[Jaideep Reddy is Counsel and Krati Hashwani a Senior Associate, Trilegal]
The virtual digital asset (also known as crypto-asset or cryptocurrency) (VDA) industry is accustomed to legal ambiguity in India. There has been little in the way of legislative clarity, barring the specific income-tax regime introduced in 2022, and piecemeal measures such as a mandatory disclosure of holdings for companies under the Companies Act, 2013, and certain compliance requirements under the Indian Computer Emergency Response Team (CERT-In) Directions, 2022.
Two key missing pillars of a robust regulatory framework have been: (i) a licensing regime, overseen by a regulator, and (ii) a statutory anti-money laundering and countering the financing of terrorism (AML/CFT) regime subjecting VDA intermediaries to reporting obligations.
Observers were, therefore, generally pleased when, by a notification issued by the Ministry of Finance, Government of India (Notification) on 7 March 2023, a host of VDA intermediaries were classified as reporting entities (REs) under the Prevention of Money-Laundering Act, 2002 (PMLA). The Financial Intelligence Unit – India (FIU) has also published on its website a set of guidelines known as the ‘AML & CFT Guidelines for Reporting Entities Providing Services Related To Virtual Digital Assets’ (FIU Guidelines) which have been stated to be effective from 10 March 2023. Classifying VDA intermediaries as REs under the PMLA, and hence bringing them at par with several other value intermediaries across sectors, such as banks, stock-brokers, real estate agents, and jewellers, was always a low-hanging fruit which did not require a legislative change, unlike a new licensing framework.
Directionally, the move is positive as this brings VDA intermediaries and the transactions they process under the reporting umbrella, in line with international best practices. However, the Notification and FIU Guidelines still throw up some ambiguities.
This post probes two of the less discussed but key issues associated with the new framework: (i) how the Financial Action Task Force’s (FATF) standards can be used to fill in interpretational gaps, and (ii) whether the FIU Guidelines have attained the status of binding law.
FATF Standards as an Aid to Interpretation
The FATF is an independent inter-governmental body that sets global AML/CFT standards (Standards) and monitors compliance with the Standards. Rather than a policy shift specific to the VDA sector, the Notification appears to come in anticipation of the FATF’s upcoming evaluation of India later this year. The Notification is one amongst a slew of measures under the PMLA by the Central Government in recent weeks, and VDA intermediaries are just one among the several classes of persons and entities newly included as reporting entities, in line with the Standards. The FATF evaluation will have important ramifications for India’s perception as an investment destination the international community.
The language in the Notification and FIU Guidelines is highly similar to that of the detailed FATF Standards on VDAs. For instance, the definition in the Notification defining VDA service providers is almost verbatim to the definition in the FATF Standards. The FIU Guidelines too, borrow copiously from the Standards.
The Supreme Court has repeatedly recognised that domestic laws must be interpreted in harmony with international treaties and conventions. This doctrine has specifically been applied in the context of the PMLA and FATF Standards in the 2022 judgment of Vijay Madanlal Choudhury v. Union of India. Although the said judgment has been criticised severely, this particular principle that it recognizes is well-accepted. In this case, the Supreme Court took FATF interpretations into account while construing the PMLA.
It is reasonable, therefore, to conclude that the Notification and FIU Guidelines are likely to, and should, be construed in light of the FATF Standards, which can be used to clarify certain ambiguities. While this blog cannot delve into the application of the FATF Standards to each ambiguity due to space constraints, some illustrations are discussed below.
Under the Notification, an entity that carries out any of certain specified activities for or on behalf of another person in the course of its business will fall within the ambit of a ‘person carrying on designated business or profession’, which is a type of RE under the PMLA. One of the covered activities is “safekeeping or administration of VDAs or instruments enabling control over VDAs”. This brings us to the question of certain ‘non-custodial’ VDA wallet service providers i.e., providers of software tools that allow users to store their own VDAs in a manner in which the user, rather than the service provider, has control over the VDA. This is the case where the user possesses the ‘private key’ (which can be loosely analogised to a password) associated with a VDA wallet, and the service provider does not. A bare reading of the Notification and FIU Guidelines gives no guidance as to whether such a service provider would be covered. However, the FATF Standards usefully provide that this limb of the definition would not typically cover software developers or providers of unhosted wallets who only develop or sell the software/hardware, and that it would instead generally cover custodial wallet service providers who have control of the private key. The FATF Standards also clarify that in the case of a multi-signature VDA wallet (which would have more than one private key), entities holding even one key which would be required for a transfer may be seen as having ‘control’ for the purpose of the definition.
The Notification also covers the activities of exchanging between VDAs and fiat currencies, exchanging between one or more forms of VDAs, and transfer of virtual digital assets. This leads to the question of whether decentralised exchanges or decentralised finance (DeFi) applications, which often do not have a central owner and are governed using blockchain smart contracts, are covered by the Notification. The Standards shed light on these situations too, while the Notification and FIU Guidelines are silent. The Standards state that the provider of a DeFi software application would not be covered as an RE under the Standards, which do not apply to underlying software or technology. However, the Standards clarify that persons “who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized” may be classified as REs if “they are providing or actively facilitating” covered activities.
These two situations illustrate how the Standards can fill in the gaps where the extant PMLA framework on VDAs is silent.
Legal Status of the FIU Guidelines
The Prevention of Money-laundering (Maintenance of Records) Rules, 2005 (PMLR), which set out various compliance requirements for REs, provide that guidelines may be issued by the ‘regulator’. This term is defined in the PMLR as follows (in relevant part): “a person or an authority or a Government which is vested with the power to license, authorise, register, regulate or supervise the activity of reporting entities or the Director [FIU] as may be notified by the Government for a specific reporting entity or a class of reporting entities or for a specific purpose.” For already regulated institutions such as banks, the interpretation is clear, as the definition points to the authority which licenses or supervises the RE (i.e., in this instance, the Reserve Bank of India). In turn, such authorities have issued detailed AML/CFT guidelines to their regulated entities. However, VDA intermediaries are not specifically licensed or supervised by any authority as of date. The question hence arises as to who is the ‘regulator’ for VDA intermediaries, as that would be the entity with the power to frame guidelines.
The definition of ‘regulator’ also includes the Director, FIU, “as may be notified by the Government for a specific reporting entity or a class of reporting entities or for a specific purpose.” As of date, no such notification appears to exist notifying the FIU as the regulator for VDA intermediaries under this provision.
Curiously, the text of the FIU Guidelines does not state which authority has issued the document, and under which provision of law. It is also undated, though one of its provisions states an effective date of 10 March 2023.
Courts have held that merely publishing a document on a Government website is not sufficient for the document to attain the status of binding law (In the matter of Scheme of Amalgamation of Wadala Commodities Limited with Godrej Industries Limited). The rule of law dictates that any binding law must be issued in accordance with procedure established by law. While the PMLR does not specifically provide that the regulator’s guidelines ought to be gazetted, the requirement of the ‘regulator’ being notified (in the absence of a licensing / supervising authority) is, in our view, a sine qua non under the PMLR. In that light, as of date, it is doubtful whether the FIU Guidelines are binding.
– Jaideep Reddy & Krati Hashwani