HomeServicesFEMA & RBIKYC / AML & Fit-and-Proper Compliance Advisory

FEMA & RBI · NBFC & Financial Services Licensing

KYC / AML & Fit-and-Proper Compliance Advisory

Every entity regulated by the Reserve Bank of India — NBFCs, banks, payment system operators, money changers, Account Aggregators — must run a Board-approved Know Your Customer (KYC) and Anti-Money Laundering (AML) programme under the RBI Master Direction on KYC and the Prevention of Money-Laundering Act, 2002, and every director and key managerial person of such an entity must independently satisfy 'fit and proper' criteria that RBI can and does scrutinise at licensing, at every subsequent director appointment, and on an ongoing annual basis.

Chartered Accountants · Chennai · Hyderabad · Bangalore · Dubai · Since 1986

2,000+Clients since 1986
42 yrsCA practice
4Offices · India & UAE
24 hrsResponse time

Every entity regulated by the Reserve Bank of India — NBFCs, banks, payment system operators, money changers, Account Aggregators — must run a Board-approved Know Your Customer (KYC) and Anti-Money Laundering (AML) programme under the RBI Master Direction on KYC and the Prevention of Money-Laundering Act, 2002, and every director and key managerial person of such an entity must independently satisfy 'fit and proper' criteria that RBI can and does scrutinise at licensing, at every subsequent director appointment, and on an ongoing annual basis. Getting either wrong does not produce a late fee — it produces licence-threatening supervisory action, personal disqualification of directors, and reputational damage that outlasts the compliance gap itself. At PNPC Global, we have advised regulated and about-to-be-regulated financial entities across India and the UAE since 1986. Our KYC/AML & Fit-and-Proper Compliance Advisory service designs the policy framework, builds the supporting governance structure, and keeps it defensible under RBI inspection and FIU-IND scrutiny — not as a one-time document, but as a living compliance system.

What it costs

Govt. feesGovernment & statutory fees as applicable to your case
Professional feeFixed professional fee — confirmed in writing before we start

No hidden charges. The exact figure is set in your engagement letter.

What KYC / AML & Fit-and-Proper Compliance Advisory is

KYC/AML & Fit-and-Proper Compliance Advisory is a structured advisory engagement covering two distinct but interlinked regulatory obligations that apply to every RBI-regulated entity — NBFCs (including microfinance and housing finance companies), banks, payment system operators, Full-Fledged Money Changers, Account Aggregators, and P2P lending platforms. The first obligation is customer-facing: a Board-approved KYC policy and AML programme, built around the RBI Master Direction – Know Your Customer (KYC) Direction, 2016 (as amended from time to time) and the Prevention of Money-Laundering Act, 2002 (PMLA) read with the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. This policy must address customer acceptance, customer identification (including Aadhaar-based e-KYC and Video-based Customer Identification Process — V-CIP — where permitted for the entity's category), risk categorisation of customers into low, medium, and high risk, ongoing due diligence and periodic KYC updation at RBI-prescribed intervals tied to risk category, enhanced due diligence for politically exposed persons (PEPs) and non-face-to-face customers, monitoring of transactions for suspicious patterns, and the maintenance of records for the periods PMLA prescribes.

The second obligation is entity-facing: 'fit and proper' criteria applicable to directors and, in many categories, to key managerial personnel and shareholders holding significant equity or control. For NBFCs, this arises under Section 45-IA of the Reserve Bank of India Act, 1934 read with the RBI Master Direction – Non-Banking Financial Company – Scale Based Regulation (NBFC-SBR) Directions, 2023, and applies at the point of registration (RBI examines the fit-and-proper status of promoters and proposed directors before granting a Certificate of Registration), at every subsequent change in directorship or shareholding pattern, and through an annual self-certification the Board must obtain from each director. Fit-and-proper assessment looks at integrity, reputation, financial soundness, and the absence of any conviction, pending criminal proceeding, or history of default that RBI's Master Directions treat as disqualifying. Equivalent fit-and-proper frameworks apply, with entity-specific variations, to payment system operators under the Payment and Settlement Systems Act, 2007, to Account Aggregators under the NBFC-AA Master Direction, and to Full-Fledged Money Changers under FEMA-linked authorisation conditions.

Both obligations converge at the same governance point: the Board of the regulated entity is accountable for both the design and the operating effectiveness of the KYC/AML programme, and for the ongoing fitness of its own directors. RBI inspections — whether the periodic Annual Supervisory inspection for larger NBFCs or the risk-based supervision applied more broadly — routinely test both dimensions together, because a weak KYC/AML control environment and a governance gap at Board level are, in RBI's supervisory experience, frequently found in the same institutions. The Financial Intelligence Unit-India (FIU-IND) is the second regulator in this picture: regulated entities are 'reporting entities' under PMLA and must register on the FIU-IND FINnet 2.0 portal, appoint a Principal Officer, and file Cash Transaction Reports (CTRs), Suspicious Transaction Reports (STRs), Cross-Border Wire Transfer Reports, and Counterfeit Currency Reports as applicable to the entity's business — none of which are optional or discretionary once the entity is a reporting entity.

PNPC's role is to translate this layered, cross-referencing regulatory framework — RBI Master Directions, PMLA and its Rules, FIU-IND reporting formats, and entity-specific licensing conditions — into a Board-approved policy document, an operating procedure your compliance team can actually execute, a Principal Officer function that is properly constituted and resourced, and a fit-and-proper certification process that survives RBI scrutiny at inspection. We work with entities at three stages: pre-licensing (building the KYC/AML policy RBI expects to see before granting registration), post-licensing steady state (periodic policy review, staff training, and annual fit-and-proper certification), and remediation (where an RBI inspection, FIU-IND query, or internal audit has already flagged a gap that needs to be closed with a credible action plan).

