The goal of every KYC regime is to strike a delicate balance: service providers must have enough information to mitigate fraud, but not so much that user privacy becomes collateral damage. The regulatory developments of January 2026 reflect a clear effort to find this equilibrium.
On one side, the Financial Intelligence Unit of India (FIU) is tightening oversight of crypto-businesses, requiring more granular user and counterparty data to combat illicit finance. On the other, the Unique Identification Authority of India (UIDAI) is moving toward a privacy-first architecture, redesigning Aadhaar-based verification to give users finer control over exactly what data they share.
This edition of FinTales dives into both shifts. Here’s the menu for the month:
Main Course 1: Our take on FIU’s new anti-money laundering (AML) directions for the crypto industry.
Main Course 2: An analysis of UIDAI’s privacy-first approach to Aadhaar offline verification.
Dessert: Sweet news about the RBI’s growing focus on fraud management.
Mints: Quick refreshers on the latest fintech developments.
FIU’s New Directives for Virtual Assets Tighten the Regulatory Perimeter
If 2023 was the year India formally brought cryptocurrency within the ambit of anti-money laundering (AML) law, 2026 may well be the year that compliance becomes non-negotiable.
On 8 January 2026, FIU, the country’s AML watchdog, substantially revised its guidelines for crypto players. The aim is clear: reduce illicit finance risks in crypto ecosystems. While the changes appear substantial, they are less a surprise and more the logical culmination of a path FIU has been walking for some time.
India was among the early movers globally to explicitly extend its AML framework to crypto. On 7 March 2023, the Indian Government brought virtual asset service providers within the scope of the Prevention of Money Laundering Act, 2002. The FIU’s 2023 guidelines that followed were deliberately light-touch: principle-based, advisory in tone, and designed to ease an emerging industry into compliance.
This phase, however, did not last long.
Over the past two years, the FIU steadily increased its enforcement efforts, signalling that AML compliance in crypto would be policed, not merely encouraged. In FY 2024-25 alone, penalties totalling nearly Rs. 28 crore were imposed on non-compliant virtual asset service providers. Binance was fined Rs. 18.82 crore and KuCoin Rs. 34.5 lakh for failing to register with the FIU and implement required AML controls.
The FIU has also shown it is willing to use sharper tools than fines. Under Section 79(3)(b) of the Information Technology Act, 2000, FIU can trigger takedowns of apps and URLs of offshore platforms that serve Indian users without registering as reporting entities. This power was exercised in late 2023 and again in October 2025, when 25 offshore exchanges were flagged, leading to the Ministry of Electronics and Information Technology blocking access to their platforms. The message was unmistakable: access to India’s vast retail crypto market is conditional on submission to Indian regulatory oversight.
Against this backdrop, the 2026 revised guidelines mark a decisive shift – not just in substance, but also in tone. They introduce new obligations and are written in a far more directive and enforcement-first language.
One of the most notable changes is the set of conditions attached to the Principal Officer’s role. The Principal Officer must now be a full-time, India-based AML professional with sufficient seniority and independence. The guidelines also prescribe requirements like experience thresholds, subject-matter expertise, and deep familiarity with crypto-specific money laundering typologies.
The second major shift lies in customer onboarding. In response to the growing threat of mule accounts and identity fraud, FIU has mandated technologically intensive KYC processes. Platforms must now deploy ‘selfie with liveness detection’, requiring users to perform random actions such as blinking, head movement, or facial gestures to establish physical presence. This is layered on top of existing processes such as verification of PAN and other identity-related documents.
More significantly, platforms must capture latitude and longitude data, IP addresses, and device identifiers at onboarding. This geo-tagging allows regulators to test whether a user’s physical location aligns with their declared address, with mismatches triggering enhanced due diligence.
The guidelines also reveal a deep regulatory discomfort with anonymity-enhancing tools. Transactions involving mixers or tumblers – designed to obscure fund flows – are now prohibited outright. Initial Coin Offerings and Initial Token Offerings are ‘strongly discouraged’, reflecting concerns around fraud and weak economic justification of these processes.
Unhosted wallet transfers, particularly peer-to-peer transactions, are treated as inherently high-risk. Even in these cases, VDA service providers are expected to obtain sender and receiver information and may restrict such transactions altogether. The underlying principle is clear: crypto activity without sufficient transparency is unacceptable under Indian AML laws.
These requirements will materially reshape the industry. VASPs must invest heavily in AML and CFT infrastructure – automated transaction monitoring systems, specialised compliance teams, and advanced analytics capable of tracing complex on-chain behaviour. The result is a significantly higher barrier to entry, favouring large and well-capitalised players over smaller startups.
At the same time, this regulatory tightening is likely to spur the growth of a parallel ecosystem: certified AML analytics providers, blockchain forensics firms, and audit specialists tailored to Indian risk patterns and regulatory expectations.
