iii. pension or family pension payment orders (PPOs) issued to retired employees by

Government Departments or Public Sector Undertakings, if they contain the address;

iv. letter of allotment of accommodation from employer issued by State Government or

Central Government Departments, statutory or regulatory bodies, public sector

undertakings, scheduled commercial banks, financial institutions and listed

companies and leave and licence agreements with such employers allotting official

accommodation;

c. the customer shall submit OVD with current address within a period of three months

of submitting the documents specified at ‘b’ above

d. where the OVD presented by a foreign national does not contain the details of address,

in such case the documents issued by the Government departments of foreign jurisdictions

and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of

address.

Explanation: For the purpose of this clause, a document shall be deemed to be an OVD

even if there is a change in the name subsequent to its issuance provided it is supported

by a marriage certificate issued by the State Government or Gazette notification, indicating

such a change of name.

(xii) “Offline verification” shall have the same meaning as assigned to it in clause (pa) of

section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits

and Services) Act, 2016 (18 of 2016).

(xiii) “Periodic Updation” means steps taken to ensure that documents, data or information

collected under the CDD process is kept up-to-date and relevant by undertaking

reviews of existing records at periodicity prescribed by the Reserve Bank.

(xiv) “Principal Officer” means an officer nominated by the company, responsible for furnishing

information as per rule 8 of the PML Rules.

(xv) “Suspicious transaction” means a “transaction” as defined below, including an attempted

transaction, whether or not made in cash, which, to a person acting in good faith:

a. gives rise to a reasonable ground of suspicion that it may involve proceeds of an

offence specified in the Schedule to the Act, regardless of the value involved; or

b. appears to be made in circumstances of unusual or unjustified complexity; or

c. appears to not have economic rationale or bona-fide purpose; or

d. gives rise to a reasonable ground of suspicion that it may involve financing of the

activities relating to terrorism.

Explanation: Transaction involving financing of the activities relating to terrorism includes

transaction involving funds suspected to be linked or related to, or to be used for terrorism,

terrorist acts or by a terrorist, terrorist organization or those who finance or are attempting

to finance terrorism.

(xvi) “Transaction” means a purchase, sale, loan, pledge, gift, transfer, delivery or the

arrangement thereof and includes:

a. opening of an account;

b. deposit, withdrawal, exchange or transfer of funds in whatever currency, whether in

cash or by cheque, payment order or other instruments or by electronic or other non-

physical means;

c. the use of a safety deposit box or any other form of safe deposit;

d. entering into any fiduciary relationship;

e. any payment made or received, in whole or in part, for any contractual or other legal

obligation; or

f. establishing or creating a legal person or legal arrangement.

(xvii) “Video based Customer Identification Process (V-CIP)”: an alternate method of customer

identification by an official of the company by undertaking seamless, secure, real-time,

consent based audio-visual interaction with the customer to obtain identification

information including the documents required for CDD purpose, and to ascertain the

veracity of the information furnished by the customer. Such process shall be treated as

face-to-face process of customer identification.

(xviii) “Customer Due Diligence (CDD)” means identifying and verifying the customer and the

beneficial owner.

(xix) “Customer identification” means undertaking the process of CDD.

(xx) “Politically Exposed Persons” (PEPs) are individuals who are or have been entrusted

with prominent public functions in a foreign country, e.g., Heads of

States/Governments, senior politicians, senior government/judicial/military officers,

senior executives of state-owned corporations, important political party officials, etc.

(xxi) “Shell bank” means a bank which is incorporated in a country where it has no

physical presence and is unaffiliated to any regulated financial group.

(xxii) “Customer” means a person who is engaged in a financial transaction or activity with a

Regulated Entity (RE) and includes a person on whose behalf the person who is engaged

in the transaction or activity, is acting.

A. KNOW YOUR CUSTOMER' STANDARDS

KYC procedures enable NBFCs to know/understand their customers and their financial dealings

better which in turn help them manage their risks prudently. The Company has framed its KYC

policies incorporating the following four key elements:

1. Customer Acceptance Policy;

2. Customer Identification Procedures;

3. Monitoring of Transactions; and

4. Risk management.

The Company’s Customer Acceptance Policy, which lays down explicit criteria for acceptance

of customers, ensures the following aspects of the customer relationship:

(i) No account is opened in anonymous or fictitious/ benami name(s);

(ii) The Company shall carry out full scale customer due diligence (CDD) before opening an

account. When the true identity of the borrower is not known or the Company is unable

to apply appropriate CDD measures, due to non-co-operation of the customer or non-

reliability of the data/information furnished no transaction or account-based relationship

will be undertaken with such person / entity. However, the Company will have suitable

built-in safeguards to avoid harassment of the customer.

(iii) The mandatory information to be sought for KYC purpose while opening an account and

during the periodic updation, is specified.

(iv) ‘Optional’/additional information, is obtained with the explicit consent of the customer

after the account is opened.

(v) CDD procedure is applied at the time of allotment of Unique Customer Identification code

(UCIC)/customer identification code or by whatever name called. Thus, if an existing KYC

compliant customer of the company desires to open another account with the company,

there shall be no need for a fresh CDD exercise.

(vi) Suitable system is put in place to ensure that the identity of the customer does not match

with any person or entity, whose name appears in the sanctions lists circulated by Reserve

Bank of India or any other Indian regulator including sanction lists circulated by United

Nations, European Union, France.

(vii) Where Permanent Account Number (PAN) is obtained, the same shall be verified from

the verification facility of the issuing authority.

(viii) Where an equivalent e-document is obtained from the customer, company shall verify the

digital signature as per the provisions of the Information Technology Act, 2000 (21 of

2000)

(ix) Field Officers of the Company will ensure to record the Customer’s accurate information

such as Name, Husband’s Name along with Client’s Mother’s or Father’s Name, House No.,

Village, Post Office, Block/Tehsil, District, Pin Codes etc. as appearing in the identity and

Address Proof produced before him.

The Company will prepare a profile for each new customer which may contain information

relating to the customer's identity, social/financial status, nature of business activity,

information about clients' business and their location, etc. The nature and extent of due

diligence will depend on the risk perceived by the Company. However, while preparing the

customer profile, the Company will seek only such information from the customer which is

relevant and is not intrusive. The customer profile will be a confidential

Customer Acceptance policy

document and details contained therein will not be divulged for cross selling or any other

purpose. The company shall ensure that the adoption of Customer Acceptance Policy and its

implementation will not result in denial of the Company’s services to the general public,

especially to those who are financially or socially disadvantaged.

The Company shall undertake identification of customers before commencement of an

account-based relationship. Customer identification means identifying the customer and

verifying her identity by using reliable and independent source of documents, data or

information to ensure that the customer is not a fictitious/ anonymous/ benami person. The

Company shall obtain sufficient information necessary to establish, to its satisfaction, the

identity of each borrower and the purpose of the intended nature of business relationship.

The Company will follow clear NBFC guidelines on the Customer Identification Procedure to

be carried out at different stages, including establishing a financial relationship; carrying out

a financial transaction, or when the Company has a doubt about the authenticity/veracity

or the adequacy of the previously obtained customer identification data. Apart from the

above the customer identification procedures shall be applied to any transaction which shall

be covered as per the KYC guidelines issued by the Reserve Bank of India from time to time.

