A dissection of the government notification imposing KYC/AML/CFT obligations on crypto-businesses in India.
Roughly 7% Indians own crypto-assets (aka Virtual Digital
Assets). Yet, until recently, India did not have regulatory
tools to identify crypto-owners or monitor their transactions. Earlier this
month, the Ministry of Finance (MoF) changed this. It issued a notification which brought entities dealing in ‘Virtual
Digital Assets’ (VDA), under the purview of India’s money laundering
legislation – the Prevention of Money Laundering Act 2002 (PMLA). With this
change, crypto-businesses are subject to an entirely new compliance universe.
The notification is straightforward. It lists five crypto-related activities that make businesses a ‘reporting entity’ under the PMLA:
(a) exchanging
VDAs and fiat money (like buying bitcoin with INR);
(b) exchange between different VDAs (like trading bitcoins
for dogecoins);
(c) transfer of VDAs (like buying pizza with
bitcoins);
(d) safekeeping or administration of VDAs or instruments enabling control over
VDAs (like crypto-wallet service providers); and
(e) participation in and provision of financial services related to an issuer’s
offer and sale of VDAs (like fiat on-ramp service
providers).
Businesses classified as ‘reporting entities’ must comply with obligations enlisted in the PMLA. A few of these are:
(a) verifying customer identity – crypto-businesses will have to conduct user KYC, like a bank would when opening an account;
(b) undertaking enhanced due diligence – a crypto-business must have systems in place to detect suspicious transactions or activities that need closer scrutiny. It must then undertake ‘enhanced diligence’ like asking for additional KYC details or source of funds. It must also be able to identify, monitor and report suspicious transactions or transactions involving proceeds of crime;
(c) maintaining records – crypto-businesses will have to store transaction records and identity records of its customers for a period of five years; and
(d) disclosing information – crypto-businesses will have to furnish information as and when required by relevant authorities.
Undoubtedly, these
obligations will increase the compliance burden for crypto-businesses. A lot of
work must be done to build a compliance architecture which meets the PMLA’s
standards. It can’t be done overnight. Yet, crypto businesses are offered no
buffer time to adapt to the new compliance environment. This may not affect
established crypto-exchanges which voluntarily implemented KYC/AML processes
(as a good practice). But those that did not, are scrambling. Crypto-businesses
that voluntarily implemented KYC/AML measures before the MoF notification faced
significant trade-offs. It increased their compliance burden, hindered customer
acquisition, and reduced their overall competitiveness against those who did
not implement these ‘good to have’ measures. By making this a mandatory
requirement, the notification reduces the negative impacts of voluntarily
implementing these measures.
Curiously, law enforcement agencies were already (in some ways) viewing
crypto-businesses (especially crypto-exchanges) as ‘reporting entities’ even
before the MoF notification. For instance, the Enforcement Directorate’s
(ED) press release for its WazirX investigation suggests that
it scrutinized WazirX’s KYC and AML practices as if it was a reporting entity.
By bringing crypto-businesses under PMLA, the government has given more teeth
to law enforcement agencies.
But enforcing these obligations might still be challenging. Crypto-businesses
can be centralized or decentralized. Enforcing KYC/AML obligations on
centralized models is simple. For example, for a centralized crypto-exchange
(like CoinDCX) – it’s clear that the responsibility for implementing the
KYC/AML checks is on the corporate entity. And those in charge of the company’s
conduct are responsible for the contraventions made by the company. But it’s
challenging to enforce such requirements on decentralized models. For example,
in case of a decentralized crypto-exchange – no single person or corporate
entity is responsible for running the applications. And so, even if we assume
that they fall within the ambit of the notification and must implement KYC/AML
checks, it’s unclear who is ultimately responsible for contraventions. With
decentralized crypto-models playing an increasing role in money laundering
activities, the Financial Action Task Force suggests that (on a case-to-case basis), it is
possible to identify the creator, owner, operator or individuals with
significant influence on such decentralized crypto-models and hold them
responsible for implementing the KYC/AML measures. Taking such positions is
bound to open a pandora’s box. And they certainly cannot be taken without
framing a comprehensive law to regulate VDAs.
The PMLA notification follows the government’s piecemeal approach to regulating
VDAs, as seen before with the advertising guidelines or the taxation rules. And even this time, the government has
carefully bypassed granting explicit legitimacy to VDAs or identifying a
regulator to overlook this industry. So, while bringing VDAs under the money
laundering laws is a step in the right direction, we need to do a lot more. It
is time to have a comprehensive law in place regulating VDAs in India.
(This article has been authored by the fintech team at Ikigai Law. It originally appeared in the March edition of FinTales, our monthly fintech newsletter.)
Image credits: Pixabay
For more on the topic please reach out to us at contact@ikigailaw.com