Selfie, ‘penny drop’ mandated as KYC for crypto customers in India

India’s financial intelligence agency has mandated stricter Know Your Customer (KYC) norms for cryptocurrency exchanges, including selfie with liveness detection, geo-tagging of onboarding location and bank account verification through the ‘penny-drop’ method, under updated anti-money laundering and terror financing guidelines.
The revised guidelines, issued by the Financial Intelligence Unit (FIU) under the Union Finance Ministry on January 8, also discourage Initial Coin Offerings (ICOs) and Initial Token Offerings (ITOs) and prohibit facilitation of transactions involving tumblers, mixers and anonymity-enhancing crypto tokens. The guidelines, updated nearly three years after their first issuance in March 2023, apply to reporting entities or virtual digital asset (VDA) service providers operating in India under the Prevention of Money Laundering Act (PMLA). The FIU acts as the single-point regulator for cryptocurrency exchanges.
All crypto exchanges are required to register with the FIU, report suspicious transactions and maintain customer records to address money laundering, terrorist financing and proliferation risks. Cryptocurrencies are not recognised as legal tender in India but are taxed under the Income-Tax law.
Mandatory client due diligence measures include collection of Permanent Account Number (PAN), live selfie with liveness detection, latitude and longitude of onboarding location with date and time stamp, and the customer’s IP address. Exchanges must ensure that the person providing credentials is the same individual initiating account creation, verified through live photograph and liveness detection technology.
Clients must submit one additional identity and address proof such as passport, driving licence, Aadhaar, voter ID or equivalent document, besides mobile number and email verification via one-time password (OTP). Bank accounts must be authenticated using the penny-drop mechanism, involving a refundable Re 1 credit to confirm ownership and operational status.
KYC updates are mandated every six months for high-risk clients and annually for others. Enhanced due diligence is required for politically exposed persons, non-profit organisations and clients linked to tax havens or FATF grey- or black-listed jurisdictions. The FIU said ICOs and ITOs pose heightened money laundering and terror financing risks due to lack of justified economic rationale. Transactions involving anonymity-enhancing tokens, tumblers and mixers, which obscure transaction origins, must not be facilitated and should trigger risk mitigation measures.
Exchanges have been directed to preserve client identity, address and transaction records for at least five years or until the closure of any investigation.