CFT in KYC stands for Countering the Financing of Terrorism, the third compliance pillar that sits alongside Know Your Customer (KYC) and Anti-Money Laundering (AML). Where KYC proves who the customer is and AML tracks the origin of funds, CFT asks a different question: where is the money going, and could it end up funding an act of terror?
For an Indian bank, non-banking financial company (NBFC), or fintech, cft kyc is not an abstract compliance label. It is a live operational obligation, enforced through the Prevention of Money Laundering Act (PMLA), the Reserve Bank of India (RBI) Master Direction on KYC, and the Financial Intelligence Unit-India (FIU-IND). This guide walks through what CFT means, how it differs from AML, and how India’s regulatory stack turns CFT from principle into practice.
What Does CFT Mean in KYC?
CFT is the set of laws, screening processes, and reporting duties that stop funds, licit or illicit, from reaching terrorist individuals, groups, or acts. It runs on the same identity data that KYC collects, which is why the two are almost always discussed together. A strong KYC foundation is the practical entry point for every CFT control that follows.
CFT full form and definition
CFT is short for Countering the Financing of Terrorism. Some regulators and industry bodies also use “Combating the Financing of Terrorism,” and a few use “Counter-Terrorism Financing” (CTF). All three refer to the same discipline.
The financing problem is distinct from money laundering. Terrorist financing can involve small amounts, legitimate sources like salaries or donations, and non-bank channels such as hawala or mobile wallets. A control set designed only to spot large, illicit flows will miss much of it. That is why CFT sits next to AML as its own pillar, not as a sub-section of it.
The KYC-AML-CFT triangle
Most compliance teams run KYC, AML, and CFT as a single programme, often labelled AML/CFT. The logic is simple: KYC supplies the identity signal, AML watches the money trail for illicit origin, and CFT watches the same trail for terror-linked destinations. Remove any one leg and the other two lose context.
This is why regulators like FIU-IND and the RBI publish a combined AML/CFT framework rather than three separate rulebooks. The next question, then, is where AML ends and CFT begins.
CFT vs AML: What’s the Difference?
AML and CFT share tools, sanctions lists, customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting, but they answer different questions. Conflating them leads to blind spots, especially around small-value transfers and non-profit channels that CFT cares about more than AML does.
Source of funds vs use of funds
AML is oriented to the source of funds. An investigator asks whether the money originated from a predicate offence such as fraud, drug trafficking, or corruption, and then whether it was placed, layered, and integrated to hide that origin.
CFT is oriented to the use of funds. The money itself may be clean, a regular paycheque, a business payment, or a donation, but the destination or purpose is what makes it a crime. That shift matters because classical AML red flags like large cash deposits or structured transfers do not always appear in terrorist financing. Pattern recognition has to change.
Side-by-side comparison table
| Dimension | AML | CFT |
|---|---|---|
| Primary concern | Source of funds (illicit origin) | Use of funds (terror destination) |
| Typical red flags | Structuring, layering, shell entities, round-tripping | Small, frequent transfers; links to sanctioned individuals; NPO abuse |
| Regulatory basis in India | PMLA, 2002 | PMLA read with the Unlawful Activities (Prevention) Act (UAPA), 1967 |
| Reporting obligation | Suspicious Transaction Report (STR), Cash Transaction Report (CTR) | STR (terror financing typology), UAPA-linked freezing actions |
| Investigative authority | Enforcement Directorate (ED), FIU-IND | National Investigation Agency (NIA), Ministry of Home Affairs (MHA), FIU-IND |
Once the distinction is clear, the global scaffolding that shapes both disciplines comes into view.
The Global CFT Framework
CFT does not exist in one country in isolation. It follows a common international playbook because terror finance itself moves across borders. The Financial Action Task Force (FATF) sets the standards, and national regulators translate them into domestic law.
FATF recommendations and the risk-based approach
The FATF issues the 40 Recommendations on AML/CFT, along with specific guidance on terrorist financing, proliferation financing, and virtual assets. Countries are assessed on technical compliance and on effectiveness of implementation through mutual evaluations. See the FATF Recommendations for the current standard.
The central principle FATF asks countries to apply is the risk-based approach. Rather than treat every customer or transaction identically, reporting entities must identify, assess, and prioritise their highest terror-finance and money-laundering risks, and allocate controls accordingly. For a bank, that translates into risk-tiered onboarding, enhanced due diligence (EDD) for high-risk customers, and ongoing monitoring tuned to the actual threat profile.
Key national regulators
Beyond FATF, several regulators set CFT rules that Indian entities often have to consider, especially when they operate cross-border or serve non-resident customers.
