If the substantive offence in Section 3 is the sword of the anti-money-laundering regime, the Know Your Customer (KYC) and Customer Due Diligence (CDD) obligations imposed on banks, financial institutions and intermediaries are its surveillance net. The logic is preventive rather than punitive: launderers thrive on anonymity, so the law conscripts the financial system itself to strip that anonymity away — to verify who a client really is, who ultimately owns or controls the funds, and whether a transaction fits the client's known profile. These duties live in Chapter IV of the Prevention of Money-Laundering Act, 2002 (PMLA), principally Sections 11A, 12, 12A and 12AA, fleshed out by the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. They are the Indian translation of the Financial Action Task Force (FATF) recommendations on customer due diligence, and the Supreme Court has firmly upheld them as a legitimate, non-punitive regulatory burden. This chapter unpacks the statutory architecture, the beneficial-ownership puzzle, the Aadhaar-driven e-KYC framework and the constitutional limits the courts have set.
Why KYC? The preventive rationale
Money laundering is, at bottom, a problem of disguise — converting tainted money into apparently clean assets through a financial system that does not ask too many questions. The KYC and CDD regime attacks the disguise at its source. By requiring every reporting entity to establish and document the true identity of its clients, trace the beneficial owner behind a faceless company or trust, and monitor transactions for inconsistency, the law turns banks and intermediaries into the first line of defence against the placement and layering of proceeds of crime.
This preventive philosophy is not original to India. It is lifted almost wholesale from the FATF Recommendations, the international anti-money-laundering standards whose adoption history is traced in our chapter on FATF recommendations and the genesis of the Act. FATF Recommendation 10 mandates customer due diligence; Recommendations 11 and 12 deal with record-keeping and politically exposed persons; and Recommendations 20 and 23 require suspicious-transaction reporting. The PMLA's Chapter IV obligations are the domestic statutory mirror of those standards, which is why India's compliance with them is repeatedly assessed in FATF mutual evaluations.
The constitutional legitimacy of casting this burden on private financial institutions was squarely addressed by the Supreme Court in Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1, where a three-judge Bench upheld the Chapter IV obligations as a reasonable regulatory measure bearing a rational nexus with the object of preventing money laundering and honouring India's international commitments. The duties are regulatory, not penal: a reporting entity that complies has nothing to fear, while one that flouts them faces the monetary penalties in Section 13.
Who must comply: the reporting entity
The KYC and CDD obligations bind a defined universe of actors that the Act calls the reporting entity. Under Section 2(1)(wa), a reporting entity means a banking company, a financial institution, an intermediary or a person carrying on a designated business or profession. The component terms are themselves defined — “banking company” in Section 2(1)(e), “financial institution” in Section 2(1)(l) (which incorporates the definition in the Reserve Bank of India Act and extends to chit-fund companies, co-operative banks and housing-finance institutions), and “intermediary” in Section 2(1)(n) (covering stock-brokers, sub-brokers, portfolio managers, mutual funds and other SEBI-registered persons). The interplay of these definitions is examined more closely in our chapter on definitions.
The phrase “person carrying on a designated business or profession” is the expansive frontier of the regime. It has been used to bring casinos, real-estate agents, dealers in precious metals and stones, and — controversially — chartered accountants, company secretaries and cost accountants performing certain financial transactions on behalf of clients within the KYC net. The breadth of the reporting-entity concept reflects the FATF approach of covering both “financial institutions” and “designated non-financial businesses and professions” (DNFBPs). The practical consequence is that the duties discussed below do not stop at the bank counter; they reach deep into the professional and commercial economy.
Section 12: the core record-keeping and verification duties
Section 12 is the spine of the KYC regime. Section 12(1) imposes four cumulative duties on every reporting entity. Clause (a) requires it to maintain a record of all transactions, including the transactions reportable to the Director, in such a manner as to enable reconstruction of individual transactions. Clause (b) requires it to furnish information relating to such transactions to the Director within the prescribed time. Clause (c) requires it to verify the identity of its clients in the prescribed manner and subject to prescribed conditions. Clause (e) requires it to maintain records of documents evidencing the identity of its clients and beneficial owners, as well as account files and business correspondence relating to its clients.