When this advisory is the right engagement

You are applying for, or have recently received, an RBI Certificate of Registration as an NBFC, Payment System Operator, Account Aggregator, or FFMC and need a Board-approved KYC/AML policy in place before commencing customer-facing operations

Your existing KYC/AML policy has not been reviewed since the last RBI Master Direction amendment and you are not confident it reflects current risk-categorisation, periodic updation, and V-CIP requirements

You are appointing a new director, CEO, or significant shareholder and need a defensible fit-and-proper assessment completed and documented before the appointment is finalised or reported to RBI

Your annual Board process for obtaining fit-and-proper self-certification from existing directors is informal, undocumented, or inconsistently applied across directors

RBI's Annual Supervisory inspection, a scrutiny visit, or an FIU-IND query has flagged a gap in your KYC/AML programme, your Principal Officer function, or your STR/CTR filing discipline, and you need a credible, documented remediation plan

You are scaling customer onboarding volume — particularly digital or non-face-to-face onboarding — and need your risk-categorisation and enhanced due diligence framework to keep pace without becoming a compliance bottleneck

You are a fintech or payment aggregator entering a partnership with a bank or NBFC and the partner's due diligence requires evidence of a functioning KYC/AML programme and Principal Officer designation

Your Principal Officer role is vacant, informally assigned, or held by someone without the seniority or independence RBI and FIU-IND expect for that function

You operate across India and the UAE and need KYC/AML and beneficial-ownership frameworks that are coherent across both jurisdictions rather than designed in isolation by separate advisors

When a different PNPC service is the better starting point

You have not yet decided whether to seek an NBFC Certificate of Registration at all — start with our NBFC Registration, Annual Compliance & Takeover Advisory service, which covers the full licensing decision and process, of which KYC/AML policy design is one downstream component

You need only the mechanical filing of a specific FC-GPR or FC-TRS transaction with no KYC/AML or fit-and-proper element — our FC-GPR/FC-TRS Filing service is the narrower, correctly scoped engagement

Your business has no customer-facing financial activity and is not an RBI reporting entity under PMLA — a KYC/AML programme is not applicable to your entity type

You are a Full-Fledged Money Changer or fintech entity still evaluating which RBI licence category applies to your business model — our FFMC Licence & Fintech Regulatory Advisory service addresses that upstream question first

You need a general FEMA cross-border compliance health check unrelated to customer KYC or director fit-and-proper status — our FEMA Compliance Advisory & Review or RBI Compliance Health Check services are scoped for that broader review

Structure Comparison

KYC/AML & Fit-and-Proper Advisory vs related PNPC FEMA/RBI services

FeatureKYC/AML & Fit-and-Proper AdvisoryNBFC Registration & Annual ComplianceRBI Compliance Health CheckFFMC Licence & Fintech Advisory
Primary purposeDesign and maintain the KYC/AML policy and fit-and-proper certification processObtain and maintain the RBI Certificate of Registration itselfBroad periodic review of overall RBI/FEMA compliance postureDetermine and obtain the correct fintech/money-changing licence
Typical triggerPre-licensing policy build, new director appointment, inspection findingDecision to start or restructure a regulated lending/finance businessPeriodic self-assessment, pre-audit, pre-funding-round reviewNew fintech or forex business model needing licence clarity
Core deliverableBoard-approved KYC/AML policy, Principal Officer setup, fit-and-proper file for each directorCertificate of Registration application and ongoing NBFC compliance calendarFindings report across FEMA, RBI, and sectoral compliance areasLicence category recommendation and application support
FIU-IND registration and reportingSets up Principal Officer, FINnet 2.0 registration, STR/CTR processReferenced as a compliance requirement but not the deliverableReviewed as one line item among manyAddressed if the licence category requires it
Fit-and-proper director assessmentCore deliverable — individual assessment and annual certification processAssessed once at initial registration stageReviewed at a high level as part of governance checkAssessed if directors are also NBFC/PSO promoters
Best suited forAny RBI-regulated entity needing a defensible KYC/AML and governance frameworkEntities deciding on or holding an NBFC licence specificallyEntities wanting a full compliance picture across all RBI/FEMA obligationsEntities unsure which RBI/FEMA licence category fits their model
Typical engagement length3–6 weeks for policy build; ongoing annual retainer for certification cycle8–16 weeks for registration; annual retainer thereafter2–4 weeks per review cycle4–10 weeks depending on licence category

These services are frequently engaged together — a new NBFC registration typically requires a KYC/AML policy before RBI grants the Certificate of Registration, and an RBI Compliance Health Check often surfaces a KYC/AML or fit-and-proper gap that becomes its own engagement. PNPC scopes and quotes each engagement on its own facts; a short conversation with our FEMA & RBI advisory team will clarify which combination applies to your entity.

