PWC India Report


Questions and Answers:

‘Know Your Customer’ quick reference guide


Country by country comparison of high level Know Your Customer and Anti-Money Laundering information

India
Key contact: Dhruv Chawla
Email: dhruv.chawla@in.pwc.com
Tel: +91 (0) 8130166550
Postal address: PricewaterhouseCoopers Pvt. Ltd., The Millenia, Tower D, 7th Floor, 1&2 Murphy Road, Ulsoor, Bangalore - 560008 India
Last updated: January 2016

Regulatory Environment

Q1. In what year did the relevant AML laws and regulations become effective?

A1. The Prevention of Money Laundering Act 2002 (“PMLA”) came into force in Jul 2005. The current amendment to the PMLA, made in 2012, became operational with effect from 15 Feb 2013.

Q2. If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

A2. Amendment to the PMLA was enacted on 17 Dec 2012 and came into effect on 15 Feb 2013. The highlights of the amendments are as follows:
a) the scope of money laundering activities has been broadened to include proceeds of crime including its concealment, possession, acquisition, or use and projecting and claiming, making mere
possession of proceeds of crime an offence;
b) possession of money received from criminal proceeds is also classified as crime;
c) the threshold limit (earlier INR3m (approx. USD45,000)) for initiating money laundering cases has been removed;
d) penalty schemes for money laundering activities have been revisited;
e) the imprisonment term has been lengthened from at least three years to a maximum of seven years; and
f) the upper limit for fines of INR500,000 (approx. USD7,500) has been removed (i.e. there is no upper limit fixed).

Q3. Who is the regulator for AML controls for: (a) Banking; (b) Other financial services; (c) Non-financial sector (e.g. casinos, high value goods etc.)? Please include a link to the regulator(s) website.

A3. a) Reserve Bank of India Financial Intelligence Unit (“RBI FIU”) for Banks (http://fiuindia.gov.in/);
b) Insurance Regulatory and Development Authority (“IRDA”) for Insurance: (https://www.irda.gov.in/); and
c) Securities and Exchange Board for India (“SEBI”) for asset management companies. (http://www.sebi.gov.in/).

Q4. Is there any practical guidance provided to firms by public authorities regarding AML requirements, beyond the FATF recommendations and local legislation? Please include link to website, where available.

A4. RBI Master Circular dated 01 Jul 2014 on AML and KYC prescribes the following additional measures:
a) full verification of identity at least every two years for high risk customers, every eight years for medium risk customers and every ten years for low risk customers;
b) positive confirmation (obtaining KYC related updates through e-mail, letter, telephonic conversation, forms, interviews, visits, etc.) to be completed at least every two years for medium risk and at
least every three years for low risk individuals and entities; and
c) risk categorisation of accounts needs to be reviewed every six months.

Q5. Is there a requirement to retrospectively verify the identity of customers before the date the new AML regime was introduced?

A5. No.

Q6. Is a risk based approach approved by the local regulator(s)?

A6. Yes, the local regulators (RBI, IRDA and SEBI) allow banking companies, financial institutions and intermediaries to use a risk based approach. On the basis of a risk based approach, verification of identity is
done for high risk customers every two years, medium risk customers every eight years and low risk customers every ten years. A review of risk categorisation of accounts should be carried out at a
periodicity of not less than once in six months.

Q7. Has the country been the subject of a FATF (or FATF-style) Mutual Evaluation or IMF assessment exercise in the last three years? If yes, please find a link to a relevant report (if publicly available).

A7. The first Mutual Evaluation report on India was adopted on 24 Jun 2010 and recommended that India be placed in a regular follow-up process for mutual evaluation processes. The 8th Follow Up Report on
the Mutual Evaluation of India was published in Jun 2013 and can be found at (http://www.fatf-gafi.org/media/fatf/documents/reports/mer/India_FUR8_2013.pdf). The report concluded that India had made
sufficient progress for all core and key recommendations and recommended that India be removed from the follow-up procedure.

In Jan 2013, the IMF published its update entitled ‘India: Financial System Stability Assessment Update’ which can be found here: http://www.imf.org/external/pubs/ft/scr/2013/cr1308.pdf

Customer Due Diligence

Q8. Are there minimum transaction thresholds, under which customer due diligence is not required?
If Yes, what are the various thresholds in place?

