1. Introduction

2. Objective

The objective of this Merchant Onboarding Policy is to establish a robust governance framework for the onboarding, KYC verification & due-diligence, risk assessment, continuous monitoring and record management of merchants utilizing Emanypay’s payment aggregation services. This policy will help in designing relevant SOPs to ensure that only legitimate and compliant merchants are onboarded, thereby minimizing exposure to fraudulent or high-risk activities. It aims to ensure compliance with applicable regulations, including the Reserve Bank of India (RBI) Guidelines on Payment Aggregators and Payment Gateways, and to safeguard Emanypay and the broader financial system from exploitation for Money Laundering (ML) and Terrorist Financing (TF).

3. Scope

This policy applies to all stakeholders involved in the merchant onboarding process, including the Risk, Onboarding and Technology team as well as external agents. It encompasses the following areas:

• Merchant Verification: Verification of merchant credentials and documentation through APIs and due diligence practices as per RBI KYC guidelines.
• Risk Assessment: Evaluation and categorization of merchants based on predefined risk criteria to identify and mitigate potential risks.
• Continuous Monitoring: Ongoing review and monitoring of merchant activities to detect any deviations or suspicious behaviour
• Reporting: Ensuring timely and accurate reporting of suspicious transactions to the Financial Intelligence Unit - India (FIU-IND).
• Record Management: Maintenance, preservation, and reporting of all records related to the merchant identification and transaction details.
• Compliance: Adherence to all relevant regulatory requirements and guidelines issued by the Reserve Bank of India (RBI) and other governing bodies.s

4. Governance Framework

Emanypay’s Merchant Onboarding Policy is based on adherence to applicable laws, regulations, and industry best practices. The Board of Directors is ultimately responsible for ensuring compliance, while Operational Risk Management Committee (ORMC), Senior Management oversees policy implementation, adherence, and updates in line with regulatory changes.

To ensure effective implementation and compliance, the Company has established the following governance framework:

• Operational Risk Management Committee: Oversees Policy implementation, reviews its effectiveness, and recommends improvements to align with regulatory guidelines.
• Principal Officer: A senior officer will be appointed as a Principal Officer, responsible for monitoring transactions, ensuring KYC/AML/CFT compliance, and reporting suspicious activities to the Financial Intelligence Unit – India (FIU-IND). The Principal Officer will also oversee adherence to regulatory guidelines.
• Designated Director: The Board will appoint a Designated Director to ensure compliance with the Prevention of Money Laundering Act (PMLA) and its rules. This Director will ensure that reporting obligations, including suspicious transaction reports (STRs), are met. Any changes in the Designated Director’s details will be promptly communicated to FIU-IND.

5. Key Elements of the Merchant Onboarding Procedure:

5.1 Pre-Onboarding Screening through Merchant KYC Application on Self Onboarding Portal

5.1.1 Prohibited Business List

Before or during the onboarding process, Emanypay’s internal team checks the merchant’s line of business to determine if it falls under the Prohibited Business Category. If the business is prohibited, the merchant’s application is outrightly rejected. If not, Emanypay proceeds with further processing.

Refer to the Indicative Prohibited Business List in Annexure 1.

5.1.2 Self-Onboarding Portal

5.1.2.1 Merchant Sign-Up

Merchants will sign up via Emanypay’s Self-Onboarding Portal by providing the following details:

• Full Name
• Mobile Number
• Email ID (verified via confirmation)
• Password

5.1.2.2 Merchant Application Details

After signing up, merchants must complete the Merchant Application by providing the following information. Emanypay verifies the accuracy of many of these details through integrated APIs to ensure a seamless onboarding process.

1. Merchant Contact Info

• Contact Person Name
• ID Proof (Aadhaar/Voter Card/Driving License) (API validation)
• Contact Number (OTP validation)
• Verified Email ID

2. Business Overview

• Business Type
• Business Category
• Business Description
• Website (HTTPS) / App URL (Google, Apple, Indus Store)
• Platform Type
• Expected Transactions/Year
• Average Ticket Amount
• Countries of Operation with Addresses

3. Business Details (as applicable)

• GST IN (API validation) or GST Declaration
• Udhyam Number (API validation)
• Business PAN (API validation)
• Business/Individual DOB/DOI (API validation)
• Business Legal Name (API validation)
• PAN Owner’s Name (API validation)
• Business Address
• CIN Number (API validation)

4. Bank Account Details (API validation via Penny Drop)

• IFSC Code
• Bank Account Number
• Account Holder Name
• Account Type
• Bank Name
• Branch Name

5.1.2.3 Upload KYC Documents

The merchant uploads KYC documents as per the KYC Document Checklist for backend verification. The KYC details are collected based on the firm’s constitution, including Company details, Director & Authorized Signatory information, and Bank details, as outlined in the KYC Checklist.

