When a company opens a bank account, the bank doesn't just identify the company — it must identify the human beings who ultimately own or control it. This requirement, buried in Chapter VI of the KYC Master Direction, was first introduced at a 25% ownership threshold in 2013, lowered to 10% in 2016, and now sits at the centre of India's AML architecture. Every company, every partnership, every trust, every unincorporated association that maintains a bank account must have its beneficial owners identified, verified, and periodically updated.
The practical questions for a lawyer advising a corporate client — or a compliance officer opening accounts — are specific: What triggers the BO identification obligation? What's the threshold for each entity type? What happens when beneficial ownership can't be determined? And what about layered structures — holding companies, nominee arrangements, trusts with discretionary beneficiaries?
What is the beneficial ownership threshold — and why did it drop from 25% to 10%?
The 2013 Master Circular for UCBs RBI/2013-14/31 (since withdrawn) set the original threshold:
"Controlling ownership interest means ownership of/entitlement to more than 25 percent of shares or capital or profits of the juridical person, where the juridical person is a company; ownership of/entitlement to more than 15% of the capital or profits where the juridical person is a partnership."
The 2016 Master Direction (Master Direction - Know Your Customer (KYC) Direct) lowered it dramatically:
"Controlling ownership interest means ownership of/entitlement to more than 10 percent of the shares or capital or profits of the company."
For partnerships: more than 10% of capital or profits. For unincorporated associations: more than 15%. For trusts: identification of the author, the trustee, the beneficiaries with 10% or more interest, and "any other natural person exercising ultimate effective control over the trust through a chain of control or ownership."
Why the drop from 25% to 10%? The notification doesn't explain the reasoning explicitly. But the context is FATF Recommendation 24, which requires countries to ensure that "competent authorities can obtain, or have access to, adequate, accurate and current information on the beneficial ownership and control of legal persons." India's 2016 alignment with FATF standards included tightening the BO threshold to demonstrate that its AML framework could identify ownership at a granular level — a direct input into India's FATF mutual evaluation.
The October 2023 amendment RBI/2023-24/69 (since withdrawn) further tightened the framework, citing PML Rules changes and FATF recommendations as two of six triggers. The amendment chain runs: 2013 Master Circular RBI/2013-14/31 (since withdrawn) → 2016 Master Direction (Master Direction - Know Your Customer (KYC) Direct) → October 2023 amendment RBI/2023-24/69 (since withdrawn) → the November 2025 entity-specific KYC Directions that superseded all predecessors. Each step lowered thresholds or expanded the definition of control — a progressive tightening driven by FATF pressure and domestic enforcement experience.
How does BO identification work for different entity types?
The requirements escalate with structural complexity:
Companies: Identify every natural person who owns or is entitled to more than 10% of shares, capital, or profits. If no one meets that threshold, identify the natural person(s) who exercise "control through other means" — meaning the right to appoint majority directors or control management decisions. If even that doesn't identify anyone, the bank must identify the senior managing official of the company.
Partnerships: Same 10% threshold on capital or profits. "Control" includes the right to control management or policy decisions. For a partnership with five equal partners (20% each), all five are beneficial owners. For a partnership where one partner holds 8% but has management control through the partnership deed, that partner is also a beneficial owner under the control test.
Trusts: The broadest identification requirement — the bank must identify the author of the trust, every trustee, every beneficiary with 10% or more interest, and "any other natural person exercising ultimate effective control over the trust through a chain of control or ownership." For discretionary trusts where beneficiaries don't have fixed entitlements, the class of persons in whose interest the trust is established must be identified.
Unincorporated associations: Threshold is 15% of property, capital, or profits — higher than the 10% for companies and partnerships, reflecting the typically simpler ownership structures of associations.
What is a Politically Exposed Person — and why does it matter for account opening?
The Master Direction defines PEPs as "individuals who are or have been entrusted with prominent public functions by a foreign country, including the Heads of States/Governments, senior politicians, senior government or judicial or military officers, senior executives of state-owned corporations and important political party officials."
The definition was carried forward unchanged from the 2016 Master Direction (Master Direction - Know Your Customer (KYC) Direct) into every entity-specific KYC Direction issued in November 2025 — superseding earlier PEP provisions from the 2008 Master Circular era (since withdrawn).
