Jan 02, 2023

How to Comply with KYC/AML Rules in India, a Global Fintech Hub (2024)

This article covers everything you need to know about KYC/AML in India.

India has one of the fastest-growing fintech sectors in the world, with an adoption rate of 87%. At the moment, India has more than 2,000 officially recognized fintech startups, with a market size estimated at $50 billion in 2021.

India has been continuously working to minimize money laundering. After its Anti-Money Laundering (AML) Law was introduced in 2002, India began integrating with international organizations countering money laundering, joining the Financial Action Task Force (FATF) in 2010.

India still faces a variety of problems in combating money laundering. These include onshore and offshore corporate structures and informal financing networks, which are mostly used in rural areas of the country. According to the FATF’s evaluation, India is fully compliant with four of the FATF’s recommendations, and either partially compliant or non-compliant with five out of six core recommendations. 

 As India continues to improve its AML framework, companies seeking to do business in the country need to understand how to stay compliant. This article covers the essentials.

Who’s affected?

According to the Prevention of Money Laundering Act (PMLA), the following companies and individuals must comply with AML regulations in India:

  • Banks
  • Financial institutions
  • Financial intermediaries
  • Gambling providers
  • Providers of precious stones and other high-value goods.

Who are the regulators?

There are several government bodies ensuring that companies operating in India comply with regulations. 

The Directorate of Enforcement (ED) is the main regulatory authority in India responsible for the investigation and prosecution of money laundering activities. It can request that the criminal court launch proceedings for money laundering offenses. Established under the Prevention of Money Laundering Act (PMLA) in 2002, the ED operates under the Department of Revenue of the Ministry of Finance.

The Financial Intelligence Unit (FIU) also operates under the Department of Revenue. The organization was established in 2004 as a provision of the PMLA. The institution receives and analyzes reports from financial institutions on suspected money laundering activity.

The Reserve Bank of India (RBI) is the central bank of India, in charge of ensuring economic stability and growth in the country. The RBI also has to confront the spread of money laundering, providing banks in India with guidelines regarding Know Your Customer (KYC) and AML procedures. In cases of non-compliance, the RBI can impose penalties on specific banks. 

The Securities and Exchange Board of India (SEBI), just like the RBI, provides AML and KYC guidelines. However, the SEBI’s guidelines apply to financial intermediaries, rather than to banks operating in India. The SEBI can take action against institutions under its purview, with the ability to revoke operating licenses due to non-compliance.

There are several other governmental organizations that supervise institutions in their fields. This includes the Insurance Regulatory and Development Authority of India, Income Tax Department, Central Bureau of Investigation, and Registrar of Companies.

What are the main regulations?

The main AML regulation in India is the Prevention of Money Laundering Act (PMLA). It was first passed in 2002 and amended in 2005 and 2009. The PMLA criminalizes money laundering offenses and provides a list of preventive measures. According to the regulation, all affected institutions are required to maintain records of transactions and, when asked, provide them to the relevant authorities.

The PMLA includes three main objectives:

  • “Preventing and controlling money laundering activities
  • Confiscating and seizing properties acquired as part of money laundering activities
  • Dealing with other issues related to money laundering.”

A clear description of the PMLA can be found on the Indian Department of Revenue website.

How to establish internal policies

Companies should appoint a designated director and principal officer who will ensure compliance with the governmental regulations. After that, companies should:

  • Specify who constitutes ‘Senior Management’ for the purpose of compliance
  • Allocate responsibility for effective implementation of policies and procedures
  • Provide an independent evaluation of the compliance functions of its policies and procedures, including legal and regulatory requirements
  • Conduct an internal audit to verify compliance with KYC/AML policies and procedures
  • Submit quarterly audit notes and compliance to an Audit Committee, which consists of the company’s non-executive directors.


Companies need to establish risk management policies to separate customers by risk level. Depending on their risk level, customers have to submit certain documents and go through specific monitoring processes. Accordingly, a customer coming from a high-risk country will be considered a high-risk customer, as will customers who are Politically Exposed Persons (PEPs) or who appear on sanctions lists.

What is KYC and why is it needed?

KYC is a verification process that allows financial institutions to collect customer information and ensure its authenticity. KYC is needed to minimize criminal activity, such as fraud, identity theft, money laundering, etc. 

What types of KYC are in India?

India permits several types of KYC checks depending on the type of financial institution performing them.

Physical KYC procedure

The physical KYC procedure is the most traditional, requiring customers to be physically present at the financial institution in which they wish to register. The documents should be in physical paper form.

On the one hand, this method is familiar since it’s been used for ages. On the other, it can take up a significant chunk of resources since verification has to be done by hand. 

Aadhaar KYC process

Aadhaar is a unique 12-digit code issued by the Unique Identification Authority of India (UIDAI). The procedure can be conducted both online and offline. In both cases, the procedure is paperless, unlike physical KYC. 

Citizens can use their Aadhaar to register online with banks. However, this procedure can only be used by banks. Other types of companies can use biometric checks instead, which require new customers to go through face recognition or fingerprinting.

