Last Updated on: 9th July 2026 | Last Reviewed on: 9th July 2026
Key takeaways at a glance
- Who is covered: banks across India, including commercial, small finance, payments, local area, regional rural and cooperative banks, as reporting entities under the PMLA and subject to RBI directions and supervision.
- Governing laws: the PMLA, 2002 and the PML (Maintenance of Records) Rules, 2005; the applicable RBI KYC Directions, 2025; the UAPA 1967 (Section 51A) and the WMD Act, 2005 (Section 12A).
- Regulator: the Reserve Bank of India (RBI). Reports go to the Financial Intelligence Unit – India (FIU-IND); the Enforcement Directorate (ED) enforces the PMLA.
- Core duties: an internal risk assessment, customer due diligence and KYC, beneficial-owner identification, periodic updation (2, 8 and 10 years by risk), monitoring, prescribed transaction reporting, five-year record-keeping, and sanctions screening.
- Latest change: the RBI issued category-specific KYC Directions on 28 November 2025; each bank works from the Direction for its licence category.
This guide is general information on Indian law, not legal advice. For your bank’s specific position, speak to a qualified AML professional.
Banks in India are reporting entities under the PMLA. Their AML, CFT, and CPF obligations stem mainly from the PMLA, the PML Rules, the applicable RBI KYC Directions 2025, Section 51A of the UAPA, Section 12A of the WMD Act, and the FIU-IND reporting requirements. The RBI supervises banks for AML and KYC compliance, while reports are filed with FIU-IND.
Which AML framework applies to each bank type:
Bank type | Applicable AML framework |
Commercial banks | PMLA, PMLR and the RBI Commercial Banks KYC Directions 2025 |
Small finance banks | PMLA, PMLR and the RBI Small Finance Banks KYC Directions 2025 |
Payments banks | PMLA, PMLR and the RBI Payments Banks KYC Directions 2025 |
Local area banks | PMLA, PMLR and the RBI Local Area Banks KYC Directions 2025 |
Regional rural banks | PMLA, PMLR and the relevant RBI Regional Rural Banks KYC Directions 2025 |
Cooperative banks | PMLA, PMLR and the relevant RBI Cooperative Banks KYC Directions 2025 |
Banks in India are reporting entities under the Prevention of Money-laundering Act, 2002, and are regulated for AML through the PMLA, the PML (Maintenance of Records) Rules, 2005, the RBI KYC Directions, 2025, the UAPA and WMD Act sanctions procedures and the FIU-IND reporting framework, under RBI supervision. The compliance lifecycle is common to all banks, but the applicable RBI KYC Directions differ by bank category.
AML Laws and Regulations for the Banking Sector in India
Use this page to understand the common AML, CFT and CPF framework that applies across India’s bank categories. If you need the detailed rulebook for a specific bank type, use the commercial bank, small finance bank, payments bank, local area bank, regional rural bank, or cooperative bank guide instead. It explains the laws, not how to apply them day-to-day; for implementation steps, see the AML Compliance Requirements for the Banking Sector in India guide.
India’s banks sit at the centre of the financial system. They open accounts, hold deposits, move payments and remittances, finance trade and process most of the money in the economy. That same reach is what money launderers try to exploit, which is why every bank in India carries a defined set of anti-money-laundering duties set by law.
This is a sector-level overview. It covers what is common to all banks and then routes you to the rules for your specific bank type. AML stands for anti-money laundering, CFT for countering the financing of terrorism, and CPF for counter-proliferation financing. This is the law behind them. For the step-by-step programme that turns these rules into day-to-day controls, read the companion guide, AML Compliance Requirements for the Banking Sector in India. It sits within the wider AML Laws and Regulations framework in India.
What the banking sector covers and why it is regulated for AML
The banking sector in India comprises several types of banks, all subject to the Reserve Bank of India’s directions and supervision. The main types of banks are commercial banks, small finance banks, payments banks, local area banks, regional rural banks, and cooperative banks, which are further divided into urban and rural cooperative banks. They differ in size, customers, and permitted activities. Still, each is a reporting entity under the anti-money-laundering law, and each must run an AML programme suited to its risk.
Banks are regulated for AML because they are the main gateway into the financial system. Layering, the movement of illicit funds through multiple accounts to disguise their origin, often involves one or more bank accounts, payment channels, or trade-finance arrangements. The law, therefore, asks banks to know who their customers are, to watch how money moves, and to report suspicious or prescribed transactions.
Banks as reporting entities under the PMLA
The Prevention of Money Laundering Act, 2002, known as the PMLA, is India’s parent anti-money-laundering law. It creates the offence of money laundering and imposes core duties on reporting entities; banks fall squarely within the definition, so the PMLA applies to every bank in India. The RBI is the relevant regulator for banks because it licenses, regulates, and supervises banking activity, setting detailed standards and overseeing how banks meet them.
