TL;DR
- FIU guidelines classify exchanges as VDA service providers, requiring live identity checks, location data, bank verification, and PAN.
- Platforms must strengthen CDD, verify customers via independent sources, and record identifiers such as timestamped IPs, geolocation, device IDs, wallet addresses, and hashes.
- The guidelines discourage ICOs and ITOs, require enhanced due diligence for high-risk clients, require exchanges to block mixers and tumblers, and require transaction records to be retained for five years or until investigations conclude.
India’s Financial Intelligence Unit has tightened oversight of crypto platforms with guidelines issued on January 8, adding stricter identity and monitoring requirements aimed at curbing illicit activity. Crypto exchanges are now formally classified as Virtual Digital Asset service providers and must adopt enhanced Anti-Money Laundering and Know Your Customer procedures. Platforms must collect PAN, real-time location data, verified bank details, and run live identity checks. Regulators argue that pseudonymous transfers raise misuse risks when controls are weak. The message is simple: onboarding is being redesigned as a compliance checkpoint that reduces enforcement uncertainty across exchanges.
Compliance scope expands from KYC to continuous monitoring
Under the guidance, reporting entities must move past static document uploads at sign-up and carry out live identity verification alongside stronger Client Due Diligence processes. The FIU points to the speed and pseudonymous nature of crypto transactions as a risk multiplier, warning that weak controls can invite misuse for money laundering, terror financing, and proliferation financing. Exchanges are instructed to identify customers using reliable, independent sources and to broaden the signals used for verification, monitoring, and risk assessment. This section reframes KYC as a dynamic test of presence and intent, not paperwork.
The updated checklist calls for technical identifiers including IP addresses with timestamps, geolocation data, device IDs, wallet addresses, and transaction hashes, all aimed at supporting verification, monitoring, and risk scoring. Platforms must also collect and verify a customer’s Permanent Account Number before any VDA activity. Bank account checks tighten via a penny-drop mechanism to confirm ownership and operational status, plus secondary ID and OTP verification. In FY 2024-25, 49 exchanges registered with FIU-IND, 45 India-based and 4 overseas. WazirX founder Nischal Shetty said similar controls already exist at major venues, and the framework removes ambiguity.
The FIU’s framework also targets fundraising, saying it is designed to strongly discourage Initial Coin Offerings and Initial Token Offerings due to concerns over economic rationale, disclosure standards, and risk mitigation. Enhanced due diligence becomes mandatory for high-risk transactions, politically exposed persons, non-profit organizations, and clients linked to FATF grey or black list jurisdictions. Exchanges must deploy tools to detect mixers, tumblers, and other anonymity services and block them when identified. Recordkeeping becomes non-negotiable, with identity and transaction data retained for at least five years or until investigations conclude, as tax officials warn enforcement could weaken.
