Master Circular on Know Your Client (KYC) norms for the securities market

[...] circulars/directions with the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the Securities and Exchange Board of India [KYC (Know Your Client) Registration Agency] Regulations, 2011.

2. The provisions of this Master Circular shall come into force from the date of its issue.

3. Any modifications/updation in existing KYC records shall be effected in line with the provisions of this Circular by December 31, 2023.

4. On and from the date of issue of this Circular, all circulars for the purpose of KYC as listed in the Appendix shall stand rescinded/modified as indicated therein.

5. Notwithstanding such rescission,
a) Anything done or any action taken or purported to have been done or taken under the rescinded circulars, prior to such rescission, shall be deemed to have been done or taken under the corresponding provisions of this Master Circular;
b) Any application made to the Board under the rescinded circulars, prior to such rescission, and pending before it shall be deemed to have been made under the corresponding provisions of this Master Circular;
c) The previous operation of the rescinded circulars or anything duly done or suffered [...]

[...] n of Money Laundering Act, 2002.
g. "Client Due Diligence" shall have the same meaning as assigned to it under Rule 2 (1) (b) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
h. "Designated Director" shall have the same meaning as assigned to it under Rule 2 (1) (ba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
i. "Digital KYC" shall have the same meaning as assigned to it under Rule 2 (1) (bba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
j. "Digital Signature" shall have the same meaning as assigned to it under clause (p) of sub-section (1) of section (2) of the Information Technology Act, 2000 (21 of 2000).
k. "e-KYC authentication facility" shall have the same meaning as assigned to it under clause (j) of sub-section (1) of section (2) of the Aadhaar (Authentication and Offline Verification) Regulations, 2021.
l. "Electronic Signature" shall have the same meaning as assigned to it under clause (ta) of sub-section (1) of section (2) of the Information Technology Act, 2000 (21 of 2000).
m. "Equivalent e-document" shall have the same meaning as assigned to it unde [...]

[...] nt shall be divided into two parts. Part I of the AOF shall be the KYC form, which shall capture the basic details about the client. For this purpose, all registered intermediaries shall use the KYC templates provided by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) for individuals and for legal entities for capturing the KYC information. The CKYCR templates (Individual and Legal Entity) provided by CERSAI are available at https://www.ckycindia.in/ckyc/?r=download.

6. Part II of the form shall obtain the additional information specific to the area of activity of the intermediary, as considered appropriate by them. The instant Master Circular deals with the provisions of Part I - KYC form.

Requirement of Permanent Account Number (PAN)

7. In order to strengthen the KYC norms and identify every participant in the securities market with their respective PAN, thereby ensuring a sound audit trail of all the transactions, PAN shall be the unique identification number for all participants transacting in the securities market, irrespective of the amount of transaction.

8. The registered intermediaries shall verify the PAN of their clients onl [...]
[...] b card issued by NREGA duly signed by an officer of the State Government;
vi. the letter issued by the National Population Register containing details of name, address; or
vii. any other document as notified by the Central Government in consultation with the Regulator.
b. Further, in terms of the proviso to the above Rule, where simplified measures are applied for verifying the identity of the clients, the following documents shall also be deemed to be officially valid documents:
i. Identity card/document with applicant's photo, issued by Central/State Government Departments, Statutory/Regulatory Authorities, Public Sector Undertakings, Scheduled Commercial Banks and Public Financial Institutions;
ii. Letter issued by a gazetted officer, with a duly attested photograph of the person.

15. The registered intermediaries shall not store/save the Aadhaar number of the client in their system. Further, in terms of PML Rule 9(16), every registered intermediary shall, where the client submits his Aadhaar number, ensure that such client redacts or blacks out his Aadhaar number by appropriate means where the authentication of Aadhaar number is not required under sub-rule (15) of PML Ru [...]

[...] by a Marriage Certificate issued by the State Government or a gazette notification, indicating such change of name.

20. For non-residents and foreign nationals (allowed to trade subject to RBI and FEMA guidelines), a copy of passport/Persons of Indian Origin (PIO) Card/Overseas Citizenship of India (OCI) Card and overseas address proof is mandatory.

21. In case the officially valid document presented by a foreign national does not contain the details of address, the documents issued by the Government departments of foreign jurisdictions and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

22. If any proof of address is in a foreign language, then translation into English shall be required.

23. If correspondence and permanent address are different, then proof for both shall be submitted.

Acceptance of third party address as correspondence address

24. A client can authorize the intermediary to capture the address of a third party as a correspondence address, provided that all prescribed 'Know Your Client' norms are also fulfilled for the third party. The intermediary shall obtain proof of identity and proof of address for the third party. The intermedi [...]

[...] Entities)

31. In case of non-individuals, additional documents (certified copies of equivalent e-documents) to be obtained are mentioned below:
i. Corporate body:
a. Certificate of incorporation.
b. Memorandum and Articles of Association.
c. Board Resolution for investment in the securities market.
d. Power of Attorney granted to its managers, officers or employees, as the case may be, to transact on its behalf.
e. Authorised signatories list with specimen signatures.
f. Copy of the balance sheet for the last financial year (initially for the last two financial years and subsequently for every last financial year).
g. Latest shareholding pattern including a list of all those holding control, either directly or indirectly, in the company in terms of the SEBI Takeover Regulations, duly certified by the company secretary/whole time director/MD (to be submitted every year).
h. Photograph, POI, POA, PAN and DIN numbers of whole time directors/two directors in charge of day to day operations.
i. Photograph, POI, POA, PAN of individual promoters holding control, either directly or indirectly.
ii. Partnership firm:
a. Certificate of registration (for registered partners [...]

[...] gh video, online submission of officially valid document / other documents, using electronic/digital signature, including Aadhaar e-Sign.

34.
The client shall visit the website/App/digital platform of the registered intermediary, fill up the online KYC form and submit the requisite documents.

35. SEBI registered intermediaries shall obtain the express consent of the client before undertaking online KYC.

36. The PAN, name, photograph, address, mobile number and email ID of the client shall be captured digitally, and the officially valid document shall be provided as a photo/scan of the original under electronic/digital signature, including Aadhaar e-Sign, and the same shall be verified.

37. Any officially valid document other than Aadhaar shall be submitted through DigiLocker / using electronic/digital signature, including Aadhaar e-Sign.

38. The mobile number of the client accepted as part of KYC should preferably be the one seeded with Aadhaar.

39. Mobile and email shall be verified through One Time Password (OTP) or other verifiable mechanism.

40. Aadhaar shall be verified through UIDAI's authentication/verification mechanism. Further, in terms of PML Rule 9(16), every interme [...]

[...] ed signature on the filled KYC form and submit the same to the registered intermediary under electronic/digital signature including Aadhaar e-Sign.
c. The "original seen and verified" requirement for an officially valid document would be met where the investor provides the officially valid document in the following manner:
i. As a clear photograph or scanned copy of the original officially valid document, through the electronic/digital signature including Aadhaar e-Sign; or
ii. As a digitally signed document of the officially valid document, issued through DigiLocker by the issuing authority.

Features for online KYC App of the Intermediary

49. A SEBI registered intermediary can implement its own App for undertaking online KYC of clients.

50. The App shall facilitate taking photographs, scanning, acceptance of officially valid documents through DigiLocker, video capturing in a live environment and usage of the App only by an authorized person of the intermediary.

51. The App shall also have features of random action initiation for client response to establish that the interactions are not pre-recorded, along with time stamping and geo-location tagging to ensure the requirement like [...]

[...] be stored for easy retrieval.
b) The VIPV shall be in a live environment.
c) The VIPV shall be clear and still; the client in the video shall be easily recognisable and shall not be covering their face in any manner.
d) The VIPV process shall include random question and response from the investor, including displaying the officially valid document, KYC form and signature, or could also be confirmed by an OTP.
e) The intermediary shall ensure that the photograph of the client downloaded through the Aadhaar authentication/verification process matches with the investor in the VIPV.
f) The VIPV shall be digitally saved in a safe, secure and tamper-proof, easily retrievable manner and shall bear date and time stamping.
g) The intermediary may have additional safety and security features other than as prescribed above.

61. IPV shall not be required in the cases where:
a) the KYC of the client has been completed using the Aadhaar authentication/verification of UIDAI.
b) the KYC form has been submitted online, documents have been provided through DigiLocker or any other source which could be verified online.

Adaptation of Aadhaar based e-KYC process and e-KYC Authentication [...]

[...] Money-laundering Act, 2002. The notifications can be accessed at the links (Govt. Notification dated July 13, 2022 and Govt. Notification dated Jan 30, 2023). These entities shall act as Sub-KUA.

69.
The KUAs shall facilitate the onboarding of these entities as Sub-KUAs to provide the services of Aadhaar authentication with respect to KYC.

Onboarding process of Sub-KUA by UIDAI

70. As provided in the DoR circular dated May 09, 2019, SEBI, after scrutiny of the application forms of KUAs, shall forward the applications along with its recommendation to UIDAI.

71. For appointment of a SEBI registered intermediary as Sub-KUA, the KUA shall send the list of proposed Sub-KUAs to SEBI and SEBI would forward the list of recommended Sub-KUAs to UIDAI for onboarding.

72. An agreement shall be signed between KUA and Sub-KUA, as prescribed by UIDAI. The Sub-KUA shall also comply with the Aadhaar Act, 2016, regulations, circulars, guidelines etc. issued by UIDAI from time to time.

73. Each Sub-KUA shall be assigned a separate Sub-KUA code by UIDAI.

74. The KUA/Sub-KUA shall be guided by the above for use of Aadhaar authentication services of UIDAI for e-KYC.

75. The KUAs and Sub-KUAs shall adopt t [...]

[...] ing an application in this regard. Such permissible sharing of e-KYC details by a KUA can be allowed with their associated Sub-KUAs only.
ii. A KUA shall not share UIDAI digitally signed e-KYC data with other KUAs. However, KUAs may share data after digitally signing it using their own signature for internal working of the system.
iii. e-KYC data received as response upon successful Aadhaar authentication from UIDAI shall be stored by the KUA and Sub-KUA in the manner prescribed by the Aadhaar Act/Regulations and circulars issued by UIDAI from time to time.
iv. KUA/Sub-KUA shall not store the Aadhaar number in their database under any circumstances. It shall be ensured that the Aadhaar number is captured only using UIDAI's Aadhaar Number Capture Services (ANCS).
v. The KUA shall maintain auditable logs of all such transactions where e-KYC data has been shared with a Sub-KUA, for a period specified by the Authority.
vi. It shall be ensured that the full Aadhaar number is not stored or displayed anywhere in the system and, wherever required, only the last 4 digits of the Aadhaar number may be displayed.
vii. As per Regulation 14(i) of the Aadhaar (Authentication) Regulations, 2016, the requesting entity shall imple [...]

[...] ient. No proof is required to be submitted for such correspondence/residence address. In the event of change in this address due to relocation or any other reason, the client may intimate the new address for correspondence to the intermediary within two weeks of such change. The residence/correspondence address and any such change thereof may be verified by the intermediary through 'positive confirmation' such as (i) acknowledgment of receipt of Welcome Kit/dispatch of contract notes/any periodical statement, etc.; (ii) telephonic conversation; (iii) visits, etc.
c. The registered intermediaries shall forward the KYC completion intimation letter through registered post/speed post or courier to the address of the client in cases where the client has given an address other than as given in the officially valid document. In such cases of return of the intimation letter for wrong/incorrect address, addressee not available etc., no transactions shall be allowed in such account and intimation shall also be sent to the Stock Exchange and Depository.
d. The registered intermediaries and KRAs shall flag such accounts in their records/systems.

Confidentiality of client information

81. Regis [...]

[...] that a comprehensive audit of its systems, controls, procedures, safeguards and security of information and documents is carried out annually by an independent auditor. The Audit Report, along with the steps taken to rectify the deficiencies, if any, shall be placed before its Board of Directors. Thereafter, the KRA shall send the Action Taken Report to SEBI within 3 months.

95.
KRA systems shall clearly indicate the status of clients falling under PAN exempt categories, viz. investors residing in the state of Sikkim, UN entities/multilateral agencies exempt from paying taxes/filing tax returns in India, etc.

Rationalisation of Risk Management Framework at KRAs

96. As a part of the risk management framework, the KRAs shall verify the following attributes of records of all clients within 2 days of receipt of KYC records:
a. PAN (including PAN-Aadhaar linkage, as referred to in rule 114AAA of the Income-tax Rules, 1962)
b. Name
c. Address

97. Additionally, the KRAs shall verify the client's mobile number and email id.

98. In case of PAN exempt records, the other attributes, i.e. name, address, mobile number and email id, shall be verified by the KRAs.

99. Clients in whose c [...]

[...] ecurities market have highlighted the need for maintaining a robust Cyber Security and Cyber Resilience framework to protect the integrity of data and guard against breaches of privacy.

109. A robust Cyber Security and Cyber Resilience framework should identify the plausible sources of operational risk, both internal and external, and mitigate the impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of its obligations in the event of a cyber-attack.

110. Since KRAs perform the important function of maintaining KYC records of the clients in the securities market, the KRAs shall have a robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

111. The framework placed at Annexure A shall be complied with by the KRAs with regard to Cyber Security and Cyber Resilience.
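The Aadhaar handling rules in the KUA/Sub-KUA section above (no Aadhaar number in the database under any circumstances; at most the last 4 digits displayed) and paragraph 15 (the client's own redaction of the number) amount to a redaction guard that must run before any KYC record is persisted. The following is an added Python example of such a guard; it is not code from SEBI, UIDAI or any KRA, and the column names, record layout and sample values are assumed or constructed for illustration.

```python
"""Redaction guard for KYC records held by a KUA / Sub-KUA.

Added example; not code from SEBI, UIDAI or any KRA. Field names and the
sample record are assumed / constructed for illustration.
"""
import re
from typing import Any

# An Aadhaar number is 12 digits, usually written in groups of four separated
# by a space or hyphen. The first digit being 2-9 follows UIDAI's published
# number format, not the circular; the lookarounds stop us matching a 12-digit
# run inside a longer number such as a 16-digit account number.
AADHAAR_RE = re.compile(r"(?<!\d)([2-9]\d{3})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")

# Column names an intermediary's own schema might use (assumed, not from the page).
AADHAAR_FIELDS = {"aadhaar", "aadhaar_number", "uid"}


def mask_aadhaar_text(text: str) -> str:
    """Mask every Aadhaar-looking number in free text, keeping only the last 4 digits."""
    return AADHAAR_RE.sub(lambda m: "XXXX XXXX " + m.group(3), text)


def redact_record(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record that may be written to the database.

    The dedicated Aadhaar field is replaced by 'aadhaar_last4' (the only part the
    circular allows to be displayed); any Aadhaar-looking number that leaked into
    another string field (remarks, OCR text from a scanned document) is masked.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key.lower() in AADHAAR_FIELDS:
            if value in (None, ""):
                continue  # nothing to keep
            m = AADHAAR_RE.fullmatch(str(value).strip())
            if m is None:
                # Refuse rather than persist something we cannot safely truncate.
                raise ValueError(f"field {key!r} is not a well-formed Aadhaar number")
            out["aadhaar_last4"] = m.group(3)
        elif isinstance(value, str):
            out[key] = mask_aadhaar_text(value)
        else:
            out[key] = value
    return out


def contains_full_aadhaar(record: dict[str, Any]) -> bool:
    """Last-line check before persistence: True if any string field still holds a full Aadhaar number."""
    return any(isinstance(v, str) and AADHAAR_RE.search(v) is not None for v in record.values())


# Constructed sample record; every value is made up.
SAMPLE = {
    "pan": "ABCDE1234F",
    "name": "Example Client",
    "aadhaar": "2345 6789 0123",
    "remarks": "Client produced Aadhaar 234567890123 at VIPV; OTP verified.",
    "mobile": "9876543210",
}

if __name__ == "__main__":
    safe = redact_record(SAMPLE)
    assert not contains_full_aadhaar(safe)
    print(safe)
```

The guard deliberately treats any 12-digit run in free text as an Aadhaar number; over-masking an unrelated number is the safer failure compared with storing a real one.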
112. The KRAs shall conduct a comprehensive cyber audit at least twice [...]

[...] and Availability refers to the guarantee of reliable access to the systems and information by authorized users). The Cyber Security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber Resilience is an organisation's ability to prepare for and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.

Governance

2. As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, KRAs shall formulate a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned hereunder. The policy document shall be approved by the Board of the KRAs, and in case of deviations from the suggested framework, reasons for such deviations shall also be provided in the policy document. The policy document shall be reviewed by the Board of the KRAs at least annually with a view to strengthening and improving its Cyber Security and Cyber Resilience framework.

3. The Cyber Security and Cyber Resilience policy shall include the following process to identify, assess, and manage cyber security risk associated wi [...]

[...] Cyber Security and Cyber Resilience framework.

10. KRAs shall define the responsibilities of their employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have access to or use the KRA's systems/networks, towards ensuring the goal of cyber security.

Identification

11. KRAs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems, either for operations or maintenance, shall also be classified as critical systems. The Board of the KRAs shall approve the list of critical systems. To this end, KRAs shall maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network and data flows.

12. KRAs shall accordingly identify cyber risks (t [...]

[...] nnect using online/internet facility.

22. KRAs shall formulate an Internet access policy to monitor and regulate the use of the internet and internet based services such as social media sites, cloud-based internet storage sites, etc.

23. A proper 'end of life' mechanism shall be adopted to deactivate the access privileges of users who are leaving the organization or whose access privileges have been withdrawn.

Physical security

24. Physical access to the critical systems shall be restricted to a minimum. Physical access of outsourced staff/visitors shall be properly supervised by ensuring at the minimum that outsourced staff/visitors are accompanied at all times by authorised employees.

25. Physical access to the critical systems shall be revoked immediately if the same is no longer required.

26. KRAs shall ensure that the perimeter of the critical equipment room is physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate.

Network Security Management

27. KRAs shall establish baseline standards to facilitate consistent application of security configu [...]

[...] security patches. An implementation timeframe for each category of security patches shall be established to implement security patches in a timely manner.

38. KRAs shall perform rigorous testing of security patches before deployment into the production environment so as to ensure that the application of patches does not impact other systems.

Disposal of systems and storage devices

39. KRAs shall frame a suitable policy for disposal of storage media and systems. The data/information on such devices and systems shall be removed by using methods viz. wiping/cleaning/overwrite, degaussing and physical destruction, as applicable.

Vulnerability Assessment and Penetration Testing (VAPT)

40. KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT), which inter alia include critical assets and infrastructure components like servers, networking systems, security devices, load balancers, other IT systems pertaining to the activities done as KRAs etc., in order to detect security vulnerabilities in the IT environment and to perform an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks. KRAs shall c [...]

[...] tive (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.

48. The response plan shall define the responsibilities and actions to be performed by its employees and support/outsourced staff in the event of cyber attacks or breach of the cyber security mechanism.

49. Any incident of loss or destruction of data or systems shall be thoroughly analysed, and lessons learned from such incidents shall be incorporated to strengthen the security mechanism and improve recovery planning and processes.

50.
KRAs shall also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan.

Sharing of information

51. All cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs shall be reported to SEBI within 6 hours of noticing/detecting such incidents or being brought to notice about such incidents. The incident shall also be reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines/directions issued by CERT-In from time to time. Additionally, the KRAs whose systems have been identified as "Protected syst [...]

[...]
- Type of intermediary -
2. Reporting Periodicity: Year ___ ; __ Quarter 1 (Apr-Jun) __ Quarter 2 (Jul-Sep) __ Quarter 3 (Oct-Dec) __ Quarter 4 (Jan-Mar)
3. Designated Officer (Reporting Officer details) - Name: / Organization: / Title: / Phone / Fax No: / Mobile: / Email: / Address:
Cyber-attack / breach observed in Quarter: (If yes, please fill Annexure C) (If no, please submit the NIL report)
Date & Time | Brief information on the Cyber-attack / breach observed

Annexure C: Form for reporting Cyber attack/breach by KRA
1. Physical location of affected computer / network and name of ISP -
2. Date and time incident occurred - Date: / Time:
3. Information of affected system - IP Address: / Computer / Host Name: / Operating System (incl. Ver. / release No.): / Last Patched / Updated: / Hardware Vendor / Model:
4. Type of incident - __ Phishing __ Network scanning / Probing __ Break-in / Root Compromise __ Virus / Malicious Code __ Website Defacement __ System Misuse __ Spam __ Bot / Botnet __ Email Spoofing __ Denial of Service (DoS) __ Distributed Denial of Service (DDoS) __ User Account Compromise __ Website Intrusion __ Social Engineering __ Technical Vulnerability __ IP Spo [...]

[...] he Existing Clients' KYC Details In The KYC Registration Agency (KRA) System by The Intermediaries
6. CIR/MIRSD/09/2012 dated 13-Aug-12 - Aadhaar Letter As Proof of Address For Know Your Client (KYC) Norms
7. CIR/MIRSD/12/2012 dated 21-Sep-12 - Processing of investor complaints against KRA {KYC (Know Your Client) Registration Agency} in SEBI Complaints Redress System (SCORES)
8. CIR/MIRSD/01/2013 dated 04-Jan-13 - Rationalisation Process For Obtaining PAN by Investors
9. CIR/MIRSD/2/2013 dated 24-Jan-13 - Guidelines On Identification of Beneficial Ownership
10. CIR/MIRSD/4/2013 dated 28-Mar-13 - Amendment to SEBI {(Know Your Client) Registration Agency} Regulations, 2011 and relevant circulars
11. CIR/MIRSD/09/2013 dated 08-Oct-13 - For Know Your Client Requirements
12. CIR/MIRSD/13/2013 dated 26-Dec-13 - For Know Your Client Requirements
13. CIR/MIRSD/1/2015 dated 04-Mar-15 - Saral Account Opening Form For Resident Individuals
14. CIR/MIRSD/29/2016 dated 22-Jan-16 - Know Your Client Requirements - Clarification On Voluntary Adaptation of Aadhaar Based E-KYC Process
15. CIR/MIRSD/66/2016 dated 21-Jul-16 - Operationalisation of Central KYC Records Registry (CKYCR [...]