International Financial Services Centres Authority (“IFSCA”) in exercise of powers conferred under Section 28(1) read with Section 12(1) and Section 13(1) of the International Financial Services Centres Authority Act, 2019 vide Notification No. F. No. IFSCA/GN/2025/004,1 dated April 11, 2025, issued the International Financial Services Centres Authority (KYC Registration Agency) Regulations, 2025 (“KYC Regulations”)
Following the issuance of a consultation paper on the draft International Financial Services Centres Authority (KYC Registration Agency) Regulations, IFSCA received numerous public comments, suggestions, and feedback. A compilation of these responses has also been made available on the IFSCA official website. Taking into account the inputs received, the IFSCA has now notified the final KYC Regulations.
The primary purpose of the KYC Regulations shall be to regulate, standardize, and streamline the centralized Know Your Customer (“KYC”) process for financial transactions within International Financial Services Centres (“IFSCs”), ensuring compliance with international anti-money laundering (“AML”) and combating financing of terrorism (“CFT”) standards.
The salient features of the KYC Regulations are outlined below:
I. Registration Process
- Entities seeking registration as KYC Registration Agency (“KRAs”) must apply to IFSCA using the prescribed format, submitting the application electronically or otherwise along with the requisite fee.
- It has been noted that only companies incorporated in the IFSC are eligible. However, entities already registered with SEBI as KRAs may also open a fully owned subsidiary or branch in the IFSC to seek registration under these regulations.
- A minimum net worth of USD 1 million (One Million United States Dollars) shall be required at all times, and in case of branches, the parent SEBI-registered entity shall underwrite and maintain this financial threshold.
II. Eligibility and Fit & Proper Criteria
- Entities and individuals involved in the KRA’s functioning, such as directors, key managerial personnel, principal and compliance officers, and controlling shareholders, must meet the ‘fit and proper person’ criteria.
- This includes demonstrable financial integrity, good character and reputation, and a clean legal record. They must not have been convicted for crimes involving moral turpitude or economic offences, nor be subject to regulatory action, insolvency proceedings, or be designated as wilful defaulters or fugitive economic offenders.
III. Key Officer Appointments
KRAs must appoint a Principal Officer and a separate Compliance Officer, both of whom must operate from outside the IFSC. These officers must possess educational qualifications in fields such as finance, law, accounting, management, economics, or related disciplines. Further they must meet the requirements as specified in the KYC Regulations.
IV. Validity and Surrender of Registration
A KRA’s registration remains valid unless it is suspended or cancelled by IFSCA or voluntarily surrendered by the KRA with formal approval from IFSCA. The surrender of registration becomes effective only after IFSCA expressly accepts it.
V. Code of Conduct
KRAs must adhere to a comprehensive Code of Conduct outlined in Schedule I of the KYC Regulations. They are expected to act fairly and in the best interest of clients, uphold integrity and transparency, avoid misrepresentation and conflict of interest, and maintain the confidentiality of client data unless disclosure is legally mandated. The KRAs must also implement robust internal controls, ensure client grievance redressal, and avoid offering investment advice or engaging in market manipulation.
VI. Record Keeping
- KRAs shall be required to maintain electronic records for at least 5 (five) years. This shall include balance sheets, profit and loss statements, statutory audit reports, quarterly net worth statements, and compliance documentation under anti-money laundering laws.
- KRAs shall maintain a well-defined Business Continuity Plan (BCP) that identifies procedures in case of emergencies or disruptions. This plan must be reviewed annually and updated when there are material changes to business operations. Furthermore, KRAs must implement a strong Cybersecurity and Cyber Resilience Framework, including internal systems to identify, manage, and mitigate operational and data-related risks.
VII. Interoperability and Data Integrity
- KRAs shall be required to establish seamless electronic connectivity with other KRAs in the IFSC, as well as those regulated by SEBI or international regulators. The systems must support real-time sharing and verification of KYC documents and updates.
- KRAs shall maintain a well-defined Business Continuity Plan (BCP) that identifies procedures in case of emergencies or disruptions. This plan must be reviewed annually and updated when there are material changes to business operations. Furthermore, KRAs must implement a strong Cybersecurity and Cyber Resilience Framework, including internal systems to identify, manage, and mitigate operational and data-related risks.
VIII. Change in Control
For KRAs incorporated in the IFSC, any direct or indirect change in control whether by acquisition of shares, management rights, or voting agreements shall require prior approval from IFSCA. In the case of branch KRAs, any such change must be notified to IFSCA within 15 (fifteen) days of occurrence.
IX. Fee Payment and Audit Requirements
KRAs must pay the fees as prescribed by IFSCA. The KRAs shall also be required to conduct annual statutory audits through qualified professionals such as Chartered Accountants, Company Secretaries, or equivalent foreign professionals authorized to conduct audits. The audit report must be submitted to IFSCA by 30th September following the close of the financial year. Further, surprise audits may also be conducted, and KRAs must file such reports as required by the Authority.
X. Duties of KRAs and Regulated Entities
- KRAs shall be responsible for maintaining, updating, and verifying KYC documents uploaded by regulated entities. The proper storage, retrieval, and secure handling of data must be ensured and all concerned intermediaries of any updates to client records must be notified.
- Regulated Entities, in turn, must conduct initial due diligence, upload KYC data to the KRA’s system within 3 (three) working days of KYC completion, and retain physical copies of the documents. The Regulated Entities shall be prohibited from using client data for any purpose other than KYC compliance and are accountable for updating client information as necessary.
- Further, kindly refer to the KYC Regulations for the details of the duties, functions and obligations of KRAs and Regulated Entities.
XI. KYC Data Sharing
Subject to client consent, KRAs may allow access to KYC data for other financial regulators as specified by IFSCA. They shall also be permitted to connect with the Central KYC Registry (CKYCR) or other authorized government platforms to support centralized KYC initiatives across financial sectors. All sharing must comply with applicable data protection laws.
XII. Inspection and Regulatory Oversight
IFSCA may initiate inspections either directly or by appointing a third-party inspecting authority. KRAs are obligated to cooperate fully and provide unrestricted access to documents, premises, systems, and personnel. The inspecting authority may also examine the conduct and decision-making of the PO, CO, directors, and other officers. Inspection reports, whether interim or final, must be submitted to IFSCA, and IFSCA may take appropriate regulatory actions based on the findings. These include the power to impose penalties or suspend/cancel the registration.