Refer KYC Checklist in Annexure 2.

5.1.2.4 Acceptance of Terms & Conditions, Privacy Policy, and Service Agreement

When submitting the KYC documents, a popup appears for agreeing our general Terms & Conditions and Privacy Policy. The merchant will only be allowed to submit once they have read the clauses of the Service Agreement in its entirety.

5.2 KYC Verification and Due-Diligence

5.2.1 API Validations

Once the required details are obtained, Emanypay triggers relevant APIs to validate the information with the respective issuing authorities.

5.2.2 Application Details & Document Verification

In addition to API validations, our Risk team manually verifies all the information and documents provided by the merchant. Any discrepancies identified will be flagged and communicated to the merchant through the relevant Account Manager or Sales Representative for confirmation and correction.

Simplified due diligence (SDD) & enhanced due diligence (EDD) will be conducted on merchants based on merchant types. EDD includes requesting additional documents such as bank account statements for the company or directors, notarized affidavits, business declarations, legal opinions, AoA & MoA, GST filings for the past 3-6 months, or any relevant industry-specific licenses, as deemed appropriate. Additionally, positive address confirmation is conducted through physical background verification, either via a third-party vendor or our internal team.

5.3 Risk Assessment

The Risk Team to conduct background and antecedent checks on merchants to ensure that such merchants do not have any malafide intention of duping customers, do not sell fake/ counterfeit/ prohibit product etc.

5.3.1 Sanction Screening

Emanypay performs sanction screening on merchants against various domestic and international sanction lists. If no match is found, the merchant can proceed with the onboarding process. If a match is found, the merchant will be rejected and escalated to the relevant authorities, such as the Financial Intelligence Unit of India (FIU-IND), in compliance with regulatory requirements.

5.3.2 Platform Compliance

To ensure the merchant’s platform meets the necessary compliance requirements, following checks are performed on the merchant’s website/application:

1. Invalid Web/App URL

   If the provided URL is incorrect or non-functional, onboarding will be denied. The business team will be notified to address the issue with the merchant.

2. SSL Certification & Application Functionality

   Merchants must ensure their website is secured with a valid SSL certificate, and that their application is fully operational.

3. Business/Legal Name Discrepancy

   If the legal name of the entity does not match the name displayed on the website, further clarification or documentation establishing the relationship between the entities will be required.

4. Website Redirection

   If the website redirects customers to a different site for purchases or payments, onboarding will be declined. The business team will follow up with the merchant. Additionally, we whitelist the website to ensure transactions occur only from the officially shared, compliant website.

5. Mandatory Platform Disclosures

   Merchants must ensure the following sections are prominently displayed on their website/app:

   • About Us

     A brief description of the company and the nature of its business.

   • Product/Service Details

     A description of all products/services offered, including accurate pricing in INR.

   • Contact Information

     Direct communication channels for customer support, including the legal business name, registered address (with PIN code), contact number, and email ID of the organization.

   • Shipping & Delivery Policy

     Information on expected delivery timelines and shipping processes.

   • Cancellation & Refund Policy

     Clearly defined policies regarding refunds, cancellations, returns, and exchanges, including timelines, modes of refund, and acceptable channels for cancellation requests.

   • Customer Grievance Redressal Mechanism

     A dedicated section detailing the process for handling customer complaints and grievances, which must be easily accessible on the website/app.

   • Terms & Conditions

     Clear and accessible terms outlining the rights and responsibilities of both the merchant and the customer, covering aspects such as website usage, payments, shipping, and warranties.

   • Privacy Policy

     Details on how customer data is collected, used, and protected, in compliance with Indian data protection laws. Include sections on information collection, third-party disclosures, user rights, and cookie policies.

   • Transaction Process & Checkout Flow

     Clear navigation through the transaction process, including an “Add to Cart” option, payment flow, and checkout button or redirection to payment methods.

5.4 Risk Categorization

The Risk Team will conduct a risk profiling of all merchants, categorizing them as High, Medium, or Low risk based on factors such as the merchant’s industry, identity, nature of business activity, location, type of products/services offered, and delivery channel used.

