Crypto exchanges in India will have to make significant changes, including a possible pivot to institution-grade security, to comply with new KYC and anti-money laundering norms issued by the Financial Intelligence Unit (FIU).
According to norms released last week, exchanges are now classified as virtual digital asset (VDA) providers and will need to capture live selfie photos using software that ensures physical presence, collect government-issued IDs such as Aadhaar, voter ID or passport, along with mobile numbers, and even capture users' IP addresses, device details and geolocation at the time of onboarding.
The overall objective appears to be to make crypto exchanges more accountable and transparent, and to minimise risks of misuse such as money laundering.
"Every Reporting Entity shall ensure that a clear, comprehensive, and concise summary of its Policies is prominently displayed and made accessible on its official website and/or mobile application accessed by the users for onboarding and login," says one of the norms.
"...The risk assessment by the RE [Reporting Entities] shall be properly documented and be proportionate to the nature, size, geographical presence, complexity of activities/structure, etc. of the RE. Further, the periodicity of risk assessment exercise shall be determined by the Board in alignment with the outcome of the previous risk assessment exercise. However, it must be ensured that the assessment is carried regularly, and the interval between any two assessments shall not exceed one year," it adds.
Some other important highlights include the penny-drop rule, wherein a small amount is transacted to verify bank account ownership. There's also mention of high-risk clients, who have to update their KYC every six months.
Having said that, the norms also seem pretty much aligned with the Digital Personal Data Protection (DPDP) Rules, which came into effect very recently. For the uninitiated, DPDP is India's version of the European Union's GDPR and aims to provide a comprehensive framework for protecting digital personal data, setting out the obligations of entities handling such data (Data Fiduciaries) and the rights and duties of individuals (Data Principals).
Considering these digital rules and regulations, an educated guess is that crypto platforms will have to align more closely with the DPDP and its add-ons, as well as with institution-grade security and custody architecture.
Industry watchers also believe that the DPDP significantly raises the baseline. Crypto platforms will be compelled to adopt institution-grade security, auditable custody frameworks, clear data ownership models, and strong incident response mechanisms. The regulatory environment leaves little room for informal or loosely governed systems.
"DPDP makes it clear that handling sensitive data without bank-grade controls is no longer acceptable. Crypto platforms will need institution-grade custody systems with hardened key management, role-based access, segregation of duties, and continuous monitoring. In effect, DPDP accelerates crypto's transition from startup-grade infrastructure to financial-market-grade security," Hilal Ahmad Lone, CISO, Liminal Custody, tells Entrepreneur India.
According to Nikhil Jhanji, Principal Product Manager at Privy by IDfy, crypto platforms must shift from broad data collection to precise, purpose-driven verification. Jhanji also noted that DPDP encourages privacy by design, where identity and transaction legitimacy are established through selective disclosure and strong access controls, without retaining unnecessary personal data. Traceability and privacy are no longer opposing forces when systems are built correctly.
On poor data governance and weak custody, Jhanji said: "Yes. Market volatility is expected and priced in. Poor data governance and weak custody introduce hidden, compounding risks. Breaches, identity misuse, and custody failures erode trust permanently and invite regulatory action. For many crypto platforms, governance risk will outweigh market risk."
Despite the lack of full-fledged support from the government, the cryptocurrency market in India has continued to grow. According to Zebpay, the market is poised to be worth USD 15 billion by 2035. As of 2025, the report adds, India has 119 million crypto traders and investors.
Moreover, there have been some positive developments in the Indian crypto market in the last couple of years or so. For instance, Binance and KuCoin got registered with the FIU-IND. Binance also shelled out USD 2.25 million to settle previous non-compliance issues. It's estimated that at least 49 exchanges have now registered with the agency.
This also puts India in a position to take some sort of leadership in the crypto space. With checks and balances and regulations, India could also set the benchmark for the world for a privacy-first, regulated crypto ecosystem.
"India has a unique opportunity. Unlike many markets that regulated crypto either too loosely or too late, India is aligning financial integrity (FIU-IND) with data privacy (DPDP) early. If implemented well, this could position India as a model for privacy-conscious, compliance-ready crypto ecosystems, where innovation scales on top of trust, not at the cost of it," Lone of Liminal Custody said.
This article was originally published by the