Virtual Digital Assets & Service Providers - AML/CFT Obligation

By

 

KYC Obligation-Revision Jan 2026


In legal parlance, crypto currency is called Virtual Digital Asset (VDA) and the exchanges that trade them are called VDA Service Providers (VDA SPs).


The Financial Intelligence Unit,(FIU-Ind) operating under the Ministry of Finance, Govt of India has classified all virtual digital asset service providers as “reporting entities” under the Prevention of Money Laundering Act, 2002. The designation took effect following a notification issued on March 7, 2023.

Crypto exchanges, wallet providers, and related platforms, whether based in India or offshore, are now subject to the same compliance standards as banks and other regulated financial institutions, according to the new framework.

All virtual digital asset service providers must register with FIU-IND to legally operate in the country. Platforms that fail to register face enforcement action, including financial penalties and potential criminal liability. The rules apply to centralized exchanges, custodial wallet providers, and offshore platforms offering services to Indian users.

New rules by the Financial Intelligence Unit (FIU), updated Jan. 8, 2026 require exchanges to verify users with a live selfie that shows them blinking to prove liveliness and authenticity, alongside precise logging of their geographical coordinates, date, time, and IP address.

Beyond the mandatory Permanent Account Number (PAN), exchanges are required to collect additional documents, such as a passport, driver's license, Aadhaar card (a local term for central government-issued ID), or voter ID, along with mobile numbers and email addresses, which are confirmed via one-time passwords (OTPs).

Exchanges are required to implement live selfie verification designed to confirm physical presence and detect deepfakes through movement-based checks. Platforms must also capture geo-location data at account creation, including IP address, date, and time. Bank account verification is mandatory through a “penny-drop” process, while users must submit an additional government-issued photo identification alongside their Permanent Account Number.

 

User's bank ownership is authenticated through the "penny-drop" method, which involves a small refundable 1 rupee (INR) charge, while high-risk clients, or those linked to tax havens, FATF-linked jurisdictions or potentially exposed persons or non-profit organizations, face enhanced due diligence checks every six months.

Exchanges can't support initial coin offerings (ICOs), which are token sales like mini-IPOs, and are barred from using tools like tumblers/mixers that hide transaction trails to make crypto untraceable. All platforms must register with the FIU, report suspicious trades, and keep user data for five years.

The guidelines state that ICOs and initial token offerings (ITOs) lack a justified economic rationale and pose "heightened and complex" risks of money laundering and terrorist financing.

 

India’s FIU-IND now treats all virtual asset providers as reporting entities under PMLA, mandating strict KYC, record-keeping and a ban on privacy tools and mixers. Transactions involving anonymity-enhancing tools, including privacy tokens, tumblers, or mixers, are prohibited under the new rules. Exchanges are barred from facilitating such activity. The rules also  mandate enhanced due diligence for high-risk clients, including individuals from jurisdictions on Financial Action Task Force black or grey lists, Politically Exposed Persons, and non-profit organizations.

 

India maintains a cautious stance on cryptocurrencies, defining them as virtual digital assets (VDAs) under the Income Tax Act, 1961. Indian citizens can buy and sell these VDAs via FUI-registered platforms, but cannot use them as legal tender or currency to make payments for goods and services.

Crypto platforms must retain customer identity and transaction records for at least five years, or longer if an investigation is ongoing. Suspicious Transaction Reports must be submitted to FIU-IND when required, according to the regulations.

 

The Enforcement Directorate holds enforcement authority and has imposed fines totaling 28 crore rupees during the 2024-25 fiscal year for non-compliance, according to official data.

 These guidelines transition the VDA sector into a supervised financial activity, aligning India with global Financial Action Task Force (FATF) standards.

National Security: By banning AECs and mixers, the state prevents the creation of a “dark financial system” used for terror financing or weapons of mass destruction.

Investor Protection: Mandatory registration and liveness detection significantly reduce the risk of “rug-pulls” and identity theft in the Indian crypto market.

Compliance Culture: The shift toward automated transaction monitoring and the “Travel Rule” ensures that Indian VDA SPs are interoperable with global regulated markets

Unlike many countries where more than one government agency handles and supervises crypto currency exchanges, India has designated its FIU (under the Union finance ministry) as the single-point authority for registering and monitoring VDA SPs against money laundering and terrorist financing risks.