A8. In the case of transactions carried out by a non-account based customer (walk-in customer) where the amount of the transaction is lower than INR50,000 (approx. USD750), the customer’s identity and
address do not require verification. However, if a bank has reason to believe that a customer is intentionally structuring a transaction into a series of transactions below the threshold of INR50,000 (approx.
USD750), the bank should verify the identity and address of the customer and also consider filling in a suspicious transaction report. Verification of identity must be conducted in respect of all cross border
payments.

Q9. What are the high level requirements for verification of customer identification information (individuals and legal entities)?

A9. The banking company, financial institution or intermediary must verify and maintain the records in respect of the identity and the current address of the client. The documents required are:

Individuals:
Official valid documents such as passport, driving licence, Permanent Account Number (“PAN”) Card, Voter's Identity Card issued by the Election Commission of India, or any other document.

Corporates:
a) Certificate of Incorporation;
b) Memorandum and Articles of Association;
c) a resolution from the Board of Directors and power of attorney granted to its managers, officers or employees to transact on its behalf; and
d) an official valid document in respect of managers, officers or employees holding an attorney to transact on its behalf.

Association of Persons or Body of Individuals:
a) resolution of the managing body of such association or body of individuals;
b) power of attorney granted to him to transact on its behalf;
c) an official valid document in respect of the person holding an attorney to transact on its behalf; and
d) such information as may be required by the banking company or the financial institution or the intermediary to collectively establish the legal existence of such an association or body of individuals.

Q10. Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

A10. Certified copies of an official valid document may be used. The copies need to be verified by seeing the originals and stamped as ‘originals seen and verified’.

Q11. What are the high level requirements around beneficial ownership (identification and verification)?

A11. The banking company, financial institution or intermediary should take reasonable measures to identify the beneficial owner(s) and verify his/her/their identity in a manner so that it is satisfied that it knows
who the ultimate beneficial owner(s) is/are.

Q12. In what circumstances are reduced/simplified due diligence arrangements available?

A12. Customers can be categorised based on their risk profile. For example, individuals and entities whose identities and sources of wealth can be easily identified may be categorised as low risk. Reduced due
diligence arrangements may be followed by the banking company, financial institution or intermediary in the case of low risk customers. The review of low risk clients’ KYC documents can be performed once
every ten years as per RBI circular dated 23 Jul 2013. In addition, under RBI Circular on KYC dated 10 Dec 2012, norms were further simplified to have only one document for both identity and address if the
address on the document submitted for identity proof is the same as that declared in the account opening form. Introduction from an existing customer of the bank is not mandatory when documents of
identity and address are provided.

Q13. In what circumstances are enhanced customer due diligence measures required?

A13. Customers that are likely to pose a higher than average risk to the bank may be categorised as medium or high risk depending on the customer's background, nature and location of activity, country of origin,
source of funds and client profile etc. Banks may apply enhanced due diligence measures based on the risk assessment, thereby requiring intensive due diligence for higher risk customers, especially those
for whom the source of funds is not clear. Examples of customers requiring higher due diligence may include:
a) non-resident customers;
b) high net worth individuals;
c) trusts, charities, NGOs and organisations receiving donations;
d) companies having a close family shareholding or beneficial ownership;
e) firms with 'sleeping partners';
f) PEPs of foreign origin;
g) non-face to face customers;
h) those with a high risk reputation as per public information available; and
i) correspondent banking relationships.

Q14. In what circumstances is additional due diligence required for Politically Exposed Persons (‘PEPs’)?

A14. Banks should gather sufficient information on any person/customer of this category intending to establish a relationship and check all the information available on the person in the public domain. Banks
should verify the identity of the person and seek information about their source of funds before accepting the PEP as a customer. The decision to open an account for a PEP should be taken at a senior level
which should be clearly identified in the Customer Acceptance policy. Banks should also subject such accounts to enhanced monitoring on an ongoing basis. The above may also be applied to the accounts
of the family members or close relatives of PEPs. In the case of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, banks should obtain senior management
approval to continue the business relationship and subject the account to the customer due diligence measures as applicable to the customers of a PEP category including enhanced monitoring on an
ongoing basis. These instructions are also applicable to accounts where a PEP is the ultimate beneficial owner. Further, banks should have appropriate ongoing risk management procedures for identifying
and applying enhanced customer due diligence to PEPs, customers who are close relatives of PEPs, and accounts of which a PEP is the ultimate beneficial owner.

