FIU Registration of VDA Service Providers

Introduction

Regulatory landscape for cryptocurrencies i.e. virtual digital assets (VDAs) has significantly evolved in India in the last two years. Though a VDA specific legislation is still missing, regulatory clarity has been provided by introducing amendments into taxation and anti-money laundering legislations. This article briefly outlines which VDA exchanges or other service providers are required to register with FIU and what are the broad compliances these entities are required to follow.

Who are ‘Service Providers’?

Ministry of Finance vide Notification dated March 7, 2023 (S.O. 1072 (E)) has designated entities engaged in the following activities, when carried out for or on behalf of another natural or legal person in the course of business to be treated as a ‘person carrying on a designated business’ under the provisions of the Prevention of Money-laundering Act, 2002 (PMLA): 

“(i) Exchange between virtual digital assets and fiat currencies.

(ii) Exchange between one or more forms of virtual digital assets.

(iii) Transfer of virtual digital assets.

(iv) Safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets.

(v) Participation in and provision of financial services related to an issuer’s offer and sale of a virtual digital asset.”

Entities providing the above mentioned services are ‘reporting entity’ in terms of Section 2(1)(wa) of PMLA and are referred to as service providers (SPs) in the   “Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) Guidelines” (“FIU Guidelines) issued by Financial Intelligence Unit – India (FIU).

Scope of FIU Guidelines

FIU Guidelines offer a roadmap for adopting a risk-based approach and implementing effective risk management strategies by SPs which shall discourage and identify any money laundering or terrorist financing activities. These guidelines provide a summary of the provisions of the applicable anti-money laundering and counter-terrorism financing laws in India with a strategy to use deterrence, detection and record keeping to facilitate investigations.

FIU Registration

As a reporting entity, SPs are now required to mandatorily get registered with FIU and comply with stipulated provisions relating to customer due diligence, transaction monitoring, record keeping and reporting obligations. Failure to register with FIU shall attract penalty under Section 13 of the PMLA. The Designated director and the principal officer of the SP must attend an in-person meeting with FIU as part of the registration process and are also required to submit the following documents/details:

 A brief description of the nature of services offered by the SP;

1. A brief note on the corporate structure and beneficial owners of the entity;
2. Copies of incorporation documents and returns and filings made with MCA in last three years;
3. Copies of GST returns of last three financial years;
4. Copies of Income tax returns and TDS returns on VDA transactions; and
5. Copies of agreements with any person or entity, from India or aboard, engaged in any designated activity.

The Guidelines do not specifically prohibit registration of an entity incorporated outside India as a virtual asset service provider.

General obligations of SPs

SPs must establish a robust AML/CFT/CPF program containing internal mechanisms for detecting and reporting of transactions. To ensure adherence, reporting entities must also formulate and enforce internal policies and procedures. Furthermore, a Designated Director and a Principal Officer must be appointed to oversee the implementation of obligations and adherence to FIU-IND directions. Complementing these efforts, SPs are obligated to provide tailored training to employees, incorporating screening procedures and instruction manuals.

The internal audit departments are required to regularly verify compliance with policies and pay special attention to business relationships and transactions lacking apparent economic or lawful purpose. A robust KYC procedure must be implemented based on the risk-based approach (RBA) in compliance with the standards prescribed under the Master Direction – Know Your Customer – 2016 of the Reserve Bank of India. SPs are required to follow client due diligence norms, such as maintaining customer information and identifying customers, as well as enhance due diligence norms in response to assessed risks for complex or unusually large transactions.

SPs must perform sanction screening during onboarding and VDA transfers, promptly applying UN Security Council directives and comply with all applicable laws and regulations. SPs must conduct periodic due diligence on counterparties, aligning with the risk-based approach, and in correspondent relationships, gather sufficient information, assess AML/CFT/CPF controls, and obtain senior management approval.

Risk assessment and reporting obligations

One of the key aspects of the FIU Guidelines is the reporting obligation. Within the AML/CFT/CPF program, SPs are mandated to promptly report, within 7 days, transactions suspected to involve proceeds of crime or terror financing in a prescribed suspicious transaction report (STR)) to FIU. Specific indicators of VDA activity, such as device identifiers, IP addresses, wallet address and transaction hashes, may also need reporting. In addition to this, transactions exceeding ₹10,00,000/- by non-profit organizations must also be reported. A transactional monitoring system is also essential focusing on intermediary SPs and hosted wallets.

Reporting entities, including their personnel, are prohibited from disclosing the submission reports to the FIU-IND. This prohibition extends before, during, and after the filing of an STR, ensuring no tipping off to clients. SPs are required to retain records for five years after the client relationship ends. A pivotal obligation for SPs is conducting risk assessments to understand and mitigate financial crimes. This includes identifying high-risk areas and categorizing clients as high or low risk, with special attention to non-residents, high net worth individuals, trusts, charities, and entities with family shareholding. 

Specific obligations

ICO/ITO: In the context of Initial Coin Offerings (ICOs) and Initial Token Offerings (ITOs), which serve as fundraising mechanisms for new projects, entities engaged in “issuance, offer, book-building, underwriting, market making and placement agent activity, sale, distribution, ongoing market circulation and trading” of a VDA are classified as Service Providers (SPs). Pertinently, the provision specifically includes many entities in addition to the VDA issuing entity or the VDA exchanges which seems to be a departure from the general global practice. Entities engaged in these activities (e.g. market making, underwriting etc.) are classified as a SPs only in the context of ICO/ITO, it is not very clear whether providing such services with respect to an old/existing VDA will make these entities as a SP.

 Use of automation or smart contract: Guidelines prescribe that use of ‘automated processes such as smart contract’ will not relieve controlling persons responsible for the execution of such contracts from the obligations of SPs. Such persons are required to adopt appropriate measures to mitigate risk and are likely to be liable for any non-compliance.    

 VDA Transfers: FIU Guidelines prescribe KYC and compliance requirements for transferring VDA under different scenarios. VDA transfers to or from unhosted wallets are advised to be treated as high risk transactions and transfers involving an intermediary SP are to be considered as a cross-border transfer.

Travel rule: SPs must furnish accurate information of the originator and the beneficiary on wire transfers, covering both fiat and VDA denominations.  Beneficiary SPs are equally obligated to obtain, hold, and provide the required originator information, ensuring accuracy and adherence to regulatory guidelines. 

Conclusion

The AML and CFT guidelines set forth by FIU-IND for Virtual Asset Service Providers provides the much needed regulatory clarity for web3 and VDA industry in India. Risk based approach suggested by FIU for detecting and reporting suspicious transactions will discourage bad elements without hampering the growth and adoption of innovative blockchain technology. Though these Guidelines are restricted to tackling AML/CFT related concerns and are not exhaustive, it is a welcome step towards formulating a comprehensive regulatory framework for VDAs in India.

Disclaimer: Nothing contained in this blog constitues legal advice as the details are only shared for educational and informative purposes.