India brings entire crypto sector under full AML regime with tough KYC and privacy bans
India has effectively folded its entire cryptocurrency ecosystem into the country’s anti-money laundering architecture, placing exchanges and other virtual asset platforms under the same scrutiny as traditional financial institutions.
The Financial Intelligence Unit – India (FIU‑IND), which operates under the Ministry of Finance, has formally designated all virtual digital asset (VDA) service providers as “reporting entities” under the Prevention of Money Laundering Act, 2002 (PMLA). The move follows an official notification issued on March 7, 2023, and is now fully in force.
Under this framework, crypto exchanges, custodial wallet operators, and other related platforms – whether headquartered domestically or abroad – are required to comply with robust anti-money laundering (AML) and counter-terrorist financing (CTF) rules. In practice, this means they must follow similar standards to banks, securities firms, and other regulated financial institutions.
Mandatory registration and legal exposure
Every virtual digital asset service provider that serves Indian users must now register with FIU‑IND to lawfully conduct business in the country. Registration is not a formality: it is the foundation for ongoing supervision, reporting, and enforcement.
Platforms that choose to ignore the requirement face a range of penalties. These include monetary fines and, in serious cases, potential criminal liability for responsible officers. The obligation extends to:
– Centralized cryptocurrency exchanges
– Custodial and hosted wallet providers
– Offshore platforms that offer services or access to users in India
This extraterritorial reach means that foreign exchanges cannot simply claim they are “not based in India” if they actively target or onboard Indian residents.
KYC requirements go far beyond basic onboarding
The updated rules significantly tighten know-your-customer (KYC) and customer due diligence (CDD) procedures for crypto platforms. The aim is to firmly link each account to a verifiable, real-world identity and reduce the space for anonymous or synthetic identities.
Key components of the enhanced KYC framework include:
– Live selfie verification: Platforms must deploy real-time selfie checks to verify that the person opening an account is physically present. These checks are expected to include movement prompts and other techniques to detect deepfakes or static image spoofing.
– Geo-location capture at onboarding: At the time an account is created, exchanges are required to capture and store geo-location metadata such as IP address, date, and time. This information can later be used to detect suspicious access patterns or jurisdictional risks.
– Bank account validation via penny-drop: Bank account details submitted by users must be verified through a small test transfer – the so‑called penny-drop method – to confirm ownership and accuracy.
– Additional government-issued ID: In addition to the Permanent Account Number (PAN), customers must provide another government-issued photo ID, ensuring stronger identity corroboration.
These measures collectively raise the bar for both retail and institutional customers, reducing the possibility of disposable or fraudulent accounts and making it harder to mask beneficial ownership.
Direct ban on privacy tools, mixers, and anonymity-enhancing assets
One of the most consequential aspects of the new framework is the outright prohibition of transactions involving anonymity-enhancing tools.
Exchanges and VDA service providers are forbidden from facilitating:
– Privacy-focused tokens and coins designed to obscure transaction details
– Tumblers and coin-mixing services that scramble transaction trails
– Any other mechanisms or tools that intentionally enhance transactional anonymity
Under the rules, it is not enough for platforms to passively avoid these services; they are expected to actively prevent such activity on their systems. This aligns India with a rising international trend of regulators targeting privacy infrastructure in the digital asset space, citing concerns over illicit finance and sanctions evasion.
Enhanced due diligence for high-risk categories
In addition to baseline KYC, FIU‑IND’s guidelines call for strengthened monitoring and vetting for customers and transactions that present elevated risk.
High-risk categories include:
– Individuals and entities from jurisdictions listed on the Financial Action Task Force (FATF) black or grey lists
– Politically Exposed Persons (PEPs) such as senior government officials or their close relatives and associates
– Non-profit and charitable organizations, which are often treated as higher-risk due to their global flows and sometimes opaque funding sources
For such clients, platforms must perform enhanced due diligence (EDD), which typically involves obtaining additional information on the purpose of the relationship, source of funds, expected transaction patterns, and closer ongoing monitoring.
Long-term record-keeping and mandatory reporting
Under the expanded AML regime, crypto businesses must maintain comprehensive and auditable records:
– Customer identity documents and verification data
– Transaction histories and related metadata
– Logs of account access, including IP addresses and timestamps where required
These records must be retained for at least five years. If an investigation is underway or anticipated, platforms may be compelled to keep them even longer. This retention window allows law enforcement and regulators to reconstruct transaction chains and follow funds over extended periods.
