KNOW YOUR CUSTOMER, ANTI-MONEY LAUNDERING AND TRANSACTION MONITORING POLICY

Executive Summary – KYC-AML Policy

This Know Your Customer (“KYC”) and Anti-Money Laundering, Counter-Terrorist Financing, and Counter-Proliferation Financing (“AML-CFT-CPF”) Policy outlines the overarching principles, governance framework, and control measures adopted by Bitcipher Labs LLP (operating under the brand “CoinSwitch”) to prevent misuse of its platform for money laundering, terrorist financing, and proliferation financing activities.

 

CoinSwitch is registered with the Financial Intelligence Unit – India (FIU-IND) as a Reporting Entity under the Prevention of Money Laundering Act, 2002 (“PMLA”) and complies with the PMLA, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005, and applicable AML-CFT-CPF Guidelines issued by FIU-IND for Virtual Digital Asset (“VDA”) Service Providers.

Key Elements of the Policy

Regulatory Compliance & Governance

  • Establishes a comprehensive AML-CFT-CPF framework approved and overseen by the Board and senior management.
  • Defines roles and responsibilities of the Designated Director, Principal Officer, and Compliance Function.
  • Ensures alignment with applicable Indian laws, FIU-IND advisories, and supervisory expectations.

Risk-Based Approach

  • Adopts a documented Risk-Based Approach (RBA) to identify, assess, and mitigate ML/TF/PF risks across customers, products, transactions, delivery channels, and technologies.
  • Conducts periodic enterprise-wide risk assessments and customer risk categorisation (medium and high risk).

Customer Due Diligence & KYC

  • Implements robust Customer Identification and Verification procedures, including PAN verification, Officially Valid Documents, geo-location, liveness checks, and video-based KYC where required.
  • Applies Enhanced Due Diligence (EDD) for high-risk customers, Politically Exposed Persons (PEPs), high-risk jurisdictions, and complex or unusual transactions.
  • Provides for periodic KYC updation based on customer risk classification.

Ongoing Monitoring & Transaction Surveillance

  • Maintains continuous transaction monitoring covering fiat and VDA transactions.
  • Uses automated systems, red-flag indicators, and blockchain analysis tools to detect unusual or suspicious activity.
  • Ensures timely escalation, investigation, and reporting of suspicious and attempted suspicious transactions to FIU-IND.

Travel Rule & VDA-Specific Controls

  • Complies with applicable Travel Rule requirements for VDA transfers as both originating and beneficiary Reporting Entity.
  • Applies enhanced controls for unhosted wallets, anonymity-enhancing crypto assets, and high-risk VDA activities.

Sanctions, Screening & Proliferation Financing Controls

  • Screens customers and transactions against applicable sanctions lists, terrorist designations, and watchlists.
  • Integrates proliferation financing risk mitigation measures into sanctions screening and transaction monitoring.

Record-Keeping & Data Protection

  • Maintains customer, transaction, and due diligence records in accordance with statutory retention requirements.
  • Ensures confidentiality, data integrity, audit trails, and availability of records for regulatory and law enforcement authorities.

Training & Compliance Culture

  • Implements structured AML-CFT training and awareness programmes for employees, including induction, refresher, and role-based training.
  • Promotes a strong compliance culture and continuous improvement through audits, reviews, and regulatory feedback.

Disclaimer:
This Executive Summary is provided solely for ease of reference and high-level understanding. It does not constitute a complete statement of CoinSwitch’s KYC-AML-CFT-CPF framework and should not be relied upon independently for compliance, operational, or regulatory purposes.

For a comprehensive understanding of CoinSwitch’s obligations, controls, procedures, and responsibilities, readers are required to refer to the entire KYC-AML Policy, including all sections, annexures, and updates thereto. In the event of any inconsistency between this summary and the detailed provisions of the Policy, the detailed provisions shall prevail.

KNOW YOUR CUSTOMER AND ANTI-MONEY LAUNDERING POLICY

CoinSwitch

This Know Your Customer (“KYC”) and Anti-Money Laundering and Counter-Terrorist Financing Policy (“KYC-AML Policy”/ “Policy”) sets out the principles, standards, and procedures adopted by CoinSwitch for compliance with applicable laws relating to the prevention of money laundering, terrorist financing, and proliferation financing.

This Policy governs access to and use of CoinSwitch’s websites (including https://coinswitch.co and https://coinswitch.co/pro) and mobile and web-based applications operated under the brand name “CoinSwitch” (collectively, the “Platform”). CoinSwitch facilitates services relating to Virtual Digital Assets (“VDA”), including enabling users to place buy and/or sell orders through third-party VDA exchanges and offering VDA-related programs as permitted under applicable law.

The Services (as defined in the Terms of Use) are provided by, and the Platform is operated by, Bitcipher Labs LLP, a limited liability partnership incorporated under the Limited Liability Partnership Act, 2008, having its registered office at Bengaluru, Karnataka (hereinafter referred to as “CoinSwitch”, “we”, “us” or “our”). CoinSwitch is a Reporting Entity under the Prevention of Money Laundering Act, 2002 (“PMLA”) and is registered with the Financial Intelligence Unit – India (“FIU-IND”).

