May 08, 2023

India’s Attempt to Monitor Cryptocurrency Business through AML Regulations

Checkered History of Cryptocurrency in India

Cryptocurrency’s journey in India has been a rocky one, to say the least. India’s financial services regulator, the Reserve Bank of India (“RBI”) has time and again expressed concerns around the potential risks associated with virtual currencies or cryptocurrencies and recommended an absolute ban, warning that it could destabilize India’s monetary and fiscal stability if not prohibited. In April 2018, the RBI issued a directive requiring bank and other regulated entities to refrain from dealing in virtual currencies or providing services that facilitate dealing in virtual currencies (“RBI Directive”). This meant that Indian residents cannot use fiat currency to purchase or sell cryptocurrencies / virtual digital assets. This led to widespread criticism and uncertainty in the cryptocurrency industry, resulting in a writ being filed before the Supreme Court of India (Apex Court) challenging such RBI Directive.

Consequently, the Apex Court set aside the RBI Directive, finding it to be violative of the fundamental right of the cryptocurrency service providers to carry on their business. The Apex Court also called out RBI’s action to be ‘disproportionate’ as RBI had failed to prove any damage suffered by its regulated entities on account of their engagement with cryptocurrency service providers.

Since then, the Indian Government has been making attempts to introduce a legislation to regulate cryptocurrencies, however, nothing has been tabled before the Indian Parliament, till date. In 2022, the Hon’ble Finance Minister of India, Ms. Nirmala Sitharaman, through the Union Budget proposed significant changes to the tax regime with an objective to impose tax on transactions involving cryptocurrencies and even coined them as ‘virtual digital assets’ (“VDAs”). Despite that, the regulatory regime for cryptocurrency in India remains unclear.

Cryptocurrency Business brought under the ambit of PMLA

Given the decentralized framework within which cryptocurrencies / VDAs operate, there have been multiple ways in which regulators around the world are looking to tackle the risk of financial loss and frauds connected with VDAs. Implementation of robust KYC / AML regulations by the VDA service providers is one such approach, which has also been adopted by the Indian Government.

The Ministry of Finance, Government of India has recently issued a notification categorizing entities that enable: (i) exchange between VDAs and fiat currencies; (ii) exchange between one or more forms of VDAs; (iii) transfer of VDAs; (iv) safekeeping or administration of VDAs or instruments enabling control over VDAs; and (v) participation in and provision of financial services related to an issuer’s offer and sale of a VDAs; (collectively, “VDASP/s”), as ‘reporting entities’ for the purposes of the Prevention of Money Laundering Act, 2002 (“PMLA”).

Resultantly, such VDASP entities need to ensure compliance with Chapter IV of the PMLA and the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005 (“PML Rules”), which inter-alia include:

  1. Identity Verification / Client Due Diligence. VDASPs will now statutorily be required to verify the identity of its clients (customers) and their beneficial owners, if any. This will have to be done upon commencement of account-based relationship and while carrying out transactions of INR 50,000 or more and while carrying out any international money transfer transactions.

While certain prominent cryptocurrency exchanges in India adopted a self-regulatory approach and have been voluntarily carrying out KYC checks for their clients, this will now streamline the due diligence process across market participants.

  1. On-Going and Enhanced Due Diligence. VDASPs will be required to exercise ongoing due diligence with respect to their business relationship with every client, including reviewing due diligence measures when there is suspicion of money laundering, terrorist financing or doubts about the identity of their clients. Additionally, VDASPs will also be required to undertake enhanced due diligence prior to commencement of certain specified transactions.
  2. Maintain Records. VDASPs will have to maintain physical copies of updated client identification records, including account files and business correspondence relating to their clients. Additionally, VDASPs will also have to preserve transaction records in a manner which enables statutory authorities to reconstruct individual transactions. These records will have to be maintained for a period of five (5) years.
  1. Appoint a Principal Officer and Designate a Director. VDASPs will have to appoint a principal officer and designate a director, who will be responsible for the VDASP’s overall compliance with the PMLA and PML Rules. Details such as name, designation, contact number, e-mail id and address of the principal officer and designated director will also need to be notified to the Financial Intelligence Unit – India, which is a central national agency set up by the Government of India (“FIU-IND”).
  1. Register with the FIU-IND and Reporting Requirements. VDASPs will need to report details of all transactions, including suspicious transactions with FIU-IND within the timelines prescribed. Reporting requirements are contingent upon VDASPs registering themselves as ‘reporting entities’ with FIU-IND. This registration can be done on the FINGate 2.0 portal of the FIU-IND.