Want to confirm which directions bind your bank?
Bank types carry different licences and different KYC Directions. Talk to an AML consultant if you would like help confirming the framework that applies to your institution.
Supervisory authority for the banking sector in India
The Reserve Bank of India is the supervisor and regulator for the banking sector. It issues the KYC and AML directions banks work from, inspects banks for compliance, and can take supervisory action where a bank falls short. The Financial Intelligence Unit – India (FIU-IND) receives, analyses and disseminates the reports banks file. The Enforcement Directorate (ED) investigates and prosecutes the offence of money laundering under the PMLA. In short, the RBI sets and supervises the rules, FIU-IND receives the intelligence, and the ED enforces the criminal law.
AML Regulatory Requirements for the Banking Sector in India
Read this framework as the banking sector’s common legal basis; the structure is shared across bank types, while the applicable RBI KYC Directions differ by category.
The law that governs a bank does not sit in one place. It is a layered framework, and it helps to see it grouped as the official source set groups it: the core legislation, the overarching infrastructure, the sectoral directions of the supervisor, the miscellaneous official reports, the international standards, and the allied laws. Each category below lists the instruments that apply, with a short note on what each one does.
The framework reads from the core outward. The PMLA is the parent Act; the PML Rules turn it into operational duties; the RBI KYC Directions translate both into instructions that a bank can follow; the UAPA and the WMD Act add counter-terrorism and proliferation-financing sanctions; and the allied laws shape the predicate-offence risk. The risk-based approach is the thread that runs through it all.
Core Legislation
The primary statutes and rules that create the AML, CFT and CPF obligations are grouped into three sub-folders.
AML Legislation
Prevention of Money-Laundering Act, 2002 (PMLA)
The parent anti-money-laundering law. It creates the offence and the core duties on reporting entities, including customer due diligence under Section 11A and record-keeping under Section 12.
The PML (Maintenance of Records) Rules, 2005 (PMLR)
The rules made under the PMLA. They set what to report and when (Rule 3 and Rule 8), how to identify customers and beneficial owners (Rule 9), and the duty to appoint officers (Rule 7). For banks, the RBI is the relevant regulator because it licenses, regulates and supervises banking activity. The PMLR has been amended through 31 Gazette notifications and orders, listed below.
The 31 PMLR amendment notifications, in date order:
Gazette notification and date | Key change or rule touched |
G.S.R. 389(E), 24 May 2007 | The first amendment to the 2005 Rules. It widened the suspicious-transaction definition in rule 2 to cover transactions with no economic rationale or bona fide purpose and those suggesting terrorism financing, and recast rule 3 to capture cash transactions involving forged or counterfeit currency. It also substituted rule 8 on furnishing information to the Director and eased rule 9 from three certified copies to one. |
G.S.R. 816(E), 12 November 2009 | A wide-ranging amendment. It inserted the definitions of non-profit organisation and Regulator, redefined suspicious transaction, and added a reporting clause for NPO receipts over Rs 10 lakh. It set record retention at ten years (rule 6) and overhauled rule 9 to require identification of the beneficial owner, ongoing due diligence, a bar on anonymous accounts, and a Client Identification Programme. |
G.S.R. 76(E), 12 February 2010 | Amended rules 3, 4, 5 and 7 to refine record-keeping and the reporting references. Most notably, it inserted the first Explanation defining the beneficial owner in rule 9(1A), as the natural person who ultimately owns or controls a client or on whose behalf a transaction is conducted. |
G.S.R. 508(E), 16 June 2010 | Amended Rules 2, 9 and 10, the core provisions on definitions, customer due diligence and record-keeping. The changes adjusted how customers are identified and what records a reporting entity must maintain. This was part of the steady tightening of the CDD and records framework through 2010. |
G.S.R. 980(E), 16 December 2010 | Introduced the small-account regime. It defined the Designated Officer and the small account (with capped credits, withdrawals and balance), widened the officially valid documents in rule 2 to include the NREGA job card and the Aadhaar letter, and inserted rule 9(2A) setting out how a small account is opened and monitored. |
G.S.R. 481(E), 24 June 2011 | Created the short title for the Rules. It amended rule 1 to rename the lengthy 2005 title to the Prevention of Money-laundering (Maintenance of Records) Rules, the short form, PMLR, that has been used ever since. |
G.S.R. 576(E), 27 August 2013 | Amended Rules 2 and 3 and inserted provisions after Rule 10. The changes touched definitions, the cash and suspicious transaction reporting duties, and the record framework. It was part of aligning the Rules more closely with the reporting obligations banks operate. |
