Charting The Course – Essential Considerations For Indian Crypto Startups Amidst Evolving Regulations

Prefatory Note

If you are a startup venturing into the cryptocurrency space in India, you have embarked on an exciting journey that demands both strategic acumen and attention to regulatory detail. This article will guide you through the intricate maze of legal and commercial considerations essential for navigating the crypto industry.

Cryptocurrencies have captivated global imagination, transforming from a niche technological curiosity to a mainstream financial phenomenon. In India, this transformation has been nothing short of a rollercoaster ride. From the initial excitement of Bitcoin's arrival to the regulatory upheavals and the subsequent revival, the Indian crypto landscape continues to be shaped by resilience and innovation. As a startup in this ecosystem, understanding the regulatory framework, compliance requirements, and operational challenges is not just advisable; it is imperative.

This article will touch upon the significant regulatory milestones, the commercial implications of these regulations, and the strategic moves that can position your startup at the forefront of the Indian crypto revolution. Whether you are running a crypto exchange, developing blockchain applications, or exploring the possibilities of decentralized finance (DeFi), this article aims to serve as a roadmap, guiding you through the legal intricacies and commercial strategies vital for success.

I. Legal Status of Cryptocurrencies in India

Significant regulatory developments and judicial pronouncements have shaped the legal status of cryptocurrencies in India. Understanding this legal framework is crucial for startups navigating the crypto landscape in the country. This section provides a comprehensive overview of the evolving legal status, key regulations, and their implications for crypto businesses.

Regulatory Evolution: From RBI's Ban to Taxation Framework

In April 2018, the Reserve Bank of India ('RBI') issued a circular effectively banning banks and financial institutions from dealing in or providing services related to cryptocurrencies. This circular directed entities regulated by the RBI to cease offering services to individuals or businesses dealing in virtual currencies, including maintaining accounts, registrations, facilitating trading, settling transactions, clearing payments, or providing loans against virtual tokens. The RBI cited concerns over consumer protection, market integrity, and the potential misuse of cryptocurrencies for illicit activities such as money laundering and terrorist financing¹.

However, the cryptocurrency community in India challenged this directive, leading to a landmark Supreme Court judgment. In March 2020, the Supreme Court of India struck down the RBI circular², ruling that the ban was disproportionate and violated the fundamental right to carry on any occupation, trade, or business under a. 19(1)(g) of the Constitution of India. This judgment was a significant victory for the crypto industry, reinstating the legality of trading and dealing in cryptocurrencies.

In the wake of the Supreme Court ruling, the Indian government sought to establish a comprehensive regulatory framework for cryptocurrencies. The Cryptocurrency and Regulation of Official Digital Currency Bill, 2021 ('Crypto Bill 2021'), was introduced to provide clarity on the legal status of cryptocurrencies. Although the bill was not introduced in Parliament, it aimed to create a legal framework for the issuance and regulation of an official digital currency while banning private cryptocurrencies. However, this bill also proposed certain exceptions to promote the underlying technology of cryptocurrency and its potential applications.

Regulatory Clarifications and Compliance (2022-2025)

CERT-In Guidelines: On 28.04.2022, the Indian Computer Emergency Response Team ('CERT-In'), under the Ministry of Electronics and Information Technology ('MeitY'), issued Directions under s. 70B(6) of the Information Technology Act, 2000. These Directions relate to information security practices, procedures, prevention, response, and reporting of cyber incidents to ensure a safe and trusted internet. The guidelines mandate that service providers, intermediaries, data centres, corporate bodies, and government organizations must report all cybersecurity incidents to CERT-In within six hours of becoming aware of such incidents. This directive impacts the blockchain, Virtual Digital Asset ('VDA'), and Web3 industry, requiring any attacks or suspicious activities affecting systems, servers, networks, software, or applications related to blockchain, virtual assets, virtual asset exchanges, and custodian wallets to be reported. Additionally, all virtual asset service providers, virtual asset exchange providers, and custodian wallet providers must maintain all information obtained through know your customer ('KYC') procedures and records of financial transactions for five years.

