Story so far: On January 8, the Financial Intelligence Unit of India (FIU-IND) updated the existing “AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets”. These guidelines apply to entities that include cryptocurrency exchanges and set out rules governing how companies facilitating cryptocurrency trades will need to vet their customers.
What do the updated guidelines say?
In order to comply with Indian laws, entities such as cryptocurrency exchanges will need to perform due diligence and obtain verified information about clients including their personal identification number and contact details. This is called KYC or Know-Your-Client/Customer. In addition, exchanges will have to collect their customers’ occupation and income range, selfies with “aliveness detection” and latitude and longitude coordinates of the boarding location with date, time stamp and IP address. What’s more, the customer’s bank account will need to be verified using the penny drop method, where a small amount is transacted to ensure that the account belongs to that person and is in working order.
Exchanges will also need to identify high-risk transactions and clients in order to apply enhanced measures to them. Under this framework, high-risk clients will have to undergo KYC updates at least once every six months, while others will have to undergo this update at least once a year.
The guidelines also “strongly discouraged Initial Coin Offering (ICO) and Initial Token Offering (ITO) activities, in addition to urging other service providers dealing with virtual digital assets to register with FIU-IND as reporting entities.
Finally, the regulator banned exchanges from facilitating transactions involving anonymity-enhancing crypto-tokens, as well as “mixers” that make it difficult to trace the movement of crypto-tokens and assets.
Do all cryptocurrency exchanges perform KYC procedures?
For years, centralized exchanges that support cryptocurrency trading have implemented KYC procedures to ensure that legitimate customers are using their services for legitimate purposes. KYC also makes it easier to deter criminal activity, freeze illegal accounts or track fraudulent transactions.
A lingering concern is that fiat currencies such as rupees could be converted into harder-to-trace crypto-assets to avoid legal reporting requirements. AML or anti-money laundering laws exist to prevent this. Regulators are also concerned that cryptocurrencies could be used to financially support terrorist groups, leading to counter-financing of terrorism (CFT) regulations for institutions to comply with.
For example, Binance – one of the world’s largest crypto exchanges – settled with US regulators in 2023 for violations that included failing to “implement programs to prevent and report suspicious transactions” involving terrorists, ransomware attackers, money launderers, child abusers, criminals and sanctioned users.
Meanwhile, blockchain analytics platform Chainalysis reported this year that Lebanon’s Hezbollah, Hamas and the Houthis are using crypto “to a scale never seen before, despite various military setbacks.”
Naturally, Indian regulators want to prevent the country’s crypto exchanges from being used to facilitate similar illegal transactions.
However, not all crypto exchanges implement strict KYC procedures. For example, a number of decentralized exchanges, called DEXs, offer fully anonymous and unregulated transactions with far fewer checks and guarantees. Make no mistake; there are many non-criminal reasons for using a DEX, such as ensuring privacy, avoiding state repression, or wanting to retain control of your crypto assets instead of entrusting them to a centralized exchange. However, DEXs are also attractive options for money launderers, fraudsters, hackers and those who finance terrorism.
To effectively counter these threats, Indian regulators will need to go far beyond issuing guidelines.
How do crypto exchanges screen Indian customers?
WazirX founder Nischal Shetty said leading Indian exchanges already follow global best practices and compliance standards at the bank level, with the new FIU rules formalizing the existing ones. Some of WazirX’s own KYC processes include basic identity requirements, selfie verification and bank verification as per FIU/PMLA norms.
WazirX, which experienced a hacked multi-signature wallet in July 2024 and a loss of approximately $230 million in assets, resumed operations last year following its restructuring in Singapore.
“The updated guidelines also emphasize liveness detection for new users and geo-tagging to ensure ID verification details match the user’s location (exceptions apply under various conditions), which are already in place in our user registration process. DigiLocker also enables an instant verification process that securely shares a new user’s KYC documents (Aadhaar and PAN) with WazirX,” The Hindutty said.
Another popular exchange, CoinDCX, implemented KYC processes that included ID checks, face and liveness match checks, geographic verification, and bank account verification.
In July 2025, CoinDCX also suffered a security breach that cost it approximately $44 million, but customer assets were not affected.
Meanwhile, ZebPay COO Raj Karkara welcomed the new improved AML and KYC protocols for crypto exchanges and highlighted their role in promoting wider adoption of cryptocurrencies in India.
“Measures such as liveness detection and geo-tagging during the onboarding process help strengthen user authentication, improve transparency and ensure greater accountability across platforms, aligning the industry with evolving global compliance expectations,” he said.
Additionally, ZebPay and CoinDCX have been collecting user photos as part of the KYC process for at least a year, according to their websites, regular KYC re-verification was routine at several crypto exchanges even before the rule update, while several Indian exchanges also offered KYC via Digi-Locker.
In essence, the updated FIU-IND guidelines do not introduce drastic changes to the existing KYC framework for crypto exchanges.
What is the legal status of cryptocurrency in India?
Both investors and business leaders in India have been calling for more regulatory clarity on cryptocurrencies. Many traders remain hopeful that their concerns will be addressed at parliamentary level or resolved in the annual budget. However, past government debates have only repeated basic arguments about legality and security. These measures lag far behind more advanced crypto legislation being prepared in the US, Europe and East Asia to stimulate fintech businesses, increase registrations on exchanges and regulate the issuance of stablecoins.
Even though virtual digital assets like cryptocurrencies are taxed at 30% capital gains and 1% TDS in India, there is almost no reliable safety net for Indian investors in case they are scammed, hacked or subjected to unfair terms by private players.
Many crypto-investors knowingly trade through Indian exchanges to comply with Indian laws and tax requirements, but encounter a regulatory environment that is vague and discouraging.
Published – 15 Jan 2026 08:00 IST
