RBI Penalises CKYC Non-Compliance Up to Rs.1 Lakh Per Day: Is Your Institution Audit-Ready?
Most BFSI institutions know there are penalties for KYC non-compliance. Far fewer have mapped the specific obligations that generate those penalties, the audit trail evidence required to demonstrate compliance, and what a clean CKYC audit finding actually requires. This guide does all three.
The Penalty Framework - What PMLA and RBI Actually Say
The obligation to upload customer KYC records to CERSAI is not a guideline or a best practice. It is a statutory requirement under the Prevention of Money Laundering Act, 2002 and the rules framed under it. Non-compliance is a legal default, not an operational oversight.
Section 12 of PMLA requires every Reporting Entity to maintain records and furnish information as prescribed. The CKYC upload obligation flows directly from this provision. The penalty framework under Section 13 of PMLA empowers the Director of the Financial Intelligence Unit to impose monetary penalties, issue directions, and in severe cases, recommend cancellation of registration or licence.
The Enforcement Reality - Recent RBI Action
RBI's enforcement posture on KYC compliance has shifted materially since 2022. What was previously addressed through supervisory letters and directions has increasingly been followed by formal monetary penalties published on RBI's website. The published penalty orders make the specific violations explicit - they are instructive reading for any compliance team.
The pattern in recent enforcement actions is consistent: findings typically cover a combination of failure to upload CKYC records within the mandated timeline, deficiencies in periodic re-KYC processes, inadequate documentation of KYC verification, and absence of proper audit trails for KYC data access. No single finding is standalone - auditors look at the entire KYC compliance framework, and a weakness in one area typically surfaces weaknesses in others.
The 5 Audit Areas Most Likely to Generate Findings
Based on the pattern of RBI supervisory focus and CKYC compliance requirements under CKYCRR 2.0, these are the five areas where audit findings are most likely to arise - and what evidence you need to demonstrate compliance in each.
The 3-working-day upload deadline is the most directly enforceable CKYC obligation. Auditors will sample newly opened accounts and cross-reference account opening dates with CERSAI upload dates. A systemic delay - even of one or two days - across a large number of accounts creates significant penalty exposure.
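The cross-check described above can be automated so the sample is pulled the same way an auditor would pull it. The following is an added example, not code from the page or from HSS; it assumes a Monday-to-Friday working week with a constructed holiday list, that the deadline is the third working day after the CBS opening date (confirm your own counting convention against the rules), and uses constructed sample records.

```python
"""
Added example: check a sample of new accounts against the 3-working-day CKYC
upload deadline. Sample records, the holiday list and the convention that the
deadline is the third working day after the opening date are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

DEADLINE_WORKING_DAYS = 3

# Constructed holiday list; use the applicable RBI/state holiday calendar in practice.
HOLIDAYS: Set[date] = {date(2026, 1, 26), date(2026, 3, 31)}


def is_working_day(d: date, holidays: Set[date] = HOLIDAYS) -> bool:
    """Assumption: Monday to Friday, minus listed holidays."""
    return d.weekday() < 5 and d not in holidays


def add_working_days(start: date, n: int, holidays: Set[date] = HOLIDAYS) -> date:
    """Date of the n-th working day strictly after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            n -= 1
    return d


def working_days_after(start: date, end: date, holidays: Set[date] = HOLIDAYS) -> int:
    """Number of working days in the interval (start, end]."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if is_working_day(d, holidays):
            count += 1
    return count


@dataclass(frozen=True)
class KycUpload:
    account_id: str
    opened: date                  # account opening date from the CBS
    acknowledged: Optional[date]  # CERSAI acknowledgement date; None = not yet uploaded


def audit_uploads(records: List[KycUpload], as_of: date) -> List[Tuple[str, date, int]]:
    """Return (account_id, deadline, working days late) for every breach.

    A record with no acknowledgement is late only once `as_of` has passed its
    deadline, so an unuploaded account still inside its window is not a finding.
    """
    findings = []
    for r in records:
        deadline = add_working_days(r.opened, DEADLINE_WORKING_DAYS)
        effective = r.acknowledged or as_of
        if effective > deadline:
            findings.append((r.account_id, deadline, working_days_after(deadline, effective)))
    return findings


def breach_summary(records: List[KycUpload], as_of: date) -> Dict[str, float]:
    """Headline numbers an auditor asks for from the sample."""
    findings = audit_uploads(records, as_of)
    return {
        "sampled": len(records),
        "breaches": len(findings),
        "breach_rate": len(findings) / len(records) if records else 0.0,
        "max_days_late": max((f[2] for f in findings), default=0),
    }


# Constructed sample: 2026-03-27 is a Friday and 2026-03-31 is in the holiday list above.
SAMPLE: List[KycUpload] = [
    KycUpload("A1", date(2026, 3, 27), date(2026, 4, 1)),  # within the Thu 2 Apr deadline
    KycUpload("A2", date(2026, 3, 27), date(2026, 4, 6)),  # two working days late
    KycUpload("A3", date(2026, 3, 30), None),              # deadline Fri 3 Apr, still missing
    KycUpload("A4", date(2026, 4, 6), None),               # inside its window as of 7 Apr
]
AS_OF = date(2026, 4, 7)

if __name__ == "__main__":
    for account, deadline, late in audit_uploads(SAMPLE, AS_OF):
        print(f"{account}: deadline {deadline}, {late} working day(s) late")
    print(breach_summary(SAMPLE, AS_OF))
```

Run it against the full population rather than a sample before an inspection: the breach rate over all accounts opened in the review period is what turns a handful of late uploads into a "systemic default" finding, and the unacknowledged-but-inside-window case is the one that a naive "uploaded date is null" query misreports.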
Under CKYCRR 2.0, every CKYC record download requires OTP-based customer consent. The absence of an auditable consent log is both a regulatory violation and an evidence gap that makes it impossible to demonstrate compliance with the customer data access framework. This is the area with the widest compliance gap across the industry - most institutions have no consent log infrastructure at all.
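One way to build the consent log the paragraph above says most institutions lack: an append-only, hash-chained record in which each download consent commits to the one before it, so an auditor can verify that nothing was edited or deleted after the fact, and a gate that refuses the download call unless a matching, recent OTP consent exists. This is an added example of one design, not a CERSAI-prescribed format and not HSS code; the field names, the pseudonymisation key and the ten-minute consent window are assumptions.

```python
"""
Added example: hash-chained consent log for CKYC record downloads.
One possible design; field names, key and time window are assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: a per-deployment secret so customer identifiers in the log are
# pseudonymous (HMAC) rather than plaintext. Constructed value, not a real key.
CUSTOMER_REF_KEY = b"constructed-demo-key-rotate-in-production"
GENESIS_HASH = "0" * 64


def _canonical(body: Dict) -> bytes:
    """Deterministic JSON so the same body always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _chain_hash(prev_hash: str, body: Dict) -> str:
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def pseudonymise(customer_id: str) -> str:
    return hmac.new(CUSTOMER_REF_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


class ConsentLog:
    """Append-only list of consent entries; each entry commits to the previous hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, request_id: str, customer_id: str, otp_verified_at: datetime,
               purpose: str, operator_id: str) -> Dict:
        body = {
            "request_id": request_id,
            "customer_ref": pseudonymise(customer_id),  # never the raw identifier, never the OTP
            "otp_verified_at": otp_verified_at.astimezone(timezone.utc).isoformat(),
            "purpose": purpose,
            "operator_id": operator_id,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"body": body, "prev_hash": prev, "hash": _chain_hash(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["hash"] != _chain_hash(prev, e["body"]):
                return False, i
            prev = e["hash"]
        return True, None

    def consent_for(self, request_id: str, customer_id: str, now: datetime,
                    max_age: timedelta = timedelta(minutes=10)) -> bool:
        """Gate for the download call: a matching, recent OTP consent must be logged."""
        ref = pseudonymise(customer_id)
        for e in self.entries:
            b = e["body"]
            if b["request_id"] == request_id and b["customer_ref"] == ref:
                verified = datetime.fromisoformat(b["otp_verified_at"])
                return timedelta(0) <= now - verified <= max_age
        return False


def demo() -> Tuple[bool, Optional[int], bool, bool]:
    """Constructed walk-through: log two consents, gate a download, then detect tampering."""
    log = ConsentLog()
    t0 = datetime(2026, 4, 1, 10, 0, tzinfo=timezone.utc)
    log.append("REQ-001", "CUST-42", t0, "loan onboarding", "op-17")
    log.append("REQ-002", "CUST-43", t0 + timedelta(minutes=1), "account opening", "op-17")
    intact, _ = log.verify()
    allowed = log.consent_for("REQ-001", "CUST-42", t0 + timedelta(minutes=2))
    stale = log.consent_for("REQ-001", "CUST-42", t0 + timedelta(hours=1))
    log.entries[0]["body"]["purpose"] = "marketing"  # after-the-fact edit
    _, bad_index = log.verify()
    return intact, bad_index, allowed, stale  # (True, 0, True, False)


if __name__ == "__main__":
    print(demo())
```

The point of the chain is not secrecy but evidence: an auditor given the log can recompute every hash and show that the entries they are reading are the entries that were written at the time. Anchor the latest hash somewhere outside the log (a daily signed digest, a write-once store) so a rewrite of the whole chain is also detectable.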
The risk-tiered re-KYC schedule has been mandatory for years but inconsistently implemented across the industry. RBI's January 2026 deadline for implementing the 3-notice reminder framework has passed. Auditors will look for: a complete map of your customer base by risk tier, evidence that re-KYC due dates are being tracked, and documented proof that the 3-reminder notice sequence was sent before each due date with at least one written letter.
Storing or transmitting unmasked Aadhaar numbers is simultaneously a CKYCRR 2.0 violation and a potential Digital Personal Data Protection Act (DPDP) exposure. Auditors will examine not just the CKYC API submissions but the downstream systems - CBS, LMS, DMS, CRM - where Aadhaar data may be stored. A clean API submission does not protect against an adverse finding if the underlying systems retain unmasked data.
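The downstream sweep the paragraph calls for needs a detector that does better than "any 12 digits", or the CRM export will drown the finding in loan references and phone numbers. The added example below is not from the page or from HSS: it scans exported text fields for candidate 12-digit strings and keeps only those that carry a valid Verhoeff check digit and a leading digit of 2 to 9 (the UIDAI number format), then reports each hit in last-four-digits masked form so the finding itself does not leak the number. The sample records are constructed; 999941057058 is used only because it passes the Verhoeff check.

```python
"""
Added example: sweep exported fields from downstream systems (CBS, LMS, DMS,
CRM) for unmasked Aadhaar numbers. Candidate 12-digit strings are filtered
with the Verhoeff check digit that Aadhaar carries, which drops most loan
references, mobile numbers and other digit runs. Sample records are constructed.
"""
import re
from typing import Dict, List

# Standard Verhoeff multiplication (d) and permutation (p) tables.
_D = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
    [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
    [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
    [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
    [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
    [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
    [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
    [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
    [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
]
_P = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
    [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
    [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
    [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
    [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
    [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
    [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
    [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
]


def verhoeff_valid(digits: str) -> bool:
    """True when the last digit is the correct Verhoeff check digit for the rest."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[i % 8][int(ch)]]
    return c == 0


def looks_like_aadhaar(digits: str) -> bool:
    """UIDAI format: 12 digits, first digit 2-9, Verhoeff check passes."""
    return len(digits) == 12 and digits.isdigit() and digits[0] not in "01" and verhoeff_valid(digits)


def mask_aadhaar(digits: str) -> str:
    """Keep only the last four digits, the masked form used for display and storage."""
    return "XXXX XXXX " + digits[-4:]


# Three groups of four digits, optionally separated by a space or hyphen, not
# embedded in a longer digit run (so 16-digit card numbers are not split up).
_CANDIDATE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def find_unmasked(text: str, source: str) -> List[Dict]:
    """One finding per Verhoeff-valid Aadhaar number found in `text`."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if looks_like_aadhaar(digits):
            findings.append({"source": source, "offset": m.start(), "masked": mask_aadhaar(digits)})
    return findings


def scan_all(records: Dict[str, str]) -> List[Dict]:
    hits = []
    for source, text in records.items():
        hits.extend(find_unmasked(text, source))
    return hits


# Constructed exports. 999941057058 passes the Verhoeff check; the other
# 12-digit values are decoys that a naive \d{12} scan would flag.
SAMPLE_RECORDS: Dict[str, str] = {
    "crm_note": "Customer called re KYC; Aadhaar 9999 4105 7058 verified, mobile 9876543210",
    "lms_ref": "Loan ref 123456789012 disbursed on 2026-04-01",
    "cbs_memo": "UID 999941057059 keyed in (typo on last digit)",
    "dms_tag": "Aadhaar XXXX XXXX 7058 on file - already masked",
}

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_RECORDS):
        print(hit)
```

A random 12-digit string still passes the Verhoeff check about one time in ten, so treat hits as candidates for manual review rather than proof, and run the scan over database columns, document OCR output and log files, not just the CKYC API payloads. Note also what the detector cannot see: Aadhaar numbers stored in images or PDFs need an OCR pass first.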
When a downloaded CKYC record produces a partial match against current onboarding data, the institution must follow the authorised CKYC Update API workflow. Auditors look for evidence that partial matches were identified, classified correctly, routed through the proper update process, and resolved before the CKYC number was stored. Undocumented partial matches - where a CKYC number was stored without completing the update workflow - are a recurring finding.
The Audit Readiness Checklist
The infographic below maps your audit readiness across all five audit areas. Use it as a self-assessment framework before your next regulatory inspection.
Run through the checklist with your operations, technology, and compliance leads together. Any red item is a potential audit finding. More than two red items in any single area is a systemic gap that requires a remediation plan before the next inspection.
How many red items does your institution have?
HSS provides a structured CKYC compliance diagnostic for NBFCs and banks - we map your current state against all five audit areas and deliver a prioritised remediation plan within one week.
The True Cost of Compliance vs Non-Compliance
Compliance teams often face internal resistance when seeking budget for CKYC remediation. The most effective response is a direct comparison of the cost of compliance against the cost of non-compliance. The table below frames this comparison using real numbers.
| Cost Item | Cost of Compliance | Cost of Non-Compliance |
|---|---|---|
| Upload timeliness | Automated upload pipeline - one-time build cost | Rs.1 lakh per day per systemic default. 100 accounts delayed by 2 days = potential Rs.2 lakh exposure |
| OTP consent logging | Audit log infrastructure - moderate build or part of managed service | Adverse audit finding, potential direction to remediate, reputational exposure in published order |
| Periodic re-KYC programme | Automated reminder system, risk tier tagging - internal IT project or managed service | Account restriction liability post June 30, 2026 + regulatory finding for each overdue account |
| Aadhaar masking | One-time data audit and masking implementation across systems | PMLA violation + DPDP Act exposure + potential direction to remediate all affected records |
| Total managed service cost | Predictable monthly fee covering all compliance obligations | Unpredictable penalty exposure + internal remediation cost + management time + reputational risk |
The June 30, 2026 Deadline You Cannot Miss
Among the near-term compliance milestones, June 30, 2026 carries the most operational urgency. This is the date by which the grace period for low-risk customers with overdue KYC expires.
RBI's amended Master Direction allowed low-risk customers whose periodic KYC was overdue a grace period - the later of one year from their due date or June 30, 2026. After this date, institutions can restrict accounts where KYC remains incomplete. That restriction obligation cuts both ways: an institution that fails to identify and act on overdue KYC accounts is itself non-compliant, while one that restricts accounts without having followed the proper 3-notice sequence faces a different compliance exposure.
June 30, 2026 is weeks away. Is your re-KYC programme ready?
HSS can run your complete re-KYC audit population assessment and manage the notice, follow-up, and resolution workflow end to end. Talk to us before the deadline, not after.
Make Your Next CKYC Audit a Clean One
HSS manages the complete CKYC compliance programme for NBFCs and banks - upload timeliness, OTP consent logging, periodic re-KYC, data matching documentation, and Aadhaar masking compliance. One managed service, all five audit areas covered.
This article is for informational purposes only and does not constitute legal advice. For institution-specific compliance guidance, consult your legal and regulatory team.