G.S.R. 288(E), 15 April 2015 | Amended Rule 2, the definitions clause. Changes to definitions ripple through the whole framework because they decide who and what the operative rules apply to. This was the first of several 2015 updates to the Rules. |
G.S.R. 544(E), 7 July 2015 | Amended Rules 2, 9 and 10, covering definitions, customer due diligence and record-keeping. It refined how reporting entities identify customers and verify their details and what they must retain. It formed part of a substantial 2015 overhaul of the CDD and records provisions. |
G.S.R. 730(E), 22 September 2015 | Amended Rules 2 and 7, the definitions and the rule requiring a Principal Officer and an internal reporting mechanism. It refined the governance side of the framework, including who runs the reporting function and how. This sat alongside the other 2015 amendments to CDD and records. |
G.S.R. 882(E), 18 November 2015 | Updated definitions and the reporting provisions. The changes affected how key terms are read and how transactions are reported to the FIU. It was the last of the cluster of 2015 amendments. |
G.S.R. 347(E), 12 April 2017 | Amended Rule 2 and inserted Rule 9A, which brought the Central KYC Records Registry into the Rules. This created the duty to file customer KYC records with the central registry and laid the basis for reusing them. It was a major structural addition that underpins the CKYCR a bank uses today. |
G.S.R. 538(E), 1 June 2017 | Amended Rules 2 and 9 to build Aadhaar into the customer due diligence process. It set out how Aadhaar-based identification and authentication fitted into KYC. This was central to how banks verified identity at the time, later reshaped by the Supreme Court’s Aadhaar ruling. |
G.S.R. 1038(E), 21 August 2017 | Amended Rule 2, the definitions clause. The change adjusted defined terms that govern how the operative rules apply. It was one of several definition updates in 2017. |
G.S.R. 1318(E), 23 October 2017 | A further amendment to the Rule 2 definitions later in 2017. Such changes keep the defined terms current as the framework evolves. It continued the run of refinements that year. |
G.S.R. 456(E), 16 May 2018 | Updated definitions and the customer due diligence provisions. The changes refined who is covered and how customers are to be identified and verified. It was part of the continuing adjustment of the CDD framework. |
G.S.R. 1078(E), 31 October 2018 | Amended Rule 9, the customer due diligence rule. It refined the steps reporting entities follow to identify and verify customers and beneficial owners. This was one of a series of Rule 9 changes through 2018 and 2019. |
G.S.R. 108(E), 13 February 2019 | Amended Rules 2 and 9, covering definitions and customer due diligence. It followed the legislative changes to Aadhaar use and adjusted how identification may be carried out. It was the first of several 2019 amendments. |
G.S.R. 381(E), 28 May 2019 | Amended Rule 9, the customer due diligence rule, refining the identification and verification process. It updated the options available for verifying a customer’s identity. It was part of the post-Aadhaar reshaping of CDD. |
G.S.R. 582(E), 19 August 2019 | Amended Rules 2 and 9 and inserted provisions after Rule 11. The changes touched definitions, customer due diligence and the supporting provisions on information and records. It was one of the more wide-ranging 2019 updates. |
G.S.R. 669(E), 18 September 2019 | Amended Rules 2 and 9, again refining definitions and the customer due diligence process. It continued the year’s adjustments to how customers are identified and verified. It sat within the cluster of 2019 CDD amendments. |
G.S.R. 840(E), 13 November 2019 | Amended Rule 9, the customer due diligence rule. It made further refinements to the identification and verification requirements. It closed out the run of 2019 amendments to CDD. |
G.S.R. 228(E), 31 March 2020 | Updated definitions and the reporting provisions. The changes adjusted defined terms and the way transactions are reported. It was the first of three closely spaced 2020 amendments. |
G.S.R. 251(E), 13 April 2020 | Amended Rule 8, which governs the furnishing of transaction reports to the FIU. It refined how and what reporting entities report. It was part of the April 2020 updates to the reporting duty. |
G.S.R. 254(E), 16 April 2020 | A further amendment to Rule 8 on reporting, made days after the previous one. Together these tightened the reporting provisions. They reflected ongoing adjustment of how reports reach the FIU. |
G.S.R. 798(E), 28 December 2020 | Amended Rule 2 to designate further businesses and professions as reporting entities, including real estate agents and other DNFBPs. This widened the perimeter of the regime well beyond banks and financial institutions. It was a significant expansion of who must run an AML programme. |
G.S.R. 575(E), 13 July 2022 | Inserted the International Financial Services Centre (IFSC) definition and a tailored beneficial-owner provision for entities located in an IFSC, where the beneficial owner is taken to be the person heading the reporting entity in India. It also added an IFSC proviso to Rule 9A on the CKYCR. This adapted the Rules to the GIFT City IFSC framework. |
