IIBF AML & KYC ExamComplete Study Guide

Dirty Money, Clean Hands

A Complete Guide to Anti-Money Laundering & KYC

From the basics of financial crime through FATF's global standards, India's enforcement machinery, KYC for every customer type, transaction monitoring, STR reporting, and building a compliance culture — everything the IIBF AML & KYC Certificate Examination requires.

✓ 23/24 syllabus chapters covered✓ Part I (AML) + Part II (KYC)✓ 2025–26 developments included

Syllabus Chapter Coverage

Green = covered in this guide

23/24 chapters

Part I — Anti-Money Laundering

✓Money Laundering — Origin, Definition & Techniques

✓Impact on Banks — Structuring & Integration

✓Preventive Legislations — UK, USA & India

✓Basel Committee on AML standards

✓PMLA 2002 — Objectives & provisions

✓RBI Guidelines — System adequacy to combat ML

✓Anti-terrorism Finance & Financial Intelligence Unit (FIU)

✓Financial Action Task Force (FATF)

✓IBA Working Group & AML Screening Software

✓Money Laundering and Correspondent Banking

11Exchange Companies & Foreign Branches

Part II — Know Your Customer

✓Customer Profile & KYC Policies

✓Countries deficient in KYC — RBI initiatives

✓Organised Financial Crimes & Customer Definition

✓Transaction Profile & Organisational Structure

✓KYC Framework in RBI prescriptions & Operating Guidelines

✓Introduction of new accounts — Companies, Trusts, Firms

✓Client Accounts by Professional Intermediaries

✓Trust / Nominee / Fiduciary Accounts

✓Accounts of Politically Exposed Persons (PEPs)

✓Accounts of non-face-to-face customers

✓Joint accounts, Minor accounts & KYC for low-income group

✓KYC for existing accounts

✓Monitoring Accounts & Suspicious Transaction Reporting

Part I · Ch 1

What Is Money Laundering?

At its core, money laundering is the art of making dirty money look clean. When criminals earn money through illegal activities — drug trafficking, extortion, bribery, arms dealing — that cash is dangerous to hold. It can be traced back to the crime. So they run it through a series of financial tricks to make it appear as though it came from a legitimate source.

Think of it like this: imagine you robbed a bank and stuffed ₹5 crore under your mattress. You can't just walk into a car showroom and buy a Porsche without someone asking questions. Money laundering is the process of creating a convincing story for where that money came from.

Where Did the Term Come From?

The phrase “money laundering” was first used in print by Britain's The Guardian in 1972, connected to the Watergate scandal. The metaphor is apt — just as a washing machine takes dirty clothes and returns them clean, financial criminals put dirty money through transactions and take out what appears to be clean, legal wealth. American gangsters during Prohibition ran cash-intensive laundromat businesses to conceal income from illegal alcohol sales.

Part I · Ch 1–2

How Big Is the Problem?

The United Nations estimates roughly 2–5% of global GDP is laundered every year — between USD 800 billion and USD 2 trillion annually. If money laundering were an economy, it would rank among the world's largest.

📉

Economic Impact

Creates unfair competition, distorts property prices, crowds out honest businesses, and undermines monetary management.

🏛️

Social Impact

Fuels organised crime and corruption. Countries with weak AML controls become havens for criminals, eroding rule of law.

🗳️

Political Impact

Criminal money can buy elections, officials, and even governments — gradually undermining democratic systems.

Part I · Ch 1–2

The Three Stages — How Laundering Actually Works

01Placement

Cash enters the banking system. The riskiest moment for the criminal — physical cash is hard to move quietly.

Common Methods

Smurfing: deposits just below the ₹10 lakh CTR threshold
Front businesses mingling dirty cash with legitimate income
Physical currency smuggling across borders

02Layering

The most complex stage. Transactions are multiplied across jurisdictions to obscure the trail.

Common Methods

Wire transfers through multiple countries
Shell companies in offshore financial centres
Disguising transactions as trade invoices

03Integration

The finish line. Money — now virtually untraceable — enters legitimate assets and blends with legal wealth.

Common Methods

Real estate purchases and resale
Stock market investments
Business ownership or acquisition

Part I · Ch 1

Common Methods Criminals Use

Smurfing / Deposit Structuring

Most common

Breaking large cash amounts into many smaller deposits, each just below the ₹10 lakh CTR threshold. Classic placement-stage technique.

Shell Companies

Corporate

Businesses that exist only on paper. They create fake invoices to give dirty money the appearance of legitimate business income.

Trade-Based Laundering

Cross-border

Manipulating import/export invoices — declaring a shipment at ten times its real value — to move value across borders inside normal trade.

Hawala System

Informal

A trust-based informal network outside the banking system, leaving no paper trail. Brokers settle between themselves through trade or goods.

Real Estate

High-value

Purchasing property with criminal proceeds, then selling it — converting illegal cash into apparently legitimate sale proceeds.

Prepaid Cards & Digital Money

Emerging

Prepaid debit cards and digital wallets are exploited for their anonymity and ease of use across borders. Now regulated under PMLA.

Part I · Ch 7

Terrorism Financing — A Different Beast

Money laundering and terrorism financing work in opposite directions — yet compliance professionals must fight both simultaneously.

Dimension	Money Laundering	Terrorism Financing
Source of funds	Illegal	Can be legal or illegal
Use of funds	Made to appear legal	Criminal / terrorist activity
Goal	Conceal origin	Conceal destination and purpose
Amount needed	Often large	Can be very small

Terrorist organisations often disguise themselves as charities or social welfare groups — hospitals, orphanages, religious organisations, old age homes — to receive donations from unsuspecting contributors. In India, FIU-IND monitors such flows under PMLA 2002 and the Unlawful Activities (Prevention) Act.

Part I · Ch 8

FATF's 40 Recommendations — The Global Rulebook

The Financial Action Task Force (FATF), born at a G-7 Summit in Paris in 1989, is the closest thing the world has to a global financial crime regulator. Its 40 Recommendations are not technically binding law — but countries that ignore them face severe economic consequences through restricted access to international banking.

A — Policies & Coordination

Countries must assess their own ML risks and build a national AML/CFT strategy based on those risks.

B — Money Laundering & Confiscation

Governments must criminalise money laundering for all serious crimes (not just drugs) and give authorities power to freeze and confiscate criminal proceeds.

C — Terrorist Financing

Financing terrorism must be a crime in its own right, and countries must implement targeted financial sanctions in line with UN Security Council resolutions.

D — Preventive Measures

This is where banks live. Covers customer due diligence, record-keeping, PEPs, correspondent banking, wire transfers, and suspicious transaction reporting.

E — Transparency & Beneficial Ownership

Companies must not hide behind complex ownership structures. Governments must maintain accurate, accessible records of who ultimately owns and controls legal entities.

F — Powers of Authorities

FIUs, law enforcement, and supervisors must have the legal tools to investigate, inspect, and sanction — across borders if needed.

G — International Cooperation

Countries must assist each other through mutual legal assistance, extradition, and information sharing.

How FATF Evaluates Countries

FATF assesses member countries on two dimensions. Technical compliance checks whether the right laws are on paper. Effectiveness — more important — checks whether those laws are actually working. A country can have excellent legislation and still score poorly if enforcement is weak or institutions are corrupt.

Grey List

Countries committed to reform but not yet delivered. Being greylisted raises borrowing costs, restricts correspondent banking, and damages foreign investment.

Black List (Public Statement)

Countries like North Korea and Iran whose deficiencies are so severe that FATF calls for active counter-measures. Transactions involving these jurisdictions require extreme scrutiny.

Regional FATF Bodies & Private Sector

APG (Asia/Pacific Group): India joined in 1998 and co-chaired from 2010–12. The regional body applying FATF standards across Asia-Pacific.

EAG (Eurasian Group): India joined in 2010. Covers China, Russia, and Central Asian nations.