The Risk Team assigns the Merchant Category Code (MCC) based on the merchant’s business profile and the products or services listed on their platform.

5.5 Merchant Application Approval

After completing all the above steps—KYC Verification, Due Diligence, Risk Assessment, and Categorization—all details and processes are re-verified and validated by the approver. The approver will then either approve or reject the merchant’s application.

Based on the merchant’s risk category and overall risk perception, the approver will decide if a rolling reserve is required from the merchant to mitigate risks related to chargebacks, refunds, and/or fraud. This requirement will be clearly communicated and will form part of the agreement.

5.6 Physical Background Verification

We conduct Physical Background Verification as a part of enhanced due diligence to ensure that the business activities align with the provided location.

5.7 Agreement

A comprehensive, legally binding contract is established, which includes merchant details such as name, address, business description, commercials, and settlement account information. The clauses of the merchant agreement are already agreed upon by the merchant when submitting their application on the Merchant Onboarding Portal.

5.8 Integration & PCI-DSS & PA-DSS Compliance Checks

Emanypay is responsible for checking Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS) compliance of the merchant infrastructure, as applicable, during the merchant onboarding process. This compliance will depend on the chosen method of integration. There are two distinct integration methods that can be implemented, as outlined below:

5.8.1 Payment Through Emanypay’s Checkout Page:

In this method, Emanypay provides the merchant with a checkout page where the payment processing takes place. Since Emanypay directly handles the payment processing, the merchant is not involved in storing, processing, or transmitting any card details. PCI-DSS and PA-DSS compliance checks are managed by Emanypay.

5.8.2 Payment Processing at Merchant’s Checkout Page and PCI-DSS & PA-DSS Compliance

In cases where the merchant processes transactions through their own checkout page, the following additional checks must be performed before any further actions can be taken:

• Ensuring the merchant site does not store customer card data and any such related data but may store limited data for transaction tracking in compliance with applicable standards.
• Obtaining relevant PCI-DSS & PA-DSS certificates from the merchant, or if applicable, a compliance certification from the auditor who conducted the PCI-DSS & PA-DSS audit of the merchant.
• Ensuring that merchant agreements include provisions for customer data security, PCI-DSS & PA-DSS compliance, and incident reporting obligations.
• Emanypay, banks, or regulators reserve the right to conduct security audits of merchant infrastructure to verify compliance with PCI-DSS & PA-DSS standards, as and when required. Periodic security assessment reports will be obtained based on risk assessments.

5.8.3 Integration

The merchant’s developer downloads the test kit from the Emanypay website based on their platform. The merchant will receive an onboarding kit for web integration and transaction testing. A UAT (User Acceptance Testing) integration is conducted by the merchant’s developer accordingly. Upon completion of UAT testing, the UAT checklist is submitted to the Emanypay technology team. Once the checklist is submitted, production details are shared with the merchant’s developers, and the merchant goes live after the following checks and controls:

• Rate mapping
• Rate checking
• Challan template creation (if applicable)
• Q-Form building (if applicable)
• Live kit shared with the merchant
• Live testing performed
• Proper passing of parameters is checked

Upon successful completion of the onboarding process, Emanypay will activate the merchant’s account according to the agreement and commercial terms. The Merchant Identification Number (MID) and Terminal Identification Number (TID) will be generated. Once the merchant confirms successful integration through User Acceptance Testing (UAT), they will be activated in the Emanypay system and can begin processing transactions and collecting payments.

5.9 Ongoing Due Diligence

Emanypay conducts ongoing due diligence of merchants to ensure that their transactions align with our knowledge about the merchant, merchant’s business & risk profile. The extent of monitoring will be aligned with the merchant’s risk category.

5.9.1 Transaction Monitoring:

Transactions are closely monitored based on the following red flags that could signal potentially fraudulent activity:

• Large and complex transactions, or those with unusual patterns inconsistent with normal and expected activity of the merchant, which have no apparent economic rationale or legitimate purpose.
• Transactions exceeding prescribed thresholds for specific merchant categories.
• Transactions are not in line with declared ticket size and volume
• Multiple failed transaction attempts
• High/Moderate dependency on credit/debit card transactions - more than 50% of the total transaction
• Repeated use of payer details (name, number, email)
• Sudden spikes in transaction value or volume
• Historical chargebacks, refund rates, etc.

5.9.2 Enhanced Due Diligence

Emanypay conducts enhanced due diligence (EDD) to actively manage and mitigate risks related to money laundering and terrorist financing for high-risk merchants. High-risk merchants are prioritized for more intensive monitoring of transaction patterns, additional business documentation requirements, and ongoing due diligence through automated systems to detect suspicious activities.

