KYC and AML Norms for Banks: CAIIB BRBL Guide (2026)

CAIIB By Ashish Jain · IIBF STORE Editorial · 19 July 2026 · Updated 19 Jul 2026 · 9 min read · 1 views
KYC and AML Norms for Banks: CAIIB BRBL Guide (2026)

For CAIIB BRBL candidates, KYC and AML norms for banks sit at the intersection of regulation and everyday branch operations — every account opening, every high-value transfer, and every periodic review is governed by them. This guide breaks down the legal basis, the customer due diligence process, and the reporting chain that keeps Indian banks compliant in 2026.

🏦 What Are KYC and AML Norms in Indian Banking?

Know Your Customer (KYC) is the process by which a bank verifies the identity and address of a customer before establishing a banking relationship, while Anti-Money Laundering (AML) refers to the broader set of controls that stop illegal funds from being layered into the formal financial system. The two work together: KYC builds the customer profile, and AML uses that profile to flag transactions that don't fit the expected pattern. In India, the RBI's Master Direction on KYC (updated periodically, most recently refreshed through 2025-26 amendments) is the operating rulebook that every scheduled commercial bank, small finance bank, payments bank, and NBFC must follow. It draws its statutory teeth from the Prevention of Money Laundering Act (PMLA), 2002, which criminalises money laundering and obliges "reporting entities" — banks included — to maintain records and report specified transactions. Read alongside the legal framework of regulation of banks, KYC/AML compliance is really an extension of the RBI's supervisory mandate under the Banking Regulation Act, 1949 — the Act gives RBI the power to issue binding directions, and the KYC Master Direction is one of the most frequently examined of those directions. For CAIIB candidates, the key takeaway is that KYC/AML is not a standalone topic; it is woven into licensing, supervision, and day-to-day regulation of banking business.

📜 Legal and Regulatory Framework Behind KYC/AML

Three layers of law combine to create India's KYC/AML architecture. First, the Banking Regulation Act, 1949 empowers RBI to regulate how banks conduct business, which is the source of RBI's authority to mandate KYC procedures in the first place — this ties directly into the regulation of banking business syllabus area. Second, the PMLA, 2002 (and its 2005 Rules) is the substantive criminal-law layer: it defines money laundering as an offence, requires reporting entities to maintain records for five years, verify client identity, and report Cash Transaction Reports (CTRs) and Suspicious Transaction Reports (STRs) to the Financial Intelligence Unit-India (FIU-IND). Third, RBI's Master Direction on KYC operationalises both statutes into branch-level procedure — customer acceptance policy, customer identification procedure, risk categorisation, and ongoing monitoring. Officers preparing for the exam should also note that KYC obligations extend to non-banking finance companies, which is why the topic overlaps with the NBFC chapter — an NBFC accepting deposits or extending credit is bound by the same PMLA reporting duty as a bank. RBI also empowers itself to inspect and penalise for KYC lapses under its general supervisory control, discussed under control over organisation of banks.

💡 Exam Tip: If a question asks "which law criminalises money laundering," the answer is PMLA, 2002 — not the Banking Regulation Act. RBI's KYC Master Direction is a regulatory instrument, not a standalone statute.
Key Concepts — Banking Regulations and Business Laws
Key Concepts — Banking Regulations and Business Laws

🔍 Customer Due Diligence and Risk Categorisation

Every bank must classify customers into low, medium, and high risk at the time of account opening, based on factors like occupation, income profile, location, and nature of business. Low-risk individual accounts (salaried employees, government departments) require basic Customer Identification Procedure (CIP) documents — typically an Officially Valid Document (OVD) such as Aadhaar, passport, voter ID, driving licence, or NREGA card. High-risk accounts — politically exposed persons (PEPs), non-resident customers, trusts, and cash-intensive businesses — attract Enhanced Due Diligence (EDD), which means more frequent monitoring and senior management approval for the relationship. Periodicity of KYC updation also varies by risk band: high-risk accounts are re-verified every two years, medium-risk every eight years, and low-risk every ten years, unless a trigger event (address change, large unexplained credit) forces an earlier review. Video-based Customer Identification Process (V-CIP) is now a standard RBI-approved route for digital onboarding, letting banks complete CIP remotely with appropriate liveness checks. Correspondent banking relationships and shell-bank prohibitions are a related sub-topic: RBI bars Indian banks from entering into correspondent relationships with shell banks that have no physical presence in any country, a direct AML safeguard against layering of illicit funds through paper entities.