Wolfsberg Group: 13 of the world's largest private banks (including HSBC, Citi, Deutsche Bank, Barclays, J.P. Morgan, Goldman Sachs, Standard Chartered) formed in 2000 to publish industry best-practice guidelines on correspondent banking, trade finance, prepaid cards, and AML monitoring.

Part I · Ch 3

AML Laws Around the World

United States

Bank Secrecy Act (1970)

Foundation of US AML — established core obligations: recordkeeping, reporting, and KYC.

Money Laundering Control Act (1986)

Made money laundering a federal crime, creating personal criminal liability for individuals.

USA PATRIOT Act (2001)

Post-9/11 expansion: criminalised terrorism financing, strengthened customer identification, prohibited dealings with foreign shell banks, and enabled greater information sharing between institutions and government.

United Kingdom

Proceeds of Crime Act 2002

Defines money laundering as a criminal offence and provides for seizure of criminal assets.

Money Laundering Regulations 2007

Imposed compliance obligations on banks, lawyers, accountants, estate agents, and casinos — a much broader reporting universe than most countries.

Terrorism Act 2000

Addresses the financing of terrorism specifically, separate from money laundering legislation.

European Union

EU AML Directives (1st–6th)

Progressive strengthening of AML rules across member states, culminating in the 6th AMLD (2020) which extended criminal liability to legal persons and harmonised predicate offence lists.

EU AML Authority (AMLA) — 2025

A new EU body established in 2025 to centralise AML enforcement across member states, moving toward direct supervision of high-risk institutions by 2028.

Part I · Ch 3, 5–6

India's AML Legal Architecture

PMLA 2002Prevention of Money Laundering Act, 2002

Enacted in 2003 and brought into force on 1 July 2005, PMLA is India's primary AML legislation. Amended in 2005, 2009, and 2013 to keep pace with FATF standards.

The Core Offence (broad by design)

Anyone who directly or indirectly attempts to be involved in any process connected with the proceeds of crime — including concealment, possession, acquisition, use, or projecting criminal proceeds as legitimate — is guilty. Even a bank employee whose negligence enables laundering could be suspected of complicity.

Punishment

Rigorous imprisonment of minimum 3 years, extendable to 7 years, plus a fine. For drug-related offences, maximum extends to 10 years.

Reporting Entities Under PMLA

Banks, insurance companies, mutual funds, stock brokers, commodity exchanges, pension funds, real estate agents, dealers in precious metals and stones, and — added in 2024–25 — chartered accountants and offshore trust managers. All must:

Maintain transaction records for 5 years
Report STRs and large cash transactions (CTRs) to FIU-IND
Verify customer identity and identify beneficial owners
Maintain confidentiality about FIU requests

Predicate Offences — The PMLA Schedule

156 offences under 28 different laws — from the Indian Penal Code to the Wildlife Protection Act, IT Act, SEBI Act, and Customs Act. Any property derived from these offences constitutes money laundering if it enters the financial system.

Penalties for Non-Compliance

Formal warnings to monetary fines of ₹10,000–₹1,00,000 per failure — applying to both the institution and the designated officer personally.

UAPA 1967Unlawful Activities (Prevention) Act

India's primary counter-terrorism legislation. Amended in 2008 to align with UN SC Resolutions 1267 and 1373 — criminalises raising funds for terrorist organisations. Banks must freeze accounts of any entity on the UAPA Schedule without delay.

RBI KYC DirectionsMaster Direction — KYC Direction, 2016

Translates PMLA requirements into operational reality. Covers customer acceptance, identification procedures, transaction monitoring, risk management, correspondent banking, wire transfers, record preservation, and staff training. Mandatory operating standards for all banks.

Benami Transactions ActBenami Transactions (Prohibition) Act

Targets fictitious ownership arrangements where property is held in someone else's name. Authorities can confiscate benami property — closing a classic money laundering loophole.

Income Tax Act / FEMASupporting AML Legislation

IT Act requires PAN for high-value transactions, creating a paper trail. FEMA governs cross-border fund movements. The NDPS Act addresses drug-related crime at the source.

Part I · Ch 5–6

PMLR — What the Rules Actually Require

The Prevention of Money Laundering (Maintenance of Records) Rules, 2005 are the operational backbone of PMLA. They translate the Act's broad obligations into specific, actionable requirements. Two definitions deserve special attention.

Who Is a “Customer”?

The PMLR definition of “client” is deliberately wide: anyone engaged in a financial transaction with a reporting entity, or anyone on whose behalf such a person is acting. This matters enormously. A company is a customer. The beneficial owner behind that company — the natural person who ultimately controls it — is also a customer for KYC purposes, even if they never walk through the bank's door. A trustee is a customer. So is the beneficiary on whose behalf the trustee acts.

What Counts as a “Transaction”?

The PMLR's definition is far broader than just cash deposits and wire transfers:

Deposits, withdrawals, fund transfers, loans, pledges

Opening an account (the account opening itself is a transaction)

Using a safe deposit locker

Entering into any fiduciary relationship

Any payment made under a legal obligation

Establishing a legal person or arrangement

Casino gaming for cash or kind

This breadth exists because money laundering can happen through any of these channels. A bank cannot claim ignorance because suspicious activity happened through a locker rather than a conventional transfer.

The Legal Suspicious Transaction Test

A transaction is suspicious if a person acting in good faith would reasonably believe it might involve proceeds of a scheduled offence regardless of amount; be of unusual complexity; have no economic rationale; or relate to terrorism financing.

The test is what a reasonable, good-faith person would believe — not what can be proven beyond doubt. Suspicion does not require certainty; it requires a reasonable basis for concern. When in genuine doubt: report.

Part I · Ch 5–6

Record Management & Geographic Reach

The Five-Year Rules

Record Type	Minimum Retention	Counted From
Transaction records	5 years	Date of transaction
Identity and address documents	5 years	Date of account closure / end of relationship
Business correspondence, account files	5 years	Date of account closure / end of relationship
Records linked to ongoing legal proceedings	Until final conclusion of proceedings	Five-year clock does not start while litigation is pending

What Transaction Records Must Contain

It is not sufficient to retain that a transaction occurred — the record must capture enough detail to reconstruct what happened and trace the flow of funds. At minimum, transaction records must include:

Full name and address of the customer

Nature of the transaction (deposit, withdrawal, transfer, locker use)

Amount and currency

Date of transaction

Account number(s) involved

Destination of funds — the beneficiary and their account/institution for wire transfers

IBA 10-Year Standard: While PMLA requires 5-year retention for transaction records, the IBA recommends 10 years for records connected to STR investigation files — because money laundering prosecutions often unfold years after the transactions occurred, and the full investigation file (not just the STR itself) is required for evidence.

Extra-Territorial Reach — India's AML Law Does Not Stop at the Border

The RBI Master Direction (25 Feb 2016) and PMLA explicitly apply to all branches and majority-owned subsidiaries of Indian banks abroad, except where specifically prohibited by host country law. The stricter of the two standards always applies.

Indian standard stricter

Indian bank's overseas branch must apply Indian standard, even if the host country is more permissive.

Host standard stricter

Comply with the host country standard — and ensure it doesn't fall below Indian minimums.

Local law prohibits RBI standard

Must report the conflict to RBI. Failure to report is itself a PMLA violation.

Part I · Ch 7

India's AML Enforcement Architecture

FIU-INDFinancial Intelligence Unit — India

The nerve centre of the system. Established November 2004 under the Ministry of Finance. Receives CTRs, STRs, Cross-Border Wire Transfer Reports, and Immovable Property Transaction Reports from all reporting entities. Analyses these, links with other intelligence, and disseminates actionable information to the ED and Revenue Intelligence. Member of the global Egmont Group (151 national FIUs).

EDEnforcement Directorate

Investigates cases under PMLA and FEMA. Conducts searches, seizures, and arrests, and prosecutes money laundering offences in Special Courts. When you read news reports about property being attached in a financial crime case, it is typically the ED doing the work.

