KYC and AML Policy

Applicability: Across all products and services offered by the Company
Issue Date: 14th April 2023
Last Updated: 4th April 2024
Approved By: Board of Directors of Shabri Investments Private Limited

Revision History and Approval

Date of Change | Version | Reviewer | Summary of Change
4th April 2024 | 2 | Ramanjeet Singh |

Approver | Title | Effective Date
Board | | 4th April 2024

1. INTRODUCTION:

1.1. According to the provisions of the Prevention of Money Laundering Act (PMLA) 2002 and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, the Reserve Bank of India (RBI) has issued comprehensive 'KNOW YOUR CUSTOMER' (KYC) Guidelines applicable to all Non-Banking Financial Companies (NBFCs) as amended from time to time.

1.2. In view of the same, the Board of Directors of Shabri Investments Private Limited (the “Company”/“We”/“Us”/“Ours”) has adopted this Policy on Know Your Customer and Anti-Money Laundering Measures (the “Policy”) in line with RBI guidelines.

1.3. The Company has formulated this KYC Policy according to RBI’s Master Direction – Know Your Customer (KYC) Direction, 2016, dated 25th February 2016, updated from time to time.

2. APPLICABILITY:

This Policy will be applicable to all the products and services being offered by the Company.

3. OBJECTIVES:

The following are the objectives of this Policy:

3.1. To discourage the financing of terrorism and money laundering.

3.2. To improve the company's understanding of its clients' financial dealings, which will help manage its risks more skillfully.

3.3. To put in place appropriate procedures and legal frameworks for identifying and disclosing suspicious activity.

3.4. To follow all relevant legal and regulatory requirements.

3.5. To guarantee that personnel are properly trained in KYC, AML, and CFT protocols.

4. DEFINITIONS:

4.1. “Act” and “Rules” mean the Prevention of Money-Laundering Act, 2002 and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, respectively, and amendments thereto.

4.2. “Authentication” in the context of Aadhaar authentication, means the process as defined under sub-section (c) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

4.3. “Certified Copy” – Obtaining a certified copy shall mean comparing the copy of the proof of possession of Aadhaar number, where offline verification cannot be carried out, or of the officially valid document so produced by the customer with the original, and recording the same on the copy by the authorized officer of the Company as per the provisions contained in the Act.

4.4. “Central KYC Records Registry” (CKYCR) means an entity defined under Rule 2 (1) of the Rules, to receive, store, safeguard and retrieve KYC records in digital form of a customer.

4.5. “Customer” – means a person who is engaged in a financial transaction or activity with a Regulated Entity (RE) and includes a person on whose behalf the person who is engaged in the transaction or activity is acting.

4.6. “Customer Due Diligence (CDD)” means identifying and verifying the customer and the beneficial owner using reliable and independent sources of identification.

Explanation – The CDD, at the time of commencement of an account-based relationship or while carrying out occasional transaction of an amount equal to or exceeding rupees fifty thousand, whether conducted as a single transaction or several transactions that appear to be connected, or any international money transfer operations, shall include: (a) Identification of the customer, verification of their identity using reliable and independent sources of identification, obtaining information on the purpose and intended nature of the business relationship, where applicable; (b) Taking reasonable steps to understand the nature of the customer's business, and its ownership and control; (c) Determining whether a customer is acting on behalf of a beneficial owner, and identifying the beneficial owner and taking all steps to verify the identity of the beneficial owner, using reliable and independent sources of identification.

4.7. “Designated Director” means a person designated by the Company to ensure overall compliance with the obligations imposed under chapter IV of the PML Act and the Rules.

4.8. “Digital KYC” means the capturing of a live photo of the customer and any one Officially Valid Document (“OVD”), where offline verification cannot be carried out, by an authorised officer of the Company.

4.9. “Equivalent e-document” means an electronic equivalent document, issued by the issuing authority with its valid digital signature including documents issued to the digital locker account of the customer as per rule 9 of the Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016.

4.10. “Officially Valid Document (OVD)” means the passport, the driving license, proof of possession of Aadhaar number, the Voter's Identity Card issued by the Election Commission of India, job card issued by NREGA duly signed by an officer of the State Government and letter issued by the National Population Register containing details of name and address. Provided that,

  1. where the customer submits his proof of possession of Aadhaar number as an OVD, he may submit it in such form as are issued by the Unique Identification Authority of India.
  2. where the OVD furnished by the customer does not have updated address, the following documents shall be deemed to be OVDs for the limited purpose of proof of address:
    1. utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
    2. property or Municipal tax receipt;
    3. pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
    4. letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and license agreements with such employers allotting official accommodation.
  3. the customer shall submit OVD with current address within a period of 3 (three) months of submitting the documents specified at (ii) above.
  4. where the OVD presented by a foreign national does not contain the details of address, in such case the documents issued by the Government departments of foreign jurisdictions and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

4.11. “Offline Verification” shall have the same meaning as assigned to it in clause (pa) of section 2 of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016.

4.12. “On-going Due Diligence” means regular monitoring of transactions in accounts to ensure that those are consistent with Company’s knowledge about the customers, customers’ business and risk profile, the source of funds / wealth.

4.13. “Politically Exposed Persons (PEPs)” are entities who are or have been entrusted with prominent public functions by a foreign country, including the Heads of States/Governments, senior politicians, senior government or judicial or military officers, senior executives of state-owned corporations and important political party officials.

4.14. “Updation / Periodic Updation” means steps taken to ensure that documents, data or information collected under the CDD process is kept up-to-date and relevant by undertaking reviews of existing records at periodicity prescribed by the Reserve Bank of India.

4.15. “Video-based Customer Identification Process (V-CIP)”: an alternate method of customer identification with facial recognition and customer due diligence by an authorised official of the Company by undertaking seamless, secure, live, informed-consent based audio-visual interaction with the customer to obtain identification information required for CDD purpose, and to ascertain the veracity of the information furnished by the customer through independent verification and maintaining audit trail of the process. Such processes complying with prescribed standards and procedures shall be treated on par with face-to-face Customer Identification Process for the purpose of this Policy.

4.16. “KYC Identifier” means the unique number or code assigned to a customer by the Central KYC Records Registry.

4.17. “FATCA” means Foreign Account Tax Compliance Act of the United States of America (USA) which, inter alia, requires foreign financial institutions to report about financial accounts held by U.S. taxpayers or foreign entities in which U.S. taxpayers hold a substantial ownership interest.

