Crypto Exchanges Now Required to Store KYC Data for 5 Years. Is it a Yay or Nay from the Industry?

In a bid to enhance India’s cybersecurity and crypto infrastructure, the Indian Computer Emergency Response Team (CERT-In) has mandated that all Virtual Private Network (VPN) providers and crypto exchanges maintain customer data records for up to five years. The rules will come into effect in June 2022.

Per CERT-In, which operates under the Ministry of Electronics and Information Technology, it is demanding these details to “ensure cybersecurity of payments and financial markets of citizens”. The intention here is to balance customer data protection and their economic freedom in the wake of virtual assets like cryptos gaining ground.

Rise of Crypto Scams in India

A Chainalysis report suggests that Indian users visited crypto scam websites such as coinpayu.com, coingain.app and others more than 9.6 million times. Globally, too, such scams took the lion’s share of all cryptocurrency-related crime, with investors worldwide losing about $7.7 billion worth of crypto. And this was just in 2021.

To put the skyrocketing quantum of these scams in perspective, there were about 3,300 active and operational frauds lurking around at any given point globally in 2021. In 2020, this number stood at 2,052.

In fact, India’s Enforcement Directorate (ED) is currently investigating seven cases in which crypto has been deployed for money laundering purposes. The cumulative proceeds from these crimes amount to about Rs 135 crore, per an answer in the Lok Sabha by MoS Finance Pankaj Chaudhary.

And the ED is not the only government organization battling this. Recently, the Narcotics Control Bureau (NCB) and the Central Board of Indirect Taxes and Customs also discovered illicit crypto payments worth Rs 2.2 crore in about 11 cases associated with drug trafficking.

CERT-In, in its detailed mandate for data collection, has asked for an extensive set of information for customer verification and identification. This includes the nature of IP addresses, the ID and amount of each transaction, the public keys or addresses involved, and the contact details of the transactees.

Defaulting on these directions might lead to imprisonment of up to one year, a fine of up to about Rs 1,00,000, or both, as per Section 70B of the IT Act, 2000.

Starting June 2022, crypto service providers will also be required to bring any cybersecurity incident to CERT-In’s notice within six hours of it taking place. Current laws do not stipulate any timeline for such reporting.

Many industry experts see this step by CERT-In as positive and progressive. Vikram Subburaj, CEO of Giottus Crypto Exchange, says: “We welcome all such mandates that will keep our ecosystem healthy. It is heartening to see the government bring about clarity progressively to the crypto world.”

“With the ASCI setting guidelines for crypto ads, the Finance Minister announcing a new tax regime and now the KYC mandate, steps are being undertaken to treat crypto assets on par with stocks in the country on the regulatory front,” he adds.

It should be noted that these directives are only for those exchanges that hold custody of crypto wallets on behalf of their users. In such cases, a third party is in charge of managing your private keys and funds.

Vijay Pravin, CEO & Founder, BitsCrunch, calls it a welcome move as well. “The new measure will ensure that all crypto-exchanges follow a uniform KYC process. A mandate to share details with government agencies and regulators for verification can establish an overall trustworthy platform.”

“In real-time, all decentralized crypto-exchanges are designed to let users remain anonymous and keep private information from any sort of regulatory authority, including the crypto-exchanges themselves. Therefore, this mandate ensures compliance, user-safety, and a more authentic way of on-boarding potential crypto-enthusiasts,” he concluded.

Storage Costs a Concern

However, the ensuing high storage costs of building a secure infrastructure to maintain all this data remain a major concern.

“The mandate to store user KYC and transaction data within the crypto space comes with a view to protect customers, identify and prevent laundering/illicit transactions. This translates into a significant compliance burden for crypto wallets, exchanges and other intermediaries that would now have to store vast swathes of data for a five-year period in a highly secure and compliant infrastructure,” says Megha Nambiar, Senior Legal Counsel, HyperVerge.

Vinay Butani, Partner, Economic Laws Practice, feels the same. “Whilst at one end this certainly looks like a positive step towards compliance and user safety on the crypto platforms, however, on the other end, this is definitely going to drive up the costs of the exchanges given the additional compliances.”

In addition, he thinks it could drive away large numbers of customers, given their privacy and information security concerns.

“It will be interesting to wait and watch if this move by the government is accepted as a positive step by the relevant stakeholders. While the government is hoping for greater compliance as its objective, this move could also deter consumers and could lead to a large-scale departure of customers given the rule seeks sensitive user information,” he notes.

But some organizations like GuardianLink are already ahead on the data collection and compliance curve. These directives only complement their existing commitment to bridging trust between customers and cryptocurrency.

“Even though the government hasn’t asked us, we have already started this process. We have already set out to meet this goal, anticipating the government’s move. We now plan to work with the government as best as possible to bring acceptability and legality for our community,” says Kameshwaran Elangovan, co-founder and CEO, GuardianLink.
