India has tightened oversight of crypto platforms, with the Financial Intelligence Unit demanding strict identity and monitoring processes to curb illicit activity.
The updated guidelines were issued on 8th January 2026, requiring crypto firms to be classified as Virtual Digital Asset (VDA) service providers and adopt improved AML and KYC procedures, going further than basic document uploads for onboarding.
The changes made for protection
India now requires that reporting entities must carry out live identity verification and implement rigorous CDD procedures. This comes as concerns regarding the speed and the pseudonymous nature of crypto transactions increase, with regulators mentioning that these features increase the risk of misuse for money laundering, terror financing, and proliferation financing if left unchecked.
Under the new rules, exchanges have to identify customers using reliable and independent sources, collecting a wider set of technical identifiers, including IP addresses with timestamps, geolocation data, device IDs, wallet addresses, and transaction hashes. All this data supports verification, monitoring, and risk assessment.
Exchanges are also required to collect and verify users’ Permanent Account Numbers (PANs) before allowing any VDA-related activity. Additionally, customers must submit a secondary government-issued IS like a passport or voter ID, together with a one-time password verification for registered email addresses and phone numbers. Bank account verification has also been tightened, requiring firms to use penny-drop verification to confirm the ownership and operational status of linked accounts.
The FIU also targeted fundraising activities, mentioning that the new framework will discourage Initial Coin Offerings and Initial Token Offerings due to concerns over economic rationale, disclosure standards, and risk management. This improved due diligence will be required for high-risk transactions, non-profit organisations, clients linked to jurisdictions on the Financial Action Task Force grey or black lists, and politically exposed individuals.
Exchanges will also have to launch tools that detect the use of mixers, tumblers, and other anonymity-enhancing services, blocking them where identified. Records of customer transaction data will be retained for at least five years or until any investigation is concluded.
Indian tax officials expressed additional concerns over crypto activity, warning that the increased use of digital assets could undermine the country’s ability to enforce tax rules efficiently.