Reporting under PMLA: In March 2023, the Indian government declared that entities dealing in VDAs, including crypto exchanges and related intermediaries, would be considered 'reporting entities' under the Prevention of Money Laundering Act, 2002 ('PMLA')³. This classification imposed stringent KYC, Anti-Money Laundering ('AML') and Counter Financing of Terrorism (CFT) requirements on these entities. Compliance with PMLA meant that crypto businesses had to:

• Register with FIU-IND: Entities were required to register with the Financial Intelligence Unit-India ('FIU-IND') and report suspicious transactions.
• Enhanced Due Diligence: Crypto businesses were required to implement robust Know Your Customer (KYC) and due diligence processes to verify the identities of their users.
• Record Keeping: Entities were required to maintain detailed records of transactions and user identities for a specified period.

Thus, by the end of 2023, significant compliance efforts had been undertaken, with 28 VDA entities, including major exchanges like CoinDCX, WazirX, CoinSwitch, and Zebpay, completing their registration with FIU-IND⁴.

In June 2024, FIU-IND imposed⁵ a penalty of Rs. 18.82 crore on Binance, a VDA service provider and a reporting entity under the PMLA, for non-compliance with s. 12(1) of the PMLA, read with r. 3(1)(D), 7(1), 7(3), and 8(2) of the PML (Maintenance of Records) Rules, 2005. Further, in December 2023, the Finance Ministry issued show cause notices (SCNs) to nine offshore crypto platforms for non-compliance with the PMLA. Concurrently, the MeitY blocked access to these platforms' URLs and mobile apps, including major exchanges like Binance and KuCoin. Such enforcement actions demonstrate the Indian government's strict approach to regulatory compliance in order to protect Indian investors from unregulated offshore exchanges.

RBI on Macro-Financial Risks: On 28.06.2023, the RBI discussed the risks linked to VDAs in Ch. III: Regulatory Initiatives in the Financial Sector of its Financial Stability Report⁶. The RBI highlighted several risks, including consumer protection, investor safety, market integrity, financial stability, and unique challenges faced by Emerging Markets and Developing Economies ('EMDEs') such as monetary sovereignty and 'cryptoisation'. To mitigate these risks, the RBI suggested three main policy approaches: prohibition, containment, and regulation. It stressed the importance of a globally coordinated effort to evaluate these risks, especially macroeconomic challenges like loss of monetary control and local currency volatility, which disproportionately affect EMDEs compared to advanced economies.

Central Bank Digital Currency (CBDC): The RBI has long supported the creation of India's CBDC, known as the e-Rupee. This vision came to fruition with the launch of the Rupee CBDC pilot program, backed by an enabling legal framework through amendments to the RBI Act, 1934, which broadened the definition of 'bank note' to include digital forms issued by the RBI. Currently, 10 banks are participating in the wholesale CBDC pilot, and 13 banks are part of the retail pilot. Both initiatives have shown promising results, testing various technical architectures, design choices, and use cases. As of 30.06.2023, the retail pilot had over 1 million users and more than 2,62,000 merchants, demonstrating its potential to drive innovation and efficiency in India's financial sector.

Global Cooperation and G20 Presidency: During its G20 presidency, India advocated for global cooperation in regulating cryptocurrencies. The IMF-FSB synthesis paper⁷, presented during the summit, emphasized the need for comprehensive regulatory and supervisory oversight of crypto-assets instead of a blanket ban. This global initiative is aimed at fostering a unified regulatory approach to mitigate macroeconomic and financial stability risks associated with cryptocurrencies.

Current Status and Ongoing Challenges

As of 2024, the legal status of cryptocurrencies in India remained in a transitional phase, characterized by cautious recognition coupled with stringent regulatory measures. While trading, holding, and investing in cryptocurrencies are permitted, their use as legal tender is prohibited. The regulatory framework primarily focuses on taxation and AML compliance, presenting both challenges and opportunities for crypto startups. Key ongoing challenges include:

• Regulatory Ambiguity: Despite significant regulatory advancements, certain aspects of cryptocurrency regulation remain ambiguous, particularly concerning the future legislative stance of the Crypto Bill 2021.
• Banking Relations: Securing banking partnerships remains a challenge due to the cautious approach of traditional financial institutions towards cryptocurrencies.
• Consumer Protection: Ensuring consumer protection and addressing fraud, security risks, and money laundering concerns are critical for maintaining market integrity and investor confidence.

