
RBI KYC MD: What It Requires and Who It Applies To

Applies to: banks, NBFCs
Jurisdictions: IN

The RBI Master Direction on Know Your Customer 2016 is a consolidated regulatory framework issued by the Reserve Bank of India on February 25, 2016, requiring banks, non-banking financial companies, and all other RBI-regulated entities to identify and verify customers, apply a risk-based due diligence standard, monitor transactions against declared customer profiles, and retain all records for five years after the business relationship ends.

What is RBI KYC MD?

The RBI Master Direction on Know Your Customer is a consolidated regulatory document issued by the Reserve Bank of India on February 25, 2016, under the Banking Regulation Act 1949, the Prevention of Money Laundering Act 2002, and the Foreign Exchange Management Act 1999. It replaced and absorbed dozens of earlier circulars into a single authoritative text that RBI updates in place whenever amendments are issued.

RBI introduced this direction to align India's KYC regime with FATF Recommendation 10 on Customer Due Diligence and to close gaps that on-site examinations had exposed: inconsistent risk categorization, poor beneficial ownership documentation, and fragmented record-keeping across institution types. The direction creates a uniform framework for the full customer lifecycle: identification at onboarding, risk-based ongoing monitoring, periodic re-KYC, and records retention after account closure.

Since 2016, the Master Direction has been amended multiple times. The most consequential changes came in 2021, when RBI authorized Video-based Customer Identification Procedure (V-CIP) as a valid alternative to in-person verification for individual customers, and in 2023, when stricter beneficial ownership disclosure requirements were introduced for legal entity accounts.

The direction is available in full at https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=11566. RBI keeps it a living document, and compliance teams should treat it that way. The version that was current when your policy was last reviewed may not be the version in force today. Institutions that don't track amendments get cited for missing obligations that were unambiguous in the text. That's an avoidable failure.


Who does RBI KYC MD apply to?

The direction covers every entity regulated by the Reserve Bank of India, and the list is wider than many compliance teams assume.

Directly covered entities:

  • Scheduled commercial banks: public sector, private sector, small finance banks, payments banks, and foreign bank branches operating in India
  • Regional Rural Banks (RRBs) and Local Area Banks (LABs)
  • Primary (Urban) Co-operative Banks, State Co-operative Banks, and Central Co-operative Banks
  • All India Financial Institutions: NABARD, EXIM Bank, National Housing Bank (NHB), SIDBI
  • Non-Banking Financial Companies (NBFCs): deposit-taking, systemically important non-deposit-taking (SI-ND), NBFC-MFIs, NBFC-P2Ps, and account aggregators
  • Prepaid Payment Instrument (PPI) issuers licensed under the Payment and Settlement Systems Act
  • Credit Information Companies licensed by RBI

There are no asset-size thresholds that reduce the core compliance obligation. A single-license NBFC with ₹50 crore in assets carries the same Customer Identification Procedure and ongoing monitoring duties as a large state-owned bank. The risk-based approach allows proportionate resourcing, but it doesn't create exemptions.

Foreign bank branches in India are fully covered. Indian bank subsidiaries and branches operating abroad are subject to host-country requirements, but the Indian parent remains accountable under this direction for group-level AML risk governance. Correspondent relationships with foreign institutions must also satisfy supplementary requirements aligned with FATF Recommendation 13 on correspondent banking.

One scope point that trips up compliance teams: walk-in customers executing transactions above ₹50,000 must be identified and verified even if they don't hold accounts with the institution.


What does RBI KYC MD require?

The obligations span the full customer lifecycle. These are the core requirements compliance teams must operationalize:

  1. Customer Identification Procedure (CIP). Every customer must be identified and verified before the account is opened or the business relationship commences. Verification uses Officially Valid Documents (OVDs) as defined by the Ministry of Finance. Since 2021, V-CIP is an approved channel for individual customers, with mandatory geotagging, live session recording, and randomized questions to prevent scripted responses.

  2. Risk categorization. All customers must be classified as Low, Medium, or High risk at onboarding, with documented rationale for the classification. The risk category determines the level of Customer Due Diligence (CDD) applied and the frequency of periodic re-KYC.

  3. Enhanced Due Diligence for high-risk accounts. High-risk customers require Enhanced Due Diligence (EDD) documentation, including source of funds, source of wealth, and a documented account purpose. EDD is mandatory for accounts linked to high-risk geographies, complex ownership structures, or transaction patterns inconsistent with the customer's declared profile.

  4. Beneficial ownership identification. For legal entities, banks must identify every Ultimate Beneficial Owner (UBO) holding 25% or more equity interest, or 10% for accounts classified as higher risk. The UBO must be verified, not just declared. This requirement directly implements FATF Recommendation 24 on beneficial ownership.

  5. PEP screening. Domestic and foreign Politically Exposed Persons require senior management approval before account opening and mandatory EDD throughout the relationship, consistent with FATF Recommendation 12 on PEPs.

  6. Periodic KYC review. Low-risk accounts: every 10 years. Medium-risk: every 8 years. High-risk: every 2 years. Accounts flagged by transaction monitoring are reviewed on an accelerated basis regardless of where they sit in their scheduled review cycle.

  7. Ongoing transaction monitoring. Transactions must be monitored against each customer's declared profile and intended account purpose. Suspicious transactions must be reported to the Financial Intelligence Unit-India (FIU-IND) within 7 days of the institution being satisfied the transaction is suspicious.

  8. Record retention. All KYC records, account files, and transaction documents must be retained for five years after the account is closed or the business relationship ends, consistent with FATF Recommendation 11 on record keeping. For ongoing relationships, records covering the full active period must be preserved and retrievable on demand.
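Requirements 6 and 7 above turn into a scheduling problem once a portfolio is involved: every account carries a due date derived from its last completed review and its risk tier, a monitoring flag overrides the schedule, and the examiner-facing metric is the share of reviews completed on time. The following is an added example (not the direction's own text and not any vendor's product) that implements those rules. The 10 / 8 / 2 year intervals and the accelerated review for flagged accounts come from the text; the account records, the as-of date and the one-year reporting window are constructed assumptions, and the historical reviews of an account are evaluated against its current tier for simplicity.

```python
"""Periodic re-KYC scheduling and overdue detection by risk tier (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Review interval in years per risk tier, as stated in the direction's requirement 6.
INTERVAL_YEARS = {"LOW": 10, "MEDIUM": 8, "HIGH": 2}


@dataclass
class Account:
    account_id: str
    risk: str                      # "LOW", "MEDIUM" or "HIGH"
    reviews: List[date]            # completed KYC dates, onboarding KYC first
    monitoring_flag: bool = False  # currently flagged by transaction monitoring


@dataclass
class ReviewStatus:
    state: str         # "CURRENT", "OVERDUE" or "ACCELERATED"
    due: date          # scheduled due date derived from the last completed review
    days_overdue: int  # 0 unless state is "OVERDUE"


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 Feb rolls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def due_after(review: date, risk: str) -> date:
    return add_years(review, INTERVAL_YEARS[risk])


def review_status(acct: Account, as_of: date) -> ReviewStatus:
    due = due_after(acct.reviews[-1], acct.risk)
    if acct.monitoring_flag:
        # Flagged accounts are reviewed now, wherever they sit in the scheduled cycle.
        return ReviewStatus("ACCELERATED", due, 0)
    if due <= as_of:
        return ReviewStatus("OVERDUE", due, (as_of - due).days)
    return ReviewStatus("CURRENT", due, 0)


def overdue_by_tier(accounts: List[Account], as_of: date) -> Dict[str, int]:
    counts = {tier: 0 for tier in INTERVAL_YEARS}
    for acct in accounts:
        if review_status(acct, as_of).state == "OVERDUE":
            counts[acct.risk] += 1
    return counts


def on_time_completion_rate(accounts: List[Account], as_of: date,
                            window_days: int = 365) -> Optional[float]:
    """Share of reviews that fell due inside the trailing window and were completed
    on or before their due date. A review completed late still counts as missed."""
    start = as_of - timedelta(days=window_days)
    due_count = on_time = 0
    for acct in accounts:
        for i, completed in enumerate(acct.reviews):
            due = due_after(completed, acct.risk)
            if not (start < due <= as_of):
                continue
            due_count += 1
            nxt = acct.reviews[i + 1] if i + 1 < len(acct.reviews) else None
            if nxt is not None and nxt <= due:
                on_time += 1
    return on_time / due_count if due_count else None


# Constructed sample portfolio (not real accounts) evaluated as of 30 June 2024.
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("A1", "HIGH", [date(2019, 3, 1), date(2021, 2, 15), date(2023, 1, 10)]),
    Account("A2", "HIGH", [date(2019, 6, 1)]),                       # never re-reviewed
    Account("A3", "HIGH", [date(2021, 9, 1)]),                       # fell due in window
    Account("A4", "MEDIUM", [date(2015, 10, 20), date(2023, 10, 1)]),  # on time
    Account("A5", "LOW", [date(2014, 1, 15)]),                       # 10-year cycle missed
    Account("A6", "LOW", [date(2013, 2, 1), date(2022, 11, 30)], monitoring_flag=True),
    Account("A7", "HIGH", [date(2021, 11, 10), date(2024, 2, 20)]),  # completed late
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        s = review_status(acct, AS_OF)
        print(f"{acct.account_id} {acct.risk:<6} due {s.due} {s.state} +{s.days_overdue}d")
    print("overdue by tier:", overdue_by_tier(SAMPLE_ACCOUNTS, AS_OF))
    print("on-time completion rate:", on_time_completion_rate(SAMPLE_ACCOUNTS, AS_OF))
```

The on-time rate deliberately does not give credit for a review completed after its due date, because the enforcement orders quoted later on this page treat a late re-KYC as an overdue account for the period it was late; a dashboard that counts late completions as done will overstate compliance.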


What evidence do regulators expect?

RBI examiners conduct on-site inspections and thematic reviews. Based on published inspection frameworks and publicly available enforcement orders, here's what they look for on audit day.

Governance and policies:

  • A board-approved KYC/AML policy, reviewed at least annually and updated whenever the direction is amended
  • A designated Chief Compliance Officer with direct board-level reporting
  • A Customer Acceptance Policy that names prohibited customer categories, not just generic risk language

Customer files:

  • Complete OVD copies or V-CIP session recordings (with geotagging metadata) for every account
  • Signed customer declarations for simplified due diligence accounts
  • UBO declaration and verification records for all legal entity customers, covering the full ownership chain
  • PEP screening results with senior management approval documentation where applicable
  • Source of funds and wealth documentation for all EDD-classified accounts

Risk categorization and periodic review:

  • Evidence that each customer's risk category was assigned at onboarding with documented basis
  • Scheduled review dates and completion records for every risk tier
  • Re-KYC completion rates; RBI has cited banks in published enforcement orders for rates below 95% for overdue accounts

Transaction monitoring systems:

  • Configuration logs showing alert rule parameters and thresholds
  • Alert disposition records with analyst notes and escalation paths
  • STR filing logs with timestamps demonstrating compliance with the 7-day window
  • Annual validation results confirming that monitoring rules are calibrated to current risk profiles

Staff training: Completion records for all customer-facing and compliance staff, including refresher training dates and assessment scores.

RBI examiners typically sample 50 to 200 customer files per inspection cycle. Files with incomplete OVDs, missing UBO documentation, or overdue periodic reviews are the most consistent citation triggers. Have them ready, not just retrievable.


Common failure modes

The RBI's published enforcement orders from 2020 to 2024 show a consistent pattern of deficiencies across institution types and sizes.

  • Incomplete UBO chains. Banks collect first-level ownership data but miss beneficial owners whose stakes are routed through holding companies, trusts, or nominee arrangements. RBI expects the complete structure, traced to the natural person who ultimately controls or benefits.

  • Overdue periodic KYC. High-risk accounts require review every two years. Multiple enforcement orders document cases where high-risk accounts went three to five years without re-KYC. One 2022 order cited a mid-sized private bank for 8,400 overdue high-risk accounts.

  • V-CIP process failures. Since the 2021 amendments authorized video-based onboarding, banks have been cited for conducting V-CIP sessions without mandatory geotagging, without live randomized questions, and without retaining session recordings in a form that is retrievable for examination.

  • STR filing delays. The 7-day window starts when the institution is satisfied the transaction is suspicious, not when an internal investigation concludes. Banks have been cited for delays of 30 to 90 days, attributing the gap to ongoing review. That's not an acceptable explanation under the direction.

  • Shallow correspondent due diligence. Foreign correspondent accounts are regularly flagged for missing CDD at the time the relationship was established and for the absence of documented annual reviews of the respondent bank's AML controls.

  • Customer Acceptance Policies that don't actually accept or reject. Policies drafted with only generic risk language and no documented prohibited categories don't satisfy RBI's expectation of a real risk appetite statement. Examiners note the absence specifically.
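Requirement 4 above sets the UBO thresholds (25%, or 10% for higher-risk accounts), and the first failure mode in this list is that banks record only direct holders and so miss natural persons whose stake arrives through holding companies, trusts or nominees. The following is an added example (not the Master Direction's own method and not any vendor's code) that resolves a declared ownership structure down to natural persons and applies the threshold by risk category. It computes each person's effective interest as the sum, over all ownership paths, of the product of the stakes along the path; treating indirect interest that way is a modelling assumption. The entities, persons and stakes are constructed sample data; `HoldCo B` deliberately declares only 90% of its equity so the undeclared remainder is surfaced rather than silently lost.

```python
"""Beneficial-ownership resolution through holding companies, trusts and nominees
(added example)."""
from fractions import Fraction
from typing import Dict, List, Set, Tuple

# owners_of[entity] -> list of (holder, percent of that entity's equity held)
OwnersOf = Dict[str, List[Tuple[str, int]]]

UNRESOLVED = "UNRESOLVED"  # sentinel for equity with no declared holder
# Threshold keyed by whether the account is classified higher risk (from the text).
THRESHOLD = {False: Fraction(25, 100), True: Fraction(10, 100)}

# Constructed sample structure (not a real group). HoldCo B declares only 90%.
OWNERS_OF: OwnersOf = {
    "Target Pvt Ltd": [("HoldCo A", 60), ("Priya", 20), ("HoldCo B", 20)],
    "HoldCo A":       [("Rahul", 50), ("Family Trust", 50)],
    "Family Trust":   [("Rahul", 100)],
    "HoldCo B":       [("Priya", 30), ("Nominee Co", 60)],
    "Nominee Co":     [("Anil", 100)],
}
NATURAL_PERSONS: Set[str] = {"Priya", "Rahul", "Anil"}


def effective_ownership(target: str, owners_of: OwnersOf,
                        natural_persons: Set[str]) -> Dict[str, Fraction]:
    """Trace every ownership path from `target` down to natural persons."""
    shares: Dict[str, Fraction] = {}

    def credit(holder: str, stake: Fraction) -> None:
        shares[holder] = shares.get(holder, Fraction(0)) + stake

    def walk(entity: str, weight: Fraction, path: Tuple[str, ...]) -> None:
        if entity in path:  # cross-holdings would otherwise recurse forever
            raise ValueError("circular holding: " + " -> ".join(path + (entity,)))
        declared = Fraction(0)
        for holder, pct in owners_of.get(entity, []):
            stake = Fraction(pct, 100)
            declared += stake
            if holder in natural_persons:
                credit(holder, weight * stake)
            else:
                walk(holder, weight * stake, path + (entity,))
        if declared > 1:
            raise ValueError(f"{entity}: declared holdings exceed 100%")
        if declared < 1:
            # An intermediate entity with no declaration at all lands here too.
            credit(UNRESOLVED, weight * (1 - declared))

    walk(target, Fraction(1), ())
    return shares


def has_circular_holding(target: str, owners_of: OwnersOf,
                         natural_persons: Set[str]) -> bool:
    try:
        effective_ownership(target, owners_of, natural_persons)
    except ValueError as exc:
        return str(exc).startswith("circular holding")
    return False


def first_level_view(target: str, owners_of: OwnersOf,
                     natural_persons: Set[str]) -> Dict[str, Fraction]:
    """What a bank sees if it records only direct natural-person holders."""
    return {h: Fraction(p, 100) for h, p in owners_of.get(target, [])
            if h in natural_persons}


def identify_ubos(shares: Dict[str, Fraction],
                  high_risk: bool) -> List[Tuple[str, Fraction]]:
    """Natural persons at or above the threshold for the account's risk category."""
    threshold = THRESHOLD[high_risk]
    ubos = [(p, s) for p, s in shares.items() if p != UNRESOLVED and s >= threshold]
    return sorted(ubos, key=lambda ps: (-ps[1], ps[0]))


def as_percent(shares: Dict[str, Fraction]) -> Dict[str, float]:
    return {name: round(float(s * 100), 2) for name, s in shares.items()}


if __name__ == "__main__":
    full = effective_ownership("Target Pvt Ltd", OWNERS_OF, NATURAL_PERSONS)
    direct = first_level_view("Target Pvt Ltd", OWNERS_OF, NATURAL_PERSONS)
    print("effective interest:", as_percent(full))
    print("UBOs at 25%:", identify_ubos(full, high_risk=False))
    print("UBOs at 10%:", identify_ubos(full, high_risk=True))
    print("first-level view only:", as_percent(direct),
          "-> UBOs:", identify_ubos(direct, high_risk=False))
```

On the sample structure the first-level view shows only `Priya` at 20% and therefore reports no UBO at all, while the full trace puts `Rahul` at 60% and `Priya` at 26%, and at the 10% threshold also surfaces `Anil` at 12% behind the nominee company. The 2% the structure never declares is reported under `UNRESOLVED`, which is the kind of gap in an ownership chain an examiner would expect the file to explain.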


Penalties for non-compliance

The RBI acts under Section 47A of the Banking Regulation Act 1949 and Section 45-IE of the RBI Act 1934. The direction itself doesn't specify penalty caps; those are set by the governing statutes.

Statutory ranges:

Under the Banking Regulation Act, RBI can impose penalties up to ₹1 crore per violation, or twice the amount involved in a transaction if that figure is larger. Repeat violations can result in business restrictions or license cancellation. NBFCs face penalties under the RBI Act of up to ₹100,000 per violation per day for continuing violations.

Named enforcement actions:

  • Bandhan Bank, September 2022: RBI imposed a penalty of ₹29.55 crore for non-compliance with multiple directions, including failure to complete periodic KYC updates within prescribed timelines. (RBI enforcement orders, September 2022)

  • HDFC Bank, 2023: ₹10 crore penalty for violations across multiple regulations, including KYC-related customer risk categorization deficiencies. (RBI enforcement orders, 2023)

  • Paytm Payments Bank, January 31, 2024: RBI directed the bank to stop accepting new deposits and credit transactions, citing systemic non-compliance with KYC and Customer Identification Procedure requirements at scale. This is the clearest available example of what systemic KYC failure looks like in practice: not a fine, but cessation of most banking operations. (RBI press release, January 31, 2024)

The Paytm case is the benchmark worst case. Any compliance team inclined to treat KYC as a documentation exercise should read that order.


Related regulations and frameworks

RBI KYC MD sits inside a wider stack of obligations. Reading it in isolation produces compliance gaps.

PMLA 2002 and Rules: The Prevention of Money Laundering Act 2002 is the primary AML statute in India. The KYC direction implements PMLA obligations for RBI-regulated entities. Both must be satisfied simultaneously; the direction is subordinate to PMLA, not a replacement for it. The PMLA Maintenance of Records Rules 2005 set out the specific record format and retention requirements that sit alongside the direction.

FATF Recommendations: India is a FATF member, and the direction explicitly implements FATF Recommendation 10 on CDD and FATF Recommendation 11 on record keeping at the national level. India's 2024 FATF Mutual Evaluation found substantial compliance with CDD requirements, with partial compliance noted for legal entity beneficial ownership, which explains why that area is now under intensified enforcement attention. (FATF Mutual Evaluation of India, 2024)

FIU-IND Reporting Guidelines: FIU-IND is the STR and CTR receiving authority. Its reporting format guidelines apply alongside this direction and govern the specific structure of STR filings.

RBI Frauds Master Direction 2024: When a KYC failure contributes to a fraud event, the RBI Master Direction on Frauds 2024 adds supplementary reporting obligations. Both directions interact at the point of suspicious transaction detection.

RBI Cyber Security Framework: Customer data collected under KYC is governed by the RBI Cyber Security Framework for Banks for storage, access controls, and breach response.

International equivalents: Comparable frameworks include MAS Notice 626 in Singapore and the UAE AML Federal Decree 2018. For global banks with Indian operations, the EU AMLR 2024 introduces parallel CDD obligations at the group level that must be reconciled with the RBI's requirements, not run as separate silos.


How FluxForce supports RBI KYC MD compliance

FluxForce's AI agents automate the tasks that generate the most RBI KYC citations: periodic review scheduling, UBO chain resolution, PEP screening across global watchlists, and customer due diligence documentation. Nova Sentinel handles real-time transaction monitoring against each customer's declared profile, with full decision explanations for every alert. Aiden Flux manages the end-to-end KYC and identity verification workflow, from onboarding through re-KYC, with audit trails that meet RBI's evidence expectations. Request a demo to see how FluxForce maps to your specific obligations.