The Company shall perform appropriate, specific and where necessary, Enhanced Due

Diligence on its customers that is reasonably designed to know and verify the true identity

of its customers and to detect and report instances of criminal activity, including money

laundering or terrorist financing. The enhanced due diligence process shall also be applied

by the company in case of suspicion of any money laundering or terrorist financing activities.

The procedures, documentation, types of information obtained and levels of KYC due

diligence to be performed shall be dynamic in nature and the parameters shall be changed

based on the element of risk involved and the changes in the regulations as may be

introduced from time to time by the regulatory authorities. The Customer Identification

Procedures shall be done internally by the company, however in case the company opts for

CDD to be done by third parties, then the same shall be done in compliance with the extant

regulations in this regard.

(i) The company shall obtain the following information from an individual while establishing

an account-based relationship or while dealing with the individual who is a beneficial owner:

(aa) the proof of possession of Aadhaar number where offline verification can be carried

out; or

(ab) the proof of possession of Aadhaar number where offline verification cannot be carried

out or any OVD or the equivalent e-document thereof containing the details of his identity

and address; and

(b) the Permanent Account Number or the equivalent e-document thereof or Form No. 60

as defined in Income-tax Rules, 1962; and

of the customer, or the equivalent e-documents thereof as may be required by the company:

Customer Identification Procedure

Customer Due Diligence Procedure (CDD)

Provided that where the customer has submitted,

i) proof of possession of Aadhaar under clause (aa) above where offline verification can be

carried out, the company shall carry out offline verification. The offline verification can

be done in any manner as specified by UIDAI including the sharing of offline generated

XML file or scan of QR code or sharing of masked Aadhar or Virtual ID. Where the

customer submits a proof of possession of Aadhaar Number containing Aadhaar

Number, it shall be ensured that such customer redacts or blacks out his Aadhaar

number through appropriate means.

ii) an equivalent e-document of any OVD, the company shall verify the digital signature as

per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules

issues thereunder and take a live photo of the customer with latitude and longitude as

per digital KYC procedure specified under Annex I to RBI Master Directions on KYC,

2016.

iii) any OVD or proof of possession of Aadhaar number under clause (ab) above where

offline verification cannot be carried out, the company shall carry out verification

through digital KYC as specified under Annex I to RBI Master Directions on KYC, 2016,

copy of which is annexed to this policy as Part-I of Annexure 3. The company may also

conduct CDD through V-CIP procedure as prescribed by RBI, copy of which is annexed

to this policy as Part-II of Annexure 3.

Provided that the company may obtain a certified copy of the proof of possession of Aadhaar

number or the OVD and a recent photograph where an equivalent e-document is not

submitted.

Provided further those accounts opened, opened using OTP based e-KYC shall not be allowed

for more than one year unless prescribed identification has been carried out.

(iv) Biometric based e-KYC authentication may be done by the company only when acting as

business correspondents/business facilitators for banks.

(v) The use of Aadhaar, proof of possession of Aadhaar etc., shall be in accordance with the

Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016

and the regulations made thereunder.

(vi) The Company shall allot a Unique Customer Identification Code (UCIC)/ customer identification

code or by whatever name called, while entering into new relationships with individual customers

as also the existing customers.

(vii) Where the Company is unable to apply appropriate KYC measures due to non-furnishing of

information and /or non-cooperation by the customer, the Company may consider terminating

the business relationship after issuing due notice to the customer explaining the reasons for

taking such a decision.

(vii) Identification of Beneficial Owner: The Prevention of Money Laundering Rules, 2005 and as

amended in 2013 requires every banking company, and financial institution, to identify the

beneficial owner and take all reasonable steps to verify his identity.

Beneficial Owner (BO) is defined as follows:

a. Where the customer is a company, the beneficial owner is the natural person(s), who,

whether acting alone or together, or through one or more juridical persons, has/have a

controlling ownership interest or who exercise control through other means.

Explanation- For the purpose of this sub-clause-

“Controlling ownership interest” means ownership of/entitlement to more than 25

per cent

of the shares or capital or profits of the company.

“Control” shall include the right to appoint majority of the directors or to control the

management or policy decisions including by virtue of their shareholding or

management rights or shareholders agreements or voting agreements.

b. Where the customer is a partnership firm, the beneficial owner is the natural

person(s), who, whether acting alone or together, or through one or more juridical

person, has/have ownership of/entitlement to more than 15 per cent of capital or profits

of the partnership.

c. Where the customer is an unincorporated association or body of individuals, the

beneficial owner is the natural person(s), who, whether acting alone or together, or

through one or more juridical person, has/have ownership of/entitlement to more than

15 per cent of the property or capital or profits of the unincorporated association or body

of individuals.

Explanation: Term ‘body of individuals’ includes societies. Where no natural person

is identified under (a), (b) or (c) above, the beneficial owner is the relevant natural

person who holds the position of senior managing official.

d. Where the customer is a trust, the identification of beneficial owner(s) shall include

identification of the author of the trust, the trustee, the beneficiaries with 15% or more

interest in the trust and any other natural person exercising ultimate effective control

over the trust through a chain of control or ownership.

V-CIP

The company may undertake V-CIP to carry out:

i) CDD in case of new customer on-boarding for individual customers, proprietor in case of

proprietorship firm, authorised signatories and Beneficial Owners (BOs) in case of Legal Entity

(LE) customers.

ii) Conversion of existing accounts opened in non-face to face mode using Aadhaar OTP

based e-KYC authentication

iii) Updation/Periodic updation of KYC for eligible customers

There exists the possibility that trust/nominee or fiduciary accounts can be used to circumvent

the customer identification procedures. the Company shall determine whether the customer

is acting on behalf of another person as trustee/nominee or any other intermediary. If so, the

Company may insist on receipt of satisfactory evidence of the identity of the intermediaries

and of the persons on whose behalf they are acting, as also obtain details of the nature of the

trust or other arrangements in place. While opening an

account for a trust, the Company takes reasonable precautions to verify the identity of the

trustees and the settlors of trust (including any person settling assets into the trust), grantors,

protectors, beneficiaries and signatories. Beneficiaries should be identified when they are

defined. In the case of a 'foundation', steps are taken to verify the founder managers/ directors

and the beneficiaries, if defined.

The Company is vigilant against business entities being used by individuals as a ‘front’ for

maintaining accounts with banks. The Company examines the control structure of the entity,

determine the source of funds and identify the natural persons who have a controlling interest

and who comprise the management. These requirements may be moderated according to the

risk perception e.g. in the case of a public company it will not be necessary to identify all the

shareholders.

moderated according to the risk perception e.g. in the case of a public company it will not be

necessary to identify all the shareholders.

Illustrative nature of the documents required to be produced are enclosed in the Annexure 1.