Q15. What enhanced due diligence must be performed for correspondent banking relationships (cross-border banking and similar relationships)?

A15. Banks should gather sufficient information to understand fully the nature of the business of the correspondent/respondent bank. Banks should try to ascertain from publicly available information whether the
other bank has been subject to any money laundering or terrorist financing investigation or regulatory action. It should also be satisfied that the respondent bank has verified the identity of the customers
having direct access to the accounts and is undertaking ongoing due diligence on them. The correspondent bank should also ensure that the respondent bank is able to provide the relevant customer
identification data immediately on request. Additionally, in view of monitoring and reviewing ‘at par’ cheque facility extended to walk-in-customers of cooperative banks through correspondent banking
arrangements and to assess the risks including credit risk and reputation risk arising therefrom, banks should retain the right to verify the records maintained by the client cooperative banks/societies for
compliance with the extant instructions on KYC and AML under such arrangements.

Q16. Are relationships with shell banks specifically prohibited?

A16. Yes. Guidance issued by the local regulator prohibits entering into a correspondent relationship with shell banks. Shell banks are not permitted to operate in India. Banks should also guard against
establishing relationships with respondent foreign financial institutions that permit their accounts to be used by shell banks.

Q17. In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

A17. In the case of non-face-to-face customers, apart from applying the usual customer identification procedures, banks must adopt specific and adequate procedures to mitigate the higher risk involved.
Certification of all the documents presented should be insisted upon, and additional documents may be called for in such cases. In the case of cross-border customers, there is the additional difficulty of
matching the customer with the documentation and the bank may have to rely on third party certification/ introduction. In such cases, it must be ensured that the third party is a regulated and supervised entity
and has adequate KYC systems in place. Additionally, the first transaction should be through a cheque issued from an existing bank account.

Reporting

Q18. To whom are Suspicious Activity Reports (SARs) made? Please include a link to their website.

A18. Financial Intelligence Unit (FIU-IND): (http://fiuindia.gov.in/).

In India SARs are known as “STRs” (Suspicious Transaction Reports).

Q19. What was the volume of SARs made to the authorities in the most recent year? Please state the GDP for the equivalent year.

A19. Volume of SARs:

2013-14 - 54,000 (Source: FIU India Annual Report 2013-14).

Comparative GDP data is not available for this specific period.

Q20. Are there any obligations to report anything more than suspicious transactions e.g. unusual transactions, cash transactions above a certain threshold, international wire transfers, other transactions etc.?

A20. Yes, as per the RBI and FIU guidelines, all banking institutions are required to report all such activities in terms of STR (on occurrence), Cash Transaction Reports and Counterfeit Currency Reports
(periodically as per timelines laid down by the regulators) including all transactions involving receipts by non-profit organisations of value more than INR1m (approx. USD15,000) or its equivalent in foreign
currency.

Q21. Are there any de minimis thresholds below which transactions do not need to be reported?

A21. Cash transactions below INR50,000 (approx. USD750) need not be reported. However, if there is a suspicion of deliberate effort to structure the transactions in such a way to keep the transaction just below
the threshold, then such activities need to be reported as an STR.

Q22. Are there any penalties for non compliance with reporting requirements e.g. tipping off?

A22. There are punitive clauses in the existing PMLA (2002) which were revised in 2013. Penalty schemes for money laundering activities were amended:
a) imprisonment term lengthened from at least three years to a maximum of seven years;
b) upper limit for fines of INR500,000 (approx. USD7,500) removed (i.e. no upper limit fixed);
c) scope of money laundering activities broadened (possession of money received from criminal proceeds is also classified as crime); and
d) threshold limit (earlier INR3m (USD45,000)) for initiating money laundering cases removed.

Q23. Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

A23. Yes, as per RBI and FIU guidelines.

Q24. Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

A24. Internal clearance is required.

Q25. Does the local legislation allow transactions to be monitored outside the jurisdiction?