- The United States Financial Crimes Enforcement Network (FinCEN) enforces the Bank Secrecy Act.
- The United Kingdom Financial Conduct Authority (FCA) supervises regulated firms on financial crime.
- The European Union’s new Anti-Money Laundering Authority (AMLA) is consolidating supervision across member states.
- The United Nations Security Council publishes consolidated sanctions lists under resolutions such as UNSCR 1267 and UNSCR 1373, which bind all member states to freeze the assets of designated terrorists and groups.
Each of these bodies feeds into India’s own list of screening obligations. How India operationalises them is where the real detail lives.
CFT Under India’s PMLA and RBI Framework
India runs one of the more comprehensive AML/CFT regimes in Asia, built on a handful of statutes and a single set of KYC rules for regulated entities. If you work in compliance at an Indian fintech, bank, or payments firm, this is the stack you are actually accountable to.
PMLA 2002 and its CFT scope
The Prevention of Money Laundering Act, 2002 (PMLA) is the anchor statute. It criminalises money laundering, empowers attachment and confiscation of proceeds of crime, and places reporting duties on banks, NBFCs, payment system operators, intermediaries, and more. See the Reserve Bank of India for how these duties flow to regulated entities.
Successive amendments have broadened the CFT footprint. The 2012 amendment expanded predicate offences and strengthened enforcement tools. More recently, a March 2023 notification brought Virtual Digital Asset (VDA) service providers, crypto exchanges, wallet providers, custodians, under PMLA, pulling them into the same AML/CFT reporting regime that banks already follow.
RBI Master Direction on KYC (CFT provisions)
For the entities the RBI supervises, the operational rulebook is the Master Direction on KYC. It is updated frequently and consolidates what a Reporting Entity must do for customer identification, risk categorisation, record-keeping, and reporting, including the CFT-specific requirements.
The Master Direction requires reporting entities to maintain a written KYC policy covering risk assessment, a customer acceptance policy, CDD and EDD procedures, and defined workflows for filing STRs, CTRs, Counterfeit Currency Reports (CCRs), and Non-Profit Organisation Transaction Reports (NTRs) with FIU-IND. Our detailed walkthrough of these obligations lives in our AML compliance guide, which covers how these policies fit together in practice.
FIU-IND as India’s financial intelligence unit
The Financial Intelligence Unit-India is the central agency that receives, analyses, and disseminates financial intelligence to enforcement bodies. Reporting entities file STRs, CTRs, CCRs, and NTRs with FIU-IND on a defined schedule, and FIU-IND shares actionable intelligence with the ED, NIA, Central Bureau of Investigation (CBI), and state agencies.
Since the 2023 VDA notification, FIU-IND has also become the registration point for crypto and VDA service providers operating in or targeting India. A provider that fails to register is treated as operating outside the legal framework, which has already led to high-profile access restrictions on non-compliant exchanges.
UAPA and terrorist designation in India
CFT enforcement in India also runs through the Unlawful Activities (Prevention) Act, 1967 (UAPA). The UAPA schedules list designated terrorist individuals and organisations. Once a person or entity is designated, reporting entities must freeze their funds and report the freezing action, typically in coordination with the MHA. The Ministry of Home Affairs maintains the list and notifies changes that flow through the regulated sector almost immediately.
With the legal framework in place, the next question is how day-to-day KYC operations actually deliver CFT outcomes.
How KYC Enables CFT Compliance
CFT is only as strong as the identity data it runs on. A shaky onboarding process produces duplicate accounts, synthetic identities, and unverified beneficial owners, and every CFT control downstream inherits those weaknesses. This is why regulators describe KYC as the front door of the AML/CFT programme.
Customer identification as the CFT entry point
The Customer Identification Programme (CIP), document verification, liveness checks, and beneficial ownership resolution, is the minimum CFT baseline. If an entity cannot confidently answer “who is this customer,” it cannot screen them against sanctions lists, risk-tier them, or interpret their transaction behaviour. Our what is KYC compliance guide goes deeper into the CIP foundation.
Sanctions, PEP, and watchlist screening
Every customer, at onboarding and on an ongoing basis, must be screened against the UN Security Council consolidated list, the United States Office of Foreign Assets Control (OFAC) list, the European Union consolidated list, and India’s MHA UAPA designations. Politically Exposed Person (PEP) screening adds another layer of scrutiny. A deeper treatment of the process lives in our sanctions screening explainer and our PEP screening process breakdown. Screening is not a one-time event; lists update frequently, so continuous rescreening is the norm.