(viii) Simplified procedure for opening certain accounts: In case a person who desires to

open an account is not able to produce documents, as specified in point (i) above, the

company may, at its discretion open accounts subject to the following conditions:

a. The company shall obtain a self-attested photograph from the customer.

b. The designated officer of the company shall certify under his signature that the person

opening the account has affixed his signature or thumb impression in his presence.

c. The account shall remain operational initially for a period of twelve months, within

which complete CDD procedure shall be carried out.

d. Balances in all their accounts taken together shall not exceed rupees fifty thousand

at any point of time.

e. The total credit in all the accounts taken together shall not exceed rupees one lakh

in a year.

f. The customer shall be made aware that no further transactions will be permitted until

the full KYC procedure is completed in case Directions (d) and (e) above are breached

by him.

g. The customer shall be notified when the balance reaches rupees forty thousand or the

total credit in a year reaches rupees eighty thousand that appropriate documents for

conducting the KYC must be submitted otherwise the operations in the account shall

be stopped when the total balance in all the accounts taken together exceeds the limits

prescribed in direction (d) and (e) above.

Ongoing monitoring is an essential element of effective KYC procedures. The Company can

effectively control and reduce its risk only if it has an understanding of the normal and

reasonable activity of the customer so that it can identify transactions that fall outside the

regular pattern. However, the extent of monitoring will depend on the risk sensitivity of the

customer.

Since the Company does not have any deposit accounts of its customers, this situation will

hardly arise, but the Company will in any case pay special attention to all complex, unusually

large transactions and all unusual patterns which have no apparent economic or visible lawful

purpose or transactions that involve large amounts of cash inconsistent with the normal and

expected activity of the customer. The Company will put in place a system of periodical review

of risk categorization of accounts and the need for applying enhanced due

Monitoring of Transactions

diligence measures. The Company will ensure that a record of transactions in the accounts is

preserved and maintained as required in terms of section 12 of the PML Act, 2002 (and the

Amended Act, 2009). It will alsoensure that transactions of suspicious nature and/or any other

type of transaction notified under section 12 of the PML Act, 2002 (and the Amended Act,

2009), is reported to the appropriate law enforcement authority.

a) The Company shall follow the risk-based approach wherein the customers shall be

categorized as low, medium or high-risk categories. The Company will define parameters

of risk perception. For this purpose, nature of business activity location of customers,

mode of payment, annual household income, social and financial status may be taken

into account. Given the nature of the company’s business which involves small ticket

loans to low income, informal and financially excluded families are provided, It is highly

unlikely that the Company will have any medium / high risk clients given its focus on

the lower income section of society, but for information, examples of customers

requiring higher due diligence may include non-resident customers, politically exposed

persons (PEPs) of foreign origin, non-face to face customers, and those with dubious

reputation as per public information available, etc.

b) Documentation requirements and other information shall be collected in respect of

different categories of customers depending on perceived risk and keeping in mind the

requirements of PML Act, 2002 and guidelines issued by Reserve Bank from time to

time.

c) The Company shall at all times ensure that an effective KYC program is in place and has

established appropriate procedures and is overseeing its effective implementation. The

program covers proper management oversight, systems and controls, segregation of

duties, training and other related matters. The company shall continue to have an

explicitly allocated responsibility within the Company to ensure that the Company’s

policies and procedures are implemented effectively. As an ongoing process the

Company, shall follow procedures for creating Risk Profiles of their existing and new

customers and applied various Anti Money Laundering measures keeping in view the

risks involved in a transaction or banking/business relationship.

d) The Company’s internal audit and Risk team shall effectively perform their role in

evaluating and ensuring adherence to the KYC policies and procedures. The Risk

department provides an independent evaluation of the Company’s own policies and

procedures, including legal and regulatory requirements.

e) The Company should ensure that internal audit machinery and Risk management team

are staffed adequately with individuals who are well-versed in such policies and

procedures. The compliance in this regard is to put up before the Audit Committee of

the Board on quarterly intervals.

f) The Company will carry out ‘Money Laundering (ML) and Terrorist Financing (TF) Risk

Assessment’ exercise periodically to identify, assess and take effective measures to

mitigate its money laundering and terrorist financing risk for clients, geographic areas,

services, transactions etc. The internal risk assessment shall be carried out by the

Company as per its size, geographical presence, complexity of activities/structure,

Risk management

etc. and shall apply a Risk Based Approach for mitigation and management of the

identified risks. The risk assessment processes shall be reviewed periodically to ensure

its robustness and effectiveness

The implementation of KYC procedures requires the Company to demand certain information

from customers, which may be of personal nature, or which has hitherto never been called

for. This can sometimes lead to a lot of questioning by the customer as to the motive and

purpose of collecting such information. The Company has to create adequate awareness

among the customers as to the need for adherence to KYC norms through appropriate

guidelines in the website. The Company’s front line staffs have to be clearly instructed to

personally discuss this with customers and if required, the Company has to prepare specific

literature/ pamphlets, etc. so as to educate the customer on the objectives of the KYC

program. Detailed records of due diligence undertaken shall be kept.

The Company shall pay adequate attention to any money laundering and financing of terrorism

threats that may arise from new or developing technologies and it shall ensure that appropriate

KYC procedures issued from time to time are duly applied before the introduction of new

products/services/ technologies. The Company neither has deposit accounts nor is it permitted

by RBI to accept deposits from customers, therefore many of the risks presented by the

introduction of new technology such as internet banking, mobile banking or transactions that

do not require physical presence of the parties etc., are not faced by it. However, the Company

pays special attention to any money laundering threats that may arise from new or developing

technologies including internet and mobile banking, on-line transactions that might favour

anonymity, and take measures, if need, to prevent its use in money laundering schemes.

As per guidelines issued by RBI following are the important Software Application controls and

risk mitigation measures that the Company has implemented:

Each application should have an owner which will typically be the concerned

business function that uses the application

Some of the roles of application owners include:

- Prioritizing any changes to be made to the application and authorizing

the changes.

- Deciding on data classification/de-classification and archival/purging

procedures for the data pertaining to an application as per relevant

policies/regulatory/statutory requirements.

- Ensuring that adequate controls are built into the application through active

involvement in the application design, development, testing and change

process

- Ensuring that the application meets the business/functional needs of the users

- Ensuring that the information security function has reviewed the security of

the application

- Taking decisions on any new applications to be acquired / developed or any

oldapplications to be discarded

- Informing the information security team regarding purchase of an

application and assessing the application based on the security policy

requirements

- Ensuring that the Change Management process is followed for any changes

in application

- Ensuring that the new applications being purchased/developed are in

Customer Education

Introduction of New

Technologies

accordance with the Information Security policy

- Ensuring that logs or audit trails, as required, are enabled and monitored

for the applications

All application systems should be tested before implementation in a robust manner

regarding controls to ensure that they satisfy business policies/rules of the Company

and regulatory and legal prescriptions/requirements. Robust controls should be built

into the system and reliance on any manual controls has been minimized. Clear

instructions should be issued to ensure the audit trails and the specific fields that are

required to be captured as part of audit trails and an audit trail or log monitoring

process including personnel responsible for the same.

The Company has to incorporate information security at all stages of software

development to improve software quality and minimize exposure to vulnerabilities.

Besides business functionalities, security requirements relating to system access

control, authentication, transaction, authorization, data integrity, system activity

logging, audit trail, security event tracking and exception handling are clearly specified

at the initial stages of system development/acquisition. A compliance check against

the Company’s security standards and regulatory/statutory requirements should be put

in place.

All application systems need to have audit trails along with policy/procedure of log

monitoring for such systems including the clear allocation of responsibility in this

regard.

Every application affecting critical/sensitive information, for example, impacting

financial, customer, control, regulatory and legal aspects, must provide for detailed

audit trails/ logging capability.