This AML-CFT Policy forms a legally binding framework governing the relationship between CoinSwitch and its users, and applies to all customers, transactions, products, services, employees, and relevant third-party arrangements of CoinSwitch.

CoinSwitch reserves the right to amend, modify, or update this Policy from time to time in order to remain compliant with applicable laws, regulatory directions, and supervisory expectations. Continued access to or use of the Platform following any such amendment shall constitute acceptance of the revised Policy. This Policy is to be read in conjunction with CoinSwitch’s Terms of Use, Privacy Policy, and other applicable internal policies and procedures (“Standard Terms”).

By accessing or using the Platform, users expressly acknowledge and consent to CoinSwitch undertaking customer due diligence, ongoing monitoring, data collection, verification, and reporting activities as required under this AML-CFT Policy and applicable law.

CoinSwitch adopts a zero-tolerance approach towards money laundering, terrorist financing, and proliferation financing. It has implemented risk-based controls, systems, and procedures to prevent misuse of the Platform for illicit or unlawful activities and remains committed to maintaining the highest standards of regulatory compliance.

1. Definitions

For the purposes of this KYC-AML Policy (“Policy”), unless the context otherwise requires, the following terms shall have the meanings assigned to them below. Terms not defined herein shall have the meanings ascribed to them under the applicable laws and regulations.

1.1 Applicable Law

“Applicable Law” means all statutes, laws, rules, regulations, ordinances, directives, circulars, guidelines, orders, notifications, policies, and instructions having the force of law in India, as amended from time to time, including but not limited to the Prevention of Money Laundering Act, 2002 (“PMLA”), the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (“PML Rules”), the AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets issued by the FIU-IND, directions issued by the Ministry of Electronics and Information Technology and CERT-In, the Income Tax Act, 1961, and any other applicable regulatory or supervisory framework.

1.2 Designated Director

“Designated Director” means the director designated by CoinSwitch in accordance with the PMLA and PML Rules, who is responsible for ensuring overall compliance with the obligations imposed on the Reporting Entity, including governance, oversight, and implementation of this Policy.

1.3 Principal Officer

“Principal Officer” means the officer designated by CoinSwitch under the PMLA and PML Rules who is responsible for ensuring implementation of and compliance with PMLA, PML Rules and AML-CFT-CPF obligations, timely reporting of suspicious transactions to FIU-IND, and acting as the primary point of contact with regulatory and law enforcement authorities.

1.4 Virtual Digital Assets / Crypto Assets

“Virtual Digital Assets” or “Crypto Assets” mean any information, code, number, token, or digital representation of value (not being Indian or foreign currency), including cryptocurrencies and non-fungible tokens, as defined under Section 2(47A) of the Income Tax Act, 1961, and shall also include crypto-related derivative products such as Futures and Options, where such products are made available or supported on the CoinSwitch Platform, that use distributed ledger technology or are derived from such assets and can be transferred, stored, traded, or settled electronically through the CoinSwitch Platform.

1.5 Customer / User

“Customer” or “User” shall have the meaning given in the Terms of Use and refers to a person who meets the eligibility requirements provided under Clause 2.1 of the Terms of Use.

1.6 Customer Due Diligence (CDD)

“Customer Due Diligence” refers to the process undertaken by CoinSwitch to identify and verify the identity of a Customer, understand the nature and purpose of the customer relationship, assess the customer’s risk profile, and conduct ongoing monitoring of transactions in accordance with a risk-based approach.

1.7 Enhanced Due Diligence (EDD)

“Enhanced Due Diligence” refers to additional due diligence measures applied by CoinSwitch to Customers or transactions assessed as high risk, including Politically Exposed Persons, high-risk jurisdictions, complex transaction patterns, exposure to sanctions and proliferation financing risks, or clients that are non-profit organisations.

1.8 Officially Valid Document (OVD)

“Officially Valid Document” means such documents as notified under the PML Rules, including passport, driving licence, proof of possession of Aadhaar number, or voter’s identity card issued by the Election Commission of India or equivalent e-document containing the identity and address.

1.9 Politically Exposed Persons (PEPs)

“Politically Exposed Persons” are individuals who are or have been entrusted with prominent public functions by a foreign country, including heads of state or government, senior politicians, senior government, judicial or military officers, senior executives of state-owned enterprises, and important political party officials, as well as their immediate family members and close associates.

1.10 Proliferation Financing (PF) / Counter-Proliferation Financing (CPF)

“Proliferation Financing (PF) / Counter-Proliferation Financing (CPF)” refers to the act of providing funds or financial services that contribute to the proliferation of weapons of mass destruction and their means of delivery, in contravention of applicable laws or international sanctions frameworks, and the measures undertaken to prevent, detect, and disrupt such financing.

1.11 Sanctions Lists

“Sanctions Lists” mean lists of individuals, entities, wallets, or jurisdictions subject to financial or economic sanctions issued by the United Nations Security Council, Government of India, FIU-IND, FATF, or any other competent authority.

1.12 Unhosted Wallet

“Unhosted Wallet” refers to a Virtual Digital Asset wallet that is not maintained or controlled by a regulated virtual asset service provider and is controlled directly by the user through private keys.

1.13 Anonymity-Enhancing Crypto Assets (AECs)

“Anonymity-Enhancing Crypto Assets” are crypto assets or technologies designed to obscure origin, ownership, transaction details, or transaction trails, thereby increasing the risk of misuse for money laundering, terrorist financing, or proliferation financing.

