KYC and AML Protocols for Indian Crypto Exchanges

The rigid identity verification architecture required of domestic exchanges to comply with the Prevention of Money Laundering Act (PMLA) for digital asset trading.

Published 2026-06-05

Regulatory Mandate for VDA Service Providers

The regulatory landscape governing Virtual Digital Assets (VDAs) in India necessitates stringent adherence to Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. The Ministry of Finance, through an amendment to the Prevention of Money Laundering Act (PMLA), 2002, has officially brought VDAs and services related to them under the purview of AML/CFT (Combating the Financing of Terrorism) regulations. This designates VDA service providers, including cryptocurrency exchanges operating within India, as "reporting entities."

Obligations as Reporting Entities under PMLA

As reporting entities, VDA service providers are mandated to comply with specific directives issued under the PMLA, with oversight by the Financial Intelligence Unit – India (FIU-IND). This compliance framework is critical for maintaining financial integrity and preventing illicit financial activities within the VDA ecosystem.

Registration with FIU-IND

Every VDA service provider operating in India is statutorily required to register with FIU-IND. This registration process involves providing comprehensive details about the entity's operations, beneficial ownership, and compliance mechanisms. Failure to register can lead to significant penalties and regulatory action.

Appointment of a Principal Officer

Reporting entities must designate a Principal Officer who serves as the primary point of contact with FIU-IND. This individual is responsible for ensuring compliance with PMLA obligations, including the submission of various reports, and acting as the liaison for all regulatory communications and inquiries.

Comprehensive Customer Due Diligence (CDD)

VDA exchanges must implement robust CDD procedures for all customers engaging in VDA-related transactions. These procedures are foundational to the KYC framework and aim to identify and verify the identity of customers, assess their risk profiles, and monitor their transactional behavior.

Identification and Verification

At a minimum, CDD involves:

  • Obtaining identity details: Collecting official documents such as Permanent Account Number (PAN), Aadhaar, Passport, or Voter ID.
  • Verification of identity: Cross-referencing submitted documents with reliable and independent sources.
  • Address verification: Confirming the customer's residential or business address.
  • Beneficial ownership identification: For entities, identifying and verifying the natural persons who ultimately own or control the entity.
  • Purpose and nature of relationship: Understanding the economic rationale behind the customer's VDA activities.

These measures are critical for establishing a customer's true identity and mitigating the risks associated with anonymous transactions, a common concern in the VDA space.

Ongoing Due Diligence and Risk Assessment

CDD is not a one-time process. Reporting entities are required to conduct ongoing due diligence, which includes:

  • Regular review of customer information: Updating identity and beneficial ownership records periodically or when significant changes occur.
  • Transaction monitoring: Scrutinizing transactions to ensure they are consistent with the customer's profile and stated business activities.
  • Risk assessment: Categorizing customers based on their risk factors (e.g., geographical location, type of VDA activity, transaction volume) and applying enhanced due diligence (EDD) measures for high-risk customers.

Transaction Monitoring and Reporting Obligations

A cornerstone of AML compliance is the proactive monitoring of transactions and reporting suspicious activities to FIU-IND. This mechanism helps detect and deter money laundering and terrorist financing.

Suspicious Transaction Reports (STRs)

VDA exchanges must file STRs with FIU-IND if they have reasonable grounds to suspect that a transaction or an attempted transaction, regardless of its value, involves proceeds of crime, is intended for terrorist financing, or is otherwise unusual and lacks a clear economic rationale. The reporting of an STR must be done promptly, without prior intimation to the customer involved.

Cash Transaction Reports (CTRs)

While VDAs are inherently digital, reporting entities must also comply with CTR requirements for transactions involving fiat currency if thresholds are met. This ensures a comprehensive view of a customer's financial activities that touch the traditional banking system.

Non-Profit Organisation Transaction Reports (NTRs)

Specific reporting requirements may also apply to transactions related to non-profit organizations if designated thresholds or suspicious indicators are met, addressing potential misuse of such entities for illicit financial flows.

Regulatory Implications for Cross-Border Transactions

For cross-border VDA transactions, the Foreign Exchange Management Act (FEMA), 1999, becomes relevant. While VDAs are not recognized as currency, their treatment under FEMA remains subject to ongoing clarification. However, the underlying fiat remittances associated with VDA transactions, especially for investment or outward remittance purposes, are subject to FEMA guidelines. VDA service providers must ensure that customers adhere to prescribed limits and reporting requirements for foreign exchange transactions facilitated through their platforms.

Data Retention and Confidentiality

Reporting entities are obligated to maintain records of all customer identification data, account files, and business correspondence, as well as records of all transactions, for a period of five years from the date of the transaction or the end of the business relationship. Strict confidentiality protocols must be observed concerning all customer data and reported information.