Last Updated and Reviewed on: 7th July 2026

Key takeaways at a glance

  • Who is covered: public sector, private sector and foreign banks operating in India and covered by the RBI (Commercial Banks – Know Your Customer) Directions, 2025, not the small finance, payments, local area, regional rural or co-operative banks the RBI regulates separately. They are reporting entities under the Prevention of Money Laundering Act, 2002 (PMLA).
  • Governing laws: the PMLA 2002 and the PML (Maintenance of Records) Rules, 2005 (PMLR); the RBI (Commercial Banks – Know Your Customer) Directions, 2025; the UAPA 1967 (Section 51A) and the WMD Act, 2005 (Section 12A).
  • Regulator: the Reserve Bank of India (RBI). Reports go to the Financial Intelligence Unit – India (FIU-IND); the Enforcement Directorate (ED) enforces the PMLA.
  • Core duties: an internal risk assessment, customer due diligence and KYC, beneficial-owner identification, including the more-than-10-percent threshold for companies and partnerships, with separate tests for trusts and unincorporated bodies, periodic updation (2, 8 and 10 years by risk), transaction monitoring, prescribed transaction reporting (CTR, STR, NPO transaction reports, reports on cash transactions involving counterfeit currency, forged valuable security or forged documents and CBWTR), five-year record-keeping, and sanctions screening.
  • Latest change: the RBI issued category-specific KYC Directions on 28 November 2025. For commercial banks, the RBI (Commercial Banks – Know Your Customer) Directions, 2025 apply, and earlier KYC directions stand repealed or superseded to the extent provided in that Direction.

Commercial banks in India are reporting entities under the PMLA. They must comply with the PMLA, the PMLR, the RBI (Commercial Banks – Know Your Customer) Directions, 2025, the UAPA Section 51A, and the WMD Act Section 12A. The RBI supervises banks for AML and KYC compliance, while prescribed transaction reports are filed with FIU-IND.

Commercial banks sit at the centre of India’s financial system, and that is exactly why they sit at the centre of its anti-money-laundering defences. Every salary, loan, remittance and business payment runs through them, so they are the first place criminals try to move and hide illicit money. India’s law recognises this and places banks among the most closely supervised reporting entities under its AML, CFT and CPF framework.

This guide sets out the money laundering laws in India and the wider AML, CFT and CPF regulations that apply to commercial banks. AML means anti-money-laundering, CFT means countering the financing of terrorism, and CPF means countering proliferation financing, which is the funding of weapons of mass destruction. Because AML in banking is among the most closely supervised areas of compliance, we cover who is regulated, the full body of law that binds banks, the Reserve Bank of India as the supervisor, and the core duties imposed by the regulations.

This article is the commercial banks’ guide in our banking series. It explains the law for commercial banks only. Other bank types, such as small finance banks, payments banks, regional rural banks and cooperative banks, follow the same core framework but have their own guides. For the step-by-step controls a bank must build, read the companion guide, AML Compliance Requirements for Commercial Banks in India. For the wider context, start with the AML Laws and Regulations for the Banking Sector in India or the top-level AML Laws and Regulations in India.

The core instruments at a glance

Instrument

Applies to banks?

What it controls

PMLA, 2002

Yes

Reporting-entity duties, CDD, records and enforcement

PMLR, 2005 (PMLR)

Yes

Reporting categories, timelines, CDD, beneficial ownership and officers

RBI KYC Directions 2025

Yes

Bank-specific KYC and AML operating requirements

UAPA Section 51A

Yes

Terrorism-related targeted financial sanctions

WMD Act Section 12A

Yes

Proliferation-financing targeted financial sanctions

FINnet 2.0 / FINGate 2.0

Yes

Reporting and regulatory communication with FIU-IND

Not every source carries the same legal weight. The instruments above directly bind a commercial bank. The following shapes the framework but does not bind the bank in the same way:

Source

Legal force

FATF Recommendations

International standards, not directly binding; they take effect through Indian law and RBI directions

FIU-IND and ED annual reports

Enforcement and reporting context, not a source of obligation

Quick answer: Commercial banks in India are reporting entities under the Prevention of Money-laundering Act, 2002. They must comply with the PMLA, the PML (Maintenance of Records) Rules, 2005 (PMLR), the RBI Commercial Banks KYC Directions, 2025, Section 51A of the UAPA and Section 12A of the WMD Act, file the prescribed reports with FIU-IND, and operate under RBI supervision. The core obligations are customer due diligence, beneficial ownership checks, ongoing monitoring, sanctions screening, prescribed reporting, recordkeeping, training, and independent testing.

What counts as a commercial bank in India?

For this guide, a commercial bank is a bank that accepts deposits from the public, lends, and holds a banking licence from the Reserve Bank of India under section 22 of the Banking Regulation Act, 1949. In everyday terms, these are the banks most people use for a salary account, a home loan or a business current account. For this guide specifically, commercial banks are those covered by the RBI (Commercial Banks – Know Your Customer) Directions, 2025: public-sector, private-sector, and foreign banks operating in India. It does not cover the categories the RBI regulates under separate KYC Directions, namely small finance banks, payments banks, local area banks, regional rural banks and co-operative banks.

In the formal terms of the Direction, this means banking companies, corresponding new banks, and the State Bank of India, and not small finance banks, payments banks, or local area banks that the RBI regulates under its own KYC Directions.

Commercial banks in India fall into three broad groups:

  1. public sector banks, which the government majority owns;
  2. private sector banks;
  3. and foreign banks operating in India through branches or wholly owned subsidiaries.