A25. Yes. Section 2.17 of the RBI’s Master Circular (01 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “The guidelines contained
in this master circular shall apply to the branches and majority owned subsidiaries located abroad, especially, in countries which do not or insufficiently apply the FATF Recommendations, to the extent local
laws permit. When local applicable laws and regulations prohibit implementation of these guidelines, the same should be brought to the notice of Reserve Bank. In case there is a variance in KYC/AML
standards prescribed by the Reserve Bank and the host country regulators, branches/overseas subsidiaries of banks are required to adopt the more stringent regulation of the two.”

AML Audits

Q26. Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

A26. Yes. Section 7 of the RBI’s Master Circular (12 Jul 2013) on KYC norms/AML standards/Combating of Financing of Terrorism /Obligation of banks under PMLA, 2002 stipulates: “Concurrent/Internal auditors
should specifically check and verify the application of KYC procedures at the branches and comment on the lapses observed in this regard. The compliance in this regard should be put up before the Audit
Committee of the Board on quarterly intervals.”

Q27. If an external report on the bank’s AML systems and controls is required:
a) how frequently must the report be provided?
b) to whom should the report be submitted?
c) is it part of the financial statement audit?

A27. Yes, once a year the external and internal auditors are mandated by the regulator to specifically report on KYC and AML controls. In addition, the RBI, SEBI and IRDA conduct annual inspections.

Q28. What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require:
a) sample testing of KYC files?
b) sample testing of SAR reports?
c) examination of risk assessments?

A28. Yes, they need to include the steps described in Q28 and to report on the findings.

Data Privacy

Q29. Does the country have established data protection laws? If so:
a) does the definition of “personal data” cover material likely to be held for KYC purposes?
b) how do the laws apply to corporate data?
c) does this country have a separate definition of “sensitive data”? How is it defined and what are the additional protections?

A29. Yes, they are governed by the Personal Data Protection Bill 2006 and Information Technology Act 2000.

Q30. Are there any prohibitions on the transfer of credit reports (for KYC and credit risk analysis purposes), criminal records (for KYC and crime prevention purposes) and medical data (for KYC and pension
benefits purposes)?

A30. Since banks collect Sensitive Personal Data or Information (“SPDI”), they need to comply with the Rules, which lay down certain procedures to be followed at the time of collection of data, transfer of data,
and disposal of data, and to maintain relevant security practices and procedures. In the event a bank is negligent in implementing and maintaining “reasonable security practices and procedures” in relation to
SPDI, which causes “wrongful loss or wrongful gain” to any person, then the bank is liable to pay compensation to the affected person whose SPDI was compromised. The aggrieved person claiming
compensation may approach an adjudicating officer appointed under the Act in the case of damages of up to INR50m (approx. USD750,800) or before the civil court in case the damages claimed are above
INR50m (approx. USD750,100).

The Personal Data Protection Bill 2006 protects the privacy of individuals, but the bill was not passed into law. In the meantime, the Act was amended in 2008 to include Section 43A and Section 72A to
protect personal data (“PI”) and SPDI.

Q31. Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

A31. The Personal Data Protection Bill 2006 and Information Technology Act, 2000. The Information Technology Act provides for recognition of electronic signatures, e-documents and e-transactions, and seeks
to control offences conducted over the internet. Also, post-2001, the RBI introduced guidelines governing internet banking, confidentiality, anti-money laundering and KYC norms, which may have prompted
customers to move towards the e-platform, albeit with some concerns with respect to the privacy and security of their banking transactions.

Q32. Does this jurisdiction have bank secrecy laws or other obligations of confidentiality (other than those that may have been accepted expressly under contract e.g. in account opening documentation)? If so,
what data is subject to regulation?

A32. As per the Personal Data Protection Bill 2006, while collecting SPDI, the bank must seek express written consent from the provider of information via a letter, fax or e-mail, or consent given by any mode of
electronic communication, in relation to the purpose for which SPDI may be used. The provider of information must also be given an option to withdraw such consent and must have knowledge and/or be
provided information as to:
a) the fact that information is being collected;
b) the purpose for which it is being collected;
c) intended recipients of the information; and
d) the name and address of the agency that is collecting and/or retaining the information.

At PwC United Kingdom, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 208,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us
what matters to you by visiting us at www.pwc.com/UK.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation
or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability,
responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2016 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to the UK member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.
160303-092639-LA-OS