1.14 Reporting Entity (RE)

“Reporting Entity” means CoinSwitch, as registered with FIU-IND under the PMLA, and obligated to comply with AML-CFT-CPF requirements, including customer due diligence, transaction monitoring, record maintenance, and regulatory reporting.

1.15 Risk-Based Approach (RBA)

“Risk-Based Approach” refers to the methodology adopted by CoinSwitch to identify, assess, and mitigate money laundering, terrorist financing, and proliferation financing risks in proportion to the nature, scale, and complexity of customer relationships and transactions.

1.16 Suspicious Transaction Report (STR)

“Suspicious Transaction Report” means a report filed by CoinSwitch with FIU-IND in respect of a transaction or series of transactions that raise reasonable grounds of suspicion of money laundering, terrorist financing, or proliferation financing.

1.17 Travel Rule

“Travel Rule” refers to regulatory requirements mandating the collection, verification, and transmission of originator and beneficiary information for Virtual Digital Asset transfers, in accordance with applicable AML-CFT guidelines.

1.18 Beneficial Owner

“Beneficial Owner” means the natural person(s) who ultimately own or control a customer or on whose behalf a transaction is being conducted, including those who exercise ultimate effective control over a legal person or arrangement.

1.19 Terrorist Financing (TF) / Counter-Terrorist Financing (CFT)

“Terrorist Financing (TF) / Counter-Terrorist Financing (CFT)” means the provision or collection of funds, directly or indirectly, with the intention that such funds be used, or in the knowledge that they are to be used, in full or in part, to carry out terrorist acts or support terrorist organisations, and the measures undertaken to prevent, detect, and disrupt such financing, as defined under applicable laws, including the Unlawful Activities (Prevention) Act, 1967.

2. Customer Acceptance Policy (CAP)

CoinSwitch has adopted a comprehensive Customer Acceptance Policy to ensure that it establishes and maintains business relationships only with customers whose identity, background, and risk profile are consistent with applicable Anti-Money Laundering (“AML”), Counter Terrorist Financing (“CFT”), and Counter Proliferation Financing (“CPF”) laws and regulatory expectations. This Policy forms a critical component of CoinSwitch’s overall AML framework and is designed to prevent the misuse of the Platform for money laundering, terrorist financing, proliferation financing, fraud, or any other unlawful activity.

CoinSwitch offers its services exclusively to users who fulfil the eligibility criteria as per its Terms of Use. The status of “User” is granted only after the successful completion of customer identification, verification, and due diligence processes in accordance with this Policy and applicable laws. CoinSwitch does not permit access to its Platform unless it is satisfied with the authenticity and reliability of the customer’s identity and information.

CoinSwitch follows a risk-based approach to customer acceptance and does not open or maintain accounts that are anonymous, fictitious, or held on behalf of undisclosed third parties. Customers are required to access and use the Platform solely for their own benefit, using funds and Virtual Digital Assets that are lawfully owned and controlled by them. Any attempt to operate an account on behalf of another person or entity is strictly prohibited.

2.1 Know Your Customer (KYC) Framework

CoinSwitch implements a robust Know Your Customer framework as a foundational element of its Customer Acceptance Policy. KYC is treated as a continuous process that begins at onboarding and continues throughout the lifecycle of the customer relationship. The objective of the KYC framework is to enable CoinSwitch to establish customer identity, understand the nature and purpose of the relationship, assess customer risk, and comply with obligations under the Prevention of Money Laundering Act, 2002, the PML Rules, FIU-IND AML-CFT-CPF Guidelines for VDA Service Providers, and CERT-In directions.

As part of the KYC process, CoinSwitch identifies and verifies customers using reliable and independent sources of information and documentation. Customer information is validated using a combination of automated systems and manual checks, and an audit trail of all KYC-related actions is maintained. CoinSwitch ensures that no customer is permitted to trade, deposit, withdraw, or transfer Virtual Digital Assets unless KYC and Customer Due Diligence requirements are satisfactorily completed.

2.2 Risk-Based Customer Categorisation

CoinSwitch applies a documented Risk-Based Approach to customer acceptance and management. Each customer is assessed at the time of onboarding to determine their inherent money laundering, terrorist financing, and proliferation financing risk. This assessment takes into account multiple risk factors, including the customer’s profile, transaction behaviour, geographical exposure, use of products or services, and screening outcomes.

Based on this assessment, customers are categorised as medium risk or high risk. The level of due diligence, monitoring, and review applied to each customer is proportionate to the risk category assigned. Customer risk categorisation is not static and is subject to periodic review and reassessment based on changes in customer behaviour, transaction patterns, or regulatory risk indicators.

2.3 Conditions for Acceptance and Continuation of Relationship

CoinSwitch establishes or continues a customer relationship only where it is able to apply appropriate Customer Due Diligence measures and verify the authenticity of the information and documents provided by the customer. Where CoinSwitch is unable to complete CDD, or where the information provided is found to be false, non-genuine, unreliable, misleading, or unverifiable, access to the Platform is restricted, terminated, or denied.