Section 12(2) prescribes the retention periods. Records of transactions under clause (a) must be kept for five years from the date of the transaction between the client and the reporting entity. Records of identity documents and correspondence under clause (e) must be kept for five years after the business relationship has ended or the account has been closed, whichever is later. (Note that the Rules historically prescribed a ten-year period for transaction records, later harmonised to five years by amendment — a point exam candidates should state carefully, anchoring on the five-year statutory baseline in Section 12(2).)
Section 12(3) contains the confidentiality safeguard: every piece of information maintained, furnished or verified, save as otherwise provided under any law in force, shall be kept confidential. This protects the client's data even as it is gathered for AML purposes, and it dovetails with the privacy concerns the Supreme Court emphasised in the Aadhaar litigation discussed below. The detailed manner of compliance — what counts as a transaction, what thresholds trigger reporting, what documents satisfy verification — is left to the Maintenance of Records Rules, 2005.
Section 11A: verification of identity and the e-KYC framework
Section 11A, inserted by the Aadhaar and Other Laws (Amendment) Act, 2019, is the technological heart of modern KYC. It prescribes how a reporting entity may verify the identity of a client or beneficial owner. The permitted modes are: (i) authentication under the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, if the reporting entity is a banking company; (ii) offline verification under the Aadhaar Act; (iii) the use of passport under the Passports Act, 1967; or (iv) any other officially valid document or modes of identification as may be notified by the Central Government.
Crucially, Section 11A(2) provides that if the Central Government is satisfied that a reporting entity other than a banking company complies with the privacy and security standards under the Aadhaar Act, it may — after consultation with the UIDAI and the appropriate regulator — permit that entity to perform Aadhaar authentication. This is why the Government has, by notification, authorised a handful of non-bank entities (such as certain NBFCs and housing-finance companies) to use Aadhaar e-KYC.
Section 11A also underpins the privacy-preserving e-KYC Setu system operated by the National Payments Corporation of India (NPCI). Under this mechanism the full Aadhaar number is never disclosed to the reporting entity; instead NPCI shares only the last four digits of the number along with the client's demographic details, digitally signed, and the entity completes identification on that basis. This design directly answers the privacy objections that animated the Aadhaar judgment.
Section 12AA: enhanced due diligence for specified transactions
Section 12AA, also introduced by the 2019 amendment, layers an enhanced due-diligence (EDD) obligation on top of the baseline KYC of Section 12. Before commencing a “specified transaction” (a category of higher-risk transactions to be prescribed), the reporting entity must do three additional things under Section 12AA(1). First, under clause (a), it must verify the identity of the client undertaking the specified transaction by Aadhaar authentication or other prescribed mode. Second, under clause (b), it must take additional steps to examine the ownership and financial position, including the sources of funds, of the client. Third, under clause (c), it must record the purpose behind conducting the specified transaction and the intended nature of the relationship between the parties to the transaction.
Section 12AA(2) gives this obligation teeth: where the client fails to fulfil the conditions in sub-section (1), the reporting entity must not allow the specified transaction to be carried out. Section 12AA(3) adds that where a specified transaction, or a series of them, is considered suspicious or likely to involve proceeds of crime, the entity must increase its future monitoring of the business relationship, including greater scrutiny of transactions in the prescribed manner; the suspicion so formed is precisely what the Rules route into a suspicious transaction report (STR). The statutory bridge between EDD and reporting is thus explicit: due diligence is not an end in itself but a trigger for the reporting machinery that feeds the adjudicating and enforcement apparatus. Section 12AA(4) requires the information obtained through these enhanced measures to be maintained for five years from the date of the transaction, aligning the EDD file with the retention baseline in Section 12(2).
Section 12A: the Director's power to access information
Section 12A, inserted by the Finance Act, 2018, completes the chain by empowering the Director (the authority appointed under Section 49, a term that covers the Director of the Financial Intelligence Unit-India, FIU-IND, as well as the Director of Enforcement) to demand information. Under Section 12A(1) the Director may call for from any reporting entity any of the records referred to in Section 11A, Section 12(1) and Section 12AA(1), and any additional information he considers necessary for the purposes of the Act. Section 12A(2) obliges the reporting entity to furnish that information within the time and in the manner specified by the Director, and Section 12A(3) requires that the information so sought be kept confidential, save as otherwise provided by any law in force.
