Research and Articles
- Capital Markets Hotline
- Companies Act Series
- Climate Change Related Legal Issues
- Competition Law Hotline
- Corpsec Hotline
- Court Corner
- Cross Examination
- Deal Destination
- Debt Funding in India Series
- Dispute Resolution Hotline
- Education Sector Hotline
- FEMA Hotline
- Financial Service Update
- Food & Beverages Hotline
- Funds Hotline
- Gaming Law Wrap
- GIFT City Express
- Green Hotline
- HR Law Hotline
- iCe Hotline
- Insolvency and Bankruptcy Hotline
- International Trade Hotlines
- Investment Funds: Monthly Digest
- IP Hotline
- IP Lab
- Legal Update
- Lit Corner
- M&A Disputes Series
- M&A Hotline
- M&A Interactive
- Media Hotline
- New Publication
- Other Hotline
- Pharma & Healthcare Update
- Private Client Wrap
- Private Debt Hotline
- Private Equity Corner
- Real Estate Update
- Realty Check
- Regulatory Digest
- Regulatory Hotline
- Renewable Corner
- SEZ Hotline
- Social Sector Hotline
- Tax Hotline
- Technology & Tax Series
- Technology Law Analysis
- Telecom Hotline
- The Startups Series
- White Collar and Investigations Practice
- Yes, Governance Matters.
Technology Law AnalysisMarch 13, 2023
Making Crypto Industry Compliant in India: A Welcome Move under the Anti-Money Laundering Laws
The Ministry of Finance (“MoF”) has recently extended the applicability of certain compliance obligations under the Prevention of Money Laundering Act, 2002 (“PMLA”) to various service providers in the virtual digital asset ecosystem (virtual asset service providers i.e. “VASPs”).
The PMLA stipulates measures to prevent money laundering and also provides for the confiscation of property involved in money laundering. In the recent past, authorities (such as the Directorate of Enforcement) have taken recourse under the PMLA against different VASPs in India including issuing orders freezing their assets.1
VASPs notified as Person Carrying on Designated Business or Profession
The PMLA imposes due diligence and enhanced due diligence obligations2 on specified “reporting entities” (“REs”).3 It also provides that any class of persons defined as a ‘person carrying on designated business or profession’ (“PCDBP”) is a RE for its purposes4 and the central government is empowered to designate any person as a PCDBP. Accordingly, the MoF vide the notification dated March 7, 2023 (“Notification”) has specified a person who carries out the following activities for or on behalf of another person in the course of business as PCDBP:
Exchange of virtual digital assets (“VDAs”) with fiat currencies or other VDAs;
Transfer of VDAs;
Provide safekeeping or administration of VDAs or instruments that enable control over VDAs; and
Participate and provide financial services related to an issuer’s offer and sale of VDAs.
Cryptocurrency exchanges, NFT platforms, cryptocurrency custody solutions and wallet providers, crypto lending and borrowing platforms, crypto launchpads, crypto payment gateways, crypto staking platforms and service providers facilitating initial coin/token offerings and executing SAFTs , are a few key businesses that will get covered under the definition of PCDBPs by virtue of the Notification.
Compliance Obligations on the Reporting Entities under PMLA and rules framed thereunder:
All REs including PCDBPs are subject to various compliance obligations under the PMLA and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PMLA Rules”):
Verification of Identity6: Each RE is required to implement a know-your-client/customer (KYC) procedure to verify the identity of its ‘clients’8 and the ‘beneficial owner’8 using any of Aadhaar, Passport or other valid identity proof or mode of identification.
The client due diligence needs to be carried out by a RE at two instances:
At the time of commencement of an account-based relationship9:
identify clients, verify their identity, obtain information on the purpose and intended nature of the business relationship; and
determine whether a client is acting on behalf of a beneficial owner, and identify the beneficial owner and take all steps to verify the identity of the beneficial owner.
In all other cases, verification of identity must be undertaken where a client carries out10:
a transaction equal to or exceeding the value of INR 50,000, whether conducted as a single transaction or several transactions that appear to be connected, or
any international money transfer operations.
The RE is required to file an electronic copy of the KYC records with a Central KYC Records Registry (established under the PMLA) within 10 days of the commencement of the account-based relationship11.
Enhanced Due Diligence 12: In case of certain specified transactions13 i.e., where the cash deposit or withdrawal, transaction in foreign exchange, high value import or remittance, exceeds the specified limit or where there is a high risk of money laundering or terrorist financing, the RE is required to carry out enhanced due diligence prior to the commencement of each such specified transaction, without which such transaction must not be permitted to be carried out. Such enhanced due diligence measures include:
undertaking identity verification of the clients before such transaction,
taking additional steps to examine the ownership and financial position of the client including obtaining information with respect to the source of funds, and
recording the purpose behind conducting the transaction and the intended nature of the relationship of the parties to the transaction.