CoinSwitch reserves the right to suspend, freeze, block, or terminate a customer relationship where continued compliance with AML-CFT-CPF obligations cannot be ensured, or where required by regulatory authorities. Such actions may be taken in response to non-cooperation by the customer, adverse screening results, suspicious activity, or instructions from competent authorities.

2.4 Sanctions, PEP, and Watchlist Screening

As part of its Customer Acceptance Policy, CoinSwitch screens customers against applicable sanctions lists, terrorist designations, Politically Exposed Persons databases, and other relevant watchlists at onboarding and on an ongoing basis. Screening is performed using automated systems supported by manual review where required.

Customers identified as Politically Exposed Persons or those linked to sanctioned persons, entities, jurisdictions, or activities are subject to enhanced due diligence and heightened monitoring. CoinSwitch does not knowingly establish or maintain relationships that would result in a breach of sanctions laws or regulatory prohibitions.

2.5 Prohibited and Restricted Relationships

CoinSwitch does not knowingly establish or maintain relationships with customers where the risks posed are assessed as unacceptable or unmanageable. This includes customers who attempt to conceal their identity, obscure the source or ownership of funds, misuse unhosted wallets or anonymity-enhancing technologies, or engage in activities inconsistent with regulatory expectations. CoinSwitch also restricts or terminates relationships where customers fail to comply with KYC, CDD, or information requests required for regulatory compliance.

2.6 Ongoing Review and Regulatory Oversight

Customer acceptance decisions are subject to ongoing review. CoinSwitch periodically reassesses customer risk profiles and updates customer information in line with its risk-based framework. The Customer Acceptance Policy is implemented under the oversight of the Designated Director and Principal Officer and is reviewed periodically to ensure continued alignment with regulatory developments, supervisory expectations, and emerging risks.

3. Customer Identification Procedure (CIP)

Customer Identification Procedure is a core component of CoinSwitch’s AML-CFT framework and forms the basis for establishing and maintaining customer relationships on the Platform. CoinSwitch follows a structured and risk-based approach to identify, verify, and periodically update customer information in order to ensure compliance with applicable laws and to prevent misuse of the Platform for money laundering, terrorist financing, or proliferation financing.

Customer identification is not treated as a one-time activity. It is a continuous process that begins at onboarding and continues throughout the duration of the customer relationship. CoinSwitch undertakes customer identification at multiple stages, including at the time of account creation, during periodic KYC updates, prior to or during transactions, and whenever doubts arise regarding the accuracy or adequacy of previously obtained information.

Customer identification records are made available to competent authorities, including FIU-IND, as and when required.

3.1 Objective of Customer Identification

The objective of the Customer Identification Procedure is to enable CoinSwitch to establish the true identity of each customer, understand the nature and purpose of the business relationship, assess the customer’s risk profile, and comply with obligations under the applicable regulations.

Through this procedure, CoinSwitch ensures that:

  • customers are identifiable and verifiable using reliable and independent sources;
  • fictitious, anonymous, or impersonated accounts are not permitted;
  • transactions are consistent with the customer’s profile and risk categorisation; and
  • appropriate monitoring and risk mitigation measures are applied.

3.2 Identification and Verification of Individual Customers

CoinSwitch identifies individual customers by collecting and verifying a prescribed set of personal, contact, and financial information at the time of onboarding. This information is used to establish the customer’s identity and create a risk profile in line with the risk-based approach. Identity and address details are verified using a combination of automated systems, third-party verification tools, and manual review where required. Mobile numbers and email addresses are verified using secure authentication mechanisms such as one-time passwords or verification links.

3.3 Geo-Location and Liveness Verification

CoinSwitch captures the geo-location coordinates of the customer at the time of onboarding to establish the physical location from which the verification is undertaken. This includes capturing latitude, longitude, date, timestamp, and IP address, in line with regulatory expectations.

CoinSwitch also uses liveness detection and selfie-based verification mechanisms to ensure that the customer undergoing onboarding is a real and present individual. In cases where discrepancies are observed between declared address information and geo-location data, enhanced due diligence measures are applied.

3.4 Video-based Customer Identification

CoinSwitch may conduct video-based customer identification where automated verification processes are insufficient, where enhanced due diligence is required, or where additional assurance of identity is necessary. Video-KYC is conducted using secure systems and recorded in accordance with applicable regulatory requirements. This process may also be applied to high-risk customers, Politically Exposed Persons, or customers associated with higher-risk activities or transactions.

3.5 Bank Account Verification

CoinSwitch conducts bank account verification as part of its Customer Due Diligence and ongoing due diligence framework to establish and validate the linkage between a customer’s verified identity and the bank account used for fiat transactions on the Platform.

Bank verification is performed using an automated penny-drop, reverse penny-drop or equivalent verification mechanism, whereby a nominal amount is transferred to the customer’s bank account to confirm account ownership and ensure consistency between the bank account holder details and the customer’s verified KYC information.

CoinSwitch periodically reviews bank account details and may re-verify bank accounts where required based on risk indicators, changes in customer information, or unusual transaction activity.

3.6 Customer Due Diligence (CDD)

CoinSwitch applies Customer Due Diligence measures proportionate to the risk category assigned to the customer. At a minimum, standard due diligence is conducted for all customers, which includes identity verification, screening, and risk profiling.