How it works
#Stage & What PNPC DoesWhat Generic Advisors MissTimeline
1Entity & Regulatory Category ScopingWe first confirm exactly which RBI Master Direction and PMLA obligations apply to your entity — an NBFC-ICC, an NBFC-MFI, a Payment System Operator, an Account Aggregator, and an FFMC each sit under a different Master Direction with different customer risk-categorisation nuances and different periodic KYC updation intervals. Generic advisors frequently apply a generic 'bank-style' KYC template that does not match the entity's actual regulatory category.Week 1
2Gap Assessment Against Current Master DirectionsWe review your existing KYC/AML policy (if one exists) line by line against the current RBI Master Direction – KYC Direction, 2016 as amended, checking specifically for outdated periodic updation intervals, missing Video-based Customer Identification Process (V-CIP) provisions, absent Politically Exposed Person (PEP) screening steps, and beneficial-ownership identification thresholds under the current Rules — areas RBI amends periodically and that older policies frequently miss.Week 1–2
3Customer Risk Categorisation Framework DesignWe design or refine the risk-categorisation matrix — low, medium, high risk — with entity-specific criteria (geography, customer type, product, transaction pattern, PEP status) rather than a generic three-tier label with no underlying logic. This matrix drives the periodic KYC updation frequency RBI expects your compliance team to actually follow, not just document.Week 2–3
4Principal Officer Function & FIU-IND RegistrationEvery reporting entity under PMLA must designate a Principal Officer at a senior enough level to have genuine authority, and register on the FIU-IND FINnet 2.0 portal. We review whether your Principal Officer designation is properly minuted by the Board, whether the person has the independence and access RBI/FIU-IND expect, and complete or correct the FINnet 2.0 registration and reporting entity profile.Week 2–4
5Suspicious Transaction Monitoring & Reporting ProcessWe design or review the process by which transactions are screened for patterns triggering a Suspicious Transaction Report (STR), the internal escalation path from front-line staff to the Principal Officer, and the record of Cash Transaction Reports (CTRs) and Cross-Border Wire Transfer Reports where applicable. Generic advisors often draft the policy language on STR triggers without building the operational workflow that actually generates timely reports.Week 3–4
6Board Approval & Policy RatificationThe KYC/AML policy, the AML/CFT (Combating the Financing of Terrorism) programme, and the Principal Officer appointment must each be placed before and approved by the Board — not merely issued by management. We prepare the Board agenda, the explanatory note, and the resolution language, and attend or brief the Board meeting where useful.Week 4–5
7Fit-and-Proper Documentation — Existing DirectorsFor each existing director, we compile the fit-and-proper declaration in the format RBI's applicable Master Direction prescribes — covering personal details, professional background, any pending or past criminal proceedings, any history of default with banks or NBFCs, disqualifications under the Companies Act, and net worth declarations where the entity category requires them. This is prepared as a defensible file, not a signature-only form.Week 3–5, in parallel
8Fit-and-Proper Assessment — Proposed New DirectorsBefore a new director is appointed or before RBI is notified of the change, we conduct the same fit-and-proper review proactively — so any concern (a past default, an undisclosed proceeding, a conflicting directorship) surfaces before the appointment is announced or reported, not after RBI queries it.As triggered by appointments
9Staff Training & Awareness ProgrammeRBI Master Directions require KYC/AML training for relevant staff, not just a policy document sitting in a folder. We design a training module appropriate to your entity's customer-facing roles and help schedule the first training cycle, with a record of attendance and coverage for audit purposes.Week 5–6
10Annual Fit-and-Proper Certification Cycle SetupWe set up the recurring annual process by which each director re-affirms their fit-and-proper status to the Board — a standing item RBI expects and that is easy to let lapse into a formality. We provide the certification format and the compliance calendar reminder for this to happen every year without being missed.Week 6, then annually
11Inspection & FIU-IND Query Readiness ReviewWe conduct a dry-run review of how your entity would respond to an RBI Annual Supervisory inspection question or an FIU-IND query on a specific customer file or transaction — checking that the underlying records (KYC documents, risk rating rationale, transaction monitoring logs) are actually retrievable and internally consistent, not just that the policy document reads well.Week 6–7
12Ongoing Retainer — Policy Review & Regulatory UpdatesRBI amends KYC and sectoral Master Directions periodically, and PMLA Rules are updated by the Department of Revenue from time to time. PNPC's ongoing retainer tracks these amendments, flags what changes your policy needs, and updates the fit-and-proper certification format as RBI's prescribed format evolves.Ongoing, annual review minimum

For entities building a KYC/AML programme from scratch ahead of NBFC or PSO registration, realistic timeline to a Board-approved policy and functioning Principal Officer setup is 5–7 weeks. For entities remediating a gap flagged at inspection, timeline depends on the scope of the finding and is scoped individually — PNPC provides a written remediation timeline after the gap assessment stage.

Document Checklist
For the KYC/AML Policy Build

Existing KYC/AML policy document, if any, along with the date of last Board approval and last substantive revision

Copy of the entity's RBI Certificate of Registration or licence, confirming the precise regulatory category (NBFC-ICC, NBFC-MFI, NBFC-HFC, PSO, Account Aggregator, FFMC, etc.)

Customer onboarding process documentation — online, offline, or hybrid — including whether Aadhaar e-KYC or Video-based Customer Identification Process (V-CIP) is currently used or planned

Sample customer risk-categorisation criteria currently in use, if any, and the customer segments the entity serves (retail, MSME, corporate, cross-border)

Details of any third-party KYC utility, credit bureau, or identity verification vendor currently engaged, including the data-sharing and retention terms of that arrangement

For Principal Officer & FIU-IND Setup

Proposed or existing Principal Officer's name, designation, seniority within the organisation, and reporting line to the Board or a Board committee

Board resolution (existing or draft) formally designating the Principal Officer under the PMLA reporting entity framework

Organisation chart showing where the AML/compliance function sits relative to business/customer-facing teams — RBI and FIU-IND expect functional independence

Any prior FIU-IND FINnet registration credentials or correspondence, if the entity has previously registered or attempted to register as a reporting entity

For Fit-and-Proper Assessment — Each Director

PAN card and Aadhaar (or passport for NRI/foreign directors), along with a recent photograph

Detailed professional background — employment history, other directorships held currently and in the past 5 years, and professional qualifications

Self-declaration of any pending or past criminal proceeding, any conviction, and any regulatory or disciplinary action by RBI, SEBI, IRDAI, or any other financial regulator

Self-declaration of any history of default in repayment to any bank, NBFC, or financial institution, and of any declared insolvency or bankruptcy

Declaration of relationship (if any) with other directors, promoters, or significant shareholders of the entity, for related-party and concentration-of-control assessment

Net worth declaration where the entity's applicable Master Direction requires a minimum net worth threshold for directors or promoters

