The Reserve Bank of India (RBI), as India's central banking institution and primary financial regulator, occupies a critical position in safeguarding the integrity of the nation's financial system against money laundering and terrorist financing threats.
Through its comprehensive regulatory framework, supervisory mechanisms, and enforcement actions, the RBI ensures that banks and financial institutions under its purview maintain robust Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) controls. This article examines the multifaceted role that the RBI plays in enforcing AML/CFT compliance across Indian financial institutions, highlighting the following areas that define critical regulatory aspects of enforcement:
• regulatory architecture
• supervisory practices
• enforcement mechanisms
The RBI's authority to enforce AML/CFT compliance derives from multiple legislative sources, principally the Prevention of Money Laundering Act, 2002 (PMLA) and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PML Rules). However, it is through the RBI's Master Direction on Know Your Customer (KYC), first issued in February 2016 and continuously updated, that these statutory obligations are translated into operational requirements and obligations for its regulated entities.
The Master Direction represents a consolidation of decades of regulatory evolution, incorporating international standards set by the Financial Action Task Force (FATF), the global standard-setting body for AML/CFT measures. India's membership in FATF since 2010 has necessitated continuous alignment of regulatory requirements with international best practices, a responsibility that falls squarely on the RBI for all entities within its regulatory ambit, many of whom perform the role of gatekeepers to India’s financial ecosystem.
The KYC Master Direction applies comprehensively to all scheduled commercial banks, regional rural banks, cooperative banks, and non-banking financial companies (NBFCs) regulated by the RBI.
Through these directions, the central bank mandates that these institutions implement four key foundational elements: customer acceptance policies, risk management frameworks, customer identification procedures, and transaction monitoring systems. These requirements are not mere administrative obligations; they constitute the operational backbone of India's defence against financial crime.
Central to the RBI's AML/CFT framework is the adoption of a risk-based approach (RBA), which requires financial institutions to conduct comprehensive risk assessments encompassing clients, countries, products, services, transactions, and delivery channels. This approach, strongly advocated by FATF, recognizes that not all customers and transactions pose equivalent money laundering or terrorist financing risks, and therefore demands differentiated levels of scrutiny.
Under current regulations, financial institutions must categorize customers into risk profiles low, medium, and high (you may add more layers) based on multiple parameters, including customer background, country of origin or residence, nature of business activity, and transaction patterns. Enhanced Due Diligence (EDD) measures are mandated for high-risk categories, including Politically Exposed Persons (PEPs), clients from jurisdictions identified by FATF as having strategic AML/CFT deficiencies (a.k.a. the grey and black lists), especially with non-face-to-face customers, and entities with complex or opaque ownership structures.
The November 2024 amendments to the KYC Master Direction introduced significant refinements, particularly the clarification that Customer Due Diligence (CDD) procedures should be conducted at the Unique Customer Identification Code (UCIC) level.
This modification reduces redundancy while maintaining robust oversight over existing customers with completed KYC records, who need not undergo fresh CDD when opening additional accounts or accessing new services with the same institution, thereby balancing compliance rigor with operational efficiency. These KYC records must be uploaded into the Central KYC Records Registry (CKYCR), which becomes a “golden source of truth” as far as a validated KYC record of a client is concerned.
One area of particular supervisory focus has been the identification and verification of beneficial ownership, especially in complex corporate structures. Following amendments to the PML Rules, the threshold for identifying beneficial owners has been progressively lowered—from 25% to 15%, and most recently to 10% of ownership, capital, profits, or voting rights for companies and partnerships. These changes reflect global trends toward greater transparency in corporate ownership structures.
Supervisory findings from regulatory inspections have consistently revealed that beneficial ownership identification remains a significant compliance challenge for many financial institutions. The requirement to identify persons exercising control "through other means" in complex corporate structures has proven particularly difficult to implement consistently.
This challenge has been acknowledged even in FATF's Mutual Evaluation Report of India, which noted concerns about whether CDD processes are sufficiently robust to identify all persons exercising control or acting on behalf of customers.
The RBI's supervisory approach to AML/CFT compliance has evolved significantly from periodic inspections to a model of continuous surveillance. This transformation aligns with the central bank's Utkarsh 2.0 strategy, which emphasizes proactive supervision over reactive enforcement.
The supervisory process encompasses multiple layers. On-site inspections remain a critical tool, during which RBI examination teams conduct detailed reviews of institutions' AML/CFT frameworks, testing both policy adequacy and implementation effectiveness. Effectiveness remains FATF’s core concern with its members and is central in its mutual evaluations. These inspections evaluate the completeness of customer identification records, the appropriateness of (dynamic) risk categorization, the functionality of transaction monitoring systems, the quality of suspicious transaction reporting, and the overall governance of AML/CFT programs.
Off-site surveillance has been substantially enhanced through the deployment of technology-driven monitoring systems. Financial institutions are required to submit regular returns and reports through the Centralized Information Management System (CIMS), enabling the RBI to conduct ongoing analysis of data quality, identify emerging patterns, and detect potential compliance gaps before they escalate into systemic risks.
The establishment of CKYCR represents another dimension of supervisory infrastructure. By centralizing KYC records and assigning unique KYC Identifiers to customers, the system facilitates both efficiency and oversight.
The November 2024 amendments mandate that when KYC records are updated by a customer at any regulated entity, the CKYCR must notify all other entities associated with that customer, ensuring real-time information sharing and reducing the risk of outdated customer information remaining undetected across the financial system.
