While the harassment, humiliation and mental agony of customers in the name of know-your-customer (KYC) updating continue unabated by banks, the regulator has not penalised any lender for failing to adhere to its KYC updating guidelines. Further, the Reserve Bank of India (RBI) has no information about communication between banks and the regulator for KYC updates of customers in the high-risk, medium-risk and low-risk categories, as shown by a reply received under the Right to Information (RTI) Act.
In the RTI application, I had asked RBI to provide a list of banks against whom it acted and levied a penalty for failing to comply with KYC updating from 1 April 2019 till date. In its reply on 8 March 2021, Abhay Kumar, central public information officer (CPIO) of RBI says, "We have not imposed monetary penalty on any bank for failure to adhere with KYC updating related guidelines, during the period April 2019 till date."
However, in practice, customers are routinely harassed in the name of KYC updating with banks threatening to freeze the account, which has severe consequences on the financial life of the customer.
According to a top banker, banks are supposed to classify customers on the basis of their risk profile and the KYC harassment is reserved for those who are seen at higher risk.
However, the nature of complaints that one sees on social media reveal that depositors, who would logically have the lowest risk profile – for instance, senior citizens living on savings and pensions, current accounts of companies that are used for routine business and salary payments – also suffer harassment and threats to freeze accounts.
Neither banks nor RBI are willing to clarify the basis of risk classification. Although banks claim that they are harassed by RBI, and the regulator blames the finance ministry’s money laundering regulations for this, victims of such coercive action have no answers or redress.
For example, one of our readers, a senior citizen, has banking relations with a public sector bank (PSB) since the past 50 years. One fine day, he received an SMS saying, "You have not submitted KYC documents in account no. XXxxxx. Please submit KYC document immediately to avoid debit freeze. No withdrawal will be permitted form the above a/c till submission of KYC document."
There is no date mentioned by which time the customer is required to submit his KYC. This customer had opened the bank account while he was staying in the locality. He moved to the suburbs several years ago, and this fact is known to branch officials. Yet they are demanding that this senior citizen to travel all the way from the suburb to the branch during COVID time and update his KYC. How does this customer fit in a higher risk profile requiring updation of KYC, when he is in contact with the bank?
Many depositors have expressed their anguish over bank KYC practices on social media.
Coming back to the RTI reply, which shows that, while a bank can take any measure against its own customers for KYC, there is not much action against banks from RBI.
Interestingly, the reply from the CPIO about RBI imposing no penalty on banks since April 2019 for KYC updating, is not true. On 2 July 2019, RBI imposed a monetary penalty of Rs1.75 crore on four banks for non-compliance with certain provisions of directions on KYC norms, anti-money laundering (AML) standards and opening of current accounts. Punjab National Bank (PNB), Allahabad Bank and UCO Bank were fined Rs50 lakh each, while a penalty of Rs25 lakh was imposed on Corporation Bank, a release from RBI shows
The updated master direction issued by RBI on KYC
mandate periodic updating to be carried out at least once every two years for high-risk customers, once in every eight years for medium-risk customers and once in every 10 years for low-risk customers. In case of low-risk customers when there is no change in status with respect to their identities and addresses, a self-certification to that effect shall be obtained.
Risk categorisation is undertaken based on parameters such as customer’s identity, social and financial status, nature of business activity, and information about the clients’ business and their location.
Without prejudice to the generality of factors that call for close monitoring, RBI says some types of transactions necessarily should be monitored. This includes large and complex transactions including RTGS transactions, and those with unusual patterns, inconsistent with the normal and expected activity of the customer, which have no apparent economic rationale or legitimate purpose, transactions which exceed the thresholds prescribed for specific categories of accounts, high account turnover inconsistent with the size of the balance maintained and deposit of third-party cheques and drafts in the existing and newly opened accounts followed by cash withdrawals of large amounts.
RBI says, "While considering customer’s identity, the ability to confirm identity documents through online or other services offered by issuing authorities may also be factored in. Provided that various other information collected from different categories of customers relating to the perceived risk, is non-intrusive and the same is specified in the KYC policy."
In the RTI application, I had also asked RBI to share its correspondence with all banks about KYC update of customers in high-risk, medium-risk and low-risk category. The CPIO of RBI replied in one sentence, "The information sought is not available with us."
Does this mean, there is simply no record of correspondence between RBI and banks about KYC updating? How is this possible, when banks continue to harass customers for KYC updating? When asked, banks point the finger towards mandatory regulatory requirements imposed by RBI. And the regulator says it does not have information. So, which of the two is not telling us, the bank customers, the truth?