For customers assessed as high risk, CoinSwitch applies enhanced due diligence measures. Enhanced due diligence may include additional information collection, source of funds verification, increased transaction monitoring, deeper background checks, and more frequent reviews. CoinSwitch retains discretion to determine the scope and intensity of due diligence based on evolving risk indicators and regulatory guidance.

3.7 Ongoing Due Diligence and Trigger-Based Review

Customer identification does not end at onboarding. CoinSwitch continuously monitors customer activity and transaction behaviour to ensure consistency with the customer’s profile and stated purpose. Customer information is reviewed and updated periodically and whenever trigger events occur, such as unusual transaction patterns, changes in customer behaviour, adverse screening results, or regulatory alerts.

Where CoinSwitch identifies doubts regarding the authenticity, accuracy, or adequacy of customer information, it undertakes additional verification and may restrict or suspend account activity until concerns are resolved.

3.8 Failure to Complete Identification

CoinSwitch does not establish or continue a customer relationship where it is unable to complete customer identification or due diligence requirements. Where a customer fails to provide required information, provides false or misleading information, or refuses to cooperate with verification requests, CoinSwitch restricts access to the Platform and may terminate the relationship. In such cases, CoinSwitch evaluates whether a Suspicious Transaction Report is required to be filed with FIU-IND.

 

4. Risk-Based Approach (“RBA”) and Customer Risk Categorisation

CoinSwitch adopts a comprehensive RBA for the identification, assessment, mitigation, and management of money laundering (“ML”), terrorist financing (“TF”), and proliferation financing (“PF”) risks associated with its operations as a Reporting Entity providing services related to Virtual Digital Assets. This approach enables CoinSwitch to apply proportionate controls commensurate with the nature and level of risk identified and to allocate compliance resources efficiently. issued by the Financial Intelligence Unit – India (FIU-IND), as amended from time to time.

4.1 Enterprise-Wide Risk Assessment

CoinSwitch conducts a structured, enterprise-wide risk assessment to identify areas where its products, services, customers, delivery channels, and technologies may be exposed to ML/TF/PF risks. The assessment considers, inter alia, risks arising from Virtual Digital Assets, VDA-related products and services, transaction structures, the use of anonymity-enhancing technologies, complex or high-value transactions, exposure to high-risk jurisdictions, and the technologies or tools associated with VDA activities.

Prior to the launch of any new products, services, technologies, or material changes to existing offerings, CoinSwitch undertakes a specific risk assessment to identify, assess, and mitigate any additional ML/TF/PF risks that may arise from such changes.

The enterprise-wide risk assessment is documented and is proportionate to the nature, size, geographical presence, complexity, and structure of CoinSwitch’s business. The results of the risk assessment, along with the mitigation measures identified and implemented, are placed before the Board for review and oversight and are made available to FIU-IND or other competent authorities as and when required. CoinSwitch ensures that the enterprise-wide risk assessment is conducted on a regular basis and that the interval between any two assessments does not exceed one year.

4.2 Customer Risk Categorisation Framework

The risk categorisation framework sets out the principles, parameters, and methodology for categorising customers based on their assessed ML/TF/PF risk and forms the basis for the application of appropriate customer due diligence, ongoing monitoring, and enhanced controls.

Under this framework, customers are classified at a minimum into the following risk categories:

  • Medium Risk
  • High Risk

CoinSwitch may develop additional sub-categories or apply more granular segmentation where a higher risk perception warrants enhanced scrutiny.

4.3 Parameters for Customer Risk Classification

Customer risk classification is undertaken based on a holistic assessment of multiple parameters, including the customer’s identity, financial position, nature of business or activity, source of funds, transaction behaviour, geographical exposure of the customer and transactions, and the type of products or services availed through the Platform. These parameters are objectively defined within CoinSwitch’s internal procedures and are consistently applied to ensure uniformity in risk assessment.

4.4 Periodic Review of Customer Risk Classification

CoinSwitch has implemented a system of periodic review of customer risk classification to ensure that the assigned risk level remains appropriate over time. The risk classification of customer accounts is reviewed at a periodicity of at least once every six months, or earlier where triggered by changes in customer behaviour, transaction patterns, profile updates, regulatory developments, or other risk indicators.

Where a review results in a change to a customer’s risk category, the applicable due diligence and monitoring measures are updated accordingly without undue delay.

4.5 Confidentiality of Risk Classification

The risk classification of customers and the specific reasons underlying such classification are treated as confidential and are restricted to authorised personnel within CoinSwitch. Such information is disclosed only on a need-to-know basis or where required under applicable law or regulatory direction.

4.6 Application of Risk-Based Controls

CoinSwitch applies customer due diligence, enhanced due diligence, transaction monitoring, and ongoing review measures proportionate to the customer’s risk classification. Higher-risk customers are subject to enhanced scrutiny and more intensive monitoring to ensure timely detection and reporting of suspicious activities, while medium-risk customers are monitored using controls appropriate to their assessed risk.

CoinSwitch does not engage in wholesale de-risking and evaluates each customer relationship based on its specific risk profile and CoinSwitch’s ability to effectively manage and mitigate the identified risks in compliance with applicable laws and regulatory guidance.