Confirmation of DIN status under the Companies Act (not disqualified under Section 164) for directors who also hold company directorships

For Existing Customer Base & Transaction Monitoring

Sample of existing customer KYC files across risk categories, to test current documentation completeness against the Master Direction requirements

Current process (manual or system-based) for flagging transactions for review — thresholds used, escalation path, and record of any Suspicious Transaction Reports filed to date

Record of periodic KYC updation completed to date, mapped against the risk category and prescribed updation interval for each customer segment

Details of any Politically Exposed Person (PEP) identification process currently in place, if the entity has PEP customers or the customer base could plausibly include them

For Training & Governance Evidence

Record of any prior KYC/AML staff training conducted — dates, attendees, and content covered

Minutes of Board or Board-committee meetings where KYC/AML policy, Principal Officer appointment, or fit-and-proper certification has previously been discussed or approved

Internal audit or compliance function's most recent report touching on KYC/AML, if the entity has an internal audit function

Any correspondence from RBI, FIU-IND, or an Authorised Dealer bank raising a KYC/AML query, observation, or inspection finding in the past 3 years

For Entities Operating Across India and the UAE

Details of any UAE-incorporated affiliate, parent, or subsidiary, and whether it is itself a regulated financial entity under UAE Central Bank or DFSA/FSRA rules

Beneficial ownership structure across the India-UAE group, for consistency between Indian PMLA beneficial-ownership disclosure and UAE AML/CFT beneficial-ownership register requirements

Any UAE AML/CFT compliance certificate, licence, or registration already held by the group, for cross-referencing against the Indian entity's own KYC/AML framework

Ongoing obligations
PhaseTriggered ByPNPC CA GuidanceRisk If Ignored
Pre-Licensing Policy BuildApplying for RBI Certificate of RegistrationDraft the Board-approved KYC/AML policy and Principal Officer designation ahead of the RBI application — RBI reviews the governance and compliance framework as part of the registration decision, not only the financial and promoter criteria.Incomplete or template policy delays registration approval; RBI may query the adequacy of the compliance framework before granting the Certificate of Registration.
Post-Licensing Steady StateCertificate of Registration granted, operations commenceOperationalise the policy — customer risk categorisation applied in practice, Principal Officer actively monitoring, staff trained, FIU-IND FINnet registration completed and reporting cadence established.A policy that exists on paper but is not operationally followed is treated by RBI inspection as equivalent to no policy at all — supervisory action and reputational exposure follow the same path.
Annual Fit-and-Proper CertificationEvery financial year, standing Board itemEach director re-affirms fit-and-proper status in the prescribed format; PNPC maintains the compliance calendar reminder and reviews declarations for any change in circumstance since the prior year.A lapsed or missed annual certification is a governance gap RBI inspection specifically checks for; a director whose changed circumstances go undisclosed exposes the entity to a fit-and-proper challenge later.
New Director or Significant Shareholder ChangeBoard appointment, share transfer crossing significant-ownership thresholdFit-and-proper assessment conducted before the change is finalised and before RBI is notified, so any concern is identified and addressed proactively rather than surfacing as an RBI query after the fact.RBI can direct removal of a director found not fit-and-proper after appointment — a costly and reputationally damaging reversal compared to pre-appointment screening.
Periodic Policy ReviewRBI Master Direction amendment or PMLA Rules updatePNPC's retainer tracks regulatory amendments and updates the policy, risk-categorisation matrix, and reporting formats to remain current — RBI and FIU-IND periodically revise thresholds, updation intervals, and reporting form formats.An outdated policy that no longer reflects current Master Directions is a straightforward inspection finding, even where no actual customer harm has occurred.
RBI Inspection or FIU-IND QueryAnnual Supervisory inspection, scrutiny visit, or specific transaction queryPNPC supports the entity through the inspection or query — reviewing the underlying records before submission, drafting the response, and building the remediation plan if a gap is confirmed.An unprepared or inconsistent response to an inspection finding escalates supervisory concern and can trigger a more intensive follow-up inspection or restriction on business activity.
Confirmed Gap Requiring RemediationInspection finding, self-discovered lapse, or FIU-IND observationPNPC designs and documents a credible remediation action plan with realistic timelines, and helps present this to RBI or FIU-IND where a formal response is required.An unaddressed or superficially addressed finding can lead to escalated supervisory action, restrictions on new customer onboarding, monetary penalty, or in serious cases cancellation of the Certificate of Registration.
Business Model ExpansionNew product line, new customer segment, cross-border expansionReview whether the existing KYC/AML framework and risk-categorisation logic extend correctly to the new activity — a new digital onboarding channel or a new cross-border customer segment often needs a policy addendum, not just an operational tweak.Scaling a new customer channel without extending KYC/AML coverage creates an unmonitored population of customers that becomes a serious finding at the next inspection cycle.
Frequently asked
What exactly does 'KYC/AML compliance' mean for an RBI-regulated entity, in plain terms?

It means your entity has a Board-approved written policy for how you identify who your customers are, assess how risky each customer relationship is, verify their identity documents, watch their transactions for suspicious patterns, and report specific transaction types to the Financial Intelligence Unit-India. It is governed primarily by the RBI Master Direction on KYC and the Prevention of Money-Laundering Act, 2002. It is not a one-time document — it is a living operational process that your compliance team follows every day and that RBI inspects periodically.

Practitioner noteThe single most common gap we find is a KYC/AML policy that was well-drafted at licensing and never touched again. RBI amends the Master Direction periodically — a policy frozen at incorporation date is almost always out of step with current requirements within 2–3 years.
What does 'fit and proper' mean for a director of an NBFC or other RBI-regulated entity?