Maintenance of Records14:
A RE is required to maintain a record of certain transactions for at least 5 years from the date of each such transaction 15, along with all necessary related information to permit the reconstruction of individual transactions.16 These transactions include:
Cash transactions of a value exceeding INR 10 lakhs;
Series of cash transactions where individually each transaction may be less than INR 10 lakhs but the monthly aggregate value of such transactions exceeds INR 10 lakhs;
Suspicious transactions i.e. a transaction or an attempted transaction which to a person acting in good faith:
gives rise to a reasonable ground of suspicion that it may involve:
proceeds of a scheduled offence under the PMLA (irrespective of the transaction value); or
financing of activities related to terrorism; or
appears to be made:
in circumstances of unusual or unjustified complexity; or
have no economic rationale or bona fide purpose.
All cross border wire transfers of a value of more than INR 5 lakhs where either the origin or destination of the funds is in India.17
The RE is also required to maintain a record of documents evidencing the identity of its clients and beneficial owners as well as account files and business correspondence relating to the clients for a period of five years after the business relationship between a client and the reporting entity has ended.18
Each RE needs to communicate to the authorized officer of the government (“Authorised Officer”) the name, designation and address of a designated director 19 of the board of the RE and the Principal Officer (an officer designated by the RE).20
The Principal Officer is required to furnish the information referred to in para B.3(a) to the Authorized Officer. Further, every RE is also required to develop an internal mechanism for detecting the above-mentioned transactions and furnishing information about such transactions.
The Principal Officer should furnish the requisite information to the Authorised Officer under the following timelines:
Suspicious Transactions: Within 7 days of being satisfied that the transaction is suspicious; Any other information should be furnished on a monthly basis, before the 15th day of the succeeding month.21
Maintain a record of documents evidencing the identity of its clients and beneficial owners as well as account files and business correspondence relating to its clients.22
Imposition of Fine and Bar of Proceedings
The Authorised Officer can inquire about the compliance status of the obligations on the RE on a suo moto basis or on an application made by any authority, officer or person23. Depending upon the nature and complexity of a case, the Authorised Officer may also order an audit of the records maintained by a RE.24
In the course of the inquiry, if the Authorised Officer finds that a RE or its designated director or any of its employees has failed to comply with the compliance obligations, then, he may—
issue a written warning; or
direct compliance with specific instructions; or
direct submission of reports on the measures they are taking; or
4. impose a monetary penalty on such RE or its Designated Director on the Board or any of its employees, which shall not be less than INR 10,000 but may extend to INR 1,00,000 for each failure. 25
Except as provided above, immunity has been provided to the RE, its director and employees against any liability under a civil or criminal proceeding against them for furnishing above-mentioned information to the Authorised Officer.26
Although the Supreme Court of India in the IAMAI case affirmed the VASPs fundamental right to trade and do business, guaranteed under the Constitution of India, it has not been a smooth journey for the exchanges. These exchanges have been subject to investigations by various government authorities and their assets have been frozen in the course of their trade. The Notification is a positive step towards bringing more clarity on the compliance requirements. The VASPs will now be treated at par with financial institutions, banking companies, and intermediaries and will be subject to the rigours of the PMLA and PMLA Rules. This mechanism will ultimately benefit the entire ecosystem as the bad actors will be identified and eliminated, due to the constant reporting of suspicious transactions. Further, the legitimacy of VASPs should also improve the customers’ trust and help in attracting institutional capital.
The RBI in May 202127, had clarified to banks, payment system operators, and others (“Banking and Payment Sector”) that they may, continue to carry out customer due diligence processes with respect to the transactions involving virtual currencies, in line with governing standards and obligations of the regulated entities under the PMLA. Now with compliances to be carried out by VASPs under the PMLA read with PMLA Rules it would be interesting to see whether the taboo adopted against VASPs by the Banking and Payment Sector will reduce.
The VASPs operating in India will need to build in appropriate internal infrastructure in order to comply with the aforesaid requirements as conducting KYC and keeping a track of the transactions facilitated by the VASPs is no more a ‘good to have’ industry practice but a legal obligation. While VASPs may already have KYC policies in place, they will have to match them to the standards provided under the PMLA read with the PMLA Rules.
The extra-territorial application of the PMLA being ambiguous, the non-resident VASPs having an Indian user base should also take note of the Notification and build appropriate safeguards.
The Notification aligns with Nishith Desai Associates’ previous recommendation submitted in 2017, a “Draft Code of Self-Regulation for Virtual Currency Businesses in India” (“Draft Code”) to an Inter-ministerial Committee which was set up to study virtual currencies.28
We recommended to the Inter-ministerial Committee that a self-regulatory code, such as the Draft Code, backed by a statutory mandate may be introduced imposing compliance obligations as per the KYC/AML norms prescribed under the PMLA.29 Further in 2018, we had separately also suggested in our research paper “Building a Successful Blockchain Ecosystem for India”,30 that crypto business activity may be notified as a “designated business or profession” under the PMLA to mitigate money laundering risks. The Draft Code, inter alia, provided for a certification mechanism for a business that satisfied certain eligibility criteria and subjected them to compliances similar to those prescribed under PMLA such as maintaining records of the identity of customers, business activities and transactions, and reporting of materially non-compliant transactions.
