PART 2.6

KYC/AML Requirements for Crypto Platforms (PMLA 2002)

Reading Time: 55 minutes Last Updated: January 2025

Introduction

Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance have become critical legal requirements for cryptocurrency platforms in India. Following the March 2023 amendment to the Prevention of Money Laundering Act, 2002 (PMLA), Virtual Digital Asset Service Providers (VDA SPs) are now designated "reporting entities" with comprehensive compliance obligations.

This development represents a significant shift in the regulatory landscape. While the IAMAI v. RBI judgment ensured banking access was restored, the PMLA amendment imposes direct regulatory obligations on crypto platforms themselves. Legal practitioners must now advise clients on building robust compliance frameworks that satisfy these requirements.

This part provides a comprehensive examination of KYC/AML requirements applicable to cryptocurrency platforms, including the PMLA framework, RBI's Master Direction on KYC, FATF recommendations, and practical implementation guidance.

Key Regulatory Framework
  • Prevention of Money Laundering Act, 2002
  • Prevention of Money Laundering (Maintenance of Records) Rules, 2005
  • Gazette Notification dated March 7, 2023 (bringing VDA SPs under PMLA)
  • RBI Master Direction on KYC (2016, as amended)
  • FATF Recommendations (particularly Recommendation 15)
  • FIU-IND Guidelines

PMLA 2002 Framework

The Prevention of Money Laundering Act, 2002 is India's primary legislation against money laundering and terrorist financing. Understanding its framework is essential for implementing compliant crypto operations.

Objectives of PMLA

  • Prevent money laundering and confiscate property derived from money laundering
  • Address matters connected with or incidental to money laundering
  • Implement India's international obligations under UN conventions
  • Ensure financial system integrity

Key Concepts

Money Laundering (Section 3)

Whosoever directly or indirectly attempts to indulge or knowingly assists or knowingly is a party or is actually involved in any process or activity connected with the proceeds of crime including its concealment, possession, acquisition or use and projecting or claiming it as untainted property shall be guilty of offense of money laundering.

Proceeds of Crime (Section 2(1)(u))

Any property derived or obtained, directly or indirectly, by any person as a result of criminal activity relating to a scheduled offense, or the value of any such property.

Scheduled Offenses

PMLA applies to money laundering involving proceeds from scheduled offenses listed in the Schedule to the Act, including:

  • Part A: Offenses under IPC (fraud, forgery, criminal breach of trust)
  • Part A: Narcotics, terrorism, arms act violations
  • Part B: Offenses with cross-border implications
  • Part C: Offenses under other specific acts

Reporting Entities (Section 2(1)(wa))

Prior to the 2023 amendment, reporting entities included:

  • Banking companies
  • Financial institutions
  • Intermediaries
  • Designated non-financial businesses and professions

2023 PMLA Amendment - VDA Service Providers

The Ministry of Finance notification dated March 7, 2023, brought Virtual Digital Asset Service Providers under the ambit of PMLA. This was a watershed moment for cryptocurrency regulation in India.

Gazette Notification - March 7, 2023

The Central Government hereby specifies the following activities in relation to virtual digital assets, for the purposes of sub-clause (vi) of clause (sa) of sub-section (1) of section 2 of the Prevention of Money Laundering Act, 2002:

  • Exchange between virtual digital assets and fiat currencies
  • Exchange between one or more forms of virtual digital assets
  • Transfer of virtual digital assets
  • Safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets
  • Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual digital asset

Definition of Virtual Digital Asset

The notification adopts the definition from Section 2(47A) of the Income Tax Act:

  • Any information, code, number, or token generated through cryptographic means
  • Providing a digital representation of value exchanged with or without consideration
  • With the promise or representation of having inherent value
  • Functions as store of value or unit of account
  • Includes NFTs and any other tokens as notified

Covered Activities

Activity Description Example
VDA-Fiat Exchange Converting crypto to/from INR or other fiat Buying Bitcoin with INR
VDA-VDA Exchange Trading one crypto for another Swapping ETH for USDT
VDA Transfer Moving VDA between wallets/accounts P2P transfers, withdrawals
Custody/Administration Holding VDA on behalf of others Custodial wallets
Token Offerings ICO, IEO, or similar services Launchpad platforms