5.9.2.1 Leveraging AI & ML Technologies for Enhanced Transaction Monitoring

Emanypay employs real-time transaction monitoring tools based on rule-based algorithms, continuously refined to enhance fraud detection systems in alignment with FIU IND guidelines. These rules are designed to identify potential fraud or suspicious activities by flagging transactions that deviate from expected behavior for further review. The following rule types are actively used, as deemed necessary, to detect potentially fraudulent and suspicious transactions:

• Threshold Rules: Monitor specific transaction amounts or frequencies. Alerts are triggered when transactions exceed predefined thresholds, flagging large transactions for review.
• Velocity Rules: Track the speed or frequency of transactions. Rapid or unusual activity, such as a high number of transactions within a short period, is flagged for investigation.
• Geographic Rules: Analyze transactions across regions. Transactions involving high-risk countries or regions known for financial crimes are flagged for proactive risk management.
• Pattern Recognition Rules: Detect transactional patterns commonly associated with fraud or money laundering. Deviations from expected patterns are flagged for further analysis.
• Merchant Behavior Rules: Monitor individual merchant transaction patterns, including recurring chargebacks. Significant deviations from typical behavior are flagged for further analysis to assess potential fraud, customer dissatisfaction, or operational inefficiencies.
• Historical Data Analysis: Past transaction data is analyzed to identify patterns associated with fraudulent activities. This analysis helps refine the system’s ability to detect similar activities in real-time and address emerging fraud trends or money laundering schemes.
• Continuous Improvement: The transaction monitoring algorithms are continuously trained using validated fraud cases, improving their accuracy and reducing false positives over time. This ongoing learning process ensures the system becomes better at distinguishing between legitimate and suspicious transactions.

Fraudulent or suspicious activities are flagged in real-time for immediate action. All irregularities are escalated to the relevant stakeholders for review, resolution, and reporting in alignment with established guidelines.

5.9.2.2 Website Whitelisting

Additionally, we whitelist the officially shared websites of high and medium-risk merchants to ensure that transactions occur only from compliant sites. The merchant’s website will also be regularly audited to detect any fraudulent activity, including content violations, changes in contact information, illegal products or services, and other reputational risks.

5.9.2.3 App Based Merchant

For app-based merchants, to ensure that the apps are accessible and meet certain standards, Emanypay onboard only those merchants whose app is available on the Google Play Store, Apple App Store, and Indus Store.

5.9.3 Suspicious Transaction Reporting Obligations

Emanypay will ensure compliance with all regulatory requirements for reporting suspicious transactions and maintaining proper records in line with the Prevention of Money Laundering Act (PMLA) and associated rules. The following steps outline the process for regulatory reporting and records management:

5.9.3.1 Ongoing Transaction Monitoring and Risk Mitigation

Emanypay continuously monitors transactions to identify deviations from expected patterns, detect potential risks, flag suspicious activities, and investigate them through transaction screening and monitoring tools, along with manual techniques designed to analyse unusual patterns.

5.9.3.2 Suspicious Transaction Reporting

Once a suspicious transaction is found, a Suspicious Transaction Report (STR) will be filed with the Financial Intelligence Unit - India (FIU-IND) via the Fin Gate 2.0 portal within the prescribed period.

5.9.3.3 Record Management

The Principal Officer will retain a copy of all reported information for official records. The Principal Officer will also assist authorities with any inquiries, clarifications, or specific requisitions.

5.9.4 Periodic Risk Assessment & Categorization

5.9.4.1 Periodic Risk Assessment

The Risk Team will conduct periodic risk assessments on active/transacting Merchants to validate their assigned risk profiles and transaction patterns. The assessments will be performed once every six months.

The Company reserves the right to request additional documentation in compliance with RBI’s KYC/Re-KYC guidelines, temporary ceasing of operations or terminating the Merchant agreement, based on the outcomes of these monitoring activities.

5.9.4.2 Risk Re-Categorization

The risk classification of Merchants will be periodically reassessed based on ongoing monitoring of their activities and transaction patterns. If warranted, a Merchant’s risk profile may be upgraded from low to medium or high, depending on the results of periodic risk assessments.