Thus, the current legal status of cryptocurrencies in India is evolving, with increasing clarity emerging amidst a complex legal and commercial environment. For startups, understanding this regulatory framework is crucial for strategic planning and compliance. The Indian cryptocurrency sector is at a crossroads, balancing innovation with stability and security in the financial ecosystem. As regulations continue to develop, startups and businesses must navigate a complex web of laws and guidelines that govern their operations. From stringent KYC and AML requirements to the intricate tax obligations on digital assets, compliance is not just a legal necessity but also a strategic imperative for sustaining growth and building trust in a rapidly changing market. Understanding these regulatory dimensions is crucial for any crypto venture aiming to operate successfully in India's dynamic digital economy.

II. Reporting Requirements

The PMLA serves as the core legislation governing KYC and AML requirements in India. Recognizing the evolving landscape of financial transactions and the growing significance of VDAs, the Indian government, in March 2023, broadened the scope of the PMLA to include entities dealing in VDAs. This regulatory expansion imposes stringent KYC and AML obligations on businesses operating within the cryptocurrency domain, ensuring that they adhere to rigorous standards aimed at preventing money laundering and terrorist financing activities. Some of the key obligations are:

• Registration with FIU-IND: Crypto exchanges and VDA entities are mandated to register with the FIU-IND. This registration is not merely a procedural formality but a fundamental requirement for legal operation under the PMLA framework. As mentioned above, the end of 2023 witnessed 28 VDA entities, including prominent exchanges, successfully completing their registrations, which signifies a crucial step towards ensuring regulatory compliance and fostering a secure trading environment for cryptocurrencies.
• Customer Identification and Verification: Entities must establish robust KYC procedures to accurately verify the identities of their customers. This process involves the collection and verification of personal information, including name, address, date of birth, and government-issued identification. For high-risk customers, such as politically exposed persons (PEPs) and entities from high-risk jurisdictions, enhanced due diligence measures are required. These measures include obtaining additional information, conducting more frequent reviews of their transactions and activities, and applying stricter scrutiny to mitigate risks associated with high-risk customers and to ensure that the business is not inadvertently facilitating illicit activities.
• Ongoing Monitoring: Continuous monitoring of customer transactions is essential to detect and report any suspicious activities promptly. This requires the implementation of automated systems designed to flag unusual patterns that may indicate money laundering or other illicit activities. Regular updating of customer information and reassessment of risk profiles are also critical components of ongoing monitoring. These practices ensure that entities remain vigilant and responsive to potential threats and changes in customer behaviour.
• Record Keeping: Maintaining comprehensive records of all transactions and customer identities for a minimum of five years is a mandatory requirement under the PMLA. These records must include details such as the nature and amount of the transaction, the parties involved, and the dates of execution. Proper record-keeping ensures that necessary information is readily available for audit and investigations by regulatory authorities, thereby enhancing transparency and accountability in the cryptocurrency market.
• Reporting Obligations: Entities are required to promptly report any suspicious transactions to FIU-IND, including transactions that appear to be connected with money laundering or terrorist financing. Additionally, entities must file regular reports on cash transactions, cross-border wire transfers, and other specified transactions, as mandated by the PMLA. Adhering to these reporting obligations is crucial for maintaining regulatory compliance and contributing to the broader efforts of combating financial crimes.

Implementing effective KYC/AML systems can be resource-intensive, necessitating the deployment of sophisticated technology and the training of personnel to handle complex compliance requirements. The dynamic nature of regulatory landscapes further adds to the complexity. To address these challenges, businesses must adopt best practices, which include utilising automated KYC solutions that streamline the verification process and reduce the risk of human error. Conducting regular AML training for employees ensures that they remain updated on regulatory requirements and industry best practices. Additionally, staying informed about regulatory changes and technological advancements is essential for maintaining robust compliance systems. Engaging with regulatory bodies and participating in industry forums can also provide valuable insights and facilitate better compliance.

Thus, adhering to KYC and AML requirements is not only a legal obligation but also a strategic imperative for cryptocurrency businesses in India. By implementing rigorous compliance measures and fostering a culture of vigilance and transparency, crypto startups can build trust with both customers and regulators, thereby ensuring sustainable growth in the rapidly evolving digital asset market.