All three are covered by the same core Indian AML framework, though foreign banks may also need to align with group and home-country standards where these are more stringent. Other bank types, such as small finance banks, payments banks, regional rural banks and cooperative banks, follow the same core framework but have their own guides in this series.

For anti-money-laundering purposes, what matters is not the label but the activity. A bank holds customer money, moves it, and can therefore be used to launder the proceeds of crime or to move funds to terrorists. That is why the law brings every commercial bank into the net.

Are commercial banks reporting entities under the PMLA?

Yes. Commercial banks are reporting entities under the Prevention of Money Laundering Act, 2002. A reporting entity is a business that the law requires to implement AML controls, maintain records, and report certain transactions. Banking companies were among the first institutions brought under the PMLA, and they remain among the most closely supervised.

Being a reporting entity is not optional. It means the bank must verify who its customers are, watch how they transact, keep detailed records, and report cash, suspicious and cross-border transactions to the authorities.

Supervisory authority for commercial banks in India

In short, the Reserve Bank of India supervises commercial banks for AML and KYC, and FIU-IND is the financial intelligence unit that receives their reports.

The Reserve Bank of India is the supervisor and regulator for commercial banks on AML matters. It licenses banks, issues the KYC Directions they must follow, and inspects them to assess how well they run their AML programme, with the power to impose penalties where controls are weak. Banks file their reports with the Financial Intelligence Unit – India (FIU-IND), and the Enforcement Directorate investigates and prosecutes money laundering under the PMLA. You can read more about the Reserve Bank of India and about reporting at FIU-IND.

AML Regulatory Requirements for Commercial Banks in India

Read this framework from the perspective of a commercial bank, where the key differentiator is the RBI Commercial Banks KYC Directions 2025, which govern public-sector, private-sector, and foreign banks.

The law that governs a commercial bank does not sit in one place. It is a layered framework: the core legislation, the overarching infrastructure, the sectoral directions of the supervisor, miscellaneous official reports, international standards, and allied laws. Each category below lists the instruments that apply, with a short note on what each one does.

The framework reads from the core outward. The PMLA is the parent Act; the PMLR turns it into operational duties; the RBI KYC Directions translate both into instructions a bank can follow; the UAPA and the WMD Act add counter-terrorism and proliferation-financing sanctions; and the allied laws shape the predicate-offence risk a bank must understand. Read together, they tell a bank who to identify, what to monitor, what to report and what to keep.

The risk-based approach is the thread that runs through it all. A bank calibrates every control to the risks identified in its internal risk assessment, so a low-risk customer is handled simply. At the same time, a higher-risk one attracts enhanced due diligence. The same principle decides how often KYC is refreshed and how closely transactions are watched.

Core Legislation

The primary statutes and rules that create the AML, CFT and CPF obligations. Everything else builds on them and is grouped into three sub-folders.

AML Legislation

Prevention of Money-Laundering Act, 2002 (PMLA)

The Prevention of Money-Laundering Act, 2002, is the parent anti-money-laundering law on which the entire framework is built. It defines the offence of money laundering, provides for the attachment and confiscation of the proceeds of crime, and creates the special courts and the Enforcement Directorate that investigate and prosecute. For a bank, the operative parts are the reporting-entity duties: customer due diligence under Section 11A and record-keeping and reporting under Section 12. Every rule, direction and report below ultimately draws its authority from this Act.

The PML (Maintenance of Records) Rules, 2005 (PMLR)

The Maintenance of Records Rules turn the PMLA’s broad duties into day-to-day operating instructions for a bank. They fix what must be reported and by when (Rule 3 and Rule 8 cover cash, suspicious, cross-border and other transaction reports), how customers and beneficial owners are to be identified (Rule 9), what records to keep and for how long (Rule 10), and the duty to appoint a Principal Officer and run an internal mechanism (Rule 7). Because laundering methods keep changing, the Rules have been amended many times since 2005. Those amendments are listed in date order below, with the main change each one made.

The table below is included as a legal-history timeline. It helps banks and compliance teams understand how India’s reporting, CDD, beneficial ownership, CKYCR, and record-keeping framework has evolved under the PMLR.