5.9.4.3 Updation/Periodic Updation of KYC

Emanypay adopts a risk-based approach for periodic updation of KYC to ensure that the information or data collected under Customer Due Diligence (CDD) remains up-to-date and relevant. The frequency of periodic KYC updation will vary based on the risk profile of the merchants:

• High-Risk Merchants: Periodic updation shall be done at least once every two years from the date of onboarding or the last KYC update.
• Medium-Risk Merchants: Periodic updation shall be done at least once every eight years from the date of onboarding or the last KYC update.
• Low-Risk Merchants: Periodic updation shall be done at least once every ten years from the date of onboarding or the last KYC update.

1. Updation / Periodic Updation of KYC for Individuals

• No Change in KYC Information: If there is no change in KYC information, a self-declaration in this regard must be obtained from the merchant via the merchant’s registered email, mobile number or letter etc.
• Change in Address: If there is a change in the address, the merchant must submit a self-declaration of the new address which must be verified within two months via positive confirmation methods through CPV.

2. Updation / Periodic Updation of KYC for Legal Entities

• No Change in KYC Information: If there is no change in the KYC information, a self-declaration in this regard must be obtained from the Legal Entity (LE) through the LE’s registered email, digital channels, or a letter from an authorized official of the LE. Additionally, REs must verify and update the Beneficial Ownership (BO) information as needed to ensure its accuracy.
• Change in KYC Information: If there is a change in the KYC information, the Emanypay performs the full KYC process, similar to the onboarding process for a new LE merchant.

3. Additional Requirements

• KYC Documents: If there is no change in merchant information, but the KYC documents are outdated or no longer comply with current CDD standards, the RE must undertake the KYC process as applicable for onboarding a new merchant.
• Acknowledgment: After receiving the necessary KYC updates, Emanypay will provide an acknowledgment to the merchant, specifying the date of receipt of the relevant documents, including the self-declaration.
• Data Update: All updated KYC information and documents must be promptly recorded and updated in Emanypay’s systems.

6. Record Management

In compliance with the Master KYC Guidelines issued by the Reserve Bank of India (RBI) under the Prevention of Money Laundering (PML) Act and Rules, Emanypay adheres to the following procedures concerning the maintenance, preservation, and reporting of merchant information to ensure compliance with applicable regulations:

6.1 Transaction Record Maintenance System

Emanypay has implemented a system to maintain all necessary records of merchant transactions, prescribed under PML Rule 3, to permit reconstruction of individual transactions. These records are preserved for a minimum period of five years from the date of the transaction including transactions details such as nature, amount, date and parties involved.

6.2 Merchant Identification and Address Records

Emanypay ensures that all records pertaining to the identification of merchants, including updated identification data, account files, business correspondence, and any results of analysis undertaken of onboarded merchants preserved for at least five years after the business relationship is ended.

6.3 Availability of Records for Authorities

Emanypay ensures that merchant identification and transaction records are made available to the competent authorities upon request. This process will be carried out in full compliance with the regulatory requirements outlined by the RBI.

6.4 Non-Profit Organization (NPO) Registration

For merchants who are non-profit organizations (NPOs), Emanypay shall ensure that the details of such merchants are registered on the DARPAN Portal of NITI Aayog. If the merchant’s details are not registered, Emanypay shall take the necessary steps to complete the registration. These records shall be maintained for a period of five years after the business relationship has ended.

7. Review

Operational Risk Management Committee (ORMC), a committee approved by the board, will review the Merchant Onboarding Policy annually to ensure its continued suitability, adequacy, and effectiveness. This review will incorporate any changes in applicable laws and identify the need for revisions to internal processes. Additionally, policy will be reassessed whenever significant regulatory changes occur.

In the event of material changes to the regulatory framework or operational requirements, recommendations will be made to the ORMC for consideration. All updates and changes will be approved by the ORMC and communicated to relevant stakeholders, including merchants and staff.

Until the next review, this policy will be interpreted in conjunction with any modifications advised by regulatory authorities, such as the RBI and NPCI. In cases of conflict between this policy and applicable RBI guidelines or other statutory regulations, the latter will take precedence.