5. KYC PROCESS:

5.1. Customer Acceptance Policy ("CAP"):

5.1.1. No account shall be opened by the Company in anonymous or fictitious/benami names.

5.1.2. No account shall be opened where the Company is unable to apply appropriate CDD measures, either due to non-cooperation of the customer or non-reliability of the documents/information furnished by the customer.

5.1.3. No transaction or account-based relationship is undertaken without following the CDD procedure.

5.1.4. The mandatory information to be sought for KYC purpose while opening an account and during the periodic updation shall be as specified under this Policy and as amended or specified from time to time. Any exceptions shall be discussed with the Principal Officer.

5.1.5. Optional/additional information is obtained with the explicit consent of the customer after the account is opened.

5.1.6. The Company shall apply the CDD procedure at the UCIC level. Thus, if an existing KYC compliant customer of a RE desires to open another account with the same RE, there shall be no need for a fresh CDD exercise.

5.1.7. CDD Procedure is followed for all the joint account holders, while opening a joint account.

5.1.8. Suitable system is put in place to ensure that the identity of the customer does not match with any person or entity, whose name appears in the sanctions lists circulated by Reserve Bank of India.

5.1.9. Details of accounts resembling any of the individuals/entities in the lists shall be reported to FIU-IND apart from advising Ministry of Home Affairs as required under UAPA notification dated March 14, 2019, as amended from time to time. In addition to the above, other UNSCRs circulated by the Reserve Bank in respect of any other jurisdictions/entities from time to time shall also be taken note of.

5.1.10. Verified that identity of the customer does not match with any person or entity, whose name appears in the sanctions list circulated by Reserve Bank of India.

5.1.11. Where Permanent Account Number (PAN) is obtained, the same shall be verified from the verification facility of the issuing authority.

5.1.12. Where the Company forms a suspicion of money laundering or terrorist financing, and it reasonably believes that performing the CDD process will tip-off the customer, it shall not pursue the CDD process, and instead file an STR with FIU-IND.

5.1.13. Where an equivalent e-document is obtained from the customer, the Company shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000).

All customers, particularly those who are economically or socially disadvantaged, shall be treated equally and without discrimination.

5.2. Customer Identification Procedures ("CIP"):

5.2.1. Customer identification means identifying the customer and verifying his / her / its identity by using reliable, independent source documents, data or information while establishing a relationship. The Company will obtain sufficient information such as PAN, Voter ID card / Passport / Officially Valid Documents, etc. necessary to establish, to its satisfaction, the identity of each new customer, whether regular or occasional and the purpose of the intended nature of relationship. The Company will not insist on obtaining Aadhaar except for those accounts intended to receive government subsidies subvention or benefits under direct benefit transfer scheme of the Government. However, a customer voluntarily producing Aadhaar for the purpose of identification will be accepted by the Company.

5.2.2. Besides risk perception, the nature of information/documents required would also depend on the type of customer (individual, corporate etc.). For customers that are natural persons, Company shall obtain sufficient identification data to verify the identity of the customer, his address/location, and also his recent photograph. For customers that are legal persons or entities, the Company shall:

    (i). verify the legal status of the legal person/ entity through proper and relevant documents.

    (ii). verify that any person purporting to act on behalf of the legal person/entity is so authorized and identify and verify the identity of that person.

5.2.3. Understand the ownership and control structure of the customer and determine who are the natural persons who ultimately control the legal person. An indicative list of the nature and type of documents/information that may be relied upon for Customer Identification Procedure is given in Point 5.4 herein.

5.2.4. The Company shall undertake identification of customers in the following cases:

    (i). Commencement of an account-based relationship with the customer.

    (ii). When there is a doubt about the authenticity or adequacy of the customer identification data it has obtained.

    (iii). As and when applicable, selling third party products as agents, selling their own products and any other product for more than rupees fifty thousand.

5.2.5. For the purpose of verifying the identity of customers at the time of commencement of an account-based relationship, the Company shall rely on Customer Due Diligence (CDD) done by a third party, subject to the following conditions:

    (i). Records or the information of the customer due diligence carried out by the third party is obtained immediately from the third party or from the Central KYC Records Registry.

    (ii). The Company shall take adequate steps to satisfy themselves that copies of identification data and other relevant documentation relating to the customer due diligence requirements shall be made available from the third party upon request without delay.

    (iii). The third party is regulated, supervised or monitored for, and has measures in place for, compliance with customer due diligence and record-keeping requirements in line with the requirements and obligations under the Prevention of Money-Laundering Act.

    (iv). The third party shall not be based in a country or jurisdiction assessed as high risk.

    (v). The ultimate responsibility for CDD, including done by a third party and undertaking enhanced due diligence measures, as applicable, shall rest with the Company.

5.3. Customer Due Diligence (CDD) Procedures:

For undertaking CDD, the Company shall obtain the following from an individual while establishing an account-based relationship or while dealing with the individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity:

5.3.1. The Aadhaar number where:

  • he/she is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or
  • he/she decides to submit Aadhaar number voluntarily to the Company notified under first proviso to sub-section (1) of section 11A of the PML Act; or

(i) the proof of possession of Aadhaar number where offline verification can be carried out; or

(ii) the proof of possession of Aadhaar number where offline verification cannot be carried out or any OVD or the equivalent e-document thereof containing the details of his identity and address; and

5.3.2. The Permanent Account Number or the equivalent e-document thereof or Form No. 60 as defined in Income-tax Rules, 1962; and

5.3.3. Such other documents including in respect of the nature of business and financial status of the customer, or the equivalent e-documents thereof as may be required by the Company:

    (i). proof of possession of Aadhaar under clause (aa) above where offline verification can be carried out, the Company shall carry out offline verification.

    (ii). an equivalent e-document of any OVD, the Company shall verify the digital signature as per the provisions of the Information Technology Act, 2000 (21 of 2000) and any rules issued thereunder and take a live photo as specified under Digital KYC Process.

    (iii). any OVD or proof of possession of Aadhaar number under clause (ab) above where offline verification cannot be carried out, the Company shall carry out verification through digital KYC as specified under Digital KYC Process.

    (iv). KYC Identifier, the Company shall retrieve the KYC records online from the CKYCR in accordance with this Policy.

    (v). Provided that for a period not beyond such date as may be notified by the Government for a NBFC, instead of carrying out digital KYC, the Company may obtain a certified copy of the proof of possession of Aadhaar number or the OVD and a recent photograph where an equivalent e-document is not submitted.