The audit trails need to be stored as per a defined period as per any

internal/regulatory/statutory requirements and it is to be ensured that they are not

tampered with.

Access should be based on the principle of least privilege and “need to know”

commensurate with the job responsibilities. Adequate segregation of duties has to be

enforced.

There should be controls on updating key ‘static’ business information like customer

master

files, parameter changes, etc.

Any changes to an application system/data need to be justified by genuine

business need and approvals supported by documentation and subjected to a robust change

management process. The change management would involve generating a request, risk

assessment,

authorization from an appropriate authority, implementation, testing and verification

of the change done.

Potential security weaknesses / breaches (for example, as a result of analysing

user behaviour or patterns of network traffic) should be identified.

There should be measures to reduce the risk of theft, fraud, error and

unauthorized changesto information through measures like supervision of activities

and segregation of duties.

Applications must not allow unauthorized entries to be updated in the database.

Similarly, applications must not allow any modifications to be made after an entry is

authorized. Any subsequent changes must be made only by reversing the original

authorized entry and passing a fresh entry.

Direct back-end updates to database should not be allowed except during

exigencies, with aclear business need and after due authorization as per the

relevant policy.

Access to the database prompt must be restricted only to the database administrator.

Robust input validation controls, processing and output controls have to be built

into the application.

There is a procedure in place to reduce the reliance on a few key individuals.

Error / exception reports and logs are reviewed and any issues is

remedied /addressed at the earliest.

For all critical applications, either the source code is received from the vendor or a

software escrow agreement is put in place with a third party to ensure source code

availability in the event the vendor goes out of business. It is ensured that product

updates and programme fixes are also included in the escrow agreement.

In the event of data pertaining to Indian operations being stored and/or processed

abroad, for example, by foreign banks, there needs to be suitable controls like

segregation of data and strict access controls based on ‘need to know’ and robust

change controls. The Company should be in a position to adequately prove the same

to the regulator. Regulator’s access to such data/records and other relevant

information should not be impeded in any manner and RBI would have the right to

cause an inspection to be made of the processing centre/data centre and its books and

accounts by one or more of its officers or employees orother persons.

An application security review/testing, initially and during major changes, needs to be

conducted using a combination of source code review, stress loading, exception testing

and compliance review to identify insecure coding techniques and systems

vulnerabilities to a reasonable extent.

Critical application system logs/audit trails also need to be backed up as part of

the application backup policy.

Robust System Security Testing, in respect of critical e-banking systems, needs to

incorporate, inter-alia, specifications relating to information leakage, business logic,

authentication, authorization, input data validation, exception/error handling,

session management, cryptography and detailed logging, as relevant. These need

to be carried out at least on annual basis.

While the KYC guidelines will apply to all new customers, the same would be applied to the

existing customers on the basis of materiality and risk. Periodic up-dation shall be carried

out at least once in every two years for high-risk customers, once in every eight years for

medium risk customers and once in every ten years for low-risk customers. Keeping in view

the business of the company wherein the loan account is repaid in shorter span of time,

and the borrowers falling in low risk, the requirement of up-dation may not arise. However,

in case the company identifies any customer as high risk or medium risk customer, then it

shall comply with the directions of the RBI regarding periodic up-dation, as follows:

a) Individual Customers:

i. No change in KYC information: In case of no change in the KYC information, a self-

declaration from the customer in this regard shall be obtained through customer’s

email-id registered with the RE, customer’s mobile number registered with the

company, mobile application of the company), letter etc.

ii. Change in address: In case of a change only in the address details of the customer,

a self-declaration of the new address shall be obtained from the customer through

customer’s email-id registered with the company, customer’s mobile number registered

with the company, mobile application of the company), letter etc., and the declared

address shall be verified through positive confirmation within two months, by means

such as address verification letter, contact point verification, deliverables etc.

Further, the company, at its option, may obtain a copy of OVD or deemed OVD or the

equivalent e-documents thereof, for the purpose of proof of address, declared by the

customer at the time of periodic updating.

b) Customers other than individuals:

i. No change in KYC information: In case of no change in the KYC information of the

LE customer, a self-declaration in this regard shall be obtained from the LE customer

through its email id registered with the company, mobile application of the company),

letter from an official authorized by the LE in this regard, board resolution etc. Further,

the company shall ensure during this process that Beneficial Ownership (BO)

information available with them is accurate and shall update the same, if required, to

keep it as up-to-date as possible.

ii. Change in KYC information: In case of change in KYC information, the company

shall undertake the KYC process equivalent to that applicable for on-boarding a new

LE customer

c) Additional measures: In addition to the above, the company shall ensure that,

i. The KYC documents of the customer as per the current CDD standards are available

with them. This is applicable even if there is no change in customer information but

the documents available with the company are not as per the current CDD standards.

Further, in case the validity of the CDD documents available with the company has

expired at the time of periodic up-dation of KYC, the company shall undertake the KYC

process equivalent to that applicable for on-boarding a new customer.

Periodic Up-dation of KYC for Existing Accounts

ii. Customer’s PAN details, if available with the company, is verified from the database of

the issuing authority at the time of periodic updation of KYC.

iii. Acknowledgment is provided to the customer mentioning the date of receipt of the

relevant document(s), including self-declaration from the customer, for carrying out

periodic updation. Further, it shall be ensured that the information / documents obtained

from the customers at the time of periodic updation of KYC are promptly updated in the

records / database of the company and an intimation, mentioning the date of updation

of KYC details, is provided to the customer.

iv. In order to ensure customer convenience, the company may consider making available

the facility of periodic updation of KYC at any branch.

v. The company shall ensure that its KYC processes on updation / periodic updation of KYC

are transparent and adverse actions against the customers should be avoided, unless

warranted by specific regulatory requirements.

The transactions in existing customers would be continuously monitored for any unusual

pattern in the operation of the accounts. Further if an existing customer is KYC compliant and

she desires to open another account, there shall be no need for any fresh customer due

diligence exercise.

The above guidelines shall also apply to all the branches of the company located in India or

the branches which may be located abroad. However, in case any local applicable laws and

regulations prohibit implementation of these guidelines, the same should be brought to the

notice of Reserve Bank of India.

(a) The Company shall maintain secrecy regarding the customer information which arises

out of the contractual relationship with the customer.

(b) While considering the requests for data/information from Government and other agencies,

the Company shall satisfy themselves that the information being sought is not of such a nature

as will violate the provisions of the laws relating to secrecy in the transactions.

i. Where disclosure is under compulsion of law

ii. Where there is a duty to the public to disclose,

iii. the interest of the company requires disclosure and

iv. Where the disclosure is made with the express or implied consent of the customer.

(d) The Company shall maintain confidentiality of information as provided in Section 45NB of

RBI Act 1934.

Applicability to Branches

Secrecy Obligations and sharing of information

a. Adequate screening mechanism as an integral part of their personnel recruitment/hiring

process shall be put in place.

b. On-going employee training programme shall be put in place so that the members of staff

are adequately trained in AML/CFT policy. The focus of the training shall be different for

frontline staff, compliance staff and staff dealing with new customers. The front desk staff

shall be specially trained to handle issues arising from lack of customer education. Proper

staffing of the audit function with persons adequately trained and well-versed in AML/CFT

policies of the RE, regulation and related issues shall be ensured.

