As per new directives for VPN service providers and crypto exchanges in India, the government has directed them to collect private information as well as the ownership patterns of customers.
India named the Computer Emergency Response Team (CERT) of the country's Ministry of Electronics and Information Technology as the national agency for cyber security, including the crypto industry, to clarify which agency has the authority over activities (suspicious or illicit) in the sector.
As seen in the creation document, the Emergency Response Team will act as the national agency to perform the following functions in the area of cybersecurity:
The document shows that this measure requires crypto companies, such as virtual asset service providers, to maintain KYC (Know Your Customer) information and financial transaction records for five years. The same is done "to ensure cyber security in payments and financial markets for citizens while protecting their data, fundamental rights, and economic freedom from the growth of virtual assets."
While the industry sees the announcement as a soft step toward regulation before crypto-specific legislation is enacted, the government has not suggested the move is a step toward regulation.
The heavily criticized crypto transaction tax rule was a similar but vigorous action, announced in February and placed last month. A senior Finance Ministry official stated that "the fact that crypto is taxable does not make it legal."
India's crypto law remains to be passed, with the government seeking a global consensus. Indian Finance Minister Nirmala Sitharaman has spoken several times about the potential of cryptocurrencies and blockchain and the security concerns.
"Blockchain itself is so full of potential in the payment realm and so many others," she said last week. "Our intention is not to harm this (cryptocurrency or Blockchain)." However, she added that cryptos "can also be manipulated for undesirable purposes, money laundering, or lead to the financing of terrorism."
Notably, this is the first time the Indian government has made it clear that data must be kept in storage for five years. KYC processes and data will need to align with the guidelines of three entities — the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Department of Telecommunications (DoT).
Crypto businesses must also designate a point of contact for CERT, the Ministry of Electronics and Information Technology unit, to have an open communication channel regarding these new rules.
Speaking at a public forum Friday at Stanford University, Sitharaman asked for "collective global action" for the effective regulation of this dynamic technology:
"If there is impatience out there in the world saying what are you doing with cryptocurrencies? I can understand the impatience, but I'm sorry, this is how it will be. We will have to take our time to make sure that, at least with the available information given, we are making an informed decision."