INTRODUCTION

On the 7^th of March 2023, the central government issued a notification that brought several kinds of virtual asset service providers within the ambit of the Prevention of Money Laundering Act, 2005 (“PMLA”).[1] Entities carrying on the following business or profession were notified to be ‘reporting entities’ under the PMLA (hereafter referred as “Virtual Asset Service Providers” or “VASPs”):

1. exchange between virtual digital assets and fiat currencies;
2. exchange between one or more forms of virtual digital assets;
3. transfer of virtual digital assets;
4. safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets; and
5. participation in and provision of financial services related to an issuer’s offer and sale of a virtual digital asset.

This note covers the obligations imposed upon VASPs under the PMLA and the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (“PML Rules”) along with Indian Computer Emergency Response Team’s Directions dated 28^th April, 2022 (“CERT-In Directions”).

CUSTOMER DUE DILIGENCE

Under the PML Rules, all VASPs are required to undertake know-your-customer (“KYC”) measures at the time of commencement of an account-based relationship.[2] As part of KYC, VASPs must[3]:

1. identify clients;
2. verify their identity;
3. obtain information on the purpose and intended nature of the business relationship; and
4. determine whether a client is acting on behalf of a beneficial owner, and identifying the beneficial owner and verifying the identity of the beneficial owner.

Please note that in case of natural persons, while the CERT-In Directions only require one officially valid document for KYC,[4] the PML Rules mandatorily require the following documents[5]:

1. the Permanent Account Number or the equivalent e-document thereof or Form No. 60; and
2. any of the following documents:

• proof of possession of Aadhaar;
• passport;
• driving licence;
• voter’s identity card issued by Election Commission of India;
• job card issued by NREGA duly signed by an officer of the state government; or
• the letter issued by the National Population Register.

Please note that VASPs must register with the Central KYC Registry, i.e., Central Registry of Securitisation Asset Reconstruction and Security Interest of India (“CKYCR”).[6] Additionally, VASPs must, within 10 (Ten) days after the commencement of an account-based relationship with a client, file the electronic copy of the client’s KYC records with the CKYCR.[7]

ONGOING CUSTOMER DUE DILIGENCE

VASPs must now exercise ongoing due diligence and closely examine the transactions to ensure that they are consistent with their knowledge of the client, its business and risk profile and where necessary, the source of funds.[8]

VASPs must also repeat the KYC process for existing clients at appropriate times on the basis of (i) materiality and risk; (ii) the time period that has elapsed since the last time KYC was undertaken; and (iii) and the adequacy of data obtained.[9]

Additionally, VASPs must have a documented plan to undertake risk assessment to mitigate against risks of money laundering and terrorist financing.[10] The risk assessment must be up to date, available to competent authorities and self-regulating bodies, and take into consideration all the relevant risk factors before determining the level of overall risk and the appropriate mitigation to be applied.[11]

MAINTENANCE OF RECORDS

A VASP must maintain a record of all transactions to be able to reconstruct individual transactions, for a period of five years from the date of the transaction between a client and the reporting entity.[12] In light of the PML Rules and the CERT-In Directions, the information maintained by a VASP to enable the reconstruction of individual transactions must include:[13]

1. the nature of the transactions;
2. the amount of the transaction and the currency in which it was denominated;
3. the date on which the transaction was conducted;
4. the parties to the transaction;
5. IP addresses along with timestamps and time zones;
6. transaction ID;
7. the public keys (or equivalent identifiers); and
8. addresses or accounts involved (or equivalent identifiers).

Additionally, a VASP must maintain records evidencing identities of its client and beneficial owner, and account files and business correspondence relating to its clients, for a period of 5 (Five) years after the business relationship with the client has ended or the account is closed, whichever is later.[14]

REPORTING TO THE FIU-IND

Given that VASPs are now reporting entities under the PMLA, they must appoint a principal officer and designate a director to ensure overall compliance with PMLA and the PML Rules. Thereafter, VASPs must communicate the name, designation and address of the designated director and the principal officer to Financial Intelligence Unit – India (“FIU-IND”).[15]

The principal officer of the VASP is responsible to do the following:

1. furnish every month (and retain a copy of) certain information to the FIU-IND under the PML Rules, which includes information on all cross-border wire transfers of the value of more than INR 5,00,000 (Five lakh) or its equivalent in foreign currency;[16] and
2. furnish information to the FIU-IND promptly on all suspicious transactions, but not later than 7 (Seven) working days of being satisfied that the transaction is suspicious, whether or not made in cash and by way of:

• deposits and credits, withdrawals into or from any accounts in whatsoever name they are referred to in any currency maintained;
• credits or debits into or from any non-monetary accounts;
• money transfer or remittances in favour of own clients or non-clients from India or abroad and to third-party beneficiaries in India or abroad;
• loans and advances including credit or loan substitutes, investments and contingent liability; and
• collection services in any currency.

At the moment, reporting entities are required to register on the portal of FIU-IND and furnish the foregoing information in the format prescribed by FIU-IND. We suspect that the FIU-IND may update the relevant format to accommodate the transactions around cryptocurrency.

COMMENTS

The virtual asset industry sought regulation as opposed to an outright ban for a very long time. Formally inducting VASPs under the PMLA framework is a welcome step. While at the moment there is no regulator directly governing the activities of VASPs in India, the decision to notify VASPs as reporting entities under the PMLA may reflect the government’s intention to regulate the industry and not implement an outright ban. Additionally, it will be interesting to observe how scope of services rendered by VASPs are tailored to comply with the PMLA and PML Rules.

Please reach out to Mathew Chacko, Ankita Hariramani, and Aadya Misra for queries.

[1] Gazette notification, Ministry of Finance (7th March, 2023) <https://egazette.nic.in/WriteReadData/2023/244184.pdf>.

[2] Rule 9(1), PML Rules.

[3] Rule 9(1)(a), PML Rules.

[4] Annexure III, CERT-In Directions.

[5] Rule 6(4), PML Rules.

[6] Para 3(a), Central KYC Registry Operating Guidelines, 2016.

[7] Rule 9(1A), PML Rules.

[8] Rule 9(12)(i), PML Rules.

[9] Rule 9(12)(iii), PML Rules.

[10] Rule 9(13)(i), PML Rules.

[11] Rule 9(13)(ii), PML Rules.

[12] Section 12(1)(a) and 12(3), PMLA.

[13] Rule 4, PML Rules; CERT-In Directions.

[14] Section 12(1)(e) and 12(4), PMLA.

[15] Rule 7(1), PML Rules.

[16] Rules 7(2) and 8(1), PML Rules.