The Ministry of Finance (“MoF”) has recently extended the applicability of certain compliance obligations under the Prevention of Money Laundering Act, 2002 (“PMLA”) to various service providers in the virtual digital asset ecosystem (virtual asset service providers i.e. “VASPs”).

The PMLA stipulates measures to prevent money laundering and also provides for the confiscation of property involved in money laundering. In the recent past, authorities (such as the Directorate of Enforcement) have taken recourse under the PMLA against different VASPs in India including issuing orders freezing their assets.¹

• VASPs notified as Person Carrying on Designated Business or Profession

  • The PMLA imposes due diligence and enhanced due diligence obligations² on specified “reporting entities” (“REs”).³ It also provides that any class of persons defined as a ‘person carrying on designated business or profession’ (“PCDBP”) is a RE for its purposes⁴ and the central government is empowered to designate any person as a PCDBP. Accordingly, the MoF vide the notification dated March 7, 2023 (“Notification”) has specified a person who carries out the following activities for or on behalf of another person in the course of business as PCDBP:

    1. Exchange of virtual digital assets (“VDAs”) with fiat currencies or other VDAs;

    2. Transfer of VDAs;

    3. Provide safekeeping or administration of VDAs or instruments that enable control over VDAs; and

    4. Participate and provide financial services related to an issuer’s offer and sale of VDAs.

  • Cryptocurrency exchanges, NFT platforms, cryptocurrency custody solutions and wallet providers, crypto lending and borrowing platforms, crypto launchpads, crypto payment gateways, crypto staking platforms and service providers facilitating initial coin/token offerings and executing SAFTs , are a few key businesses that will get covered under the definition of PCDBPs by virtue of the Notification.

• Compliance Obligations on the Reporting Entities under PMLA and rules framed thereunder:

  All REs including PCDBPs are subject to various compliance obligations under the PMLA and the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PMLA Rules”):

  • Verification of Identity⁶: Each RE is required to implement a know-your-client/customer (KYC) procedure to verify the identity of its ‘clients’⁸ and the ‘beneficial owner’⁸ using any of Aadhaar, Passport or other valid identity proof or mode of identification.

    The client due diligence needs to be carried out by a RE at two instances:

    • At the time of commencement of an account-based relationship⁹:

      1. identify clients, verify their identity, obtain information on the purpose and intended nature of the business relationship; and

      2. determine whether a client is acting on behalf of a beneficial owner, and identify the beneficial owner and take all steps to verify the identity of the beneficial owner.

    • In all other cases, verification of identity must be undertaken where a client carries out¹⁰:

      1. a transaction equal to or exceeding the value of INR 50,000, whether conducted as a single transaction or several transactions that appear to be connected, or

      2. any international money transfer operations.

    The RE is required to file an electronic copy of the KYC records with a Central KYC Records Registry (established under the PMLA) within 10 days of the commencement of the account-based relationship¹¹.

  • Enhanced Due Diligence ¹²: In case of certain specified transactions¹³ i.e., where the cash deposit or withdrawal, transaction in foreign exchange, high value import or remittance, exceeds the specified limit or where there is a high risk of money laundering or terrorist financing, the RE is required to carry out enhanced due diligence prior to the commencement of each such specified transaction, without which such transaction must not be permitted to be carried out. Such enhanced due diligence measures include:

    • undertaking identity verification of the clients before such transaction,

    • taking additional steps to examine the ownership and financial position of the client including obtaining information with respect to the source of funds, and

    • recording the purpose behind conducting the transaction and the intended nature of the relationship of the parties to the transaction.

  • Maintenance of Records¹⁴:

  1. A RE is required to maintain a record of certain transactions for at least 5 years from the date of each such transaction ¹⁵, along with all necessary related information to permit the reconstruction of individual transactions.¹⁶ These transactions include:

     1. Cash transactions of a value exceeding INR 10 lakhs;

     2. Series of cash transactions where individually each transaction may be less than INR 10 lakhs but the monthly aggregate value of such transactions exceeds INR 10 lakhs;

     3. Suspicious transactions i.e. a transaction or an attempted transaction which to a person acting in good faith:

        • gives rise to a reasonable ground of suspicion that it may involve:

          • proceeds of a scheduled offence under the PMLA (irrespective of the transaction value); or

          • financing of activities related to terrorism; or

        • appears to be made:

          • in circumstances of unusual or unjustified complexity; or

          • have no economic rationale or bona fide purpose.

     4. All cross border wire transfers of a value of more than INR 5 lakhs where either the origin or destination of the funds is in India.¹⁷

        The RE is also required to maintain a record of documents evidencing the identity of its clients and beneficial owners as well as account files and business correspondence relating to the clients for a period of five years after the business relationship between a client and the reporting entity has ended.¹⁸

     5. Each RE needs to communicate to the authorized officer of the government (“Authorised Officer”) the name, designation and address of a designated director ¹⁹ of the board of the RE and the Principal Officer (an officer designated by the RE).²⁰

  2. The Principal Officer is required to furnish the information referred to in para B.3(a) to the Authorized Officer. Further, every RE is also required to develop an internal mechanism for detecting the above-mentioned transactions and furnishing information about such transactions.