S.O. 1074(E), 7 March 2023 | A major amendment. It inserted definitions of politically exposed persons, non-profit organisations and group, and added Rule 3A requiring group-wide AML policies. Most significantly, it cut the beneficial-ownership threshold for companies from 25 percent to 10 percent and made the matching cut in Rule 9(3)(e). These changes pulled more owners and more entities into the due diligence net. |
G.S.R. 652(E), 4 September 2023 | The second major 2023 amendment. It required the Principal Officer to be at management level, cut the beneficial-ownership threshold for partnerships from 15 percent to 10 percent, and inserted the Explanation clarifying what counts as control. It also required trustees to disclose their status and added the results of any analysis under Rules 3 and 9 to the records a bank must keep. The partnership threshold was cut to 10 percent, while the unincorporated-association threshold stayed at more than 15 percent. |
G.S.R. 745(E), 17 October 2023 | Amended Rules 2, 3, 8 and 9, covering definitions, the reporting duties and customer due diligence. It refined several operative provisions together in one notification. It rounded off the run of 2023 amendments. |
G.S.R. 419(E), 19 July 2024 | Rewrote Rule 9(1C) on the KYC Identifier and required records on the CKYCR to be updated within seven days of any change. It added the duty to retrieve updated records and amended Rule 9A(2)(g) on the filing, retrieval and use of registry records. This sharpened how banks keep central KYC data current. |
The PML (Manner of Receiving the Records Authenticated Outside India) Rules, 2005
Rules for accepting customer records authenticated outside India, relevant for non-resident and cross-border onboarding.
CFT Legislation
The Unlawful Activities (Prevention) Act, 1967 (UAPA)
The counter-terrorism law. Section 51A requires banks to screen customers against designated lists and freeze the funds of listed persons and entities.
Procedure for implementation of Section 51A of the UAPA (order dated 2 February 2021; corrigendum dated 15 March 2023)
The official procedure banks follow to apply Section 51A, including how to act on a designated-list match.
CPF Legislation
The Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005 (WMD Act)
The proliferation-financing law. Section 12A provides the legal basis for targeted financial sanctions relating to the financing of weapons of mass destruction.
Procedure for implementation of Section 12A of the WMD Act (dated 1 September 2023)
The official procedure for applying Section 12A mirrors the screening and freezing steps for proliferation financing.
The WMD and their Delivery Systems (Prohibition of Unlawful Activities) Implementation Rules, 2016
Rules implementing the WMD Act and supporting the proliferation-financing controls.
Not sure which of these laws actually bind your bank?
AML India can talk you through the framework that applies to commercial banks and confirm where your obligations sit.
Overarching
The shared national plumbing that every bank in the sector plugs into, whatever its licence category.
CERSAI Central KYC Records Registry (CKYCR) Operating Guidelines, 2025
The Central KYC Records Registry stores customer KYC records centrally. Banks upload to it and can reuse a customer’s existing record, thereby keeping KYC consistent and reducing duplication.
FINnet 2.0 reporting formats (2024) and the FINGate 2.0 reports manual (June 2023)
The FIU-IND reporting platform and its current formats, through which banks enrol and file their reports.
Sectoral
The supervisory authority and its directions. The Reserve Bank of India is the supervisor and regulator of banks; FIU-IND receives reports, and the Enforcement Directorate enforces the PMLA.
Reserve Bank of India
The RBI KYC Directions, 2025 (one set for each bank type)
The RBI’s detailed KYC and AML rulebook covers customer identification, customer due diligence, beneficial ownership, ongoing due diligence, record management, and reporting. The RBI issues a parallel set for each bank type, for example, the RBI (Commercial Banks – Know Your Customer) Directions, 2025. Read the rules for your bank type for the details that bind you.
RBI Consolidated Master Directions and the KYC Compliance Notification (28 November 2025)
The notification through which the RBI issued the consolidated Master Directions and moved entities to the 2025 KYC framework. Earlier KYC instructions stand repealed or superseded to the extent provided in the relevant 2025 Direction.
RBI Internal Risk Assessment (IRA) Guidance for ML/TF Risks (10 October 2024)
Guidance on building the bank’s enterprise-level risk assessment, which the RBI calls the bedrock of the risk-based approach. The outcome goes to the Board and factors in proliferation-financing risk.
Miscellaneous
Official reports and policy papers that map how the system operates and where today’s risks are concentrated. These are not compliance rules; they sharpen a bank’s view of the threat across the sector.
FIU-IND Annual Report 2024-25
Reports the volume of suspicious, cash and cross-border transaction reports and FIU-IND’s supervisory activity. In FY 2024-25, FIU-IND received more than 2 million reports a month, including 1,73,13,368 cash transaction reports, 4,34,668 suspicious transaction reports, 1,02,73,512 cross-border wire transfer reports and 9,31,548 non-profit transaction reports, and issued 8 compliance orders carrying penalties of more than Rs 30 crore. The source for current reporting statistics.