Read together, Sections 11A, 12, 12A and 12AA create a closed loop: the reporting entity must identify the client (11A), maintain and verify records and report transactions (12), conduct enhanced diligence on risky transactions (12AA), and surrender that information to the Director on demand (12A). The information thus collected becomes the evidentiary feedstock for proceedings on attachment of property and prosecution for the offence of money laundering.
The Maintenance of Records Rules, 2005
The operational detail of the KYC regime lives in the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, made under Section 73 of the Act. The Rules prescribe the nature and value of transactions to be recorded, the procedure for maintaining records, the manner of furnishing information to the Director, and the verification of the identity of clients and beneficial owners. They are amended frequently to keep pace with FATF evaluations and RBI/SEBI master directions.
Rule 9 is the workhorse provision. It requires every reporting entity, at the commencement of an account-based relationship, to identify and verify the client and to determine whether the client is acting on behalf of a beneficial owner, identifying that beneficial owner and taking reasonable steps to verify the owner's identity. Rule 9 further mandates ongoing due diligence — the entity must closely examine transactions throughout the relationship to ensure they are consistent with its knowledge of the client, the client's business and the client's risk profile, scrutinising the source of funds where necessary. Rule 9 also requires verification using “officially valid documents” (OVDs) such as the passport, driving licence, voter ID, Aadhaar or other notified documents.
Rule 2 supplies the definitions, including the much-litigated definition of “beneficial owner” and the requirement (introduced by amendment) that the designated Principal Officer be a management-level officer of the reporting entity. The Rules thus convert the broad statutory commands of Chapter IV into concrete, auditable compliance steps.
Beneficial ownership: looking behind the corporate veil
The single most important conceptual contribution of the CDD regime is the duty to identify the beneficial owner — the natural person who ultimately owns or controls a client, or on whose behalf a transaction is conducted, including the person exercising ultimate effective control over a juridical person. Launderers routinely interpose companies, partnerships and trusts to obscure the human being who actually benefits; the beneficial-ownership rule pierces that veil.
The Rules fix numerical thresholds for the "controlling ownership interest" that makes a natural person a beneficial owner. The March 2023 amendments tightened all of them: for a company, ownership of or entitlement to more than 10% of the shares, capital or profits (previously 25%); for a partnership firm, ownership of or entitlement to more than 10% of the capital or profits (previously 15%); and for a trust, the beneficial owner now includes any beneficiary with 10% or more interest (previously 15%). These lower thresholds materially widen the net of persons whose identity must be traced and documented, and they directly implement FATF's transparency-of-beneficial-ownership recommendations.
The beneficial-ownership exercise is not a one-time formality. Coupled with Rule 9's ongoing-due-diligence mandate, the reporting entity must keep the beneficial-ownership picture current and re-examine it whenever the transactional pattern shifts — for instance, when funds begin flowing to or from previously undisclosed parties.
Risk-based approach and politically exposed persons
Indian CDD law adopts the FATF risk-based approach: the intensity of due diligence is calibrated to the risk posed by the client and the transaction. Low-risk clients may be subjected to simplified due diligence, while high-risk clients attract enhanced due diligence under Section 12AA and Rule 9. The reporting entity must classify clients into risk categories and document the rationale for the classification.
A distinct high-risk category is the politically exposed person (PEP) — an individual entrusted with prominent public functions, typically in a foreign country, together with close relatives and associates. The Rules require additional scrutiny for PEPs of foreign origin, their close relatives, and accounts where a PEP is the ultimate beneficial owner, reflecting FATF Recommendation 12. Such accounts demand senior-management approval, enhanced monitoring and closer examination of the source of wealth and funds, because public office carries a heightened risk of corruption proceeds entering the financial system.
The risk-based approach is also temporally dynamic. An account that begins as low-risk can migrate to high-risk if the client's transaction profile changes, obliging the entity to escalate its diligence and, where warranted, file an STR with FIU-IND.