SFIOSerious Frauds Investigation Office

Handles complex corporate fraud and white-collar crime with a team of accountants, forensic auditors, IT specialists, and legal experts. Investigates cases with significant public interest implications.

NIANational Investigation Agency

India's central counter-terrorism law enforcement agency. Handles cases with national and international terrorism linkages — including terrorist financing — under the NIA Act, 2008.

Part I · Ch 7

UAPA Section 51A — The 24-Hour Freeze Protocol

The most time-sensitive compliance obligation in Indian banking. When a customer's details match any entry on the UN Security Council's designated lists (Al-Qaida/ISIL or Taliban lists), the bank must act within hours — not days.

On discovering a matchWithin 24 hours — simultaneously

1Inform the Joint Secretary (IS-I), Ministry of Home Affairs by fax, telephone, and email simultaneously

2Send copies to the state UAPA nodal officer, the relevant regulator (RBI), and FIU-IND

3If the match is confirmed beyond doubt, prevent the designated person from conducting any financial transactions

4File an STR with FIU-IND for all transactions in the matched account

Government Verification Process

Government conducts verification within 5 working days. If confirmed, a freeze order is issued within 24 hours of that verification — without prior notice to the person whose assets are frozen.

Unfreezing a False Match

Affected person applies to the bank/institution → forwarded to MHA within 2 working days → MHA must issue unfreezing order within 15 working days if the error is confirmed.

Three Simultaneous Sanctions Regimes

Indian banks must comply with UN, US OFAC, and EU sanctions simultaneously. Dollar-denominated transactions passing through US clearing systems fall under US OFAC jurisdiction even for Indian banks without US branches. Euro transactions via European banks may attract EU sanctions. A transaction can be legal under Indian law but still violate US or EU sanctions — non-compliance can result in multi-billion dollar penalties from foreign regulators.

Part I · Ch 9

IBA Working Group & AML Screening Software

Given the scale of modern banking — millions of customers, billions of transactions, dozens of product types — comprehensive manual monitoring is impossible. The IBA Working Group on AML/CFT produced India-specific guidance on scenarios banks should configure into their screening software.

IBA-Recommended Alert Scenarios for Indian Banks

Cash or non-cash transactions unusually high relative to the customer's declared profile

Splitting of cash deposits just below the ₹10 lakh CTR threshold (smurfing)

Funds routed through multiple accounts in a hub-and-spoke pattern

One-to-many or many-to-one fund transfers in short time windows

Repeated small ATM withdrawals in sensitive or high-risk geographic locations

Large repayments of loans in cash

Frequent locker operations inconsistent with the customer's profile or occupation

Inward remittances inconsistent with a client's declared business or turnover

Trade-Based Money Laundering Indicators

For import/export accounts, additional red flags include:

Import payments against very old bills of lading

Vague or generic descriptions of goods on shipping documents

Remittances structured just below the USD 100,000 threshold above which import documents become mandatory

Repeated amendments to letters of credit without commercial justification

Identical goods being repeatedly imported and exported between the same parties

Managing False Positives

Broad detection rules inevitably generate false positives — alerts on legitimate transactions. Managing them well requires white-listing accounts that are routinely flagged but consistently legitimate, and refining rules based on accumulated experience. The goal is to focus analyst time on real suspicion, not on explaining why a regular customer made a large but entirely legitimate transfer.

Part I · Ch 9

Name Screening — How Banks Match Suspects

Name screening is the process of matching every customer, counterparty, and employee against prohibited lists. It is the mechanism that turns legal obligations (e.g., UAPA Section 51A) into operational reality. Done poorly, it creates either dangerous false negatives (criminals slip through) or floods analysts with false positives (legitimate customers flagged continuously).

Which Lists Must Be Screened?

UN UNSCR 1267 / 1373 Lists

Al-Qaida / ISIL and Taliban designated individuals and entities — triggers UAPA Section 51A 24-hour freeze obligation.

Indian UAPA Schedule

Entities declared unlawful by the Government of India — mandatory freeze without prior notice.

US OFAC SDN List

Specially Designated Nationals — any dollar-clearing transaction touching a listed entity attracts US penalties even for Indian banks without US branches.

EU Consolidated Sanctions List

Required for Euro transactions and relationships with EU-regulated counterparties.

Internal Watch-Lists

Bank's own list of suspected, former-fraudster, or court-ordered exclusion customers. Maintained and updated by the AML unit.

Who Gets Screened?

New customers

At account opening / onboarding

Existing customers

Periodic re-screening and on list updates

Employees

At hiring and on-going (especially for UAPA list)

Transaction counterparties

Beneficiaries and remitters on each wire transfer

Fuzzy Matching — Why Exact Spelling Is Not Enough

Criminals routinely misspell, transliterate, or alter names to evade screening. AML software uses two main algorithms to catch variants:

Levenshtein Distance

Counts the minimum number of single-character edits (insertions, deletions, substitutions) required to transform one string into another. A distance of 1 or 2 typically generates an alert. Example: “Osama” vs. “Usama” = distance 1.

Soundex Phonetic Matching

Encodes names by their phonetic pronunciation rather than spelling, catching transliteration variants. “Mohammed”, “Muhammad”, and “Mohamad” all generate the same Soundex code — and all match a listed name.

Managing Match Accuracy

True Positive

Alert correctly identifies a genuinely listed / prohibited entity. Requires immediate action.

False Positive

Alert flags a legitimate customer who is not prohibited. The overwhelming majority of screening alerts. Requires analyst review and documented rationale before clearing.

True Negative

Legitimate customer correctly passes through without triggering an alert. Ideal outcome for clean relationships.

False Negative

Most dangerous outcome: listed entity slips through undetected. Caused by thresholds set too high or inadequate list coverage.

Threshold calibration:Setting the match threshold too low floods analysts with false positives and causes “alert fatigue” — real hits buried in noise. Too high, and genuine matches are missed. The right threshold is calibrated through historical testing and reviewed when list compositions change.

Confirmed True Positive — What Happens Next

Immediately prevent the designated person from conducting any financial transactions

Report simultaneously to MHA, RBI, and FIU-IND within 24 hours (UAPA Section 51A protocol)

File an STR with FIU-IND covering all transactions in the matched account

Preserve all records — the investigation file must be maintained for 10 years

Part I · Ch 10

Correspondent Banking & Wire Transfers

Correspondent Banking — When Banks Bank With Each Other

When an Indian bank needs to facilitate an international wire transfer to a European bank, it does so through correspondent banking — where one bank (the correspondent) provides services to another (the respondent). Essential for global commerce but also a major ML risk, because criminals exploit the chain of trust between banks.

Before establishing a relationship: Gather information about the respondent bank's AML/CFT policies, quality of supervision, customer mix, and jurisdictions it operates in. Senior management approval is required.

Shell banks — never accepted: Banks that exist only on paper with no physical presence and no regulatory oversight must never be correspondent partners.

Annual due diligence: Repeated AML concerns, wire transfers lacking proper originator information, or evasive responses to requests — all warrant exiting the relationship.

Wire Transfers — The Highest-Risk Remittance Product

Wire transfers are simultaneously the most important tool for legitimate international commerce and one of the most abused channels for money laundering.

Domestic Transfers (≥ ₹50,000)

Must carry accurate originator information — name, address, and account number. Originating bank handles remitter KYC; beneficiary bank handles recipient KYC.

Cross-Border Transfers

Complete originator and beneficiary information must accompany the transfer throughout the entire payment chain. No bank in the chain may strip, alter, or omit this information.

