One of the most prevalent gaps in Anti-Money Laundering (AML) and e-KYC is inadequate client identification checkpoints

As regulatory scrutiny tightens and penalties mount, Indian banks are under growing pressure to fix gaps in AML and KYC compliance. In this interview with Fortune India, Deepak Bhawnani, Managing Director of Gurgaon-based tech-enabled risk mitigation firm FIOS, explains why fines are rising, where banks keep failing, and how technology and third-party intelligence can help reduce regulatory risk.
Excerpts:
What are common AML and e-KYC compliance gaps that lead to fines by regulatory bodies like RBI and SEBI?
One of the most prevalent gaps in Anti-Money Laundering (AML) and e-KYC is inadequate client identification checkpoints. This is a critical base and component of the initial risk assessment (Level 1), and any red or yellow flags identified at this stage warrant a thorough investigation. It is essential to fully understand the underlying reasons for these flags to effectively mitigate potential risks.
Over time, traditional AML practices have increasingly evolved into comprehensive KYC processes. Today, many of these functions are automated through artificial intelligence (AI). Tasks such as transaction monitoring and verification of personhood are now handled by AI systems, enabling faster, timely and more efficient responses.
If financial institutions ignore red flags and fail to conduct proper due diligence on high-risk customers, they may face penalties from regulators such as the RBI and SEBI.
Once a transaction or customer relationship raises suspicion, banks, mandatorily, must dig deeper by performing enhanced KYC procedures. This not only helps uncover the true nature of the activity, but also enables the bank to submit a credible explanation and documentation to regulators, thereby reducing or mitigating fines.
How severe has the RBI/SEBI penalty wave become in the last 3-5 years?
In the past 3 to 5 years, India has witnessed a sharp and sustained escalation in regulatory penalties imposed on banks and financial institutions, which the industry now commonly refers to as the “penalty wave.” According to our tracking of AML and KYC fines, the amount is exponentially increasing every year, and these include some big names. In 2024, we saw the largest amounts of fines levied on banks and NBFCs so far, which included around 70 organisations getting fined. Recently, one of the largest private banks got a penalty of ₹10 million for failing to adhere to certain regulatory guidelines and KYC norms.
Regulators like the RBI and the SEBI have adopted a much stricter stance when it comes to levying fines. This shift reflects growing concern over lapses and negligence within financial institutions. By imposing heavier penalties, these regulators aim not only to hold banks accountable but also to reinforce a robust culture of financial integrity and compliance across the sector. This approach serves as a strong deterrent against malpractice and encourages banks to strengthen their risk management and governance frameworks. They are moving from occasional corrective actions to systematic, high-value monetary fines, supervisory restrictions, and in some cases even license cancellations.
What may be the causes behind repeated AML and KYC failures in Indian banks, despite heavy investments in technology and staff?
Despite heavy spending on technology, systems and staff, banks continue to face repeated AML and KYC fines because several core problems remain unresolved. One major issue is the commonality of names in India, where many customers share identical or very similar names, making accurate screening against sanctions and watchlists extremely difficult and leading to thousands of false alerts every day. Another challenge is the growing use of high-quality forged documents, including fake Aadhaar and PAN cards, which often pass traditional checks unnoticed. Weak and inconsistent staff training also plays a role, as frontline employees are not always taught how to spot red flags during real customer interactions or escalate concerns properly. Banks also tend to rely too heavily on technology, treating automated alerts as the final step rather than the start of deeper investigation, resulting in alert fatigue and missed risks.
How can banks integrate third-party compliance insights efficiently into their existing AML/KYC workflows to mitigate fines?
Banks can reduce AML and KYC fines by integrating third-party compliance insights directly into their existing workflows, rather than treating them as add-ons. As technology now supports every stage of the customer journey, from onboarding to transaction monitoring, external intelligence can be embedded seamlessly into these processes. Transaction volumes are set to rise sharply as India pushes financial inclusion and moves towards a trillion digital transactions a year, making manual checks impractical. In this environment, banks need cost-efficient tools that focus on high-risk customers without slowing operations. Platforms such as Fios Compliance use secure, cloud-native systems to provide real-time access to global and domestic sanctions lists, PEP data, regulatory records and law enforcement sources. By analysing both structured and unstructured open data, these tools uncover risks internal systems often miss, while giving compliance teams clear, audit-ready evidence to support decisions.
How can enhanced profile analysis uncover hidden risks that traditional compliance checks might miss?
Enhanced due diligence (EDD) and thorough investigative research play a crucial role in identifying flags that traditional compliance checks may overlook or fail to detect. This includes eliminating duplicate records, validating customer profiles, conducting comprehensive checks against litigation and global sanctions lists, verifying source of funds, and analysing an individual's activities across multiple business segments.
A comprehensive EDD can connect these dots, recognising subtle patterns indicative of risk. This underscores the need for continuous vigilance and deeper human scrutiny to prevent recurring fraud and misconduct.
As fines keep rising and regulatory scrutiny intensifies (UPI fraud, mule accounts, crypto onboarding, etc.), will third-party compliance firms become a necessity?
Yes, with AML, KYC, and other Regulatory Compliance fines now routinely running into hundreds of crores of rupees annually and RBI/SEBI enforcement showing no signs of easing, outsourcing specialised compliance functions to third-party experts is rapidly shifting from “nice-to-have” to “non-negotiable” for Indian banks and financial institutions.
Looking ahead to 2030: With the RBI’s new SRO framework for RegTech, scale-of-business supervision, and the regulator's expected adoption of advanced analytics/suptech, will the era of routine multi-crore fines end?
India's dynamic financial sector has a regulatory landscape that is complex and ever-evolving. While fines may persist as a compliance tool, their frequency and impact can be dramatically reduced through innovative, industry-driven frameworks.
The RBI's Self-Regulatory Organisations (SROs) initiative in RegTech is a game-changer. By empowering credible bodies to enhance professionalism, share critical data with the RBI, uphold ethical standards, and detect early warning signals without conflict of interest, SROs are building a more resilient ecosystem.
Amid this shift, Agentic AI and RegTech providers must remain steadfast allies to the financial community. By leveraging cutting-edge tools for real-time compliance monitoring, predictive risk analytics, and automated reporting, we can bridge the gap between regulation and rapid growth.