It is RBI's assessment of a director's integrity, reputation, financial soundness, and track record — whether they have any conviction, pending criminal proceeding, history of default with a bank or NBFC, or other disqualifying factor that would make their continued directorship a risk to the entity or its stakeholders. For NBFCs it arises specifically under Section 45-IA of the RBI Act, 1934 read with the applicable NBFC Master Direction, and it is assessed both at initial registration and on an ongoing annual basis.

Practitioner noteFit-and-proper is not a one-time box to tick at incorporation. RBI expects an annual re-certification process — a director's circumstances can change, and the Board is expected to know if they have.
Which RBI-regulated entities actually need a formal KYC/AML programme?

Any entity that is a 'reporting entity' under PMLA and its Rules — this includes NBFCs of every category (asset finance, investment/credit companies, microfinance institutions, housing finance companies), banks, Payment System Operators, Account Aggregators, Full-Fledged Money Changers, and P2P lending platforms. If your entity onboards customers, holds or moves customer funds, or facilitates financial transactions under an RBI authorisation, a KYC/AML programme applies to you.

Practitioner noteWe sometimes see fintech founders assume KYC/AML obligations only bite once they are large. They apply from the day the entity is licensed and begins onboarding its first customer — regardless of scale.
What is the Financial Intelligence Unit-India (FIU-IND) and why does our entity need to register with it?

FIU-IND is the central national agency under the Department of Revenue, Ministry of Finance, responsible for receiving, analysing, and disseminating information on suspicious financial transactions. Every reporting entity under PMLA — which includes RBI-regulated financial entities — must register on the FIU-IND FINnet 2.0 portal, designate a Principal Officer, and file the reports PMLA requires (Cash Transaction Reports, Suspicious Transaction Reports, and others applicable to the entity's business). This is a separate registration and reporting obligation from your RBI Certificate of Registration.

Practitioner noteEntities frequently treat the RBI licence as the finish line and forget FIU-IND registration is a distinct, mandatory second step. We check this explicitly during our engagement scoping call.
What is a Principal Officer and who should hold that role?

The Principal Officer is the senior individual within a reporting entity responsible for ensuring compliance with PMLA obligations — reviewing flagged transactions, deciding whether a Suspicious Transaction Report should be filed, liaising with FIU-IND, and overseeing the KYC/AML programme's operation. RBI and FIU-IND expect this person to hold sufficient seniority and independence from purely commercial or sales functions to make these judgment calls without undue business pressure.

Practitioner noteWe advise against appointing someone from the sales or business development function as Principal Officer, even if convenient. The independence expectation is real, and RBI inspection specifically probes whether the Principal Officer has genuine authority or is a title without teeth.
How often must customer KYC information be updated?

The periodic KYC updation interval depends on the customer's risk category as assessed under your entity's own risk-categorisation framework — high-risk customers require more frequent updation than low-risk customers, in line with the intervals set out in the RBI Master Direction on KYC. The exact interval your entity applies should be documented in your Board-approved policy and consistently followed, not decided case by case.

Practitioner noteA defensible risk-categorisation matrix with a clear rationale for each tier is what RBI inspection actually tests — not just whether an interval number exists in your policy document.
What is Video-based Customer Identification Process (V-CIP) and can our entity use it?

V-CIP is a digital, non-face-to-face customer identification method — a live video interaction combined with document verification — that RBI has permitted as an alternative to in-person or physical KYC verification for eligible entity categories and customer types, subject to conditions set out in the Master Direction on KYC. Whether your entity can use V-CIP, and for which customer segments, depends on your specific regulatory category and the conditions RBI has prescribed for that category.

Practitioner noteV-CIP eligibility and the specific technical/process conditions attached to it are refined periodically by RBI. We confirm current eligibility for the client's specific entity category before recommending it be built into the onboarding flow, rather than assuming blanket applicability.
What happens if RBI finds our KYC/AML programme deficient during an inspection?

Outcomes range depending on severity — from a formal observation requiring a written remediation plan within a specified timeline, to restrictions on new customer onboarding, to monetary penalty, and in serious or repeated cases, action affecting the entity's Certificate of Registration itself. RBI's supervisory approach is generally proportionate to severity and repeat-offence pattern, but a credible, well-documented remediation response materially affects how the finding is resolved.

Practitioner noteThe single biggest factor in how an inspection finding resolves is the quality and credibility of the entity's remediation response. A vague promise to 'do better' reads very differently to RBI than a documented action plan with named owners and dates.
Can a director with a past loan default serve on the Board of an NBFC?

It depends on the nature, amount, and recency of the default, and how it is disclosed and assessed under the fit-and-proper framework — a past default is not automatically disqualifying in every case, but it is a factor RBI's Master Direction expects the Board (and RBI, at registration or on query) to specifically assess. Non-disclosure of a known default is a materially more serious issue than the default itself.

Practitioner noteWe tell clients plainly: disclose fully and let the fit-and-proper assessment run its course. We have seen far more serious consequences flow from an undisclosed default discovered later than from a disclosed default that was properly assessed and documented at the time.
Does a Politically Exposed Person (PEP) require different KYC treatment?

Yes. Customers who are or have been entrusted with prominent public functions — domestically or in a foreign country — along with their family members and close associates, require enhanced due diligence under the RBI Master Direction on KYC, including senior management approval for establishing the relationship and more frequent ongoing monitoring than a standard customer.

Practitioner noteMany entities have a PEP clause in their policy document but no actual operational screening process to identify a PEP at onboarding. We build the screening step into the workflow, not just the policy language.
What is beneficial ownership identification and why does it matter for KYC?

Beneficial ownership identification means looking through a corporate or legal-entity customer's registered ownership structure to identify the natural person(s) who ultimately own or control it, above a threshold set out in the PML Rules. This prevents a customer from using layered corporate structures to obscure who is actually behind a transaction or account relationship — a core anti-money-laundering safeguard.

