Introduction
Crypto-based assets continue to keep regulators across the world on their toes. The race to develop effective regulation for the ever-evolving range of crypto- based assets is riddled with roadblocks; the basic challenges being imposing a uniform classification on them within the broader class of digital assets and regulating them both responsibly and effectively.
India has adopted a broad definition to cover crypto-based assets: virtual digital assets (VDAs). VDAs are defined as assets representing a certain value created using encryption or other methods, including unique digital items such as non-fungible tokens (NFTs).
“VDA-related REs will now have to actively, and as a legal obligation, assist the Directorate of Enforcement in its investigations.”
There is currently no specific law in India on the regulation of VDAs. India’s banking regulator – the Reserve Bank of India (RBI), in April 2018, did try to limit the circulation of VDAs in the Indian financial ecosystem. The RBI restrained banks and other entities regulated by the RBI from providing services to entities dealing in VDAs (virtual currencies at that time). The RBI’s direction and power to regulate VDAs were challenged before the Supreme Court, which struck down the RBI’s April 2018 circular as being disproportionate. The Supreme Court, however, upheld the RBI’s power and authority to regulate virtual currencies.
More recently, the Ministry of Finance released a notification in March 2023 under the Prevention of Money Laundering Act, 2002 (PMLA) that introduces reporting obligations on businesses dealing with VDAs (the “March 2023 Notification”).
PMLA Notification – Increasing the Net of Reporting Entities
The PMLA imposes reporting and compliance obligations on “reporting entities” (REs). REs include banks, financial institutions, and entities carrying on designated business activities (identified by the Ministry of Finance). The March 2023 Notification expanded the list of designated businesses – a person or entity carrying on the activities outlined in the table below in the course of business is now an RE under the PMLA regime:
Section No. | Activities designated under the March 2023 Notification | Coverage |
3.00 | Transfer of VDAs | VDA transfer services: provide services to transfer VDAs between individuals or entities, similar to money transfer services |
4.00 | Safekeeping or administration of VDAs or instruments enabling control over VDAs | VDA custodians and wallet providers: offer safekeeping or administration services for VDAs, including digital wallets that enable users to store, manage, and control their VDAs |
5.00 | Participation in and provision of financial services related to an issuer’s offer and sale of a VDA | Financial service providers for VDAs: participate in or provide financial services related to an issuer’s offer and sale of a VDA, such as initial coin offerings, token sales, or other fundraising methods involving VDAs or platforms servicing VDA-based lending and borrowing |
1.00 | Exchange between VDAs and government-issued currencies | Cryptocurrency exchanges: facilitate the buying, selling, or trading of VDAs for fiat currencies (like US dollars or Indian rupees) or other VDAs |
2.00 | Exchange between one or more forms of VDAs | Cryptocurrency exchanges: facilitate the buying, selling, or trading of VDAs for fiat currencies (like US dollars or Indian rupees) or other VDAs |
The business activities added under the ambit of REs are the same activities identified by the Financial Action Task Force under the definition of “Virtual Asset Service Provider” in its recommendations on combating money laundering and terror financing.
Compliance and Reporting Obligations
REs are subject to a significant number of compliance and reporting obligations. These include various requirements under the PMLA which are inter-linked with regulations and directions issued by the RBI. Although crypto-exchanges have usually followed know your customer (KYC) standards and diligence for their customers, the compliance obligations are now a “must-have”, rather than the “good-to-have” they were before. These obligations include the following:
- Maintaining records of transactions: REs are required to maintain a record of specified transactions in such a manner as to enable them to reconstruct each individual transaction. The specified transactions include cash transactions of a value exceeding INR1 million (monthly aggregate), cross-border transfers exceeding INR 500,000 or suspicious transactions irrespective of value.
- Maintaining records of customers: REs have to maintain documents evidencing the identities of their clients and beneficial owners as well as account files and business correspondence relating to their clients.
- Identifying senior employees for compliance purposes: REs have to designate a director and separately appoint a “principal officer” to ensure overall compliance with reporting obligations.
- Verifying customer identity: REs have to follow and implement KYC guidelines to accurately ascertain the identity of their customers and also the “‘beneficial owners.” Identity and beneficial owner verification has to be done not only at the time of commencement of the RE-customer relationship but also when the customer carries out a transaction in excess of INR50,000 or any cross-border money transaction.
- Additional verification of specified transactions: REs have to conduct enhanced due diligence (EDD) prior to the commencement of certain specified transactions, failing which such transactions must be stopped. EDD measures include verifying identity, examining the ownership and financial position as well as the source of funds, and recording the purpose of the transaction.
- Reporting to the Financial Intelligence Unit-India (FIU-I): REs have to furnish necessary information relating to all transactions in the prescribed format to FIU-I on a monthly basis. In addition, REs have to regularly and continuously oversee and report suspicious transactions to FIU-I.
The enforcement authority (an officer empowered under Section 49(1) of the PMLA) can inquire about the status of compliance or conduct audits of the RE’s records. The enforcement authority, if it is of the opinion that an RE is non-compliant, may direct the RE to comply with specific instructions, direct the RE to increase reporting obligations or impose a monetary penalty on the RE. More importantly, VDA-related REs will now have to actively, and as a legal obligation, assist the Directorate of Enforcement (the entity responsible for enforcing economic laws and fighting economic crime in India) in its investigations by providing information and documents.
Conclusion: The Challenges Ahead
Although the above list of obligations is not exhaustive, it clearly reflects the need to implement adequate processes to ensure compliance. For instance, REs need to maintain records of customers and all transactions for a period of five years. This will require an increase in security and storage capacity, and subsequent compliance with privacy and data localisation (RBI requires end-to-end data on transactions to be stored in India) obligations.
Similarly, monitoring all transactions on an exchange to adequately identify suspicious transactions requires advanced system and oversight capabilities. Indian regulators may even consider all VDA transactions as high risk due to their potential anonymity and cross-border aspects. Consequently, even regular day-to-day VDA activities may be seen as potentially suspicious or high-risk transactions requiring constant monitoring and EDD measures. These compliance obligations are onerous and unhelpfully ambiguous.
There has been a disconnect between the enforcement authorities and the industry in the recent past on which activities invite RE compliance obligations. For instance, the FIU-I held that PayPal (a technology interface not handling funds) is an RE under the PMLA and imposed a monetary penalty on PayPal for alleged violations of compliance and reporting obligations. PayPal challenged the FIU-I’s decision before the Delhi High Court. The Court held that PayPal is an RE under the PMLA required to maintain records and furnish information on transactions. The court reasoned that regulatory authorities must be empowered “to view and analyse all aspects of data connected with a particular transaction” in order to effectively fight against money laundering. Following this judgment, a technology interface or system with enables payment between a payer and a beneficiary will be treated as an RE under the PMLA.
The March 2023 Notification substantially increases the cost and compliance burden on exchanges, wallet providers, and other service providers dealing in VDAs. It hits anonymity (a key factor in the popularity of VDAs), and would require consistent, costly, and canonical disclosures of VDA transactions. VDA-related REs will have to build and implement adequate processes and infrastructure akin to banks to not only track and comply with the requirements but go above and beyond to safeguard themselves from the potentially onerous expectations of enforcement authorities.