7.1 Building a Compliance Framework
For blockchain and cryptocurrency businesses operating in India, establishing a robust compliance framework is essential not just for legal protection, but also for building trust with users, banking partners, and regulators.
Compliance Framework Components
| Component | Description | Key Actions |
|---|---|---|
| Governance | Leadership and oversight structure | Board oversight, compliance officer, reporting lines |
| Risk Assessment | Identify and evaluate risks | ML/TF risk assessment, business risk analysis |
| Policies | Written compliance policies | KYC policy, AML policy, transaction monitoring policy |
| Procedures | Operational procedures | CDD procedures, enhanced due diligence, STR filing |
| Technology | Systems and tools | KYC verification, transaction monitoring, blockchain analytics |
| Training | Staff education | Regular training, awareness programs, testing |
| Audit | Independent review | Internal audit, external audit, testing |
7.2 KYC/AML Requirements
Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance form the cornerstone of regulatory requirements for crypto businesses in India.
Customer Due Diligence (CDD) Tiers
For low-risk customers with small transaction values. Basic identification with name, address, and ID verification. Applicable for occasional transactions below specified thresholds.
Default level for most customers. Includes identity verification, address verification, source of funds inquiry, and ongoing monitoring. Required for regular account holders.
Required for high-risk customers including PEPs, high-value transactions, and customers from high-risk jurisdictions. Additional documentation, senior management approval, and enhanced ongoing monitoring.
KYC Documentation Requirements
| Document Type | Individuals | Entities |
|---|---|---|
| Identity Proof | Aadhaar, PAN, Passport, Voter ID | Certificate of Incorporation, GSTIN |
| Address Proof | Aadhaar, Utility Bill, Bank Statement | Registered Office Proof |
| Photograph | Recent passport-size photo, selfie verification | Photos of authorized signatories |
| Financial Info | Bank account details, income proof (EDD) | Audited financials, Board Resolution |
| Beneficial Ownership | N/A | UBO declaration, shareholding pattern |
Transaction Monitoring
Effective transaction monitoring systems should detect:
- Structuring: Breaking large transactions into smaller amounts to avoid thresholds
- Rapid Movement: Quick in-and-out transactions
- Unusual Patterns: Deviations from normal customer behavior
- High-Risk Addresses: Transactions with sanctioned or suspicious wallets
- Mixer Usage: Transactions through mixing or tumbling services
- Cross-Border Patterns: Unusual international transaction flows
Technology Tip: Implement blockchain analytics tools (Chainalysis, Elliptic, etc.) integrated with your transaction monitoring system to automatically flag transactions involving high-risk addresses or mixing services.
7.3 FIU-IND Registration and Compliance
Virtual Digital Asset Service Providers must register with the Financial Intelligence Unit - India and comply with reporting requirements.
Registration Process
- Application to FIU-IND in prescribed format
- Documentation of compliance framework
- Appointment of Principal Officer and Designated Director
- Technical integration for report filing
- FIU-IND review and approval
- Ongoing compliance maintenance
Reporting Obligations
| Report Type | Trigger | Timeline |
|---|---|---|
| STR (Suspicious Transaction Report) | Suspicion of money laundering or terrorist financing | Within 7 days of detection |
| CTR (Cash Transaction Report) | Cash transactions above Rs. 10 lakh | Within 15 days of month end |
| NTR (Non-Profit Transaction Report) | Transactions by NPOs | Within 15 days of month end |
| Cross-Border Wire Transfers | International transactions | Monthly reporting |
7.4 Tax Compliance Advisory
Advising crypto clients on tax compliance requires understanding the VDA taxation framework comprehensively.
Tax Planning Considerations
- No Deductions: Unlike other capital gains, no expenses (except cost of acquisition) are deductible. Clients cannot reduce gains through trading fees, wallet charges, or gas fees.
- No Loss Set-Off: Losses cannot be set off against other VDA gains or any other income. Each profitable transaction is taxed independently.
- Gift Planning: Gifts to specified relatives are exempt; gifts to others are taxable in recipient's hands
- FIFO vs. Specific Identification: Method of cost basis calculation should be consistent
Scenario: Client has made 10 BTC trades during the year:
- 5 trades resulted in profits totaling Rs. 5,00,000
- 5 trades resulted in losses totaling Rs. 3,00,000
Incorrect Assumption: Net gain of Rs. 2,00,000, tax = Rs. 60,000
Correct Calculation: Tax on Rs. 5,00,000 profits @ 30% = Rs. 1,50,000. Losses of Rs. 3,00,000 provide NO benefit.
Advisory: Given the inability to offset losses, clients should carefully evaluate each trade's tax implications before executing. Consider timing of transactions across tax years where legally appropriate.
