Prevention of Money Laundering Activities under RBI (Non-Banking Financial Companies – Know Your Customer) Directions, 2025

Prevention of money laundering has become a significant compliance obligation for Non-Banking Financial Companies (NBFCs) due to increasing risks of financial fraud, illicit fund movement and terrorist financing activities. NBFCs, being recognised as “financial institutions” under the Prevention of Money Laundering Act, 2002 (PMLA), are required to comply with the anti-money laundering obligations prescribed under the Act and the Reserve Bank of India (Non-Banking Financial Company – Know Your Customer) Directions, 2025 issued by the Reserve Bank of India.

Section 3 of the PMLA defines the offence of money laundering as any direct or indirect attempt to indulge, assist, or be involved in activities connected with the proceeds of crime and projecting them as untainted property. Further, Section 12 of the PMLA imposes obligations upon financial institutions to maintain transaction records, verify customer identities, preserve KYC records and furnish prescribed information to the authorities.

In furtherance of these obligations, the RBI-KYC Directions, 2025 prescribe compliance measures relating to customer acceptance, risk categorisation, customer due diligence (CDD), beneficial ownership identification, transaction monitoring, sanctions screening, enhanced due diligence for high-risk customers and record management. This checklist provides a structured overview of the key AML compliance measures and preventive controls applicable to NBFCs.

CHECKLIST FOR PREVENTION OF MONEY LAUNDERING ACTIVITIES

NBFC shall formulate and implement a KYC Policy in accordance with the Prevention of Money Laundering Act, 2002 and the RBI-KYC Directions, 2025 to strengthen anti-money laundering controls.

• Customer Acceptance Policy
• Risk Management
• Customer Identification Procedure
• Monitoring of Transaction

Customer Acceptance Policy

No Anonymous or Benami Accounts
NBFC must ensure that no account is opened in anonymous, fictitious, or benami names.
Reject Customers with Unreliable Information
NBFC must not open an account where it is unable to apply the CDD measures, and shall consider filing an STR.
Complete Customer Due Diligence (CDD)
NBFC must not undertake a transaction/account-based relationship without following the CDD procedure.
Filing of Suspicious Transaction Reports (STR)
NBFC shall consider filing STR where it is unable to comply with the relevant CDD measures.
Mandatory KYC Information Collection
NBFC shall specify the mandatory information required for KYC purposes while opening an account & during the periodic updation.
Additional Information with Customer Consent
With the consent of the customer, the NBFC shall obtain additional information which was not specified in its internal KYC Policy.
UCIC-Based Customer Verification
NBFC shall apply the CDD procedure at the UCIC level, so that where an existing customer desires to open another account, there is no need to repeat the CDD procedure.
Verification of Joint Account Holders
NBFC shall follow the CDD Procedure for all the joint account holders, while opening a joint account.
Acting on Behalf of Another Person or Entity
NBFC shall clearly spell out the circumstances in which a customer is permitted to act on behalf of another person / entity.
Screening Against Sanctions Lists
The NBFC shall ensure that the identity of the customer does not match with any person or entity whose name is in the sanctions list as provided by RBI in Reserve Bank of India (Non-Banking Financial Companies – Know Your Customer) Directions, 2025.
PAN Verification
The NBFC shall verify the PAN, if obtained, from the verification facility of the issuing authority.
Verification of Digital Signatures
The NBFC shall verify the customer’s digital signature on the equivalent e-document, if obtained, as per the provisions of the IT Act, 2000 [21 of 2000].
GST Number Verification
The NBFC shall verify the Goods and Services Tax (GST) number from the search / verification facility of the issuing authority, where the GST details are available.

Risk Management

Customer Risk Categorisation
The NBFC shall categorise customers into low, medium, and high-risk categories, based on its assessment and risk perception.
Risk Categorisation Principles
The NBFC may lay down broad principles for the risk-categorisation of customers.
Assessment Based on Customer Identity & Profile
The NBFC shall undertake risk categorisation based on customer’s identity, social / financial status, nature of business activity, and information about the customer’s business and its location.
Geographical Risk Evaluation
The NBFC shall undertake an evaluation of geographical risk covering customers as well as transactions.
Product & Service Risk Analysis
The types of products / services offered and the delivery channels used for delivery of products / services shall be considered by the NBFC.
Transaction-Based Risk Monitoring
Types of transactions such as cash, cheque / monetary instruments, wire transfers, forex transactions, etc. must be considered by NBFC.
Confidentiality of Risk Classification
Customer risk categorisation and the reasons for such classification shall be kept strictly confidential by the NBFC to avoid tipping off the customer.
Assessment Support
  • The NBFC may collect additional information from customers for the purpose of risk assessment but the information collected should not unnecessarily invade the customer’s privacy.
  • The NBFC may use the FATF Public Statement, the reports & guidance notes on KYC / AML issued by the Indian Banks Association & other agencies.