Following the notification issued by the Ministry of Finance, the FIU-IND reached out to various cryptocurrency exchanges (through e-mails) requiring them to register as a ‘reporting entity’. We are given to understand that some of the offshore cryptocurrency exchanges were also approached.

FIU-IND Guidelines for VDASPs

As a part of the outreach to the cryptocurrency industry, the FIU-IND also circulated with the industry players certain AML & CFT Guidelines for VDASPs (“FIU Guidelines”). These FIU Guidelines set out the steps and measures that VDASPs are expected follow to identify and curb money laundering, terrorist financing or proliferation financial activities. Interestingly, some of the provisions of these FIU Guidelines go beyond the scheme of the PMLA. Certain additional obligations contained under the FIU Guidelines, include:

  1. Adoption of Employee Screening Procedures and Trainings. VDASPs will be required to put in place adequate screening procedures when hiring employees. Further, role specific trainings and instruction manuals in respect of client on-boarding, KYC, client due-diligence, sanctions screening, record keeping, and transaction processing will have to be undertaken / provided.
  2. Sanctions Screening. Sanctions screening will need to be conducted both at the time of onboarding as well as at the time of transfer of VDAs. As a part of the screening process, VDASPs will be required to apply directives for implementing United Nations Security Council Resolutions relating to suppression and combatting of terrorism, terrorist financing and proliferation of weapons of mass destruction and its financing, and other related directives (including directives issued under the Unlawful Activities (Prevention) Act 1967 and the Weapons of Mass Destruction and Delivery System (Prohibition of Unlawful Activities) Act, 2005).
  3. Counterparty Due Diligence. VDASPs enabling transfer of VDA held by their client in the wallet hosted by such VDASPs, to a wallet hosted by another VDASP, will be required to carry out counterparty due diligence of such other VDASP before transmitting any information to such counterparty VDASP.
  4. Travel Rule. The FIU Guidelines state that all transactions related to transfer / exchange of VDAs will be considered as wire transfers and VDASPs will be required to include accurate originator and beneficiary information, on wire transfers and related messages. In this regard, the originator and beneficiary VDASPs will be required to obtain and hold accurate originator and beneficiary information (including, originator PAN, name, account number and address and beneficiary name and account number).

Given the nature of information that VDASPs are required to obtain and hold, one will need to see how such VDASPs adhere to this requirement. Clarity may be required on whether the FIU-IND expects VDASPs to enter into contractual arrangements with counterparty VDASPs for obtaining the information.

  1. Restriction on Tip-off. VDASPs, including their directors, officers and employees, must not disclose / tip-off to their client that a suspicious transaction report or related information is being reported to the FIU-IND.


Bringing VDASPs within the ambit of PMLA is undoubtedly a progressive move, indicating the Indian Government’s intention to regulate rather than outright ban VDA / crypto businesses. While this move to recognize the cryptocurrency industry as reporting entities has largely been welcomed by the industry, it will be interesting to see how the FIU-IND will monitor compliance of the PMLA and the PML Rules, including the FIU Guidelines, by the VDASPs, especially, by the VDA exchanges / service providers, which have no formal presence in India but continue to offer services to Indian users.

India’s presidency at the G20 is being seen as a unique opportunity to shape discussions surrounding the cryptocurrency regulations. Recently, the Hon’ble Finance Minister, Ms. Nirmala Sitharaman stated that regulation of cryptocurrency will need global coordination. She also stated that there is consensus amongst all member countries to align regulatory approaches to establish a coherent, well-coordinated and predictable regulatory environment for the cryptocurrency industry. This will not only mitigate risks associated with VDAs such as money laundering and terrorist financing, but also promote innovation and competition in the space.





These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.