Provided further that in case e-KYC authentication cannot be performed for an individual desirous of receiving any benefit or subsidy under any scheme, owing to injury, illness or infirmity on account of old age or otherwise and similar causes, the Company shall apart from obtaining the Aadhaar number, perform identification preferably by carrying out offline verification or alternatively by obtaining the certified copy of any other OVD or the equivalent e-document thereof from the customer. CDD done in this manner shall invariably be carried out by an official of the Company and such exception handling shall also be a part of the concurrent audit. The Company shall ensure to duly record the cases of exception handling in a centralised exception database. The database shall contain the details of grounds of granting exception, customer details, name of the designated official authorising the exception and additional details, if any. The database shall be subjected to periodic internal audit/inspection by the Company and shall be available for supervisory review.

Explanation 1: The Company shall, where its customer submits a proof of possession of Aadhaar Number containing Aadhaar Number, ensure that such customer redacts or blacks out his Aadhaar number through appropriate means where the authentication of Aadhaar number is not required as per the above provision.

Explanation 2: Biometric based e-KYC authentication can be done by the Company officials/business correspondents/business facilitators.

Explanation 3: The use of Aadhaar, proof of possession of Aadhaar etc., shall be in accordance with the Aadhaar (Targeted Delivery of Financial and Other Subsidies Benefits and Services) Act, 2016 and the regulations made thereunder.

KYC verification once done by one branch/office of the Company shall be valid for transfer of the account to any other branch/office, provided full KYC verification has already been done for the concerned account and the same is not due for periodic updation.

5.3.4. PAN Card shall be verified electronically from NSDL so as to ascertain correctness of PAN Number and corresponding name appearing in Income Tax database. The said verification may be carried out by the Company itself or through an independent Agency.

5.3.5. Aadhaar, Driving License and the Voter's ID shall be verified through Independent Agency.

5.3.6. Utility Bills and Passport will be used to verify address.

5.3.7. Customer will electronically upload his/ her/ their selfie.

5.3.8. Bank statement will be used to verify bank account number.

5.3.9. Accounts Opened through OTP based e-KYC in non-face to face mode are subject to the following conditions:

5.3.9.1. There must be a specific consent from the customer for authentication through OTP.

5.3.9.2. Only term loans shall be sanctioned. The aggregate amount of term loans sanctioned shall not exceed rupees sixty thousand in a year.

5.3.9.3. Account opened using OTP based e-KYC shall not be allowed for more than 1 (one) year unless identification as per this Policy is carried out. If Aadhaar details are used, the process shall be followed in its entirety including fresh Aadhaar OTP authentication.

5.3.9.4. If the CDD procedure mentioned in this Policy is not completed within 1 (one) year, no debits shall be allowed with respect to borrowal accounts.

5.3.9.5. A declaration shall be obtained from the customer to the effect that no other account has been opened nor will be opened using OTP based KYC in non face-to-face mode with any other bank/ NBFC or financial institution. Further, while uploading KYC information to CKYCR, the company shall clearly indicate that such accounts are opened using OTP based e-KYC and other REs shall not open accounts based on the KYC information of accounts opened with OTP based e-KYC procedure in non-face-to-face mode.

5.4. Customer Identification Procedure:

Certified documents or its equivalent e-documents that shall be obtained from the customers at the time of account opening are as below:

Type of Customer: Individuals
Documents: One of the following certified documents or the equivalent e-documents thereof, viz.:
    1. Passport;
    2. Aadhaar Card (mandatory for any subsidy benefit) or Proof of possession of Aadhaar issued by UIDAI or E-Aadhaar.
    3. Voter’s Identity Card issued by the Election Commission of India.
    4. Driving License.
    5. Job card issued by NREGA duly signed by an officer of the state government.
    6. Letter issued by Registrar of National Population Register containing details of name and address.

Permanent Account Number (PAN) or Form No. 60 as per Income Tax Rules 1962. (Mandatory along with one of the OVDs)


Provided that:
    i. where the customer submits his proof of possession of Aadhaar number as an OVD, he may submit it in such form as are issued by the Unique Identification Authority of India.
    ii. where the OVD furnished by the customer does not have updated address, the following documents or the equivalent e-documents thereof shall be deemed to be OVDs for the limited purpose of proof of address:
      a. utility bill which is not more than two months old of any service provider (electricity, telephone, post-paid mobile phone, piped gas, water bill);
      b. property or Municipal tax receipt;
      c. pension or family pension payment orders (PPOs) issued to retired employees by Government Departments or Public Sector Undertakings, if they contain the address;
      d. letter of allotment of accommodation from employer issued by State Government or Central Government Departments, statutory or regulatory bodies, public sector undertakings, scheduled commercial banks, financial institutions and listed companies and leave and licence agreements with such employers allotting official accommodation.
    iii. the customer shall submit OVD with current address within a period of 3 (three) months of submitting the documents specified at ‘ii’ above.
    iv. where the OVD presented by a foreign national does not contain the details of address, in such case the documents issued by the Government departments of foreign jurisdictions and letter issued by the Foreign Embassy or Mission in India shall be accepted as proof of address.

6. Beneficial Ownership Guidelines:

6.1. Rule 9 (1A) of the Prevention of Money Laundering Rules, 2005 requires that every banking company, and financial institution (as the case may be), shall identify the beneficial owner and take all reasonable steps to verify their identity.

6.2. Beneficial Owner (BO) means:

  • a. Where the customer is a company, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have a controlling ownership interest or who exercise control through other means.
    Explanation: For the purpose of this sub-clause:
    • "Controlling ownership interest" means ownership of/entitlement to more than 10 per cent of the shares or capital or profits of the company.
    • "Control" shall include the right to appoint majority of the directors or to control the management or policy decisions including by virtue of their shareholding or management rights or shareholders agreements or voting agreements.
  • b. Where the customer is a partnership firm, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of/entitlement to more than 10 per cent of capital or profits of the partnership or who exercises control through other means.
    Explanation: For the purpose of this sub-clause, "control" shall include the right to control the management or policy decision.
  • c. Where the customer is an unincorporated association or body of individuals, the beneficial owner is the natural person(s), who, whether acting alone or together, or through one or more juridical person, has/have ownership of/entitlement to more than 10 (ten) per cent of the property or capital or profits of the unincorporated association or body of individuals.
    Explanation: Term 'body of individuals' includes societies.
  • d. Where no natural person is identified under (a), (b) or (c) above, the beneficial owner is the relevant natural person who holds the position of senior managing official.
  • e. Where the customer is a trust, the identification of beneficial owner(s) shall include identification of the author of the trust, the trustee, the beneficiaries with 15% (fifteen percent) or more interest in the trust and any other natural person exercising ultimate effective control over the trust through a chain of control or ownership.

