Master Circular on Know Your Client (KYC) norms for the securities market

X X   X X   Extracts   X X   X X

Full Text of the Document

X X   X X   Extracts   X X   X X

....culars/directions with the provisions of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and the Securities and Exchange Board of India [KYC (Know Your Client) Registration Agency] Regulations, 2011. The provisions of this Master Circular shall come into force from the date of its issue.

3. Any modifications/updation in existing KYC records shall be effected in line with the provisions of this Circular by December 31, 2023.

4. On and from the date of issue of this Circular, all circulars for the purpose of KYC as listed in the Appendix shall stand rescinded/modified as indicated therein.

5. Notwithstanding such rescission,
a) Anything done or any action taken or purported to have been done or taken under the rescinded circulars, prior to such rescission, shall be deemed to have been done or taken under the corresponding provisions of this Master Circular;
b) Any application made to the Board under the rescinded circulars, prior to such rescission, and pending before it shall be deemed to have been made under the corresponding provisions of this Master Circular;
c) The previous operation of the rescinded circulars or anything duly done or suffered there....

....ney Laundering Act, 2002.
g. "Client Due Diligence" shall have the same meaning as assigned to it under Rule 2 (1) (b) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
h. "Designated Director" shall have the same meaning as assigned to it under Rule 2 (1) (ba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
i. "Digital KYC" shall have the same meaning as assigned to it under Rule 2 (1) (bba) of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005.
j. "Digital Signature" shall have the same meaning as assigned to it under clause (p) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000).
k. "e-KYC authentication facility" shall have the same meaning as assigned to it under clause (j) of sub-section (1) of section 2 of the Aadhaar (Authentication and Offline Verification) Regulations, 2021.
l. "Electronic Signature" shall have the same meaning as assigned to it under clause (ta) of sub-section (1) of section 2 of the Information Technology Act, 2000 (21 of 2000).
m. "Equivalent e-document" shall have the same meaning as assigned to it under Rule 2 (1) (cb) of the Prevention ....

....of the AOF shall be the KYC form which shall capture the basic details about the client. For this purpose, all registered intermediaries shall use the KYC templates provided by the Central Registry of Securitisation Asset Reconstruction and Security Interest of India (CERSAI) for individuals and for legal entities for capturing the KYC information. The CKYCR templates (Individual and Legal Entity) provided by CERSAI are available at https://www.ckycindia.in/ckyc/?r=download.

6. Part II of the form shall obtain the additional information specific to the area of activity of the intermediary, as considered appropriate by them. The instant Master Circular deals with the provisions of Part I - KYC form.

Requirement of Permanent Account Number (PAN)

7. In order to strengthen the KYC norms and identify every participant in the securities market with their respective PAN, thereby ensuring a sound audit trail of all the transactions, PAN shall be the unique identification number for all participants transacting in the securities market, irrespective of the amount of transaction.

8. The registered intermediaries shall verify the PAN of their clients online at the Income Tax website without insis....

....r of the State Government;
vi. the letter issued by the National Population Register containing details of name and address; or
vii. any other document as notified by the Central Government in consultation with the Regulator.
b. Further, in terms of the proviso to the above Rule, where simplified measures are applied for verifying the identity of the clients, the following documents shall also be deemed to be officially valid documents:
i. Identity card/document with applicant's photo, issued by Central/State Government Departments, Statutory/Regulatory Authorities, Public Sector Undertakings, Scheduled Commercial Banks and Public Financial Institutions;
ii. Letter issued by a gazetted officer, with a duly attested photograph of the person.

15. The registered intermediaries shall not store/save the Aadhaar number of the client in their system. Further, in terms of PML Rule 9(16), every registered intermediary shall, where the client submits his Aadhaar number, ensure that such client redacts or blacks out his Aadhaar number by appropriate means where the authentication of the Aadhaar number is not required under sub-rule (15) of PML Rule 9.

Proof of Address (PoA)

16. At the time ....

....vernment or a gazette notification, indicating such change of name.

20. For non-residents and foreign nationals (allowed to trade subject to RBI and FEMA guidelines), a copy of passport/Persons of Indian Origin (PIO) Card/Overseas Citizenship of India (OCI) Card and overseas address proof is mandatory.

21. In case the officially valid document presented by a foreign national does not contain the details of address, the documents issued by the Government departments of foreign jurisdictions and letters issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

22. If any proof of address is in a foreign language, then translation into English shall be required.

23. If the correspondence and permanent address are different, then proof for both shall be submitted.

Acceptance of third party address as correspondence address

24. A client can authorize the intermediary to capture the address of a third party as a correspondence address, provided that all prescribed 'Know Your Client' norms are also fulfilled for the third party. The intermediary shall obtain proof of identity and proof of address for the third party. The intermediary shall also ensure that client due diligence n....

....ional documents (certified copies of equivalent e-documents) to be obtained are mentioned below:

i. Corporate body:
a. Certificate of incorporation.
b. Memorandum and Articles of Association.
c. Board Resolution for investment in securities market.
d. Power of Attorney granted to its managers, officers or employees, as the case may be, to transact on its behalf.
e. Authorised signatories list with specimen signatures.
f. Copy of the balance sheet for the last financial year (initially for the last two financial years and subsequently for every last financial year).
g. Latest shareholding pattern including list of all those holding control, either directly or indirectly, in the company in terms of SEBI Takeover Regulations, duly certified by the company secretary/whole time director/MD (to be submitted every year).
h. Photograph, POI, POA, PAN and DIN numbers of whole time directors/two directors in charge of day to day operations.
i. Photograph, POI, POA, PAN of individual promoters holding control, either directly or indirectly.

ii. Partnership firm:
a. Certificate of registration (for registered partnership firms only).
b. Copy of partnership deed. ....

....ment / other documents, using electronic/digital signature, including Aadhaar e-Sign.

34. The client shall visit the website/App/digital platform of the registered intermediary, fill up the online KYC form and submit the requisite documents.

35. SEBI registered intermediaries shall obtain the express consent of the client before undertaking online KYC.

36. The PAN, name, photograph, address, mobile number and email ID of the client shall be captured digitally, and the officially valid document shall be provided as a photo/scan of the original under electronic/digital signature, including Aadhaar e-Sign, and the same shall be verified.

37. Any officially valid document other than Aadhaar shall be submitted through DigiLocker/using electronic/digital signature, including Aadhaar e-Sign.

38. The mobile number of the client accepted as part of KYC should preferably be the one seeded with Aadhaar.

39. Mobile and email shall be verified through One Time Password (OTP) or other verifiable mechanism.

40. Aadhaar shall be verified through UIDAI's authentication/verification mechanism. Further, in terms of PML Rule 9(16), every intermediary shall, where the client submits his Aadhaar numb....

....o the registered intermediary under electronic/digital signature including Aadhaar e-Sign.
c. The "original seen and verified" requirement for an officially valid document would be met where the investor provides the officially valid document in the following manner:
i. As a clear photograph or scanned copy of the original officially valid document, through the electronic/digital signature including Aadhaar e-Sign; or
ii. As a digitally signed copy of the officially valid document, issued through DigiLocker by the issuing authority.

Features for online KYC App of the Intermediary

49. A SEBI registered intermediary can implement its own App for undertaking online KYC of clients.

50. The App shall facilitate taking photographs, scanning, acceptance of officially valid documents through DigiLocker, video capturing in a live environment and usage of the App only by an authorized person of the intermediary.

51. [The App shall also have features of random action initiation for client response to establish that the interactions are not pre-recorded, along with time stamping and geo-location tagging to ensure that requirements like the physical location being in India etc. are also implemen....

....idual investor through their App. The following process shall be adopted in this regard:
a) The intermediary, through its authorised official specifically trained for this purpose, may undertake live VIPV of an individual client after obtaining his/her informed consent. The activity log along with the credentials of the person performing the VIPV shall be stored for easy retrieval.
b) The VIPV shall be in a live environment.
c) The VIPV shall be clear and still; the client in the video shall be easily recognisable and shall not be covering their face in any manner.
d) The VIPV process shall include random question and response from the investor, including displaying the officially valid document, KYC form and signature, or could also be confirmed by an OTP.
e) The intermediary shall ensure that the photograph of the client downloaded through the Aadhaar authentication/verification process matches the investor in the VIPV.
f) The VIPV shall be digitally saved in a safe, secure, tamper-proof and easily retrievable manner and shall bear date and time stamping.
g) The intermediary may have additional safety and security features other than those prescribed above.

61. IPV shal....

....service of UIDAI in Securities Market as sub-KUA

68. The Department of Revenue (DoR), Ministry of Finance (MoF), Government of India, vide Gazette Notification Nos. S.O. 3187(E) dated July 13, 2022 and S.O. 446(E) dated January 30, 2023, has notified reporting entities to use Aadhaar authentication services of UIDAI under section 11A of the Prevention of Money-laundering Act, 2002. The notifications can be accessed at the links (Govt. Notification dated July 13, 2022 and Govt. Notification dated Jan 30, 2023). These entities shall act as Sub-KUAs.

69. The KUAs shall facilitate the onboarding of these entities as Sub-KUAs to provide the services of Aadhaar authentication with respect to KYC.

Onboarding process of Sub-KUA by UIDAI

70. As provided in the DoR circular dated May 09, 2019, SEBI, after scrutiny of the application forms of KUAs, shall forward the applications along with its recommendation to UIDAI.

71. For appointment of a SEBI registered intermediary as Sub-KUA, the KUA shall send the list of proposed Sub-KUAs to SEBI and SEBI would forward the list of recommended Sub-KUAs to UIDAI for onboarding.

72. An agreement shall be signed between KUA and Sub-KUA, as prescribed by UIDAI....

....ered device.
vii. The client shall also provide the additional details as required.

76. The KUA/Sub-KUA while performing the Aadhaar authentication shall comply with the following:
i. For sharing of e-KYC data with a Sub-KUA under Regulation 16(2) of the Aadhaar (Authentication) Regulations, 2016, the KUA shall obtain special permission from UIDAI by submitting an application in this regard. Such permissible sharing of e-KYC details by the KUA can be allowed with its associated Sub-KUAs only.
ii. The KUA shall not share UIDAI digitally signed e-KYC data with other KUAs. However, KUAs may share data after digitally signing it using their own signature for internal working of the system.
iii. e-KYC data received as response upon successful Aadhaar authentication from UIDAI shall be stored by the KUA and Sub-KUA in the manner prescribed by the Aadhaar Act/Regulations and circulars issued by UIDAI from time to time.
iv. The KUA/Sub-KUA shall not store the Aadhaar number in their database under any circumstances. It shall be ensured that the Aadhaar number is captured only using UIDAI's Aadhaar Number Capture Services (ANCS).
v. The KUA shall maintain auditable logs of all such transactions where e-KYC data has been ....
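Paragraph 15 and item 76(iv) both require that the intermediary or KUA/Sub-KUA never hold the Aadhaar number itself, and paragraph 15 expects the client to redact it from documents where authentication is not needed. The following is an added example, not part of the circular and not UIDAI's or any KUA's software: a pre-persistence scrub, in Python, that scans free-text KYC fields for 12-digit numbers carrying a valid Verhoeff check digit (the check-digit scheme UIDAI uses for Aadhaar numbers; a known property of the numbering, not something the circular states), replaces them with a marker and reports which fields were affected so the event can be logged without the number. It does not replace ANCS for the fields that legitimately carry Aadhaar during authentication; it is a last line of defence against the number leaking into notes, remarks or address fields. The record layout, field names and the sample number 2345 6789 0124 are constructed for the example.

```python
from __future__ import annotations

import re

# Verhoeff multiplication (d), permutation (p) and inverse tables.
# Aadhaar numbers are issued with a Verhoeff check digit as their 12th digit;
# an arbitrary 12-digit run (account or reference numbers) almost always fails it.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]


def verhoeff_valid(digits: str) -> bool:
    """True if the decimal string ends in a correct Verhoeff check digit."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def verhoeff_check_digit(digits: str) -> str:
    """Check digit to append to `digits` (used here only to build constructed test data)."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + 1) % 8][int(ch)]]
    return str(_INV[c])


# Twelve digits, optionally grouped 4-4-4 by space or hyphen, not glued to other digits.
_AADHAAR_RE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")
REDACTED = "[AADHAAR REDACTED]"


def redact_aadhaar(text: str) -> tuple[str, int]:
    """Replace every Verhoeff-valid 12-digit number in `text`; return (new_text, count).

    12-digit runs that fail the check digit are left untouched so that other
    legitimate KYC data (account or reference numbers) is not destroyed.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        if verhoeff_valid("".join(m.groups())):
            count += 1
            return REDACTED
        return m.group(0)

    return _AADHAAR_RE.sub(_sub, text), count


def scrub_record(record: dict) -> tuple[dict, list[str]]:
    """Scrub all string fields of a KYC record before it is written to storage.

    Returns the cleaned record and the names of fields that held an Aadhaar number,
    so the intermediary can log the event (never the number) and ask the client
    for a redacted resubmission.
    """
    cleaned, flagged = {}, []
    for key, value in record.items():
        if isinstance(value, str):
            value, hits = redact_aadhaar(value)
            if hits:
                flagged.append(key)
        cleaned[key] = value
    return cleaned, flagged


if __name__ == "__main__":
    # Constructed record: the field names and values are sample data for this example.
    sample = {"name": "Test Client", "remarks": "client quoted 2345 6789 0124 on call",
              "correspondence_address": "12 Sample Street, Sample City"}
    cleaned, flagged = scrub_record(sample)
    print(cleaned)
    print("fields needing follow-up:", flagged)
```

The Verhoeff filter is what makes the scrub safe to run over every field: a plain 12-digit regex would also wipe out account or reference numbers, while a wrong check digit (detected for every single-digit change by Verhoeff) lets those through. Logging only the field name, never the matched digits, keeps the audit trail itself compliant with paragraph 15.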

.... a trading account and/or demat account or while undergoing updation.
b. In case the proof of address furnished by the said client is not the address where the client is currently residing, the intermediary may take a declaration of the residence/correspondence address on which all correspondence shall be made by the intermediary with the client. No proof is required to be submitted for such correspondence/residence address. In the event of change in this address due to relocation or any other reason, the client may intimate the new address for correspondence to the intermediary within two weeks of such a change. The residence/correspondence address and any such change thereof may be verified by the intermediary through 'positive confirmation' such as (i) acknowledgment of receipt of Welcome Kit/dispatch of contract notes/any periodical statement, etc.; (ii) telephonic conversation; (iii) visits, etc.
c. The registered intermediaries shall forward the KYC completion intimation letter through registered post/speed post or courier to the address of the client in cases where the client has given an address other than that given in the officially valid document. In such cases of return of th....

....other, to prevent duplication of entry of KYC details of a client and to ensure uniformity in formats of uploading/modification/downloading of KYC data by the intermediary.

93. The KRA shall maintain an audit trail of the uploads/modifications/downloads made in the KYC data by the intermediary in its system.

94. The KRA shall ensure that a comprehensive audit of its systems, controls, procedures, safeguards and security of information and documents is carried out annually by an independent auditor. The Audit Report, along with the steps taken to rectify the deficiencies, if any, shall be placed before its Board of Directors. Thereafter, the KRA shall send the Action Taken Report to SEBI within 3 months.

95. KRA systems shall clearly indicate the status of clients falling under PAN exempt categories, viz. investors residing in the state of Sikkim, UN entities/multilateral agencies exempt from paying taxes/filing tax returns in India, etc.

Rationalisation of Risk Management Framework at KRAs

96. As a part of the risk management framework, the KRAs shall verify the following attributes of records of all clients within 2 days of receipt of KYC records:
a. PAN (including PAN Aadhaar linkage, ....

....iable for penal action.

107. KRAs are advised to:
a. develop the monitoring mechanism through internal audit and inspections.
b. encourage investors to use SCORES for lodging their grievances.

Cyber Security & Cyber Resilience framework for KYC Registration Agencies (KRAs)

108. Rapid technological developments in the securities market have highlighted the need for maintaining a robust Cyber Security and Cyber Resilience framework to protect the integrity of data and guard against breaches of privacy.

109. A robust Cyber Security and Cyber Resilience framework should identify the plausible sources of operational risk, both internal and external, and mitigate the impact through the use of appropriate systems, policies, procedures and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of its obligations in the event of a cyber-attack.

110. Since KRAs perform the important function of maintaining KYC records of the clients in the securities market, the KRAs shall have a robust Cyber Security and Cyber Resili....

....s

1. Cyber-attacks and threats attempt to compromise the confidentiality, integrity and availability (CIA) of computer systems, networks and databases (Confidentiality refers to limiting access to systems and information to authorized users; Integrity is the assurance that the information is reliable and accurate; and Availability refers to the guarantee of reliable access to the systems and information by authorized users). A cyber security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber Resilience is an organisation's ability to prepare for and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.

Governance

2. As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, KRAs shall formulate a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned hereunder. The policy document shall be approved by the Board of the KRAs, and in case of deviations from the suggested framework, reasons for such deviations shall also be provided in the policy document....

....acilitate communication of unusual activities and events to the CISO or to the senior management in a timely manner.

9. The aforementioned committee and the senior management of the KRAs, including the CISO, shall periodically review instances of cyber attacks, if any, domestically and globally, and take steps to strengthen the Cyber Security and Cyber Resilience framework.

10. KRAs shall define the responsibilities of their employees, outsourced staff, and employees of vendors, members or participants and other entities who may have access to or use the KRA's systems/networks, towards ensuring the goal of cyber security.

Identification

11. KRAs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems, either for operations or maintenance, shall also be classified as critical systems. The Board of the....

....h as employees of vendors or service providers, who may be given authorised access to the KRA's critical systems, networks and other computer resources, shall be subject to stringent supervision, monitoring and access restrictions.

21. Two-factor authentication at log-in shall be implemented for all users that connect using online/internet facility.

22. KRAs shall formulate an Internet access policy to monitor and regulate the use of the internet and internet based services such as social media sites, cloud-based internet storage sites, etc.

23. A proper 'end of life' mechanism shall be adopted to deactivate the access privileges of users who are leaving the organization or whose access privileges have been withdrawn.

Physical security

24. Physical access to the critical systems shall be restricted to the minimum. Physical access of outsourced staff/visitors shall be properly supervised by ensuring, at the minimum, that outsourced staff/visitors are accompanied at all times by authorised employees.

25. Physical access to the critical systems shall be revoked immediately if the same is no longer required.

26. KRAs shall ensure that the perimeter of the critical equipment room is physic....

....ented. The scope of tests shall cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.

Patch Management

37. KRAs shall establish and ensure that the patch management procedures include the identification, categorisation and prioritisation of security patches. An implementation timeframe for each category of security patches shall be established to implement security patches in a timely manner.

38. KRAs shall perform rigorous testing of security patches before deployment into the production environment so as to ensure that the application of patches does not impact other systems.

Disposal of systems and storage devices

39. KRAs shall frame a suitable policy for disposal of storage media and systems. The data/information on such devices and systems shall be removed by using methods viz. wiping/cleaning/overwrite, degaussing and physical destruction, as applicable.

Vulnerability Assessment and Penetration Testing (VAPT)

40. KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT) which inter alia include critical assets and infrastructure components like servers, networking systems, ....

....ncident of cyber attack or breach, mitigate its effect and eradicate the incident.

47. The response and recovery plan of the KRAs shall aim at timely restoration of systems affected by incidents of cyber attacks or breaches. KRAs shall have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.

48. The response plan shall define the responsibilities and actions to be performed by its employees and support/outsourced staff in the event of cyber attacks or breach of the cyber security mechanism.

49. Any incident of loss or destruction of data or systems shall be thoroughly analysed and lessons learned from such incidents shall be incorporated to strengthen the security mechanism and improve recovery planning and processes.

50. KRAs shall also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan.

Sharing of information

51. All cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs shall be reported to SEBI within 6 hours of noticing/detecting such inc....

....s and advisories related to Cyber security from time to time, along with the cyber audit report.

57. KRAs shall take necessary steps to put in place systems for implementation of this framework.

Incident Reporting Form

1. Letter/Report Subject
- Name of the intermediary
- SEBI Registration no.
- Type of intermediary

2. Reporting Periodicity
- Year:
- Quarter 1 (Apr-Jun) / Quarter 2 (Jul-Sep) / Quarter 3 (Oct-Dec) / Quarter 4 (Jan-Mar)

3. Designated Officer (Reporting Officer details)
- Name:
- Organization:
- Title:
- Phone/Fax No:
- Mobile:
- Email:
- Address:

Cyber-attack/breach observed in Quarter: (If yes, please fill Annexure C) (If no, please submit the NIL report)
- Date & Time
- Brief information on the Cyber-attack/breach observed

Annexure C: Form for reporting Cyber attack/breach by KRA

1. Physical location of affected computer/network and name of ISP
2. Date and time incident occurred - Date: Time:
3. Information of affected system
- IP Address:
- Computer/Host Name:
- Operating System (incl. Ver./release No.):
- Last Patched/Updated:
- Hardware Vendor/Model: ....

....clients
2. CIR/MIRSD/22/2011 dated 25-Oct-11 - In-person verification (IPV) of clients by subsidiaries of Stock Exchanges, acting as Stock Brokers
3. MIRSD/Cir-23/2011 dated 02-Dec-11 - The Securities And Exchange Board of India (KYC Registration Agency) Regulations, 2011
4. MIRSD/Cir-26/2011 dated 23-Dec-11 - Guidelines In Pursuance of The SEBI KYC Registration Agency (KRA) Regulations, 2011 And For In-Person Verification (IPV)
5. MIRSD/CIR-5/2012 dated 13-Apr-12 - Uploading of The Existing Clients' KYC Details In The KYC Registration Agency (KRA) System by The Intermediaries
6. CIR/MIRSD/09/2012 dated 13-Aug-12 - Aadhaar Letter As Proof of Address For Know Your Client (KYC) Norms
7. CIR/MIRSD/12/2012 dated 21-Sep-12 - Processing of investor complaints against KRA {KYC (Know Your Client) Registration Agency} in SEBI Complaints Redress System (SCORES)
8. CIR/MIRSD/01/2013 dated 04-Jan-13 - Rationalisation Process For Obtaining PAN by Investors
9. CIR/MIRSD/2/2013 dated 24-Jan-13 - Guidelines On Identification of Beneficial Ownership
10. CIR/MIRSD/4/2013 dated 28-Mar-13 - Amendment to SEBI {(Know Your Client) Registration Agency} Regulations, 2011 and relevant circulars
11....