Directorate of Enforcement Annual Report 2024-25
Records PMLA investigations, attachments and prosecutions by the Enforcement Directorate.
FIU-IND and its Core Functions and FAQs
An official explainer of what FIU-IND does and how reporting works.
MHA National Counter-Terrorism Policy and Strategy
The Ministry of Home Affairs’ statement of national counter-terrorism policy provides context for the CFT obligations.
International Standards
The global standards that India’s framework implements and is measured against.
FATF Recommendations
The international AML, CFT and CPF standards that India’s laws and the RBI Directions implement. In June 2026, FATF updated Recommendation 6 on targeted financial sanctions.
FATF Mutual Evaluation Report on India, 2024 (and Executive Summary)
The Financial Action Task Force assessment of India’s AML/CFT system. The 2024 evaluation found a good general understanding of risk in the financial sector, with preventive measures steadily progressing, and India’s 2022 National Risk Assessment identifies fraud, corruption and drug trafficking as the largest money-laundering risks.
Basel Committee, Sound Management of Risks Related to Money Laundering and Financing of Terrorism (2014, revised July 2020)
International supervisory guidance for banks on managing money-laundering and terror-financing risk.
FATF Risk-Based Approach Guidance for the Banking Sector
Guidance on applying the risk-based approach inside a bank, which underpins the RBI’s expectations.
Allied Laws
These laws do not replace the PMLA, the PMLR or the RBI KYC Directions as a bank’s core AML framework. A bank does not enforce them, but they shape its predicate-offence risk, customer risk assessment, suspicious-transaction indicators and its response to law-enforcement requests.
The Banking Regulation Act, 1949
The foundation of banking law and the source of the RBI’s power to issue the KYC Directions, including under Section 35A.
The Companies Act, 2013
Governs companies and their ownership disclosures, which matters for beneficial-owner checks on corporate customers.
The Foreign Exchange Management Act, 1999 (FEMA)
Governs foreign exchange, cross-border dealings and non-resident accounts.
The Benami Transactions (Prohibition) Act, 1988
Targets assets and accounts held in another person’s name to hide the real owner.
The Prevention of Corruption Act, 1988
Relevant where the proceeds of bribery and corruption move through bank accounts.
The Narcotic Drugs and Psychotropic Substances Act, 1985 (NDPS)
Drug trafficking is a major predicate offence and source of laundered funds.
The Bharatiya Nyaya Sanhita, 2023
The criminal code that replaces the Indian Penal Code, 1860, and defines the predicate offences behind laundered funds.
The Bharatiya Nagarik Suraksha Sanhita, 2023
The Code of Criminal Procedure that replaces the Code of Criminal Procedure, 1973.
The Fugitive Economic Offenders Act, 2018
Allows action against high-value economic offenders who leave the country to avoid prosecution.
The Black Money (Undisclosed Foreign Income and Assets) and Imposition of Tax Act, 2015
Targets undisclosed foreign income and assets.
The Foreign Contribution (Regulation) Act, 2010 (FCRA)
Regulates foreign contributions, relevant to certain customer types such as non-profit organisations.
The Conservation of Foreign Exchange and Prevention of Smuggling Activities Act, 1974 (COFEPOSA)
Provides for preventive detention in smuggling and foreign-exchange cases.
The Smugglers and Foreign Exchange Manipulators (Forfeiture of Property) Act, 1976
Provides for the forfeiture of the property of smugglers and foreign-exchange manipulators.
The Arms Act, 1959
Relevant to arms-related predicate offences.
The Chemical Weapons Convention Act, 2000
Implements the Chemical Weapons Convention and connects to the proliferation-financing context.
The Central Vigilance Commission Act, 2003
Establishes the Central Vigilance Commission within the wider anti-corruption framework.
How the laws fit together
Taken together, these instruments are the AML laws and regulations for the banking sector in India. They form a ladder, each rung resting on the one below: the PMLA creates the offence and the obligation, the PML Rules explain CDD, record-keeping and reporting, the RBI KYC Directions turn those duties into detailed bank rules, FIU-IND receives the reports, the UAPA and the WMD Act impose sanctions duties, and the FATF Recommendations set the global benchmark. The table below maps each authority and instrument to its role.
