On June 9, 2025, the Reserve Bank of India updated its FAQs on the Master Direction on KYC — thirty-seven questions that answer the issues banks and their customers fight about most often. Can a bank refuse to open your account? Is Aadhaar mandatory? What counts as proof of identity? When can a bank freeze your account for non-completion of KYC? The answers are precise, cite the underlying Master Direction on KYC dated February 25, 2016 (Master Direction - Know Your Customer (KYC) Direct), and in several cases directly contradict what bank branches tell customers at the counter.
The KYC Master Direction has been updated fourteen times since its original issuance — most recently on August 14, 2025. Each update responded to a specific problem: the Supreme Court's Aadhaar verdict, the digital KYC push, the Video-based Customer Identification Process, the Central KYC Registry. The November 2025 consolidation then superseded the Master Direction with entity-specific KYC Directions — one for each regulated entity type — replacing a single consolidated direction with ten parallel ones. The FAQ distils these iterations into questions a compliance officer or branch manager would actually encounter.
See also: Can I Open a Bank Account With Just Aadhaar? | The Aadhaar Moment | Who Owns This Company? How Indian Banks Must Trace Beneficial Ownership | Why Did It Take India 14 Years to Write One KYC Rule Book?
Can a bank refuse to open your account?
This is the question that generates the most complaints — and the FAQ's answer is unambiguous. A bank cannot deny services to the general public, especially to financially or socially disadvantaged persons, including persons with disabilities. The FAQ Answer to Question 34 addresses automated rejections specifically:
"Rejection decisions must be reviewed by authorized RE officials and cannot be automated."
The KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) requires every Regulated Entity to have a Customer Acceptance Policy that "must not deny services to general public, especially financially or socially disadvantaged persons, including PWDs." If a customer presents a valid Officially Valid Document, the bank must process the account opening. If there is a concern — incomplete documentation, inconsistent information — the rejection must be reviewed by an authorised official, not generated by an algorithm.
Why does this matter? Because the push toward digital onboarding has created systems where applications can be rejected by software before any human reviews them. A mismatch in the name spelling between Aadhaar and PAN, an address format that does not match the system's expectations, a photograph that fails automated quality checks — all of these can trigger automatic rejections that exclude the very populations the RBI's financial inclusion mandate is designed to serve. The FAQ's insistence on human review is a guardrail against algorithmic exclusion.
The Financial Inclusion vs. KYC tension that runs through Indian banking regulation is visible in this single FAQ answer. Stringent KYC serves anti-money laundering objectives. Account access serves financial inclusion objectives. When these collide — when a daily wage labourer in rural India cannot open an account because the system rejects their documentation — the FAQ says the bank must find a way to serve the customer, not a reason to reject them.
Is Aadhaar mandatory for KYC?
No. And the FAQ says so clearly, citing both the statutory framework and the Supreme Court judgment that rewrote the rules. The FAQ Answer to Question 10 states:
"Aadhaar is mandatory only if receiving benefits under schemes under section 7 of the Aadhaar Act, 2016. Otherwise, customers may provide it voluntarily."
This answer has its origin in the September 26, 2018 Supreme Court judgment in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India, which struck down Section 57 of the Aadhaar Act and severed the mandatory link between Aadhaar and banking. Before the judgment, the Prevention of Money-laundering (Maintenance of Records) Second Amendment Rules, 2017 had made Aadhaar mandatory for all bank accounts. After the judgment, the government amended the PML Rules through the May 2019 amendment, making Aadhaar voluntary for KYC purposes.
The practical consequence: a bank cannot refuse to open an account because a customer does not have an Aadhaar number. The customer can present any of the other five Officially Valid Documents instead. Bank branches that insist on Aadhaar as a mandatory document are violating the Master Direction.
That said, Aadhaar remains the most operationally convenient KYC document. It enables e-KYC (electronic verification through UIDAI's authentication system), which allows instant account opening. A customer who presents a passport instead of Aadhaar will get their account — but the process may take longer because the bank cannot use the electronic verification infrastructure. The distinction between mandatory and operationally preferred has caused persistent confusion at the branch level.
For the full story of how the Supreme Court judgment reshaped KYC overnight, see The Aadhaar Moment.
What documents count as Officially Valid Documents?
The KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) defines six OVDs:
"'Officially Valid Document' (OVD) means the passport, the driving licence, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an officer of the State Government and letter issued by the National Population Register containing details of name and address."
Six documents. Any one of them is sufficient for identity and address verification. The FAQ makes clear that a customer need only provide one OVD — not two, not three, and certainly not the combination of Aadhaar plus PAN plus voter ID that some bank branches demand.
