RBI KYC Master Direction 2026: How It Affects Company Bank Account Opening

- The RBI KYC Master Direction, 2016 (updated through 2026) governs all KYC requirements for company bank account opening in India
- Beneficial ownership threshold is 10% - every individual holding 10% or more shares or voting rights must complete full KYC
- Video KYC (V-CIP) is now accepted for verifying directors and authorised signatories of companies remotely
- Companies receive a 14-digit CKYC Identifier (KIN) from CERSAI, eliminating repeat KYC across banks
- Re-KYC timelines: 2 years (high risk), 8 years (medium risk), 10 years (low risk)
- Non-compliance with re-KYC leads to partial and then full account freeze, with mandatory 30-day written notice before any freeze
- Cash transactions above ₹10 lakh per month trigger mandatory Cash Transaction Reports (CTRs) to FIU-IND
The Reserve Bank of India's KYC Master Direction shapes every company's banking experience from the first account opening form to ongoing transaction monitoring. Originally issued in 2016 under the Prevention of Money Laundering Act (PMLA), 2002, this Direction has undergone over 15 amendments through 2026, each tightening anti-money laundering safeguards while gradually expanding digital verification options. For founders registering a Private Limited Company or LLP, understanding these norms is no longer optional - it directly determines how fast your company gets a functional bank account and how smoothly you maintain it.
This article breaks down the 2026-updated RBI KYC Master Direction as it applies to companies and LLPs. We cover the documents you need, the new V-CIP and CKYC processes, beneficial ownership rules, risk categorisation, re-KYC timelines, and the compliance steps that prevent account freezes.
What Is the RBI KYC Master Direction?
The Master Direction - Know Your Customer (KYC) Direction, 2016 is the RBI's consolidated regulatory framework governing customer identification, verification, and ongoing monitoring for all Regulated Entities (REs). It implements India's obligations under the Prevention of Money Laundering Act (PMLA), 2002 and aligns with recommendations from the Financial Action Task Force (FATF).
The Direction applies to:
- Scheduled commercial banks (SBI, HDFC, ICICI, and all others)
- Cooperative banks and Regional Rural Banks
- Non-Banking Financial Companies (NBFCs) registered with the RBI
- Payment system operators and prepaid instrument issuers
- Housing Finance Companies regulated by NHB
For companies, the Direction prescribes specific rules for legal entity KYC that go beyond individual customer norms. These include beneficial ownership identification, verification of authorisation documents (Board Resolutions, MoA/AoA), and ongoing monitoring of ownership structure changes.
Key Amendments Through 2026
The RBI has amended the original 2016 Direction multiple times. The most significant updates affecting company bank account opening include:
- January 2020: Introduction of Video-based Customer Identification Process (V-CIP) for individual accounts
- May 2021: Extension of V-CIP to proprietary firms and authorised signatories of legal entities
- April 2023: Mandatory CKYC registration for all new accounts, including company accounts
- November 2023: Beneficial ownership threshold reduced from 25% to 15% for companies
- July 2024: DigiLocker-based document verification accepted for MCA-issued certificates
- January 2025: Beneficial ownership threshold further reduced to 10%, aligning with FATF standards
- April 2026: Enhanced V-CIP protocols for legal entity account opening, updated risk categorisation matrix, and mandatory digital KYC record maintenance
Since January 2025, banks must identify every individual holding 10% or more of shares or voting rights in a company opening a bank account. If your company has 5 shareholders each holding 20%, all 5 must complete full KYC. Failure to declare ultimate beneficial owners (UBOs) can result in the bank refusing to open the account or reporting the entity to FIU-IND.
KYC Documents Required for Company Bank Account Opening
The RBI KYC Master Direction specifies two categories of documents for company accounts: entity-level documents that verify the company itself, and individual-level documents that verify the people behind it. Missing even one document delays the account opening process by 2 to 4 weeks in most banks.
Entity-Level Documents
| Document | Issuing Authority | Purpose |
|---|---|---|
| Certificate of Incorporation (CoI) | MCA / Registrar of Companies | Proves legal existence and CIN |
| PAN Card of the Company | Income Tax Department | Tax identification and CKYC linking |
| Memorandum of Association (MoA) | MCA (filed during incorporation) | Verifies authorised objects and capital |
| Articles of Association (AoA) | MCA (filed during incorporation) | Confirms governance rules and signatory powers |
| Board Resolution | Company's Board of Directors | Authorises account opening and names signatories |
| Registered Office Address Proof | Utility company / Landlord | Verifies principal place of business |
| Beneficial Ownership Declaration | Company (self-declaration) | Identifies all UBOs with 10%+ holding |
| GST Registration Certificate | GST Portal | Additional verification (if applicable) |
Individual-Level Documents (Directors, Signatories, UBOs)
Each director, authorised signatory, and beneficial owner identified under the 10% threshold must provide:
- PAN card - mandatory for all individuals linked to the account
- Aadhaar card - required for Aadhaar-based e-KYC or V-CIP verification
- Officially Valid Document (OVD) - Aadhaar, passport, driving licence, voter ID, NREGA card, or NPR letter
- Address proof - OVD or utility bill not older than 2 months
- Passport-size photograph - recent, unless V-CIP captures a live image
Beneficial Ownership Rules: The 10% Threshold Explained
Beneficial ownership identification is the most significant compliance requirement for companies under the RBI KYC Direction. Banks are required to look through the corporate structure and identify the natural persons who ultimately own or control the company.
How the 10% Threshold Works
The RBI defines a beneficial owner of a company as any natural person who - individually or acting together with other persons - holds 10% or more of:
- Shares in the company (direct or indirect)
- Capital of the company
- Voting rights in the company
For indirect holdings, the bank traces ownership through intermediate entities. If Company A holds 40% of Company B, and Individual X holds 30% of Company A, then Individual X's indirect beneficial ownership in Company B is 12% (40% × 30%), which exceeds the 10% threshold.
When No Individual Meets the 10% Threshold
If the ownership structure is so dispersed that no single individual holds 10% or more, the bank must identify and verify the senior managing official - typically the Managing Director, CEO, or Whole-Time Director. This fallback applies to widely held companies, government-owned entities, and companies with complex cross-holding structures.
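The look-through calculation and the senior-managing-official fallback described above, as an added Python example (not taken from the RBI Direction or any bank's system). The `holdings` layout, function names and sample entities are assumptions made for illustration; Individual Y and Z are constructed to show direct and indirect stakes being added together. It models shareholding only, not voting rights or persons acting together.

```python
from fractions import Fraction

THRESHOLD = Fraction(10, 100)  # the 10% threshold stated in the article


def pct(n):
    """Exact percentage; floats would make the >= 10% boundary unreliable."""
    return Fraction(n, 100)


def effective_stakes(holdings, persons, target):
    """Sum each natural person's direct and indirect stake in `target`.

    holdings: {holder: {held_entity: Fraction}} (hypothetical layout).
    Returns (stakes, cut): the stake per person, and the entities at which
    a circular cross-holding was cut. Cutting understates stakes, so a
    non-empty `cut` means the structure needs manual review.
    """
    holders_of = {}
    for holder, held in holdings.items():
        for entity, frac in held.items():
            holders_of.setdefault(entity, []).append((holder, frac))

    stakes, cut = {}, set()

    def walk(entity, weight, path):
        for holder, frac in holders_of.get(entity, []):
            through = weight * frac  # multiply percentages along the chain
            if holder in persons:
                # The same person may be reached by several routes: add them.
                stakes[holder] = stakes.get(holder, Fraction(0)) + through
            elif holder in path:
                cut.add(holder)  # cross-holding loop: stop here
            else:
                walk(holder, through, path | {holder})

    walk(target, Fraction(1), frozenset({target}))
    return stakes, cut


def individuals_for_kyc(holdings, persons, target, senior_official):
    """Apply the 10% test, falling back to the senior managing official."""
    stakes, cut = effective_stakes(holdings, persons, target)
    ubos = sorted(p for p, s in stakes.items() if s >= THRESHOLD)
    if ubos:
        return {"basis": "ownership", "individuals": ubos,
                "manual_review": bool(cut)}
    return {"basis": "senior managing official",
            "individuals": [senior_official], "manual_review": bool(cut)}


# Constructed sample: the article's Company A / Company B / Individual X case,
# plus Y (9% direct + 5% of A) and Z (8% direct) added for illustration.
PERSONS = {"Individual X", "Individual Y", "Individual Z"}
HOLDINGS = {
    "Company A": {"Company B": pct(40)},
    "Individual X": {"Company A": pct(30)},
    "Individual Y": {"Company A": pct(5), "Company B": pct(9)},
    "Individual Z": {"Company B": pct(8)},
}
# Constructed dispersed structure: 11 holders at 9% each, nobody reaches 10%.
DISPERSED = {f"Holder {i}": {"WideCo": pct(9)} for i in range(1, 12)}

if __name__ == "__main__":
    stakes, _ = effective_stakes(HOLDINGS, PERSONS, "Company B")
    for person in sorted(stakes):
        print(f"{person}: {float(stakes[person]):.0%}")
    print(individuals_for_kyc(HOLDINGS, PERSONS, "Company B", "Managing Director"))
    print(individuals_for_kyc(DISPERSED, set(DISPERSED), "WideCo", "Managing Director"))
```

Individual Y holds less than 10% on either route alone and crosses the threshold only when the direct and indirect stakes are summed, which is the case a single-layer check of the share register misses.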
For LLPs, the beneficial ownership threshold applies to profit share or capital contribution. Every partner (designated or otherwise) contributing 10% or more of capital, or entitled to 10% or more of profits, must complete full KYC. This is specified in the LLP Agreement, which the bank verifies during onboarding.
Video KYC (V-CIP) for Company Accounts
The Video-based Customer Identification Process (V-CIP) allows banks to verify the identity of individuals remotely through a live video interaction. Originally introduced for individual accounts in 2020, the RBI has progressively expanded V-CIP to cover authorised signatories and directors of legal entities, making it a viable option for companies that need to open accounts without visiting a branch.
How V-CIP Works for Company Account Opening
The V-CIP process for company accounts follows these steps:
- Application submission: The company submits entity documents (CoI, PAN, MoA/AoA, Board Resolution, UBO Declaration) through the bank's digital platform or email
- V-CIP scheduling: The bank schedules individual V-CIP sessions for each director, authorised signatory, and UBO identified in the application
- Live video session: A trained bank official conducts a live video call (minimum 720p resolution) with each individual, verifying their identity against the OVD presented on camera
- Aadhaar OTP verification: The individual enters an Aadhaar OTP during the video session for real-time UIDAI authentication
- Live photo capture: The bank captures a live photograph during the video call for facial matching with the OVD
- Session recording: The entire video session is recorded and stored as part of the KYC record for a minimum of 5 years
- Account activation: After all individuals complete V-CIP and entity documents are verified, the account is activated within 1 to 3 working days
Limitations of V-CIP for Company Accounts
V-CIP does not eliminate all physical requirements. Banks retain the right to:
- Require a physical visit to the registered office for medium and high-risk accounts
- Ask for original documents for verification if digital copies are unclear or incomplete
- Refuse V-CIP for accounts involving foreign beneficial owners, PEPs, or entities in FATF grey-list countries
- Mandate in-person verification if the V-CIP session raises doubts about the individual's identity
Central KYC (CKYC) Registration for Companies
The Central KYC (CKYC) Registry, maintained by CERSAI under the Ministry of Finance, is a centralised database that stores verified KYC records of customers across all financial institutions. Since April 2023, banks are required to upload KYC records of all new accounts - including company accounts - to the CKYC registry.
How CKYC Works for Company Accounts
When a company completes KYC with its first bank, the process follows this sequence:
- The bank verifies all entity and individual documents as per the RBI KYC Direction
- After verification, the bank uploads the complete KYC record to CERSAI's CKYC database
- CERSAI assigns a 14-digit KYC Identifier (KIN) to the company
- Each individual (director, signatory, UBO) also receives a separate KIN linked to their personal KYC
- When the company opens accounts with other banks, it provides the KIN instead of re-submitting all documents
- The new bank retrieves the verified KYC record from CERSAI using the KIN and performs only incremental verification for any changes
Companies with an existing CKYC record can open additional bank accounts in 3 to 5 working days instead of the typical 10 to 21 days, since the receiving bank downloads pre-verified KYC data from CERSAI instead of re-verifying documents from scratch. Keep your KIN accessible - most banks now ask for it as the first field in the account opening form.
Updating CKYC Records
Companies must update their CKYC record whenever there is a change in:
- Directors or designated partners (additions, resignations, or disqualifications)
- Authorised signatories for bank operations
- Beneficial owners crossing or falling below the 10% threshold
- Registered office address
- Company name (post-approval from MCA)
The update can be initiated through any bank where the company holds an account. The bank uploads the changes to CERSAI, which propagates the update to all linked financial institutions.
Risk Categorisation, Re-KYC Timelines, and Due Diligence Levels
Every bank account is assigned a risk category under the RBI KYC Direction. This categorisation determines the level of due diligence applied, the frequency of re-KYC, and the intensity of ongoing transaction monitoring. For companies, the risk category directly affects how quickly you can open an account and how often you face compliance requests.
| Risk Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Business Type | IT services, consulting, manufacturing | Real estate, construction, import-export | Jewellery, cash-intensive, cryptocurrency |
| Ownership Structure | Simple, Indian promoters only | Holding company with 1-2 layers | Multi-layered, foreign UBOs, PEPs |
| Turnover Range | Below ₹5 crore annually | ₹5 crore to ₹50 crore annually | Above ₹50 crore or unexplained spikes |
| Geographic Operations | Single state, domestic only | Multi-state or limited cross-border | FATF grey-list countries, tax havens |
| Account Opening Time | 3 to 7 working days | 7 to 14 working days | 14 to 30 working days (with EDD) |
| Re-KYC Frequency | Every 10 years | Every 8 years | Every 2 years |
| Due Diligence Level | CDD (standard) | CDD + periodic review | EDD + senior management approval |
| Transaction Monitoring | Automated threshold alerts | Automated + periodic manual review | Continuous monitoring + manual review |
Re-KYC Compliance: Timelines and Procedures
Re-KYC is the periodic renewal of customer verification that banks must conduct based on the assigned risk category. For company accounts, re-KYC involves updating both entity-level and individual-level information.
Re-KYC Timeline Summary
- High-risk accounts: Re-KYC every 2 years from the date of last KYC verification
- Medium-risk accounts: Re-KYC every 8 years
- Low-risk accounts: Re-KYC every 10 years
What Banks Verify During Re-KYC
During re-KYC, banks verify whether any material changes have occurred since the last KYC update:
- Director and signatory changes: New directors must complete fresh KYC; resigned directors are delinked
- Beneficial ownership changes: Share transfer records are reviewed to identify new UBOs crossing the 10% threshold
- Address verification: Updated utility bill or lease agreement for the registered office
- Business activity review: Transaction patterns are compared against the declared nature of business
- Risk re-assessment: The bank may upgrade or downgrade the risk category based on the updated information
Banks must follow a strict process before freezing accounts for KYC non-compliance:
- Step 1: Written notice at least 6 months before re-KYC due date
- Step 2: Reminder notice 30 days before the due date
- Step 3: Partial freeze (credits allowed, debits restricted) after the due date
- Step 4: Full freeze only after additional notice and reasonable time
Companies can reverse a freeze at any point by completing the re-KYC process.
Anti-Money Laundering (AML) Obligations for Company Accounts
The RBI KYC Direction integrates AML compliance into the account lifecycle. For company accounts, banks implement specific monitoring and reporting requirements that affect daily operations.
Mandatory Reporting Thresholds
- Cash Transaction Reports (CTRs): All cash transactions (deposits + withdrawals) exceeding ₹10 lakh in a single month are reported to FIU-IND by the 15th of the following month
- Suspicious Transaction Reports (STRs): Any transaction that the bank considers suspicious - regardless of amount - must be reported to FIU-IND within 7 working days
- Non-Profit Organisation Transactions (NPTs): All transactions by non-profit entities, including Section 8 Companies, are reported monthly to FIU-IND
- Cross-border Wire Transfers: All international transfers above ₹5 lakh require originator and beneficiary information to be included in the payment message
Transaction Monitoring Triggers for Company Accounts
Banks flag company accounts for enhanced review when they detect:
- Cash-intensive operations inconsistent with the declared business type (e.g., an IT company making frequent large cash deposits)
- Rapid fund transfers - large credits immediately followed by transfers to multiple third-party accounts
- Shell company indicators - minimal operational activity despite large transaction volumes
- Round-tripping patterns - funds flowing out to a foreign entity and returning through a different route
- Director changes coinciding with significant transaction pattern shifts
Digital KYC and DigiLocker Integration
The RBI has progressively expanded digital KYC acceptance to reduce the documentation burden on companies. The 2026 amendments strengthen the role of DigiLocker and Aadhaar-based e-KYC in the company account opening process.
DigiLocker-Accepted Documents for Company KYC
Banks now accept documents fetched directly from DigiLocker as equivalent to original documents. For company accounts, the following MCA-issued documents are available on DigiLocker:
- Certificate of Incorporation - linked to the company's CIN on the MCA portal
- PAN card - individual PAN of directors issued by the Income Tax Department
- Aadhaar card - issued by UIDAI, accessible through the mAadhaar app or DigiLocker
- Driving licence - issued by the state RTO, available on DigiLocker
- GST Registration Certificate - issued by the GST portal
DigiLocker documents carry the same legal validity as originals under the Information Technology Act, 2000 and do not require physical verification or attestation.
Aadhaar e-KYC for Directors and Signatories
Under Section 11A of the PMLA, banks can verify directors and authorised signatories through Aadhaar-based OTP authentication. The UIDAI returns the individual's demographic and biometric data to the bank in real time. This electronic verification is legally equivalent to physical document verification and is accepted as a valid KYC method under the RBI Direction.
For companies with directors located in different cities, Aadhaar e-KYC combined with V-CIP means that no director needs to physically visit the bank branch. The entire process can be completed remotely in 1 to 3 working days per individual.
Step-by-Step: Opening a Company Bank Account Under 2026 KYC Norms
Here is the practical workflow for opening a company bank account in compliance with the current RBI KYC Master Direction:
1. Gather entity documents (Day 1 to 3): Collect CoI, PAN, MoA/AoA, and proof of registered office. If the company was incorporated through SPICe+, download these from the MCA portal
2. Pass Board Resolution (Day 3 to 5): Hold a Board Meeting and pass a resolution authorising account opening, naming the bank, and specifying authorised signatories with their operating powers (single/joint signatory, transaction limits)
3. Prepare Beneficial Ownership Declaration (Day 5 to 7): List all individuals holding 10% or more shares/voting rights with their PAN, Aadhaar, and address details. If no individual meets the threshold, identify the senior managing official
4. Collect individual KYC documents (Day 7 to 10): PAN, Aadhaar, and address proof for every director, signatory, and UBO. Download digital copies from DigiLocker where available
5. Submit application to the bank (Day 10 to 12): Apply through the bank's online portal or visit a branch. Attach all entity and individual documents. Provide CKYC KIN if available from a previous bank account
6. Complete V-CIP or in-person verification (Day 12 to 17): Each director, signatory, and UBO completes verification through V-CIP (remote) or in-person branch visit. Banks typically schedule V-CIP sessions within 2 to 3 working days of application
7. Bank verification and processing (Day 17 to 21): The bank verifies documents against the MCA portal, conducts internal risk assessment, assigns a risk category, and processes the account
8. Account activation (Day 21 to 25): Account number, cheque book, internet banking credentials, and debit card are issued. The bank uploads the KYC record to CERSAI and assigns the CKYC KIN
If your company already has a CKYC KIN from a previous bank account, steps 2 through 4 are significantly shortened. The new bank retrieves your verified KYC from CERSAI and requires only incremental documents (new Board Resolution naming the new bank). Total timeline drops to 5 to 10 working days.
KYC Requirements by Entity Type
The RBI KYC Direction prescribes slightly different requirements based on the type of legal entity. Here is a comparison of KYC norms for the most common business structures:
| Requirement | Private Limited Company | LLP | One Person Company (OPC) |
|---|---|---|---|
| Incorporation Certificate | CoI from MCA | CoI from MCA | CoI from MCA |
| Governing Document | MoA and AoA | LLP Agreement | MoA and AoA |
| Authorisation Document | Board Resolution | Partners' Resolution | Director's Declaration |
| UBO Threshold | 10% of shares or voting rights | 10% of capital or profit share | Sole member is the UBO |
| Minimum Individuals for KYC | All directors + signatories + UBOs | All designated partners + signatories + UBOs | Sole director + nominee |
| V-CIP Eligibility | Yes (for all individuals) | Yes (for all individuals) | Yes (sole director) |
| CKYC Registration | Mandatory since April 2023 | Mandatory since April 2023 | Mandatory since April 2023 |
| Typical Account Opening Time | 7 to 21 working days | 7 to 21 working days | 5 to 14 working days |
Common KYC Rejections and How to Avoid Them
Banks reject or delay company account applications for specific, avoidable reasons. Based on the common issues flagged during bank onboarding, here are the top rejection causes and their fixes:
- Incomplete Board Resolution: The resolution must name the specific bank, branch (if required), authorised signatories with their DIN/DPIN, and operating instructions (single or joint signatory). Generic resolutions without bank details are rejected
- Missing UBO Declaration: Banks will not process the application without a signed Beneficial Ownership Declaration form. Even if a single person holds 100% shares, the declaration is still required
- Director KYC mismatch: The name on the director's PAN must exactly match the name on the MCA portal. Initials, middle names, or spelling variations cause rejection. Correct the mismatch with the Income Tax Department or MCA before applying
- Expired address proof: Utility bills older than 2 months and rental agreements beyond their validity period are not accepted. Collect fresh documents before the bank submission
- No activity clause in MoA: Some banks verify that the company's MoA authorises the type of business activity the account will fund. If the MoA objects are too narrow or unrelated to the stated purpose, the bank may ask for an amendment
- DIN deactivation: If any director's DIN is flagged as deactivated on the MCA portal (due to non-filing of DIR-3 KYC), the bank will hold the application until the DIN is reactivated. File DIR-3 KYC immediately to resolve this
Ongoing KYC Compliance After Account Opening
Opening the account is the first step. The RBI KYC Direction imposes ongoing obligations that companies must meet throughout the account's lifecycle. Non-compliance at any stage can trigger enhanced monitoring, account restrictions, or regulatory reporting.
Mandatory Updates Within 30 Days
Companies must notify the bank within 30 days of any change in:
- Directors: Submit new director's KYC documents, updated Board Resolution, and DIR-12 filing acknowledgement
- Registered office address: Submit INC-22 filing acknowledgement, updated CoI (if applicable), and new address proof
- Authorised signatories: Submit new Board Resolution and KYC documents of new signatories
- Shareholding pattern: Notify the bank if any individual crosses or falls below the 10% UBO threshold due to share transfers, allotments, or buybacks
- Company name: Submit the fresh CoI issued by MCA after name change approval
Annual Compliance Touchpoints
Beyond ad-hoc updates, companies should align their bank KYC compliance with their regular annual filing calendar:
- After AGM (September to November): Share the annual return filing acknowledgement if the bank requests verification of current director and shareholder details
- After DIR-3 KYC (September): Confirm that all directors have filed their annual DIR-3 KYC with the MCA to prevent DIN deactivation, which affects bank operations
- After share transfers: Update the UBO Declaration if any transfer changes the beneficial ownership structure above or below 10%
- Before re-KYC due date: Proactively collect updated documents from all directors and signatories to complete re-KYC before the bank's deadline
Companies that integrate bank KYC updates into their regular compliance management process avoid last-minute scrambles. Assign one person - typically the Company Secretary or a Virtual CFO - to maintain a tracker of all bank accounts, their KYC status, re-KYC due dates, and the current list of signatories and UBOs across all banks.
How the 2026 Amendments Affect Startups and New Companies
The 2026 amendments to the RBI KYC Master Direction have specific implications for DPIIT-registered startups and newly incorporated companies:
- Faster account opening via V-CIP: Startups with directors in different cities no longer need to coordinate a single branch visit. Each director completes V-CIP independently from their own location
- DigiLocker reduces document chasing: Incorporation certificates, PAN, and Aadhaar downloaded from DigiLocker are accepted as originals, eliminating the need for notarised copies or bank attestation
- CKYC portability: Founders who already have personal KINs from individual bank accounts can expedite the company KYC process. The bank retrieves their pre-verified personal KYC from CERSAI
- Simplified risk categorisation: Most newly incorporated companies with domestic promoters and straightforward ownership qualify for low-risk categorisation, enabling faster account opening (3 to 7 working days) and a 10-year re-KYC cycle
- GST registration integration: Companies with active GST registration benefit from an additional verification layer that banks use to validate business activity, sometimes accelerating the risk assessment step
Penalties and Consequences of Non-Compliance
Non-compliance with RBI KYC norms creates consequences at two levels: for the company (as a customer) and for the bank (as the Regulated Entity). Understanding both helps companies anticipate what banks will enforce and why.
Consequences for Companies
- Account partial freeze: Credits allowed, debits restricted (except for government payments and EMIs) - this is the first enforcement step
- Account full freeze: All transactions blocked after continued non-compliance, requiring branch-level re-verification to unfreeze
- STR filing: If the bank suspects the KYC non-compliance is intentional (e.g., to avoid UBO disclosure), it may file a Suspicious Transaction Report with FIU-IND
- Cross-bank impact: Since CKYC records are centralised, non-compliance flagged by one bank can trigger re-verification requests from other banks where the company holds accounts
Consequences for Banks (Why Banks Enforce Strictly)
- Monetary penalties: ₹50 lakh to ₹5 crore for KYC violations under Section 47A of the Banking Regulation Act, 1949
- Operational restrictions: Branch expansion freezes and new product launch restrictions for persistent non-compliance
- Reputational risk: RBI publishes all penalty orders publicly, damaging the bank's market standing
- FATF mutual evaluation impact: Systemic KYC failures by Indian banks affect India's FATF rating, prompting stricter RBI enforcement cycles
Under the PMLA, the Financial Intelligence Unit (FIU-IND) can access transaction records of any company account flagged through CTRs or STRs. FIU-IND operates under the Ministry of Finance and shares intelligence with the Enforcement Directorate, Income Tax Department, and other agencies. Maintaining clean KYC records is the most effective way to avoid being flagged for enhanced scrutiny.
Practical Compliance Checklist for Company Bank Account KYC
Use this checklist to confirm your company is fully prepared before approaching any bank for account opening under the 2026 RBI KYC norms:
- ☑ Certificate of Incorporation downloaded from MCA portal or DigiLocker
- ☑ Company PAN card received from the Income Tax Department (auto-generated during SPICe+ incorporation)
- ☑ MoA and AoA with objects clause matching the intended business activity
- ☑ Board Resolution naming the specific bank, authorised signatories, and operating instructions
- ☑ Beneficial Ownership Declaration listing all individuals with 10%+ shareholding
- ☑ PAN and Aadhaar of every director, signatory, and UBO (names must match across all documents)
- ☑ Address proof for all individuals (utility bill not older than 2 months or valid OVD)
- ☑ Registered office address proof (utility bill, lease agreement, or NOC from property owner)
- ☑ DIR-3 KYC status confirmed as active for all directors on the MCA portal
- ☑ CKYC KIN noted (if available from a previous bank account)
- ☑ GST Registration Certificate (if applicable and already obtained)