Authority or instrument | Role |
PMLA, 2002 | The parent anti-money-laundering law. Creates the offence and the core reporting-entity duties. |
PML (Maintenance of Records) Rules, 2005 | Set out customer due diligence, beneficial ownership, record-keeping and reporting. |
Reserve Bank of India | Supervises banks and issues the KYC Directions they follow. |
FIU-IND | Receives, analyses and disseminates the reports banks file. |
Enforcement Directorate | Investigates and prosecutes the offence of money laundering under the PMLA. |
UAPA Section 51A | Imposes counter-terrorism targeted financial sanctions. |
WMD Act Section 12A | Extends targeted financial sanctions to proliferation financing. |
FATF | Sets the international AML, CFT and CPF standards India is measured against. |
The RBI KYC Directions, 2025, for different bank types
The RBI KYC Directions, 2025, are the operating rulebook for a bank’s AML programme. They derive their authority from Section 35A of the Banking Regulation Act, 1949, read with the PMLA and the PMLR, which is why a breach is both a banking law matter and an anti-money-laundering matter.
On 28 November 2025, the RBI issued the category-specific KYC Directions, 2025, and consolidated its Master Directions. Each bank should work from the Direction applicable to its licence category, and earlier KYC directions, instructions and guidelines stand repealed or superseded to the extent provided in the relevant 2025 Direction. The structure of each Direction is common: customer identification, customer due diligence, beneficial ownership, ongoing monitoring, record management and reporting, so the precise chapter and section references depend on your institution. The Commercial Banks KYC Directions, for example, were later updated as of 29 December 2025.
Because the framework changed in 2025, any bank policy that still relies solely on the earlier 2016 KYC framework should be reviewed and updated to align with the 2025 Direction applicable to its licence category. Doing so is the first housekeeping step for any bank.
Core obligations across all banks at a glance
Across that framework, the law requires every bank to do the following. This guide states each duty at the level set by the law; the companion compliance guide explains how to carry each one out.
Assess your risk. Conduct an internal risk assessment of money-laundering, terror-financing and proliferation-financing risk across customers, products, services, delivery channels and geographies. The RBI Internal Risk Assessment Guidance of 10 October 2024 calls this the bedrock of the risk-based approach, and its outcome goes to the Board.
Know your customer. Identify and verify every customer and the beneficial owner under Section 11A of the PMLA, Rule 9 of the PMLR and the RBI KYC Directions 2025. For non-profit organisation customers, register the entity’s details on the NITI Aayog DARPAN Portal where required, and keep that record for 5 years after the relationship ends or the account is closed.
Find the real owner. Identify the beneficial owner, the natural person who ultimately owns or controls the customer. For a company or partnership, the threshold is a controlling interest of more than 10 per cent; for an unincorporated association or body of individuals, it is more than 15 per cent; and for a trust, it covers the author, trustees, beneficiaries with a 10 per cent or more interest and anyone exercising ultimate control.
Keep KYC current. Carry out periodic updation at least once every 2 years for high-risk customers, 8 years for medium-risk and 10 years for low-risk customers, and review each customer’s risk categorisation at least once every six months and decide whether enhanced due diligence is required.
Monitor transactions. Watch accounts on an ongoing basis for unusual or suspicious activity.
Report to FIU-IND. File cash transaction reports for cash above Rs 10 lakh, suspicious transaction reports of any value, cross-border wire transfer reports for transfers of Rs 5 lakh or more, plus reports on receipts by non-profit organisations above the prescribed threshold and on cash transactions involving counterfeit currency, forged valuable security or forged documents, under Rule 3 and Rule 8 of the PMLR. Cash, non-profit, counterfeit and cross-border wire transfer reports are filed monthly, by the 15th of the succeeding month; suspicious transaction reports must be filed promptly once the Principal Officer is satisfied that the transaction is suspicious; and reports on immovable property transactions of Rs 50 lakh or more under Rule 3(F), where applicable, are filed quarterly.
Keep records. Keep transaction records for 5 years from the date of the transaction, and keep identity records, account files, and business correspondence for 5 years after the business relationship ends or the account is closed, whichever is later, under Section 12 of the PMLA.
Appoint officers. Appoint a Board-nominated Designated Director and a management-level Principal Officer under Rule 7 of the PMLR. The same person cannot hold both roles, and the bank must inform both FIU-IND and the RBI.
Run group-wide controls. Where a bank is part of a group, apply AML and counter-financing-of-terrorism programmes at the group level, including for branches and majority-owned subsidiaries.
CFT and CPF: targeted financial sanctions
Anti-money laundering is only part of the duty. A bank must also counter the financing of terrorism (CFT) and the financing of weapons of mass destruction, known as counter-proliferation financing (CPF). Both work through targeted financial sanctions, which means screening customers and transactions against designated lists and freezing any matched funds without delay.
The CFT duty flows from Section 51A of the UAPA, as implemented by the 2 February 2021 procedure and its 15 March 2023 corrigendum. The CPF duty flows from Section 12A of the WMD Act and is applied through the implementation procedure dated 1 September 2023. In practice, a bank screens against the United Nations Security Council lists and the relevant domestic lists, acts on any match, and reports as required. Banks verify the relevant UNSC and domestic designated lists daily and act on any additions, deletions or other changes.