Immediate Compliance Obligations

From March 7, 2023, VDA service providers are required to:

  1. Register with FIU-IND
  2. Appoint Designated Director and Principal Officer
  3. Implement KYC procedures
  4. Maintain records as prescribed
  5. File reports (CTR, STR) with FIU-IND
  6. Cooperate with enforcement agencies

Critical Compliance Deadline

VDA service providers who were already operating as of March 7, 2023 were required to register with FIU-IND within a specified period. Failure to register or comply with PMLA requirements can result in significant penalties.

KYC Requirements

Know Your Customer requirements form the foundation of AML compliance. For VDA service providers, KYC must be implemented in line with PMLA Rules and can draw guidance from RBI's Master Direction on KYC.

Customer Identification

At the time of onboarding, the following must be verified:

For Individuals

  • Full legal name
  • Date of birth
  • Permanent address and correspondence address
  • Nationality
  • PAN (mandatory for Indian residents)
  • Aadhaar (recommended for e-KYC)
  • Photograph
  • Source of funds
  • Occupation/profession

For Legal Entities

  • Legal name and any trade names
  • Registration/incorporation certificate
  • Principal place of business
  • PAN of entity
  • GST registration (if applicable)
  • Board resolution for authorized signatories
  • KYC of authorized persons
  • Beneficial ownership details

Acceptable KYC Documents

Category Acceptable Documents
Identity Proof Passport, PAN, Voter ID, Driving License, Aadhaar
Address Proof Aadhaar, Utility bills, Bank statement, Passport
Entity Documents COI, MOA/AOA, Partnership Deed, Trust Deed

e-KYC and Video KYC

VDA platforms can utilize digital KYC methods:

  • Aadhaar e-KYC: Using Aadhaar authentication with UIDAI
  • Video KYC (V-KYC): Live video verification following RBI guidelines
  • Digital Document Verification: DigiLocker integration
KYC Best Practices
  • Implement Aadhaar e-KYC for instant verification where possible
  • Use video KYC for higher value accounts
  • Verify PAN with NSDL/UTIITSL database
  • Cross-check documents against sanctions lists
  • Re-verify KYC periodically (at least annually for high-risk customers)

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

Risk-Based Approach

PMLA mandates a risk-based approach to customer due diligence. Customers must be categorized based on risk profile:

Risk Category Characteristics Due Diligence Level
Low Risk Salaried individuals, small traders, verified source of funds Standard CDD
Medium Risk Self-employed, moderate transaction volumes Standard CDD with monitoring
High Risk PEPs, high-value traders, complex structures, high-risk jurisdictions Enhanced Due Diligence

Standard Customer Due Diligence (CDD)

  • Verify customer identity using reliable documents
  • Identify beneficial owner and verify identity
  • Understand purpose and intended nature of relationship
  • Conduct ongoing monitoring of transactions

Enhanced Due Diligence (EDD)

EDD is required for high-risk customers and involves additional measures:

  • Senior management approval for establishing relationship
  • Additional information on source of wealth and funds
  • More frequent KYC updates
  • Enhanced transaction monitoring
  • First transaction through verified bank account

Politically Exposed Persons (PEPs)

Special attention is required for PEPs - individuals entrusted with prominent public functions:

  • Heads of state/government, ministers
  • Senior politicians, judicial officials
  • Senior executives of state-owned corporations
  • Senior military officials
  • Family members and close associates of above
PEP Compliance Requirements
  • Implement systems to identify PEPs
  • Obtain senior management approval for PEP relationships
  • Establish source of wealth and funds
  • Conduct enhanced ongoing monitoring
  • Continue monitoring for specified period after PEP leaves position

Beneficial Ownership

For legal entity customers, identify ultimate beneficial owners:

  • Natural person owning more than 25% (or lower threshold based on risk)
  • Natural person exercising control through other means
  • If no beneficial owner identified, identify senior managing official
  • Verify identity of beneficial owners

Transaction Monitoring

Effective transaction monitoring is essential for identifying suspicious activities and meeting reporting obligations.

