Anti-Money Laundering Guidelines Explained – IRDAI AML/CFT Guidelines

IRDAI Regulations For the Insurance Sector, 2022 – Master AML Guidelines

The Insurance Regulatory and Development Authority of India (IRDAI) regulates the insurance industry in India. In 2013, and 2015, the IRDAI issued Master Guidelines on AML/CFT for General and Life insurers, respectively. Several circulars were subsequently issued on the subject.

On August 1, 2022, IRDAI issued a new set of regulations to safeguard the insurance industry from fraudulent financial activities like money laundering. This was brought into effect in anticipation of updating & consolidating AML/CFT provisions in a single Master Guidelines instrument.

The dedicated guidelines cover the provisions of the PML Act, rules, and other applicable norms (as amended from time to time) and are effective from 1/11/2022.

The guidelines also lay out procedures for insurers to follow during the KYC verification process. The Video-based Identification Program or VBIP is encouraged by IRDAI to enable remote and secure client onboarding.

The Need for Updated IRDAI KYC & AML Regulations

KYC (Know Your Customer) and AML (Anti-Money Laundering) verification for individuals are now obligated prior to onboarding them, under IRDAI’s Master Guidelines for insurers. These onboarding rules have been imposed on all classes of general, health & life insurance businesses in India.

The KYC & AML checks assist insurers in determining whether they can trust an individual with their financial services. They also assist these financial institutions in classifying their customers based on the level of risk (i.e., low, medium, & high).

Key Takeaways For Insurers From the IRDAI Master Guidelines

Insurance businesses including general insurance firms, life insurance companies & health insurers can note major points pertaining to the regulations laid out in the AML/CFT guidelines.

While establishing an account-based relationship/client-based relationship, insurers are required to follow Customer Identification Procedures and monitor their transactions on an ongoing basis.

This requires them to set up a robust AML compliance program & conduct it whenever they transact with a new client/customer.  Insurers must create an AML/CFT program that includes policies and procedures for dealing with ML (money laundering) & TF (terrorist financing) that reflect current legal and regulatory requirements.

A successful AML compliance program must include certain key characteristics mentioned below:

1. Establishing policies & providing relevant training to keep employees up to date on AML laws
2. Performing KYC during onboarding & throughout the customer lifecycle
3. Reporting suspicious activity to regulators
4. Methodical recordkeeping that is auditable
5. Financial transaction monitoring

By incorporating these components insurers can establish an effective AML program

1. 1. Employee Training & Recruitment Policies
      

      Insurers are required to implement adequate screening mechanisms as part of their employee recruitment/hiring process. In addition, a continuous training program has to be enforced to ensure that all employees are adequately trained on the CFT & anti-money laundering guidelines.

      Employees must be specially trained to handle problems caused by a lack of customer education. Additionally, the audit function must be properly staffed with individuals who are competent in the insurance sector’s  AML/CFT policies & guidelines.

   2. Recordkeeping & Internal Audit

      On the basis of an overall risk assessment, the internal audit/inspection departments of insurance businesses are necessitated to verify compliance with existing money laundering policies & procedures on a regular basis.

      Insurers are allowed to maintain records in electronic and/or physical form. They are also obligated to submit audit notes and compliance reports to the audit committee.

KYC During Onboarding & During the Customer Lifecycle

Given the potential risk of money launderers utilizing insurance services, insurers must now make an effort to determine the true identity of their customer. As per its Master Guidelines, IRDAI necessitates insurance providers to conduct customer KYC in the following manner:

KYC For a Juridical Person

A juridical person is a non-human legal person who is not a single natural person but rather a legal entity recognized as a fictitious person. It includes government agencies, non-governmental organizations (NGOs), corporate entities & international organizations.

• In the case where a client is a juridical person, insurers must take steps to identify the client and its beneficial owner(s).
• Insurers must take all appropriate measures to verify the client’s identity to their satisfaction in order to establish beneficial ownership.
• When implementing KYC guidelines on juridical persons, insurers will be required to identify and confirm their legal status using the official documents that are collected in approval of
  • Name, legal form, evidence of the existence
  • Powers that govern and bind juridical persons
  • Address of the registered office/headquarters
  • Authorized individual person(s) claiming to act on the behalf of such a client
  • Determining Beneficial Ownership(s)
  • Insurers must confirm that any person claiming to act on behalf of a client is authorized to do so and confirm that person’s identity.

KYC For Individual Customers

Insurers are required to implement effective KYC procedures for obtaining necessary details for proper identification of new/existing customers. They are also required to take extra precautions to ensure that contracts are not signed under fictitious or anonymous names.