The PMLR amendment notifications, in date order:
Gazette notification and date Key change or rule touched
G.S.R. 389(E), 24 May 2007 The first amendment to the 2005 Rules. It widened the suspicious-transaction definition in rule 2 to cover transactions with no economic rationale or bona fide purpose and those suggesting terrorism financing, and recast rule 3 to capture cash transactions involving forged or counterfeit currency. It also substituted rule 8 on furnishing information to the Director and eased rule 9 from three certified copies to one.
G.S.R. 816(E), 12 November 2009 A wide-ranging amendment. It inserted the definitions of non-profit organisation and Regulator, redefined suspicious transaction, and added a reporting clause for NPO receipts over Rs 10 lakh. It set record retention at ten years (rule 6) and overhauled rule 9 to require identification of the beneficial owner, ongoing due diligence, a bar on anonymous accounts, and a Client Identification Programme.
G.S.R. 76(E), 12 February 2010 Amended rules 3, 4, 5 and 7 to refine record-keeping and the reporting references. Most notably, it inserted the first Explanation defining the beneficial owner in rule 9(1A), as the natural person who ultimately owns or controls a client or on whose behalf a transaction is conducted.
G.S.R. 508(E), 16 June 2010 Amended Rules 2, 9 and 10, the core provisions on definitions, customer due diligence and record-keeping. The changes adjusted how customers are identified and what records a reporting entity must maintain. This was part of the steady tightening of the CDD and records framework through 2010.
G.S.R. 980(E), 16 December 2010 Introduced the small-account regime. It defined the Designated Officer and the small account (with capped credits, withdrawals and balance), widened the officially valid documents in rule 2 to include the NREGA job card and the Aadhaar letter, and inserted rule 9(2A) setting out how a small account is opened and monitored.
G.S.R. 481(E), 24 June 2011 Created the short title for the Rules. It amended rule 1 to rename the lengthy 2005 title to the Prevention of Money-laundering (Maintenance of Records) Rules, the short form, PMLR, that has been used ever since.
G.S.R. 576(E), 27 August 2013 Amended Rules 2 and 3 and inserted provisions after Rule 10. The changes touched definitions, the cash and suspicious transaction reporting duties, and the record framework. It was part of aligning the Rules more closely with the reporting obligations banks operate.
G.S.R. 288(E), 15 April 2015 Amended Rule 2, the definitions clause. Changes to definitions ripple through the whole framework because they decide who and what the operative rules apply to. This was the first of several 2015 updates to the Rules.
G.S.R. 544(E), 7 July 2015 Amended Rules 2, 9 and 10, covering definitions, customer due diligence and record-keeping. It refined how reporting entities identify customers and verify their details and what they must retain. It formed part of a substantial 2015 overhaul of the CDD and records provisions.
G.S.R. 730(E), 22 September 2015 Amended Rules 2 and 7, the definitions and the rule requiring a Principal Officer and an internal reporting mechanism. It refined the governance side of the framework, including who runs the reporting function and how. This sat alongside the other 2015 amendments to CDD and records.
G.S.R. 882(E), 18 November 2015 Updated definitions and the reporting provisions. The changes affected how key terms are read and how transactions are reported to the FIU. It was the last of the cluster of 2015 amendments.
G.S.R. 347(E), 12 April 2017 Amended Rule 2 and inserted Rule 9A, which brought the Central KYC Records Registry into the Rules. This created the duty to file customer KYC records with the central registry and laid the basis for reusing them. It was a major structural addition that underpins the CKYCR a bank uses today.
G.S.R. 538(E), 1 June 2017 Amended Rules 2 and 9 to build Aadhaar into the customer due diligence process. It set out how Aadhaar-based identification and authentication fitted into KYC. This was central to how banks verified identity at the time, later reshaped by the Supreme Court’s Aadhaar ruling.
G.S.R. 1038(E), 21 August 2017 Amended Rule 2, the definitions clause. The change adjusted defined terms that govern how the operative rules apply. It was one of several definition updates in 2017.
G.S.R. 1318(E), 23 October 2017 A further amendment to the Rule 2 definitions later in 2017. Such changes keep the defined terms current as the framework evolves. It continued the run of refinements that year.
G.S.R. 456(E), 16 May 2018 Updated definitions and the customer due diligence provisions. The changes refined who is covered and how customers are to be identified and verified. It was part of the continuing adjustment of the CDD framework.
G.S.R. 1078(E), 31 October 2018 Amended Rule 9, the customer due diligence rule. It refined the steps reporting entities follow to identify and verify customers and beneficial owners. This was one of a series of Rule 9 changes through 2018 and 2019.
G.S.R. 108(E), 13 February 2019 Amended Rules 2 and 9, covering definitions and customer due diligence. It followed the legislative changes to Aadhaar use and adjusted how identification may be carried out. It was the first of several 2019 amendments.
G.S.R. 381(E), 28 May 2019 Amended Rule 9, the customer due diligence rule, refining the identification and verification process. It updated the options available for verifying a customer’s identity. It was part of the post-Aadhaar reshaping of CDD.
G.S.R. 582(E), 19 August 2019 Amended Rules 2 and 9 and inserted provisions after Rule 11. The changes touched definitions, customer due diligence and the supporting provisions on information and records. It was one of the more wide-ranging 2019 updates.
G.S.R. 669(E), 18 September 2019 Amended Rules 2 and 9, again refining definitions and the customer due diligence process. It continued the year’s adjustments to how customers are identified and verified. It sat within the cluster of 2019 CDD amendments.
G.S.R. 840(E), 13 November 2019 Amended Rule 9, the customer due diligence rule. It made further refinements to the identification and verification requirements. It closed out the run of 2019 amendments to CDD.
G.S.R. 228(E), 31 March 2020 Updated definitions and the reporting provisions. The changes adjusted defined terms and the way transactions are reported. It was the first of three closely spaced 2020 amendments.
G.S.R. 251(E), 13 April 2020 Amended Rule 8, which governs the furnishing of transaction reports to the FIU. It refined how and what reporting entities report. It was part of the April 2020 updates to the reporting duty.
G.S.R. 254(E), 16 April 2020 A further amendment to Rule 8 on reporting, made days after the previous one. Together these tightened the reporting provisions. They reflected ongoing adjustment of how reports reach the FIU.
G.S.R. 798(E), 28 December 2020 Amended Rule 2 to designate further businesses and professions as reporting entities, including real estate agents and other DNFBPs. This widened the perimeter of the regime well beyond banks and financial institutions. It was a significant expansion of who must run an AML programme.
G.S.R. 575(E), 13 July 2022 Inserted the International Financial Services Centre (IFSC) definition and a tailored beneficial-owner provision for entities located in an IFSC, where the beneficial owner is taken to be the person heading the reporting entity in India. It also added an IFSC proviso to Rule 9A on the CKYCR. This adapted the Rules to the GIFT City IFSC framework.
S.O. 1074(E), 7 March 2023 A major amendment. It inserted definitions of politically exposed persons, non-profit organisations and group, and added Rule 3A requiring group-wide AML policies. Most significantly, it cut the beneficial-ownership threshold for companies from 25 percent to 10 percent and made the matching cut in Rule 9(3)(e). These changes pulled more owners and more entities into the due diligence net.
G.S.R. 652(E), 4 September 2023 The second major 2023 amendment. It required the Principal Officer to be at management level, cut the beneficial-ownership threshold for partnerships from 15 percent to 10 percent, and inserted the Explanation clarifying what counts as control. It also required trustees to disclose their status and added the results of any analysis under Rules 3 and 9 to the records a bank must keep. The partnership threshold was cut to 10 percent, while the unincorporated-association threshold stayed at more than 15 percent.
G.S.R. 745(E), 17 October 2023 Amended Rules 2, 3, 8 and 9, covering definitions, the reporting duties and customer due diligence. It refined several operative provisions together in one notification. It rounded off the run of 2023 amendments.
G.S.R. 419(E), 19 July 2024 Rewrote Rule 9(1C) on the KYC Identifier and required records on the CKYCR to be updated within seven days of any change. It added the duty to retrieve updated records and amended Rule 9A(2)(g) on the filing, retrieval and use of registry records. This sharpened how banks keep central KYC data current.
The PML (Manner of Receiving the Records Authenticated Outside India) Rules, 2005