Monitoring Objectives

  • Identify unusual or suspicious transaction patterns
  • Detect potential money laundering or terrorist financing
  • Ensure transactions align with customer profile
  • Generate alerts for investigation
  • Support regulatory reporting requirements

Red Flags for Crypto Transactions

Category Red Flags
Transaction Patterns Rapid movement of funds (deposit-trade-withdraw)
Structuring to avoid reporting thresholds
Multiple accounts with similar patterns
Geographic Risks Transactions involving high-risk jurisdictions
VPN usage to mask location
Inconsistent geographic indicators
Customer Behavior Reluctance to provide KYC information
Use of multiple identities
Frequent IP address changes
Blockchain Indicators Interaction with mixer/tumbler services
Transactions from darknet addresses
Known sanctioned wallet addresses

Blockchain Analytics

VDA platforms should implement blockchain analytics to:

  • Screen incoming transactions for high-risk sources
  • Identify connections to illicit activities
  • Track transaction flow across wallets
  • Identify mixer/tumbler usage
  • Check against sanctions lists

Reporting Obligations

VDA service providers must file various reports with FIU-IND as mandated under PMLA.

Cash Transaction Report (CTR)

  • When: Cash transactions exceeding Rs. 10 lakhs or equivalent
  • Frequency: Monthly, by 15th of succeeding month
  • Format: As prescribed by FIU-IND
  • Note: Includes series of connected transactions

Suspicious Transaction Report (STR)

  • When: Transaction appears suspicious regardless of value
  • Timeline: Within 7 working days of determination
  • Includes: Attempted transactions even if not completed
  • Confidentiality: Must not tip off customer about STR filing
What Constitutes Suspicious Transaction

A transaction whether or not made in cash which, to a person acting in good faith:

  • Gives rise to a reasonable ground of suspicion that it may involve proceeds of crime
  • Appears to have no economic rationale or bonafide purpose
  • Involves financing of terrorism

Other Reports

  • Non-Profit Organization Transaction Report (NTR): For transactions by NPOs
  • Cross-Border Wire Transfer Report: For international transactions above threshold
  • Counterfeit Currency Report: Not typically applicable to VDAs

Record Retention

PMLA requires maintenance of records for minimum 5 years:

  • Records of transactions
  • Customer identification records
  • Correspondence and documents
  • Account files and business correspondence
  • STR-related documentation

FIU-IND Registration

The Financial Intelligence Unit - India (FIU-IND) is the central national agency responsible for receiving, processing, analyzing, and disseminating information relating to suspected money laundering.

Registration Process

  1. Prepare required documents and information
  2. Apply through FIU-IND online portal (FINNET 2.0)
  3. Appoint Designated Director
  4. Appoint Principal Officer
  5. Submit registration application
  6. Await verification and approval
  7. Obtain registration number

Required Information for Registration

  • Entity details (name, registration, address)
  • Nature of business activities
  • Designated Director details and undertaking
  • Principal Officer details and undertaking
  • Contact information
  • Digital signature certificates

Designated Director and Principal Officer

Designated Director

  • Responsible for overall compliance
  • Must be a whole-time director or partner or trustee
  • Personally liable for compliance failures
  • Must authorize and submit reports

Principal Officer

  • Day-to-day compliance management
  • Interface with FIU-IND
  • Submit reports and respond to queries
  • Train staff on AML compliance

FIU Registration Checklist

Company/LLP registration certificate
PAN of entity
Board resolution appointing Designated Director
Board resolution appointing Principal Officer
Designated Director undertaking
Principal Officer undertaking
KYC documents of Designated Director and Principal Officer
Digital signature certificates
Description of VDA activities

FATF Compliance

The Financial Action Task Force (FATF) sets international standards for combating money laundering and terrorist financing. India, as a FATF member, implements these standards, which increasingly apply to virtual asset service providers.