• When a client is an individual, insurance companies must implement KYC to verify the client’s identity, address & recent photograph.
• Collect & verify documents under the KYC norms for individuals as specified in the PML rules [sub rule (4) of Rule 9].
• There is no need for additional documentation for proof of residence if the document of identity presented also includes proof of residence/address.
• When a customer provides Aadhaar for identification & wishes to provide a current address that differs from the address in the Central Identities Data Repository, the customer may render a self-declaration to the insurer.
• Individuals who are unable to undergo Aadhaar authentication due to an injury, illness, or old age, or who do not wish to undergo Aadhaar authentication, can submit their Officially Valid Documents (OVDs) during the commencement of an account-based relationship with the insurance provider.

How Can Insurance Providers Conduct KYC?

The AML guidelines specify the different ways in which insurers can perform KYC procedures. Insurers can choose from either of these procedures to carry out customer verification:

• Aadhaar-based KYC via online authentication

Insurers can conduct online Aadhaar eKYC using either OTP or biometric authentication to verify their customers.

To authenticate Aadhaar, an OTP is sent to the customer’s Aadhaar-registered mobile number, or a scanner is used to read the customer’s fingerprints and retina.

These readings are authenticated with the biometric information recorded for that individual in the UIDAI database & the customer’s details will be successfully verified.

• Aadhaar-based KYC via offline verification

Insurers can verify customers using offline Aadhaar eKYC that allows Aadhaar holders to voluntarily use their Aadhaar number to establish their identity in a paperless and electronic manner while maintaining privacy, security, and inclusion.

Aadhaar paperless offline e-KYC eliminates the need for customers to provide a photocopy of their Aadhaar letter. They can instead download the KYC XML and provide it to the insurance company for offline verification of identification.

The KYC information is in machine-readable XML that will be digitally signed by UIDAI, allowing insurers to verify its authenticity and detect any tampering.

• Digital KYC 

Insurers can carry out Digital KYC in accordance with the PML Rules to verify customer details. This method offers insurers an online verification procedure that can authenticate customer details in real-time.

• CKYC

Another KYC method insurance companies can carry out is by using the Central KYC Records Registry i.e., CKYCR-assigned “KYC identifier”.

Following the submission and verification of the required documents for CKYC, the customer will be sent a 14-digit KYC Identification Number (KIN) via SMS & email. The customer can then use KIN to complete KYC with the insurer.

Every customer’s KYC information is linked to a unique identifier, either the KIN or the cKYC number associated with ID proof. Insurers can use the KIN to retrieve the customer’s verified cKYC from the CKYCR & complete the KYC verification process.

• OVD & PAN/ Form 60 Documents

Insurers can use OVDs or Officially Valid Documents for the purpose of conducting KYC.

The term “Officially Valid Document” (OVD) refers to a passport, a driving license, proof of Aadhaar number possession, a Voter’s Identity Card, a job card issued by NREGA & a letter issued by the National Population Register containing the name and address details.

The IRDAI guidelines also instruct insurers to conduct KYC procedures using the customer’s PAN/Form 60 (if applicable) & any other documents required.

VBIP – Video Based Identification Process 

• Insurance providers can use VBIP as a consent-based substitute method for establishing the customer’s authenticity.
• While performing the VBIP for KYC, the insurer/authorized person has to record a clear live video of the customer/beneficiary present for identification and obtain the identification data through Aadhaar authentication/offline Aadhaar verification/ OVDs.
• This facility may also be used by the insurer to verify PAN (wherever applicable).
• The customer/ beneficiary’s live location (geo-tagging) must be captured (both for online and face-to-face VBIP) to ensure that the customer/beneficiary is present in India.
• The authorized person/insurer has to ensure that the customer/ beneficiary’s photograph & other necessary details in the Aadhaar/Officially Valid Documents/PAN match the customer/beneficiary present for the VBIP.
• The authorized person/insurer must ensure that the sequence and/or type of questions asked during video interactions vary in order to demonstrate that the interactions are real-time and not pre-recorded.
• If the customer/beneficiary voluntarily submits an Aadhaar offline verification using an XML file or an Aadhaar secure QR Code, it must be ensured that the generation of the XML file or QR code is recent and no more than 3 days old from the date of carrying out VBIP.
• All accounts opened or services provided based on VBIP have to be activated only after proper verification by the insurer to ensure that the process’s integrity is maintained and beyond doubt.
• Insurers must ensure that the process involves continuous, real-time, secure, end-to-end encrypted.

Platforms like SignDesk provide insurers with a robust VBIP solution to carry out their customer verification process seamlessly.

How Does SignDesk’s VBIP Platform Help Insurers Verify Customers Seamlessly? 

SignDesk’s AI-powered VBIP & intuitive dashboard help insurers & their customers complete the KYC process more smoothly & with fewer drop-offs. Insurance providers can seamlessly conduct the video-based identification process for their customers by following a few simple steps:

Step 1: Invite the customer for his/her consent to the VBIP & initiate video KYC

Step 2: Aadhaar is validated/ customer uploads & validates OVDs using Aadhaar eSign

Step 3: Authorized insurance official commences an audio-visual interaction with the customer & records the video

Step 4: Live photograph & document images of the customer are captured.