Customer Identification Procedure

Verify identity before onboarding customers
The NBFC must verify the identity of customers at the time of opening an account, while carrying out international money transfer transactions for non-account holders, or whenever there is any doubt regarding the authenticity or adequacy of the customer identification information already obtained.
Verify customers for transactions above ₹50,000
The NBFC must undertake the Customer Identification Procedure where it deals in high-value financial products and services exceeding ₹50,000.
Monitor connected transactions
In the case of a walk-in customer, where the transaction amount is equal to or exceeds ₹50,000, whether conducted as a single transaction or as several transactions that appear to be connected, the NBFC shall undertake identification of the customer.
Obtaining the records of CDD from third party
The NBFC shall obtain the records or information of the CDD from the third party / Central KYC Records Registry.
Avoid anonymous or introduction-based onboarding
The NBFC shall ensure it does not seek introductions while opening accounts.
Ensure proper third-party CDD controls
The NBFC shall take adequate steps to satisfy itself that the third party will make copies of identification data and other relevant documentation relating to the customer due diligence requirements available, upon request, without delay.
Reliance only on regulated third parties
The NBFC shall rely on a third party that is regulated, supervised, monitored by its regulator, and that has measures in place for compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the PMLA.
Maintain immediate access to KYC records
The NBFC shall satisfy itself that the third party will make relevant records and documentation regarding CDD available, upon request, without delay.
Avoid reliance on entities from high-risk countries
The NBFC shall ensure that the third party is not based in a country or jurisdiction assessed as high-risk.
Ensure ultimate AML responsibility remains with NBFC
The NBFC will have the ultimate responsibility for customer due diligence and undertaking enhanced due diligence measures, as applicable.
Identification of Beneficial Owner
  • NBFCs are required to identify and verify the beneficial owners of legal entities to ensure transparency in ownership and control structures.
  • This includes identifying the natural persons who ultimately own, control, or benefit from companies, trusts, partnerships, nominee arrangements, or other legal entities.
  • In cases involving trustees, intermediaries, or fiduciary relationships, NBFCs must verify both the acting person and the actual beneficiaries behind the arrangement.
  • Such measures play a crucial role in preventing the misuse of shell entities, layered ownership structures, benami arrangements, and proxy transactions for money laundering or terrorist financing activities.
Customer Due Diligence Procedure
  • In case of Individuals
  • In case of Sole Proprietary Firms
  • In case of Legal Entities
In case of Individuals
  • NBFCs are required to undertake robust Customer Due Diligence (CDD) measures before establishing customer relationships or carrying out specified transactions.
  • This includes verification of customer identity through any two:
    • Aadhaar,
    • PAN,
    • Officially Valid Documents (OVDs),
    • CKYCR records,
    • Digital KYC,
    • or other RBI-permitted methods.
  • NBFCs may also seek additional information relating to the customer’s financial status, business activities, and source of funds based on the risk profile of the customer.
  • The framework further mandates secure digital verification mechanisms, proper audit trails, exception handling procedures, and enhanced scrutiny in cases involving high-risk or suspicious customers, thereby strengthening anti-money laundering controls and preventing identity-based financial fraud.
In case of Sole Proprietary firms
  • NBFCs are required to conduct Customer Due Diligence (CDD) of the proprietor and verify the genuineness of the business through documentary evidence such as:
    • GST certificates,
    • Udyam Registration,
    • Tax returns,
    • Utility bills,
    • or other business-related registrations.
  • Where sufficient documentation is unavailable, NBFCs must undertake enhanced verification measures, including:
    • contact point verification &
    • confirmation of business operations from the declared address.
  • These measures help prevent the misuse of fictitious or shell business entities for money laundering and financial fraud activities.
In case of Legal Entities
  • NBFCs must undertake comprehensive Customer Due Diligence (CDD) measures while onboarding legal entities such as companies, partnership firms, trusts, societies, unincorporated associations and other juridical persons.
  • This includes verification of incorporation and registration documents, PAN details, constitutional documents, business address, authorisation records, and identification of persons authorised to transact on behalf of the entity.
  • NBFCs are also required to identify and verify beneficial owners, trustees, partners, senior management officials and other controlling persons associated with such entities.
  • These measures are aimed at ensuring transparency in ownership structures and preventing the misuse of shell entities, proxy arrangements, fictitious businesses and complex organisational structures for money laundering or terrorist financing activities.

