What changed
RBI observed that banks were seeking intrusive personal information—like number of dependents, names of children, lifestyle details, foreign visits, assets, and spouse details—beyond what is required for KYC/AML compliance. The circular reiterates that only mandatory, risk-relevant information should be collected at account opening; any optional data must be obtained separately with explicit customer consent and kept confidential.
What it means for you
Banks must immediately stop demanding excessive personal details from customers during account opening or periodic updates. This reduces customer friction and privacy complaints, but also tightens compliance: banks need to clearly distinguish mandatory vs. optional fields and obtain explicit consent for the latter. Non-adherence could invite regulatory action.
What you must do
- Review and prune KYC forms to remove non-mandatory fields like dependents, spouse name, wedding date, assets, and foreign visit history.
- Clearly label mandatory vs. optional fields in account opening forms and customer communication.
- Collect optional information only after account opening, and only with the customer's explicit written consent.
- Ensure all customer data (mandatory and optional) is treated as confidential and not used for cross-selling without separate consent.
- Train frontline staff on the revised KYC data collection norms to avoid overreach.
Who it affects
- Regional Rural Banks (RRBs)
- State Cooperative Banks (StCBs)
- Central Cooperative Banks (CCBs)
- Customers opening accounts or undergoing periodic KYC updation
What specific information is now considered 'overboard' for KYC?
RBI flagged details like number of dependents, names of children, lifestyle, foreign visits in last three years, family members abroad, assets/liabilities, spouse name/DOB, wedding date, and investments as intrusive and not mandatory for KYC.
Can we still collect optional information from customers?
Yes, but only after the account is opened and with the customer's explicit consent. The customer must be told which fields are mandatory and which are optional.
What are the consequences if we continue collecting excessive data?
RBI has directed strict adherence. Non-compliance may lead to regulatory action, including penalties or supervisory restrictions, and could damage customer trust.