Step 5: Machine Learning techniques are utilized to match the customer’s photo with the pictures on the customer’s IDs

Step 6: AI and OCR verification extract visual data and validate it against a standard database.

Step 7: Geo-tagging is used to determine the customer’s location.

Step 8: Customer is successfully verified using the video-based identification process

Client Due Diligence (CDD) 

The AML guidelines issued by IRDAI instruct insurers to undertake Customer Due Diligence (CDD) procedures in accordance with the provisions of PML Rule 9. 

Customer due diligence (CDD) is the act of conducting background checks and other screening processes on customers to ensure that they are properly risk-assessed prior to onboarding. CDD is central to anti-money laundering (AML) and know-your-customer (KYC) initiatives that insurers are directed to set up.

• Knowing a New Client/Customer

Insurance providers have to perform the necessary CDD with the client/customer’s valid KYC documents while initiating an account-based relationship.

• Knowing Existing Clients/Customer

Insurers need to perform the necessary CDD with KYC (as per existing PML Rules) on an ongoing basis for their existing customers, based on the efficacy of previously obtained data.

In the event that the existing clients’ KYC is not available, insurers have to collect the same within two years for low risk customers and within one year for all other customers (including high risk customers) as per the PML Rules.

• Ongoing/Continuous Due Diligence 

Apart from verifying the customer’s identity at the time of contract issuance, insurers must perform ongoing due diligence & risk assessment at times when supplemental financial transactions are made.

Any change that is inconsistent with the customer’s normal and expected activity requires insurers to perform further ongoing due diligence processes and action as deemed necessary.

• Verification at the Payout Claim Stage

Prior to making payouts, the policyholders/beneficiaries/legal heirs/assignees must undergo the necessary due diligence.

Risk Evaluation & Categorization

IRDAI’s guidelines on AML/CFT instructs insurance businesses to conduct ML and TF risk assessment exercises on a regular basis, based on risk exposure, to recognize, evaluate, record & take appropriate measures to mitigate ML and TF risk

As the number of insurance customers is very large & there are significant differences in the extent of the risk posed by them, insurers are required to classify customers as high risk or low risk. This enables them to determine the extent of due diligence & the type of mitigation that needs to be undertaken.

Risk categorization shall be carried out based on factors such as the customer’s identity, financial status, social status, nature of the business activity, and information about the client’s business and location, among others.

Low Risk Profiles: 

• Individuals (other than High Net Worth) & entities whose identities & sources of wealth can be recognized, & transactions whose policies generally conform to the known profile, may be classified as low risk.
• In such cases, only the basic requirements of validating the customer’s identity and location are to be met.
• If the situation warrants, for example, the customer profile is inconsistent with investment through top-ups, insurers have to carry out a re-look at the customer profile

Examples of low risk customers include:

• Salaried employees with well-defined salary structures
• Government departments and government-owned businesses
• Regulators and statutory bodies
• People from lower economic strata of society.

High Risk Profiles

• According to the provisions of the AML guidelines, customers with a high risk profile need a higher level of due diligence.
• KYC and underwriting procedures for them should include more checks & higher KYC verification.

Examples of high risk customers include:

• Non-residents
• High net worth individuals
• Trusts
• Charities
• NGOs & organizations receiving donations
• Companies having close family shareholding or beneficial ownership
• Firms with sleeping partners
• Politically exposed persons (PEPs)
• Customers with dubious reputations based on publicly available information

Simplified Due Diligence (SDD)

• Simplified due diligence is a less stringent customer verification process that only requires customers to provide basic information such as their name, address, and a valid form of identification.
• Insurers are directed to use simplified due diligence measures In the case of individual policies where the aggregate insurance premium is less than Rs 10000/- per annum.
• Simplified CDD measures are not acceptable when there is a suspicion of money laundering or terrorist financing, or when specific high-risk scenarios apply, according to the insurers’ risk assessment/categorization policy.

Enhanced Due Diligence (EDD)

• Insurance providers are required to carry out enhanced due diligence procedures for high-risk client categories.
• They should investigate the background and purpose of all complex, unusual patterns of transactions that have no apparent economic or legal purpose.
• Where there is a higher risk of money laundering or terrorist financing, insurers should conduct EDD measures in accordance with the risks identified.
• Insurers must
• Verify the identity of the clients, preferably using Aadhaar with the customer’s consent, or
• Verify the client using other modes/methods of KYC
• Insurers have to examine the client’s ownership and financial position, including the source of funds, in proportion to the risks identified & the product profile

Sharing KYC Data with the Central KYC Registry (CKYCR)

CKYCR is a single database in which all customer KYC information is verified and retained. To access various financial services, the customer must complete cKYC only once.