Red Flags @ CDD/Transaction Monitoring


The FATF has published red flags for VASPs in September 2020

Customer and Identity-Related Red Flags

Incomplete or Inconsistent KYC: Providing false, incomplete, or inconsistent identification documents or details during the Know Your Customer (KYC) process.

Unusual Behavior: Customers being uncooperative when asked for identity verification or additional information regarding the source of funds.

Unverifiable Source of Funds/Wealth: The customer has significant wealth or conducts large transactions with no apparent legitimate income source that aligns with their profile.

Complex Structures: Using complex corporate structures or multiple layers of ownership to obscure the true beneficial owner.

Politically Exposed Persons (PEPs): High-value transactions involving PEPs or their relatives without a clear and legitimate source of funds require enhanced scrutiny. 

Customer Behavior and Profile

Incomplete or Forged Information: Providing insufficient KYC (Know Your Customer) information, using forged identification documents, or being reluctant to provide source-of-funds information.

Inconsistent Profile: A customer's activity (e.g., large-value transactions) is inconsistent with their stated occupation, age, or financial profile.

Multiple Accounts/IPs: Creating multiple accounts under different names or accessing accounts from a wide range of unrelated or high-risk IP addresses (e.g., using VPNs/TOR frequently).

Lack of VA Knowledge: Senders or recipients who appear unfamiliar with virtual asset technology but are conducting large or frequent transactions may be acting as "money mules". 

 

Transaction-Related Red Flags

Unusual Transaction Patterns: Transactions that do not align with the customer's typical activity, size, or frequency (e.g., an account with minimal history suddenly receiving or sending large sums).

Large and/or Frequent Transfers: Making large or frequent transactions, especially to individuals or firms not normally associated with the customer's business, or which do not make economic sense.

Structuring Transactions: Breaking down large amounts into smaller transactions to evade reporting thresholds.

Rapid Movement of Funds: Immediately withdrawing funds (converting VDA to INR or another VDA) after being deposited, unless there's a legitimate business reason.

Transactions with Unrelated Parties: Frequent transactions with unrelated third parties without a justifiable explanation. 

Transaction Patterns

Unusual Size or Frequency: A series of high-value transactions in a short period (e.g., within 24 hours), or transactions structured to fall just below reporting thresholds.

Lack of Logical Purpose: Transactions that do not make economic sense or are inconsistent with the customer's stated profile or business activities.

Immediate Withdrawal: Large deposits that are immediately traded or withdrawn from the platform, which may suggest "layering" activities to obscure the source of funds.

Complex Routing: Unnecessary routing of funds through multiple VAs, accounts, or service providers.

Exchanging at a Loss: Converting VAs to fiat currency (or other VAs) at a significant financial loss or regardless of high fees, which indicates a priority to move funds quickly over preserving value. 

 

Technical and Geographical Red Flags

Anonymity Tools: Transactions involving Anonymity Enhancing Crypto Tokens (AECs), "mixers," or "tumblers" are strictly prohibited as they are considered high-risk by FIU-India.

High-Risk Jurisdictions: Transactions involving countries with weak Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) regulations or those known for criminal activity or sanctions.

Unusual IP Addresses: Accessing the platform or conducting transactions from IP addresses in high-risk countries or multiple different IP addresses that don't match the customer's stated location.

Unhosted Wallets: Transactions to or from unhosted (self-hosted) wallets require Enhanced Due Diligence (EDD). 

VDA SPs in India are required to monitor for these indicators and file a Suspicious Transaction Report (STR) with the Financial Intelligence Unit-India (FIU-IND) within seven days if suspicion persists after investigation

 

Geographical Risks

High-Risk Jurisdictions: Transactions involving VDA SPs or individuals in countries with weak or non-existent Anti-Money Laundering and Counter-Terrorist Financing (AML/CFT) regulations, or those subject to sanctions.

Inconsistent Locations: IP addresses or registration information that frequently changes or does not align with the customer's declared location. 

VDA SPs are expected to implement robust AML/CFT measures, including customer due diligence (CDD) and ongoing transaction monitoring, to detect these indicators and file suspicious transaction reports (STRs) with their local Financial Intelligence Unit (FIU) when necessary. 

Anonymity-Enhancing Features

Use of Mixers/Tumblers: Engaging with services designed to obscure the flow of funds by mixing them with others.

Privacy Coins: Exchanging traceable VAs (like Bitcoin) for "anonymity-enhanced cryptocurrencies" (AECs or privacy coins) to further hide the trail.