Transaction monitoring and STRs
Once a customer is onboarded, transaction monitoring looks for patterns consistent with terror finance: small-value transfers to high-risk geographies, rapid movement between unrelated accounts, or sudden activity in a previously dormant account. When a pattern crosses the threshold, the reporting entity files an STR with FIU-IND. Our AML transaction monitoring primer covers how modern rule engines and behavioural analytics catch these signals earlier.
These controls all share the same weakness: they fail if the identity at the top of the stack is wrong. That is where digital identity earns its place in the CFT conversation.
Aadhaar eKYC and Video KYC as CFT Enforcement Tools
India has one of the most advanced digital identity stacks in the world, and it directly strengthens CFT. High-assurance identity is harder to fake, faster to verify, and far easier to audit than paper-based onboarding. For a compliance team, that means fewer synthetic identities slipping through and a cleaner base for every downstream CFT control.
Aadhaar eKYC for high-assurance identity
Aadhaar electronic KYC (eKYC), delivered through biometric or one-time password (OTP) authentication, lets permitted reporting entities verify a customer against the Unique Identification Authority of India (UIDAI) database in real time. For CFT, this matters because the identity being screened is tied to a biometric or device-bound factor, not just a scanned document. Spoofing, identity theft, and mule-account creation all become materially harder.
Video KYC (V-CIP) and live interaction verification
The RBI’s Video-based Customer Identification Process (V-CIP) adds a live human or AI-assisted check on top of document verification. It requires liveness detection, geotagging inside India, random question prompts, and an auditable video recording. From a CFT standpoint, V-CIP closes the synthetic identity gap that static selfies cannot. Our RBI Video KYC guidelines walkthrough unpacks each requirement.
AI and biometric detection for evolving TF tactics
Terror finance tactics evolve, and so must identity checks. Deepfake detection, document forgery forensics, and behavioural signals now sit inside modern onboarding flows, catching manipulated selfies, recycled identity documents, and bot-driven account farms before they become live accounts. This is the layer HyperVerge builds, and it is what turns Aadhaar eKYC and V-CIP from a box-ticking exercise into a real CFT control.
With the tools clear, the final piece is packaging them into a practical programme.
CFT Compliance for Indian Fintechs and FIs: A Practical Checklist
A CFT programme is only as useful as its implementation. The following checklist condenses the statutory and operational requirements into actions a compliance lead can sign off on this quarter.
Onboarding controls
Confirm that every new customer is subjected to a documented identity assurance level, either Aadhaar eKYC, V-CIP, or offline Aadhaar, depending on the product. Run sanctions and PEP screening on day zero, not at month-end. Assign a risk tier at onboarding and record the rationale so that the decision is auditable later.
Ongoing monitoring controls
Keep transaction monitoring rules tuned for CFT typologies, not only AML typologies, and review the rule set at least annually. Define clear re-KYC triggers such as risk category upgrade, change in beneficial ownership, or unusual transaction patterns. Maintain STR filing discipline with a defined service level from alert to filing.
Governance and reporting controls
Designate a Principal Officer and, where required, a Money Laundering Reporting Officer (MLRO), with direct reporting to the board or a board-level committee. Retain KYC records and transaction data for the full statutory period, typically five years after the end of the business relationship. Run an independent AML/CFT audit annually and close findings on a tracked timeline.
FAQs
What is CFT in KYC?
CFT in KYC is the set of checks that stops funds from reaching terrorists or terror acts, using the identity data KYC collects. It runs alongside AML as the third pillar of a financial crime programme and covers sanctions screening, watchlist checks, transaction monitoring, and suspicious transaction reporting to FIU-IND.
How is CFT different from AML?
AML targets the source of funds and asks whether money came from a predicate crime. CFT targets the use of funds and asks whether money is heading to a terrorist person, group, or act. The tools overlap, customer due diligence, monitoring, and reporting, but the red flags and legal hooks differ, especially in India where UAPA drives CFT enforcement.
What is CFT under RBI regulations in India?
Under RBI rules, CFT is built into the Master Direction on KYC. Reporting entities must maintain a written KYC policy, run customer due diligence, screen against UN and MHA UAPA lists, monitor transactions, file STRs and other reports with FIU-IND, and designate a Principal Officer accountable for the programme.
How do banks implement CFT measures?
Banks implement CFT through risk-tiered onboarding, Aadhaar eKYC or Video KYC for identity, continuous sanctions and PEP screening, transaction monitoring tuned to terror-finance typologies, and trained staff who escalate suspicious activity to the Principal Officer for STR filing with FIU-IND.
See how HyperVerge’s Aadhaar eKYC, Video KYC, and sanctions and PEP screening APIs enforce CFT at scale for Indian financial institutions. Start your free HyperVerge account and see the stack in action.