🚨 Suspicious Transaction Reporting and the PMLA Interface

Once a transaction pattern deviates from a customer's declared profile — structuring deposits just below the CTR threshold, rapid movement of funds through multiple accounts, or transactions with no apparent economic rationale — the bank's Principal Officer is duty-bound to file a Suspicious Transaction Report with FIU-IND, generally within seven working days of forming the suspicion. Cash Transaction Reports covering all cash transactions of ₹10 lakh and above (or integrally connected transactions crossing that threshold) must reach FIU-IND by the 15th of the following month. Banks must also report Counterfeit Currency Reports (CCRs) and, since 2015, Non-Profit Organisation Transaction Reports (NTRs) for NGO-linked accounts. Failure to report is itself a compliance breach, independent of whether money laundering is later proven — this is a favourite examiner trap, since candidates often assume liability arises only after conviction. The reporting chain and the underlying PMLA obligations sit close to consumer-facing safeguards too, which is why this topic is frequently tested alongside grievance redressal mechanisms.

⚠️ Common Mistake: Students often confuse the CTR threshold (₹10 lakh, monthly reporting) with the STR trigger (suspicion-based, no fixed amount, reported within 7 working days). The two reports serve different purposes and have different deadlines.
Process & Framework — Banking Regulations and Business Laws
Process & Framework — Banking Regulations and Business Laws

⚖️ Penalties, Governance, and Recent RBI Updates (2026)

RBI has stepped up KYC/AML enforcement through monetary penalties under Section 47A of the Banking Regulation Act for deficiencies such as delayed periodic updation, inadequate risk categorisation, or failure to register on the FIU-IND reporting portal. Boards of banks are now required to review the AML/CFT (Combating Financing of Terrorism) policy annually, and to appoint a Principal Officer of sufficiently senior rank with direct access to top management. Recent RBI clarifications (carried into the 2025-26 update cycle of the Master Direction) tightened rules around re-KYC for dormant accounts, video-KYC audit trails, and beneficial-owner identification for legal entities and trusts — a response to FATF's mutual evaluation recommendations for India. Wilful non-compliance can also trigger restrictions on a bank's ability to open new accounts in a business line until remediation is confirmed, making KYC/AML one of the few compliance areas where RBI has used business-restriction orders rather than fines alone. For CAIIB, expect scenario-based questions testing whether you can identify the correct escalation step — Principal Officer, STR filing, or RBI reporting — for a given fact pattern.

📌 Remember: The Principal Officer is the single point of accountability for STR/CTR filing — not the branch manager and not the compliance department collectively.
RequirementGoverning FrameworkMandatory for Banks?Reporting Authority
Customer Due Diligence (CDD)RBI KYC Master DirectionInternal KYC records
Enhanced Due Diligence (high-risk/PEP)RBI KYC Master DirectionInternal KYC records
Cash Transaction Report (₹10 lakh+)PMLA, 2002FIU-IND
Suspicious Transaction ReportPMLA, 2002FIU-IND
Annual KYC re-verification for all accountsRBI KYC Master Direction❌ (risk-based cycle, not annual)Not applicable

These obligations don't sit in isolation — they connect to how RBI supervises banks more broadly under the control over organisation of banks chapter, and to lending decisions where a customer's risk profile from KYC directly feeds into the credit management lifecycle covered under CAIIB ABM.

In Practice — Banking Regulations and Business Laws
In Practice — Banking Regulations and Business Laws

🧠 Practice MCQs: KYC and AML Norms for Banks

Q1. Which statute makes money laundering a criminal offence in India? (a) Banking Regulation Act, 1949 (b) Prevention of Money Laundering Act, 2002 (c) Negotiable Instruments Act, 1881 (d) SARFAESI Act, 2002

Answer: (b) — PMLA, 2002 defines and criminalises money laundering; RBI's KYC Master Direction only operationalises compliance.

