RBI’s KYC Penalties: A Sisyphean Grind?

The gods had condemned Sisyphus to ceaselessly rolling a rock to the top of a mountain, whence the stone would fall back of its own weight. They had thought, for some reason, that there would be no more dreadful punishment than futile and hopeless labor. - Albert Camus

The Reserve Bank of India fined HDFC Bank ₹7.5 million last week for lapses in KYC compliance. The move followed RBI Governor Sanjay Malhotra’s recent nudge to banks to stop asking customers to resubmit documents already shared and verified.
In his speech on March 17, 2025, Malhotra said: 

“Once the customer has updated his details, for example, his residential address, with one regulated entity of any financial sector regulator, it gets updated in CKYCR and other REs are notified of the updation. Rules… mandate regulated entities to check the CKYCR system before seeking KYC documents for opening an account. However, most banks and NBFCs have not enabled the same in their branches/business outlets, causing avoidable inconvenience to customers”

There are two issues here: one, the way stakeholders go about KYC and the other, the current nature of enforcement actions by the banking regulator and the outcomes.

The second point first. There was a time when the issue of imposing monetary penalties upon banks was well debated in the public domain; this was just before it was accepted that, yes, penalties indeed matter and an enforcement department was set up in RBI to deal with errant banks. While on the one hand, it was thought that not dealing with errant banks was a moral hazard, the other argument, which went against monetary penalties, was that after all, the impact of such penalties would ultimately fall on the customers for no fault of theirs. An alternative suggestion was that mere “naming and shaming” of in the public domain would drive the regulated entities to behave. But then this suggestion put too much faith in the behavioural aspects without understanding the behavioural dynamics in a broader societal setting.

Anthropologists broadly classify societies in terms of Guilt, Shame and Fear cultures. One would agree that naming and shaming works better in shame cultures. To make the semantics easy, Japan is an ultimate example of shame culture – where suicides are often linked to an unbearable sense of shame. One notable example is the resignation and later the death of Shoichi Nakagawa, the former finance minister of Japan, who got inebriated and slurred his way through a press conference after a G7 meeting in the aftermath of global financial crisis – he was thought to have shamed the Japanese society and the latter doesn’t accept anyone once the person is involved in serious shameful act.

Anyway, that was to just to make a point that understanding the incentive/disincentive structures underlie the design of penal frameworks have subtle underpinnings in a social, anthropological and psychological setting. No one explains it better than Upton Sinclair, who felt “It is difficult to get a man to understand something, when his salary depends on not understanding it”. This is true of every setting – be it the wrongdoer or the purveyors of medicines to deter wrongdoers.

Punishment, like reward, plays an important role in operant conditioning in modifying behaviour. If alternatives exist in a deterrent mechanism – paying nominal penalties than stop wrongdoing – one may choose the lesser evil. This has been evident in the West when banks were willing to cough up huge penalties without accepting that they have done the forbidden – a moral hazard. 

One question that comes to mind about any public policy is about the nature and benefits of outcomes. If repeated violations of rules and the imposition of penalties become the norm, there seems to be a need for RBI to analyse them. Is the deterrence that is expected of a penalty visible, or has the system become entrenched in a ritual? Are the banks imputing the KYC-related costs as part of their overall cost structure that ultimately may impose larger costs on the society than the benefits that they promise? By the way, how many times has a bank such as IndusInd Bank been penalised for any violation and yet ended up in a quagmire? If most of the penalties are due to KYC violations, is there a chance of regulators missing the wood for the trees? In other words, it is an issue of proportionality in terms of costs and benefits, both for the regulator and the regulated. There certainly seems to be a need, now that sufficient time has elapsed since RBI started the enforcement activity and imposing penalties, to understand the correlation among the lapses, penalties and the manifestation of deterrence.

To be sure, the costs of a KYC compliance set-up don’t come cheap! It is also a fact that the logic of proportionality may not fully apply here since KYC is unavoidable as we are signatories to the Financial Action Task Force. This inter-governmental organisation works to prevent money laundering and terrorist financing - and that it has become a part of PMLA laws. 

Here comes the other issue of why KYC, which is part of the paraphernalia to protect customers, is leaving a bad taste or a sense of harassment for the same customers. It certainly has to do with the ease of doing business! The RBI Governor’s recent push for the Central KYC Registry system is well-timed. However, challenges persist—possibly due to data privacy concerns or reluctance among banks to fully integrate it.

A concerted effort is required to ensure the CKYCR framework is fully operational and widely adopted. Until then, customers will continue to face redundant KYC checks, and penalties may remain an ineffective deterrent.

The recurring cycle of penalties and compliance failures resembles Sisyphus' endless toil—regulators impose fines, and banks pay them, yet the fundamental issues remain unresolved. The real challenge lies not just in enforcing compliance but in streamlining KYC processes to be efficient, effective, customer-friendly, and, last but not least, cost-effective to incentivise banks to adopt it wholeheartedly. Only then can the burden be lifted and the regulatory rock stop rolling back down the hill.