Practitioner noteBeneficial ownership checks are frequently the weakest link in an otherwise well-documented KYC file, particularly for corporate and trust customers with multi-layer ownership. We test this specifically during gap assessments.
How is a KYC/AML policy different from an internal audit or compliance function?

The KYC/AML policy is the Board-approved document defining what your entity must do — customer acceptance criteria, risk categorisation, monitoring, and reporting rules. The compliance function (led by the Principal Officer) is the team that operationalises the policy day to day. Internal audit is a separate, independent function that periodically tests whether the policy is actually being followed in practice. All three are distinct and RBI expects to see evidence of each functioning independently.

Practitioner noteSmaller NBFCs sometimes conflate the compliance function and internal audit into one person or team. RBI inspection specifically checks for independence between the two — we advise on a structure appropriate to the entity's size that still preserves this separation in substance.
Do foreign or NRI directors of an NBFC go through the same fit-and-proper process as resident directors?

Yes — fit-and-proper assessment applies to every director regardless of residency status, though the supporting documentation differs. Foreign or NRI directors typically need apostilled or notarised identity and address proof, and declarations covering any regulatory or criminal proceedings in their country of residence in addition to India, since RBI's assessment is not limited to India-based history.

Practitioner noteOur Dubai office regularly handles the document collection and notarisation coordination for UAE-based directors of Indian NBFCs and payment entities, so the India-side fit-and-proper file is complete without the director needing to manage cross-border paperwork alone.
Is the KYC/AML policy the same across all NBFC categories, or does it differ by licence type?

The core PMLA and RBI Master Direction on KYC framework applies across categories, but the specific Master Direction governing your entity — NBFC-ICC, NBFC-MFI, NBFC-HFC, Payment System Operator, Account Aggregator, or FFMC — layers additional entity-specific requirements on top. An NBFC-MFI's customer risk profile and documentation norms, for instance, differ from a Payment System Operator's transaction-monitoring emphasis. A generic one-size-fits-all policy template misses these category-specific nuances.

Practitioner noteWe have reviewed policies clearly adapted from a bank's KYC template with minimal changes for the NBFC's actual customer base and risk profile. RBI inspection tends to notice this quickly — a policy needs to reflect your actual business, not a generic template.
What records must be maintained under PMLA, and for how long?

The Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 prescribe the categories of records reporting entities must maintain — customer identification records, transaction records, and records supporting any Suspicious Transaction Report filed — for the periods specified in the Rules, which can extend well beyond the closure of the customer relationship. The exact retention period should be confirmed against the current Rules at the time of policy drafting, as retention requirements are a specific area regulators periodically revisit.

Practitioner noteWe build record retention into the policy with explicit reference to the current PML Rules provision rather than a rounded estimate — this is one of the areas where a stale policy quietly falls out of compliance without anyone noticing until an inspection asks for a record that was already purged.
What is a Suspicious Transaction Report (STR) and when must one be filed?

An STR is a report a reporting entity files with FIU-IND when a transaction — or a pattern of transactions — appears inconsistent with the customer's known profile, lacks an apparent lawful purpose, or otherwise raises a reasonable suspicion of money laundering or terrorist financing, as assessed under the entity's internal monitoring process and the PMLA framework. The Principal Officer is responsible for the internal decision to escalate a flagged transaction into a filed STR.

Practitioner noteA functioning STR process requires clear internal escalation criteria — otherwise front-line staff either over-report trivial transactions or, more dangerously, under-report genuinely suspicious ones because there is no clear threshold to act on.
Our entity has never received foreign investment or dealt with a PEP — do we still need the full KYC/AML framework?

Yes. The KYC/AML and PMLA reporting obligations apply based on your entity's regulatory category and customer-facing activity, not on whether a specific higher-risk scenario (foreign investment, PEP customer) has actually occurred yet. The framework must be built and ready to correctly handle such scenarios if and when they arise — RBI does not accept 'we have not encountered this yet' as a substitute for having the policy provision in place.

Practitioner noteWe have seen entities argue this exact point during an inspection and it does not hold. The policy needs to cover the full range of scenarios your licence category permits you to encounter, not just the scenarios you have encountered so far.
How does PNPC approach a KYC/AML policy build differently from a generic compliance consultant?

We start from your entity's actual RBI Certificate of Registration and regulatory category — not a generic template — and build the risk-categorisation logic, onboarding workflow references, and reporting process to match how your business actually operates. As a practising CA firm with FEMA and RBI advisory experience since 1986, we also connect the KYC/AML build to adjacent obligations — FEMA reporting where the entity has foreign shareholders, transfer pricing where there is a cross-border group structure, and annual RBI compliance filings — so the policy is not designed in isolation from the entity's broader regulatory footprint.

Practitioner noteWe regularly find that a KYC/AML policy built in isolation from the entity's FEMA and corporate compliance position creates internal inconsistencies — for example, a beneficial-ownership disclosure in the KYC file that does not match the shareholding pattern reported to RBI under FEMA. We check for this cross-consistency specifically.
What triggers RBI to review our fit-and-proper compliance outside of the annual cycle?

Common triggers include a new director appointment, a significant shareholding change, an Annual Supervisory inspection, a specific complaint or adverse media report concerning a director, or information RBI receives from another regulator or enforcement agency. RBI can also request fit-and-proper re-certification at any time it considers warranted, independent of the entity's own annual cycle.

Practitioner noteWe advise clients to treat any adverse development involving a director — a legal notice, a business dispute becoming public, a regulatory action at another entity where they also serve — as a trigger for an internal fit-and-proper review, rather than waiting for RBI to ask first.
Is a written KYC/AML policy alone sufficient, or does RBI expect evidence of implementation?

