A dissection of the government notification imposing KYC/AML/CFT obligations on crypto-businesses in India.

Roughly 7% Indians own crypto-assets (aka Virtual Digital Assets). Yet, until recently, India did not have regulatory tools to identify crypto-owners or monitor their transactions. Earlier this month, the Ministry of Finance (MoF) changed this. It issued a notification which brought entities dealing in 'Virtual Digital Assets' (VDA), under the purview of India's money laundering legislation – the Prevention of Money Laundering Act 2002 (PMLA). With this change, crypto-businesses are subject to an entirely new compliance universe

The notification is straightforward. It lists five crypto-related activities that make businesses a 'reporting entity' under the PMLA:

  1. exchanging VDAs and fiat money (like buying bitcoin with INR);
  2. exchange between different VDAs (like trading bitcoins for dogecoins);
  3. transfer of VDAs (like buying pizza with bitcoins);
  4. safekeeping or administration of VDAs or instruments enabling control over VDAs (like crypto-wallet service providers); and
  5. participation in and provision of financial services related to an issuer's offer and sale of VDAs (like fiat on-ramp service providers).

Businesses classified as 'reporting entities' must comply with obligations enlisted in the PMLA. A few of these are:

  1. verifying customer identity – crypto-businesses will have to conduct user KYC, like a bank would when opening an account;
  2. undertaking enhanced due diligence – a crypto-business must have systems in place to detect suspicious transactions or activities that need closer scrutiny. It must then undertake 'enhanced diligence' like asking for additional KYC details or source of funds. It must also be able to identify, monitor and report suspicious transactions or transactions involving proceeds of crime;
  3. maintaining records – crypto-businesses will have to store transaction records and identity records of its customers for a period of five years; and
  4. disclosing information – crypto-businesses will have to furnish information as and when required by relevant authorities.

Undoubtedly, these obligations will increase the compliance burden for crypto-businesses. A lot of work must be done to build a compliance architecture which meets the PMLA's standards. It can't be done overnight. Yet, crypto businesses are offered no buffer time to adapt to the new compliance environment. This may not affect established crypto-exchanges which voluntarily implemented KYC/AML processes (as a good practice). But those that did not, are scrambling. Crypto-businesses that voluntarily implemented KYC/AML measures before the MoF notification faced significant trade-offs. It increased their compliance burden, hindered customer acquisition, and reduced their overall competitiveness against those who did not implement these 'good to have' measures. By making this a mandatory requirement, the notification reduces the negative impacts of voluntarily implementing these measures.

Curiously, law enforcement agencies were already (in some ways) viewing crypto-businesses (especially crypto-exchanges) as 'reporting entities' even before the MoF notification. For instance, the Enforcement Directorate's (ED) press release for its WazirX investigation suggests that it scrutinized WazirX's KYC and AML practices as if it was a reporting entity. By bringing crypto-businesses under PMLA, the government has given more teeth to law enforcement agencies.

But enforcing these obligations might still be challenging. Crypto-businesses can be centralized or decentralized. Enforcing KYC/AML obligations on centralized models is simple. For example, for a centralized crypto-exchange (like CoinDCX) – it's clear that the responsibility for implementing the KYC/AML checks is on the corporate entity. And those in charge of the company's conduct are responsible for the contraventions made by the company. But it's challenging to enforce such requirements on decentralized models. For example, in case of a decentralized crypto-exchange – no single person or corporate entity is responsible for running the applications. And so, even if we assume that they fall within the ambit of the notification and must implement KYC/AML checks, it's unclear who is ultimately responsible for contraventions. With decentralized crypto-models playing an increasing role in money laundering activities, the Financial Action Task Force suggests that (on a case-to-case basis), it is possible to identify the creator, owner, operator or individuals with significant influence on such decentralized crypto-models and hold them responsible for implementing the KYC/AML measures. Taking such positions is bound to open a pandora's box. And they certainly cannot be taken without framing a comprehensive law to regulate VDAs.

The PMLA notification follows the government's piecemeal approach to regulating VDAs, as seen before with the advertising guidelines or the taxation rules. And even this time, the government has carefully bypassed granting explicit legitimacy to VDAs or identifying a regulator to overlook this industry. So, while bringing VDAs under the money laundering laws is a step in the right direction, we need to do a lot more. It is time to have a comprehensive law in place regulating VDAs in India.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.