The critical word is "foreign." Indian PEPs are not covered by this definition — the enhanced due diligence applies to foreign PEPs and their family members and close associates. The bank must:
- Have risk management systems to determine if a customer or beneficial owner is a PEP
- Take reasonable measures to establish the source of funds/wealth
- Obtain senior management approval to open the account
- Subject the account to enhanced monitoring on an on-going basis
This matters for lawyers advising foreign clients investing in India — or for Indian banks opening accounts for entities whose beneficial owners include foreign government officials. The enhanced due diligence isn't optional; it's a direction enforceable through the penalty framework.
What about wire transfers — what information must cross borders?
The wire transfer provisions implement FATF Recommendation 16 on transparency:
"All cross-border wire transfers shall be accompanied by accurate, complete, and meaningful originator and beneficiary information: name of the originator; the originator account number; the originator's address, or national identity number, or customer identification number, or date and place of birth; name of the beneficiary; and the beneficiary account number." (Master Direction - Know Your Customer (KYC) Direction, 2016...)
For domestic wire transfers, the threshold is Rs 50,000: "Domestic wire transfers of rupees fifty thousand and above, where the originator is not an account holder of the ordering RE, shall also be accompanied by originator and beneficiary information."
The wire transfer circulars for co-operative banks (STCBs/DCCBs – Wire Transfers) (since withdrawn) and RRBs (RRBs – Wire Transfers) (since withdrawn) extended these requirements to entity types that handle remittances in rural India — where many transactions are below the Rs 50,000 threshold but cross-border remittances from the diaspora are not.
The money mules angle connects here: the December 2010 circular RBI/2010-11/303 warned banks about accounts being used as conduits for laundering wire transfer proceeds — "With a view to preventing banks from being used, intentionally or unintentionally, by criminal elements for money laundering or terrorist financing activities." Parallel circulars went to NBFCs RBI/2010-11/462, RRBs RBI/2010-11/330, and StCBs/DCCBs (StCBs/DCCBs - Operation of bank accounts and mone).
What happens when KYC fraud targets customers rather than banks?
The RBI has issued repeated public warnings about frauds in the name of KYC updation (PR_57244):
"The modus operandi for such frauds usually involves customers receiving unsolicited communication via phone calls, SMSes, emails or social media messages, asking them to share certain personal details, account details, OTPs for completing KYC updation."
The RBI's position: banks should never ask customers to share OTPs or account credentials for KYC updation. The periodic KYC updation framework allows self-declaration via email, mobile app, or ATM for "no change" updates. Banks that demand OTPs or ask customers to click links are either running a poor process or being impersonated by fraudsters.
The KYC FAQ addresses this: "Customers should exercise caution with SMS/email links — these may be fraudulent." It also clarifies that KYC rejection decisions cannot be automated — "rejection decisions cannot be automated; authorized RE officials must review rejections."
The Rs 5.39 crore lesson: Paytm Payments Bank
The largest KYC penalty in our records is the Rs 5.39 crore fine on Paytm Payments Bank (PR_56541, October 2023) — for non-compliance with the KYC Master Direction, licensing guidelines, the cyber security framework, and mobile banking security guidelines.
The penalty amount — fifty-three times the Rs 99.30 lakh imposed on Jammu & Kashmir Bank for KYC violations — signals that payments banks face heightened scrutiny because they onboard customers digitally at scale. When millions of accounts are opened through mobile apps, a KYC process failure affects millions of customers, not hundreds.
This connects directly to the "How the RBI investigates" article — the penalty amount is proportionate to the scale of the non-compliance and the entity's customer base.
What does the latest FATF statement mean for Indian banks?
Every six months, the FATF issues a statement identifying high-risk and monitored jurisdictions. The RBI transmits each statement to all regulated entities. The June 2025 statement (PR_60802) maintains:
- DPRK and Iran: Subject to countermeasures (the call remains from February 2020)
- Myanmar: Added to the high-risk list in October 2022, with enhanced due diligence required
For banks, this means: any transaction involving counterparties in DPRK, Iran, or Myanmar triggers enhanced due diligence under the Master Direction provisions. The investment restriction RBI/2016-17/216 prohibits Indian parties from making direct investments in FATF non-compliant jurisdictions. And the correspondent banking provisions require banks to be "cautious of correspondent banking relationships with institutions located in jurisdictions which have strategic deficiencies."
The FATF transmission chain — 197 circulars spanning 2004 to 2026 — is one of the largest single chains in the RBI's regulatory graph. And with India's next FATF mutual evaluation approaching, compliance with these provisions will be under heightened scrutiny.
Last updated: April 2026