III. Taxation of Cryptocurrencies

The Finance Act 2022 marked a significant shift in India's regulatory approach to cryptocurrencies by introducing a formal definition and taxation framework for VDAs, which include cryptocurrencies and non-fungible tokens ('NFTs'). The key provisions include:

• Definition of VDAs: The law formally defined VDAs, bringing them within the ambit of taxation and regulation⁸.
• Taxation of VDAs: A flat 30% tax on income from the transfer of VDAs was introduced, along with a 1% Tax Deducted at Source ('TDS') on payments for VDA transfers exceeding Rs. 10,000 per year. This TDS became applicable from 01.07.2022⁹.
• No Deductions for Losses: No deductions for expenses (other than the cost of acquisition) or set-off of losses were permitted for VDA transactions¹⁰.

These measures were perceived as an acknowledgement of the crypto industry while simultaneously imposing strict tax compliance requirements. However, the introduction of a 30% tax and 1% TDS led to a significant decline in trading volumes on domestic exchanges, with many users shifting to offshore platforms¹¹.

Thus, the Finance Act 2022 stipulates that income generated from the transfer of VDAs is subject to a flat 30% tax rate, applicable uniformly to all gains, regardless of whether they are short-term or long-term. Notably, the legislation does not permit any deductions for expenses incurred during transactions, except for the cost of acquiring the VDA. This means that all other associated costs, such as transaction fees or administrative expenses, cannot be subtracted from the taxable income. This provision aims to streamline the taxation process and eliminate any ambiguities regarding deductible expenses.

In her Budget speech for 2025, the Union Finance Minister proposed an amendment to the Income-tax Act, 1961 ('Act') requiring prescribed reporting entities dealing in crypto assets to submit transaction details in a prescribed statement. The amendment also aims to align the definition of VDAs accordingly¹². This proposal comes in light of India's inclusion in the list of 52 'Relevant' jurisdictions under the Crypto-Asset Reporting Framework (CARF), which mandates the automatic exchange of tax-relevant information (AEOI) on crypto-assets¹³.

The Income-tax Appellate Tribunal (ITAT) in Raunaq Prakash Jain v. ITO¹⁴ held that gains from the sale of cryptocurrency (Bitcoin) prior to the assessment year ('AY') 2022-23 are taxable as capital gains rather than as income from other sources under s. 2(47) of the Act. The Tribunal clarified that although s. 2(47A), which defines VDAs, was introduced prospectively through the Finance Act 2022, s. 45(1) of the Act affirms that gains from the transfer of capital assets are taxable as capital gains. Thus, it was observed that since cryptocurrency was later recognized as an asset under the statute, it implies that it was already an asset even before this amendment.

In addition to the flat 30% income tax, the Finance Act 2022 introduced a 1% TDS on payments for the transfer of VDAs exceeding Rs. 10,000 in a financial year. The TDS provision, which applies to both resident and non-resident entities, came into effect on 01.07.2022, whereby the tax is deducted at the time of payment or credit, whichever occurs earlier. The objective is to enhance tax compliance and ensure that the government receives a portion of the transaction value upfront, thus improving tax collection efficiency.

The applicability of Goods and Services Tax ('GST') to cryptocurrency transactions is currently under review by Indian tax authorities. Although definitive regulations have not yet been established, businesses dealing with VDAs should be prepared for potential GST obligations. If VDAs are classified as goods or services under GST law, they may attract tax. Startups must prepare for this eventuality. Therefore, it is essential for businesses to maintain accurate and detailed records of all VDA transactions to ensure compliance with GST reporting requirements once the regulations are clarified.

Thus, the introduction of a comprehensive tax regime for cryptocurrencies through the Finance Act 2022 represents a significant step towards integrating VDAs into India's formal financial system. By imposing a flat 30% income tax, 1% TDS, and potential GST obligations, the government aims to ensure that income from cryptocurrency transactions is adequately taxed and regulated. Compliance with these tax provisions is essential for businesses to operate legally and sustainably. Through proper record-keeping, timely tax payments, and professional guidance, crypto startups can navigate the regulatory complexities and contribute to a transparent and accountable cryptocurrency ecosystem in India.

