In a significant regulatory move, India's Financial Intelligence Unit (FIU) has introduced a stringent new compliance framework for cryptocurrency exchanges operating within the country. The guidelines, issued on January 8, mandate rigorous Anti-Money Laundering (AML) and Know Your Customer (KYC) procedures, fundamentally altering the user onboarding process for digital asset platforms.
Enhanced Verification: Beyond Basic Documents
Under the updated norms, crypto exchanges are now formally classified as Virtual Digital Asset (VDA) service providers. The FIU has directed these platforms to move far beyond simple document uploads for customer identification. A key new requirement is the "live selfie" verification, where users must take a photograph using specialized software that confirms their physical presence through actions like eye-blinking or head movement. This measure is specifically designed to thwart the use of static images or sophisticated deepfakes during account creation.
Furthermore, exchanges are now obligated to capture precise geographical data at the moment of onboarding. This includes the latitude and longitude, date, timestamp, and IP address from where the account registration process is initiated. For bank account validation, the guidelines enforce the "penny-drop" method, involving a nominal transaction of one rupee to confirm the account is active and belongs to the registrant.
Stricter Identity Checks and Record-Keeping
The identity verification process has been substantially tightened. In addition to providing a Permanent Account Number (PAN), users must now submit a secondary official document. Acceptable forms include a Passport, Aadhaar card, or Voter ID. Both the provided email ID and mobile number must also undergo a one-time password (OTP) verification.
The FIU, which operates under the Union Finance Ministry, has outlined clear rules for ongoing compliance and risk management. KYC details must be updated every six months for clients deemed "high-risk" and annually for all other users. Enhanced due diligence is mandated for individuals or entities associated with higher risks, such as those linked to tax havens, jurisdictions on FATF's grey or black lists, politically exposed persons (PEPs), and non-profit organisations (NPOs).
Exchanges are required to preserve comprehensive client records, including identity, address, and transaction history, for a minimum of five years, retaining them until any ongoing investigation is concluded.
Cracking Down on Opaque Transactions and ICOs
The regulatory body has taken a particularly tough stance against mechanisms that obscure financial trails in the crypto ecosystem. The guidelines explicitly seek to "strongly discourage" Initial Coin Offerings (ICOs) and Initial Token Offerings (ITOs), labeling them as activities that "lack" justified economic rationale and pose "heightened and complex" money laundering and terror financing risks.
Tools like anonymity-enhancing crypto tokens, tumblers, and mixers have been flagged as instruments designed to conceal the origin, ownership, or value of transactions. The FIU has directed that such transactions must not be facilitated by exchanges and should immediately trigger appropriate risk-mitigation measures.
As the single-point regulator for crypto exchanges under the Prevention of Money Laundering Act (PMLA), the FIU requires all platforms to register as reporting entities. This obligates them to submit regular reports on suspicious transactions and maintain all necessary records to help authorities identify and combat risks related to money laundering, terrorist financing, and proliferation financing. While crypto assets are not legal tender in India, they remain subject to taxation under the Income-Tax law.