Citizens can either create a password-protected file with all their UIDAI information, which can be shared offline (via USB, for example), or use the QR code on an Aadhaar card.

One of the issues with the Aadhaar KYC system is that it is not considered full KYC. Therefore, customers can use this type of verification only for one year. After that, full KYC verification should be performed.

Digital KYC procedure

Digital KYC is a form of online verification, during which individuals provide the necessary documents for verification. According to the Reserve Bank of India, the digital KYC procedure still requires a person from the financial institution to be present during the process. Therefore, this procedure isn’t entirely digital and still takes a lot of time to conduct.

Video KYC procedure

This procedure is similar to digital KYC except that the representative of the company doesn’t physically meet with the customer, but rather conducts a video call. After the call, another representative of the company reviews the recording to ensure that the customer and documents provided during the call are authentic and match the data provided earlier. 

Central KYC procedure

The Central KYC (CKYC) procedure was introduced by the Indian government in 2012 as a once-and-for-all verification method. Instead of getting verified at each institution separately, people can register all their information with the Central KYC Registry (CKYCR), from which financial institutions will be able to extract data to register new customers.

Non-Doc Verification 

Sumsub has recently launched a fast and easy solution to onboard more users from certain countries and securely verify their identities in just one click. 

Non-Doc Verification is designed for businesses in the fintech, crypto, trading, marketplace and transportation industries, as well as for global online businesses that onboard customers in emerging markets. The new solution allows companies to instantly onboard users from India and Brazil without requesting their ID documents.

What are RBI KYC norms?

The RBI has issued a list of KYC norms and policies that financial institutions need to employ when working with customers. The KYC norms and policies include the following key elements:

  • Customer Acceptance Policy
  • Risk Management
  • Customer Identification Procedures (CIP)
  • Monitoring of Transactions.

The complete description of each norm can be found in the RBI’s Master Direction.

What is a KYC form?

A KYC form is a document filed by an individual applying to become a customer/investor of a financial or similar institution in India. The form usually contains a selection of verification data and documents. For example, a person may be requested to provide and prove their name, address, marital status, and job. The KYC application form can be found here.

What are KYC documents?

People filling in the KYC form also have to submit supporting KYC documents that prove the information provided. The required documents vary depending on whether the client is a private individual or a non-individual investor.

Documents for private individuals include: 

  • Proof of identity: passport, driving license, Voters’ Identity Card, PAN Card, Aadhaar Card issued by UIDAI, NREGA Card, Letter from the National Population Register containing details of name and address;
  • Proof of address: utility bill, a copy of the employer’s address, bank account statement received by mail or courier along with signature verification by the banker, ration card, letter from employer, bank manager of scheduled commercial banks, a land receipt or a municipal tax receipt, or a monthly pension payment order.

Documents for companies include:

  • Certificate of Incorporation
  • Memorandum and Articles of Association
  • Resolution of the Board of Directors
  • A list of authorized signatories.

New investors should submit the new CKYC form alongside the investment application form or enclose a supplementary CKYC form.

An individual can either do this via the financial institution or download the registration form from a KYC Registration Agency (KRA) website, fill it in, and submit it alongside the required documents. There are five KRAs in India: CAMS, CVL, NSE, KARVY, and NSDL, each offering a similar form that you can download and submit.

Ongoing monitoring

After the initial KYC procedure takes place, companies need to start the ongoing monitoring process to keep the customer’s information up to date. This means that information on customers should be updated regularly. 

Depending on the customer’s risk level, they might be subjected to different checking procedures. Information on high-risk customers will get updated every two years, medium-risk customers get updated every eight years, and information on low-risk customers is renewed every ten years. 

How to report suspicious activities

If a company notices suspicious activity conducted through its platform, it should report it to FIU India within seven business days. Additionally, the company should provide reports on transactions of immovable properties that exceed INR 5 million (approximately $60,000) and in-cash transactions that exceed INR 500,000 (approximately $6,000). Such reports should be sent no later than the 15th day of the following month.


Companies are required to keep records of all the transactions their customers make for five years. Companies are also required to keep the records of customers’ personal data for five years from the date of their last transaction (or the official end of business relations).

What are the penalties?

According to the PMLA, the penalties for non-compliance with the regulations vary depending on the type of violation. Both legal entities and individuals may be subject to the penalties.

The fines may vary between INR 10,000 and 100,000 (approximately $121 and $1,211) if the affected institutions fail to report suspected illegal activities to the respective authorities. When an entity commits a money laundering offense, the penalty will be three years’ imprisonment, which may be extended up to seven years, plus a monetary fine.


 AML requirements and KYC specifics in India should be taken into account when opening a company there. Companies need to establish proper internal policies and risk management procedures to smoothly onboard customers. 

Without a sufficient KYC solution, companies may fail to spot a criminal registering as a customer. Furthermore, failure to employ proper KYC solutions may lead to proliferation of money laundering activities in a company. This will result in various fines and other penalties. To avoid this, companies should employ a KYC provider.

If you want to stay compliant with regulations in India, try our automated AML/KYC solution today. Contact us for a demo. 
