Selfies with liveness detection, recording of geographical coordinates, and bank account verification by the ‘penny-drop’ method are among the mandatory new measures listed by India’s Financial Intelligence Agency under anti-money laundering and terrorist financing KYC protocols for cryptocurrency exchanges when onboarding users.
The directions also discourage Initial Coin Offerings (ICOs) and Initial Token Offerings (ITOs), equivalent to IPOs, in the stock markets by exchanges. He says Tumblr, Mixer and anonymity-enhancing token-linked transactions “will not” be facilitated.
PTI The updated set of guidelines brought out by the Financial Intelligence Unit (FIU), an entity functioning under the Union Finance Ministry, on January 8 as part of ‘Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Guidelines’ for reporting of entities providing services related to Virtual Digital Assets (Cryptocurrencies) has been reviewed. The guidelines have been updated in March 2023, almost three years after they were first published.
Guidelines for Cryptocurrency Exchanges
FIU is the single-point regulator for cryptocurrency exchanges (reporting entities or VDA service providers) operating in India under the provisions of the Prevention of Money Laundering Act (PMLA).
The new guidelines mean that all crypto exchanges must register with the FIU as reporting entities and submit regular reports on suspicious transactions and maintain records of their clients (clients) to identify and address money laundering, terrorist financing and proliferation financing risks associated with crypto assets, which India has recognized not as legal tender but as taxable under the Income Tax Act.
The guidelines stipulate that exchanges should ‘mandatorily’ obtain Permanent Account Number (PAN), selfie with liveness detection, and latitude and longitude coordinates of the onboarding location with date and timestamp as well as IP (Internet Protocol) address of the customer as part of ‘client due diligence’ measures.
The RE (Crypto Exchange) will also ensure that the customer whose credentials are being presented at the time of onboarding is the same person who is actually accessing the application and initiating the account creation process in person, they determine.
It added, “The authenticity of such access and personal presence shall be established by capturing the live photograph of the customer and employing livelihood identification technology to verify the physical presence of the customer…”
Vitality is detected by specified software and is used for various legal purposes in India, such as making life certificates for pensioners, where they have to blink their eyes to establish that they are alive and authentic.
Exchanges have also been directed to collect one more identity and address document of the customer – either passport, driving license, Aadhaar, voter ID card or proof of possession of an equivalent ID – besides verifying their mobile number and email through a one-time password (OTP).
‘Penny-drop’ method
It added that verification of the customer’s bank account will be done through a ‘penny-drop’ mechanism to confirm the ownership and operational status of the account.
Under the ‘penny-drop’ method, a refundable credit of Rs 1 is charged to a customer by the banking or payment gateway for authenticating their bank account.
Exchanges have been asked to update KYC (Know Your Customer) every six months for “high-risk” customers and annually for all others.
By gathering details from open sources and consulting independent databases, an ‘enhanced customer due diligence’ is to be conducted for high-risk individuals or entities who have ties to either tax haven countries or jurisdictions designated under the FATF gray or black list and Politically Exposed Persons (PEPs) or Non-Profit Organizations (NPOs).
On ICOs/ITOs, the guidelines state that these activities present “increased and complex” money laundering and terrorist financing risks because they “lack” proper economic logic, while anonymity enhancing crypto tokens (AECs), tumblers and mixers are designed to hide or obscure the origin, ownership or value of transactions.
They say such transactions should not be facilitated and appropriate risk mitigation measures should be triggered.
As the name suggests, crypto tumblers or mixers mix coins from different sources after the transaction, making them very difficult to trace.
The guidelines also ask exchanges to preserve customer IDs, their addresses and transaction details for at least five years and retain them until the investigation is closed.
published – January 11, 2026 03:55 PM IST