6.3. For opening account of a customer who is a juridical person (not specifically covered in the earlier part) such as societies, universities and local bodies like village panchayats, etc., or who purports to act on behalf of such juridical person or individual or trust, certified copies of the following documents or the equivalent e-documents thereof shall be obtained and verified:

6.3.1. Document showing name of the person authorised to act on behalf of the entity.

6.3.2. Documents, as specified for the Individuals, of the person holding an attorney to transact on its behalf and such documents as may be required by the Company to establish the legal existence of such an entity/juridical person.

6.3.3. For opening an account of a Legal Person who is not a natural person, the beneficial owner(s) shall be identified and all reasonable steps in terms of sub-rule (3) of Rule 9 of the Rules to verify his/her identity shall be undertaken keeping in view the following:

  • a. Where the customer or the owner of the controlling interest is (i) an entity listed on a stock exchange in India, or (ii) it is an entity resident in jurisdictions notified by the Central Government and listed on stock exchanges in such jurisdictions, or (iii) it is a subsidiary of such listed entities; it is not necessary to identify and verify the identity of any shareholder or beneficial owner of such entities.
  • b. In cases of trust/nominee or fiduciary accounts whether the customer is acting on behalf of another person as trustee/nominee, or any other intermediary is determined. In such cases, satisfactory evidence of the identity of the intermediaries and of the persons on whose behalf they are acting, as also details of the nature of the trust or other arrangements in place shall be obtained.

6.4. Further, while undertaking customer identification, the Company shall also ensure that:

6.4.1. Decision-making functions of determining compliance with KYC norms are not outsourced.

6.4.2. Introduction is not sought while opening accounts.

7. Video based Customer Identification Process (V-CIP):

7.1. The Company may undertake live V-CIP to be carried out by their official for establishment of an account based relationship with a new individual customer, proprietor (in case of proprietorship firm), authorized signatories and Beneficial Owner (BO) (in case of Legal Entity (LE) customers), conversion of existing accounts opened in non-face to face mode and updation / periodic updation of KYC for eligible customers, after obtaining his informed consent and shall adhere to the following stipulations:

7.1.1. V-CIP Infrastructure:

7.1.1.1. The Company shall comply with the RBI guidelines on minimum baseline cyber security and resilience framework, as well as other general guidelines on IT risks.

7.1.1.2. The Company shall have in-house infrastructure in its own premises and the V-CIP connection and interaction shall originate from its own secured network domain. The Company shall also comply with the Outsourcing Guidelines issued by RBI for any technology related outsourcing activities. Where cloud deployment model is used, it shall be ensured that the ownership of data in such model rests with the Company only and all the data including video recording is transferred to the Company's exclusively owned / leased server(s) including cloud server, if any, immediately after the V-CIP process is completed and no data shall be retained by the cloud service provider or third-party technology provider assisting the V-CIP of the Company.

7.1.1.3. The Company shall ensure end-to-end encryption of data between customer device and the hosting point of the V-CIP application, as per appropriate encryption standards. The customer consent should be recorded in an auditable and alteration proof manner.

7.1.1.4. The V-CIP infrastructure / application should be capable of preventing connection from IP addresses outside India or from spoofed IP addresses.

7.1.1.5. The video recordings should contain the live GPS co-ordinates (geo-tagging) of the customer undertaking the V-CIP and date-time stamp. The quality of the live video in the V-CIP shall be adequate to allow identification of the customer beyond doubt.

7.1.1.6. The application shall have components with face liveness / spoof detection as well as face matching technology with high degree of accuracy, even though the ultimate responsibility of any customer identification rests with the Company. Appropriate artificial intelligence (AI) technology can be used to ensure that the V-CIP is robust.

7.1.1.7. The Company shall regularly upgrade technology infrastructure including application software as well as workflows based on experience of detected / attempted / 'near-miss' cases of forged identity. Any detected case of forged identity through V-CIP shall be reported as a cyber event under extant regulatory guidelines.

7.1.1.8. The Company shall conduct necessary tests such as Vulnerability Assessment, Penetration testing and a Security Audit to ensure its robustness and end-to-end encryption capabilities of V-CIP Infrastructure. Any critical gap reported under this process shall be mitigated before rolling out its implementation. The Company shall engage suitably accredited agencies as prescribed by RBI to conduct such tests periodically in conformance to internal / regulatory guidelines.

7.1.1.9. The Company shall conduct appropriate testing of function, performance and maintenance strength of the V-CIP application software and relevant APIs / webservices etc. before being used in live environment. Only after closure of any critical gap found during such tests, the Company shall roll out the application. Such tests shall also be carried out periodically in conformity with internal/regulatory guidelines.

7.1.2. V-CIP Procedure:

7.1.2.1. The Company shall formulate a clear workflow and standard operating procedure for V-CIP and ensure adherence to it. The V-CIP process shall be operated only by officials of the Company specially trained for this purpose. The official should be capable of carrying out a liveness check, of detecting any other fraudulent manipulation or suspicious conduct of the customer, and of acting upon it.

7.1.2.2. Disruption of any sort including pausing of video, reconnecting calls, etc., should not result in creation of multiple video files. If pause or disruption does not lead to the creation of multiple files, then there is no need to initiate a fresh session by the Company. However, in case of call drop / disconnection, fresh session shall be initiated.

7.1.2.3. The official of the Company shall ensure that if there is a disruption in the V-CIP procedure, the same shall be aborted and a fresh session shall be initiated.

7.1.2.4. The sequence and/or type of questions, including those indicating the liveness of the interaction, during video interactions shall be varied in order to establish that the interactions are real-time and not pre-recorded.

7.1.2.5. Any prompting observed at the customer's end shall lead to rejection of the account opening process.

7.1.2.6. Whether the V-CIP customer is an existing or a new customer, whether the case relates to one rejected earlier, and whether the name appears in some negative list should be factored in at the appropriate stage of the workflow.

7.1.2.7. The authorised official of the Company performing the V-CIP shall record audio-video as well as capture photograph of the customer present for identification and obtain the identification information using any one of the following:

a. OTP based Aadhaar e-KYC authentication.

b. Offline Verification of Aadhaar for identification.

c. KYC records downloaded from CKYCR, using the KYC identifier provided by the customer.

d. Equivalent e-document of Officially Valid Documents (OVDs), including documents issued through Digi-locker. The Company shall ensure that the Aadhaar number is redacted or blacked out.

