Bank KYC Menace: No Penalty on Banks for Failing in KYC Updating, Says RBI
While the harassment, humiliation and mental agony of customers in the name of know-your-customer (KYC) updating continue unabated by banks, the regulator has not penalised any lender for failing to adhere to its KYC updating guidelines. Further, the Reserve Bank of India (RBI) has no information about communication between banks and the regulator for KYC updates of customers in the high-risk, medium-risk and low-risk categories, as shown by a reply received under the Right to Information (RTI) Act.
In the RTI application, I had asked RBI to provide a list of banks against whom it acted and levied a penalty for failing to comply with KYC updating from 1 April 2019 till date. In its reply on 8 March 2021, Abhay Kumar, central public information officer (CPIO) of RBI says, "We have not imposed monetary penalty on any bank for failure to adhere with KYC updating related guidelines, during the period April 2019 till date."
However, in practice, customers are routinely harassed in the name of KYC updating with banks threatening to freeze the account, which has severe consequences on the financial life of the customer. 
According to a top banker, banks are supposed to classify customers on the basis of their risk profile and the KYC harassment is reserved for those who are seen at higher risk. 
However, the nature of complaints that one sees on social media reveal that depositors, who would logically have the lowest risk profile – for instance, senior citizens living on savings and pensions, current accounts of companies that are used for routine business and salary payments – also suffer harassment and threats to freeze accounts. 
Neither banks nor RBI are willing to clarify the basis of risk classification.  Although banks claim that they are harassed by RBI, and the regulator blames the finance ministry’s money laundering regulations for this, victims of such coercive action have no answers or redress.
For example, one of our readers, a senior citizen, has banking relations with a public sector bank (PSB) since the past 50 years. One fine day, he received an SMS saying, "You have not submitted KYC documents in account no. XXxxxx. Please submit KYC document immediately to avoid debit freeze. No withdrawal will be permitted form the above a/c till submission of KYC document."
There is no date mentioned by which time the customer is required to submit his KYC. This customer had opened the bank account while he was staying in the locality. He moved to the suburbs several years ago, and this fact is known to branch officials. Yet they are demanding that this senior citizen to travel all the way from the suburb to the branch during COVID time and update his KYC. How does this customer fit in a higher risk profile requiring updation of KYC, when he is in contact with the bank?
Many depositors have expressed their anguish over bank KYC practices on social media. 
While RBI has allowed online digital channels for customer identification process (CIP) by regulated entities (REs) like banks and other lenders, many, especially PSBs, require the customer to visit the branch and physically submit KYC documents. (Read: RBI Allows Video-based KYC for Regulated Entities like Banks, NBFCs)
Coming back to the RTI reply, which shows that, while a bank can take any measure against its own customers for KYC, there is not much action against banks from RBI.
Interestingly, the reply from the CPIO about RBI imposing no penalty on banks since April 2019 for KYC updating, is not true. On 2 July 2019, RBI imposed a monetary penalty of Rs1.75 crore on four banks for non-compliance with certain provisions of directions on KYC norms, anti-money laundering (AML) standards and opening of current accounts. Punjab National Bank (PNB), Allahabad Bank and UCO Bank were fined Rs50 lakh each, while a penalty of Rs25 lakh was imposed on Corporation Bank, a release from RBI shows.
The updated master direction issued by RBI on KYC mandate periodic updating to be carried out at least once every two years for high-risk customers, once in every eight years for medium-risk customers and once in every 10 years for low-risk customers. In case of low-risk customers when there is no change in status with respect to their identities and addresses, a self-certification to that effect shall be obtained.
Risk categorisation is undertaken based on parameters such as customer’s identity, social and financial status, nature of business activity, and information about the clients’ business and their location. 
Without prejudice to the generality of factors that call for close monitoring, RBI says some types of transactions necessarily should be monitored. This includes large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose, transactions which exceed the thresholds prescribed for specific categories of accounts, high account turnover inconsistent with the size of the balance maintained and deposit of third-party cheques and drafts in the existing and newly opened accounts followed by cash withdrawals of large amounts.
RBI says, "While considering customer’s identity, the ability to confirm identity documents through online or other services offered by issuing authorities may also be factored in. Provided that various other information collected from different categories of customers relating to the perceived risk, is non-intrusive and the same is specified in the KYC policy." 
In the RTI application, I had also asked RBI to share its correspondence with all banks about KYC update of customers in high-risk, medium-risk and low-risk category. The CPIO of RBI replied in one sentence, "The information sought is not available with us."
Does this mean, there is simply no record of correspondence between RBI and banks about KYC updating? How is this possible, when banks continue to harass customers for KYC updating? When asked, banks point the finger towards mandatory regulatory requirements imposed by RBI. And the regulator says it does not have information. So, which of the two is not telling us, the bank customers, the truth?
Dilip Modi
3 years ago
Dear ML, can you please advise as to what is the way forward (Memorandum, PIL, Consumer court, ??) to get relief from this harassment? In my case, the cell number is deleted under the guise of one account only one cell number and at the same time, the bank asks for attested documents if not uploaded from online login. So how does one send non-attested documents online without a cell number and an OTP for authentification that is a must??? The account holders, doctors, are sitting 4000 miles away fighting Covid 19! Should they be asked to print documents sign them, scan them and send these by registered mail ID? Why cant the bank carry out video verification if they have to carry out KYC for accounts that have been operated about once a year to keep it active for over 9 years!!!!!? Is this a high-risk or even medium-risk category? Why will the bank not answer the category assigned?
Hemant K C
3 years ago
The worst part is when a bank, in its letter, says that you can send in your Re-KYC by post but keeps asking for Re-KYC submission even after you've sent in all the evidence three times.
3 years ago
I wonder if anyone else noted the crisis exacerbating after the Frankling Templeton fiasco. Due to forced redemption, there is a sudden RTGS credit and accounts are frozen without any warning. There was no proactive contact from the bank and it took a week after sending all proof of 'source of funds' to get things back on feet - this for my lucky wife! I'm still stuck as the bank wants KYC to be done again by visiting them in person on top of sending them all that was asked for. This torture might be a good reason why people are so interested in bitcoin :)
Free Helpline
Legal Credit