Dark Web/Illegal Links: Transactions linked to known illegal activities, darknet markets, or questionable gambling sites. 


The above is just illustrative and put up for the uninitiated. As technologies evolves new ways of obscuring transaction trials/CDD may emerge and one has to move with the tide.



Those who read this, also read:




1. Virtual Digital Assets & Service Providers 

2. Obligations of RE under sec 12  PMLA 2002

Formerly Faculty for Finance & Associate Dean, IBS-Kochi MBA (Banking & Finance – CUSAT);CFA. Accredited Management Teacher from CME of AIMA, Delhi has been in Management Education from 1988. Exposure is in the field of Mutual Funds, Market Research, Project Report preparation & evaluation, Advertising & NGO Activities. This Chief Manager, UTI Asset Management Co Pvt. Ltd(1992-2003), Mumbai. Undergone training in Case Study method of teaching under Mr. Trevor Williams and Mr. Scott M Andrews conducted by the ECCH, UK . Published Books & Book Review, Series of academic articles and maintains a column on MFs under "Fund scan" in Business Manorama since January 2007,Contributes "Portfolio Doctor" column for 'Sampadyam' a wealth mgt publication in Malayalam from manorama group since February 2007, Listed her case studies at asiacase.com.Presented papers in national & international conferences on Mutual Funds. Faculty Member @ ASIET, Kalady from 2010 to June 2019. Dean @ SNGIST, N Paravur, Ernakulam from Sep 2019 -Jan 2021, I continue my efforts to spread the knowledge in area of Finance and contribute to Management Education

Comments

Post a Comment

Popular posts from this blog

National Risk Assessment (NRA): India

By
  India's National Risk Assessment (NRA) is  an ongoing exercise to identify sectors that are vulnerable to money laundering and terrorist financing (ML/TF) .  The NRA is based on recommendations from the Financial Action Task Force (FATF) and helps inform policy-making, resource allocation, and the implementation of effective AML/CFT measures. The NRA also ensures that national strategies address both domestic and international threats. The NRA provides a foundation for informed policy-making, resource allocation, and the implementation of effective AML/CFT measures . It ensures that national strategies are aligned with the specific risk landscape of the country and that they address both domestic and international threats. The subject matter of NRA  was discussed in the Anti-Money Laundering Steering Committee (AMLSC) set up with the approval of Finance Minister, and it was decided to conduct the NRA following the World Bank methodology. The Methodology requi...
Read more

Customer Due Diligence(CDD) : Individuals

By
Image
This post is based on RBI Master Circular dated Feb 25, 2016 updated on Jan 04, 2024  Part I - Customer Due Diligence (CDD) Procedure in case of Individuals For undertaking CDD, REs shall obtain the following from an individual while establishing an account-based relationship or while dealing with the individual who is a beneficial owner, authorised signatory or the power of attorney holder related to any legal entity: (a)     the Aadhaar number where,   (i) He is desirous of receiving any benefit or subsidy under any scheme notified under section 7 of the Aadhaar (Targeted Delivery of Financial and Other subsidies, Benefits and Services) Act, 2016 (18 of 2016); or (ii) He decides to submit his Aadhaar number voluntarily to a bank or any RE notified under first proviso to sub-section (1) of section 11A of the PML Act; or (aa) the proof of possession of Aadhaar number where offline verification can be carried out; or (ab) the proof of possession of Aa...
Read more

Periodic Updation of Customer Risk Profile

By
1. Preparation of Customer Profile from KYC Data In the initial years of KYC, RBI has been following a handholding approach as can be seen from their circular dated July 2009 and that of Feb 25, 2016 as updated on Jan 04, 2024. RBI requires REs to conduct risk profiling and risk categorization and periodic updation.  Extracts from RBI MD dated July 01, 2009 under Customer Acceptance Policy a)ii) Parameters of risk perception are clearly defined in terms of the nature of business activity , location of customer  and his clients, mode of payments, volume of turnover, social and financial status etc. to enable categorisation of customers into low, medium and high risk (banks may choose any suitable nomenclature viz. level I, level II and level III). Customers requiring very high level of monitoring, e.g. Politically Exposed Persons (PEPs) may, if considered necessary, be categorised even higher; b). Banks should prepare a profile for each new customer based on risk categorisatio...
Read more