Suspicious transaction and other reporting to FIU-IND
KYC and CDD are not ends in themselves; they exist to generate intelligence. The Rules require reporting entities to file a battery of reports with the Financial Intelligence Unit-India (FIU-IND): the Cash Transaction Report (CTR) for cash transactions exceeding ten lakh rupees (or its equivalent in foreign currency), including a series of integrally connected cash transactions that together exceed that amount within a month; the Suspicious Transaction Report (STR) for any transaction the entity has reasonable grounds to suspect involves proceeds of crime, regardless of amount; the Counterfeit Currency Report (CCR); the Non-Profit Organisation Transaction Report (NTR); and the Cross-Border Wire Transfer Report.
The STR is the most consequential. It is triggered not by a fixed monetary threshold but by the suspicion standard — the very suspicion that the EDD process under Section 12AA is designed to surface. Once filed, the STR feeds FIU-IND's analysis and may be disseminated to the Enforcement Directorate, becoming the seed of a money-laundering investigation. This is the practical link between the back-office KYC file and front-line enforcement.
Importantly, the law protects the integrity of the reporting channel through a tipping-off prohibition: a reporting entity must not disclose to the client that an STR has been filed, lest the launderer be alerted and dissipate the proceeds. The confidentiality provisions in Sections 12(3) and 12A(3), and the five-year retention of EDD information under Section 12AA(4), reinforce this discipline.
Aadhaar, KYC and the privacy constraint: Puttaswamy
The marriage of Aadhaar to KYC has been the regime's most contested feature. In Justice K.S. Puttaswamy (Retd.) v. Union of India, (2019) 1 SCC 1 (the Aadhaar judgment, delivered 26 September 2018), a five-judge Constitution Bench upheld the constitutional validity of the Aadhaar Act but struck down Section 57 of that Act insofar as it permitted private entities — including banks and telecom companies — to demand Aadhaar authentication for the provision of services. The Court held that compulsory linking of Aadhaar to bank accounts and mobile connections failed the proportionality test and lacked adequate legislative backing, violating the right to privacy recognised in the earlier nine-judge decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
This struck at the heart of mandatory Aadhaar-based e-KYC by private reporting entities. Parliament's legislative response was the Aadhaar and Other Laws (Amendment) Act, 2019, which inserted Section 11A into the PMLA to provide an express statutory basis for Aadhaar verification. The design is deliberately layered: Aadhaar authentication is available to banking companies under the Act itself, to other reporting entities only with Central Government permission under Section 11A(2), and in every case it remains a voluntary choice of the client, who cannot be denied services for not opting for Aadhaar; offline verification, the passport and other officially valid documents stand as alternatives, and privacy-preserving channels such as the NPCI e-KYC Setu limit what the entity actually receives. The lesson for exam candidates is that KYC obligations must be discharged through officially valid documents and cannot, post-Puttaswamy, be reduced to compulsory Aadhaar production by any reporting entity, bank or non-bank.
Judicial validation of the CDD regime
The constitutional challenge to the architecture of the PMLA, including its Chapter IV obligations, was comprehensively addressed in Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1 (also reported as 2022 SCC OnLine SC 929), decided on 27 July 2022 by a three-judge Bench. While the headline holdings of that case concern the burden of proof under Section 24, the twin conditions for bail under Section 45, the nature of the ECIR and the power to summon under Section 50, the judgment also affirmed the legitimacy of the preventive obligations cast on reporting entities. The Court characterised the PMLA as sui generis legislation enacted to fulfil India's international obligations under the Vienna Convention and the FATF framework, and held that the regulatory duties of identification, record-keeping and reporting bear a rational nexus with the object of preventing the laundering of proceeds of crime.
The Court was careful to distinguish the regulatory character of these duties from the penal consequences of the offence in Section 3. KYC and CDD obligations do not presume the client guilty; they merely create an audit trail that the State can follow if and when suspicion crystallises. On that footing the Bench rejected the contention that the Chapter IV regime was arbitrary or disproportionate. The decision thus supplies the doctrinal seal of approval that the entire customer-due-diligence edifice now rests upon, even as aspects of the broader judgment remain under reconsideration before larger Benches.