B. PREVENTION OF MONEY LAUNDERING ACT (PMLA), 2002 - OBLIGATIONS OF

THE COMPANY INTERMS OF RULES NOTIFIED THEREUNDER

1. Appointment of Principal Officer

For the purpose of this policy and compliance of KYC/AML/CFT regulations, Mr. Vinay Pratap

Singh, Operations Head shall act as Principal Officer and put in place a system of internal

reporting of suspicious transactions and cash transactions of Rs.10 lakh and above. For the

purpose of this policy and the compliance of KYC/AML/CFT regulations the Risk Head or any

other officer(s) duly authorized by CEO to be designated as ‘Principal Officer' shall act as the

Principal Officer of the company. The name, designation and address of the Principal Officer

has been duly communicated to the Director, Financial Intelligence Unit – India (FIU-IND). As

per the NBFC guidelines, the Principal Officer will be located at the corporate office and will

be responsible for ensuring compliance, monitoring transaction, and reporting of all

transactions and sharing of information as required under the law. The Principal Officer will

maintain close liaison with enforcement agencies, other NBFCs and any other institution which

are involved in the fight against money laundering and combating financing of terrorism.

2. Appointment of Designated Director

For the purpose of this policy and the compliance of KYC/AML/CFT regulations, Mr. Anup

Kumar Singh, Managing Director shall be the Designated Director. The name, designation and

address of the Designated Director has been duly communicated to the Director, Financial

Intelligence Unit – India (FIU-IND). If the Director-FIU, in the course of any inquiry, finds that

a reporting entity or its designated director (Mr. Anup Kumar Singh) on the Board or any of

its employees has failed to comply with the obligations under this Chapter, then, without

prejudice to any other action that may be taken under any other provisions of this Act, he

may—

(a) issue a warning in writing; or

(b) direct such reporting entity or its designated director on the Board or any of its

employees, to comply with specific instructions; or

employees, to send reports at such interval as may be prescribed on the measures it is

taking; or

(d) by an order, levy a fine on such reporting entity or its designated director on the Board

or any of its employees, which shall not be less than ten thousand rupees but may

extend to one lakh rupees for each failure.

Hiring of Employees and Employee

Training

In view of the above, the Company should nominate a Director on their Boards

as “designated Director” to ensure compliance with the obligations under the Prevention of

Money Laundering (Amendment) Act, 2012.

3. Maintenance of records of cash transactions and suspicious transactions

The Company shall maintain proper record of transactions as mentioned below:

(i) all cash transactions of the value of more than rupees ten lakh or its equivalent in

foreign currency;

(ii) all series of cash transactions integrally connected to each other which have to be valued

below rupees ten lakh or its equivalent in foreign currency where such series of

transactions have taken place within a month and the aggregate value of such

transactions exceeds rupees ten lakh;

(iii) all cash transactions where forged or counterfeit currency notes or bank notes have to

be used as genuine and where any forgery of a valuable security has taken place;

(iv) all suspicious transactions whether or not made in cash.

The Company shall maintain the following information in respect of the above cash

transactions:

(i) the nature of the transactions;

(ii) the amount of the transaction and the currency in which it was denominated;

(iii) the date on which the transaction was conducted; and

(iv) the parties to the transaction.

4. Record Retention

The following steps shall be taken for maintaining, preserving and reporting of customer

account information, with reference to provisions of PML Act and Rules. The company shall:

(a) maintain all necessary records of transactions with the customer, for at least five years

from the date of transaction;

(b) preserve the records pertaining to the identification of the customers and their addresses

obtained while opening the account and during the course of business relationship, for at least

five years after the business relationship is ended;

authorities upon request;

(d) evolve a system for proper maintenance and preservation of account information in a

manner that allows data to be retrieved easily and quickly whenever required or when

requested by the competent authorities;

(e) maintain records of the identity and address of their customer, and records in respect of

transactions in hard or soft format.

5. Filing of Suspicious Transaction Report (STR) to FIU-IND

Any suspicious transactions, counterfeit transactions and any cash transactions of Rs.10 lakhs or

above, whether such transactions comprise of a single transaction or a series of transactions

integrally connected to each other, and where such series of transactions take place within a

month, shall be identified. Further, the Principal officer shall, within the prescribed timelines,

furnish information of such transactions to the Director, Financial Intelligence Unit – India (FIU‐

IND) at the following address in the formats prescribed in this regard including the electronic

filing of reports.

Director, FIU-IND,

Financial Intelligence Unit-India,

6th Floor, Hotel Samrat,

Chanakyapuri,

New Delhi-110021

Provided that where the principal officer, has reason to believe that a single transaction or series

of transactions integrally connected to each other have been valued greater than Rs.10 lakhs so

as to defeat the provisions of the PMLA regulations, such officer shall furnish information in

respect of such transactions to the Director within the prescribed time. The Company shall not

put any restriction on operations in the accounts where a suspicious transaction report (STR) has

been filed. The Company shall keep the fact of furnishing of STR strictly confidential and shall

ensure that there is no tipping off to the customer at any level.

Illustrative list of activities which would be construed as suspicious transactions are given in

Annexure 2 to this policy.

6. Uploading of KYC Data on CERSAI Platform

(a) Government of India has authorised the Central Registry of Securitisation Asset

Reconstruction and Security Interest of India (CERSAI), to act as, and to perform the functions

of the CKYCR. In terms of provision of Rule 9(1A) of PML Rules, the company shall capture

customer’s KYC records and upload onto CKYCR within 10 days of commencement of an

account-based relationship with the customer.

(b) The company shall capture the KYC information for sharing with the CKYCR in the manner

mentioned in the Rules, as per the KYC templates prescribed by CERSAI for ‘Individuals’ and

‘Legal Entities’ (LEs), as the case may be.

communicated to the individual/LE as the case may be.

(d) In order to ensure that all KYC records are incrementally uploaded on to CKYCR, the

company shall upload/update the KYC data pertaining to accounts of individual customers and

LEs opened prior to the specified dates, at the time of periodic updation or earlier, when the

updated KYC information is obtained/received from the customer.

(e) the company shall ensure that during periodic updation, the customers are migrated to

the current CDD standard.

(f) Where a customer, for the purposes of establishing an account-based relationship, submits

a KYC Identifier to the company, with an explicit consent to download records from CKYCR,

then the company shall retrieve the KYC records online from the CKYCR using the KYC Identifier

and the customer shall not be required to submit the same KYC records or information or any

other additional identification documents or details, unless –

i. there is a change in the information of the customer as existing in the records of CKYCR;

ii. the current address of the customer is required to be verified;

iii. the company considers it necessary in order to verify the identity or address of the

customer, or to perform enhanced due diligence or to build an appropriate risk profile of

the client.

C. COMBATING FINANCING OF TERRORISM (CFT)

In terms of PMLA Rules, suspicious transaction should include transactions which give rise to

a reasonable ground of suspicion that these may involve financing of the activities relating to

terrorism. Though keeping in view, the size of loan and type of customers the company is

dealing with the chances of accounts with terror links are very low, however the Company has

developed a suitable mechanism through appropriate policy framework for enhanced

monitoring of accounts suspected of having terrorist links and swift identification of the

transactions and making suitable reports to the Financial Intelligence Unit – India (FIU-IND)

on priority.