Monitoring of Transaction/ On-going Due Diligence

Large and Complex transactions with Unusual Patterns
The NBFC shall monitor large and complex transactions with unusual patterns that are inconsistent with the normal and expected activity of the customer and have no apparent economic rationale or legitimate purpose.
Transaction Exceeding Prescribed Regulatory Thresholds
The NBFC shall monitor the transactions which exceed the thresholds prescribed for specific categories of accounts.
High Account Turnover Inconsistent with Customer Profile
The NBFC shall monitor the accounts where the transaction volume is very high and inconsistent with the account balance & customer profile.
Third Party Deposits followed by Large Cash Withdrawal
The NBFC shall monitor the deposits of third-party cheques, drafts etc. in the existing and newly opened accounts followed by cash withdrawal for large amounts.
Monitoring of Suspicious RTGS and High-Value Transfers
The NBFC shall monitor high-value RTGS transactions which have no apparent economic rationale or legitimate purpose.
Risk-based Monitoring of Customer Transaction
The NBFC shall align the extent of monitoring with the risk category of the customer.
Enhanced Monitoring of High-Risk Accounts
The NBFC shall establish the need for applying enhanced due diligence measures.
Monitoring of MLM and Multi-level Marketing Firm Accounts
The NBFC shall closely monitor the transactions in accounts of marketing firms, especially accounts of Multi-level Marketing (MLM) companies.
Periodic Review of Customer Risk Categorization
The NBFC shall periodically review the risk categorization of accounts at least once in every six months.
Monitoring of Politically Exposed Persons (PEPs)
  • NBFCs dealing with Politically Exposed Persons (PEPs), including their family members and close associates, must implement enhanced due diligence measures in addition to regular KYC procedures.
  • This includes identifying whether a customer or beneficial owner qualifies as a PEP, verifying the source of funds and wealth, obtaining senior management approval before establishing or continuing the relationship, and subjecting such accounts to continuous enhanced monitoring.
  • These safeguards are intended to mitigate heightened risks of corruption, bribery, abuse of public office and money laundering associated with politically exposed individuals.
Monitoring of Client accounts opened by Professional Intermediaries
  • While opening accounts through professional intermediaries, NBFCs must ensure proper identification of the actual clients and beneficial owners behind the transactions.
  • Pooled accounts may be permitted for regulated entities like mutual funds or pension funds.
  • NBFCs must not allow arrangements where customer identities remain undisclosed due to confidentiality restrictions.
  • NBFCs may rely on Customer Due Diligence (CDD) conducted by regulated intermediaries with adequate KYC systems; however, the ultimate responsibility for customer identification and AML compliance continues to remain with the NBFC.
Monitoring Support

The NBFC may consider adopting appropriate innovations including artificial intelligence and machine learning (AI and ML) technologies to support effective monitoring.

Record Management

Customer Transaction Records
  • The NBFC shall maintain records of all domestic and international transactions for at least 5 years from the date of transaction.
  • The NBFC shall ensure transaction records are sufficient to reconstruct individual transactions whenever required.
  • Maintain details relating to:
    • nature of transaction,
    • transaction amount,
    • currency involved,
    • date of transaction,
    • parties involved in the transaction.
Customer Identification and DTC Records
  • The NBFC shall preserve customer identification and address records obtained during account opening and throughout the business relationship.
  • The NBFC shall retain KYC and identification records for at least 5 years after closure of the business relationship.
  • The NBFC shall maintain updated customer identification data, account files and business correspondence records.
Record Accessibility and Retrieval
  • The NBFC shall establish systems for quick retrieval of customer and transaction records.
  • The NBFC shall ensure records can be promptly made available to competent regulatory or investigative authorities upon request.
  • The NBFC shall maintain proper audit trails and transaction history for AML investigations.
Maintenance of AML Records
  • The NBFC shall maintain records prescribed under Rule 3 of the Prevention of Money Laundering Rules, 2005.
  • The NBFC shall preserve records in both physical and electronic formats, wherever applicable.
  • The NBFC shall ensure secure storage and integrity of customer and transaction data.
Monitoring and Compliance Systems
  • The NBFC shall implement organised record management systems for easy monitoring and regulatory review.
  • The NBFC shall ensure record preservation systems support suspicious transaction monitoring and AML compliance.
Non-Profit Organisation (NPO) Compliance
  • The NBFC shall verify whether non-profit organisation customers are registered on the DARPAN Portal of NITI Aayog.
  • The NBFC shall register NPO customers on the DARPAN Portal if not already registered.
  • The NBFC shall preserve NPO registration records for at least 5 years after closure of the account or business relationship.

CONCLUSION

With evolving financial crime techniques and increasing regulatory scrutiny, NBFCs must adopt a proactive and vigilant compliance approach to safeguard the financial ecosystem from misuse. Continuous oversight, accountability and timely identification of suspicious activities remain fundamental to ensuring financial integrity and regulatory resilience.