Non-Delegable Responsibilities Across the Chain

Ordering Bank

Conduct full KYC and due diligence on the remitter before initiating the transfer
Include complete originator information in the message: full name, account number, address (or DOB/national ID as alternative)
Include complete beneficiary information where available
Verify the customer is not on any applicable sanctions list before transmitting

Intermediary Bank(s)

Pass through all originator and beneficiary information intact — may not strip, alter, or truncate any field
Screen both parties against applicable sanctions lists at each hop in the chain
If originator information is missing or incomplete, either seek it from the preceding bank or consider refusing to process
Maintain records of all transfers processed for 5 years (IBA standard: 10 years)

Beneficiary Bank

Identify and conduct due diligence on the recipient — own KYC obligation, not delegated to the sending bank
Screen the beneficiary and originator against sanctions lists on receipt
Flag incoming transfers with incomplete or missing originator information as potentially suspicious — consider filing an STR
Assess whether the received funds are consistent with the beneficiary's known profile and declared business

Sanctions Awareness

US OFAC administers the SDN (Specially Designated Nationals) list — any transaction touching the US dollar clearing system falls under US jurisdiction, even for Indian banks without US branches. UK and EU run parallel sanctions regimes. Non-compliance can result in multi-billion dollar penalties.

Part II · Ch 1–3

KYC — The First Line of Defence

If money laundering is the disease, KYC is the immune system. The Vienna Convention (1988) and FATF's original 40 Recommendations (1990) first introduced CDD as a core requirement; BCBS published detailed CDD guidance in 2001. In India, RBI requires every bank to have a formal, board-approved KYC Policy — board-level approval signals that AML compliance is a governance priority, not just an operations function.

📋

Customer Acceptance Policy (CAP)

Part II · Ch 1

Defines who the bank will and won't deal with. Sets prohibitions (no anonymous accounts, no benami accounts, no sanctioned entities), document requirements, risk categories, and approval authorities. Must not be so restrictive that it denies banking to financially vulnerable populations.

🪪

Customer Identification Procedure (CIP)

Part II · Ch 1

Specifies exactly how customers are identified, which documents are acceptable (OVDs), and how beneficial owners are determined for complex entities including companies, trusts, and partnerships.

📊

Transaction Monitoring

Part II · Ch 13

Establishes how ongoing account activity is watched for suspicious patterns, what triggers a flag, and how flags are escalated to the Principal Officer. A vegetable vendor making international wire transfers would immediately raise a flag.

🔴

Risk Management

Part II · Ch 1

Sets the overall risk-based approach — how different risk levels translate into different levels of scrutiny, how risk is assessed at onboarding and reviewed periodically.

Part II · Ch 3, 5–6

Customer Identification in Practice

For KYC purposes, a “customer” is broader than just the account holder — it includes anyone on whose behalf a transaction is being conducted, anyone who benefits from it, and anyone who controls the entity involved.

Officially Valid Documents (OVDs)

For individuals, identity and address verification requires one of six OVDs:

Passport

Driving Licence

PAN Card (identity only — no address)

Voter's Identity Card

NREGA Job Card

Letter from UIDAI (Aadhaar)

Note: PAN card alone is not sufficient for address — it carries no address field. e-KYC through Aadhaar biometric authentication is treated as an OVD and has transformed rural onboarding.

Beneficial Ownership Thresholds

Identifying who truly owns or controls an entity — not just who nominally signs the documents — is now one of the most scrutinised aspects of bank compliance.

Companies> 25% of shares/capital, or control through appointing directors

Partnership firms & unincorporated assoc.> 15% of capital or profits

TrustsAuthor, all trustees, and any beneficiary with > 15% interest

No identifiable individualMost senior managing official treated as BO by default

Capital market entities (SEBI-regulated)> 10% — lowered from 25% in 2024

Part II · Ch 6, 7, 8

KYC for Legal Entities — Not Everyone Gets the Same Treatment

Different legal structures carry different risks and present different opportunities for abuse. A risk-based approach means the KYC process is calibrated to match the specific ways each structure is typically exploited.

CompaniesCh 6 — Separating owners from managers

Documents required: Certificate of Incorporation, Memorandum & Articles of Association, board resolution authorising specific individuals, and OVDs for those authorised signatories. Beneficial owner determination is mandatory unless the company is listed on a stock exchange.

Why they are targeted: The person walking into a branch may be a paid executive who genuinely does not know the real business. Shareholders and beneficial owners stay hidden. Common abuses: hawala, trade-based laundering, routing hacked RTGS payments, fraudulent government subsidy claims.

Partnership FirmsCh 6 — Similar risk profile to companies

Documents: registration certificate, partnership deed, OVDs for authorised signatories. Beneficial owners are anyone with more than 15% ownership of capital or profits. Risks are similar to companies — particularly for hawala and trade-based laundering.

TrustsCh 6, 8 — High risk, hidden money

Documents: registration certificate, trust deed, OVDs for the person authorised to transact. All three categories of beneficial owner must be identified: the author (who created and funded the trust), trustees (who manage it), and beneficiaries with more than 15% interest.

Why they are targeted: The structure — accepting donations from the public — makes it easy to funnel criminal money as a “donation.” Hospitals, orphanages, religious organisations, and old age homes can all be used as fronts for terrorism financing.

Proprietary FirmsCh 6 — Highest abuse rate

Owned by a single individual, requiring no formal registration — anyone can set one up, and one person can have an unlimited number of them. This makes proprietary firms the most commonly abused structure for fraud and money laundering.

Beyond normal individual KYC, banks must obtain two activity proofs from a prescribed list — including trade licences, GST/VAT certificates, income tax returns, or professional body registrations. If only one activity proof exists, a field visit to verify the business is operating from its stated address is mandatory.

Common abuses: routing hacked RTGS payments, collecting fake duty drawbacks, running MLM schemes, operating fake import/export businesses.

Professional IntermediariesCh 7 — When the account isn't really yours

Stock brokers, lawyers, and accountants often maintain bank accounts that hold their clients' money. When a bank account is used as a conduit for third-party funds, identifying whose money it really is becomes critical.

For accounts holding specific client funds: each beneficial owner must be identified individually, even if funds are pooled in one account.
For pooled accounts (mutual funds, pension funds): verify that the entity has proper regulatory registration and approvals.
For stock brokers and other intermediaries: banks may rely on the intermediary's own KYC — but the bank remains ultimately responsible.

Part II · Ch 9–10

Politically Exposed Persons & Non-Face-to-Face Customers

PEPs — Enhanced Scrutiny by Default

FATF defines foreign PEPs as those who are or have been entrusted with prominent public functions by a foreign country — heads of state, senior politicians, military officials, state-owned corporation executives, and senior judiciary members. The same approach now applies to domestic PEPs where high-risk business relationships are involved.

The PEP process requires four actions:

A system to identify existing customers who become PEPs — not just flagging them at account opening

Senior management approval before the account is opened or the relationship continued

Information gathering about the source of funds and wealth

Enhanced ongoing monitoring — family members and close associates are subject to the same requirements

Non-Face-to-Face — When the Bank Never Meets the Customer

Digitally opened accounts, NRI accounts, and remotely onboarded customers carry higher risk because the bank cannot physically verify identity. Mitigation measures include: insisting on certified copies of all documents, requiring the first payment to flow from another bank account (demonstrating an established banking relationship), and for overseas customers, requiring certification by a regulated entity in the relevant country. V-CIP (Video-based Customer Identification Process) and Aadhaar eKYC are accepted alternatives.

Part II · Ch 11

Small Accounts, Minor Accounts & SHGs

KYC must not become a barrier to financial inclusion. Simplified provisions exist for customers who cannot provide standard OVDs — but each comes with specific restrictions that prevent abuse.

Small Accounts — Financial Inclusion Without Compromising Integrity

For people who cannot provide any OVD, the Small Account facility provides a limited savings account. The restrictions are significant:

Max credits

₹1 lakh / year

Max withdrawals

₹10,000 / month

Max balance

₹50,000 at any time

Foreign remittances

Not permitted

Valid for 12 months, extendable by another 12 if the holder has applied for an OVD. If after 24 months no OVD has been provided, the account is reviewed and may be closed.