Q2. Cash Transaction Reports (CTRs) must be filed with FIU-IND for cash transactions of what value? (a) ₹2 lakh and above (b) ₹5 lakh and above (c) ₹10 lakh and above (d) ₹25 lakh and above

Answer: (c) — All cash transactions of ₹10 lakh and above (including integrally connected transactions) must be reported by the 15th of the following month.

Q3. Under RBI's risk-based KYC updation cycle, how often must a low-risk individual account be re-verified? (a) Every 2 years (b) Every 5 years (c) Every 8 years (d) Every 10 years

Answer: (d) — Low-risk accounts are updated every 10 years, medium-risk every 8 years, and high-risk every 2 years, absent a trigger event.

Q4. Within how many working days must a bank file a Suspicious Transaction Report after forming a suspicion? (a) 3 working days (b) 7 working days (c) 15 working days (d) 30 working days

Answer: (b) — STRs must reach FIU-IND within 7 working days of the Principal Officer forming the suspicion.

Q5. Who is the designated single point of accountability for filing STRs and CTRs within a bank? (a) Branch Manager (b) Principal Officer (c) Chief Risk Officer (d) Compliance Committee

Answer: (b) — The Principal Officer, a senior official with direct access to top management, is accountable for STR/CTR filings under the PMLA framework.

Want chapter-wise mock tests with 100+ MCQs? Start practising free →

❓ Frequently Asked Questions

Is KYC compliance mandatory for NBFCs as well as banks?

Yes. RBI's KYC Master Direction and the PMLA reporting obligations apply equally to NBFCs, payments banks, and small finance banks, not just scheduled commercial banks.

What is the difference between CDD and EDD?

Customer Due Diligence (CDD) is the baseline identity and address verification applied to every customer. Enhanced Due Diligence (EDD) adds extra scrutiny — more frequent reviews and senior approval — for high-risk customers such as PEPs or cash-intensive businesses.

Can a bank open an account without completing KYC?

No. Full KYC compliance is a precondition for opening any deposit or loan account; RBI permits only limited, capped small accounts with simplified KYC for a defined period, subject to conditions.

Which authority receives STRs and CTRs filed by banks?

The Financial Intelligence Unit-India (FIU-IND), under the Department of Revenue, Ministry of Finance, is the central agency that receives, processes, and analyses these reports.

Master the KYC and AML norms for banks alongside the rest of the BRBL syllabus with structured chapter tests and mock papers on the CAIIB course page — official guidance is also available directly from the RBI Master Direction on KYC. For more BRBL guides, browse the BRBL tag hub, revisit the banking ombudsman scheme and cheque dishonour under Section 138, or check how KYC failures feed into consumer protection complaints. Ready to test yourself? Take a free CAIIB BRBL mock test now →

Quick quiz

Quick quiz on this topic

5 exam-style questions from our free test bank — check yourself before you move on.

Banking Regulations and Business Laws · 5 questions · instant result
Q1. Under FEMA, the definition of 'foreign exchange' is broader than 'foreign currency'. Which of the following instruments is included in 'foreign exchange' but NOT in 'foreign currency'?
Q2. The Competent Authority under Section 37A of FEMA is required to dispose of the petition within 180 days from the date of seizure. However, if a court grants a stay in the proceedings, how is the computation of 180 days affected under the Act?
Q3. Under FEMA Section 3, certain dealings in foreign exchange are prohibited without RBI's permission. A corporate entity in India receives payment from a foreign party, but the payment is routed through an Indian intermediary without a corresponding inward remittance from abroad. Under FEMA, this is treated as:
Q4. Under FEMA Section 13, when a contravention is quantifiable in money terms, the maximum penalty that can be imposed is:
Q5. Under FEMA Section 37A(4), the seizure of equivalent assets in India continues until disposal of adjudication proceedings. However, what specific action by the aggrieved person can lead to the Competent Authority or Adjudicating Authority setting aside the seizure?
Next step

Practice this topic

Ready to put this into practice?

Take a free mock test, download chapter PDFs, or watch a video class — all included on iibf.store.

Keep reading