The Draft Code, although voluntary and without statutory backing such as under the PMLA, was a first-of-its-kind in 2017. It was originally prepared for the Digital Asset and Blockchain Foundation of India (DABFI), which was later subsumed into the erstwhile Blockchain and Crypto Assets Council (BACC) of the Internet and Mobile Association of India (IAMAI).31 Such measures helped businesses to demonstrate their diligence when called upon by law enforcement agencies and also helped in tracing/reconstructing suspicious transactions, identifying perpetrators and helping criminal proceedings. The Notification provides statutory recognition to these KYC/AML measures suggested before and ushers in uniform practices across the industry.
The regulators are further enabled under the PMLA read with applicable rules to issue enhanced or simplified measures to verify the client's identity. The RBI has already issued Know Your Customer (KYC) Direction, 2016 which applies to the Banking and Payment Sector. It would be interesting to see if any regulator issues specific rules for VASPs or subject them to the existing regulations, especially in the case of the RBI, as it has been a strong advocate of banning crypto-related business, but would now have to adopt a balanced approach of regulation instead of prohibition.
The Indian government has been vocal about promoting blockchain, although heavily discouraging crypto at the same time. Further, in a few instances, the government has also suggested that it will await global consensus before passing any law regulating VDAs. However, lately, there have been a few changes introduced with respect to VDAs such as a new tax regime, reporting of VDAs under the Companies Act and now maintenance of records under the PMLA, which together have led to reducing uncertainty regarding the status of VDAs in India. These changes collectively may also be an encouraging opportunity for a new breed of service providers under the VDA ecosystem. However, ambiguity still exists on the overall regulatory direction of VDAs in India, and the introduction of a separate legislation/regulation for VDAs would be a step forward for the overall development of the industry.
You can direct your queries or comments to the authors
1Under PMLA, INR 936 crore related to crypto currency is attached/seized/freezed by ED as on 31.01.2023 - https://pib.gov.in/PressReleseDetailm.aspx?PRID=1896722
2Section 12 AA of the PMLA.
3“Reporting entities” under section 2(1)(wa) of the PMLA is defined as “a banking company, financial institution, intermediary or a person carrying on a designated business or profession”.
4Other categories which fall under the PCDBP definition include (a) persons which carry out activities such as playing games of chance for cash or kind, (b) the Inspector-General of Registration appointed under the Registration Act, 1908, (c) real estate agents as notified by the government, (d) dealers in precious metals, precious stones and other high-value goods, and (e) persons engages in safekeeping and administration of cash and liquid securities on behalf of other persons.
5Simple Agreement Against Future Tokens.
6Section 11A of the PMLA.
7“Client” under section 2(1)(ha) of the PMLA is defined as “a person who is engaged in a financial transaction or activity with a reporting entity and includes a person on whose behalf the person who engaged in the transaction or activity, is acting.”
8“Beneficial owner” under section 2(1)(fa) of the PMLA is defined as “an individual who ultimately owns or controls a client of a reporting entity or the person on whose behalf a transaction is being conducted and includes a person who exercises ultimate effective control over a juridical person.”
9Rule 9(1)(a) of the PMLA Rules.
10Rule 9(1)(b) of the PMLA Rules.
11Rule 9(1A) of the PMLA Rules.
12Section 12AA of the PMLA.
13As defined under explanation to section 12AA of the PMLA.
14Section 12 of the PMLA
15Section 12(3) of the PMLA.
16Necessary related information includes (a) nature of the transaction, (b) amount of the transaction and the currency in which it was denominated, (c) date on which the transaction was attempted or executed, and (d) parties to the transaction.
17Rule 3 of the PMLA Rules.
18Section 12(4) of the PMLA.
19The RE is required to appoint a Designated Director i.e. Managing Director or whole time director in case the RE is a company or a person designated by the RE to ensure overall compliance with the obligations with respect to maintenance and furnishing of records, and enhanced due diligence to be conducted by the RE.
20Rule 7(1) of the PMLA Rules.
21Rule 8 of the PMLA Rules.
22Section 12(1)(e) of the PMLA
23Section 13(1) of the PMLA.
24Section 13(1A) of the PMLA.
25Section 13(2) of the PMLA.
26Section 14 of the PMLA.
27 RBI/2021-22/45 DOR. AML.REC 18 /14.01.001/2021-22 dated May 31, 2021 - https://rbi.org.in/Scripts/NotificationUser.aspx?Id=12103
28This committee comprised of members including from the Central Board of Direct Taxes (CBDT), the Ministry of Home Affairs, Ministry of Electronics and Information Technology (MeitY), Reserve Bank of India (RBI), and the National Institution for Transforming India (NITI Aayog).