The RBI's enforcement arsenal extends far beyond monetary penalties, encompassing a spectrum of interventions designed to compel compliance and remediate deficiencies.
In fiscal year 2024-25 alone, the central bank imposed 353 penalties totaling approximately 54.78 crore across various categories of regulated entities - a significant increase compared to enforcement actions over prior periods. Analysis of penalty patterns reveals that Know Your Customer and Anti-Money Laundering violations constitute the most frequent category of enforcement action.
Common deficiencies identified through inspections also include inadequate systems for monitoring suspicious transactions, poor customer risk categorization, insufficient ongoing due diligence, failures in beneficial ownership identification and verification, delegation of critical KYC functions to unqualified third parties, and inadequate record retention practices.
However, the RBI's enforcement approach increasingly extends beyond monetary sanctions to operational restrictions that directly impact business continuity. The high-profile case of a major payments bank exemplifies this approach.
Following persistent non-compliances and material supervisory concerns, the RBI barred the institution from accepting fresh deposits, facilitating credit transactions, and allowing top-ups. This action, which followed earlier monetary penalties for KYC and AML control failures, demonstrates the regulator's willingness to impose severe consequences when compliance failures persist or systemic risks emerge.
Additional enforcement tools include directions to cease specific business activities, restrictions on customer onboarding, requirements for third-party audits, mandatory remediation plans with specific timelines, removal of key managerial personnel in cases of serious violations, and, in extreme cases, cancellation of banking licenses.
The RBI's AML/CFT supervisory and enforcement framework continues to evolve in response to emerging risks and international developments. Several trends are apparent in the regulator's current priorities.
First, there is heightened emphasis on technology and data governance. The RBI has published guidance for regulated entities on conducting internal money laundering and terrorist financing risk assessments (October 2024), providing a clearer framework for institutions to structure their risk assessment processes in alignment with international standards, including Basel Committee principles. Supervisory reviews increasingly examine the quality of data governance frameworks, the effectiveness of automated transaction monitoring systems, and the use of technology for sanctions screening and adverse media monitoring.
Second, the RBI is moving toward principle-based regulation that emphasizes governance and judgment rather than purely checklist compliance. This major shift, evident in the consolidation of multiple circulars into comprehensive Master Directions, requires institutions to demonstrate not merely policy adoption but effective implementation and continuous improvement. The establishment of a Regulatory Review Cell within the RBI, tasked with conducting systematic reviews of regulatory frameworks every five to seven years, reflects this commitment to maintaining current and coherent requirements.
Third, there is a growing focus on group-wide AML/CFT policies for financial conglomerates. The October 2023 amendments to the KYC Master Direction clarified that group-wide AML policies must be adopted by regulated entities that are part of financial groups, with appropriate mechanisms for information sharing while maintaining confidentiality safeguards. This requirement recognizes that money laundering risks are not restricted to corporate boundaries and that consolidated oversight is essential for effective control.
Fourth, consumer protection considerations are being integrated more explicitly into AML/CFT supervision. The RBI increasingly evaluates whether compliance measures are implemented with appropriate regard for customer experience, fairness, and privacy rights, seeking to prevent situations where legitimate customers face undue burden while ensuring that compliance objectives are achieved.
FATF's evaluation of India raised concerns that penalties imposed by supervisors, including the RBI, may not be sufficiently dissuasive relative to the seriousness of violations. They were noted as potentially insufficient to drive behavioral change, particularly for larger institutions where such amounts might be treated as a routine cost of business rather than a meaningful deterrent.
The recommendation that penalties should be proportionate to the seriousness and impact of specific failures, rather than primarily driven by the size of the institution, represents an important evolution in enforcement philosophy. Increasingly, the RBI's actions suggest movement in this direction and witness the substantial penalties on payment system operators and the operational restrictions imposed on entities with persistent compliance failures.
The Reserve Bank of India's role in enforcing Anti-Money Laundering and Combating the Financing of Terrorism compliance extends across the entire spectrum of regulatory functions - from establishing comprehensive requirements through the KYC Master Direction, conducting risk-based supervision through on-site and off-site mechanisms, imposing enforcement actions ranging from monetary penalties to operational restrictions, and continuously refining expectations in response to evolving risks and international standards.
For banks and financial institutions operating under RBI oversight, the message is unmistakable: AML/CFT compliance is definitely not a tick-in-the-box activity nor a peripheral administrative function, but a core operational and governance imperative. The shift from periodic supervision to continuous monitoring, from checklist compliance to principle-based governance, and from purely monetary penalties to operational consequences reflects a maturation of India's regulatory approach.
Institutions that treat compliance proactively, embedding robust controls into business processes, investing in technology and expertise, maintaining strong governance, and demonstrating continuous improvement, position themselves not merely to avoid regulatory sanctions but to contribute meaningfully to the integrity and stability of India's financial system.
As India continues its journey toward full alignment with international AML/CFT standards, more now with its newfound elite status of being placed in the “regular follow-up” category, the RBI's supervisory and enforcement role will remain central. This will ensure that the country's banks and financial institutions serve as effective gatekeepers against money laundering and terrorist financing, thereby protecting both the national financial system and India's standing in the global financial community.
All the above mentioned governance initiatives augur well for the advancement towards a Viksit Bharat by 2047.