5. Ongoing Due Diligence and Transaction Monitoring

CoinSwitch conducts ongoing due diligence and transaction monitoring throughout the lifecycle of the customer relationship to ensure that customer activity remains consistent with the information obtained at onboarding, periodic KYC updates, and the customer’s assigned risk classification. This framework enables CoinSwitch to identify, assess, mitigate, and report risks relating to money laundering, terrorist financing, and proliferation financing in a timely manner.

The extent and intensity of ongoing due diligence and monitoring are proportionate to the customer’s risk category and the nature, volume, and complexity of transactions undertaken on the Platform.

5.1 Transaction Monitoring Framework

CoinSwitch has established and maintains a comprehensive transaction monitoring framework that operates on a continuous basis and is aligned with FIU-IND guidance for detecting suspicious transactions.

Transaction monitoring applies to all transactions conducted on or through the Platform, including fiat-to-fiat, fiat-to-VDA, VDA-to-VDA, and VDA-to-fiat transactions. The monitoring framework is designed to identify both attempted and completed suspicious transactions.

Monitoring systems are calibrated to the scale, size, and complexity of CoinSwitch’s VDA-related activities and are periodically reviewed to remain effective against evolving ML/TF/PF risks.

5.2 Identification of Unusual and Suspicious Activity

CoinSwitch’s monitoring framework is designed to flag unusual or suspicious activity that may indicate illicit behaviour. This includes, but is not limited to, transactions that are inconsistent with a customer’s known profile, sudden changes in transaction patterns, structuring or layering of funds, rapid movement of VDAs, exposure to high-risk jurisdictions, use of unhosted wallets, and transactions involving anonymity-enhancing technologies or services.

Red Flag Indicators, typologies, alerts, and advisories issued by FIU-IND are embedded into CoinSwitch’s monitoring processes, along with additional indicators identified through internal risk assessments.

All alerts generated through monitoring systems are promptly reviewed and escalated to the Principal Officer wherever required.

5.3 Travel Rule Compliance

CoinSwitch complies with the Travel Rule requirements applicable to Virtual Digital Asset (“VDA”) transfers in accordance with Rule 4 of the PML Rules and the AML-CFT-CPF Guidelines issued by the FIU-IND. These requirements are applied to all VDA transfers facilitated on or through the Platform, irrespective of transaction value.

CoinSwitch ensures that sufficient and accurate information is obtained, held, and transmitted to permit reconstruction of individual VDA transactions and to maintain transparency in VDA transfers involving CoinSwitch, whether acting as an originating Reporting Entity or a beneficiary Reporting Entity.

5.3.1 Obligations as the Originating Reporting Entity

Where CoinSwitch acts as the originating Reporting Entity for a VDA transfer initiated by a customer holding a wallet with CoinSwitch or using CoinSwitch services, CoinSwitch undertakes Customer Due Diligence and sanctions screening on the customer as well as appropriate screening of the counterparty Reporting Entity prior to transmitting the required Travel Rule information. This is to ensure that CoinSwitch does not unknowingly deal with illicit actors, sanctioned persons, or prohibited entities.

CoinSwitch ensures that required and accurate originator and beneficiary information is submitted prior to, simultaneously with, or concurrently with the execution of the VDA transfer. Post-facto submission of required information is not permitted.

The required information obtained, held, and transmitted by CoinSwitch as the originating Reporting Entity includes, at a minimum:

  • the originator’s Permanent Account Number (PAN) and identity document number;
  • the originator’s verified full name;
  • the originator’s wallet address or account number used to process the transaction;
  • the originator’s verified physical or geographical address and date of birth;
  • the beneficiary’s name, as identified by the originator, which is reviewed for sanctions screening, transaction monitoring, and STR determination; and
  • the beneficiary’s wallet address or account number used to process the transaction.

All transmitted information is securely stored and made available without delay to FIU-IND or other competent authorities upon lawful request.

5.3.2 Obligations as the Beneficiary Reporting Entity

Where CoinSwitch acts as the beneficiary Reporting Entity for a VDA transfer received from another Reporting Entity, CoinSwitch obtains and holds the Travel Rule information transmitted by the originating Reporting Entity and reviews such information for sanctions screening, transaction monitoring, and suspicious activity detection.

The information obtained and retained by CoinSwitch as the beneficiary Reporting Entity includes:

  • the originator’s PAN and identity document number;
  • the originator’s name, reviewed for screening and monitoring purposes;
  • the originator’s wallet address or account number;
  • the originator’s physical or geographical address and date of birth;
  • the beneficiary’s verified name, which CoinSwitch confirms against its own customer records; and
  • the beneficiary’s wallet address or account number.

CoinSwitch verifies that beneficiary information received from the originating Reporting Entity matches its verified customer data and escalates discrepancies for enhanced review.

5.3.3 Technology Enablement and Secure Information Exchange

CoinSwitch deploys appropriate technological solutions to enable secure, timely, and accurate transmission, receipt, storage, and retrieval of Travel Rule information between originating and beneficiary Reporting Entities. These solutions are designed to ensure integrity, confidentiality, availability, and auditability of data in compliance with AML-CFT-CPF obligations.

In exceptional circumstances where deployment of such technological solutions is not feasible, CoinSwitch may rely on a controlled self-declaration–based mechanism, subject to enhanced scrutiny and internal approvals, to ensure continued compliance with regulatory expectations.