What happens if a bank breaches AML law?
A breach of the AML framework is not a single risk but several, because three different bodies can act, each under its own power. The reporting duties also run continuously, so a missed or incorrect filing can be treated as an ongoing default rather than a one-off.
Body | What it can do on a breach |
Reserve Bank of India | Monetary penalties and supervisory directions on the bank, under the Banking Regulation Act, 1949 and the RBI Act, 1934. |
FIU-IND | Compliance orders, monetary penalties and warnings on the reporting entity and its officers under Section 13 of the PMLA. |
Enforcement Directorate | Investigation, provisional attachment of the proceeds of crime, and prosecution for the offence of money laundering under the PMLA. |
Beyond the formal penalties, a breach carries consequences that often prove more costly: reputational damage, the loss or repricing of correspondent banking relationships when a bank’s controls are questioned, and adverse findings in the next RBI inspection or independent audit. Because the framework runs on the live programme, the cheapest position is always to stay compliant rather than to remediate after an order.
Which bank type are you? Find your bank's guide.
The rules above apply across the banking sector, but the precise directions, licensing laws, and risk profiles differ by bank type. Use the links below to go to the laws and regulations guide for your institution.
Bank type | Who it covers | Guide |
Commercial banks | Scheduled and non-scheduled commercial banks, public and private sector and foreign banks. | |
Small finance banks | Banks focused on financial inclusion and small-ticket lending. | |
Payments banks | Banks that take restricted deposits and offer payments, but do not lend. | |
Local area banks | Small private banks serving a limited local area. | |
Regional rural banks | Banks serving rural and semi-urban customers, sponsored by commercial banks. | |
Urban cooperative banks | Cooperative banks operating in urban and semi-urban areas. | |
Rural cooperative banks | State, district and primary cooperative banks in the rural credit structure. |
From regulation to compliance: your next step
Knowing the law is step one. These obligations only protect a bank when they are built into a working programme of risk assessment, policy, customer due diligence, monitoring, screening, reporting, training and audit. For the step-by-step controls these rules require, read the companion guide, AML Compliance Requirements for the Banking Sector in India. To see how the banking framework fits within the national picture, see AML Laws and Regulations in India.
Want to talk through what the 2025 framework means for your bank?
AML India can walk you through the laws and RBI KYC Directions that apply across bank categories and confirm which one binds yours.
Frequently Asked Questions
Yes. Every bank in India is a reporting entity under the Prevention of Money Laundering Act, 2002. That status places core duties on the bank, including customer due diligence, record-keeping, transaction monitoring and reporting prescribed transactions to FIU-IND. The RBI sets the detailed standards through its KYC Directions. Because banks are the main gateway to the financial system, their AML duties are among the most developed for any reporting entity.
The Reserve Bank of India is the supervisor and regulator of banks and issues the KYC and AML directions that banks follow. The Financial Intelligence Unit – India receives, analyses, and disseminates the reports that banks file, and may take action for non-compliance with reporting obligations under the PMLA framework. The Enforcement Directorate investigates and prosecutes the offence of money laundering under the PMLA. So the RBI sets the rules, the FIU-IND collects intelligence, and the ED enforces criminal law.
They are the RBI’s detailed rulebook for how banks identify customers, carry out due diligence, identify beneficial owners, monitor accounts, keep records and report prescribed transactions. The RBI has issued category-specific KYC Directions for different types of regulated entities, so a bank must refer to the Directions applicable to its licence category. They draw their authority from Section 35A of the Banking Regulation Act, 1949, read with the PMLA and the PMLR, and were
The RBI issued category-specific KYC Directions, 2025, on 28 November 2025. Earlier KYC directions, instructions and guidelines stand repealed or superseded to the extent provided in the relevant 2025 Direction applicable to that bank type. A bank should therefore check the Direction applicable to its licence category and update any policy that still relies only on the earlier KYC framework. This is one of the first housekeeping checks for any bank.
The core laws are the PMLA, 2002, and the PML (Maintenance of Records) Rules, 2005, for anti-money laundering; the UAPA, 1967, Section 51A, for counter-terrorism financing; and the WMD Act, 2005, Section 12A, for counter-proliferation financing. The RBI KYC Directions 2025 turn these into detailed banking rules. Allied laws such as the Banking Regulation Act, FEMA, and the Companies Act shape a bank’s broader risks and obligations.
Yes. Banks file reports with the Financial Intelligence Unit – India through the FINnet 2.0 platform. The main reports are cash transaction reports for cash above Rs 10 lakh, suspicious transaction reports of any value, cross-border wire transfer reports for transfers of Rs 5 lakh or more, and reports on receipts by non-profit organisations above the prescribed threshold and on cash transactions involving counterfeit currency, forged valuable security or forged documents. Monthly reports are due by the 15th of the succeeding month, while suspicious transaction reports are filed promptly once the Principal Officer is satisfied that the transaction is suspicious.