As and when list of individuals and entities, approved by Security Council Committee

established pursuant to various United Nations' Security Council Resolutions (UNSCRs), are

received from Government of India, Reserve Bank circulates the Company ensures to update

the consolidated list of individuals and entities as circulated by Reserve Bank. The Company

also ensures that before opening any new account the name/s of the proposed customer does

not appear in the list. Further, the Company has put in place procedures to scan all existing

accounts to ensure that no account is held by or linked to any of the entities or individuals

included in the list. Full details of accounts bearing resemblance with any of the

individuals/entities in the list should immediately be intimated to RBI, FIU-IND along with

Ministry of Home Affairs.

The Company shall take into account risks arising from the deficiencies in AML/CFT regime of

the jurisdictions included in the FATF Statement. The Company shall, in addition to FATF

Statements circulated by Reserve Bank from time to time, also consider publicly available

information for identifying such countries, which do not or insufficiently apply the FATF

Recommendations. The Company should give special attention to business relationships and

transactions with persons (including legal persons and other financial institutions) from or in

these countries.

Ongoing monitoring is an essential element of effective KYC procedures. The Company should

examine the background and purpose of transactions with persons (including legal persons

and other financial institutions) from jurisdictions included in FATF Statements and countries

that do not or insufficiently apply the FATF Recommendations. Further, if the

transactions have no apparent economic or visible lawful purpose, the background and purpose

of such transactions should, as far as possible be examined, and written findings together with

all documents be retained and made available to Reserve Bank/other relevant authorities, on

request. The Company applies enhanced due diligence measures on high-risk customers.

The guidelines covered under this policy for opening of accounts and monitoring of transactions

shall be strictly adhered to, in order to minimize the operations of “Money Mules” which are

used to launder the proceeds of fraud schemes (e.g., phishing and identity theft) by criminals

who gain illegal access to deposit accounts by recruiting third parties which act as “money

mules.”

Monitoring

Operation of Bank Accounts and money mules

Customer Due Diligence (CDD) measures to be made applicable to Politically Exposed Person

(PEP) and their family members or close relatives. Before establishing any relationship with

the PEPs sufficient information including information about the sources of funds, accounts of

family members and close relatives shall be gathered and the identity of the person shall be

verified before accepting the PEP as a customer. The decision for entering into any business

relationship with a PEP, shall be taken at a senior level within the scope of Customer

Acceptance policy of the company. In the event of an existing customer or the beneficial

owner of an existing account, subsequently becoming PEP, the Company should obtain senior

management approval to continue the business relationship and subject the account to the

CDD measures as applicable to the customers of PEP category including enhanced monitoring

on an ongoing basis.

The similar procedure shall be applicable in case of accounts of PEP who are resident

outside India.

The instructions are also applicable to accounts where PEP is the ultimate beneficial owner.

Further, in regard to PEP accounts, the Company has appropriate ongoing risk management

procedures for identifying and applying enhanced CDD to PEPs, customers who are close

relatives of PEPs, and accounts of which PEP is the ultimate beneficial owner.

With the introduction of telephone and electronic banking, increasingly accounts are being

opened by banks for customers without the need for the customer to visit the bank branch.

In the case of non-face-to-face customers, apart from applying the usual customer

identification procedures, there must be specific and adequate procedures to mitigate the

higher risk involved. Certification of all the documents presented may be insisted upon and,

if necessary, additional documents may be called for. In such cases, the Company may also

require the first payment to be affected through the customer's KYC Compliant account with

another bank which, in turn, adheres to similar KYC standards. In the case of cross-border

customers, there is the additional difficulty of matching the customer with the

documentation and the bank may have to rely on third party certification/introduction. In

such cases, it must be ensured that the third party is a regulated and supervised entity and

has adequate KYC systems in place.

Correspondent banking is the provision of banking services by one bank (the “correspondent

bank”) to another bank (the “respondent bank”). These services may include cash/funds

management, international wire transfers, drawing arrangements for demand drafts and mail

transfers, payable- through-accounts, cheques clearing, etc. The Company shall gather

sufficient information to understand fully the nature of the business of the

correspondent/respondent bank. Information on the other bank’s management, major

business activities, level of AML/CFT compliance, purpose of opening the account, identity of

any third-party entities that will use the correspondent banking services, and

regulatory/supervisory framework in the correspondent's/respondent’s country may be of

special relevance. Similarly, the Company should try to ascertain from publicly available

information whether the other bank has been subject to any money laundering or terrorist

financing investigation or regulatory action. While it is desirable that such relationships should

be established only with the approval of the Board, in case the Boards wishes to delegate the

power to an administrative authority, they may delegate the power to a committee headed by

the Chairman/CEO the Company while laying down clear parameters for approving such

relationships. Proposals approved by the Committee should invariably be put up to the Board

at its next meeting for post facto approval. The responsibilities of each bank with whom

Accounts of Politically Exposes Persons (PEP)

Accounts of non-face-to-face customers

Correspondent Banking

correspondent banking relationship is established should be clearly documented. In the case

of payable-through-accounts, the correspondent bank should be satisfied that the respondent

bank has verified the identity of the customers having direct access to the accounts and is

undertaking ongoing 'due diligence' on them. The correspondent bank should also ensure that

the respondent bank is able to provide the relevant customer identification data immediately

on request.

The Company shall not enter into a correspondent relationship with a “shell bank” (i.e. a bank

which is incorporated in a country where it has no physical presence and is unaffiliated to any

regulated financial group).

The Company shall ensure that in terms of Section 51A of the Unlawful Activities (Prevention)

(UAPA) Act, 1967, they do not have any account appearing in the lists of individuals and

entities, suspected of having terrorist links, which are approved by and periodically circulated

by the United Nations Security Council (UNSC). The details of the two lists are as under:

(a) The “ISIL (Da’esh) &Al-Qaida Sanctions List”, which includes names of individuals

and entities

associated with the Al-Qaida. The updated ISIL &Al-Qaida Sanctions List is available at

https://scsanctions.un.org/fop/fop?xml=htdocs/resources/xml/en/consolidated.xml&xslt=

htd cos/resources/sly/end/al-qaida-r.xsl

(b) The “1988 Sanctions List”, consisting of individuals (Section A of the consolidated list)

and entities (Section B) associated with the Taliban which is available at

https://scsanctions.un.org/fop/fop?xml=htdocs/resources/xml/en/consolidated.xml&xslt

=htd cos/resources/sly/end/taliban-r.xsl.

Details of accounts resembling any of the individuals/entities in the lists shall be reported

to FIU-IND apart from advising Ministry of Home Affairs as required under UAPA notification

dated August 27, 2009.

In addition to the above, other UNSCRs circulated by the Reserve Bank in respect of any

other jurisdictions/ entities from time to time shall also be taken note of.

8. Up-dation in KYC Policy of the Company

The above policy shall be governed by the directions of RBI, Government of India or such

other regulatory authorities and shall be subject to changes issued by these authorities from

time to time.

