What any bank must do: at a glance
- Register and govern: enrol with FIU-IND on the FINnet 2.0 portal and appoint a Board-nominated Designated Director and a management-level Principal Officer, whatever the category.
- Assess risk: run an internal risk assessment, also called the enterprise-wide risk assessment, and take it to the Board.
- Document and identify: adopt board-approved AML policies, then perform KYC and customer due diligence and identify the beneficial owner (a controlling interest of more than 10 percent).
- Monitor and screen: keep KYC current through periodic updation (2, 8 and 10 years by risk band), watch transactions, and screen against the sanctions lists.
- Report, keep, train, test: file CTRs, STRs and CBWTRs with FIU-IND on time, retain records for five years, train staff by role, and have the programme tested by internal audit, compliance assurance or independent review.
This guide is general information about AML compliance in the Indian banking sector and is not legal advice. Because the controls and the governing KYC Direction vary by bank type, speak to a qualified AML professional about your own institution’s position.
A bank in India becomes AML compliant by building and running a single integrated AML, CFT, and CPF programme. The starting points are enrolment with FIU-IND and the appointment of a Designated Director and a Principal Officer. From there, the bank conducts an internal risk assessment, adopts board-approved policies, and manages KYC, customer due diligence, ongoing monitoring, sanctions screening, and regulatory reporting, all held together by record-keeping, staff training, and independent testing. The framework is common to all bank types; what changes is the weight each control carries.
AML Compliance Requirements for the Banking Sector in India
Use this guide if you are a bank. It covers commercial banks, small finance banks, payments banks, local area banks, regional rural banks, urban cooperative banks and rural cooperative banks. It does not cover NBFCs, securities intermediaries, insurers, DNFBPs or VDA service providers, which have their own guides.
Of all the regulated sectors in India, banking carries the heaviest anti-money-laundering load, because almost every laundering scheme touches a bank account at some stage. That holds whether the institution is a large commercial bank, a small finance bank, a payments bank, a regional rural bank, a cooperative bank or a local area bank. For all of them, compliance is not a project that finishes. It is a programme each bank builds, runs and proves year after year to the Reserve Bank of India and the Financial Intelligence Unit – India.
This guide explains the AML compliance requirements that apply across the banking sector, set out as a practical sequence: enrolling with FIU-IND, appointing officers, assessing risk, drafting policies, performing KYC and customer due diligence, screening, monitoring, reporting, training, record-keeping and independent testing. It is the how-to for banks generally. For the statutory basis behind each duty, read the companion guide, AML Laws and Regulations for banks in India.
Treat this as the sector map rather than the manual for any single bank. Every RBI-regulated bank shares the lifecycle described here. Still, the details of the risk profile, the controls and the governing KYC Direction differ by licence category, so the guide routes you to the dedicated guide for your bank type. Across the sector, the roles are fixed: the RBI is the AML and CFT supervisor, FIU-IND receives and analyses the prescribed reports and acts on reporting compliance, and the Enforcement Directorate investigates and prosecutes money-laundering offences under the PMLA.
Which bank type are you? Find your bank's compliance guide
Every bank in the sector follows the same lifecycle, but no two licence categories carry the same risk in the same measure, and each now has its own 2025 KYC Direction. Select your institution below to navigate from this sector overview to your institution’s compliance guide.
Bank type | Who it covers | Guide |
Commercial banks | Public, private and foreign commercial banks. | |
Small finance banks | Financial-inclusion and small-ticket lenders. | |
Payments banks | Restricted-deposit, payments-focused banks. | |
Local area banks | Small private banks in a limited local area. | |
Regional rural banks | Rural and semi-urban banks, sponsor-backed. | |
Urban cooperative banks | Cooperative banks in urban and semi-urban areas. | |
Rural cooperative banks | State, district and primary cooperative banks. | |
What is common across banks, and what differs by bank type
The compliance lifecycle is common to all banks, but the applicable RBI KYC Directions, the risk profile, and the depth of controls vary by bank type.
Common across all banks | Changes by bank type |
FIU-IND registration | Applicable RBI KYC Direction |
Principal Officer and Designated Director | Product restrictions |
Internal risk assessment | Customer base |
CDD and beneficial owner identification | Delivery channels |
Monitoring, screening and reporting | Risk weight and control depth |
Training, records and audit | Inspection focus |
Bank type | Main compliance pressure |
Commercial banks | Volume, corporate accounts, trade finance, correspondent banking, cross-border flows |
Small finance banks | Financial inclusion, thin-file customers, cash and rural exposure |
Payments banks | Digital onboarding, mule accounts, wallet and payment activity |
Local area banks | Lean teams, local concentration, manual controls |
Regional rural banks | Rural customers, sponsor-bank dependency, cash exposure |
Urban cooperative banks | Governance, member and customer overlap, legacy systems |
Rural cooperative banks | Rural credit structure, decentralised records, limited resources |
Sector challenges for banks
The pressures differ in degree across the sector, but they are the same in kind. A large commercial bank wrestles with onboarding and alert volumes in the millions; a payments bank manages wallet and pass-through activity within its product limits; a small finance bank onboards first-time, thin-file customers; and cooperative and local area banks must deliver the same controls with much leaner teams. Digital and non-face-to-face onboarding speeds account opening everywhere but raises identity and impersonation risk. Group structures, sponsor-bank arrangements, correspondent links, and cross-border flows add further complexity. The shared challenge is doing all of it accurately at whatever scale the bank runs.
What changed under the 2025 Directions
On 28 November 2025, the RBI issued the category-specific KYC Directions, 2025, and consolidated its Master Directions. Instead of one rulebook for all banks, each licence category now operates under the Direction written for it, and earlier KYC directions, instructions, and guidelines stand repealed or superseded to the extent stated in the relevant 2025 Direction. Any bank still operating a policy built on the 2016 KYC framework needs to move it to the 2025 Direction for its type. The Commercial Banks KYC Directions, for instance, were further updated as of 29 December 2025, with a clarification on where responsibility sits when a bank relies on records drawn from the Central KYC Records Registry.
The scale of the obligation: statistics
The numbers show the size of the duty. In FY 2024-25, FIU-IND received more than 2 million reports per month and issued 8 compliance orders with penalties exceeding Rs 30 crore (FIU-IND Annual Report 2024-25). The Financial Action Task Force, which evaluated India in 2024, found a generally good understanding of financial sector risks while expecting preventive measures to continue maturing (FATF Mutual Evaluation Report on India, 2024). India’s 2022 National Risk Assessment, as summarised by the FATF, identifies fraud, corruption and drug trafficking as the largest sources of laundered money, and all of them pass through banks of one type or another. A strong, well-evidenced programme is the only dependable defence, however large or small the bank.
“Across every kind of bank, the beneficial owner is where the risk hides. If you cannot see who is really behind the account, you cannot weigh the risk or stand behind the relationship.”
Dipali Vora, CAMS, ACS
The AML compliance lifecycle for a bank
AML compliance is easier to manage when it is seen as a single connected lifecycle rather than a stack of separate rules, and that is true for every bank. Each stage feeds the next, so a gap in one stage surfaces as a failure in another. The sequence that works in practice moves from registration and governance into risk assessment and policy, and on to the daily controls of KYC, monitoring, screening, and reporting, with record-keeping, training, and independent testing wrapped around the whole.
Running through it all is the risk-based approach. A bank does more where risk is higher and less where it is lower, and can show, with evidence, why it judged each case as it did. The same principle allows a payments bank and a commercial bank to apply the same framework yet arrive at very different levels of control intensity.
Register with FIU-IND and set up reporting
No bank can file a report until it is enrolled with the Financial Intelligence Unit-India. Enrolment takes place on the FINnet 2.0 platform, reached through the FINGate 2.0 portal, which is the single channel for all submissions. Getting the setup right, with the correct users and access rights, is the basic precondition for meeting the reporting duty, and it applies equally to the largest commercial bank and the smallest local area bank.
At the same time, the bank determines how it will generate and file each prescribed report: cash transaction reports, suspicious transaction reports, cross-border wire transfer reports, and the rest. The reporting obligation itself comes from Rule 3 and Rule 8 of the PMLR, while Chapter VIII of the KYC Direction for the bank’s category sets out exactly what that type must report.
Setting up your bank's AML function from scratch?
FINnet enrolment, officer appointments and the reporting workflow all have to line up before day one. AML India helps you stand up a complete, inspection-ready compliance department.
Appoint a Designated Director and a Principal Officer
Under Rule 7 of the PMLR, every bank, of any category, names two officers. The Designated Director is a Board-nominated person carrying overall responsibility for compliance. The Principal Officer is a management-level officer who monitors transactions, decides whether activity is suspicious, and files reports with FIU-IND.
Each category’s 2025 KYC Direction sets out these roles and is firm on one point: the same individual cannot be both the Designated Director and the Principal Officer. The bank must inform FIU-IND and the RBI of the names and details of both and update them on any changes. The function only works if the Principal Officer has real seniority, authority and Board access. In smaller banks, where one person often wears several hats, a Principal Officer with the title but no independence is a frequent reason programmes fail at inspection.
Conduct the internal risk assessment (IRA)
The internal risk assessment, also called the enterprise-wide risk assessment, is the foundation on which the rest of the programme stands. It is the bank’s own study of where its money-laundering, terror-financing and proliferation-financing risks lie. The RBI’s dedicated Internal Risk Assessment Guidance for ML/TF Risks, issued on 10 October 2024, describes this enterprise-level assessment as the bedrock of the risk-based approach, and it applies across bank types.
In practice, a bank weighs risk across four families of factors: its customers, its products and services, the geographies it touches, and the channels it onboards and transacts through. It assigns weights, classifies the risk, sets the controls that answer it, and arrives at a residual risk, with proliferation-financing risk built in as the guidance expects. The outcome goes before the Board or a Board committee and is refreshed at least annually and on any material change. Because the factor mix differs by type, a small finance bank’s assessment reads very differently from a payments bank’s, even though the method is the same; every subsequent control should be sized to what the assessment finds.
Is your risk assessment doing real work, or sitting on a shelf?
If the IRA does not actually drive your controls, the whole programme is pointed in the wrong direction. AML India builds a board-ready internal risk assessment that sets your priorities and stands up to scrutiny.
Implementing AML policies, controls and procedures
Once the risk assessment is done, the bank converts it into a written AML policy that the Board approves and owns. Chapter II of the KYC Directions, 2025 places that duty squarely on the Board. The policy becomes the operating manual that the bank and any inspector work from.
A workable policy covers customer acceptance, customer identification and due diligence steps, the treatment of higher- and lower-risk customers, ongoing monitoring, the escalation route to the Principal Officer, reporting, record-keeping, and training. For a banking group, it adds group-wide policies and how overseas branches and subsidiaries apply them, taking the stricter of the Indian and host-country standards where they differ. A regional rural bank that relies on its sponsor bank, or a cooperative bank within a broader structure, still needs a policy that describes how it operates. That is the real test of any policy.
Customer identification and customer due diligence (CDD)
Customer due diligence is the front line of the programme: how a bank satisfies itself that it knows who each customer is and keeps that knowledge up to date. The duty flows from Section 11A of the PMLA, Rule 9 of the PMLR, and Chapters V and VI of the bank’s KYC Direction.
At onboarding, the bank follows the Customer Identification Procedure in Chapter V, collecting and verifying identity through reliable, independent documents or their electronic equivalents, including video-based identification where permitted.
Chapter VI then governs the due diligence itself, with separate routes for individuals, sole proprietors and legal entities. Depth follows risk: lower-risk customers may receive simplified due diligence, while higher-risk customers receive enhanced due diligence, and the rationale is recorded.
For non-profit organisation customers, verify the nature and purpose of the organisation, register the NPO’s details on the NITI Aayog DARPAN Portal where it is not already registered, maintain that registration record for the prescribed period, and monitor donation and foreign-contribution activity on a risk-sensitive basis. The customer mix that drives all of this (thin-file inclusion customers, high-value account holders or the members of a cooperative) varies sharply by bank type.
Beneficial ownership identification (part of CDD)
Behind every company, partnership, or trust stands a real person who owns or controls it, and the bank must identify that person. Beneficial-ownership identification is part of CDD rather than a separate task, and it is where much of the money-laundering risk hides. It is required by Rule 9 of the PMLR and Chapter VI-D of the KYC Directions, 2025.
For a company or a partnership, the beneficial owner is the natural person with a controlling interest of more than 10 per cent of the shares, capital, or profits, or who controls the customer by other means. For an unincorporated association or body of individuals, the threshold is more than 15 per cent. For a trust, the bank identifies the author, the trustees, the beneficiaries holding a 10 per cent or greater interest, and anyone else exercising ultimate control. Where ownership runs through several layers, the bank follows the chain up to the natural person at the top, and screens that beneficial owner against sanctions lists like any other customer. The duty is identical for every bank type, though the entity customers that trigger it cluster in some categories more than others.
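The look-through described above, as an added example that is not part of the original guide: it follows layered ownership up to natural persons and applies the thresholds stated here (more than 10 per cent for companies and partnerships, more than 15 per cent for unincorporated associations, the author, trustees, 10 per cent-plus beneficiaries and ultimate controllers for a trust). Multiplying percentages along each chain and summing across chains is this example's assumption about how indirect holdings are computed; all names and holdings are constructed.

```python
# Added example, not from the original guide: resolving the beneficial owner(s)
# of a customer through layered ownership, using the thresholds stated above.
# Look-through arithmetic (multiply percentages along a chain, sum across chains)
# is this example's assumption about how indirect holdings are computed.
from dataclasses import dataclass, field
from typing import Dict, List, Set

THRESHOLDS = {"company": 10.0, "partnership": 10.0, "unincorporated": 15.0}  # strictly more than
TRUST_BENEFICIARY_MIN = 10.0   # trust beneficiaries holding 10% or more interest


@dataclass
class Party:
    name: str
    kind: str                                        # natural | company | partnership | unincorporated | trust
    owners: Dict[str, float] = field(default_factory=dict)   # owner name -> % of shares/capital/profits
    controllers: Set[str] = field(default_factory=set)       # natural persons with control by other means
    author: List[str] = field(default_factory=list)          # trusts only
    trustees: List[str] = field(default_factory=list)        # trusts only
    beneficiaries: Dict[str, float] = field(default_factory=dict)  # trusts only: name -> % interest


def effective_ownership(registry, customer):
    """Map each natural person to their effective % of `customer`, following
    intermediate entities upward. Circular cross-holdings are reported, not looped."""
    effective, unresolved = {}, set()

    def walk(entity, share, path):
        for owner, pct in registry[entity].owners.items():
            eff = share * pct / 100.0
            if registry[owner].kind == "natural":
                effective[owner] = effective.get(owner, 0.0) + eff
            elif owner in path:
                unresolved.add(owner)          # loop in the chain: needs manual review
            else:
                walk(owner, eff, path | {owner})

    walk(customer, 100.0, {customer})
    return effective, unresolved


def beneficial_owners(registry, customer):
    """Return the beneficial owners of `customer` under the thresholds above, plus
    the effective percentages the bank records as evidence for the decision."""
    cust = registry[customer]
    if cust.kind == "trust":
        named = set(cust.author) | set(cust.trustees) | set(cust.controllers)
        named |= {b for b, pct in cust.beneficiaries.items() if pct >= TRUST_BENEFICIARY_MIN}
        return {"owners": sorted(named), "effective": dict(cust.beneficiaries), "unresolved": []}
    effective, unresolved = effective_ownership(registry, customer)
    threshold = THRESHOLDS[cust.kind]
    owners = {p for p, pct in effective.items() if pct > threshold} | cust.controllers
    return {"owners": sorted(owners), "effective": effective, "unresolved": sorted(unresolved)}


# Constructed registry: every name and holding below is invented for illustration.
REGISTRY = {p.name: p for p in [
    Party("Priya", "natural"), Party("Raj", "natural"),
    Party("Sunil", "natural"), Party("Meera", "natural"),
    Party("Alpha Pvt Ltd", "company",
          owners={"Beta Holdings": 60, "Priya": 30, "Raj": 10},
          controllers={"Meera"}),            # e.g. right to appoint a majority of directors
    Party("Beta Holdings", "company", owners={"Sunil": 50, "Gamma LLP": 50}),
    Party("Gamma LLP", "partnership", owners={"Priya": 100}),
    Party("Residents Association", "unincorporated", owners={"Priya": 88, "Raj": 12}),
    Party("Family Trust", "trust", author=["Sunil"], trustees=["Meera"],
          beneficiaries={"Priya": 9, "Raj": 10}),
    Party("Delta Ltd", "company", owners={"Epsilon Ltd": 50, "Raj": 50}),
    Party("Epsilon Ltd", "company", owners={"Delta Ltd": 100}),   # circular cross-holding
]}

if __name__ == "__main__":
    for name in ("Alpha Pvt Ltd", "Residents Association", "Family Trust", "Delta Ltd"):
        print(name, beneficial_owners(REGISTRY, name))
```

For Alpha Pvt Ltd the direct 10 per cent holder is not a beneficial owner (the threshold is strictly more than 10 per cent), while a 30 per cent direct stake plus 30 per cent through two layers makes the same person a 60 per cent owner.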
Enhanced due diligence for PEPs and high-risk customers (part of CDD)
Higher-risk customers, including politically exposed persons, together with their family members and close associates, receive enhanced due diligence, including establishing the source of funds and wealth, obtaining senior management approval for onboarding, and applying closer ongoing monitoring. This, too, falls within CDD, and it is triggered by the customer’s risk rating from the internal risk assessment, so the share of customers it captures varies from one bank type to the next.
Correspondent banking and wire transfers
Correspondent banking, in which one bank provides services to another, frequently across borders, imports the other institution’s risk and is a well-known laundering channel. It calls for enhanced due diligence on the respondent bank before the relationship opens and at regular intervals afterwards. It mainly applies to commercial banks; categories that do not maintain correspondent relationships will find this step lighter or inapplicable.
Banks must also make sure cross-border wire transfers carry complete originator and beneficiary information, the requirement often called the travel rule, and must neither open nor keep relationships with shell banks. These provisions sit within the applicable RBI KYC Directions, 2025.
Ongoing monitoring and periodic updation
Knowing a customer at onboarding is not enough because risk shifts over the life of the relationship. Ongoing monitoring means monitoring transactions and account behaviour for activity that does not align with the bank’s knowledge of the customer, and escalating any unusual activity to the Principal Officer for a decision on whether to file a suspicious transaction report.
Periodic updation is the scheduled refresh of customer KYC. Under Chapter VI-E of the KYC Directions, 2025, a bank carries it out at least once every 2 years for high-risk customers, every 8 years for medium-risk customers and every 10 years for low-risk customers, and sooner when a trigger occurs. Good monitoring is tuned to the bank’s actual risks rather than left on default settings, and the alerts it raises are genuinely worked on and closed. The bank also reviews each customer’s risk categorisation at least once every six months. The RBI Directions allow a temporary operational concession for low-risk individual customers to update within one year of the due date or by 30 June 2026, whichever is later, subject to monitoring.
Buried in alerts, or behind on periodic updation?
Manual monitoring misses patterns and lets KYC go stale. AML India helps you select and configure monitoring and updation tools that fit your size and clear the backlog.
Sanctions screening and targeted financial sanctions
Every bank must be sure it is not dealing with designated terrorists, their financiers, or those who finance weapons of mass destruction. This is achieved through sanctions screening against the officially designated lists, and it is mandatory under Section 51A of the UAPA, 1967, for terrorism, and under Section 12A of the WMD Act, 2005, for proliferation financing.
The bank screens customers and beneficial owners against the United Nations Security Council lists and India’s domestic designated lists, both at onboarding and continuously as the lists change. On a true match, the bank must freeze the funds and report without delay, in accordance with the implementation procedures issued under Sections 51A and 12A. There is no minimum amount: screening reaches every customer and every relevant payment, and every hit decision is recorded for the audit trail. A clear workflow helps: detect a possible match; pause or freeze where required; escalate; confirm whether the match is genuine; freeze and report on a true match; and document false positives. This duty binds all types of banks without exception.
Regulatory reporting to FIU-IND
Reporting is how a bank’s intelligence reaches the authorities, and it is one of the most closely scrutinised duties. The Principal Officer files with FIU-IND under Rule 8 of the PMLR through FINnet 2.0, and Chapter VIII of the bank’s KYC Direction sets the reporting requirements for its category.
The main report types, fixed by Rule 3 of the PMLR, are the cash transaction report (CTR) for cash over Rs 10 lakh and connected cash transactions over Rs 10 lakh in a month; the suspicious transaction report (STR) for any transaction of any value that raises suspicion, including attempted transactions; the cross-border wire transfer report (CBWTR) for cross-border wire transfers of more than Rs 5 lakh, or the equivalent in foreign currency, where either the origin or destination of the funds is in India; and reports for counterfeit and certain non-profit-organisation transactions.
Timing is exacting. Cash transaction reports, non-profit transaction reports, reports on cash transactions involving counterfeit currency, forged valuable securities or forged documents, and cross-border wire transfer reports are submitted monthly by the 15th day of the following month. Suspicious transaction reports must be filed promptly once the Principal Officer is satisfied the transaction is suspicious, not held back to a monthly cycle. Reports on immovable property transactions under Rule 3(F), where they apply, are filed quarterly. Each report must be produced in the prescribed FINnet 2.0 format, so a bank’s systems must output in that format. Reporting is confidential: a bank must never tip off a customer that a suspicious transaction report has been or may be filed.
Confident every report is complete and on time?
Late or missed reports are an easy, penalised failure. AML India helps you build the reporting function, from FINnet 2.0 filing to the STR decision process, so nothing slips.
Record management, CKYCR and FINnet 2.0
A bank has to be able to prove it did the work, which makes records a control in their own right. Under Section 12 of the PMLA and Chapter VII of the KYC Directions, 2025, the bank keeps transaction records for 5 years from the date of the transaction, and customer identity, account files, and business correspondence for 5 years after the relationship ends or the account closes, whichever is later. The records must be returned quickly when the RBI, FIU-IND, or law enforcement requests them, and the retrieval test is one area where smaller banks fail as often as larger ones.
Two pieces of national infrastructure plug into this. The Central KYC Records Registry (CKYCR), governed by guidelines updated in 2025, is a central repository of customer KYC: the bank uploads each customer’s record, receives a KYC identifier, and can reuse an existing record. The bank files the electronic copy of a customer’s KYC record with the CKYCR within the prescribed timeline, currently 10 days after the account-based relationship commences, and furnishes any updated KYC information to the CKYCR within seven days of obtaining it, or within any period notified.
FINnet 2.0, reached through FINGate 2.0, is the FIU-IND platform for filing reports. Both must be set up correctly and kept current by every bank in the sector.
Training and awareness
Controls only work if the people at the counter and in the back office understand them. The KYC Directions, 2025 expect banks to train their staff, and the strongest programmes are role-based: front-line and onboarding staff learn to spot red flags and complete CDD, while compliance and monitoring staff go deeper into typologies, screening and reporting. Training is refreshed regularly, kept current with new risks and rule changes, and evidenced with records of who was trained and when. In small-team banks, the same person may need several of these modules at once.
Would your branch staff recognise a layered, third-party deposit?
Red flags only help if people remember them. AML India delivers role-based training that turns the PMLA, the RBI Directions and real typologies into scenarios your teams will actually use.
Independent testing and audit
Finally, the bank tests its own programme through an independent review, such as an internal or concurrent audit. The aim is to have someone other than the people operating the controls confirm that they actually work, and to drive every finding through to closure. A useful discipline is to test the way an outsider would: pull a sample of files, follow an alert from generation to the STR decision, and time how long it takes to retrieve a record. Where a category relies on a sponsor or parent for its systems, the audit should extend to those shared arrangements as well.
Evidence to keep ready for inspection
A supervisor tests a programme by asking for proof, so a bank keeps an evidence pack up to date and readily retrievable. Map each requirement to the internal owner and the evidence that demonstrates it:
Requirement | Internal owner | Evidence |
FIU-IND enrolment | Principal Officer / Compliance | FINnet 2.0 registration and user records |
Internal risk assessment | Compliance / Risk / Board | Board-approved IRA report |
CDD and KYC | Operations / Compliance | Customer file, risk rating and beneficial-owner record |
Reporting | Principal Officer | STR, CTR and CBWTR filing records |
Sanctions screening | Compliance | Screening logs and sanctions-hit decisions |
Training | Compliance / HR | Attendance and assessment records |
Audit | Internal audit / independent reviewer | Audit report and closure tracker |
From compliance back to the law: every requirement above rests on a specific provision. For the legal basis, read the companion guide, AML Laws and Regulations for banks in India. To go broader, start with the top-level AML Compliance Requirements in India, or use the bank-type links earlier in this guide to reach the version written for your category.
National and sectoral risk assessment
A bank’s own risk assessment does not sit in isolation. India runs a National Risk Assessment (the most recent completed in 2022 and not public) along with sectoral risk assessments that set out where the country sees the greatest money-laundering and terror-financing risk. The FATF noted in 2024 that these conclusions had been shared with many reporting entities, though a significant number were still to be engaged. Use the national and sectoral assessments to inform and justify the risk ratings in your own internal risk assessment and policy. Because the National Risk Assessment is not public, refer to its existence and the FATF summary rather than quoting figures you cannot verify against a source you hold.
Risk factors a bank should weigh
Use these when building the internal risk assessment and when deciding how much due diligence a particular customer needs. The exact mix tilts towards different rows depending on the bank type.
Risk category | Examples for banks |
Customer | Politically exposed persons and their associates, cash-intensive businesses, non-residents, customers with complex or opaque ownership, first-time customers with thin records, and anyone reluctant to disclose the beneficial owner. |
Product, service, transaction | Correspondent banking and trade finance at commercial banks, cross-border wire transfers, private banking, wallet and prepaid products at payments banks, and other high-value or pass-through services. |
Geography | Customers, funds or counterparties connected to higher-risk jurisdictions, or to areas with elevated predicate-crime activity. |
Delivery channel | Non-face-to-face and digital onboarding, third-party introducers and business correspondents, and accounts operated under power of attorney. |
Red flags to watch
Observable signs that should prompt a closer look or a suspicious transaction report, whatever the bank’s size.
- Cash deposits or withdrawals are deliberately kept just below the Rs 10 lakh reporting threshold.
- A single account receiving numerous third-party credits with no clear link to the account holder.
- An abrupt shift in account behaviour, for example, a long-dormant account turning highly active.
- Activity that does not square with the customer’s known profile or stated line of business.
- Reluctance to share identity or beneficial-ownership details, or the use of nominees and shell entities.
- Funds moving in and out rapidly with no economic rationale, including classic mule-account behaviour.
- A customer or beneficial owner who appears to match a sanctions or designated list.
Money-mule controls
Money-mule accounts, opened or lent out to move the proceeds of fraud, are a current priority right across the sector and are turning up in banks of every category. Helpful controls include tighter onboarding checks for accounts that suddenly begin receiving funds from many unrelated parties, monitoring rules designed for pass-through and fan-in patterns, prompt action on accounts flagged by other banks or law enforcement, and a clear escalation route to the Principal Officer for a suspicious transaction report. The precise typologies and thresholds differ by bank type, so see your bank-type guide for the tailored controls.
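The reporting thresholds from Rule 3 (CTR over Rs 10 lakh, including connected cash in a month; CBWTR over Rs 5 lakh), the below-threshold and third-party-credit red flags listed above, and the fan-in and pass-through patterns described here, expressed as monitoring rules over constructed sample transactions. This is an added example, not code from the original guide or from any bank's system; every tuning value marked as an assumption (the structuring band, the sender count, the window and the pass-through ratio) is the example's own, and the transactions are invented.

```python
# Added example, not from the original guide: simple monitoring rules for the
# reporting thresholds and red flags the guide describes, run over constructed
# sample transactions. Values marked "assumption" are this example's tuning, not RBI rules.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

LAKH = 100_000
CTR_THRESHOLD = 10 * LAKH      # Rule 3 PMLR: cash over Rs 10 lakh, or connected cash over Rs 10 lakh in a month
CBWTR_THRESHOLD = 5 * LAKH     # Rule 3 PMLR: cross-border wire transfers over Rs 5 lakh
STRUCTURING_FLOOR = 9 * LAKH   # assumption: "just below the threshold" means Rs 9 lakh up to Rs 10 lakh
STRUCTURING_MIN_COUNT = 3      # assumption: three such cash deposits in one month
FAN_IN_MIN_SENDERS = 8         # assumption: distinct third-party senders inside the window
FAN_IN_WINDOW = timedelta(days=7)
PASS_THROUGH_RATIO = 0.9       # assumption: 90% of the fan-in credits leave within the window

CASH = {"cash_in", "cash_out"}
INFLOW = {"credit", "wire_in"}
OUTFLOW = {"cash_out", "debit", "wire_out"}


@dataclass(frozen=True)
class Txn:
    id: str
    account: str
    on: date
    kind: str            # cash_in | cash_out | credit | debit | wire_in | wire_out
    amount: int          # rupees
    counterparty: str = ""
    cross_border: bool = False


def ctr_candidates(txns):
    """(account, month) pairs needing a CTR: a single cash transaction over the
    threshold, or connected cash in the month adding up to more than it."""
    monthly, flagged = defaultdict(int), set()
    for t in txns:
        if t.kind in CASH:
            key = (t.account, t.on.strftime("%Y-%m"))
            monthly[key] += t.amount
            if t.amount > CTR_THRESHOLD:
                flagged.add(key)
    flagged |= {k for k, total in monthly.items() if total > CTR_THRESHOLD}
    return sorted(flagged)


def cbwtr_candidates(txns):
    """Cross-border wires over Rs 5 lakh in either direction (origin or destination in India)."""
    return sorted(t.id for t in txns
                  if t.cross_border and t.kind in {"wire_in", "wire_out"} and t.amount > CBWTR_THRESHOLD)


def structuring_alerts(txns):
    """Accounts with repeated cash deposits kept just under the CTR threshold in one month."""
    counts = defaultdict(int)
    for t in txns:
        if t.kind == "cash_in" and STRUCTURING_FLOOR <= t.amount <= CTR_THRESHOLD:
            counts[(t.account, t.on.strftime("%Y-%m"))] += 1
    return sorted({acct for (acct, _), n in counts.items() if n >= STRUCTURING_MIN_COUNT})


def mule_alerts(txns):
    """Accounts showing fan-in from many unrelated senders followed by rapid pass-through."""
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    alerts = set()
    for acct, items in by_account.items():
        for start in (t for t in items if t.kind in INFLOW):
            window = [t for t in items if start.on <= t.on < start.on + FAN_IN_WINDOW]
            senders = {t.counterparty for t in window if t.kind in INFLOW}
            inflow = sum(t.amount for t in window if t.kind in INFLOW)
            outflow = sum(t.amount for t in window if t.kind in OUTFLOW)
            if len(senders) >= FAN_IN_MIN_SENDERS and inflow and outflow / inflow >= PASS_THROUGH_RATIO:
                alerts.add(acct)
                break
    return sorted(alerts)


def run_all(txns):
    """Everything a Principal Officer's queue would receive from these rules."""
    return {"ctr": ctr_candidates(txns), "cbwtr": cbwtr_candidates(txns),
            "structuring": structuring_alerts(txns), "mule": mule_alerts(txns)}


def march(day):
    return date(2026, 3, day)

# Constructed sample data: accounts, amounts and counterparties are invented.
SAMPLE = [
    Txn("C1", "A001", march(3), "cash_in", 4 * LAKH), Txn("C2", "A001", march(10), "cash_in", 4 * LAKH),
    Txn("C3", "A001", march(20), "cash_out", 3 * LAKH),           # connected cash: 11 lakh in the month
    Txn("S1", "A002", march(2), "cash_in", 950_000), Txn("S2", "A002", march(9), "cash_in", 980_000),
    Txn("S3", "A002", march(16), "cash_in", 990_000),             # three deposits kept just under 10 lakh
    Txn("W1", "A004", march(5), "wire_out", 6 * LAKH, "Overseas Ltd", cross_border=True),
    Txn("W2", "A004", march(6), "wire_in", 4 * LAKH, "Overseas Ltd", cross_border=True),  # under 5 lakh
    Txn("P1", "A005", march(1), "credit", 80_000, "Employer Pvt Ltd"),                    # ordinary salary
] + [Txn(f"M{i}", "A003", march(1 + i % 5), "credit", 50_000, f"sender{i}") for i in range(9)] \
  + [Txn("MX", "A003", march(6), "debit", 430_000, "cash-out point")]  # 9 senders, 4.3 of 4.5 lakh out

if __name__ == "__main__":
    print(run_all(SAMPLE))
```

Note that A002 trips both the structuring rule and the connected-cash CTR rule: the deposits each stay under Rs 10 lakh, but the month's total does not, so the CTR is due regardless of whether an STR follows.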
Want to know if your programme would pass an inspection today?
An AML Health Check reviews your risk assessment, policies, KYC, screening, reporting and records against the 2025 Directions and the PMLA, and gives you a prioritised fix list.
Best practices
- Let the internal risk assessment drive the policy, and the policy drive the controls, so the programme holds together from end to end.
- Identify the beneficial owner before the account opens, not afterwards.
- Tune monitoring and screening to your real risks, and carry every alert through to a decision.
- Keep a reporting calendar, and file suspicious transaction reports promptly rather than in batches.
- Clear periodic-updation backlogs in risk order, starting with high-risk customers.
- Train staff by role, refresh it regularly, and keep the records to prove it.
- Have the programme tested independently, and close out every finding.
- Keep records retrievable, and rehearse producing a file before a supervisor ever asks.
Common inspection failures
Inspections tend to bite in the same spots across the sector: a Principal Officer with the title but no real authority or Board access, monitoring left on default rules, screening that misses near-matches or works off out-of-date lists, periodic updation that has slipped behind, beneficial-ownership records that stop at the account holder, and decisions taken without a written rationale. Smaller banks tend to be caught by thin resourcing and larger ones by sheer volume, but in both cases, these are failures of evidence rather than intent, which is exactly why a clear audit trail matters.
“The banks that clear an inspection are rarely the ones with the longest policy manual. They are the ones whose risk assessment, screening and reporting visibly line up and can be evidenced on demand.”
Pathik Shah, FCA, CAMS, CISA, CS, DISA, FAFD
Frequently Asked Questions
A bank becomes compliant by building and running a single connected programme, regardless of its category. The usual order is to enrol with FIU-IND and appoint a Designated Director and a Principal Officer, complete an internal risk assessment, write board-approved policies from it, and then operate CDD and KYC, beneficial-ownership checks, ongoing monitoring, periodic updation, sanctions screening and reporting, supported by record-keeping, training and independent testing. Each step ties back to the PMLA, the PMLR and the RBI KYC Directions, 2025 for the bank’s type, and the bank must be able to evidence all of it.
Under Rule 7 of the PMLR, a bank appoints two officers: a Board-nominated Designated Director with overall responsibility, and a management-level Principal Officer who monitors transactions, assesses suspicious activity, and files reports. The 2025 KYC Directions are clear that the same person cannot hold both roles. The bank must inform both FIU-IND and the RBI and keep the details up to date; this applies to banks of any size or category.
What do KYC and customer due diligence require?
The bank identifies and verifies every customer and their beneficial owner, and keeps that information current. The process runs from the Customer Identification Procedure in Chapter V of the KYC Directions, 2025, to customer due diligence in Chapter VI, and rests on Section 11A of the PMLA and Rule 9 of the PMLR. Depth follows risk, with simplified due diligence for low-risk customers and enhanced due diligence for higher-risk ones such as politically exposed persons. The framework is identical across bank types, even though the customer base it is applied to is not.
Who is the beneficial owner?
The beneficial owner is the natural person who ultimately owns or controls a customer, even where the account is held in the name of a company, partnership or trust. For a company or partnership, the threshold is a controlling interest of more than 10 per cent of shares, capital or profits; for an unincorporated association or body of individuals, it is more than 15 per cent; and for a trust, it covers the author, the trustees, beneficiaries with a 10 per cent or more interest, and anyone exercising ultimate effective control. Control can also arise through other means, such as the right to appoint a majority of the directors. Where no natural person is identified on these tests, the relevant senior managing official is recorded instead.
How often must KYC be updated?
KYC is refreshed on a risk-based cycle known as periodic updation. Under Chapter VI-E of the KYC Directions, 2025, this is at least once every 2 years for high-risk customers, every 8 years for medium-risk customers and every 10 years for low-risk customers. The bank also updates sooner whenever a trigger occurs, such as a change in ownership or a noticeable shift in transaction patterns.
What must a bank report to FIU-IND, and by when?
Under Rule 3 of the PMLR a bank reports: cash transactions of more than Rs 10 lakh; series of integrally connected cash transactions, each below that figure, whose aggregate within a month exceeds Rs 10 lakh; suspicious transactions of any value, including attempted ones; cross-border wire transfers of more than Rs 5 lakh (or the equivalent in foreign currency) where either the origin or the destination is in India; cash transactions involving counterfeit or forged currency notes, forged valuable securities or forged documents; and receipts by non-profit organisations above the prescribed threshold. Cash, counterfeit, non-profit and cross-border wire transfer reports are filed monthly, by the 15th of the succeeding month, under Rule 8. Suspicious transaction reports, by contrast, are filed promptly once the Principal Officer is satisfied that a transaction is suspicious, and not later than seven working days after that. Everything goes to FIU-IND through FINnet 2.0.
What is the difference between a CTR and an STR?
A cash transaction report (CTR) is filed because a cash transaction crosses a fixed threshold, currently more than Rs 10 lakh, whether or not anything looks wrong. A suspicious transaction report (STR) is filed when a transaction raises suspicion of money laundering or terrorist financing, regardless of its size, including attempted transactions. CTRs follow a monthly cycle, whereas STRs must be filed promptly, and within seven working days, once the Principal Officer is satisfied that the transaction is suspicious.
How long must records be kept?
Five years, under Section 12 of the PMLA and Chapter VII of the KYC Directions, 2025, but on two separate clocks. For transactions, the five-year period runs from the date of the transaction; for identity records, account files and business correspondence, it runs for five years after the business relationship ends or the account closes, whichever is later. The records must be kept in a form that lets the bank retrieve and produce them quickly on request.
Have the KYC Directions changed recently?
Yes. The RBI issued category-specific KYC Directions on 28 November 2025, one for each bank type, and the earlier KYC directions stand repealed or superseded to the extent provided in the relevant Direction. Every bank should review any policy, procedure or training built on the old 2016 Master Direction and update it to the current text for its category, because that is the standard a supervisor will apply.
What happens if a bank falls short?
The Reserve Bank of India can levy monetary penalties and order a bank to remediate its controls, and FIU-IND can issue compliance orders carrying penalties of its own under Section 13 of the PMLA; it issued 8 such orders with penalties exceeding Rs 30 crore in FY 2024-25. Where an account is tied to money laundering, the Enforcement Directorate can attach property and prosecute. The cost of weak compliance is therefore financial, legal and reputational, and it falls on small and large banks alike.
Official sources and review
Last reviewed: June 2026. This guide is grounded in the following primary official sources, linked to their official source where available.
- Prevention of Money-laundering Act, 2002 (India Code)
- Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (India Code)
- RBI category-specific Know Your Customer Directions, 2025
- Unlawful Activities (Prevention) Act, 1967 and Section 51A procedure (MHA)
- WMD Act, 2005 and its Section 12A implementation procedure (India Code)
- FATF Recommendations, including the June 2026 update to Recommendation 6 on targeted financial sanctions
- FATF Mutual Evaluation Report on India, 2024
- Financial Intelligence Unit – India, including the Annual Report 2024-25
- Central KYC Records Registry (CKYCR) Operating Guidelines, 2025 (CERSAI)
- Directorate of Enforcement Annual Report 2024-25
Why work with AML India
“We are thrilled to have AML India as our compliance partner. Their consultants have immense knowledge in executing the right KYC and CDD processes for our business, and made it easy to onboard new customers without the fear of money-laundering risks.” General Manager, Financial Company (published on amlindia.in)
Want an expert to pressure-test your programme?
An AML India expert reviews where your programme is strong and where it would fail an inspection, and gives you a prioritised plan.
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFD (ICAI)
Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.