FIU-IND updates guidelines for crypto, virtual digital asset entities

FIU-IND releases guidelines for crypto, virtual digital asset entities

In a step towards regulatory clarity for crypto companies, the Finance Ministry’s Financial Intelligence Unit of India (FIU-IND) has issued updated guidelines to tighten business operation practices, cybersecurity disclosures, KYC norms for virtual digital asset (VDA) companies registering in India.

The guidelines details parameters and role around the appointment of Principal Officer (PO). The PO will be responsible for anti-money laundering, Countering the Financing of Terrorism, Counter-Proliferation Financing (AML/CFT/ CPF), and will report directly to the Board or a designated committee of board of the RE (reporting entities). The PO’s term will be re-evaluated on a yearly basis by the board, it said.

Updates on cybersecurity auditing

Another significant update in the guidelines is its focus on cybersecurity and data protection. The VDA entities will now require a Cyber Security Audit Certificate issued by Indian Computer Emergency Response Team (CERT-In) empaneled auditor, affirming compliance with applicable cybersecurity frameworks and the CERT-In Directions.

“The audit shall be comprehensive and proportionate in coverage across all critical risk domains, and the audit report shall certify whether the audited environment is adequately safe to host and operate the notified VDA activities,” the guidelines said.

The scope of the audit will cover areas such as governance, compliance, access control and insider risk; infrastructure, network and endpoint security; application and AML systems security (including KYC, transaction monitoring, wallet security, cryptographic controls, backup and recovery); security of third-party, cloud services, exchange, custodian, and API risks; incident detection and response with CERT-In reporting readiness, etc.

Clarity on travel rules

The Travel Rules section in the guidelines outline the requirements for Virtual Digital Asset Service Providers (VDASPs) to ensure transparency and compliance in VDA transfers.

The updated guidelines states the information VDASPs must maintain to reconstruct individual transactions, including originator and beneficiary details.

The reporting entities must verify and transmit accurate originator and beneficiary information before or during the VDA transfer. Take up client due diligence measures and sanction screening on the counterparty to avoid dealing with illicit actors or sanctioned entities, it mentioned.

This will also be helpful to track and store data of anonymous unhosted wallet during peer-to-peer crypto transactions on an exchange.

The reporting entities now need to collect data on unhosted wallet transfers, and monitor and assess that information as necessary to determine the risk posed by such transaction, and then apply appropriate enhanced measures under CDD and other risk-based controls to such transaction and client.

What did the industry say?

"This isn't just a compliance update; it’s a strategic signal that India is ready to lead in the digital asset space through a balanced approach of innovation and financial stability...From an investor standpoint, this oversight transforms VDA platforms into accountability-driven entities. ," said Sumit Gupta, Co-founder, CoinDCX.

According to Gupta, these refined guidelines provide the "structural 'guardrails' necessary for a safe digital asset market".  By mandating rigorous reporting and cybersecurity audits (like CERT-In certification), these norms effectively weed out bad actors and sanitize the ecosystem.

“These rules were always around as best business practices to follow but now FIU has put this in pen and paper,” said Vikram Subburaj, Co-founder and CEO, Giottus.

For instance, they have defined the how job roles like PO exactly should be and what their power and responsibilities are. Most importantly, the guidelines have detailed how to collect and process data under Travel Rules section, he said.