Yet, for all its rigor, the current approach is not without blind spots. The guidelines focus primarily on centralised intermediaries – exchanges and custodial service providers. This risks pushing illicit activity towards decentralised finance (DeFi) protocols and peer-to-peer platforms where no clear reporting entity exists. The more regulated the perimeter becomes, the more activity may migrate outside it.
There is also a practical constraint. The effectiveness of these rules ultimately depends on the technological and human capacity of both regulators and VASPs to analyse blockchain data. India still faces a shortage of skilled personnel and advanced tools for large-scale blockchain forensic analysis.
Future iterations of the framework may need to engage more directly with DeFi and invest in public-private partnerships to build shared analytical capability. For now, however, the direction is unmistakable: India’s crypto policy has moved towards stricter enforcement, and AML compliance is no longer optional – it is existential.
Rethinking Offline Aadhaar Verification
In December 2025, the UIDAI amended the Aadhaar (Authentication and Offline Verification) Regulations, 2021 to streamline Aadhaar offline verification. The amendments place an increased emphasis on data privacy principles, driven by the introduction of the Aadhaar Verifiable Credential (AVC) – a new format for offline verification available only through the new Aadhaar App.
Before we get to the details, we’ll make a quick pitstop here to understand the two ways in which Aadhaar-based KYC can be done: online authentication and offline verification.
Think of authentication as a digital handshake between the verifying entity on one end and the UIDAI on the other. The entity sends a real-time request to UIDAI servers using the Aadhaar number and either an OTP or biometric/demographic details of the user. UIDAI responds with either a Yes/No authentication result or a digitally signed data packet with the user’s information.
For verification, the user directly shares Aadhaar information with the verifying entity. Verification can happen without making a live request to UIDAI, either through physical means (e.g. Aadhaar PVC card or printed e-Aadhaar) or electronic means (e.g. e-Aadhaar or Aadhaar Paperless Offline e-KYC). It is called ‘offline’ only because the verifier does not send any real-time request to UIDAI or receive a real-time response during verification; both methods are still internet-based.
Circling back to the amendments, they respond to a growing gap between how offline Aadhaar verification was designed under these regulations and how it has come to be implemented in practice. In simple terms, UIDAI has re-centred offline verification around three broad ideas.
First, Aadhaar data should move only when the user chooses to share it. Currently, many entities pull Aadhaar data directly from sources like DigiLocker. The UIDAI has clarified that offline verification is premised on user-initiated sharing of Aadhaar data, rather than retrieval of a user’s data by any other entity or person.
To support this, the Aadhaar App is now the primary user-facing channel for Aadhaar services. Users can proactively share Aadhaar documents or credentials through the app (push), or respond to a verification request initiated by a business (pull). In a typical flow, a business may present a dynamic QR code or send a request to the user’s Aadhaar App. The user receives a notification, reviews who is requesting the data and for what purpose, and approves or rejects the request. The user remains the gatekeeper, reviewing and approving the request before a single byte of data is transferred.
Second, the user must have full control to selectively share Aadhaar information. Existing privacy-focused approaches like masked Aadhaar hide the first eight digits of the Aadhaar number, but they still reveal a fixed set of details regardless of context. For example, if you are checking into a hotel, the receptionist will have to check your name, age and the validity of your Aadhaar. They do not need your permanent address or gender. A masked Aadhaar would still hand over your full profile.
With AVC, the user can selectively share Aadhaar data like name and age while withholding their address and gender. The selected data is then shared as a machine-readable, digitally verifiable credential, without exposing the complete Aadhaar profile. This introduces data minimisation into offline Aadhaar verification in a way that was previously not possible.
However, the UIDAI has confirmed the continued validity of existing methods. While AVC represents the new gold standard for privacy, it doesn’t replace other forms of offline verification. Users can still use Secure QR Codes (physical cards and e-Aadhaar) or password-protected XML files.
Third, entities conducting offline verification should be identifiable and traceable. If these entities want to conduct offline verification through the Aadhaar App, they must mandatorily register with the UIDAI as Offline Verification Seeking Entities, or OVSEs. The introduction of OVSE registration, combined with app-based consent flows, brings a higher degree of accountability into the offline verification ecosystem. Users can make informed decisions about sharing their data, and UIDAI can effectively supervise how offline verification is carried out in practice.
Taken together, these amendments mark a clear evolution in India’s Aadhaar framework. Offline verification is no longer treated as a loosely governed alternative to online authentication. For businesses, this means rethinking KYC journeys to place the user at the centre and preparing systems to consume AVC. For users, it means greater transparency, tighter control, and reduced data exposure.