These short rules govern how a bank may accept customer documents that have been certified or authenticated outside India, for example by an Indian mission abroad, a notary, or an authorised official in the customer’s country. They set the chain of authentication that makes a foreign document acceptable for KYC purposes in India. They matter most when onboarding non-resident customers, foreign nationals and entities incorporated overseas, where in-person verification of originals is not possible.

CFT Legislation

The Unlawful Activities (Prevention) Act, 1967 (UAPA)

The Unlawful Activities (Prevention) Act is India’s principal counter-terrorism law. For a bank the key provision is Section 51A, which requires it to screen customers and transactions against the lists of individuals and entities designated by the Central Government and by the United Nations Security Council. Where a customer matches a designated name, the bank must freeze the funds and accounts without delay and allow no dealing in them. It then reports the match through the prescribed channel so the funds stay blocked until the authorities decide otherwise.

Procedure for implementation of Section 51A of the UAPA (order dated 2 February 2021; corrigendum dated 15 March 2023)

This is the official, step-by-step procedure that tells banks exactly how to give effect to Section 51A. It explains how the designated lists are circulated, how to confirm whether an apparent match is genuine, and how quickly funds must be frozen once a match is established. It also sets out who to inform, in what form, and how a wrongly matched customer can seek to have a freeze lifted. The corrigendum of 15 March 2023 refined parts of that process.

CPF Legislation

The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act)

The Weapons of Mass Destruction Act is India’s proliferation-financing law. Section 12A extends targeted financial sanctions to anyone involved in financing weapons of mass destruction and their delivery systems. In practice, it places a screen-and-freeze duty on banks similar to that under the UAPA, but aimed at proliferation rather than terrorism. It is the legal anchor for the counter-proliferation-financing part of a bank’s programme.

Procedure for implementation of Section 12A of the WMD Act (dated 1 September 2023)

This procedure mirrors the UAPA process but applies to proliferation financing. It explains how a bank acts on a designated-list match under the WMD Act, including confirming the match, freezing the relevant funds, and reporting to the designated authority. Issued on 1 September 2023, it gives banks a clear operating method for a risk that was previously much harder to action.

Procedure for implementation of Section 12A of the WMD Act (dated 1 September 2023)

This procedure mirrors the UAPA process but applies to proliferation financing. It explains how a bank acts on a designated-list match under the WMD Act, including confirming the match, freezing the relevant funds, and reporting to the designated authority. Issued on 1 September 2023, it gives banks a clear operating method for a risk that was previously much harder to action.

The WMD and their Delivery Systems (Prohibition of Unlawful Activities) Implementation Rules, 2016

These rules support the WMD Act by setting out the machinery for implementing its prohibitions. They underpin the proliferation-financing controls a bank applies and sit alongside the Section 12A procedure. Together, they form the legal basis for the counter-proliferation-financing screening that a bank is expected to run.

Not sure which of these laws actually bind your bank?

AML India can talk you through the framework that applies to commercial banks and confirm where your obligations sit.

Overarching

National infrastructure that sits across the framework and that every bank must connect to.

CERSAI Central KYC Records Registry (CKYCR) Operating Guidelines, 2025

The Central KYC Records Registry, run by CERSAI, is a single national store of customer KYC records. When a bank completes KYC on a new customer it uploads the record and receives a KYC Identifier; when that customer approaches another regulated entity, the record can be retrieved and reused instead of repeating the whole exercise. The 2025 Operating Guidelines set the current rules for uploading, updating, and downloading records, including the duty to push any changes to a customer’s details to the registry. This keeps KYC consistent across the financial system and cuts duplication for both banks and customers.

FINnet 2.0 reporting formats (2024) and the FINGate 2.0 reports manual (June 2023)

FINnet 2.0 is the Financial Intelligence Unit’s online platform through which banks file their regulatory reports, and the FINGate 2.0 reports manual explains how to use it. Between them, they cover the bank’s enrolment and its users, the reporting formats to follow, and the request-and-response process for queries and feedback from the FIU. A bank must be correctly enrolled and using the current formats for its cash, suspicious and cross-border reports to be accepted. This is the practical channel that turns a reporting duty into a filed report.