IV. Data Protection and Privacy Compliance Requirements

The Digital Personal Data Protection Act, 2023 ('DPDP Act'), enacted on 11.08.2023, aligns Indian data protection norms with global standards, particularly inspired by the European Union's General Data Protection Regulation (GDPR). The DPDP Act aims to protect individuals' digital personal data while allowing businesses to process such data for lawful purposes. For blockchain and cryptocurrency startups, understanding and complying with this Act is crucial for maintaining consumer trust and avoiding legal pitfalls. Some of the key data protection requirements are:

• Data Processing Principles: The DPDP Act mandates adherence to fundamental data processing principles, emphasizing purpose limitation, data minimization, and lawful processing, requiring businesses to collect and process only necessary personal data with explicit consent from the data subject. Given the decentralized nature of blockchain, ensuring these principles is vital to regulatory adherence.
• Data Security Measures: Implementing robust security measures to protect personal data from unauthorized access, data breaches, and cyberattacks is a core requirement of the DPDP Act. Blockchain startups must employ advanced encryption techniques, secure storage solutions, and conduct regular security audits and vulnerability assessments to safeguard data integrity and confidentiality.
• Cross-Border Data Transfer: S. 16 of the DPDP Act empowers the central government to restrict the transfer of personal data to countries or territories outside India. Businesses must obtain explicit consent from data subjects for international data transfers and ensure that the recipient country has adequate data protection standards.
• Rights of Data Subjects: The DPDP Act enshrines several rights for data subjects, including the right to access, rectify, erase, and port their personal data. Data subjects must be provided with clear and accessible mechanisms to exercise these rights. Blockchain startups must establish processes to build trust and maintain records of all data subject interactions.

Startups, particularly in the blockchain and crypto sectors, often face resource constraints while implementing comprehensive data protection measures that require investment in technology, training, and processes. However, adopting best practices can mitigate these challenges. Conducting regular data protection audits, training employees on data privacy principles and cybersecurity, and implementing Data Protection Impact Assessments (DPIAs) for new projects involving personal data are proactive measures to identify and address potential privacy risks before they materialize. Additionally, leveraging technological solutions such as automated compliance tools, encryption, and secure access controls can enhance data protection efforts while optimizing operational efficiency.

V. Consumer Protection and Dispute Resolution

The Consumer Protection Act, 2019 ('CP Act') provides a comprehensive framework for addressing grievances and disputes related to cryptocurrency transactions. This legislation is crucial for safeguarding consumer interests and fostering trust in the crypto industry. As cryptocurrency adoption continues to grow, ensuring robust consumer protection mechanisms is essential for maintaining credibility and encouraging broader participation in the digital asset market. Some of the key consumer protection requirements are as follows:

• Transparent Information: Crypto businesses must provide clear, accurate information and disclosures on fees, risks involved, the terms of service, and all the costs associated with trading, transferring, or holding cryptocurrencies to enable informed decision-making.
• Grievance Redressal Mechanism: Cryptocurrency businesses must establish clear procedures for lodging complaints and ensure these are easily accessible to consumers. Appointing a dedicated grievance officer who is well-versed in technical and regulatory aspects is important to handle issues competently.
• Dispute Resolution: Implementing alternative dispute resolution (ADR) mechanisms, such as mediation and arbitration, can provide a cost-effective and efficient way to resolve disputes amicably. Regular training and certification of mediators and arbitrators in the nuances of cryptocurrency transactions can enhance the effectiveness of these mechanisms.

Managing consumer expectations and addressing grievances in a timely manner are crucial for maintaining customer trust and satisfaction. The dynamic and often volatile nature of the cryptocurrency market can lead to a variety of consumer concerns, from transaction delays to discrepancies in account balances. To navigate these challenges, businesses should adopt best practices that prioritize consumer protection and transparency. Conducting regular reviews of grievance redressal processes, maintaining clear communication on complaint status, valuing customer feedback, and making policies easily accessible go a long way in building consumer confidence. Additionally, businesses should ensure that their terms of service, privacy policies, and fee structures are not just easily accessible but also written in plain language to avoid any confusion. Engaging with consumer protection agencies and industry associations can also help businesses stay updated on best practices and regulatory developments.