  3. The Principal Officer should furnish the requisite information to the Authorised Officer under the following timelines:

     1. Suspicious Transactions: Within 7 days of being satisfied that the transaction is suspicious; Any other information should be furnished on a monthly basis, before the 15th day of the succeeding month.²¹

     2. Maintain a record of documents evidencing the identity of its clients and beneficial owners as well as account files and business correspondence relating to its clients.²²

• Imposition of Fine and Bar of Proceedings

  The Authorised Officer can inquire about the compliance status of the obligations on the RE on a suo moto basis or on an application made by any authority, officer or person²³. Depending upon the nature and complexity of a case, the Authorised Officer may also order an audit of the records maintained by a RE.²⁴

  In the course of the inquiry, if the Authorised Officer finds that a RE or its designated director or any of its employees has failed to comply with the compliance obligations, then, he may—

  1. issue a written warning; or

  2. direct compliance with specific instructions; or

  3. direct submission of reports on the measures they are taking; or

  4. 4. impose a monetary penalty on such RE or its Designated Director on the Board or any of its employees, which shall not be less than INR 10,000 but may extend to INR 1,00,000 for each failure. ²⁵

  Except as provided above, immunity has been provided to the RE, its director and employees against any liability under a civil or criminal proceeding against them for furnishing above-mentioned information to the Authorised Officer.²⁶

NDA ANALYSIS:

Although the Supreme Court of India in the IAMAI case affirmed the VASPs fundamental right to trade and do business, guaranteed under the Constitution of India, it has not been a smooth journey for the exchanges. These exchanges have been subject to investigations by various government authorities and their assets have been frozen in the course of their trade. The Notification is a positive step towards bringing more clarity on the compliance requirements. The VASPs will now be treated at par with financial institutions, banking companies, and intermediaries and will be subject to the rigours of the PMLA and PMLA Rules. This mechanism will ultimately benefit the entire ecosystem as the bad actors will be identified and eliminated, due to the constant reporting of suspicious transactions. Further, the legitimacy of VASPs should also improve the customers’ trust and help in attracting institutional capital.

The RBI in May 2021²⁷, had clarified to banks, payment system operators, and others (“Banking and Payment Sector”) that they may, continue to carry out customer due diligence processes with respect to the transactions involving virtual currencies, in line with governing standards and obligations of the regulated entities under the PMLA. Now with compliances to be carried out by VASPs under the PMLA read with PMLA Rules it would be interesting to see whether the taboo adopted against VASPs by the Banking and Payment Sector will reduce.

The VASPs operating in India will need to build in appropriate internal infrastructure in order to comply with the aforesaid requirements as conducting KYC and keeping a track of the transactions facilitated by the VASPs is no more a ‘good to have’ industry practice but a legal obligation. While VASPs may already have KYC policies in place, they will have to match them to the standards provided under the PMLA read with the PMLA Rules.

The extra-territorial application of the PMLA being ambiguous, the non-resident VASPs having an Indian user base should also take note of the Notification and build appropriate safeguards.

The Notification aligns with Nishith Desai Associates’ previous recommendation submitted in 2017, a “Draft Code of Self-Regulation for Virtual Currency Businesses in India” (“Draft Code”) to an Inter-ministerial Committee which was set up to study virtual currencies.²⁸

We recommended to the Inter-ministerial Committee that a self-regulatory code, such as the Draft Code, backed by a statutory mandate may be introduced imposing compliance obligations as per the KYC/AML norms prescribed under the PMLA.²⁹ Further in 2018, we had separately also suggested in our research paper “Building a Successful Blockchain Ecosystem for India”,³⁰ that crypto business activity may be notified as a “designated business or profession” under the PMLA to mitigate money laundering risks. The Draft Code, inter alia, provided for a certification mechanism for a business that satisfied certain eligibility criteria and subjected them to compliances similar to those prescribed under PMLA such as maintaining records of the identity of customers, business activities and transactions, and reporting of materially non-compliant transactions.

The Draft Code, although voluntary and without statutory backing such as under the PMLA, was a first-of-its-kind in 2017. It was originally prepared for the Digital Asset and Blockchain Foundation of India (DABFI), which was later subsumed into the erstwhile Blockchain and Crypto Assets Council (BACC) of the Internet and Mobile Association of India (IAMAI).³¹ Such measures helped businesses to demonstrate their diligence when called upon by law enforcement agencies and also helped in tracing/reconstructing suspicious transactions, identifying perpetrators and helping criminal proceedings. The Notification provides statutory recognition to these KYC/AML measures suggested before and ushers in uniform practices across the industry.

The regulators are further enabled under the PMLA read with applicable rules to issue enhanced or simplified measures to verify the client's identity. The RBI has already issued Know Your Customer (KYC) Direction, 2016 which applies to the Banking and Payment Sector. It would be interesting to see if any regulator issues specific rules for VASPs or subject them to the existing regulations, especially in the case of the RBI, as it has been a strong advocate of banning crypto-related business, but would now have to adopt a balanced approach of regulation instead of prohibition.

The Indian government has been vocal about promoting blockchain, although heavily discouraging crypto at the same time. Further, in a few instances, the government has also suggested that it will await global consensus before passing any law regulating VDAs. However, lately, there have been a few changes introduced with respect to VDAs such as a new tax regime, reporting of VDAs under the Companies Act and now maintenance of records under the PMLA, which together have led to reducing uncertainty regarding the status of VDAs in India. These changes collectively may also be an encouraging opportunity for a new breed of service providers under the VDA ecosystem. However, ambiguity still exists on the overall regulatory direction of VDAs in India, and the introduction of a separate legislation/regulation for VDAs would be a step forward for the overall development of the industry.