FATF Recommendation 15 - New Technologies

Recommendation 15 specifically addresses virtual assets and VASPs:

  • Countries should assess and mitigate ML/TF risks of virtual assets
  • VASPs should be regulated and supervised for AML/CFT
  • VASPs should be licensed or registered
  • Countries should apply effective sanctions for non-compliance

Travel Rule

The FATF Travel Rule requires VASPs to obtain, hold, and transmit originator and beneficiary information for virtual asset transfers:

  • Originator: name, account number, address/national ID/customer ID
  • Beneficiary: name, account number
  • Applies to transfers above de minimis threshold
  • Information must travel with the transaction

Travel Rule Implementation

India has not yet fully implemented the Travel Rule for VDA transfers. However, platforms should prepare for eventual implementation by:

  • Collecting originator/beneficiary information
  • Implementing systems for information exchange
  • Monitoring international developments

FATF Grey List Considerations

Transactions involving countries on FATF grey list (increased monitoring) or black list (high-risk) require enhanced scrutiny:

  • Enhanced due diligence for customers from listed countries
  • Additional documentation requirements
  • Senior management approval
  • Potential prohibition for black-listed jurisdictions

Penalties for Non-Compliance

Non-compliance with PMLA requirements can result in significant penalties and consequences for VDA service providers.

Penalties under PMLA

Violation Penalty Section
Failure to maintain records Up to Rs. 10 lakhs Section 12
Failure to verify identity Up to Rs. 10 lakhs Section 12
Failure to report transactions Up to Rs. 10 lakhs per instance Section 12
Non-cooperation with authorities Up to Rs. 10 lakhs Section 12
Money laundering offense 3-7 years imprisonment + fine Section 4

Personal Liability

Under Section 70 of PMLA, where an offense is committed by a company:

  • Every person in charge of the company is liable
  • Directors may be personally prosecuted
  • Defense of lack of knowledge or due diligence available

Business Consequences

  • Enforcement Directorate investigation
  • Attachment of assets
  • Reputational damage
  • Loss of banking relationships
  • Potential closure of business

Implementation Guide

Building an AML Program

  1. Governance: Appoint Designated Director and Principal Officer
  2. Risk Assessment: Conduct enterprise-wide ML/TF risk assessment
  3. Policies: Develop comprehensive AML/KYC policy
  4. Procedures: Document detailed operational procedures
  5. Technology: Implement KYC and transaction monitoring systems
  6. Training: Regular staff training on AML compliance
  7. Testing: Independent audit and testing of controls
  8. Reporting: Establish reporting processes with FIU-IND

Technology Requirements

  • Identity verification system (e-KYC, Video KYC)
  • Sanctions screening tool
  • PEP database access
  • Transaction monitoring system
  • Blockchain analytics platform
  • Case management system
  • Regulatory reporting system

AML Program Checklist

FIU-IND registration completed
Designated Director appointed
Principal Officer appointed
Written AML/KYC policy approved by Board
Customer risk categorization framework
KYC procedures documented
Transaction monitoring rules implemented
Sanctions screening enabled
STR filing process established
CTR filing process established
Staff training conducted
Record retention procedures in place

Practice Tips for Lawyers

Due Diligence for Crypto Clients
  • Verify FIU-IND registration status
  • Review AML/KYC policy documents
  • Assess governance structure (DD, PO appointments)
  • Evaluate transaction monitoring capabilities
  • Check record-keeping practices
Policy Drafting
  • Align with PMLA Rules and FIU-IND requirements
  • Incorporate RBI KYC Master Direction principles
  • Include crypto-specific provisions
  • Address blockchain analytics usage
  • Define escalation procedures
Responding to ED Investigation
  • Advise on rights during search operations
  • Ensure proper documentation of seized materials
  • Review statements before signing
  • Gather all compliance documentation proactively
  • Consider voluntary disclosure if gaps identified
Common Compliance Gaps
  • Inadequate beneficial ownership identification
  • Missing or incomplete STR documentation
  • Insufficient transaction monitoring rules
  • Lack of periodic KYC refresh
  • Poor record keeping practices
  • Inadequate staff training