Sectoral

The supervisory authority and its directions. The Reserve Bank of India is the supervisor and regulator of commercial banks; the Financial Intelligence Unit – India receives reports, and the Enforcement Directorate enforces the PMLA.

Reserve Bank of India RBI (Commercial Banks - Know Your Customer) Directions, 2025

This is the Reserve Bank’s detailed KYC and AML rulebook for commercial banks, the instrument banks work from day to day. It covers customer acceptance, customer identification and due diligence, beneficial ownership checks, risk categories, ongoing due diligence and monitoring, and record management and reporting. It translates the PMLA and the PMLR into instructions that a bank can actually operate under. Issued on 28 November 2025 (RBI/DOR/2025-26/169) and updated as of 29 December 2025, it is the current version that supersedes the earlier KYC Master Direction.

RBI Consolidated Master Directions and the KYC Compliance Notification (28 November 2025)

This is the press release and notification through which the RBI consolidated its scattered directions and moved banks onto the 2025 KYC framework. It explains the transition, including the extent to which earlier KYC directions are repealed or superseded by the 2025 Direction. For a bank it is the reference that confirms which rulebook now applies and from when. It matters mainly for compliance teams updating their policies and internal cross-references.

RBI Internal Risk Assessment (IRA) Guidance for ML/TF Risks (10 October 2024)

This guidance tells a bank how to build the enterprise-wide internal risk assessment that the RBI calls the bedrock of the risk-based approach. The assessment looks across the bank’s customers, products, channels and geographies to work out where money-laundering and terror-financing risk is highest, so controls can be set in proportion. Its findings go to the Board and now also have to take proliferation-financing risk into account. Issued on 10 October 2024, it is the reference a bank uses when designing or refreshing its risk assessment.

RBI (Commercial Banks) Responsible Business Conduct Directions, 2025

These directions consolidate the RBI’s customer. service and fair-conduct rules in one place. They are not an AML-specific instrument, so they do not create KYC or reporting duties. They are listed because they sit alongside the KYC framework and bear on the broader governance and customer conduct controls that a bank runs. A compliance team should be aware of them but should not treat them as part of the core AML obligations.

Miscellaneous

Official reports and policy documents that explain how the system works and where the current risks lie. They are not rules to comply with, but they inform a bank’s understanding of risk.

FIU-IND Annual Report 2024-25

This report sets out how much reporting flows through the system and what the Financial Intelligence Unit does with it. It records the volume of suspicious, cash, and cross-border transaction reports, as well as the FIU’s own supervisory and enforcement activity. In 2024-25, the FIU recorded more than 2 million reports a month and issued 8 compliance orders carrying penalties exceeding Rs 30 crore. It is the source to cite for current reporting statistics and for the enforcement risk a weak reporting programme carries.

Directorate of Enforcement Annual Report 2024-25

The Directorate of Enforcement is the agency that investigates and prosecutes money laundering under the PMLA. Its annual report records the year’s investigations, the value of the attached proceeds, and the prosecutions and convictions secured. For a bank it gives a sense of how the Act is actually enforced and the kinds of cases that draw action. It is context for understanding risk, not a rule to comply with.

FIU-IND and its Core Functions and FAQs

This is the FIU’s own explainer of what it does and how reporting works. It describes the FIU’s role as the central agency that receives, analyses and disseminates financial intelligence, and answers common questions about the reporting process. It is a useful orientation document for staff who are new to reporting. Like the other items here, it informs understanding rather than imposing a separate duty.

MHA National Counter-Terrorism Policy and Strategy

This is the Ministry of Home Affairs’ statement of national counter-terrorism policy and strategy. It sets out how the country approaches the terrorism threat across its agencies. For a bank it provides the policy backdrop to the counter-terrorism-financing duties under the UAPA. It explains the reasoning behind the screening and freezing obligations rather than adding new ones.

International Standards

The global standards that India’s framework implements and is measured against.

FATF Recommendations

The Financial Action Task Force Recommendations are the international standards for anti-money laundering, counter-terrorism financing, and counter-proliferation financing. They are what India’s laws and the RBI Directions are built to implement, and what India is measured against in its evaluations. They are not directly binding on banks, but they explain the logic behind domestic rules. In June 2026, FATF updated Recommendation 6 on targeted financial sanctions.

FATF Mutual Evaluation Report on India, 2024 (and Executive Summary)

This is the FATF’s peer assessment of how well India’s AML and CFT system works in law and in practice. The 2024 evaluation found a good general understanding of risks and obligations across the financial sector, with preventive measures steadily progressing. It also flags the areas India needs to strengthen. For a bank it signals where supervisory attention is likely to focus.

Basel Committee, Sound Management of Risks Related to Money Laundering and Financing of Terrorism (2014, revised July 2020)

This is the Basel Committee’s international supervisory guidance on how banks should manage money-laundering and terror-financing risk. It covers sound practices for customer due diligence, group-wide risk management, and the role of the board and senior management. First issued in 2014 and revised in July 2020, it complements the FATF standards from a banking supervision perspective. It informs what good practice looks like inside a bank.