The above policy has been approved in accordance with the applicable laws and rules

pertaining to KYC/AML/CFT issued by the Reserve Bank of India from time to time. Any

regulatory amendment, in relation to such guidelines/regulations shall have the effect of Suo-

moto amendment of the policy

Shell Banks

Obligations under International Agreements

Up-dation in KYC Policy of the Company

ANNEXURE – 1

Customer Identification Procedure

Features to be verified and documents that may be obtained from customers

Features

Accounts of individuals

Legal name and any

other names used

Documents

Officially Valid Document” (OVD)

a) proof of possession of Aadhaar number; or

b) Copy of Passport

c) Copy of the Driving License

d) Voter’s identity card issued by the Election Commission of

India

e) Job card issued by NREGA duly signed by an officer of the

State Govt.

f) Letter issued by the National Population Register containing

details of name and address

g) an equivalent e-document of any OVD,

Provided that:

1. where the OVD furnished by the customer does not have

updated address, the following documents shall be deemed to

be OVDs for the limited purpose of proof of address, provided

the customer shall submit OVD with current address within a

period of three months of submitting the documents: ‐

i) utility bill which is not more than two months old of

any service provider (electricity, telephone, post‐ paid

mobile phone, piped gas, water bill);

ii) property or Municipal tax receipt;

iii) pension or family pension payment orders (PPOs)

issued to retired employees by Government Departments

or Public Sector Undertakings, if they contain the

address;

iv) letter of allotment of accommodation from employer

issued by State Govt. or Central Govt. Departments,

statutory or regulatory bodies, public sector

undertakings, scheduled commercial banks, financial

institutions and listed companies and leave and licence

agreements with such employers allotting official

accommodation;

2) where the OVD presented by a foreign national does not

contain the details of address, in such case the documents

issued by the Government departments of foreign jurisdictions

and letter issued by the Foreign Embassy or Mission in India

shall be accepted as proof of address.

Accounts of companies/NGO

(i) Certificate of incorporation and Memorandum & Articles of

- Name of the

Association (ii) Resolution of the Board of Directors to open an

account

and

identification

of those

who have authority

- Principal place of business

operate

the

account

(iii)

Power

Attorney

granted

its

- Mailing address

managers, officers or

employees

transact

business

its

- Telephone/Fax Number

behalf (iv) Copy of PAN

allotment letter (v) Copy of the telephone bill

Accounts of partnership

firms

- Legal name

(i)

Registration

certificate,

- Address

registered

- Names of all partners(ii) Partnership deed (iii) Power of Attorney granted to a

and their addresses

partner or an employee of the firm to transact business on its

- Telephone numbers of the behalf

firm and partners

(v) Telephone bill in the name of firm/partners

Accounts of trusts

Certificate

registration,

& foundations

(i)

- Names of trustees,

registered

settlers, beneficiaries and

(ii) Power of

Attorney granted to transact

business on

its

signatories- Names and

behalf

addresses of the founder,

(iii) Any officially valid document to identify the trustees,

the managers/directors

settlors, beneficiaries and those holding Power of Attorney,

and the beneficiaries

founders’/managers/ directors and their addresses

- Telephone/fax numbers

(iv

)

Resolution

the

managing

body

the

foundation/association

(v) Telephone bill

Accounts of

i) Proof of the name, address and activity of the concern, like

Proprietary Concerns

registration certificate (in the case of a registered concern),

- Name, Address and

certificate/licence issued by the Municipal authorities under

Activity of the Proprietary

Shop & Establishment Act, sales and income tax returns, CST /

Concern.

VAT certificate, certificate / registration document issued by

Sales Tax /

Service

Tax

/ Professional

Tax

authorities,

Licence issued by the

Registering authority like Certificate of

Practice issued by

Institute of Chartered Accountants of India, Institute of Cost

Accountants of India, Institute of Company Secretaries of

India, Indian Medical Council, Food and Drug Control

Authorities, etc.

ii) Any registration / licensing document issued in the name of

the proprietary concern by the Central Government or State

Government Authority / Department. NBFCs/RNBCs may also

accept IEC (Importer Exporter Code) issued to the proprietary

concern by the office of DGFT as an identity document for

opening of account.

iii) The complete Income Tax return (not just the

acknowledgement) in the name of the sole proprietor where the

firm's income is reflected, duly authenticated/ acknowledged by

the Income Tax Authorities.

iv) Utility bills such as electricity, water, and landline telephone

bills in the name of the proprietary concern.

v) Any two of the above documents would suffice. These

documents should be in the name of the proprietary concern.

ANNEXURE -2

An Indicative List of Suspicious Activities/Transactions

a) Company transactions, that are denominated by unusually large amounts of cash, rather

than normally associated with the normal commercial operations of the company, e.g.

cheques,

b) Transactions that do not make Economic Sense, activities not consistent with the

Customer's Business

c) Attempts to avoid Reporting/Record-keeping Requirements

(i) A customer who is reluctant to provide information needed for a mandatory report, to

have the report filed or to proceed with a transaction after being informed that the report

must be filed.

(ii) Any individual or group that coerces/induces or attempts to coerce/induce the

Company’s employee not to file any reports or any other forms.

d) Unusual Activities, like Funds coming from the countries/centers which are known

for money laundering.

e) Customer who provides Insufficient or Suspicious Information

(i) A customer/company who is reluctant to provide complete information regarding the

purpose of the business, prior business relationships, officers or directors, or its

locations.

(ii) A customer/company who is reluctant to reveal details about its activities or to

provide financial statements.

(iii) A customer who has no record of past or present employment but makes frequent

large transactions.

(a) Certain Company Employees arousing Suspicion, such as:

(i) An employee whose lavish lifestyle cannot be supported by his or her salary.

(ii) Negligence of employees/wilful blindness is reported repeatedly.

Some examples of suspicious activities/transactions to be monitored by the operating staff-

Large Cash Transactions

Multiple accounts under the same name

Sudden surge in activity level

ANNEXURE -3

PART-I

Digital KYC Process

A. The company shall carry out digital KYC process through an application, which shall be made

available at customer touch points for undertaking KYC of their customers and the KYC process

shall be undertaken only through the authenticated application of the company.

B. The access of the Application shall be controlled by the company and it shall be ensured that

the same is not used by unauthorized persons. The Application shall be accessed only through

its authorized officials.

C. The customer, for the purpose of KYC, shall visit the location of the authorized official of the

company or vice-versa. The original OVD shall be in possession of the customer.

D. The company shall ensure that the Live photograph of the customer is taken by the authorized

officer and the same photograph is embedded in the Loan Application Form. Further, the system

Application of the company shall put a water-mark in readable form having application number,

GPS coordinates, authorized official’s name, unique employee Code (assigned by the company)

and Date (DD:MM: YYYY) and time stamp (HH:MM: SS) on the captured live photograph of the

customer.

E. The Application for digital KYC shall have the feature that only live photograph of the customer

is captured and no printed or video-graphed photograph of the customer is captured. The

background behind the customer while capturing live photograph should be of white colour and

no other person shall come into the frame while capturing the live photograph of the customer.

F. Similarly, the live photograph of the original OVD or proof of possession of Aadhaar where

offline verification cannot be carried out (placed horizontally), shall be captured vertically from

above and water-marking in readable form as mentioned above shall be done. No skew or tilt in

the mobile device shall be there while capturing the live photograph of the original documents.

G. The live photograph of the customer and his original documents shall be captured in proper

light so that they are clearly readable and identifiable.

