Data Protection and Data Privacy in the Indian Banking Sector: Evaluating the Role of KYC Regulations
- Ritik Agrawal
- 5 days ago
Akash Avthale
Savitribai Phule Pune University (SPPU)
Editor: Sakshi Soni

Introduction
In today’s globally connected world, securing the financial sector against illicit activities such as money laundering, terrorist financing, and other fraudulent practices has become a priority. To this end, banks and other financial institutions now routinely implement Know Your Customer (KYC) policies alongside data privacy policies. Such policies help banks identify their customers and protect those customers’ personal information.
The Reserve Bank of India, a major regulatory body in India, plays a significant role in establishing and updating these rules. The Master Direction on KYC issued by the Reserve Bank of India establishes a comprehensive mechanism for banks to identify their customers, prevent misuse of accounts, and keep secure records. Over the years, the KYC compliance rules have been updated to keep pace with international norms and with the concerns raised by technology-based banking.
KYC not only protects a financial institution from being drawn into illegal operations but also strengthens customer trust. A bank that knows whom it is doing business with can detect suspicious transactions early. Customers must, however, provide accurate information.
Data privacy regulations, in turn, protect customers from misuse of their information. With the increasing use of online banking, data security has become as significant as customer identification. These are some of the key factors that have shaped India’s policies, which aim to balance customer transparency with customer confidentiality.
Courts and international practice have further reinforced this structure by reminding banks that compliance and privacy are intertwined. Together, data protection regulation and KYC regulation have been instrumental in providing a secure and trustworthy financial environment.
RBI KYC norms:
The Reserve Bank of India formulated its Know Your Customer (KYC) rules in February 2005, a revamped version of a draft published in 2004, in line with the recommendations of the Financial Action Task Force (FATF), a set of worldwide standards. The FATF recommendations are primarily aimed at Anti-Money Laundering and Combating the Financing of Terrorism, and have become the global standard for every country seeking secure financial transactions. Maintaining secure financial transactions under this regulatory policy has become a vital necessity for banks, financial institutions, and Non-Banking Financial Companies in India.
The KYC policy of the RBI provides the basis for a secure and transparent banking system. It requires banks to properly understand their customers before entering into a banking relationship, which helps a bank ensure that its systems are not used for illicit purposes such as money laundering, tax evasion, or terrorism in any form.
The KYC rules are of key significance in realizing several goals. Firstly, they help reduce financial offences by verifying the identity and authenticity of every customer, thereby reducing the scope for illegal activity. Secondly, they strengthen financial stability by giving banks a proper estimate of customer- and transaction-related risks. Thirdly, they ensure worldwide compliance, which helps Indian financial institutions meet global norms and increases their credibility with overseas partners. Lastly, they support customer protection, guarding customers against identity theft, misuse of personal data, and financial theft.
An important aspect of this regulatory environment for KYC is Customer Due Diligence. This due diligence involves identifying, verifying, and monitoring customer data to make certain that all transactions are bona fide and consistent with the customer’s profile. It assists in detecting early signs of suspicious activity, which is then reported to the authorities as per regulatory requirements.
Thus, in essence, it can be said that the KYC norms set by the RBI are of key significance for maintaining integrity, transparency, and trust in the Indian finance sector.

What is Customer Due Diligence (CDD)?
Customer Due Diligence (CDD) is a crucial process under the Master Direction on KYC issued by the Reserve Bank of India, concerned with identifying the customer, the beneficial owner, and the entity engaged in financial transactions. Its main objective is to prevent money laundering, terrorist financing, and other illegal financial activity, while taking the measures necessary to ensure that financial institutions comply with the Prevention of Money Laundering Act, 2002 (PMLA). CDD acts as a check that maintains transparency, faith, and integrity within the banking system.
According to the RBI, CDD requires financial institutions (FIs) to collect, verify, and maintain customer information over the course of the relationship. The process involves identifying and verifying individuals, in the first instance, by Aadhaar (with the consent of the customer) or such other documents as may be prescribed. Banks have to verify the documents against reliable and independent sources and check the PAN or Form 60 for tax-related identification of the customer. In the case of companies or other non-individual entities, FIs are required to identify the beneficial owners who hold more than 10% ownership and to verify the identity of the authorized signatories or representatives acting on behalf of the organization.
CDD follows a risk-based approach: customers are categorized as low, medium, or high risk on the basis of their occupation, the type of business undertaken, geographical location, and associated transaction patterns. High-risk customers require enhanced due diligence, including deeper background checks and continuous monitoring, particularly where cross-border transactions are involved or where the customer resides in a country with weak anti-money laundering standards. Ongoing due diligence means the bank has to monitor customer transactions from time to time to confirm that they are consistent with the customer’s known financial behaviour. Reporting suspicious or unusual activity to the FIU-IND is mandatory. Banks must also periodically update KYC details, such as addresses and contact information, so that records remain current.
For low-risk or small accounts, which are allowed only limited operations, Simplified Due Diligence with relaxed KYC requirements is permitted. These accounts are kept under close vigil through a stipulated limit on balance (₹ 50,000) and on the total of annual credits (₹ 1,00,000). CDD must be carried out when opening an account, when high-value or suspicious transactions occur, and when customer records are periodically updated. The key improvements under the RBI’s KYC Master Direction, 2024, include advanced V-CIP with facial recognition, GPS tagging, encryption, and timestamping for secure verification. It also mandates that customer data be stored within India, integrates the CKYCR for centralized records, enhances digital KYC processes, and strengthens oversight of high-risk profiles. These updates go a long way toward making the financial system more secure, efficient, and compliant in an increasingly digital era.
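An added example (not from the article or the RBI) of the ongoing monitoring described above: it applies the stipulated Simplified Due Diligence limits (balance ₹ 50,000, annual credits ₹ 1,00,000) to a constructed ledger and escalates the account for full CDD when a transaction would breach either limit. The account class and the sample transactions are assumptions.

```python
"""Monitor for a small account opened under Simplified Due Diligence.
Limits are as stated in the article; transactions are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date

BALANCE_CAP = 50_000         # stipulated balance limit (as stated in the article)
ANNUAL_CREDIT_CAP = 100_000  # stipulated total of annual credits (as stated)


@dataclass
class SmallAccount:
    balance: int = 0
    credits_by_year: dict = field(default_factory=dict)
    escalations: list = field(default_factory=list)

    def post(self, when: date, amount: int) -> bool:
        """Apply a transaction (positive = credit, negative = debit).
        If it would push the account past a Simplified Due Diligence limit,
        record the reason, leave the transaction unapplied (pending full CDD)
        and return False; otherwise apply it and return True."""
        reasons = []
        new_balance = self.balance + amount
        if new_balance > BALANCE_CAP:
            reasons.append(f"{when}: balance would reach {new_balance} > {BALANCE_CAP}")
        yearly = self.credits_by_year.get(when.year, 0) + max(amount, 0)
        if yearly > ANNUAL_CREDIT_CAP:
            reasons.append(f"{when}: credits in {when.year} would reach {yearly} > {ANNUAL_CREDIT_CAP}")
        if reasons:
            self.escalations.extend(reasons)
            return False
        self.balance = new_balance
        self.credits_by_year[when.year] = yearly  # credits reset with the calendar year
        return True


def run_sample() -> SmallAccount:
    """Replay a constructed ledger; returns the account with its escalation log."""
    acct = SmallAccount()
    ledger = [
        (date(2024, 1, 10), 40_000),
        (date(2024, 2, 5), -30_000),
        (date(2024, 3, 1), 45_000),    # balance would hit 55,000: escalate, not applied
        (date(2024, 6, 15), 30_000),   # balance 40,000; 2024 credits 70,000
        (date(2024, 9, 1), -35_000),
        (date(2024, 11, 20), 40_000),  # 2024 credits would hit 110,000: escalate
        (date(2025, 1, 5), 40_000),    # new year, credits reset; balance 45,000
    ]
    for when, amount in ledger:
        acct.post(when, amount)
    return acct
```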

THE DPDP ACT, 2023 AND THE INDIAN BANKING SECTOR
The Digital Personal Data Protection Act, 2023, is one of the major steps toward the protection of personal data in India, particularly in banking. Banks hold a great deal of sensitive information provided by customers, and the law ensures that such information is handled judiciously and responsibly.
Under this Act, banks are considered Data Fiduciaries, meaning they are under a legal obligation to safeguard customer data, use it only for valid purposes, and prevent its misuse. This places more power in the hands of customers regarding their personal information. They can ask banks how their information is being used, correct inaccurate details, and even request deletion of their data under specific circumstances. Banks must also clearly justify the collection of personal data and seek the customer’s consent wherever it is required.
Another key aspect of the DPDP Act is data security. Banks need to establish robust systems and mechanisms to prevent data leakage or breach. In the event of a serious incident, they have to inform the Data Protection Board of India promptly. Banks that fail to comply face substantial penalties. Certain banks fall within the ambit of Significant Data Fiduciaries and, as such, carry additional responsibilities: designating a Data Protection Officer (DPO) and periodically reviewing their policies for managing customers’ personal data.
The DPDP Act complements the existing cybersecurity-related directions of the RBI, which already require banks to maintain a high standard of security. The new legislation strengthens those requirements by giving them greater legal enforceability and ensuring uniform practice across all sectors.
In other words, the DPDP Act has made banking safer by giving consumers stronger rights over their information and holding banks more accountable. This is welcome news, but banks have to reconcile these new rules carefully with the many older regulations, a process that will no doubt produce some kinks along the way.
Banking Secrecy and the Right to Information:
The tension between banking secrecy and transparency was debated at length in a prominent case, “State Bank of India v. Reserve Bank of India” (2021). Here, the Reserve Bank of India, as the banking regulator, was asked to reveal information about banks that had been penalized for violating banking rules. The State Bank of India opposed this, arguing that disclosure would violate both customer and banking secrecy.

The Supreme Court held, however, that although maintaining banking secrecy is significant from a banking perspective, it does not prevail over the right to information, especially in matters pertaining to finance. The verdict reinforced that transparency in banking transactions has become all the more important in order to instil public trust.
Protection of Financial Information:
Another important case in this area was Google India Pvt. Ltd. v. Visakha Industries (2020), which concerned the liability of online intermediaries in cases of misuse of finance-related data. The question was whether online platforms could be held liable for hosting content that led to financial fraud.
The Supreme Court stated that intermediaries must exercise due diligence to thwart monetary trickery and the misuse of private information. Following this precedent, it appears that the Reserve Bank of India imposed stricter norms on fintech firms and other online financial service businesses.
Taken together, these cases show that the Indian judiciary plays a very important role in shaping data protection policy and banking transparency. Through their observations on individual privacy, institutional confidentiality, and national security, these cases are paving the way toward a secure, transparent, and accountable online banking system, in line with technological advancements.
References
Reserve Bank of India. Master Direction - Know Your Customer (KYC) Direction, 2016. Department of Regulation. https://www.rbi.org.in/commonman/English/scripts/notification.aspx?id=2607
State Bank of India v. Reserve Bank of India, (2021) SCC Online SC 407. https://indiankanoon.org/doc/12397485/
Google India Pvt. Ltd. v. Visakha Industries & Ors., (2020) 4 SCC 162. https://indiankanoon.org/doc/97017195/
MeitY. Data Protection Board of India - Roles and Responsibilities, 2023. https://www.pib.gov.in/PressReleseDetailm.aspx?PRID=2190014&reg=3&lang=2
The Digital Personal Data Protection Act, 2023. Ministry of Electronics and Information Technology, Government of India. https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf