Into the Web - AML Risks of Virtual Assets - Part 1

Part I of this article explores the current Indian regulatory and legal framework governing the virtual asset industry and recommendations for AML/CFT compliance in respect of virtual assets.

Indian legal framework

The virtual asset industry has had a somewhat difficult time in India, with the RBI banning regulated entities from providing services to any individual or business dealing in digital currencies, given the risks involved in such transactions. The term ‘services’ included maintaining accounts, registering, trading, settling, clearing, giving loans against virtual tokens, accepting them as collateral, opening accounts of exchanges, dealing with them, and transferring or receiving money in accounts relating to the purchase/sale of VCs, or facilitating the same.

However, in 2020, the Supreme Court of India ruled against the two-year-old banking ban on virtual currency imposed by the Reserve Bank of India (RBI). The Court said that the 2018 circular issued by the RBI is disproportionate and, therefore, ultra vires the Constitution of India. At present, however, there are no regulations in India governing virtual currencies and entities dealing in them. The Central Government’s proposed ‘Cryptocurrency and Regulation of Official Digital Currency Bill, 2021’ remains to be taken up for discussion before the Parliament. In line with the Supreme Court ruling, the RBI has now stated in its Notification dated May 31, 2021 that banks and financial institutions dealing in cryptocurrency must follow the KYC and AML/CFT compliance guidelines in effect in respect of cryptocurrency dealings, and has clarified that its 2018 circular is no longer valid.

Presently in India, as per guidelines issued under Section 35A of the Banking Regulation Act, 1949, and Rule 9(14) of the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005, the RBI requires banks and financial institutions (FIs) to follow certain customer identification procedures for opening accounts and monitoring transactions of a suspicious nature, for the purpose of reporting the same to the appropriate authorities, in line with the FATF Recommendations and the Basel Committee on Banking Supervision (BCBS)’s paper on Customer Due Diligence (CDD) for banks. Banks/FIs have been advised to ensure that a proper policy framework on ‘Know Your Customer’ and Anti-Money Laundering measures is formulated and put in place with the approval of their Boards.

RBI’s May 2021 Notification now requires banks and financial institutions to carry out customer due diligence processes in line with regulations governing standards for Know Your Customer (KYC), Anti-Money Laundering (AML), Combating of Financing of Terrorism (CFT) and obligations of regulated entities under the Prevention of Money Laundering Act (PMLA), 2002, in addition to ensuring compliance with relevant provisions under the Foreign Exchange Management Act (FEMA) for overseas remittances. However, it is important to note that these measures are tailored to address a traditional financial system and broadly involve customer identification procedures, monitoring transactions and risk management programmes, all of which are a considerable challenge when it comes to the virtual asset class. The present system relies heavily on documentation, whereas the virtual asset industry tends to lean towards anonymity.


Keeping in mind the risks discussed above, it is recommended that financial institutions and individuals approach services and customers connected to cryptocurrency with a full understanding of their respective roles with regard to cryptocurrencies and any potential elevated risks. AML compliance and Know Your Customer (KYC) compliance become the bedrock of risk management when it comes to the virtual asset industry.

  • Identification and Monitoring Requirements

A robust AML programme rests on the ability to identify each customer and their jurisdiction. Especially in view of the unique challenges posed by the virtual asset industry, it becomes even more important for financial institutions and wallets to ensure that they have adequate policies and procedures in place to allow for comprehensive KYC and AML compliance. Such records may be shared with the regulator, in accordance with the law in force. It is recommended that such policies be easily tailored, depending on the nature of the customer’s business, jurisdiction, role, etc.

  • Account Monitoring and Suspicious Activity

Owing to the unique concerns arising out of virtual currencies, it is helpful for financial institutions to have a comprehensive record-keeping system for virtual transactions, as well as heightened due diligence and customer account monitoring, by developing special red flags that apply to the nature of dealings in cryptocurrency markets.

From an enforcement and investigation perspective, to overcome the challenges posed by the virtual asset industry, US law enforcement authorities such as the Office of Foreign Assets Control and Homeland Security have brought in firms with compliance and investigation software capabilities, which provide access to databases, training, and expertise to help tie together cryptocurrency transactions and can be adapted to investigate cryptocurrency offences. The process involves analysing the blockchain public ledger of all cryptocurrency transactions, using proprietary data to overlay real-world entities on the blockchain and determine which ones are involved, which enables tracing the assets as well as the perpetrators.

Law Enforcement and Combating Anti-Money Laundering/ Financing of Terrorism (CFT)

According to a recent Financial Times report, anonymous cryptocurrencies are being used to make payments via intermediary services available on hire on dark web platforms like Hydra, which enable conversion of virtual currencies into cash-based currencies or gift vouchers, prepaid debit cards, etc. The anonymity and simplicity of cryptocurrencies are what make them more lucrative to criminals. In its report titled Cryptocurrency in Stages, blockchain analysis firm Chainalysis has reported that cryptocurrency has become a mainstream asset class. In its 2021 Crypto Crime Report, Chainalysis has reported that approximately USD 350 million was paid to hackers; however, the overall percentage ratio of illicit transactions was only 0.34% in 2020. The major crimes include money laundering, ransomware, darknet markets, scams, theft, and terror financing.

The Financial Action Task Force (FATF) has, over the years, issued various guidelines to address the unique challenges faced by regulators and governments around the world in dealing with the unfamiliar model of virtual currencies. More recently, in 2019 and March 2021, the FATF issued an updated set of draft guidelines, in line with the developments in the virtual assets industry, including recognising NFTs and DeFi, to monitor and mitigate the potential AML/CFT risks posed by virtual currencies, owing to their global presence and nature. Major concerns in the virtual asset industry can be categorised as follows:

  1. In its June 2014 Report, the FATF stated that convertible virtual currencies that can be exchanged for real money or other virtual currencies/assets are particularly vulnerable to money laundering or terrorist financing abuse as they allow for greater anonymity. The anonymity factor may also permit anonymous or third-party funding via virtual exchangers where the funding source is not properly identified.
  2. The limitations in identification and verification of participants offer criminals an oasis of anonymity and an unprecedented ease of operation. However, it is important to know that cryptocurrency blockchains record each and every transaction that takes place, making it possible, albeit very challenging and time-consuming, to trace the parties involved.
  3. The absence of clarity over responsibility for AML/CFT compliance, supervision and enforcement in transactions spanning multiple jurisdictions. It must be noted that the existing financial regulatory framework, due diligence and compliance standards were meant to plug the loopholes and tackle the challenges in the traditional system of banking.
  4. The absence of a central body to oversee and regulate: the system has no central server or service provider, and no central oversight body has been established to carry out the monitoring.


The virtual asset industry offers an unprecedented revolution in the world of financial systems. However, how the potential is tapped will be crucial in determining the fate of the world’s financial system in the years to come. In view of the fact that criminal elements will not shy away from exploiting the system to their advantage, active and efficient oversight of the industry by law enforcement and regulators is crucial. Cryptocurrency oversight and regulation also offer a renewed opportunity for increased AI-based account monitoring by financial institutions, based on AML/CFT guidelines, enabling more robust compliance and reporting of offences.