Self Help Groups (SHGs) — Simplified for Rural Inclusion

SHGs do not require KYC for every member — just the office bearers. No separate KYC is needed at the time of credit linking either. This simplification is deliberate: SHGs play a critical role in rural financial inclusion, and excessive documentation requirements would defeat the purpose.

Part II · Ch 1, 4

Customer Risk Categorisation

A risk-based approach allows banks to concentrate compliance resources where risk is highest. Risk categories are dynamic, not static — life changes like becoming a PEP or moving to a high-risk country trigger an immediate reassessment.

Low Risk

Examples

Salaried employees, pensioners, hawkers, housewives (low/middle income)

Procedure

Simplified due diligence — lighter acceptable documents, fewer information requirements

KYC Updation

Every 10 years

Medium Risk

Examples

Real estate agents, restaurants, travel agencies, electronic goods merchants

Procedure

Standard due diligence — full OVD verification, source of funds inquiry

KYC Updation

Every 8 years

High Risk

Examples

Diamond merchants, arms dealers, real estate developers, PEPs, NGOs, importers/exporters

Procedure

Enhanced due diligence — financials, business licences, media research, senior management approval

KYC Updation

Every 2 years

IBA GuidanceCustomers Always Classified High Risk

Regardless of how other parameters score, these categories are treated as high risk by default:

Non-Resident Indians and foreign nationals

High Net Worth Individuals (HNIs)

Trusts, charities, and NGOs (other than UN-promoted)

Companies with closed/opaque shareholding structures

Firms with sleeping or dormant partners

Politically Exposed Persons (PEPs)

Non-face-to-face customers

Customers with connections to high-risk countries

Persons with adverse media coverage or dubious reputation

Diamond, bullion, and jewellery dealers (RBI-mandated)

Money exchange bureaux and antique dealers

Building a CRC System — The IBA Four-Step Process

Step 1

Select Parameters

Choose characteristics that genuinely differentiate ML/TF risk: customer constitution (individual/proprietorship/company), business segment, country, products used, economic profile, account status and vintage, presence on PEP/negative/defaulter lists, whether an STR has previously been filed, and whether AML alerts have been generated.

Step 2

Choose Classification Approach

Manual classification suits smaller banks. Automated rules-based classification in the core banking system suits larger institutions. Most banks use a combination — automated for the bulk portfolio, manual override for complex or borderline cases.

Step 3

Weighted Average Methodology

Assign a risk score and a weight to each parameter based on how accurately and importantly it predicts actual ML/TF risk. Critical parameters like customer constitution and product type receive higher weights. The aggregate weighted score places the customer in a risk bucket. Allow manual override where a single dominant parameter (e.g., diamond trader) undersells algorithmic risk.

Step 4

Assign, Connect, Review

Assign Low/Medium/High. Review at least every six months. Crucially, connect the risk category to differential monitoring: high-risk accounts should trigger lower software alert thresholds, more frequent manual review, and lower tolerance for unexplained transaction deviations. CRC without differential action is just paperwork.

Part II · Ch 5, 12

Partial Freezing — The Phased Compliance Process

When an existing account fails to meet KYC requirements, banks cannot simply close it without notice. The Master Direction mandates a graduated six-step process that protects both the bank's regulatory position and the customer's right to notice and an opportunity to comply.

Month 0Notice

Issue a written notice giving the customer 3 months to comply with KYC requirements.

Month 3Reminder

If no compliance, issue a reminder giving a further 3 months (total of 6 months from first notice).

Month 6Partial Freeze

Allow credits (customer can receive legitimate funds) but disallow all debits. Account is not closed.

Month 12Full Freeze

After a further 6 months of partial freeze with no compliance: disallow both credits and debits entirely.

Any timeRevival

The account holder retains the right to revive the account at any stage by finally providing KYC documents.

Part II · Ch 12

KYC Updation — Keeping Information Fresh

Customer profiles go stale quickly. RBI mandates periodic re-verification based on risk category. For high-risk customers, this is a frequent, active exercise. For low-risk customers, a self-declaration of “no change in details” is often sufficient — an example of proportionate compliance.

Risk Category	Frequency	Typical Method
High	At least every 2 years	Active re-verification — financials, fresh OVDs, media screening
Medium	At least every 8 years	Document refresh, address verification
Low	At least every 10 years	Self-declaration of “no change” often sufficient

Part II · Ch 12

Central KYC Registry — Solving the Repetition Problem

One of the most frustrating customer experiences is being asked for the same identity documents every time they open a new account or buy a new financial product. The Central KYC Records Registry (CKRC), managed by CERSAI, addresses this.

File within 3 days

Within 3 days of opening any account, reporting entities must file the customer's KYC records with the CKRC.

KYC Identifier issued

The registry deduplicates the data and issues a KYC Identifier — a unique code for each customer across the entire financial sector.

Reuse at any institution

When a customer opens a subsequent account anywhere and provides their KYC Identifier, the new institution retrieves records directly — no fresh documents required.

PMLR Rule	What It Requires
Rule 9(1A)	Within 3 days of opening any account-based relationship, file an electronic copy of KYC records with CKRC.
Rule 9(1C)	Once a KYC Identifier exists, retrieve records from CKRC rather than re-asking the customer — except when: (1) information has changed, (2) current address needs independent verification, or (3) enhanced due diligence is warranted.
Rule 9(1F)	Privacy safeguard: KYC records obtained from CKRC may only be used for identity and address verification. They cannot be shared with third parties or used for any other purpose (including marketing) without explicit customer authorisation or regulatory direction.

AML Value of CKRC

When the same individuals appear as directors or shareholders of multiple companies — as in shell entity laundering typologies — the central deduplication process can flag this pattern across the entire financial sector, making it much harder for networks of related entities to escape detection.

Part II · Ch 5

FATCA & Common Reporting Standards (CRS)

A less-discussed but mandatory requirement in the RBI Master Direction is compliance with FATCA (Foreign Account Tax Compliance Act) and CRS — a global transparency initiative that banks must embed into their KYC processes.

FATCA (US)

Requires identification of accounts held by US taxpayers. Indian banks must report financial information about those accounts to Indian tax authorities, who share it with the US IRS.

CRS (100+ countries)

Requires identification of accounts held by residents of any CRS-participating country. Information flows automatically to the relevant tax authority, eliminating the information gap that enables offshore tax evasion.

What Banks Must Do (IT Rule 114F)

Submit Form 61B annual reports identifying reportable accounts

Build IT systems for due diligence procedures under Rule 114H

Constitute a High Level Monitoring Committee under the Designated Director for FATCA/CRS compliance oversight

Part II · Ch 13

The Five FIU Reports — What Banks Must File

Indian banks are legally required to submit five types of reports to FIU-IND under PMLA. Four are rule-based — triggered automatically by thresholds. The fifth, the STR, is judgment-based — requiring a bank official to form a view that a transaction is suspicious, regardless of size or mode. Every day of late submission is treated as a separate violation — no grace period.

Report	Trigger	Type	Deadline
CTRCash Transaction Report	Cash transactions ≥ ₹10 lakh (single or integrally connected in a month)	Rule-based	15 days after month-end
NTRNon-Profit Org. Transaction	Transactions by non-profit organisations above the prescribed threshold	Rule-based	15 days after month-end
CBTRCross Border Transfer Report	Cross-border transfers ≥ ₹5 lakh equivalent per transaction	Rule-based	15 days after month-end
STRSuspicious Transaction Report	Any suspicious transaction — any amount, any mode, including attempted transactions	Judgment-based	7 working days of forming suspicion
CCRCounterfeit Currency Report	Any counterfeit currency notes received	Rule-based	15 days after month-end

What Makes a Transaction “Suspicious”?

A suspicious transaction is one that a person acting in good faith would reasonably believe may involve the proceeds of a scheduled offence, appears to have unusual complexity or no economic rationale, or may be related to terrorism financing. Several things make this definition unusual:

Amount does not matter

A ₹500 transaction can be suspicious.