Record-Keeping Requirements
Advise clients to maintain:
- Complete transaction history from all exchanges
- Wallet transaction records
- Cost basis documentation for all acquisitions
- Bank statements showing fiat movements
- TDS certificates (Form 26AS reconciliation)
- Records of gifts given or received
7.5 Corporate Structure Advisory
Advising blockchain startups on corporate structure involves multiple considerations:
Entity Selection
| Structure | Advantages | Considerations |
|---|---|---|
| Private Limited Company | Limited liability, credibility, fundraising ease | Compliance burden, audit requirements |
| LLP | Limited liability, tax efficiency, flexibility | Cannot issue equity, limited VC appetite |
| Foreign Subsidiary | Regulatory arbitrage, global operations | FEMA compliance, transfer pricing, substance requirements |
Jurisdictional Considerations
For global operations, consider:
- Singapore: Clear licensing framework, crypto-friendly
- Dubai (VARA): Comprehensive regulatory regime
- Estonia: Digital nation, e-residency
- Switzerland (Zug): Crypto Valley ecosystem
Structuring Advice: Many Indian crypto businesses use a hybrid structure with an Indian technology/development company and a foreign operating entity for customer-facing services. This requires careful FEMA compliance, transfer pricing documentation, and substance in the foreign jurisdiction.
7.6 Compliance Checklists
- Register company with appropriate structure
- Apply for FIU-IND registration
- Implement KYC/AML policy and procedures
- Deploy KYC verification system (Aadhaar, PAN integration)
- Implement transaction monitoring system
- Integrate blockchain analytics tool
- Appoint Principal Officer and Designated Director
- Establish compliance team structure
- Draft Terms of Service and Privacy Policy
- Implement TDS collection mechanism (Section 194S)
- Set up banking relationships
- Conduct security audit of platform
- Implement cold storage for customer assets
- Establish customer grievance mechanism
- Register with CERT-In if required
- Define clear IP licensing terms for NFT purchases
- Implement creator verification process
- Establish DMCA/IP takedown procedures
- Disclose NFT characteristics and limitations
- Implement TDS compliance for secondary sales
- Address consumer protection requirements
- Consider ASCI guidelines for promotions
- Implement age verification for adult content (if any)
- Smart contract security audit
- Metadata storage and persistence plan
- Assess whether activities trigger licensing requirements
- Smart contract security audit
- Evaluate if tokens constitute securities
- Consider decentralization level and liability
- Document governance mechanisms
- Risk disclosures for users
- Consider geoblocking for restricted jurisdictions
- Establish bug bounty program
- Insurance/coverage for protocol risks
- Legal opinion on regulatory classification
7.7 Client Advisory Best Practices
Initial Consultation Framework
- Business Model Understanding:
- What specific crypto activities are involved?
- Who are the target customers (retail/institutional)?
- What jurisdictions will be served?
- What is the technical architecture?
- Regulatory Mapping:
- Identify all applicable regulations
- Determine licensing/registration requirements
- Map compliance obligations
- Risk Assessment:
- Regulatory risk (pending legislation)
- Banking access risk
- Tax risk
- Operational risk
- Compliance Roadmap:
- Prioritized action items
- Timeline for implementation
- Resource requirements
- Ongoing compliance calendar
Engagement Letter Considerations
When engaging with crypto clients, engagement letters should address:
- Scope limitations (not financial/investment advice)
- Regulatory uncertainty disclaimers
- Client's obligation to provide accurate information
- Confidentiality provisions
- Conflict of interest disclosures (if holding crypto)
7.8 Staying Current
The crypto regulatory landscape evolves rapidly. Technology lawyers must:
- Monitor FIU-IND and RBI circulars regularly
- Track Parliamentary proceedings for crypto legislation
- Follow court judgments affecting crypto
- Monitor global regulatory developments (SEC, MiCA, etc.)
- Engage with industry associations (BACC, IAMAI)
- Participate in regulatory consultations
Resources: Key sources for staying updated include FIU-IND website, RBI notifications, MeitY releases, SEBI circulars, income tax department updates, and industry newsletters from bodies like the Blockchain and Crypto Assets Council (BACC).
7.9 Key Takeaways
- Build comprehensive compliance frameworks covering governance, policies, procedures, and technology
- Implement tiered KYC based on risk assessment
- FIU-IND registration and reporting is mandatory for VDA service providers
- Tax advisory must account for the no-deduction, no-loss-set-off rules under Section 115BBH
- Corporate structure should consider both Indian requirements and global operational needs
- Use compliance checklists to ensure comprehensive coverage
- Stay current with rapidly evolving regulatory landscape