The deployed mechanisms enable CoinSwitch to:

  • transmit required information securely and immediately in connection with VDA transfers;
  • maintain reliable communication channels for follow-up with counterparty Reporting Entities;
  • conduct counterparty due diligence and seek additional information where transactions present elevated risk or involve potential sanctions exposure; and
  • promptly provide required information to FIU-IND or other competent authorities upon request.

5.3.4 Monitoring, Exceptions, and Escalation

CoinSwitch monitors VDA transfers to identify transactions that lack required originator or beneficiary information or present inconsistencies, anomalies, or red flags. Transactions with missing, incomplete, or unreliable Travel Rule information are subject to enhanced scrutiny and may be restricted, delayed, or declined until compliance requirements are satisfied.

Any transaction identified as suspicious in connection with Travel Rule reviews is escalated in accordance with CoinSwitch’s internal escalation framework and assessed for reporting to FIU-IND through a Suspicious Transaction Report. Confidentiality and tipping-off prohibitions are strictly observed.

5.4 Sanctions and Watchlist Screening

CoinSwitch conducts sanctions and watchlist screening at onboarding, upon changes in customer information, at periodic intervals, and in connection with VDA transactions. Screening is performed against applicable sanctions regimes, including United Nations Security Council Resolutions, directives issued under the Unlawful Activities (Prevention) Act, 1967, the Weapons of Mass Destruction Act, 2005, and other applicable laws.

Preventive controls are in place to ensure that transactions involving sanctioned persons, entities, wallets, or jurisdictions are identified promptly. Where required, wallets or transactions may be placed on hold pending further review and regulatory clearance.

5.5 Blockchain Analysis and On-Chain Monitoring

CoinSwitch utilises blockchain analysis and on-chain monitoring tools as an integral component of its ongoing due diligence, transaction monitoring, and risk mitigation framework for VDA activities. The objective of blockchain analysis is to enhance transparency of VDA transactions and to identify, assess, and mitigate potential ML, TF and PF risks, in accordance with the PMLA, PML Rules, and applicable guidelines issued by FIU-IND.

Blockchain analysis is applied to VDA transactions conducted on or through the Platform, including deposits, withdrawals, and transfers involving both hosted and unhosted wallets. The application of on-chain monitoring is risk-based and proportionate to the nature, scale, and risk profile of the customer, product, and transaction.

5.5.1 Scope and Application

Blockchain analysis covers, inter alia, the assessment of wallet addresses, transaction flows, counterparty exposure, and transactional patterns to identify indicators of elevated ML/TF/PF risk. Such indicators may include exposure to high-risk jurisdictions, sanctioned or watch-listed wallet addresses, use of anonymity-enhancing technologies or crypto assets, rapid movement or layering of VDAs, and other typologies identified through CoinSwitch’s internal risk assessments, regulatory advisories, or supervisory communications.

5.5.2 Review, Escalation, and Integration with AML Controls

Transactions, wallet interactions, or behavioral patterns flagged through blockchain analysis are reviewed by CoinSwitch in conjunction with customer identification data, transaction history, and customer risk classification. Where warranted, CoinSwitch may seek additional information from the customer, apply Enhanced Due Diligence measures, impose appropriate risk-mitigating controls, or escalate the matter to the Principal Officer for further evaluation.

Outputs from blockchain analysis form an integral input into CoinSwitch’s Customer Due Diligence, Enhanced Due Diligence, transaction monitoring, and Suspicious Transaction Reporting processes, and may result in regulatory reporting to FIU-IND in accordance with applicable requirements.

5.5.3 Periodic Review and Effectiveness

Blockchain analysis tools, monitoring parameters, and identified risk typologies are reviewed periodically to ensure their continued effectiveness, alignment with evolving ML/TF/PF risks, and consistency with applicable laws, regulatory guidance, and supervisory expectations.

5.6 Suspicious Transaction Reporting (“STR”)

CoinSwitch identifies and reports suspicious and attempted suspicious transactions in accordance with the PML Act, PML Rules, and FIU-IND guidance, irrespective of transaction value.

Where suspicion is established after due analysis and application of mind, STRs, including reports of attempted suspicious transactions, are filed with FIU-IND promptly from the date on which suspicion is confirmed.

Suspicious Transaction Reports are filed only after due application of mind and comprehensive analysis of all relevant information, including customer KYC data, transaction history, wallet details, and behavioural indicators. The Compliance Team is responsible for investigation and preparation of STRs, and the Principal Officer is responsible for filing reports with FIU-IND promptly.

CoinSwitch strictly maintains confidentiality of STR-related processes and prohibits tipping-off in any form.

5.6.1 Sanctions or watchlist matches identified at onboarding, during periodic screening, or in connection with transactions are escalated immediately to the Principal Officer. Transactions involving confirmed sanctioned persons, entities, wallets, or jurisdictions are blocked or restricted pending regulatory clearance, and reports are filed in accordance with applicable legal requirements.

CoinSwitch maintains internal escalation matrices to ensure that alerts, high-risk cases, and regulatory reporting obligations are handled within defined turnaround times. These matrices are reviewed periodically to ensure alignment with regulatory expectations and operational scale.