Consequences of non-compliance
Failure to discharge KYC and CDD obligations is itself sanctioned, separately from the substantive offence. Section 13 empowers the Director, on finding after inquiry that a reporting entity, its designated director on the board or any employee has failed to comply with the obligations under Chapter IV, to issue a warning in writing, direct compliance with specific instructions, direct the furnishing of reports at prescribed intervals, or impose a monetary penalty of not less than ten thousand rupees, which may extend to one lakh rupees, for each failure. The Director must afford an opportunity of being heard before acting, and orders are subject to appeal before the Appellate Tribunal.
The penalty regime is deliberately separate from the criminal liability for money laundering, whose punishment is dealt with elsewhere. A reporting entity that has been negligent in its KYC is not thereby guilty of money laundering, but it is exposed to regulatory penalties and reputational consequences, and its lapse may itself be the gateway through which laundered funds entered the system. This calibrated, two-track design — regulatory penalties for compliance failures, criminal punishment for the offence — is what allows the courts to treat the CDD duties as a proportionate regulatory burden rather than a disguised penal provision.
For a fuller map of how these obligations sit within the Act, return to the PMLA notes hub, which links the preventive Chapter IV duties to the enforcement and adjudicatory chapters.
Frequently asked questions
What is the difference between KYC and Customer Due Diligence under the PMLA?
KYC (Know Your Customer) is the identity-verification component — establishing who the client is using officially valid documents under Section 11A and Rule 9. Customer Due Diligence (CDD) is the broader process that includes KYC plus identifying the beneficial owner, understanding the purpose of the relationship, and conducting ongoing monitoring of transactions. Enhanced Due Diligence (EDD) under Section 12AA is the intensified version applied to higher-risk clients and specified transactions.
Which provisions of the PMLA contain the KYC and CDD obligations?
The core provisions are in Chapter IV: Section 11A (verification of identity, including Aadhaar e-KYC), Section 12 (record-keeping, verification of clients and beneficial owners, five-year retention and confidentiality), Section 12A (the Director's power to demand information), and Section 12AA (enhanced due diligence for specified transactions). These are operationalised by the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, especially Rule 9.
Who is a 'beneficial owner' and why does it matter for CDD?
A beneficial owner is the natural person who ultimately owns or controls a client, or on whose behalf a transaction is conducted, including a person exercising ultimate effective control over a juridical person. It matters because launderers hide behind companies and trusts. After the 2023 amendments to the 2005 Rules, the identification threshold was tightened to more than 10% ownership or entitlement for companies and partnership firms, and 10% or more interest for trust beneficiaries, widening the duty to trace the real human owner.
Can a private bank compel a customer to give Aadhaar for KYC?
No. In Justice K.S. Puttaswamy v. Union of India, (2019) 1 SCC 1, the Supreme Court struck down Section 57 of the Aadhaar Act, holding that mandatory Aadhaar-based authentication by private entities (including banks) for bank-account and SIM linking failed the proportionality test. Section 11A of the PMLA, inserted in 2019, now permits banking companies to use Aadhaar authentication (and other entities only with Central Government permission), but makes the mode of identification a voluntary choice of the client, who cannot be denied services for not opting for Aadhaar; offline verification, the passport, other officially valid documents and privacy-preserving channels such as the NPCI e-KYC Setu remain available.
Has the Supreme Court upheld the KYC and reporting obligations on banks?
Yes. In Vijay Madanlal Choudhary v. Union of India, (2022) 10 SCC 1, the Court treated the Chapter IV obligations as regulatory rather than penal and held that the duties of identification, record-keeping and reporting bear a rational nexus with the object of preventing money laundering and honouring India's FATF commitments. A compliant reporting entity faces no liability; only failure attracts the penalties in Section 13.
What happens after a Suspicious Transaction Report (STR) is filed?
An STR is filed with the Financial Intelligence Unit-India (FIU-IND) whenever a reporting entity has reasonable grounds to suspect a transaction involves proceeds of crime, regardless of amount. FIU-IND analyses the report and may disseminate it to the Enforcement Directorate, where it can seed a money-laundering investigation, attachment of property and prosecution. The entity must not 'tip off' the client that an STR has been filed, and the information is kept confidential under Sections 12(3) and 12A(3).