In addition to OVDs, the Master Direction defines "deemed OVDs" for the limited purpose of address proof when the primary OVD does not contain the current address. The FAQ Answer to Question 7 lists these:
"Deemed OVDs include: (1) utility bills not exceeding two months old; (2) property or municipal tax receipts; (3) pension payment orders with address; (4) employer accommodation allotment letters or leave-and-license agreements."
The catch: a customer using a deemed OVD must submit an OVD with their current address within three months. The deemed OVD is a bridge document, not a permanent substitute. This is relevant for migrant workers, students, and transferring government employees who may have valid identity documents showing their permanent address but need to open an account in their current city.
The FAQ Answer to Question 9 addresses name changes — a common friction point. If a customer's name has changed (most often after marriage) and the OVD shows the earlier name, the customer can submit the OVD along with either a Gazette notification or a marriage certificate showing the name change. The bank cannot reject the application simply because the name on the OVD does not match the current name.
What is a "small account" — and who is it designed for?
The small account is India's answer to the global challenge of banking the undocumented. It recognises that millions of Indians lack any OVD at all — no passport, no driving licence, no Aadhaar, no voter ID — and creates a pathway to basic banking with reduced documentation.
The KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) defines a small account as a savings account "opened in terms of sub-rule (5) of rule 9 of the PML Rules, 2005." The FAQ Answer to Question 6 specifies how it works:
"Customers without an OVD can open a Small Account by providing a self-attested photograph. The bank's designated officer certifies the person signed or affixed thumb impression in their presence."
The constraints are deliberate: aggregate credits in a financial year cannot exceed Rs 1 lakh. The balance at any point cannot exceed Rs 50,000. The total withdrawals and transfers in a month cannot exceed Rs 10,000. The account is valid for twelve months, renewable for twelve more if the customer applies for an OVD and provides evidence of having done so.
Why these specific limits? Because the small account balances two competing objectives. The anti-money laundering framework requires that banks know who their customers are — that is the entire point of KYC. But the financial inclusion mandate requires that banks serve everyone, including those who cannot produce identity documents. The small account is the compromise: banking access with transaction limits that make the account unattractive for money laundering. A criminal who wants to launder crores is not going to do it through an account capped at Rs 10,000 per month in withdrawals.
The small account framework originated from the RBI's January 2006 simplified KYC circular (Advisory Committee on Flow of Credit) (since withdrawn), which first introduced reduced documentation for basic accounts. The PML Rules formalised it. The Master Direction codified the current version.
Can KYC updation be done by self-declaration?
Yes — and this is one of the most practically useful answers in the FAQ, because most bank customers do not know it. The FAQ Answer to Question 24 specifies the modes available for periodic KYC updation:
"Self-declaration via email, mobile, ATMs, digital channels, or letters when 'no change' or 'address-only change,' verified within two months."
If nothing has changed in a customer's KYC information — same name, same address, same identity document — the customer can submit a self-declaration to that effect. The customer does not need to visit a branch. The customer does not need to re-submit photocopies of their Aadhaar or passport. A simple declaration saying "my information has not changed" is sufficient, and it can be submitted digitally.
For address-only changes, the customer can submit a self-declaration with the new address and a supporting document. The bank must verify the declaration within two months. If the bank fails to complete verification within that period, the onus is on the bank, not the customer — the account cannot be frozen for the bank's failure to process a timely submission.
The KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) specifies the frequency of periodic KYC updation by risk category: every two years for high-risk customers, every eight years for medium-risk customers, and every ten years for low-risk customers. The FAQ Answer to Question 22 confirms these intervals and explains the basis:
"REs must update KYC records for ongoing due diligence to keep collected information current and relevant. Periodic updation frequency depends on risk categorization: high-risk (every 2 years), medium-risk (every 8 years), low-risk (every 10 years)."
The risk categorisation itself depends on parameters including "customer identity, social/financial status, nature of business activity, business information and location, geographical risk, product/service types, delivery channels, transaction types, and identity document verification ability." Most retail savings account holders fall into the low-risk category — meaning they need to update KYC once every ten years.
What if your KYC application is rejected — and what happens if you do not update?
The FAQ creates a procedural safeguard that many bank customers do not know exists. No KYC application can be rejected by an algorithm alone. The FAQ Answer to Question 34 states:
"REs' Customer Acceptance Policy must not deny services to general public, especially financially or socially disadvantaged persons, including PWDs. Rejection decisions must be reviewed by authorized RE officials and cannot be automated."
This means that if a customer's account opening or KYC updation is rejected, the rejection must be the result of a human decision by an authorised official — not a system error, not an algorithmic mismatch, not a default setting. The practical implication for compliance officers: every rejection must have a trail showing which official reviewed the application and why it was declined.