A written policy alone is not sufficient. RBI inspection tests operational evidence — actual customer files showing the risk-categorisation and documentation the policy describes, records of staff training, minutes showing Board approval and periodic review, and evidence that flagged transactions were actually escalated and assessed. A policy that reads well but has no supporting operational trail is treated as a significant gap.

Practitioner noteWe always build the implementation evidence trail alongside the policy document itself — training attendance records, a sample of properly risk-categorised customer files, and Board minutes — because a policy without evidence of use is, from an inspection standpoint, close to having no policy at all.
How does PNPC price this engagement?

PNPC scopes and quotes each KYC/AML & Fit-and-Proper engagement individually, based on the entity's regulatory category, the current state of its policy and governance documentation, the number of directors requiring fit-and-proper assessment, and whether the engagement is a fresh policy build, a periodic review, or inspection remediation. A written scope and fee letter is provided before any work begins.

Practitioner noteWe are not the cheapest option for a policy template. What we deliver is a policy and fit-and-proper file built specifically for your entity's regulatory category and actual operations — one that is designed to hold up under RBI inspection, not just look complete on first read.
Can PNPC act as our ongoing Principal Officer or must that role sit within our own organisation?

RBI and FIU-IND expect the Principal Officer to be an internal appointment — a senior individual within the regulated entity with genuine authority over compliance decisions — rather than an outsourced advisory function. PNPC advises on selecting and structuring this role correctly, trains the appointee, and remains available for ongoing guidance, but does not itself hold the Principal Officer designation on the entity's behalf.

Practitioner noteWe are occasionally asked whether we can simply be named Principal Officer to save the entity the trouble of an internal appointment. We do not take on that role — it needs to be someone inside the organisation with real day-to-day authority, and we say so plainly during scoping.
What is the difference between AML and CFT, and does our entity need to address both?

Anti-Money Laundering (AML) addresses the concealment of the origin of illegally obtained funds; Combating the Financing of Terrorism (CFT) addresses the movement of funds — which may themselves be legitimately sourced — toward terrorist activity. RBI's Master Directions and PMLA's framework require reporting entities to address both within the same policy and monitoring framework, since the customer due diligence and transaction monitoring mechanisms largely overlap.

Practitioner noteWe draft a combined AML/CFT policy rather than two separate documents — the operational controls (customer due diligence, transaction monitoring, reporting) are largely the same mechanism serving both purposes, and RBI expects to see them addressed together.
Does a change in ultimate beneficial ownership of our NBFC require RBI approval before it happens?

A change in shareholding pattern or control of an NBFC — particularly one crossing thresholds defined in the applicable Master Direction — typically requires prior RBI approval or, at minimum, timely intimation, and triggers a fresh fit-and-proper assessment of the incoming significant shareholder or director. The precise threshold and approval requirement depends on the entity's specific NBFC category and the current Master Direction governing it.

Practitioner noteWe flag this early to clients considering a change in ownership — attempting the change first and seeking RBI's view afterward is a common and avoidable misstep. The fit-and-proper and approval process should run before the transaction closes, not after.
Our entity operates as both an NBFC in India and has an affiliate in the UAE. Does the KYC/AML framework need to be coordinated across both?

While the Indian entity's KYC/AML programme is governed by RBI and PMLA and the UAE affiliate's by UAE Central Bank or relevant UAE regulator's AML/CFT framework, beneficial-ownership consistency, group-level risk assessment, and cross-border customer or fund flows between the two entities benefit from coordinated review — inconsistent beneficial-ownership disclosure between the two jurisdictions is a red flag either regulator can independently identify.

Practitioner noteOur Chennai and Dubai teams review India-UAE group structures together specifically to catch this kind of cross-jurisdiction inconsistency before either regulator does. Most single-jurisdiction advisors cannot see the full picture.
What happens if a director fails the fit-and-proper assessment after they are already serving on the Board?

RBI can direct the entity to remove a director found not to meet fit-and-proper criteria, and in serious cases can take supervisory action against the entity for having permitted or continued the appointment. The entity's Board bears responsibility for identifying and acting on a fit-and-proper concern proactively — through its own annual certification and monitoring process — rather than waiting for RBI to identify it.

Practitioner noteThis is precisely why the annual re-certification process matters — it gives the Board (and the entity) the opportunity to identify and address a fit-and-proper concern on its own terms, rather than have RBI direct a forced removal, which is a materially worse outcome for the entity's reputation and governance standing.
Do all directors need to go through fit-and-proper assessment, or only the Managing Director and whole-time directors?

Fit-and-proper criteria under the applicable RBI Master Direction typically apply to all directors on the Board — not only executive or whole-time directors — since the framework is concerned with the integrity and competence of the Board's collective oversight, not only its day-to-day management. Independent and non-executive directors are equally within scope.

Practitioner noteWe occasionally encounter the assumption that independent directors are somehow exempt from fit-and-proper scrutiny because they are not involved in daily operations. That is not correct — we apply the same assessment rigour to every director regardless of their executive or non-executive status.
How does periodic KYC updation work for a dormant or low-activity customer account?

Even a dormant or low-transaction-volume customer account remains within the periodic KYC updation cycle applicable to its assigned risk category — inactivity does not exempt an account from updation, though it may influence the risk categorisation applied. The entity's policy should specify how dormant accounts are handled within the broader KYC updation and monitoring framework.

Practitioner noteDormant accounts are an easy category to overlook operationally because nobody is actively transacting on them, but they still need to appear in the periodic updation tracking — we specifically test this category during gap assessments.
What role does the Board play beyond approving the initial KYC/AML policy?

The Board's role is ongoing, not a one-time approval — it includes periodic review of the policy's continued adequacy, receiving reports from the Principal Officer or compliance function on the programme's operation (including any STRs filed and any inspection or FIU-IND correspondence), and overseeing the annual fit-and-proper certification of its own members. RBI expects to see this as a standing item in Board or Board-committee minutes, not an occasional discussion.