Conclusion

Navigating the intricate and dynamic landscape of cryptocurrencies in India demands a comprehensive understanding of the legal and regulatory framework, coupled with strong compliance and robust operational strategies. The Indian government's stance on cryptocurrencies has been shaped by significant legislative and regulatory developments, presenting both challenges and opportunities for startups in this burgeoning industry.

The Supreme Court's landmark judgment in 2020 reinstated the legality of cryptocurrency trading, setting the stage for further regulatory clarifications and compliance requirements. While the Crypto Bill 2021 has not been enacted, the introduction of a comprehensive tax regime under the Finance Act 2022 underscores the government's intent to regulate this sector while fostering innovation.

The compliance requirements, particularly the stringent KYC and AML obligations under the PMLA, are designed to ensure transparency and integrity in cryptocurrency transactions. Registration with FIU-IND, enhanced due diligence, continuous monitoring, and record-keeping are not merely regulatory formalities but essential practices for maintaining the credibility and sustainability of crypto businesses.

The enactment of the DPDP Act further emphasizes the importance of safeguarding personal data in the digital age. By adhering to the principles of data minimization, purpose limitation, and lawful processing, and by implementing robust security measures, crypto startups can build trust and protect the rights of data subjects. Additionally, managing cross-border data transfers in line with the DPDP Act's restrictions will be crucial for businesses handling international transactions.

Consumer protection and dispute resolution remain fundamental to the success of cryptocurrency businesses. Providing clear and transparent information, establishing effective grievance redressal mechanisms, and ensuring fair dispute resolution processes are critical for fostering consumer trust and satisfaction. Given the volatility and complexity of the cryptocurrency market, continuous improvements in consumer protection measures and engagement with regulators and industry associations will be necessary to keep pace with emerging risks and regulatory developments.

In conclusion, India's regulatory landscape for cryptocurrencies is gradually taking shape, characterized by cautious recognition and stringent compliance requirements. For startups, understanding this environment and proactively aligning with regulatory standards is not only a legal obligation but also a strategic imperative. By embracing robust compliance measures, ensuring data protection, and prioritizing consumer protection, crypto businesses can navigate the complexities of the existing regulatory framework and leverage the opportunities within India's cryptocurrency market.

The path ahead is challenging yet promising. With careful planning, adherence to regulatory requirements, and a commitment to transparency and integrity, cryptocurrency startups can not only thrive in the current legal landscape but also contribute to shaping a resilient and innovative digital asset ecosystem in India. As regulations continue to evolve, staying informed and proactive will be key to long-term success in this dynamic and exciting industry.

Footnotes

1. RBI/2017-18/154 – Prohibition on dealing in Virtual Currencies (VCs) dated 06.04.2018.

2. Internet and Mobile Association of India v. Reserve Bank of India, (2020) 10 SCC 274.

3. Notification S.O.1072(E) [F. NO. P-12011/12/2022-ES-CELL-DOR], dated 07.03.2023.

4. Supra at vi.

5. Order in original No. 10/DIR/FIU-IND/2024 in the matter of Binance u/s. 13 dated 19.06.2024.

6. RBI's FSR June 2023: Chapter III: Regulatory Initiatives in the Financial Sector, available at: https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=1271

7. Financial Stability Board: IMF-FSB Synthesis Paper: Policies for Crypto-Assets, 07.09.2023, available at: https://www.fsb.org/uploads/R070923-1.pdf

8. Amendment to S. 2(47A) of the Income-tax Act, 1961.

9. Section 115BBH of the Income-tax Act, 1961.

10. Ibid.

11. The Hindu Business Line, 25.12.2023 – Year-ender 2023: Indian Cryto Industry Adapts Amid Challenges, Eyes Future Growth.

12. Para (iii)(2) to Annexure to Part B, Speech of Nirmala Sitharaman dated 01.02.2025, Minister of Finance, Budget 2025-2026.

13. FAQ No. 23, Press Release on Frequently Asked Questions (FAQs) on Budget 2025, dated 01.02.2025.

14. Raunaq Prakash Jain v. Income-tax Officer, [2024] 169 taxmann.com 298 (Jodhpur – Trib.).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.