The story so far: On January 8, India’s Financial Intelligence Unit (FIU-IND) regulator updated the existing ‘AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets.’ These guidelines apply to entities that include cryptocurrency exchanges, setting down rules governing how companies facilitating crypto trades will have to vet their customers.
What do the updated guidelines say?
In order to comply with Indian laws, entities such as cryptocurrency exchanges will have to carry out their due diligence and obtain verified client information including their personal identity number and contact details. This is called KYC or Know-Your-Client/Customer. In addition to this, exchanges will have to collect their customers’ occupation and income range, a selfie with “liveness detection,” and latitude and longitude coordinates of the onboarding location with the date, timestamp, and IP address. What’s more, the customer’s bank account will have to be verified through the penny drop method, in which a small sum is transacted to make sure that the account belongs to the stated person and is in working order.
Exchanges will also have to identify high-risk transactions and clients in order to apply enhanced measures to them. Under this framework, high-risk clients will need to undergo KYC updates at least once every six months while others will have to undergo this update at least once every year.
The guidelines also “strongly discouraged” Initial Coin Offering (ICO) and Initial Token Offering (ITO)-related activities, apart from urging other service providers dealing with virtual digital assets to register with the FIU-IND as reporting entities.
Finally, the regulator has barred exchanges from facilitating transactions involving anonymity-enhancing crypto tokens, as well as “mixers” that make it harder to trace the movement of crypto tokens and assets.
Do all cryptocurrency exchanges carry out KYC procedures?
Centralised exchanges that support cryptocurrency trades have already been carrying out KYC procedures for years now, to ensure that legitimate customers are using their services for legal purposes. KYC also makes it easier to deter criminal activities, freeze offending accounts, or track fraudulent transactions.
A persistent concern is that fiat currency such as rupees could be converted into harder-to-trace crypto assets in order to evade legal reporting requirements. AML or Anti-Money Laundering laws exist to prevent this. Regulators also fear that cryptocurrencies could be used to financially support terrorist groups, leading to the Countering the Financing of Terrorism (CFT) regulations that institutions must comply with.
For example, Binance—one of the world’s biggest crypto exchanges—settled with U.S. regulators in 2023 for violations that included its failure to “implement programs to prevent and report suspicious transactions” with terrorists, ransomware attackers, money launderers, child abusers, criminals, and sanctioned users.
Meanwhile, blockchain analytics platform Chainalysis this year reported that Lebanese Hezbollah, Hamas, and the Houthis were using crypto “at scales never before observed, in spite of various military setbacks”.
Naturally, Indian regulators are keen to prevent crypto exchanges within the country from being used to facilitate similar illegal transactions.
However, not all crypto exchanges carry out stringent KYC procedures. For example, numerous decentralised exchanges, called DEXs, offer a fully anonymous and unregulated transacting experience with far fewer controls and safeguards. Make no mistake; there are many non-criminal reasons for using a DEX, such as ensuring privacy, avoiding state repression, or wanting to maintain control of one’s crypto assets instead of entrusting it to a centralised exchange. However, DEXs are also attractive options for money launderers, scammers, hackers, and those financing terrorism.
In order to effectively address these threats, Indian regulators will have to go far beyond issuing guidelines.
How do crypto exchanges vet Indian customers?
WazirX founder Nischal Shetty stated that leading Indian exchanges were already following global best practices and bank-level compliance standards, with the FIU’s new rules formalising existing ones. Some of WazirX’s own KYC processes include the core identity, selfie check, and bank verification requirements under FIU/PMLA norms.
WazirX, which experienced a hacked multi-signature wallet in July 2024 and the loss of around $230 million in assets, resumed operations last year after its restructuring in Singapore.
“The updated guidelines also highlight liveliness detection for new users, and geo tagging to ensure the ID verification details match with the user location(exceptions apply under different conditions), which are already in place in our user onboarding process. We also have an instant verification process enabled with DigiLocker where it securely shares a new user’s KYC documents (Aadhaar and PAN) with WazirX,” Mr. Shetty told The Hindu.
Another popular exchange, CoinDCX, had implemented KYC processes that included personal ID checks, face match and liveliness checks, geographic validation, and bank account verification.
In July 2025, CoinDCX also suffered a security breach that cost it around $44 million, but customer assets were not affected.
Meanwhile, ZebPay COO Raj Karkara hailed the new enhanced AML and KYC protocols for crypto exchanges, highlighting their role in supporting the wider acceptance of crypto in India.
“Measures such as liveness detection and geo-tagging during the onboarding process help strengthen user verification, improve transparency, and ensure greater accountability across platforms, aligning the industry with evolving global compliance expectations,” he stated.
Furthermore, ZebPay and CoinDCX were both collecting users’ photos as part of the KYC process for more than a year at least, according to their websites Periodic KYC re-verification was routine at multiple crypto exchanges even before the rules were updated, while several Indian exchanges also offered KYC via Digi-Locker.
In essence, FIU-IND’s updated guidelines do not introduce drastic changes to the existing KYC framework for crypto exchanges.
What is the legal status of cryptocurrency in India?
Both investors as well as business leaders in India have called for greater regulatory clarity surrounding cryptocurrencies. Many traders continue to hope that their concerns will be handled at a parliamentary level or addressed in the annual budget. However, past government debates have only reiterated basic arguments about legality and security. These measures lag far behind the more advanced crypto legislation being drafted in the U.S., Europe, and East Asia that is meant to stimulate fintech entrepreneurship, increase exchange registrations, and regulate stablecoin issuance.
Though virtual digital assets such as cryptocurrencies see capital gains taxed at 30% and a TDS rate of 1% in India, there is almost no reliable safety net for Indian investors in case they are scammed, hacked, or subjected to unfair terms by private players.
Many crypto investors consciously trade through Indian exchanges in order to comply with Indian laws and taxation requirements, but are met with a regulatory landscape that is vague and discouraging.
Published – January 15, 2026 08:00 am IST