Crypto KYC: How are crypto exchanges vetting customers?

What is meant by Crypto KYC? How do cryptocurrency exchanges in India vet their customers? Read here to learn more.

With the rapid growth of cryptocurrencies and other virtual digital assets (VDAs), regulators across the world have been grappling with concerns related to money laundering, terror financing, tax evasion, and financial instability.

In India, where crypto trading remains legal but unregulated as legal tender, the government has increasingly relied on anti-money laundering (AML) and counter-terrorist financing (CFT) frameworks to bring oversight to the sector.

On January 8, India’s Financial Intelligence Unit (FIU-IND) updated its “AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets.” These guidelines directly impact crypto exchanges and related service providers, laying down stringent norms for customer verification and monitoring.

Why regulate crypto exchanges?

Cryptocurrencies are pseudonymous by design, allowing users to transact without revealing their real-world identities on public blockchains. While this feature offers privacy and financial inclusion, it also raises red flags for regulators due to:

Don't miss ClearIAS updates: Add ClearIAS as a preferred source on Google Add →

• Use of crypto in money laundering and terror financing
• Cross-border transfers bypassing traditional banking channels
• Difficulty in tracing beneficial ownership
• Tax evasion and proceeds of crime are being routed through digital assets

India is a signatory to the Financial Action Task Force (FATF) recommendations, which require member countries to regulate Virtual Asset Service Providers (VASPs). The updated FIU-IND guidelines are part of India’s effort to align with these global standards.

Who do the guidelines apply to?

The guidelines apply to “Reporting Entities” under the Prevention of Money Laundering Act (PMLA), 2002, including:

• Cryptocurrency exchanges
• Platforms facilitating the buying, selling, or transfer of VDAs
• Custodial wallet providers
• Entities offering financial services related to VDAs

These entities are now legally obligated to conduct customer due diligence (CDD) and report suspicious transactions to FIU-IND.

What is crypto KYC, and why is it central?

At the heart of the updated framework is Know Your Customer (KYC), a globally accepted compliance mechanism to establish the identity of users and assess risk.

Under the new rules, crypto exchanges must obtain and verify:

• Personal identity details (such as PAN or equivalent ID)
• Contact information
• Bank account details
• Financial profile and risk indicators

This moves crypto platforms closer to traditional banks and financial institutions in terms of regulatory scrutiny.

New and enhanced customer vetting requirements

The updated FIU-IND guidelines significantly expand the scope of information collected during onboarding.

1. Personal and financial profiling

Exchanges must now collect:

• Customer’s occupation
• Income range, enabling risk assessment and detection of disproportionate transactions
• Nature of business, in case of non-individual users

This helps regulators flag instances where crypto activity does not align with a user’s declared financial capacity.

2. Biometric verification and liveness detection

To prevent identity fraud and impersonation, exchanges must obtain:

• A selfie with liveness detection, ensuring that the user is a real person and not using static images or deepfake techniques

This mirrors advanced KYC practices increasingly used by banks and fintech platforms.

3. Location and digital footprint tracking

Exchanges are required to capture:

• Latitude and longitude of the onboarding location
• Date and time stamp
• IP address of the device used

This geo-spatial and digital data helps in:

• Detecting cross-border misuse
• Tracing suspicious access patterns
• Supporting law enforcement investigations

4. Bank account verification through the “penny drop” method

A crucial step in linking crypto activity to the formal financial system is bank account verification.

• A small amount (penny drop) is transferred to the user’s bank account
• Successful receipt confirms that the account:
  • Exists
  • Is operational
  • Belongs to the stated individual

This reduces the risk of mule accounts and anonymous fund routing.

Ongoing monitoring and reporting obligations

Customer vetting does not end with onboarding. Exchanges must:

• Conduct ongoing due diligence
• Monitor transactions for suspicious patterns
• File Suspicious Transaction Reports (STRs) with FIU-IND
• Maintain transaction and KYC records for a specified period

High-risk customers and transactions may require enhanced due diligence (EDD).

Implications of the new guidelines

1. Strengthening financial integrity

The measures enhance India’s ability to:

• Track illicit financial flows
• Prevent misuse of crypto for terror financing
• Improve tax compliance

2. Impact on crypto exchanges

While large exchanges may adapt easily, smaller platforms may face:

• Higher compliance costs
• Increased operational complexity
• Risk of user attrition due to intrusive KYC norms

3. Privacy and data protection concerns

The collection of biometric data, precise location, and financial details raises concerns about:

• User privacy
• Data security and breaches
• Absence of a comprehensive personal data protection law (at present)

This remains a key area of debate between regulators and industry stakeholders.

Conclusion

India’s updated AML & CFT guidelines mark a decisive step toward mainstreaming cryptocurrency regulation without granting legal tender status. By imposing stringent KYC, geo-location tracking, and transaction monitoring norms, the government aims to strike a balance between innovation and national security.

Related articles:

• Stablecoins: How is India managing them?
• Bitcoin halving