When a transaction or customer behavior appears suspicious – for example, inconsistent with a user’s profile, unusually complex, or lacking clear economic purpose – platforms are required to file Suspicious Transaction Reports (STRs) with FIU‑IND. Failure to report can itself trigger regulatory action.
Enforcement ramp-up and penalties
The Enforcement Directorate (ED), India’s primary agency for enforcing PMLA violations, has been empowered to oversee compliance and penalize breaches in the crypto sector. According to official data, fines amounting to 28 crore rupees have already been imposed during the 2024–25 fiscal year for non-compliance with the new framework.
These penalties signal that authorities intend to treat crypto violations with the same seriousness as infractions in banking, securities, or payment services. For platforms, this elevates compliance from a theoretical requirement to a core operational risk.
What this means for crypto exchanges and platforms
For service providers, the shift to full AML coverage transforms how businesses must operate:
– Compliance as a core function: Exchanges now need dedicated compliance teams, AML officers, and internal audit processes comparable to those in established financial institutions.
– Technology investment: Tools for identity verification, biometric checks, IP and device fingerprinting, sanctions screening, and transaction monitoring become essential.
– Greater operational costs: Implementing and maintaining these systems raises the cost of doing business, particularly for smaller or early‑stage platforms.
– Revised product offerings: Services tied to anonymity or high privacy – such as support for certain privacy coins or blending tools – will likely be discontinued for Indian users.
Platforms that adapt effectively may gain an advantage, as regulators are more likely to tolerate and even support compliant actors while clamping down on grey‑market operators.
Impact on users: less anonymity, more friction
For everyday users, the new rules mean more paperwork and less privacy:
– Onboarding will involve multiple identity documents, live selfie verification, and possibly additional checks in case of flagged risks.
– Users accustomed to using VPNs, privacy coins, or mixers will find that regulated Indian platforms no longer support those options.
– Bank linkages will be closely verified, reducing the ability to use third-party or borrowed accounts.
While this increases friction and reduces anonymity, regulators argue that it brings crypto activity closer to the standards already familiar in banking and securities markets, potentially making digital assets more acceptable for institutional and mainstream adoption.
India’s broader regulatory trajectory
India’s move to bring crypto fully within the PMLA framework fits into a wider global pattern. Many jurisdictions are extending AML and CTF obligations to virtual asset service providers in line with FATF recommendations.
For India specifically, this approach allows authorities to:
– Curb money laundering, terror financing, and tax evasion risks associated with pseudonymous transactions
– Improve visibility into capital flows linked to digital assets
– Build regulatory experience without immediately declaring crypto legal tender or fully endorsing it as a mainstream asset class
By emphasizing compliance and transparency, India is signaling that crypto can operate within its financial system, but only under strict oversight.
Strategic considerations for businesses entering the Indian market
For global exchanges, wallet providers, and fintech startups exploring India, the message is clear: entering the market now requires a regulatory-first strategy.
Key steps include:
– Conducting a detailed assessment of whether their current KYC and AML processes meet Indian requirements
– Implementing geo-fencing or tailored service offerings to ensure offshore operations do not inadvertently violate Indian laws
– Preparing for periodic audits and responding promptly to information requests from FIU‑IND and the Enforcement Directorate
– Educating users about the rationale for stricter checks to mitigate customer frustration and build trust
Companies that proactively align with FIU‑IND expectations may find opportunities to collaborate with banks, payment providers, and institutional investors who prefer dealing with fully regulated platforms.
Long-term outlook: compliance as a competitive edge
Over time, India’s stringent AML regime could reshape the country’s crypto landscape in several ways:
– Consolidation: Smaller or non-compliant players may exit the market, leaving room for a smaller number of highly regulated, better-capitalized platforms.
– Institutional entry: Strong compliance standards may encourage more traditional financial institutions to explore digital asset products, secure in the knowledge that regulatory expectations are clear.
– Innovation in RegTech: Demand for advanced identity verification, analytics, and monitoring tools is likely to spur innovation in regulatory technology tailored to crypto.
For users and companies alike, the direction of travel is unmistakable: crypto in India is moving away from a lightly regulated, speculative space toward one that is more tightly integrated with the formal financial system, where transparency and accountability are non-negotiable.