H. Thereafter, all the entries in the application form shall be filled as per the documents and

information furnished by the customer. In those documents where Quick Response (QR) code is

available, such details can be auto-populated by scanning the QR code instead of manual filing

the details. For example, in case of physical Aadhaar/e-Aadhaar downloaded from UIDAI where

QR code is available, the details like name, gender, date of birth and address can be auto-

populated by scanning the QR available on Aadhaar/e-Aadhaar.

I. Once the abovementioned process is completed, a One Time Password (OTP) message

containing the text that ‘Please verify the details filled in form before sharing OTP’ shall be sent

to customer’s own mobile number. Upon successful validation of the OTP, it will be treated as

customer signature on the application form. However, if the customer does not have his/her own

mobile number, then mobile number of his/her family/relatives/known persons may be used for

this purpose and be clearly mentioned in application form. In any case, the mobile number of

the authorized officer registered with the company shall not be used for customer signature.

J. The authorized officer shall provide a declaration about the capturing of the live photograph

of customer and the original document. For this purpose, the authorized official shall be verified

with One Time Password (OTP) which will be sent to his mobile number registered with the RE.

Upon successful OTP validation, it shall be treated as authorized officer’s signature on the

declaration. The live photograph of the authorized official shall also be captured in this authorized

officer’s declaration.

K. Subsequent to all these activities, the Application shall give information about the completion

of the process and submission of activation request to activation officer of the company, and also

generate the transaction-id/reference-id number of the process. The authorized officer shall

intimate the details regarding transaction-id/reference-id number to customer for future

reference.

L. The authorized officer shall check and verify that: - (i) information available in the picture of

document is matching with the information entered by authorized officer in application form.

(ii) live photograph of the customer matches with the photo available in the document.; and

(iii) all of the necessary details in the application form including mandatory field are filled

properly.;

M. On Successful verification, the application form shall be digitally signed by authorized officer

of the company who will take a print of the form, get signatures/thumb-impression of customer

at appropriate place, then scan and upload the same in system. Original hard copy may be

returned to the customer.

PART-II

Requirements for Video based Customer Identification Process (V-CIP)

The company shall adhere to the following minimum standards in case it opts to undertake V-

CIP:

(a) V-CIP Infrastructure

i) The company shall comply with the RBI guidelines on minimum baseline cyber security and

resilience framework for banks, as updated from time to time as well as other general guidelines

on IT risks. The technology infrastructure should be housed in own premises of the company

and the V-CIP connection and interaction shall necessarily originate from its own secured network

domain. Any technology related outsourcing for the process shall comply with relevant RBI

guidelines.

ii) The company shall ensure end-to-end encryption of data between customer device and the

hosting point of the V-CIP application, as per appropriate encryption standards. The customer

consent should be recorded in an auditable and alteration proof manner.

iii) The V-CIP infrastructure / application shall be capable of preventing connection from IP

addresses outside India or from spoofed IP addresses.

iv) The video recordings shall contain the live GPS co-ordinates (geo-tagging) of the customer

undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be

adequate to allow identification of the customer beyond doubt.

v) The application shall have components with face liveness / spoof detection as well as face

matching technology with high degree of accuracy. Appropriate artificial intelligence (AI)

technology can be used to ensure that the V-CIP is robust.

vi) Based on experience of detected / attempted / ‘near-miss cases of forged identity, the

technology infrastructure including application software as well as work flows shall be regularly

upgraded. Any detected case of forged identity through V-CIP shall be reported as a cyber event

under prevailing regulatory guidelines.

vii) The V-CIP infrastructure shall undergo necessary tests such as Vulnerability Assessment,

Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption

capabilities. Any critical gap reported under this process shall be mitigated before rolling out its

implementation. Such tests shall be conducted by suitably accredited agencies as prescribed by

RBI. Such tests should also be carried out periodically in conformance to internal / regulatory

guidelines.

viii) The V-CIP application software and relevant APIs / webservices shall also undergo

appropriate testing of functional, performance, maintenance strength before being used in live

environment. Only after closure of any critical gap found during such tests, the application should

be rolled out. Such tests shall also be carried out periodically in conformity with internal/

regulatory guidelines.

(b) V-CIP Procedure

i) There shall be a clear work flow and standard operating procedure for V-CIP and the company

shall ensure adherence to it. The V-CIP process shall be operated only by officials of the company

specially trained for this purpose. The official should be capable to carry out liveliness check and

detect any other fraudulent manipulation or suspicious conduct of the customer and act upon it.

ii) If there is a disruption in the V-CIP procedure, the same should be aborted and a fresh

session initiated.

iii) The sequence and/or type of questions, including those indicating the liveness of the

interaction, during video interactions shall be varied in order to establish that the interactions

are real-time and not pre-recorded.

iv) Any prompting, observed at end of customer shall lead to rejection of the account opening

process.

v) The fact of the V-CIP customer being an existing or new customer, or if it relates to a case

rejected earlier or if the name appearing in some negative list should be factored in at appropriate

stage of work flow.

vi) The authorised official performing the V-CIP shall record audio-video as well as capture

photograph of the customer present for identification and obtain the identification information

using any one of the following:

a. Offline Verification of Aadhaar for identification

b. KYC records downloaded from CKYCR, using the KYC identifier provided by the

customer

c. Equivalent e-document of Officially Valid Documents (OVDs) including documents

issued through Digi locker

The authorized official shall ensure to redact or blackout the Aadhaar number in terms of Section

16 of the RBI Master Directions.

In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, it shall be

ensured that the XML file or QR code generation date is not older than 3 days from the date of

carrying out V-CIP.

Further, in line with the prescribed period of three days for usage of Aadhaar XML file / Aadhaar

QR code, REs shall ensure that the video process of the V-CIP is undertaken within three days

of downloading / obtaining the identification information through CKYCR / Aadhaar

authentication / equivalent e-document, if in the rare cases, the entire process cannot be

completed at one go or seamlessly. However, the company shall ensure that no incremental risk

is added due to this.

vii) If the address of the customer is different from that indicated in the OVD, suitable records

of the current address shall be captured, as per the existing requirement. It shall be ensured

that the economic and financial profile/information submitted by the customer is also confirmed

from the customer undertaking the V-CIP in a suitable manner.

viii) The authorized official shall capture a clear image of PAN card to be displayed by the

customer during the process, except in cases where e-PAN is provided by the customer. The PAN

details shall be verified from the database of the issuing authority including through Digilocker.

ix) Use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP.

x) The authorised official of the company shall ensure that photograph of the customer in the

Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP and the

identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by

the customer.

xii) All accounts opened through V-CIP shall be made operational only after being subject to

concurrent audit, to ensure the integrity of process and its acceptability of the outcome.

xiii) All matters not specified under the paragraph but required under other statutes such as

the Information Technology (IT) Act shall be appropriately complied with by the company.

i) The entire data and recordings of V-CIP shall be stored in a system / system located in India.

The company shall ensure that the video recording is stored in a safe and secure manner and

bears the date and time stamp that affords easy historical data search. The extant instructions

on record retention, as stipulated in this policy, shall also be applicable for V-CIP.

ii) The activity log along with the credentials of the official performing the V-CIP shall be

preserved.

//**//**//