India tightens cryptocurrency KYC! AI anti-counterfeit selfies make full real-name verification mandatory for users

India’s Financial Intelligence Unit (FIU) has issued new guidelines mandating that cryptocurrency exchanges verify user identities through real-time selfie verification and geolocation checks, using eye-tracking software to prevent AI deepfake bypasses of KYC processes. This reflects India’s strict regulatory stance towards its 1.4 billion market, currently taxing crypto gains at 30% and not allowing tax loss deductions.

Why Is India Suddenly Tightening KYC Regulations

India’s FIU, as the regulator responsible for AML and KYC regulations, views this tightening not as a sudden move but as a continuation of long-term regulatory trends. With over 1.4 billion people, India is one of the world’s largest potential cryptocurrency markets. The crypto usage trends in this vast market could bring a new wave of investment to the sector but also heighten regulatory vigilance.

During a meeting with parliament members on Wednesday, officials from the Indian Income Tax Department (ITD) explicitly stated that cryptocurrencies and decentralized finance platforms could weaken tax enforcement. Tax officials argue that decentralized crypto exchanges, anonymous wallets, and cross-border crypto functions make taxation extremely difficult. Moreover, tax laws vary across jurisdictions, complicating effective crypto tax collection.

Under Indian income tax law, gains from crypto sales are taxed at a flat rate of 30%, with users only able to deduct the cost basis from gains. More harshly, Indian crypto traders cannot claim tax loss deductions, meaning they cannot offset losses from other crypto sales against gains in different transactions. This tax structure has already frustrated many traders, and the new KYC requirements further tighten the regulatory net.

India’s regulators are clear: permissionless blockchain technology threatens tax collection, so stricter identity verification is necessary to track every transaction and user. This regulatory approach aligns with the Reserve Bank of India’s push for central bank digital currency (CBDC) rather than stablecoins, aiming to bring digital assets into a controlled regulatory framework.

Specific Requirements of the New Regulations: From Selfies to Bank Verification

Six Major KYC Verification Steps

Real-time Selfie Verification: Using eye and head movement tracking software for liveness detection to prevent AI deepfake impersonation

Geolocation Tracking: Mandatory collection of geolocation and IP address data during account creation to build user behavior profiles

Timestamp Recording: Precise recording of account creation time for future tax audits and compliance tracking

Bank Account Verification: Confirming authenticity through small transactions sent to the user’s bank account

Dual Identity Proof: Submission of additional government-issued photo ID

Multi-channel Verification: Verification of email and mobile number to ensure contact information is genuine and active

Among these, the most technically sophisticated is the real-time selfie verification system. According to The Times of India, this system uses eye and head movement tracking to determine if the individual is real, not AI-generated deepfake images. As AI technology advances, cases of fake identities created with generative AI passing KYC checks have emerged. Indian regulators evidently aim to stay ahead of this loophole.

Geolocation and IP address collection are intended to build user activity profiles. Regulators can use this data to track whether users are opening accounts on multiple exchanges, using VPNs to hide their true location, or engaging in suspicious cross-border transactions. Timestamp records, while seemingly simple, can precisely determine asset holding periods, which are crucial for calculating capital gains tax.

Bank account verification is a core AML requirement. Sending small transactions (usually a few rupees) to verify that the user controls the bank account is a standard practice in traditional finance, now being incorporated into crypto regulation. Dual identity proof and multi-channel verification are measures to increase the cost of identity fraud, making it harder to register accounts using someone else’s identity.

Comparison with Global KYC Standards

Where does India’s new KYC requirement stand globally? Compared to the EU’s AML directives (AMLD) and the US’s Bank Secrecy Act (BSA), India’s requirements are more stringent in some aspects. The EU also mandates KYC for crypto exchanges but has not yet enforced real-time selfies and geolocation tracking. US requirements vary by state, with federal oversight mainly through FinCEN, but the technical measures are less detailed than India’s new rules.

China has already banned cryptocurrency trading entirely, so KYC is not an issue there. Japan and South Korea have similar KYC requirements to India but are more lenient regarding bank account verification. Singapore, as a crypto hub in Asia, adopts a balanced regulatory approach, requiring KYC but not overly intrusive on user privacy. India’s approach appears to favor stricter regulation, likely due to its large population and relatively weaker financial regulatory infrastructure.

Notably, the Reserve Bank of India has urged countries to prioritize the development of CBDCs over stablecoins. This stance suggests India aims to replace privately issued stablecoins with CBDCs, bringing digital payments fully under regulatory control. If successful, India could become the first major economy to widely promote CBDCs while strictly limiting private cryptocurrencies.

Practical Impact on the Crypto Market

For Indian crypto exchanges, the new regulations mean significantly increased technical and compliance costs. Deploying eye-tracking and liveness detection systems requires partnerships with specialized biometric tech providers, with high licensing and maintenance expenses. Smaller exchanges may be unable to bear these costs and could be forced out of the market, leading to increased market concentration.

For users, stricter KYC means further privacy loss. While regulators claim these measures are to combat money laundering and tax evasion, concerns over data security are rising. India’s data protection legislation is still evolving, and in case of hacking, biometric data, geolocation, and bank info could be compromised.

In terms of market size, India’s 1.4 billion population is critical to the global crypto scene. If strict regulation drives users underground or toward decentralized exchanges, the regulatory goals might backfire. DEXs are not subject to KYC, and while India can block their websites, tech-savvy users can still access them via VPNs and other methods. This could lead to a dual-market scenario: compliant centralized exchanges serving mainstream users, and privacy-focused decentralized platforms attracting users seeking anonymity.