In a recent circular, the Ministry of Electronics and Information Technology has made it compulsory for all virtual asset service providers to store the ‘know your customer’ (KYC) details and transaction records of their users for a period of five years. Crypto industry experts have cited this as a positive step towards compliance and user safety on crypto platforms. However, some experts believe that this will lead to an increase in the compliance burden for exchanges.
“These new data storage guidelines will increase the compliance burden for exchanges. The high cost of compliance might lead them to explore new geographies. This will test the resilience of the exchanges that are already battling with low trade volumes, as well as the shadow ban on banking and payment services,” says Sharat Chandra, vice president, research and strategy, EarthID, a Blockchain platform.
Saikat Dutta, Strategic advisor, The Dialogue, a public policy think tank, however, feels that the stated objective of CERT-In’s recent directive is to bridge the gap in cyber incidence analyses by having access to more information and data to enhance cyber security.
“The guidelines mandate service providers (VPS, VPN etc.), intermediaries, data centres and body corporate to synchronise ICT system clocks, retain user data for five years, and report cyber incidents. In addition, it mandates that the virtual asset service providers, virtual asset exchange providers, and custodian wallet providers mandatorily maintain all KYC information for five years,” he says.
Importantly, the recent rule is only relevant to cryptocurrency exchanges that hold custody of the crypto wallets on behalf of their users. In a custodial wallet, you won’t have full control over your funds – nor the ability to sign transactions and manage your private keys for yourself.
Dileep Seinberg, founder and CEO, MuffinPay, a bill payment and utility token services, says that this move “indicates that the government is positive on crypto, and that it needs better measures of control and regulations similar to the ones in place for mutual funds, stock and bonds”.
“This should be motivating the share market investors who look for new avenues for investment,” he says.
Dutta explained that this directive has multiple market-level implications. The first would be that as entities are pushed to connect their ICT systems with the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC), or National Physical Laboratory (NPL), this would impact the service providers, which might disrupt services and hinder incident response. Second, mandating metadata retention from VPN service providers might compromise its trust quotient, thus impacting its business. In addition, compromising VPN would also impact Indian operations businesses which use VPN.
Moreover, the KYC requirement is broad, and could impact the operations of cloud service providers.
“The customer information sought under this requirement is sensitive and could deter consumers from availing the cloud services. As India’s cloud market is growing and we are looking at India to be a global hub of cloud computing, it is imperative that we refrain from placing additional burdens which may not help CERT-In achieve its objectives, while at the same time, it might affect the growth of cloud in India,” Dutta adds.
Gaurav Mehta, founder of Catax, a crypto taxation, auditing, and forensics start-up said that it will assist the FIU (Financial Intelligence Unit), CBDT (Central Board of Direct Taxes), NATGRID (National Intelligence Grid), and other law enforcement agencies in achieving their objectives more quickly by assisting them in gathering detailed information about crypto investments, wallets, money laundering, evasion, and other illicit activities conducted previously.