India tightens KYC rules for cryptocurrency users.

• India strengthens KYC requirements for cryptocurrency exchanges.
• Live selfies and geolocation become mandatory.
• UIF classifies anonymity as high risk.

India has taken a further step in strengthening oversight of the cryptocurrency market by announcing stricter KYC rules for users of regulated platforms. The guidelines, published by the Financial Intelligence Unit (FIU), significantly expand requirements for identity verification and activity monitoring.

All new users of cryptocurrency exchanges will be required to undergo identity verification via live selfie. The process will use software capable of confirming the user's physical presence through actions such as blinking or head movement, with the aim of preventing fraud involving static images or deepfakes.

In addition to facial biometrics, users will need to present official documents issued by the Indian government, such as a passport, Aadhaar card, or voter registration card. Validation of the email address and mobile phone number will also be mandatory before full account activation.

The platforms will also need to perform a small test transaction on the user's bank account as an additional confirmation step. At the time of registration, information such as IP address, geolocation, date and time of access, and details of the device used will also need to be collected and stored.

Another relevant point of the guidelines is the periodic updating of KYC (Know Your Customer). Users classified as high-risk will have to update their data every six months, while others will have to undergo a new verification annually. The UIF (Financial Intelligence Unit) indicated that the risk classification will take into account usage patterns, transaction volume, and the type of product accessed.

The document also signals increased attention to certain segments of the sector. ITOs, and cryptocurrency tools focused on anonymity have been classified as high-risk activities, which may result in enhanced monitoring and additional compliance requirements for platforms offering this type of service.

The measures come after significant security incidents that affected major cryptocurrency exchanges in the country. In 2024, WazirX suffered a breach that resulted in the loss of approximately US$235 million in cryptocurrencies, compromising its operations and leading to a judicially overseen recovery plan.

The following year, CoinDCX was the target of a hacker attack that caused approximately US$44 million in damages. Although the incident involved an internal operational wallet, the case broadened the regulatory debate about internal controls and user protection.

With the new set of rules, India is reinforcing its approach to compliance and continuous monitoring in the cryptocurrency market, raising the bar for exchanges and users in one of the world's largest digital markets.