The beneficial owner is the natural person who ultimately owns or controls a customer. For a company or partnership, the threshold is a controlling interest of more than 10 per cent; for an unincorporated association or body of individuals, it is more than 15 per cent; and for a trust, it covers the author, trustees, beneficiaries with a 10 per cent or more interest, and anyone exercising ultimate control. Banks must identify the beneficial owner under the PMLA, the PMLR and the RBI KYC Directions, not just the person opening the account.
Banks carry out periodic updation based on the customer’s risk rating: at least once every 2 years for high-risk customers, every 8 years for medium-risk customers and every 10 years for low-risk customers. The point is to keep customer information current so monitoring stays meaningful, and updation may also be triggered by a change in the customer’s circumstances. The detail sits in the RBI KYC Directions 2025.
A bank must appoint a Designated Director, who is Board-nominated and carries overall responsibility for compliance, and a Principal Officer, a management-level officer who monitors transactions and files reports with FIU-IND. These appointments are required under Rule 7 of the PMLR, and the same person cannot hold both roles. The bank must inform FIU-IND and the RBI of both appointments and any changes.
Yes. Urban and rural cooperative banks are reporting entities under the PMLA and are supervised by the RBI, so they carry the same core AML duties as other banks. The RBI issues KYC Directions for cooperative banks, and the precise references differ from those for commercial banks. The risk profile of a cooperative bank also differs, which shapes how it applies the risk-based approach.
The PMLA, 2002, and the PML (Maintenance of Records) Rules, 2005, are the parent law and the rules that establish a bank’s anti-money-laundering duties. The RBI (Know Your Customer) Directions, 2025, are the Reserve Bank’s detailed instructions that translate those duties into day-to-day requirements for each type of bank. A bank must follow both the PMLA and the PMLR, which set the statutory obligations, and the RBI Directions, which set the supervisory expectations against which the RBI inspects.
Yes. The RBI issues the KYC Directions under powers including Section 35A of the Banking Regulation Act, 1949 and Rule 9(14) of the PML Rules, so they are binding on the banks to which they apply. A bank that does not follow them can face supervisory action and monetary penalties from the RBI, separate from any enforcement under the PMLA.
The Reserve Bank of India is the AML and CFT supervisor and regulator for banks: it issues the KYC Directions, inspects banks and takes supervisory action. The Financial Intelligence Unit – India (FIU-IND) is the central agency that receives, analyses and disseminates the reports banks file, and acts on reporting compliance. In short, the RBI sets and supervises the rules, while FIU-IND receives the intelligence; the Enforcement Directorate then enforces the money-laundering offence under the PMLA.
No. The FATF Recommendations are international standards, not law in themselves. They bind India, as a member, to implement measures. Still, a bank complies with Indian law, the RBI Directions, and the government’s sanctions procedures, not directly with the Recommendations. They matter because India’s framework is assessed against them and is updated to reflect them, as with the June 2026 update to Recommendation 6 on targeted financial sanctions.
Official sources and review
Last reviewed: June 2026. This guide is grounded in the following primary official sources, linked to their official source where available.
- Prevention of Money-laundering Act, 2002 (India Code)
- Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (India Code)
- RBI category-specific Know Your Customer Directions, 2025
- Unlawful Activities (Prevention) Act, 1967 and Section 51A procedure (MHA)
- WMD Act, 2005 and its Section 12A implementation procedure (India Code)
- FATF Recommendations, including the June 2026 update to Recommendation 6 on targeted financial sanctions
- FATF Mutual Evaluation Report on India, 2024
- Financial Intelligence Unit – India, including the Annual Report 2024-25
- Central KYC Records Registry (CKYCR) Operating Guidelines, 2025 (CERSAI)
- Basel Committee, Sound Management of Risks Related to Money Laundering and Financing of Terrorism (2014, revised July 2020)
- Directorate of Enforcement Annual Report 2024-25
Why work with AML India
AML India helps banks of every type meet their PMLA and RBI obligations, from risk assessment and policy through to CDD, screening, monitoring, reporting, training, software selection and independent review.
Industries we serve: banks and financial institutions, insurance companies, securities intermediaries, payments and fintech businesses, real estate agents, dealers in precious metals and stones, virtual asset service providers, and IFSC and GIFT City entities.
“We are thrilled to have AML India as our compliance partner. Their consultants have immense knowledge in executing the right KYC and CDD processes for our business, and made it easy to onboard new customers without the fear of money-laundering risks.” General Manager, Financial Company (published on amlindia.in) |
About the Author
Pathik Shah
FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)
Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise- Wide Risk Assessments to implementing the robust AML Compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.