DESSERT
Safer payments, smarter rails
The RBI has announced that it will soon release a discussion paper on introducing calibrated safeguards in digital payments – such as additional authentication layers for specific categories of users, including senior citizens. The move is aimed at reducing fraud and strengthening customer protection.
India’s digital payments story is already one of the country’s biggest digital infrastructure successes. In just a few years, UPI has evolved from a domestic experiment into one of the most sophisticated payment systems in the world, now accounting for nearly half of all global real-time payment transactions. Payments that once took days now settle in seconds, at almost zero cost, across cities, towns, and remote villages.
But scale brings risk. Fraud has grown faster, more organised, and more technologically sophisticated.
The RBI has responded with smarter tools. MuleHunter uses AI to detect mule accounts. The Digital Payments Intelligence Platform (DPIP), launched in 2025, enables real-time sharing of fraud signals across banks and fintechs.
The proposed discussion paper builds on this approach. Instead of blanket restrictions, it explores targeted safeguards for vulnerable users – keeping payments frictionless for most while adding protection where needed.
If done right, these measures can strengthen trust without slowing innovation. And trust is what will sustain the next phase of India’s digital payments growth.
MINTS
🚀 DFS launches V-CIP pilot for NRIs in Bahrain: The Department of Financial Services (DFS) has launched a pilot with SBI to test the Video Customer Identification Process (V-CIP) as a KYC method for non-resident Indians (NRIs) in Bahrain. As part of the pilot, SBI has successfully opened two accounts – a Non-Resident External (NRE) and a Non-Resident Ordinary (NRO) account – for a Bahrain-based customer using V-CIP. Extending V-CIP overseas is expected to allow customers to complete KYC remotely, and significantly speed up the onboarding process for NRIs.
🌏 Govt and RBI explore linking UPI with Alipay+: The Indian government and the RBI have started discussions with Ant International on linking its cross-border digital payments network, Alipay+, with UPI to enable cross-border transactions. If the proposal goes through, Indian travelers could use UPI to pay at overseas merchants that accept Alipay+, making international payments more seamless.
🧾🔍 Impact of Budget 2026 on Fintechs: The Union Budget 2026–27 has outlined a set of measures aimed at strengthening the foundations of India’s financial system.
- The government has allocated Rs. 2,196 crores to the UPI incentive scheme for FY 2025–26 and estimates allocating Rs. 2,000 crores for FY 2026–27, up from Rs. 1,500 crores in FY 2024–25.
- It has proposed setting up a high-level committee to shape the next phase of banking reforms, which could potentially open the door to new frameworks such as full-stack digital bank licences.
- The Budget places a strong emphasis on improving MSME liquidity through invoice discounting. It plans to scale up the TReDS ecosystem by making it the default platform for large public sector buyers, offering government-backed guarantees to financiers, enabling better data-driven underwriting, and creating a securitisation market for receivables.
- At the same time, tax law enforcement for crypto platforms has been tightened, with daily penalties introduced for non-reporting and incorrect disclosures.
Taken together, the Budget signals a shift toward building more resilient, scalable, and globally integrated financial systems.
⚖️ RBI’s Regulatory Reset: The RBI has announced a set of measures aimed at strengthening customer protection, improving operational clarity, and adopting a more risk-based approach to supervision across the financial sector.
- Review of Business Correspondent (BC) framework: A committee comprising officials from the RBI, Department of Financial Services, Indian Banks’ Association, and NABARD has been set up to review BC operations and recommend measures to enhance their efficiency.
- Tighter oversight on mis-selling: The RBI has flagged concerns around mis-selling and emphasised that third-party products sold at bank counters must align with customers’ needs and risk appetite. It plans to issue comprehensive directions on advertising, marketing, and sales practices.
- Harmonised rules on loan recovery: To address inconsistencies in existing instructions on recovery agents and recovery practices, the RBI will review and align all conduct-related norms across regulated entities.
- Revised customer liability framework: The RBI intends to update its 2017 framework on limiting customer liability in unauthorised digital transactions to reflect changes in technology and payment systems, and is expected to introduce compensation of up to Rs. 25,000 for small-value frauds.
- Registration relief for small NBFCs: NBFCs with assets below Rs. 1,000 crore that do not raise public funds and have no customer interface may be exempted from RBI registration, given their lower systemic risk profile.
Draft guidelines on these proposals are expected to be issued for public consultation.
😎 Loans processed through the account aggregator framework pick up: Loan disbursements through account aggregators rose to Rs. 24,000 crore in the first half of FY26, according to account aggregator (AA) industry alliance Sahamati. Nearly one in ten personal loans is now routed through the AA framework, signalling increased adoption. The ecosystem is expected to expand into MSME credit, housing finance, and use cases such as fraud and risk management.
For any queries, reach out to us at contact@ikigailaw.com
Author credits: Fintech Team