Mode does not matter

Cash, cheque, NEFT, RTGS, locker use — all count.

Attempted transactions count

If a customer asks about moving large cash amounts and leaves without transacting after being questioned, that inquiry may itself be reportable. The Cobrapost sting — journalists posing as clients — resulted in bank penalties for not filing STRs based on conversations alone.

Filing an STR does not restrict the account

The account continues to operate normally. The bank is explicitly prohibited from tipping off the customer. Restricting the account would destroy the intelligence value for law enforcement.

Integrally connected transactions

Ten deposits of ₹1.5 lakh each in a month = one CTR for ₹15 lakh. Same customer, same nature, same month, aggregate ≥ ₹10 lakh — counted together even if individually below threshold.

Part II · Ch 13

Writing an STR — The Grounds of Suspicion

Filing an STR is not a box-ticking exercise — it is the transmission of actionable intelligence to FIU-IND. A poorly written STR provides little value to investigators; a well-written one can unlock entire networks. The “Grounds of Suspicion” narrative is the soul of the STR — and the most examined element in any regulatory review of an STR.

What the Grounds of Suspicion Must Cover

The narrative is written in the voice of the reporting officer and must answer four questions for the investigator reading it cold:

Who is the customer?

Brief customer profile — declared business, account vintage, economic profile, prior transaction history, and any prior STRs. The context that makes the transaction stand out.

What is the mismatch?

The specific transaction or pattern, and exactly how it deviates from the customer's profile, declared occupation, or prior behaviour. Numbers, amounts, frequencies — be specific.

What explanation was offered?

Document any explanation given by the customer, and why that explanation was found unconvincing or unverifiable. If the customer was not approached (tipping-off concern), explain why.

What remains suspicious?

After considering the explanation (if any), state precisely what continues to create a reasonable belief that the transaction may involve proceeds of a scheduled offence or terrorism financing.

STR Priority Ratings

P1 — Urgent

Terrorism financing, imminent threat, ongoing fraud. File within hours. Telephone FIU-IND before submitting electronic STR.

P2 — Standard

Serious ML concerns, significant amounts, known typologies. File within 7 working days of forming suspicion.

P3 — Low

Completed transactions where suspicion forms retrospectively. Standard 7-day deadline still applies.

Key STR Rules

Attempted transactions are reportable — include them with the flag "attempted: yes"

STR source code identifies the product or channel (e.g., savings, trade finance, locker)

File within 7 working days — every additional day of delay is a separate violation

Do not tip off — do not restrict the account or alert the customer

STR records (the entire investigation file) must be retained for 10 years — not just the 5-year PMLA minimum

Part II · Ch 4, 13

How Banks Detect Suspicious Transactions

Effective transaction monitoring works through three complementary layers. No single layer is sufficient — together they cover the full range of suspicious patterns.

Layer 1Human Observation

Branch staff are the first line of detection, especially for behavioural indicators that software cannot see. A customer who leaves without opening an account after being told about KYC requirements. Someone accompanied by a person who seems to be directing what the customer says. Documents that look slightly off. A customer who seems nervous when asked standard questions about source of funds. A wealthy-looking individual claiming to be a simple salaried employee. These patterns require alert, trained humans — not algorithms.

Layer 2Exception Reports

Core banking systems generate reports of transactions that fall outside defined parameters — accounts with activity well above their expected profile, sudden spikes in dormant accounts, accounts receiving funds from a large number of different sources. AML analysts examine these reports in the context of the customer's full profile and transaction history.

Layer 3AML Software

AML software applies hundreds of rules simultaneously to every transaction, generating alerts when patterns match known laundering typologies. The value depends entirely on the quality of the rules — good rules are specific enough to flag genuine suspicious patterns, but not so broad that they flood analysts with false positives. Typically deployed alongside white-listing for known-legitimate high-volume accounts.

Part II · Ch 4, 13

IBA Alert Categories & Alert Management

The IBA Working Group classifies alerts into nine categories based on their trigger source. Understanding the category tells an analyst which investigation path to follow and what additional information to gather.

Code	Category	Description
CV	Customer Verification	Alert raised because a KYC document could not be verified, a field visit found no business at the stated address, or identification appears forged.
LQ	Law Enforcement Query	Regulator, law enforcement, or court has asked for information about a customer. Any account mentioned in an LQ must be reviewed for STR filing.
MR	Media Report	Adverse media coverage — newspaper, TV, or credible online source — naming the customer in connection with financial crime, fraud, or reputational concerns.
EI	Employee Initiated	Branch or operations staff have flagged suspicious customer behaviour or transactions. These are often the earliest and most specific indicators.
PC	Public Complaint	Complaint received from the public that the account has been used to collect funds under a scam (job offer, lottery, investment fraud).
WL	Watch List	Customer name has matched an entry on a sanctions list (UN, UAPA, OFAC, EU, or internal watch-list).
TM	Transaction Monitoring	AML software rule has generated an alert based on a transaction pattern (e.g., smurfing, hub-and-spoke, dormant account activation with large inflow).
TY	Typology Based	Transaction pattern matches a known ML/TF typology identified in IBA guidance, FATF red flag lists, or FIU-IND typology reports.
RM	Risk Management	Periodic risk review of a high-risk customer has revealed activity inconsistent with their updated profile or risk category.

Alert Management Process — Analyst to Principal Officer

Alert Generated

Software, branch, or external trigger creates an alert in the AML case management system. Analyst assigned based on alert category and product type.

Preliminary Investigation

Analyst reviews full transaction history, customer profile, previous alerts/STRs, CKRC data, and any publicly available information (media search, company registry). Documents all findings.

Decision — Clear or Escalate

If analysis shows the transaction is explainable and consistent with the customer's known profile: clear the alert with documented rationale. If suspicion remains: escalate to the Principal Officer with a complete case file.

Principal Officer Review

PO reviews the case file and analyst recommendation. May request additional investigation, approve clearing, or direct the analyst to file an STR with FIU-IND. Maintains final accountability.

White-List (if applicable)

For accounts routinely flagged but consistently legitimate after investigation (e.g., high-volume cash businesses with known customers): PO may approve white-listing that specific alert rule for that account. White-listing requires documented rationale, is scenario-specific (not blanket), and is reviewed periodically.

Part II · Ch 13

STR Typologies — What Actual Laundering Looks Like

The most effective way to train the eye for suspicious transactions is to study what has already been seen. These are the most common laundering patterns encountered in Indian banking, with their key detection indicators.

CorporateShell Entity Networks

Key Indicators

Multiple companies, all controlled by the same individuals, at the same address, with the same email. Cash deposits just below ₹10 lakh. Funds channelled into one central account, then immediately remitted outward. Directors' ID documents turn out to be fake or non-existent. None of the companies can be found at their stated addresses.

ProprietorshipBenami Proprietary Firms

Key Indicators

Turnover exceeds declared annual turnover by six times within 18 months. Thousands of small-value cheques deposited — many in round amounts — with a high bounce rate. Nearly all withdrawals are in cash. The firm cannot be found at its stated address. The proprietor turns out to be a salaried employee of another company.

Import/ExportTrade-Based Laundering

Key Indicators

Newly opened account of an import/export firm receives heavy RTGS inflows from multiple entities. Immediately followed by outward foreign remittances, all below USD 100,000. No bill of entry ever submitted. Account becomes inactive within three months. All remittances go to a single entity in one country.

IndividualsMoney Mules

Key Indicators

Transactions always conducted by third parties. Account holder is uncontactable or refuses to meet the bank. Transaction patterns completely inconsistent with the declared occupation. Bank receives public complaints claiming these accounts were used to collect money in response to job offers, lottery notices, or award notifications.

