Client Due Diligence and Enhanced Due Diligence under the AML CFT framework
Posted on Jan 11, 2026
On January 8, 2025, the Financial Intelligence Unit (FIU-IND) issued updated AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (Guidelines). The updated Guidelines aim to provide a comprehensive approach to regulating the digital asset sector while balancing innovation with financial stability and security concerns.
Client Due Diligence (CDD) is a statutory control prescribed for reporting entities engaged in Virtual Digital Asset activities. It is intended to verify the identity of a client, establish the ownership and control structure, and assess the money laundering, terrorist financing and proliferation financing risk before and during the business relationship. The Guidelines require that CDD be carried out at the time of onboarding and thereafter at periodic intervals, or whenever there is doubt about the authenticity or adequacy of previously obtained information. CDD is not a one-time formality. It is a continuous process that includes collection of identity data, verification from reliable and independent sources, development of a client risk profile, and ongoing monitoring of transactions and behaviour.
The Guidelines specifically require the use of independent data sources and open-source intelligence, the updating of client information when risk indicators change, and the use of digital identifiers such as IP address, device ID, geolocation and transaction hashes for verification and risk assessment. For individuals, minimum information such as full name, date of birth, PAN, identity document, address, mobile number, email, occupation and bank account details must be obtained and verified. Enhanced Due Diligence (EDD) is not a separate regime but a higher level of scrutiny that applies when the risk profile of a client or transaction so warrants.
The Guidelines mandate a risk-based approach in which clients are classified at least into high-risk and medium-risk categories, with additional sub-categories for higher risk perception. The parameters include the client profile, nature of business, geography, types of transactions and types of products or services used. Based on this classification, enhanced measures under CDD must be clearly defined and objectively applied. EDD therefore operates as an escalation of CDD. Where the identity of the client is doubtful, where information cannot be verified, where the client is suspected to be false or non-genuine, or where the risk indicators show heightened exposure, the reporting entity must apply enhanced measures or decline or terminate the relationship. In all cases, anonymous accounts, fictitious names and undisclosed beneficial ownership are prohibited. Transactions must be continuously monitored and suspicious activity must be reported to FIU India in accordance with the PMLA and the Rules.
In effect, CDD establishes who the client is and how the relationship is to be assessed. EDD determines how deeply and how frequently that assessment must be conducted when the risk is elevated. Both are legally mandated controls forming the core of the AML and CFT compliance framework for Virtual Digital Asset service providers in India.