In a significant move to clamp down on financial crime within the digital asset space, India's Financial Intelligence Unit (FIU) has rolled out a stringent set of new compliance protocols for cryptocurrency exchanges. The updated Anti-Money Laundering (AML) and Know Your Customer (KYC) guidelines, issued on January 8, 2026, introduce biometric verification and real-time location tracking for user onboarding, marking a new era of oversight for the sector.
Beyond Static Documents: The New Verification Mandate
The FIU, which functions under the Union Finance Ministry, now classifies crypto platforms as Virtual Digital Asset (VDA) service providers. The rules move far beyond simple document uploads. A cornerstone of the new framework is the requirement for a "live selfie" from users during account creation. This must be taken using specialized software that employs liveness detection technology, such as prompting the user to blink or move their head. This measure is designed to thwart the use of static photographs or sophisticated deepfakes to create fraudulent accounts.
Furthermore, exchanges are now obligated to capture and record precise geographical data at the moment an account is initiated. This includes the user's exact latitude and longitude, along with the date, timestamp, and IP address. To confirm the authenticity of linked bank accounts, the "penny-drop" method—processing a nominal transaction of one rupee—is now compulsory.
Enhanced Due Diligence and High-Risk Categories
The identity verification process has been substantially tightened. In addition to providing a Permanent Account Number (PAN), users must submit a secondary government-issued ID, such as a Passport, Aadhaar, or Voter ID. Email and mobile phone numbers must also be verified via OTP.
The guidelines mandate a risk-based approach to ongoing monitoring. For clients deemed "high-risk," KYC details must be updated every six months, while for all other users, an annual refresh is required. Enhanced due diligence is prescribed for specific high-risk categories. This includes individuals or entities with connections to tax havens, jurisdictions on the FATF grey or black lists, politically exposed persons (PEPs), and non-profit organisations (NPOs).
Targeting Anonymity and Preserving Records
The FIU's guidelines take a particularly dim view of certain crypto activities. They aim to "strongly discourage" Initial Coin Offerings (ICOs) and Initial Token Offerings (ITOs), citing their lack of clear economic justification and associated high risks for money laundering and terror financing.
Similarly, the use of tools designed to obscure transaction trails, such as anonymity-enhancing crypto tokens (AECs), tumblers, and mixers, is flagged. The guidelines explicitly state that exchanges must not facilitate such transactions and must implement strong risk mitigation measures if they are detected.
On the record-keeping front, all reporting entities—the registered crypto exchanges—must preserve comprehensive client identification, address, and transaction details for a minimum of five years, or until any investigation involving those records is concluded.
This robust regulatory push underscores India's stance on cryptocurrencies: while not recognizing them as legal tender and taxing them under income tax laws, the government is establishing a rigorous framework to monitor and curb their potential misuse for illicit financial activities.