7.1.2.8. In case of offline verification of Aadhaar using XML file or Aadhaar Secure QR Code, The Company shall ensure that the XML file or QR code generation date is not older than 3 (three) working days from the date of carrying out V-CIP. Further, in line with the aforesaid prescribed period, the Company shall ensure that the video process of the V-CIP is undertaken within 3 (three) working days of downloading / obtaining the identification information through CKYCR / Aadhaar authentication / equivalent e-document, if in the rare cases, the entire process cannot be completed at one go or seamlessly. However, The Company shall ensure that no incremental risk is added due to this.

7.1.2.9. If the address of the customer is different from that indicated in the OVD, suitable records of the current address shall be captured. The Company shall ensure that the economic and financial profile/information submitted by the customer is also confirmed from the customer while undertaking the V-CIP in a suitable manner.

7.1.2.10. The Company shall capture a clear image of PAN card to be displayed by the customer during the process, except in cases where e-PAN is provided by the customer. The PAN details shall be verified from the database of the issuing authority including through Digi locker.

7.1.2.11. Use of printed copy of equivalent e-document including e-PAN is not valid for the V-CIP.

7.1.2.12. The authorised official of the Company shall ensure that photograph of the customer in the Aadhaar/OVD and PAN/e-PAN matches with the customer undertaking the V-CIP, and the identification details in Aadhaar/OVD and PAN/e-PAN shall match with the details provided by the customer.

7.1.2.13. All accounts opened through V-CIP shall be made operational only after being subject to concurrent audit, to ensure the integrity of the process and the acceptability of its outcome.

7.1.2.14. The Company shall comply with all such matters required under other statutes, such as the Information Technology (IT) Act.

7.2. V-CIP Records and Data Management:

7.2.1. The Company shall store the entire data and recordings in a system(s) located in India, in a safe and secured manner and shall bear time and date stamp for easy historical search.

7.2.2. The Company shall follow the provisions of Record Management as contained in this Policy.

7.2.3. The activity log along with credential of the official performing V-CIP shall be preserved.

8. CDD Procedure and sharing KYC information with Central KYC Records Registry (CKYCR):

8.1. The Company shall capture customer's KYC records and upload onto CKYCR within 10 (ten) days of commencement of an account-based relationship with the customer.

8.2. Operational Guidelines for uploading the KYC data have been released by CERSAI.

8.3. The Company shall capture the KYC information for sharing with the CKYCR in the manner mentioned in the Rules, as per the KYC templates prepared for 'Individuals' and 'Legal Entities' (LEs), as the case may be.

8.4. The Company was required to start uploading the KYC data pertaining to all new individual accounts opened on or after April 1, 2017, and KYC records pertaining to accounts of Legal Entities opened on or after April 1, 2021, with CKYCR in terms of the provisions of the Rules ibid.

8.5. Once KYC Identifier is generated by CKYCR, The Company shall ensure that the same is communicated to the individual/LE as the case may be.

8.6. In order to ensure that all KYC records are incrementally uploaded on to CKYCR, The Company shall upload/update the KYC data pertaining to accounts of individual customers and LEs opened prior to the above-mentioned dates at the time of periodic updation, when the updated KYC information is obtained/received from the customer.

8.7. The Company shall ensure that during periodic updation, the customers are migrated to the current CDD standard.

8.8. Where a customer, for the purposes of establishing an account based relationship, submits a KYC Identifier to a RE, with an explicit consent to download records from CKYCR, then such RE shall retrieve the KYC records online from the CKYCR using the KYC Identifier and the customer shall not be required to submit the same KYC records or information or any other additional identification documents or details, unless:

  1. there is a change in the information of the customer as existing in the records of CKYCR;
  2. the current address of the customer is required to be verified;
  3. the Company considers it necessary in order to verify the identity or address of the customer, or to perform enhanced due diligence or to build an appropriate risk profile of the client; or
  4. the validity period of documents downloaded from CKYCR has lapsed.

9. RISK MANAGEMENT:

9.1. The Company shall have a risk-based approach as specified hereinunder. Based on the assessment and perception of risk, the customers will be divided into three risk categories, i.e., low, medium, and high risk. Risk classification will be done in a broad sense based on factors like the name of the customer, their financial and social standing, the type of commercial activity they engage in, details about their location and company, the sourcing method they use, the type of underlying loan, and so forth. To avoid tipping off the customer, the risk assessment of a client and the particular rationale behind it must be kept confidential and not disclosed to them.

9.2. As per the KYC policy, for acceptance and identification, the Company's Customers would be categorized based on perceived risk, broadly into three categories – A, B & C. Category A would include High Risk Customers, Category B would include Medium Risk Customers while Category C would include Low Risk Customers.

9.3. None of the Customers will be exempted from the Company's KYC procedures, irrespective of the status and relationship with Company or its Promoters. The due diligence to be exercised would depend on the risk categorisation of the customers. Enhanced due diligence will be carried out in respect of customers falling in the medium and high-risk category.

9.4. Customer risk category should include:

9.4.1. High Risk: High-risk customers typically include:

  1. Non-resident customers.
  2. High net worth individuals without an occupation track record of more than 3 (three) years.
  3. Trust, charitable organizations, Non-Government Organization (NGO), organizations receiving donations.
  4. Companies having close family shareholding or beneficial ownership.
  5. Firms with sleeping partners.
  6. Politically exposed persons (PEPs) of Indian/ foreign origin.
  7. Person with dubious reputation as per public information.
  8. Company name changed in last 2 (two) years.
  9. Irregular/Delay in compliance – GST, PF, etc. by an entity.
  10. Any other risk perceived during assessment.
  11. Customer onboarded via non face to face mode.

9.4.2. Medium Risk: Medium-risk customers will include:

  1. Salaried applicant with variable income / unstructured income receiving salary by cheque / cash.
  2. Salaried applicant working with proprietary or partnership firms.
  3. Self-employed professionals other than HNIs.
  4. Self-employed customers with sound business and profitable track record for a reasonable period.
  5. High Net worth individuals with occupation track record of more than 3 years.
  6. Source of Funds is not clear.
  7. Company Profile, Location of company, Low net worth promoters, any negative news which is more than 5 (five) years old.
  8. Any other risk perceived during assessment.

9.4.3. Low Risk: Low-risk customers are individuals (other than high net worth) and entities whose identities and sources of wealth can be easily identified, and all other persons not covered under the above two categories. Customers carrying low risk may include the following:

  1. Individuals (other than high net worth) and entities whose identities and sources of wealth can be easily identified, and all other persons not covered under the above two categories.
  2. Salaried employees with well-defined salary structures.
  3. People working with government-owned companies, regulators and statutory bodies, MNCs, rated companies, public sector units, public limited companies, etc.
  4. If the profile is assessed to be low risk by credit due to strong mitigations available.