• Insurers must retrieve KYC records from CKYCR when a customer submits a “KYC identifier” for KYC. In such a scenario, the customer is not required to submit the KYC records unless the KYC information required by insurers changes.
• If the client/customer does not submit the KYC identifier, insurers are required to search (using specific credentials) for it on the CKYCR portal and document the client/KYC customer’s identifier, if it is available.
• If the client/customer does not submit the KYC identifier or it is not available in the CKYCR portal, the insurer must capture the KYC information in the prescribed KYC template for “Individuals” or “Legal Entities,” as the situation may be.
• Within 10 days of the start of an account-based relationship with a client/customer (both individuals and legal entities), insurers must file an electronic copy of the client’s KYC records with CKYCR.
• Once the “KYC Identifier” is generated/allocated by CKYCR, the Insurers must ensure that it is communicated instantly and confidentially to the respective policyholder.
• If Aadhaar is used for verification/authentication, insurance providers must upload the following information to CKYCR:
  • • For online verification
      1. Redacted Aadhaar number (last four digits)
      2. Demographic information 
      3. The fact that authentication was performed
    • For offline verification
      1. KYC data
      2. Redacted Aadhaar number

• It must be ensured by insurers that all existing KYC records of individual/legal entity customers are incrementally uploaded in accordance with the current CDD standards during periodic updates.

Contracts with Politically Exposed Persons (PEPs)

• Insurers are directed to implement better ongoing risk management procedures for identifying and applying enhanced due diligence measures to PEPs and customers who are close relatives of PEPs on a continuous basis.
• These regulations will also apply to insurance contracts in which a PEP is the ultimate beneficial owner(s).

Contracts Originating in Countries Identified as Having a Deficient AML/CFT Regime

• Insurance companies are required to exercise increased caution when taking insurance risk exposure to individuals or entities associated with countries identified by FATF as having deficiencies in their AML/CFT regime.
• Insurers must pay special attention to business relationships and transactions, particularly those that lack an evident economic or legal purpose.
• In all such cases, the background & purpose of such transactions must be investigated & written findings must be kept for the benefit of competent authorities.
• Insurance companies must take similar precautions in countries deemed high risk for terrorist financing or money laundering based on prior experiences/transaction history/other factors.

3. Reporting of Suspicious Activities 

• When insurers are not satisfied with the true identity or the transaction made by a customer, they are required to file a Suspicious Transaction Report (STR) with the Financial Intelligence Unit – India (FIU-IND).
• In such cases, insurers have to furnish an STR to the Director, Financial Intelligence Unit-India (FIU-IND).
• Insurers must keep the fact that Suspicious Transaction Reports (STR) were provided strictly confidential.
• Insurers must ensure that no customer information is leaked at any level.

4. Record Keeping

• Insurers are required to retain information/records of all transactions, as well as those relating to client identity verification, for a period of five years.
• Records can be stored in both electronic and/or physical formats.
• Insurers should incorporate procedures for retaining internal records of domestic & global transactions in order to respond quickly to information requests from the appropriate authorities.
• Records relating to ongoing investigations or transactions that have been the subject of disclosure should be retained until it is clarified that the case has been closed.
• Account files and business correspondence containing customer identification data obtained through the customer due diligence process should be retained (physically or electronically) for at least five years after the business relationship has ended.

5. Transaction Monitoring 

If insurers understand their clients’ normal activities, they can identify any discrepancies in their transactions/activities. To do so;

• Insurers must scrutinize customers’ transactions on a regular basis to ensure the effectiveness of AML/CFT procedures.
• They must pay close attention to any complex large transaction or patterns that appear to serve no economic purpose.
• All documents/office records/memorandums/clarifications pertaining to such transactions and their purpose should be carefully examined, & findings are to be documented in writing.
• These documents must be made available to auditors as well as IRDAI/ FIU-IND/ other relevant authorities during audits, inspections, etc.
• Suspicious transactions must be reported to the Director, FIU-IND on a regular basis.
• Further, insurers are directed to examine a random sample of client transactions to comment on their nature, i.e. whether they are suspicious transactions or not.

SignDesk’s Automated VBIP Solution For Insurers 

The improvements to the IRDAI CFT & AML guidelines guarantee proper KYC for insurance customers across India. Establishing a robust AML program complete with all the requisites enables insurance providers to understand their clients/customers better & ensure no money laundering or terrorist financing takes place in the insurance businesses.

KYC is an integral component in this regard & establishing a strong customer verification system is essential for insurers. SignDesk’s smart VBIP solution is tailor-made for this purpose & provides insurers with a robust video-based customer identification & verification solution.

Book a demo with our KYC experts to understand & implement VBIP for your customers today.