Fraud overlapMLM / Ponzi Scheme Collection

Key Indicators

Very large numbers of small, identically-valued cheques deposited from many different sources. Account holder is nominally in an unrelated business. Funds withdrawn immediately — often 80%+ in cash. Internet searches reveal the entity connected to the account has multiple public complaints against it.

Part II · Ch 4

Organisational Structure — Who Does What

A bank's AML obligations cover every part of the organisation. Accountability must be clear at every level — from the boardroom to the branch counter.

Board of Directors

Approves the KYC Policy, reviews compliance regularly, and appoints the Designated Director. Carries responsibility for ensuring the bank has an appropriate policy and organisational setup.

Designated Director

The Managing Director or a whole-time director authorised by the Board. Personally responsible under PMLA for ensuring all legal obligations are fulfilled — KYC Policy exists and is updated, Principal Officer is appointed, FIU reporting is covered, compliance and audit are genuinely monitoring adherence. Personal liability for systemic failures.

Principal Officer

The nodal point for day-to-day AML compliance. Formulates and maintains the KYC Policy, coordinates all business and operations units for KYC compliance, puts in place software arrangements for FIU reporting, ensures detection mechanisms for suspicious transactions, and files STRs with FIU-IND. Reports periodically to the Board's Audit Committee.

AML Monitoring Units

Examine alerts generated by software, conduct detailed case analysis, prepare STR recommendations, maintain white-lists, and coordinate with branches on suspicious transaction leads. In large banks, separate units may exist for retail, trade finance, and cross-border remittances — all reporting functionally to the Principal Officer.

Branches & Field Units

The eyes on the ground. Watch account activity, notice customer behaviour changes, report suspected and attempted transactions to the AML unit, and investigate alerts sent back from the centre. Often the first to notice that a customer is making a suspicious inquiry — and they must know that an inquiry itself can be reportable.

Compliance & Audit

The independent assurance layer. Compliance monitors that the KYC Policy is current and that new products have been reviewed for AML/CFT requirements before launch. Audit independently examines whether KYC/AML requirements are actually being followed in practice — at least annually across all relevant functions.

Part II · Ch 5

Training & Customer Awareness

PMLA explicitly makes training a legal obligation — not optional. Regulators examining a bank after any compliance failure will ask what training was provided, to whom, and how recently. Records must be maintained.

Differentiated Training by Level

Branch tellers & cashiers

Recognise smurfing, structured deposits, and behavioural red flags.

Relationship managers

Conduct enhanced due diligence on PEPs without alarming legitimate customers.

Product heads

Incorporate ML risk assessment into every new product design before launch.

Principal Officer

Deep expertise in typologies, software configuration, and regulatory reporting.

Board members

Enough understanding to meaningfully oversee the entire framework.

Rationale-Based Training — Not Just “The Rules Say So”

The most common failure in bank AML training is communicating what the rule is, without explaining why it matters. Staff who understand the rationale make better judgments in novel situations — exactly the situations where rules give out.

Obligation vs. Why

Don't just tell a teller to ask for source-of-funds. Explain that proceeds from drug trafficking, extortion, and trafficking in persons get laundered through bank accounts — and that their vigilance is what breaks the chain.

Real Consequences

Use real case studies — BCCI, the PSU bank trade case, the Cobrapost sting — to demonstrate that compliance failures have personal consequences for bank employees, not just institutional fines.

Judgment Over Checklists

Train staff to notice what looks wrong, not just what a checklist says to look for. A customer who is evasive, nervous, or accompanied by someone else directing their answers is a red flag even if all documents are in order.

Customer Awareness — Channels and Messages

Genuine customers are the bank's allies in the fight against financial crime — but only if they understand why KYC information matters. Customer awareness must use channels customers actually see, with messages they can act on:

Passbook Inserts / Statements

Explains KYC requirements and what to expect during re-verification

SMS / Email Alerts

Notifies of upcoming KYC renewal, what documents to bring

Internet Banking Banners

Targeted messages to customers whose KYC is due for renewal

Branch Notices

Posters explaining what constitutes a suspicious approach and how to report it

Part I · Ch 2

Real Bank Failures — Lessons the Hard Way

BCCI1991

Bank of Credit and Commerce International operated across 70 countries and deliberately served drug traffickers, arms dealers, and dictators. When regulators finally acted, over USD 12 billion in assets were seized. It remains one of the largest financial crime scandals in history.

Lesson →

Deliberate complicity, not just negligence, is possible. Compliance culture matters as much as controls.

Riggs Bank2004

Washington DC bank helped Chile's former dictator Augusto Pinochet hide millions stolen from the Chilean people by concealing his accounts from US federal regulators. The bank and its owners paid USD 9 million to victims.

Lesson →

PEP accounts without EDD — source of funds verification, senior management sign-off — are a direct path to institutional collapse.

Indian PSU Bank — Trade-based2015

ED and CBI investigations revealed approximately 8,000 illegal remittances worth ₹6,000 crore routed through a single branch over one year — all structured below CTR thresholds, all ostensibly for imports that never happened. Ten arrests including three bank officials.

Lesson →

Branch-level bankers face personal criminal liability. Structured transactions below thresholds are a red flag, not a safe harbour.

IBA Working Group42 Case Studies — Six Pattern Groups

The IBA Working Group analysed 42 actual suspicious transaction cases from Indian banks and distilled them into six recurring pattern groups. These patterns appear repeatedly in STR filings and are the basis for many of the IBA-recommended software alert scenarios.

1 — Activity Inconsistent With Known Business

Transactions that have no relationship to the customer's declared occupation or business. A schoolteacher receiving large inward remittances. A small kirana store with RTGS turnover exceeding its declared annual revenue by multiples. A salaried employee making frequent international wire transfers. The mismatch between who the customer claims to be and what the account actually does is the primary indicator.

Turnover inconsistent with declared economic profileProducts used (e.g., trade finance) mismatched with declared occupationCounterparties unrelated to declared business activity

2 — Multiple Accounts and Shell Structures

Multiple entities — companies, proprietary firms, partnerships — controlled by the same individuals, operating in hub-and-spoke or pass-through patterns. Funds deposited into multiple accounts and quickly consolidated into one before remittance. Directors and signatories appear across multiple entities at the same registered address.

Same directors/address across multiple entitiesFunds move from many accounts to one then immediately outEntities cannot be found at registered addresses on field verification

3 — Dormant Account Reactivation

Accounts with little or no activity suddenly reactivated with large transactions. Classic money laundering technique — the account appears to have an established history, which can provide a false legitimacy to incoming funds. The reactivation itself, especially with unexplained large inflows, is the red flag.

Zero or near-zero activity for 12+ monthsSudden large inflow with no prior notice or business justificationRapid transfer of inflow to third parties or cash withdrawal

4 — Attempted Transactions and Unusual Inquiries

A customer asks about moving large amounts, wire transfer procedures, or CTR thresholds — and then leaves without transacting after being asked about source of funds. Customers who ask specifically how to avoid triggering reports. The Cobrapost sting demonstrated that a conversation in a branch — even if no transaction occurs — can generate reportable suspicion.

Customer leaves without transacting after KYC/source-of-funds questionsQuestions specifically about CTR/STR thresholds or reporting triggersAttempted transactions — flag as attempted in STR

5 — Cross-Border and Trade-Based

Import/export accounts receiving heavy inflows followed by rapid outward remittances below threshold. No corresponding trade documents (bill of entry, shipping documents) ever submitted. Counterparties concentrated in high-risk jurisdictions. Identically valued remittances suggesting structured payments to evade cross-border reporting thresholds.

Outward remittances structured below USD 100,000 thresholdNo trade documents presented for import paymentsAll remittances to a single entity in one jurisdiction

6 — Entry Business Typology (Indian Context)

A phenomenon particularly prevalent in India: newly incorporated proprietary firms or companies, opened primarily to provide a banking channel. Account opened, used intensively for 3–6 months with high-value transactions, then abandoned. The entity cannot be found on follow-up. This typology accounts for a disproportionate share of STR filings from branches in urban commercial centres.