Important for Risk categorization:

If the customer falls under more than one risk category, then the higher risk category shall apply. E.g., if the client is in the low-risk category and also in the high-risk category, then the client would be considered in the high-risk category.

10. RESPONSIBILITY:

10.1. The Board of Directors of the Company shall select a Designated Director to oversee the Company's overall compliance with the PMLA Act and its Rules. The Designated Director's identity, title, and address will be shared by the Company with the RBI and FIU-IND. The Designated Director of the Company shall be a person other than the Principal Officer of the Company.

10.2. The Company shall appoint the 'Principal Officer', who will be responsible for ensuring compliance under AML and KYC requirements under PMLA and rules framed thereunder, RBI requirements, CKYC/e-KYC and under such other requirements, monitoring transactions and sharing and reporting information as required under applicable law. The Company will communicate the name, designation and address of the Principal Officer to the FIU-IND and RBI. Principal Officer means an officer at the management level nominated by the Company.

10.3. In order to ensure successful implementation of its KYC policy:

  1. The company will assign Senior Management, which includes the MD, WTD, CRO, and Head of Compliance, to oversee KYC compliance.
  2. Mandatory internal audits as well as concurrent audits when needed to confirm adherence to KYC/AML policies and procedures.
  3. The auditors' periodic submission of audit reports to the committee for auditing.

11. ON-GOING DUE DILIGENCE & EVALUATION

11.1. With regard to each customer, the Company would conduct ongoing due diligence and carefully review the transactions to make sure they align with their understanding of the customer, his business and risk profile, the source of funds or wealth, and, if needed, the source of funds. However, the overarching principle for ODD is that the extent of ODD/monitoring would be aligned with the risk category of the customer.

11.2. The Company shall use a risk-based approach for the periodic updating of KYC in order to guarantee that the data or information gathered under CDD is kept current and applicable, especially in high-risk situations. From the date of account opening/last KYC update, full KYC exercise must be completed at least once every 2 (two) years for high-risk customers, once every 8 (eight) years for medium-risk customers, and once every 10 (ten) years for low-risk customers.

12. PERIODIC UPDATION OF KYC OF INDIVIDUAL CUSTOMERS:

12.1. In case there is no change in KYC information: In case of no change in the KYC information, a self-declaration from the customer shall be obtained through customer's email-id registered with the Company, customer's mobile number registered with the Company, ATMs, digital channels (such as online banking / internet banking), letter, etc.

12.2. Address change: If the customer's address is the only thing that has changed, the company must request a self-declaration of the new address from the customer via the following channels: ATMs, digital channels (such as online banking and internet banking, the company's mobile application), letters, etc. The company may choose to verify the customer's declared address. Furthermore, for the purpose of proving the address that the customer reported at the time of the periodic update, the Company may, at their discretion, seek a copy of OVD as described in this Policy or presumed OVD or the equivalent e-documents thereof.

12.3. Additional measures: In addition to the above, the Company shall ensure that:

12.3.1. The KYC documents of the customer as per the current CDD standards are available with them. This is applicable even if there is no change in customer information but the documents available with the Company are not as per the current CDD standards. Further, in case the validity of the CDD documents available with the Company has expired at the time of periodic updation of KYC, the Company shall undertake the KYC process equivalent to that applicable for onboarding a new customer.

12.3.2. The Customer's PAN details, if available with the Company, is verified from the database of the issuing authority at the time of periodic updation of KYC.

12.3.3. The Company shall ensure to provide acknowledgment to the customer with date of having performed KYC updation.

12.3.4. The Company shall adopt a risk-based approach with respect to periodic updation of KYC.

12.3.5. The Company shall advise the customers that in order to comply with the PML Rules, in case of any update in the documents submitted by the customer at the time of establishment of business relationship / account-based relationship and thereafter, as necessary, the customers shall submit to the Company the update of such documents. This shall be done within 30 (thirty) days of the update to the documents for the purpose of updating the records at the Company's end.

12.3.6. In case of existing customers, the Company shall obtain the Permanent Account Number or equivalent e-document thereof or Form No. 60 of the customer. Provided that before temporarily ceasing operations for an account, the Company shall give the customer accessible notice and a reasonable opportunity to be heard. Further, the Company shall include, in its internal policy, appropriate relaxation(s) for continued operation of accounts for customers who are unable to provide Permanent Account Number or equivalent e-document thereof or Form No. 60 owing to injury, illness or infirmity on account of old age or otherwise, and such like causes. Such accounts shall, however, be subject to enhanced monitoring. Provided further that if a customer having an existing account-based relationship with the Company gives in writing to the Company that he does not want to submit his Permanent Account Number or equivalent e-document thereof or Form No. 60, the Company shall close the account and all obligations due in relation to the account shall be appropriately settled after establishing the identity of the customer by obtaining the identification documents as applicable to the customer.

12.3.7. A system of periodic review of risk categorisation of accounts, with such periodicity being at least once in 6 (six) months, and the need for applying enhanced due diligence measures shall be put in place. Higher risk accounts shall be subjected to intensified monitoring.

12.3.8. As a risk-mitigating measure for such accounts, the Company shall ensure that transaction alerts, OTP, etc., are sent only to the mobile number of the customer registered with Aadhaar. In case of a request from the customer for change of mobile number, the steps below are to be followed:

12.3.9. The customer is to initiate a formal request from the registered email id or by letter to the Company for change of mobile number (the mobile number should be linked with Aadhaar).

12.3.10. On receipt of the formal request from the customer, the RE is to initiate Aadhaar based OTP verification of the mobile number.

12.3.11. Post successful verification of the mobile number, the customer's details are to be updated in the records of the Company.

12.3.12. For ongoing due diligence, the Company may consider adopting appropriate innovations including artificial intelligence and machine learning (AI & ML) technologies to support effective monitoring.