FATF Risk-Based Approach Guidance for the Banking Sector

This guidance explains, in practical terms, how to apply the risk-based approach inside a bank. It shows how to identify and assess risk and then allocate controls in proportion, rather than treating every customer the same. It underpins the RBI’s expectation that a bank calibrates its controls to its own risk assessment. It is a helpful reference when designing a risk-based programme.

Allied Laws

These laws do not replace the PMLA, PMLR or RBI KYC Directions as the bank’s core AML framework. A bank does not enforce them, but they shape its predicate-offence risk, customer risk assessment, suspicious-transaction indicators and its response to law-enforcement requests.

The Banking Regulation Act, 1949

These laws do not replace the PMLA, PMLR or RBI KYC Directions as the bank’s core AML framework. A bank d

This is the foundational statute for banking in India. It defines the banking business, licenses banks, and gives the Reserve Bank the powers to regulate and supervise them. It is the source of the RBI’s authority to issue the KYC Directions a bank must follow. For AML purposes it is the legal backbone on which the supervisor’s rulebook rests.

oes not enforce them, but they shape its predicate-offence risk, customer risk assessment, suspicious-transaction indicators and its response to law-enforcement requests.

The Companies Act, 2013

This Act governs how companies are formed, owned and run, and what they must disclose. Its rules on shareholding, significant beneficial owners and registers of members are central to checking who really controls a corporate customer. A bank relies on these disclosures when it verifies beneficial ownership during due diligence. Weak or hidden ownership in a company file is a common red flag for laundering.

The Foreign Exchange Management Act, 1999 (FEMA)

The Foreign Exchange Management Act governs foreign-exchange dealings, cross-border payments and the accounts of non-residents. It sets the lawful boundaries for moving money in and out of India. For a bank, it shapes how it handles inward and outward remittances and non-resident accounts, where cross-border laundering risk is concentrated. A FEMA breach can also point to underlying laundering.

The Benami Transactions (Prohibition) Act, 1988

A benami transaction is one in which property or an account is held in one person’s name but actually belongs to and is funded by another, to hide the true owner. This Act prohibits such arrangements and allows the property to be attached and confiscated. It is directly relevant to a bank because nominee and front accounts are a classic laundering technique. Spotting accounts operated for someone other than the named holder is part of due diligence.

The Prevention of Corruption Act, 1988

This Act criminalises bribery and corruption by and of public servants. Corruption is a major predicate offence, meaning the proceeds it generates are exactly what money laundering seeks to disguise. A bank most often meets this risk through politically exposed persons and accounts that receive unexplained payments linked to public contracts. It is part of the backdrop to enhanced due diligence on higher-risk customers.

The Narcotic Drugs and Psychotropic Substances Act, 1985 (NDPS)

The Narcotic Drugs and Psychotropic Substances Act criminalises drug trafficking and related dealings. Drug trafficking is one of the largest sources of laundered money worldwide, which makes it a major predicate offence under the PMLA. For a bank, cash-intensive activity inconsistent with a customer’s profile can be a sign of drug-proceeds laundering. It is part of the predicate-offence risk a bank must understand.

The Bharatiya Nyaya Sanhita, 2023

The Bharatiya Nyaya Sanhita is the new criminal code that replaces the Indian Penal Code, 1860. It defines the core criminal offences, many of which are predicate offences whose proceeds can be laundered through the banking system. A bank does not enforce it, but its offences sit behind the suspicious activity a bank is meant to detect. It is part of the criminal-law foundation of the AML regime.

The Bharatiya Nagarik Suraksha Sanhita, 2023

The Bharatiya Nagarik Suraksha Sanhita is the new criminal procedure code that replaces the Code of Criminal Procedure, 1973. It governs how offences are investigated and prosecuted, including search, seizure and the powers used to gather evidence. For a bank, it is relevant mainly when it responds to law enforcement requests for information or to freezing and seizure orders. It is a procedural context rather than a compliance duty.

The Fugitive Economic Offenders Act, 2018

This Act lets the authorities act against high-value economic offenders who leave India to avoid prosecution. It permits the attachment and confiscation of their property, including assets held through others. For a bank, it matters because such persons often move funds through accounts and entities before fleeing. Accounts linked to a declared fugitive economic offender carry obvious heightened risk.

The Black Money (Undisclosed Foreign Income and Assets) and Imposition of Tax Act, 2015

This Act targets undisclosed foreign income and assets held by Indian residents. It taxes and penalises wealth kept abroad outside the tax net. For a bank, it connects to the risk of funds linked to undisclosed offshore assets flowing through its accounts. It forms part of the wider picture of illicit-finance risk that a bank should be alert to.

The Foreign Contribution (Regulation) Act, 2010 (FCRA)

The Foreign Contribution (Regulation) Act regulates the receipt and use of foreign contributions, particularly by non-profit organisations. It requires eligible recipients to be registered and to route foreign donations through designated accounts. For a bank, it is directly relevant when servicing NPO customers. Some NPO structures may be vulnerable to misuse for terror financing, so banks should apply a risk-based approach rather than treating every NPO as automatically high risk. Foreign funding that does not follow the FCRA route is a clear warning sign.

The Conservation of Foreign Exchange and Prevention of Smuggling Activities Act, 1974 (COFEPOSA)

This Act provides for the preventive detention of people involved in smuggling and foreign-exchange violations. It is aimed at stopping such activity before it causes further harm. For a bank, it sits in the background of trade-based and foreign-exchange laundering risk. It signals the seriousness with which smuggling and forex abuse are treated.

