In a significant move to eliminate anonymity and combat illicit activities, Indiaโs Financial Intelligence Unit (FIU) has issued a stringent new set of Anti-Money Laundering (AML) and Know Your Customer (KYC) guidelines for cryptocurrency exchanges.2 Effective as of January 8, 2026, the mandate requires Virtual Digital Asset (VDA) service providers to implement high-tech verification methods that go far beyond standard document uploads.
The new rules aim to prevent the use of AI-generated deepfakes and static photos by bad actors looking to bypass traditional security layers.
1. The “Liveness” Test: No More Static Selfies
The most visible change for Indian crypto users is the introduction of mandatory live selfie verification.
- The Tech: Onboarding software must now employ liveness detection technology. This requires users to perform specific actionsโsuch as blinking, moving their head, or speakingโto prove their physical presence in real-time.
- The Goal: To ensure that the person initiating the account creation is the actual individual whose credentials are being used, thereby neutralizing deepfake and impersonation attempts.
2. Geotracking and Digital Footprinting
For the first time, exchanges are required to capture the precise digital and physical location of a user during the onboarding process.
- Data Captured: Platforms must record the latitude and longitude (exact GPS coordinates), IP address, and a precise timestamp of when the account setup was initiated.
- Reasoning: This creates a permanent digital audit trail that allows law enforcement to trace the physical origin of high-risk or suspicious transactions.
3. The “Penny-Drop” Bank Verification10
To ensure a direct and verified link between crypto accounts and the traditional banking system, the FIU has mandated the “Penny-Drop” method.
- How it Works: The exchange sends a nominal amount (e.g., โน1) to the user’s provided bank account.
- Verification: The transaction must successfully confirm that the bank account is active and belongs to the same person registered on the exchange.
Summary of the New Crypto KYC Mandate (2026)
| Requirement | Details |
| Verification Method | Live selfie with eye-blinking/head movement detection. |
| Location Tracking | Capturing latitude, longitude, and IP address at signup. |
| Identity Documents | PAN (Mandatory) + a secondary ID (Aadhaar, Passport, or Voter ID). |
| Bank Verification | Mandatory “Penny-Drop” transaction of โน1. |
| Contact Verification | Double OTP verification (Email + Mobile Number). |
| High-Risk Clients | KYC updates every 6 months; annual updates for others. |
Discouraging ICOs and “Mixer” Services
Beyond individual user verification, the FIU guidelines have taken a hard stance against privacy-enhancing technologies.
- ICOs & ITOs: Initial Coin Offerings are “strongly discouraged” due to a lack of economic justification and high risk.
- Tumblers & Mixers: Exchanges are prohibited from facilitating transactions involving crypto mixers or anonymity-enhancing tokens that hide transaction trails.
- Record Keeping: All registered exchanges must preserve client identity and transaction details for at least five years.
Industry Reaction
While major Indian exchanges like WazirX and CoinDCX have stated that they were already following several of these global best practices, the formalization of these rules by the FIU creates a standardized, level playing field.18 However, critics within the Web3 community argue that the combined pressure of these strict onboarding rules and Indiaโs existing 30% tax on crypto gains may continue to push innovation out of the country.