13. ENHANCED DUE-DILIGENCE:

13.1. Accounts of non-face-to-face customers (other than Aadhaar OTP based on-boarding): Non-face-to-face onboarding facilitates the Company to establish relationship with the customer without meeting the customer physically or through V-CIP. Such non-face-to-face modes for the purpose of this Section includes use of digital channels such as CKYCR, DigiLocker, equivalent e-document, etc., and non-digital modes such as obtaining copy of OVD certified by additional certifying authorities as allowed for NRIs and PIOs. Following CDD measures shall be undertaken by the Company for non-face-to-face customer onboarding (other than Aadhaar OTP based on-boarding):

  1. In case the Company has introduced the process of V-CIP, the same shall be provided as the first option to the customer for remote onboarding. It is reiterated that processes complying with prescribed standards and procedures for V-CIP shall be treated on par with face-to-face CIP for the purpose of this Master Direction.
  2. In order to prevent frauds, alternate mobile numbers shall not be linked post CDD with such accounts for transaction OTP, transaction updates, etc. Transactions shall be permitted only from the mobile number used for account opening. The Company shall have a Board approved policy delineating a robust process of due diligence for dealing with requests for change of registered mobile number.
  3. Apart from obtaining the current address proof, the Company shall verify the current address through positive confirmation before allowing operations in the account. Positive confirmation may be carried out by means such as address verification letter, contact point verification, deliverables, etc.
  4. The Company shall obtain PAN from the customer and the PAN shall be verified from the verification facility of the issuing authority.
  5. First transaction in such accounts shall be a credit from existing KYC-complied bank account of the customer.
  6. Such customers shall be categorized as high-risk customers and accounts opened in non-face to face mode shall be subjected to enhanced monitoring until the identity of the customer is verified in face-to-face manner or through V-CIP.

14. Accounts of Politically Exposed Persons (PEPs):

14.1. The Company shall have the option of establishing a relationship with PEPs (whether as customer or beneficial owner) provided that, apart from performing normal customer due diligence:

  1. The Company has in place appropriate risk management systems to determine whether the customer or the beneficial owner is a PEP.
  2. Reasonable measures are taken by the Company for establishing the source of funds / wealth.
  3. The approval to open an account for a PEP shall be obtained from the senior management level in accordance with the Company's Customer Acceptance Policy.
  4. All such accounts are subjected to enhanced monitoring on an on-going basis.
  5. In the event of an existing customer or the beneficial owner of an existing account subsequently becoming a PEP, senior management's approval is obtained to continue the business relationship.

  6. The CDD measures as applicable to PEPs including enhanced monitoring on an on-going basis are applicable.
  7. These instructions shall also be applicable to accounts where a PEP is the beneficial owner. These instructions shall also be applicable to family members or close associates of PEPs.

15. RECORD MANAGEMENT:

15.1. All transaction records including KYC documents obtained from customers under the policy would be maintained for a period of 5 (five) years from the date of transaction.

15.2. The Company shall preserve the records pertaining to the identification of the customers and their addresses obtained while opening the account and during the course of business relationship, for at least 5 (five) years after the business relationship is ended.

15.3. Make available swiftly the identification records and transaction data to the competent authorities upon request.

15.4. Maintain records of the identity and address of their customer, and records in respect of transactions.

15.5. Records should contain all the information necessary to permit the reconstruction of the individual transaction including the following information:

  • Nature of the transactions.
  • Amount of the transaction and the currency in which it was denominated.
  • The date on which the transaction was conducted.
  • Parties to the transaction.

15.6. As required under RBI regulations, the Company shall ensure filing of all required Suspicious Transaction Report (STR) and Cash Transaction Report (CTR) to Financial Intelligence Unit (FIU) – India within 15 (fifteen) days of arriving at a conclusion that any transaction, whether cash or non-cash, or a series of transactions integrally connected are of suspicious nature.

15.7. The Principal Officer should record his reasons for treating any transaction as suspicious. It should be ensured that there is no undue delay in arriving at such a conclusion once a suspicious transaction report is received from a branch or other office. Such report shall be made available to the competent authorities on request. Illustrative list of activities which would be construed as suspicious transactions is given below. Any changes required due to business exigencies or due to regulatory / audit requirements, will be required to be approved by Principal Officer, appointed under this Policy.

15.7.1. Activities not consistent with the customer's business, i.e., accounts with large volume of credits whereas the nature of business does not justify such credits.

15.7.2. Any attempt to avoid reporting / record-keeping requirements, or provision of insufficient / suspicious information.

15.7.3. A customer who is reluctant to provide information needed for a mandatory report, to have the report filed or to proceed with a transaction after being informed that the report must be filed.

15.7.4. Any individual or group that coerces/induces or attempts to coerce/induce the Company's employee into not filing any report or any other forms.

15.7.5. An account where there are several cash transactions below a specified threshold level to avoid filing of reports that may be necessary in case of transactions above the threshold level, as the customer intentionally splits the transaction into smaller amounts for the purpose of avoiding the threshold limit.

15.7.6. Certain Employees of the Company arousing suspicion:

  a. An employee whose lavish lifestyle cannot be supported by his or her salary.
  b. Negligence of employees / wilful blindness is reported repeatedly.
  c. The Company shall consider filing an STR, if necessary, when it is unable to comply with the relevant CDD measures in relation to the customer.

15.7.7. Some examples of suspicious activities/transactions to be monitored by the operating staff:

  a. Multiple accounts under the same name.
  b. Refuses to furnish details of source of funds by which initial contribution is made, sources of funds are doubtful, etc.
  c. There are reasonable doubts over the real beneficiary of the loan.
  d. Frequent requests for change of address.

16. MONITORING:

16.1. Constant observation is a necessary component of efficient KYC processes. The risk profile and risk sensitivity of the account will be taken into consideration when monitoring the amount of transactions. All complex and exceptionally big transactions, as well as any unexpected patterns lacking any obvious economic or legal rationale, require the Company to give them extra attention. The scope of the monitoring will correspond to the customer's risk level. Accounts with higher risk will be closely monitored.

16.2. The following activities may form part of the monitoring function:

16.2.1. The account of the Customer after signing of the agreement to be closely monitored for signs of any unusual transactions; and

16.2.2. All cash and suspicious transactions are required to be reported within the timelines given under the Prevention of Money Laundering Act ('PMLA'), 2002; the PML Rules 2005 framed thereunder; and the Foreign Regulation Act 2010.

17. REPORTING TRANSACTIONS:

17.1. Income Tax Rules pertaining to the Common Reporting Standards (CRS) and the Foreign Account Tax Compliance Act (FATCA) reporting requirements must be followed.

17.2. No limitations should be placed by the Company on the accounts in which an STR has been made. Additionally, it must be made sure that there is never any kind of tipping off to the customer.

17.3. The Principal Officer shall record his grounds for treating any transaction or a sequence of transactions as suspicious.

17.4. RBI has made it clear that uploading STR requires use of the FINnet gateway site. For the purpose of submitting STR in both Account-based Reporting Format (ARF) and Transaction-based Reporting Format (TRF), FIU has permitted Web filing. Web filing requires entering information.