Annexures

Annexure 1: Indicative Prohibited Business List

1. Adult Goods and Services

• Pornography and other sexually suggestive materials (including literature, imagery, and other media)
• Escort or prostitution services
• Website access and/or website memberships of pornography or illegal sites

2. Alcohol as per applicable laes and regulations

• Alcoholic beverages such as beer, liquor, wine, or champagne

3. Body Parts

• Organs or other body parts

4. Bulk Marketing Tools

• Email lists, software, or other products enabling unsolicited email messages (spam)

5. Cable Descramblers and Black Boxes

• Devices intended to obtain cable and satellite signals for free

6. Child Pornography

• Pornographic materials involving minor

7. Copyright Unlocking Devices

• Mod chips or other devices designed to circumvent copyright protection

8. Copyrighted Media

• Unauthorized copies of books, music, movies, and other licensed or protected materials
• Copyrighted software, including unauthorized copies of software, video games, and other licensed or protected materials (including OEM or bundled)

9. Counterfeit and Unauthorized Goods

• Replicas or imitations of designer goods
• Items without a celebrity endorsement that would normally require such an association
• Fake autographs, counterfeit stamps, and other potentially unauthorized goods

10. Drugs and Drug Paraphernalia

• Illegal drugs and drug accessories, including herbal drugs like salvia and magic mushrooms

11. Drug Test Circumvention Aids

• Drug cleansing shakes, urine test additives, and related items

12. Endangered Species

• Plants, animals, or other organisms (including product derivatives) in danger of extinction

13. Gambling

• Lottery tickets, sports bets, memberships/enrollment in online gambling sites, and related content
• Skill-based games can be allowed on a case-by-case basis

14. Government IDs or Documents

• Fake IDs, passports, diplomas, and noble titles

15. Hacking and Cracking Materials

• Manuals, how-to guides, information, or equipment enabling illegal access to software, servers, websites, or other protected property

16. Illegal Goods

• Materials, products, or information promoting illegal goods or enabling illegal acts

17. Miracle Cures

• Unsubstantiated cures, remedies, or other items marketed as quick health fixes

18. Offensive Goods

• Literature, products, or other materials that defame or slander any person or group based on race, ethnicity, national origin, religion, sex, or other factor
• Encouragement or incitement to violent acts
• Materials that promote intolerance

19. Offensive Goods - Crime

• Crime scene photos or items, such as personal belongings, associated with criminals
• Encouragement or incitement to violent acts
• Materials that promote intolerance

20. Pyrotechnic Devices, Combustibles, Corrosives, and Hazardous Materials

• Explosives and related goods
• Encouragement or incitement to violent acts
• Materials that promote intolerance

21. Regulated Goods

• Airbags, batteries containing mercury, Freon or similar substances/refrigerants, chemical/industrial solvents, government uniforms, car titles, license plates, police badges and law enforcement equipment
• Lock-picking devices, pesticides, postage meters, recalled items, slot machines, surveillance equipment, and other goods regulated by government or other agencies

22. Tobacco and Cigarettes

• Cigarettes, cigars, chewing tobacco, and related products

23. Traffic Devices

• Radar detectors/jammers, license plate covers, traffic signal changers, and related products

24. Weapons

• Firearms, ammunition, knives, brass knuckles, gun parts, and other weapons

25. Wholesale Currency

• Discounted currencies or currency exchange schemes

26. Live Animals or Animal Parts

• Live animals or hides/skins/teeth, nails, and other parts of animals

27. Multi-Level Marketing Collection

• Matrix sites or sites using a matrix scheme

28. Non-Compliance with Applicable Laws

• Any product or service not in compliance with all applicable laws and regulations, whether federal, state, local, or international, including laws in India

29. Risk to Payment Gateway Reputation

• Services that may harm the payment gateway facilitators’ reputation or are prone to chargeback and fraud (e.g., adult material, escort services, friend finders)

30. Ambiguous Legal Areas

• Businesses operating in legal areas that are unclear or ambiguous (e.g., web-based telephony, websites supplying controlled substances, online matchmaking services)

31. Outrightly Banned by Law

• Businesses banned by law (e.g., betting & gambling, publications or content leading to moral turpitude, lotteries, and sweepstakes)

32. Pyramid Schemes and Get-Rich-Quick Schemes

• Businesses involved in pyramid marketing schemes or quick wealth schemes

33. Harmful Products or Services

• Any product or service deemed detrimental to the interests of the acquiring bank or facilitator, as communicated by them

34. Mailing and Virtual Currency

• Mailing services
• Virtual currency, cryptocurrency, or prohibited investments for commercial gain or credits that can be monetized, re-sold, or converted

35. Money Laundering

• Activities related to money laundering

36. Database Providers

• Database providers for tele-callers

37. Activities Prohibited by the Telecom Regulatory Authority of India

• Any activities prohibited by the TRAI

38. Other Prohibited Activities

• Any other activities prohibited by applicable laws

Annexure 2: KYC Checklist