Practitioner noteWe recommend a standing KYC/AML and compliance update as a fixed agenda item at a defined frequency — not something raised only when a problem surfaces. This is precisely the kind of governance discipline RBI inspection specifically looks for evidence of.
Can an NBFC or payment entity outsource its KYC verification process to a third-party vendor?

Yes, in many cases KYC verification steps can be outsourced to a third-party technology or verification vendor, but the regulated entity retains ultimate responsibility for KYC/AML compliance — outsourcing the mechanical verification step does not transfer regulatory accountability. The entity's policy should clearly document the vendor arrangement, the data protection and retention terms, and the entity's own oversight process over the vendor's work.

Practitioner noteWe review third-party KYC vendor agreements specifically for this accountability gap — a vendor contract that is silent on data retention periods matching PMLA requirements, or that does not give the entity adequate audit rights over the vendor's process, is a common weakness we flag.
Does PNPC help with the actual RBI application or only the policy documentation?

For entities where the KYC/AML and fit-and-proper engagement is tied to a fresh NBFC, PSO, or other RBI licence application, PNPC coordinates the KYC/AML policy and fit-and-proper documentation as part of the broader registration engagement — our NBFC Registration, Annual Compliance & Takeover Advisory service covers the full application process, with this service providing the specific compliance-framework component RBI expects to see.

Practitioner noteWe scope these as a combined engagement whenever the trigger is a fresh licence application, since the KYC/AML policy and the registration application are evaluated by RBI together, not as separate submissions.
What is the realistic cost range for building a KYC/AML policy and completing fit-and-proper documentation for a small NBFC?

Cost depends materially on the entity's complexity — number of directors requiring fit-and-proper assessment, whether an existing policy needs revision or a fresh build is required, and whether FIU-IND registration and Principal Officer setup are also in scope. PNPC provides a written, fixed-fee quote after the initial scoping call rather than a generic published rate, since a one-director NBFC-ICC and a multi-branch NBFC-MFI require materially different effort.

Practitioner noteWe avoid quoting a headline number without first understanding the entity's actual complexity — a quote given before scoping is usually wrong in one direction or the other, and we would rather give an accurate written quote after a short call than a misleading one upfront.
How quickly can PNPC respond if RBI raises an urgent KYC/AML query or inspection finding?

For existing retainer clients, PNPC prioritises urgent regulatory queries and typically begins review within days of being notified, given the time-sensitivity RBI and FIU-IND queries usually carry. For new clients approaching us with an active inspection finding, we conduct an expedited scoping call to understand the finding and the RBI-set response deadline before proposing a remediation timeline.

Practitioner noteAn RBI inspection finding almost always comes with a response deadline. We treat these as priority engagements — the first conversation focuses on understanding exactly what RBI has asked for and by when, before anything else.
Why PNPC Global

PNPC KYC/AML & Fit-and-Proper Advisory vs generic compliance consultants

DimensionPNPC GlobalGeneric Compliance Consultant / Portal
Regulatory groundingPolicy built against your entity's specific RBI Master Direction category, cross-checked with PMLA and FIU-IND requirementsGeneric bank-style template adapted with minimal entity-specific customisation
Cross-functional consistencyKYC/AML policy checked against your FEMA reporting, corporate compliance, and shareholding position for internal consistencyPolicy drafted in isolation, often inconsistent with FEMA/RBI filings maintained elsewhere
Fit-and-proper depthIndividual assessment file per director with documented rationale — not a signature-only declaration formTemplate form circulated for signature with limited underlying review
Principal Officer supportAdvises on correct internal appointment, seniority, and independence; trains the appointeeOften silent on Principal Officer independence requirements
Implementation evidenceBuilds the operational evidence trail — training records, sample risk-categorised files, Board minutes — alongside the policyDelivers the policy document only; implementation is left to the client
Ongoing regulatory trackingRetainer tracks RBI Master Direction and PMLA Rules amendments and updates the policy accordinglyOne-time engagement; policy goes stale as regulations amend
Cross-border capabilityChennai, Bangalore, Hyderabad, and Dubai offices coordinate India-UAE beneficial ownership and group-level consistencySingle-jurisdiction focus; India-UAE inconsistencies go unnoticed
Inspection supportReviews records before RBI/FIU-IND submission and helps draft the formal remediation responseNot typically available to support an active inspection or query

What the PNPC package includes

  1. 01

    Gap assessment of existing KYC/AML policy against the current RBI Master Direction applicable to your entity's category

  2. 02

    Board-approved KYC/AML and combined AML/CFT policy drafted for your specific regulatory category and customer base

  3. 03

    Customer risk-categorisation framework design with entity-specific criteria, not a generic three-tier label

  4. 04

    Principal Officer role structuring, FIU-IND FINnet 2.0 registration, and reporting entity profile setup

  5. 05

    Individual fit-and-proper assessment file for each existing and proposed director, in RBI's prescribed format

  6. 06

    Annual fit-and-proper re-certification process design, with compliance calendar reminders built in

  7. 07

    Staff KYC/AML training module design and first-cycle scheduling support

  8. 08

    Suspicious Transaction Report escalation workflow design, from front-line flag to Principal Officer decision

  9. 09

    Inspection and FIU-IND query readiness review — a dry-run test of your records before an actual regulator asks

  10. 10

    Ongoing retainer option covering periodic policy review as RBI Master Directions and PMLA Rules are amended

Speak directly with a PNPC Chartered Accountant who has advised RBI-regulated entities on KYC/AML governance and director fit-and-proper compliance since 1986 — not a compliance portal that hands you a template and disappears after the invoice. We build the policy your Board can defend at inspection, and we stay engaged through every director appointment, every regulatory amendment, and every regulator query after that.

← Back to FEMA & RBI
Talk to a CA