For customers who fail to complete periodic KYC updation, the consequences are real but bounded. The FAQ Answer to Question 28 references the Prevention of Money-Laundering Rules 2005, which "enable REs to close customer accounts if identity records aren't obtained after providing due notice." But the bank must provide notice first — and must offer the customer every reasonable opportunity to comply.
The FAQ also addresses a growing fraud vector. The FAQ Answer to Question 29 warns:
"Customers should exercise extreme caution before clicking embedded links, as these may be fraudulent. The public is advised not to fall prey to KYC-named fraud schemes."
KYC-update phishing — fraudsters sending SMS or email messages claiming the customer's account will be frozen unless they "update KYC" through a link — is one of the most common banking frauds in India. The RBI's FAQ explicitly warns against it. Banks should never send links asking customers for OTPs, passwords, or other credentials under the guise of KYC updation. Any such communication is fraudulent. The fraud reporting framework requires banks to report such fraud attempts to the RBI.
What is the KYC Identifier — and how does the Central KYC Registry work?
The Central KYC Records Registry (CKYCR) was created to solve a simple problem: a customer who opens accounts at multiple banks should not need to submit KYC documents separately to each one. The KYC Identifier is a unique number assigned by the CKYCR that allows any Regulated Entity to download the customer's KYC records from the central database.
The FAQ Answer to Question 14 defines it:
"KYC Identifier is the unique number or code assigned to a customer of an RE by the Central KYC Records Registry."
The FAQ Answer to Question 18 explains that REs must now seek the KYC Identifier and retrieve records from CKYCR before asking the customer to submit documents again. Customers need not resubmit documents unless: the information has changed, the records are incomplete or non-compliant, the document's validity has lapsed, or the RE deems additional verification necessary.
The CKYCR system, operationalised through the KYC Master Direction's CKYCR provisions (Master Direction - Know Your Customer (KYC) Direct), represents the RBI's attempt to reduce the compliance burden on customers without reducing the compliance standard. The burden shifts from the customer (who previously had to carry documents to every institution) to the institutions (who must check the central registry first). The customer's consent is required — no RE can download records without explicit authorisation — but the process is designed to be frictionless.
For a deeper analysis of how digital KYC infrastructure — including e-KYC, Video-based Customer Identification, and the CKYCR — transformed the onboarding process, see Digital KYC, Aadhaar, Video KYC, and the Central KYC Registry.
What about beneficial ownership for companies?
When a company opens a bank account, KYC does not stop at the company's name and registration certificate. The bank must identify the natural persons who ultimately own or control the company — the beneficial owners. The KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) defines the threshold:
"'Controlling ownership interest' means ownership of/entitlement to more than 10 percent of the shares or capital or profits of the company."
The 10% threshold was reduced from 25% — a significant tightening. Any natural person who owns more than 10% of a company's shares, capital, or profits must be identified as a beneficial owner. If no natural person meets this threshold, the bank must identify the natural person who exercises control through "the right to appoint majority of the directors or to control the management or policy decisions."
For partnership firms, the same 10% threshold applies to capital or profits. For trusts, the beneficial owner identification extends to the author of the trust, the trustee, the beneficiaries, and any other natural person exercising ultimate effective control. For unincorporated associations or bodies of individuals, the direction requires identification of persons exercising ultimate effective control.
The beneficial ownership requirement is one of the most compliance-intensive aspects of KYC for banks dealing with corporate customers. It requires piercing the corporate veil — tracing through layers of holding companies, nominee arrangements, and voting agreements to find the human being at the end of the ownership chain. The Companies (Significant Beneficial Owners) Rules, 2018 work in parallel with the KYC direction, creating a dual reporting obligation for companies.
For the full framework of how Indian banks must trace beneficial ownership, including the FATF context and the enforcement implications, see Who Owns This Company?.
The practical hierarchy: what compliance officers must take from the FAQ
The thirty-seven questions in the RBI's KYC FAQ are not abstract regulatory commentary. They are the RBI's answer to the disputes that actually arise — between customers and branches, between compliance teams and business teams, between the anti-money laundering mandate and the financial inclusion mandate. When a branch manager says Aadhaar is mandatory, the FAQ says it is not. When a system automatically rejects a KYC application, the FAQ says a human must review it. When a customer receives an SMS asking them to "update KYC" through a link, the FAQ says it is a fraud.
The underlying KYC Master Direction (Master Direction - Know Your Customer (KYC) Direct) is the law. The FAQ is how the RBI explains the law to the people who must live with it. Both documents should be read together — because the direction provides the rules, and the FAQ provides the RBI's interpretation of what those rules actually mean in practice.
Governing Direction(s): Master Direction — Know Your Customer (KYC) Direction, 2016 (Master Direction - Know Your Customer (KYC) Direct)
Last updated: April 2026