Account history < 6 months with intense usage then sudden inactivityAccount holder unreachable after initial transactionsBusiness model cannot be verified even at time of account opening

Five Principles From Case Law

Never tip off

The portfolio manager who warned his drug-trafficking client about a customs investigation — and arranged to transfer assets to a new trust — was prosecuted for tipping off as a separate offence. Even well-intentioned loyalty to a long-standing client can cross the line.

Wilful blindness is not a defence

The bank that accepted bulk cashier's cheques all just under the USD 10,000 reporting threshold, all subsequently transferred back to the US, ultimately pleaded guilty when internal audits revealed the obvious pattern. Courts have consistently held that deliberately ignoring obvious signs of wrongdoing is not protected ignorance.

Transaction patterns > customer relationships

The chemist who started making cash deposits and buying bank drafts to a chemical company in Italy — after years of completely different business activity — was linked to a drug ring. Long relationship history does not override suspicious transaction patterns.

Know the activity, not just the identity

The most dangerous approach is verifying who the customer is without building a transaction profile. When actual transactions don't match the declared business, that gap is the signal.

KYC is not harassment

Customers who resist KYC requirements should raise, not lower, suspicion. Explain the requirements, make a genuine effort to accommodate genuine difficulties — but ultimately close accounts where required information cannot be obtained. Never relax standards to retain business.

2025–26 Updates

Recent Developments

Cut-off date for IIBF exams: 31 Dec 2025 (for Mar–Aug 2026 sittings).

India's FATF Mutual Evaluation (2024)

Broadly positive assessment — good results in risk understanding, financial intelligence use, and asset confiscation. However, beneficial ownership identification flagged as a persistent weak spot in commercial banks and forex dealers. RBI has responded with enhanced inspection protocols and stronger UBO verification guidance.

Beneficial Ownership Threshold Lowered to 10%

SEBI reduced its BO threshold to 10% for capital market entities. Banks handling capital market transactions must now apply this lower threshold when identifying who controls corporate customers.

Crypto Entities Now Under PMLA

Virtual Asset Service Providers (VASPs) — cryptocurrency exchanges — must now conduct full KYC on users, file STRs for suspicious transactions, and maintain records. A significant expansion of the PMLA reporting universe.

AI-Powered Transaction Monitoring

Indian banks are deploying ML-based monitoring systems that analyse millions of transactions in real time, dramatically reducing false positives from older rule-based systems and freeing compliance teams to focus on genuine suspicious activity.

FATF 2025: Proportionate KYC & Financial Inclusion

FATF updated its Standards to explicitly recognise that overly aggressive KYC can exclude legitimate low-income customers. Banks must now demonstrate that their KYC processes do not exclude marginalised populations. India's Jan Dhan Yojana simplified KYC model is cited internationally as a good-practice example.

EU's AMLA — Direct Supervision from 2028

With its first Executive Director appointed July 2025, the EU AML Authority has begun issuing convergence reviews and moves toward direct supervision of high-risk financial institutions by 2028.

Exam-Ready Summary

25 Key Takeaways

Money laundering is a 3-stage process: Placement → Layering → Integration. Each stage requires different detection methods; detection is hardest at the final stage.

FATF's 40 Recommendations are the global gold standard. Countries are assessed on technical compliance (laws in place) AND effectiveness (laws actually working) — greylisting causes real economic harm.

India's PMLA 2002 is broad: the offence covers not just laundering but any attempt, assistance, or negligence connected to proceeds of crime. Punishment is 3–7 years rigorous imprisonment.

The PMLR 'transaction' definition is extraordinarily wide: locker use, fiduciary arrangements, establishing a legal entity, and even opening an account are all 'transactions' for compliance purposes.

The suspicious transaction test is a reasonable-person standard, not an evidence standard. Any amount, any mode, including attempted transactions. When genuinely in doubt: report.

FIU-IND is India's intelligence hub — receives CTRs, STRs, CBTRs, NTRs, and CCRs from all reporting entities, and disseminates to the ED and Egmont Group partners worldwide.

Terrorism financing is the mirror image of ML: it hides where money is going, not where it came from, and can involve very small, ordinary-looking transactions from entirely legal sources.

KYC rests on four pillars: Customer Acceptance Policy, Customer Identification Procedure, Transaction Monitoring, and Risk Management — all board-approved.

Different customer types require different KYC: companies need board resolutions and BO identification; trusts need author/trustee/beneficiary verification; proprietary firms need two activity proofs or a field visit.

10.

Beneficial ownership: >25% for general entities; >15% for partnerships and trusts; >10% for SEBI-regulated entities since 2024.

11.

Risk categories are dynamic — a salaried employee who becomes a PEP must be immediately reassessed. IBA default always-high-risk categories include PEPs, trusts/NGOs, NRIs, HNIs, diamond/bullion dealers, and non-face-to-face customers.

12.

Customer Risk Categorisation must connect to differential monitoring intensity — lower software alert thresholds, more frequent review, and lower tolerance for unexplained deviations for high-risk accounts.

13.

STRs are the crown jewels of AML reporting — judgment-based, any amount, any mode, include attempted transactions, filed within 7 working days, must never tip off the customer. Filing an STR does not restrict the account.

14.

Every day of late submission of any FIU report (CTR, NTR, CBTR, STR, CCR) is treated as a separate violation — no grace period.

15.

Partial freezing follows a graduated process: notice (3 months) → reminder (3 months) → partial freeze (debits only blocked) → full freeze. The customer can revive at any stage by providing documents.

16.

CKRC Rule 9(1F): KYC records retrieved from the registry may only be used for identity verification. Using them for marketing or sharing without authorisation is a regulatory violation.

17.

UAPA Section 51A: when a match with a designated entity is found, reporting to MHA must happen within 24 hours — simultaneously by fax, phone, and email. This is not a next-business-day obligation.

18.

India's AML laws extend to overseas branches of Indian banks with the stricter of Indian or local standards always applying. Where local law conflicts with RBI guidelines, RBI must be notified.

19.

The Designated Director and Principal Officer carry personal legal liability under PMLA — compliance failure is not just an institutional risk.

20.

Training is a legal obligation. Wilful blindness is never a defence. Banks have a moral responsibility: the proceeds being laundered often originate from drug trafficking, extortion, and trafficking in persons.

21.

Name screening must use fuzzy matching (Levenshtein distance and Soundex phonetic algorithms) because criminals routinely misspell or transliterate names. A confirmed true-positive match triggers UAPA Section 51A's 24-hour simultaneous reporting protocol.

22.

IBA alert categories: CV (customer verification), LQ (law enforcement query), MR (media report), EI (employee initiated), PC (public complaint), WL (watch list), TM (transaction monitoring), TY (typology), RM (risk management). Each category determines the investigation pathway.

23.

The 'Grounds of Suspicion' is the soul of the STR — it must answer: who is the customer, what is the mismatch, what explanation was offered, and what remains suspicious. STR investigation files must be kept for 10 years (exceeds the 5-year PMLA minimum).

24.

Wire transfer responsibilities are non-delegable: ordering bank verifies the remitter; intermediary banks pass information intact and screen at each hop; beneficiary bank conducts its own due diligence on the recipient — it cannot rely on the sending bank's KYC.

25.

IBA's six case study pattern groups: activity inconsistent with known business, multiple-account/shell structures, dormant account reactivation, attempted transactions/unusual inquiries, cross-border/trade-based patterns, and 'entry business' typology (intense short-duration use then abandonment).

Syllabus reference: IIBF Rules & Syllabus — Certificate Examination in AML & KYC (2026). Verify at iibf.org.in.← Back to AML & KYC Exam Page

Dirty Money, Clean Hands

Syllabus Chapter Coverage

What Is Money Laundering?

Where Did the Term Come From?

How Big Is the Problem?

Register free to read the full guide