The Smugglers and Foreign Exchange Manipulators (Forfeiture of Property) Act, 1976

The Smugglers and Foreign Exchange Manipulators (Forfeiture of Property) Act allows the forfeiture of property held by smugglers and foreign-exchange manipulators, including assets held in others’ names. It works alongside COFEPOSA to strip the gains from such activity. For a bank, it is part of the legal response to the proceeds of smuggling and forex crime. Accounts connected to persons covered by this Act warrant care.

The Arms Act, 1959

The Arms Act regulates the manufacture, sale and possession of firearms and ammunition. Illegal arms dealing is a predicate offence and can be linked to organised crime and terrorism financing. For a bank, it forms part of the predicate offence and terror-financing risk picture. Transactions suggesting illicit arms activity feed into suspicious-transaction monitoring.

The Chemical Weapons Convention Act, 2000

This Act implements India’s obligations under the Chemical Weapons Convention by prohibiting the development, production and use of chemical weapons. It connects to the proliferation-financing context that the WMD Act addresses. For a bank, it is part of the backdrop to counter-proliferation-financing controls. It reinforces why screening for proliferation links matters.

The Central Vigilance Commission Act, 2003

This Act establishes the Central Vigilance Commission, the apex body that oversees vigilance and anti-corruption work in the central government. It strengthens the wider framework against corruption, a major predicate offence for money laundering. For a bank, it is part of the anti-corruption environment rather than a direct duty. It supports the integrity backdrop within which AML controls operate.

Core AML/CFT/CPF Obligations for Commercial Banks in India

Across that framework, the regulations require a commercial bank to do the following. This article keeps each at the level required by law; the compliance requirements guide explains how to do each.

Register with FIU-IND. Enrol with the Financial Intelligence Unit – India on the FINnet 2.0 / FINGate 2.0 portal so the bank can file its reports.

Appoint officers. Appoint a Board-nominated Designated Director and a management-level Principal Officer under Rule 7 of the PMLR. The same person cannot hold both roles, and both are informed to FIU-IND and the RBI.

Conduct the internal risk assessment. Assess money-laundering, terror-financing and proliferation-financing risk. The RBI Internal Risk Assessment Guidance of 10 October 2024 calls this the bedrock of the risk-based approach, and its outcome goes to the Board.

Document AML policy, controls and procedures. Adopt a board-approved policy that turns the risk assessment into operating procedures.

Customer identification and CDD. Identify and verify every customer and the beneficial owner (a controlling interest of more than 10 percent for a company or partnership, and more than 15 percent for an unincorporated association or body of individuals), with enhanced due diligence for PEPs and high-risk customers, under Section 11A of the PMLA, Rule 9 of the PMLR and the RBI KYC Directions 2025. For non-profit organisation customers, register the entity’s details on the NITI Aayog DARPAN Portal if not already registered, and keep that record for five years after the relationship ends or the account is closed, whichever is later.

Ongoing monitoring and periodic updation. Monitor transactions on an ongoing basis, and refresh KYC at least once every 2, 8 and 10 years for high, medium and low-risk customers. Review each customer’s risk categorisation at least once every six months and decide whether enhanced due diligence is required.

Sanctions screening. Screen customers and beneficial owners against the designated lists under Section 51A of the UAPA and Section 12A of the WMD Act, and freeze and report any match. Verify the relevant UNSC and domestic designated lists on a daily basis and act on any additions, deletions or other changes.

Regulatory reporting. File cash transaction reports for cash over Rs 10 lakh and for connected cash transactions adding up to more than Rs 10 lakh in a month, reports on receipts by non-profit organisations of more than Rs 10 lakh, reports on cash transactions involving counterfeit currency, forged valuable security or forged documents, suspicious transaction reports of any value, and cross-border wire transfer reports for transfers of more than Rs 5 lakh, or its equivalent in foreign currency, where either the origin or destination of funds is in India, under Rule 3 and Rule 8 of the PMLR. Cash transaction reports, NPO transaction reports, counterfeit currency or forged-document reports and cross-border wire transfer reports are filed monthly, by the 15th day of the succeeding month.

Suspicious transaction reports must be filed promptly once the Principal Officer is satisfied that the transaction is suspicious. Reports relating to immovable property transactions under Rule 3(F), where applicable, are filed quarterly by the 15th day of the month succeeding the quarter.

Record management, CKYCR and FINnet 2.0. Keep transaction records for five years from the date of the transaction, and keep identity records, account files and business correspondence for five years after the business relationship ends or the account is closed, whichever is later, under Section 12 of the PMLA. Upload customer KYC records to the Central KYC Records Registry (CKYCR) under Rule 9A of the PMLR, retrieve and reuse an existing record where applicable, push any updated customer details to the registry within the prescribed timeline, and file all prescribed reports through FINnet 2.0.

Training and awareness. Train staff by role to apply the controls and recognise red flags.

Independent testing and audit. Test the programme through internal audit, compliance assurance or independent review, and close every finding.

Correspondent banking and wire transfers. Apply enhanced due diligence to correspondent relationships and ensure cross-border wire transfers carry complete originator and beneficiary information (the travel rule).

From regulation to compliance: your next step

Knowing the law is the first half of the job. The second half is building a programme that delivers it: a risk assessment, a board-approved policy, a working KYC and due diligence process, screening, monitoring, reporting, training, records and audit. That is the subject of the companion guide, AML Compliance Requirements for Commercial Banks in India.

If you want the wider context, start with the AML Laws and Regulations for the Banking Sector in India or the top-level AML Laws and Regulations in India. Whichever way you read, the destination is the same: a bank that can show, with evidence, that it knows its customers, watches its transactions and reports what it should.