17.5. The following reports are required to be made to FIU by the 15th of the succeeding month:

17.5.1. All cash transactions of the value of Rs. 10 lakhs and above or its equivalent in foreign currency. All series of cash transactions integrally connected to each other which have been individually valued below rupees ten lakh or its equivalent in foreign currency where such series of transactions have taken place within a month and the monthly aggregate is ₹ 10,00,000/- and above or its equivalent in foreign currency.

17.5.2. All cash transactions where forged or counterfeit currency notes or bank notes have been used as genuine or where any forgery of a valuable security or a document has taken place facilitating the transactions.

17.5.3. All transactions involving receipts by non-profit organizations of value more than ₹ 10,00,000/- or its equivalent in foreign currency.

17.5.4. All Suspicious Transaction Report (STR) should be furnished within 7 (seven) days of arriving at a conclusion that any transaction, whether cash or non-cash, or a series of transactions integrally connected are of suspicious nature.

17.5.5. In accordance with RBI regulations, the Company shall make sure that all necessary Suspicious Transaction Reports (STR) and Cash Transaction Reports (CTR) are filed to the Financial Intelligence Unit (FIU) - India within a week of concluding that any transaction—cash or non-cash—or a group of closely related transactions are suspicious.

17.6. The Principal Officer should record his reasons for treating any transaction as suspicious. It should be ensured that there is no undue delay in arriving at such a conclusion once a suspicious transaction report is received from a branch or other office. Such report shall be made available to the competent authorities on request.

17.7. Any changes required due to business exigencies or due to regulatory / audit requirements, will be required to be approved by Principal Officer, appointed under this Policy.

18. INTERNAL ML/ TF RISK ASSESSMENT:

18.1. The Company shall carry out 'Money Laundering (ML) and Terrorist Financing (TF) Risk Assessment' exercise periodically to identify, assess and take effective measures to mitigate its money laundering and terrorist financing risk for clients, countries or geographic areas, products, services, transactions or delivery channels, etc.

18.2. While assessing the ML/TF risk, the Company shall take cognizance of the overall sector-specific vulnerabilities, if any, that the regulator/supervisor may share from time to time. Further, the internal risk assessment shall be carried out commensurate with its size, geographical presence, complexity of activities/structure, etc.

18.3. In addition, the company will use a Risk Based Approach (RBA) to mitigate and manage the risks that have been identified, and it will have sufficient controls and procedures in place for this purpose based on the size of the firm. The implementation of controls should be routinely reviewed and improved upon as needed. Such an internal risk assessment must be completed on a regular basis, but no later than once a year, in accordance with the regulatory obligation outlined in the circular, and it must be submitted to the board or risk management committee.

19. EMPLOYEE TRAINING:

Employees will be required to participate in regular training programs so they may have a sufficient screening mechanism as part of their hiring and human recruitment process.
It is necessary to implement an ongoing employee training program to ensure that staff members are sufficiently taught in KYC, AML, and CFT policies. Employees handling new customers, compliance personnel, and frontline staff will receive training with distinct objectives. The front desk employees will receive specialized training to address problems resulting from inadequate client education. AML procedures must be implemented with care, ensuring that the audit function is staffed with individuals who are suitably qualified and knowledgeable about the company's KYC/AML/CFT policies, regulations, and other matters.

20. CONFIDENTIALITY:

Customers' personal information obtained for the purpose of opening an account will be kept private and confidential. Details of this information won't be shared with third parties for the purpose of cross-selling or for any other reason without the customer's express consent. The following are the exceptions to the aforementioned rule:

  1. Where disclosure is under compulsion of law;
  2. Where there is a duty to the public to disclose;
  3. Where the interest of the bank requires disclosure; and
  4. Where the disclosure is made with the express or implied consent of the customer.

21. OTHER INFORMATION:

The Company shall pay adequate attention to any money-laundering and financing of terrorism threats that may arise from new or developing technologies and it shall be ensured that appropriate KYC procedures issued from time to time are duly applied before introducing new products/services/technologies. Agents used for marketing of credit cards shall also be subjected to due diligence and KYC measures. Unique Customer Identification Code ("UCIC") shall be allotted while entering new relationships with the individual customers as also the existing individual customers. The Company shall review the policy on an annual basis or at earlier intervals, if there are any regulatory changes necessitating such interim reviews.

22. INTRODUCTION OF NEW TECHNOLOGIES:

22.1. The Company must recognize and evaluate the potential ML/TF risks associated with the creation of new goods and procedures, such as delivery systems, and with the use of cutting-edge technology for both new and already-released goods.

22.2. Further, the Company shall:

  1. Undertake ML/TF risk assessments prior to the launch or use of such products, practices, services, technologies; and
  2. Adopt a risk-based approach to manage and mitigate the risks through appropriate enhanced due diligence measures and transaction monitoring, etc.

23. REQUIREMENTS/OBLIGATIONS UNDER INTERNATIONAL AGREEMENTS - COMMUNICATIONS FROM INTERNATIONAL AGENCIES:

23.1. In order to prevent the Company from being used as a channel for Money Laundering (ML)/Terrorist Financing (TF) and to ensure the integrity and stability of the financial system, efforts are continuously being made both internationally and nationally, by way of prescribing various rules and regulations. Internationally, the Financial Action Task Force (FATF) sets standards and promotes effective implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other related threats to the integrity of the international financial system. India, being a member of FATF, is committed to upholding measures to protect the integrity of the international financial system.

23.2. The Company shall ensure that, in terms of Section 51A of the Unlawful Activities (Prevention) Act, 1967 (UAPA) and amendments thereto, it does not have any account in the name of individuals/entities appearing in the lists of individuals and entities suspected of having terrorist links, which are approved by and periodically circulated by the United Nations Security Council (UNSC).

23.3. The Company shall also refer to the lists as available in the Schedules to the Prevention and Suppression of Terrorism (Implementation of Security Council Resolutions) Order, 2007, as amended from time to time. The aforementioned lists, i.e., UNSC Sanctions Lists and lists as available in the Schedules to the Prevention and Suppression of Terrorism (Implementation of Security Council Resolutions) Order, 2007, as amended from time to time, shall be verified on a daily basis, and any modifications to the lists in terms of additions, deletions or other changes shall be taken into account by the Company for meticulous compliance.

23.4. The Company shall ensure meticulous compliance with the "Procedure for Implementation of Section 12A of the Weapons of Mass Destruction (WMD) and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005" laid down in terms of Section 12A of the WMD Act, 2005 vide Order dated January 30, 2023, by the Ministry of Finance, Government of India, as updated from time to time.

CIN: U67120KA2005PTC037654