Want to talk through what the 2025 regulations mean for your bank?

AML India can walk you through the laws that apply to commercial banks and what they require, with no obligation.

Frequently Asked Questions

Yes. The Prevention of Money Laundering Act, 2002, treats banking companies as reporting entities, and banks were among the first institutions brought under the Act. Being a reporting entity means the bank has legal duties to verify its customers, monitor how they transact, keep records and report cash, suspicious and cross-border transactions. The Reserve Bank of India supervises how banks meet these duties, and they are mandatory, not a matter of choice.

Yes. This guide covers the commercial banks regulated under the RBI (Commercial Banks – Know Your Customer) Directions, 2025, which are the public sector banks, the private sector banks and the foreign banks operating in India. They share the same legal base and the same RBI Commercial Banks Direction. It does not cover small finance banks, payments banks, local area banks, regional rural banks or cooperative banks, which have their own directions and their own guides.

They are the RBI’s detailed instructions to banks on know-your-customer and anti-money-laundering work. Issued on 28 November 2025 as part of the RBI’s consolidated Master Directions, they rest on Section 35A of the Banking Regulation Act, 1949, read with the PMLA and the PMLR. They cover customer identification, customer due diligence, beneficial ownership, ongoing due diligence, record management and reporting, and they are the documents a bank’s compliance team works from.

No. Those are separate bank categories with their own RBI KYC Directions, 2025 and their own guides. A small finance bank, payments bank, local area bank, regional rural bank or cooperative bank should read the guide for its own category, not this one. This page is read from the position of a commercial bank, and applying it to another bank type would point you to the wrong Direction.

The everyday business of a commercial bank is where the exposure sits: opening and operating accounts, accepting deposits, lending, trade finance, correspondent banking, and domestic and cross-border payments and remittances. Each is a channel that can be misused for laundering or terror financing, which is why the PMLA, the PMLR and the RBI Commercial Banks KYC Directions 2025 require customer due diligence, ongoing monitoring, sanctions screening and reporting across all of them.

The beneficial owner is the natural person who ultimately owns or controls a customer, even when a company, partnership or trust holds the account. For a company or a partnership, the threshold is a controlling interest of more than 10 percent of the shares, capital or profits. For an unincorporated association or body of individuals it is more than 15 percent. For a trust it covers the author, the trustees, beneficiaries with a 10 percent or more interest, and anyone exercising ultimate effective control. Control can also be exercised through other means, such as the right to appoint most of the directors, so the bank must look beyond the paperwork to the real person in charge.

The bank refreshes customer KYC on a risk-based cycle called periodic updation. Under the KYC Directions 2025, this is at least once every 2 years for high-risk customers, once every 8 years for medium-risk customers and once every 10 years for low-risk customers. The bank can and should update sooner if something changes, such as a change in ownership or unusual activity on the account.

Under Rule 3 of the PMLR a bank reports cash transactions over Rs 10 lakh, a series of connected cash transactions adding up to more than Rs 10 lakh in a month, cash transactions involving counterfeit currency, forged valuable security or forged documents, receipts by non-profit organisations of more than Rs 10 lakh, all suspicious transactions of any value including attempted ones, and cross-border wire transfers of more than Rs 5 lakh, or its equivalent in foreign currency, where either the origin or destination of funds is in India. These are filed with FIU-IND as cash transaction reports, suspicious transaction reports and cross-border wire transfer reports, among others.

Banks keep records for five years under Section 12 of the PMLA, but on two clocks. Transaction records run for five years from the date of the transaction. Identity records, account files and business correspondence run for five years after the business relationship ends or the account is closed, whichever is later. The records must be retained so the bank can produce them quickly when the RBI, FIU-IND or law enforcement requests them.

The RBI can impose monetary penalties and order the bank to fix its controls, and FIU-IND can issue compliance orders with penalties of its own. In FY 2024-25, FIU-IND issued 8 compliance orders with penalties exceeding Rs 30 crore. Where an account is linked to money laundering, the Enforcement Directorate can also attach property and prosecute, so weak compliance carries both financial and reputational costs.

For a partnership firm, the beneficial owner is the natural person who holds a controlling interest of more than 10 percent of the capital or profits of the partnership, or who otherwise controls it. This 10 percent partnership threshold was introduced by the 2023 amendment to the PMLR, down from the earlier 15 percent. Where no such natural person can be identified, the bank identifies whoever exercises control through other means.

Reports on cash transactions involving counterfeit currency, forged valuable security or forged documents are filed monthly, by the 15th day of the succeeding month, under Rule 3 and Rule 8 of the PMLR. They follow the same monthly cycle as cash transaction reports and cross-border wire transfer reports, unlike suspicious transaction reports, which are filed promptly once the Principal Officer is satisfied.

Official sources and review

Why work with AML India

AML India helps banks and other regulated entities meet their PMLA and RBI obligations, from risk assessment and policy through to training, software selection and independent review.

Industries we serve: banks and financial institutions, insurance companies, securities intermediaries, payments and fintech businesses, real estate agents, dealers in precious metals and stones, virtual asset service providers, and IFSC and GIFT City entities.

“We are thrilled to have AML India as our compliance partner. Their consultants have immense knowledge in executing the right KYC and CDD processes for our business, and made it easy to onboard new customers without the fear of money-laundering risks.”

General Manager, Financial Company

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.

 

Reach Out to Pathik