5.7 Regulatory Reporting and Review

CoinSwitch submits periodic reports, metrics, and other prescribed information to FIU-IND in the form and manner specified from time to time. The transaction monitoring and ongoing due diligence framework is subject to periodic review and enhancement based on regulatory updates, internal audits, and evolving ML/TF/PF risks.

CoinSwitch responds promptly and comprehensively to requests, notices, or directions received from FIU-IND, law enforcement agencies, or other competent authorities under Applicable Law. It ensures confidentiality of regulatory and law enforcement communications and strictly prohibits disclosure of such requests or related actions to customers or third parties, in line with tipping-off prohibitions under the PMLA.

5.8 AML Business Continuity

CoinSwitch ensures continuity of critical AML-CFT functions, including transaction monitoring, sanctions screening, escalation, and regulatory reporting, during system outages, operational disruptions, or emergencies.

Business continuity and disaster recovery arrangements ensure that AML-CFT controls remain operational or are restored within reasonable timeframes. Manual or alternate procedures may be activated where required to ensure compliance with statutory obligations.

6. Record Keeping and Data Retention

CoinSwitch maintains comprehensive, accurate, and secure records relating to customer identification, transactions, and due diligence activities in accordance with applicable laws and regulations.

All records are preserved in a manner that ensures confidentiality, integrity, availability, and non-repudiation, and are not destroyed during the applicable statutory retention period.

6.1 Customer Identification Records

CoinSwitch maintains and preserves records pertaining to customer due diligence and identification obtained at the time of onboarding and during the course of the business relationship. These records are retained for a minimum period of five (5) years after the termination of the account-based relationship or such longer period as may be required under Applicable Law or directed by regulatory or law enforcement authorities.

6.2 Transaction Records

CoinSwitch maintains complete and accurate records of all transactions conducted on or through the Platform. Transaction records are preserved for a minimum period of five (5) years from the date of the transaction. Where a transaction or account is subject to an ongoing investigation or has been reported to FIU-IND or any other competent authority, such records are retained until confirmation is received that the matter has been conclusively closed.

6.3 Audit Trails and Data Integrity

CoinSwitch preserves complete and tamper-proof audit trails for all KYC, transaction monitoring, and compliance activities. Audit trails include verification responses, timestamps, authentication logs, system access logs, and investigation workflows. Appropriate safeguards are implemented to prevent unauthorised alteration, deletion, or destruction of records.

6.4 Data Security and Confidentiality

CoinSwitch applies appropriate technical and organisational safeguards to protect customer information and records against unauthorised access, disclosure, misuse, or loss. Access to AML-CFT records is restricted strictly to authorised personnel on a need-to-know basis. All data handling practices are aligned with applicable data protection, information security, and confidentiality requirements.

Customer information is disclosed only where required under Applicable Law or pursuant to lawful directions from regulatory or enforcement authorities. CoinSwitch strictly prohibits tipping-off in relation to Suspicious Transaction Reports or AML-CFT reviews.

6.5 Review and Compliance Assurance

CoinSwitch periodically reviews its record-keeping and data retention framework to ensure continued compliance with applicable laws, regulatory guidance, and evolving ML/TF/PF risks associated with VDA activities. The framework is subject to internal audit and supervisory review, as applicable.

7. Additional Risk Mitigation Measures for High-Risk VDA Activities

CoinSwitch recognises that VDA activities inherently carry elevated risks of money laundering, terrorist financing, and proliferation financing due to their speed, global reach, pseudonymity, and evolving technological features. In accordance with the AML-CFT Guidelines issued by FIU-IND, CoinSwitch has implemented additional risk mitigation measures for activities, products, services, customers, and transactions assessed as high risk.

These measures are applied in a proportionate manner based on the nature, size, complexity, and risk profile of the activity and are integrated into CoinSwitch’s overall Risk-Based Approach framework.

7.1 Identification of High-Risk VDA Activities

CoinSwitch identifies high-risk VDA activities through its enterprise-wide risk assessment and ongoing monitoring processes. Activities that may be considered higher risk include, but are not limited to, transactions involving anonymity-enhancing crypto assets, interactions with unhosted or self-custodial wallets, exposure to high-risk or sanctioned jurisdictions, complex or unusually large-value transactions, rapid movement or layering of VDAs, and use of technologies or services designed to obscure transaction trails.

Prior to the introduction of any new VDA product, service, technology, or delivery mechanism, CoinSwitch undertakes a specific risk assessment to identify and mitigate potential ML/TF/PF risks arising from such offerings.

7.2 Enhanced Due Diligence for High-Risk Activities

Where a customer, transaction, product, or activity is classified as high risk, CoinSwitch applies Enhanced Due Diligence measures commensurate with the identified risks. These measures may include obtaining additional customer information, enhanced verification of identity and source of funds, closer scrutiny of transaction behaviour, and more frequent review of customer risk classification.

Enhanced Due Diligence is conducted and, where required, escalated to senior management or the Principal Officer for appropriate action.

7.3 Controls for Anonymity-Enhancing Crypto Assets and Technologies

CoinSwitch does not allow crypto withdrawals or deposits for anonymity-enhancing crypto assets, privacy-focused protocols, or other technologies designed to obfuscate transaction origin or destination.

7.4 Unhosted Wallet Risk Management

Transactions involving unhosted or self-custodial wallets are subject to enhanced scrutiny due to the absence of an intermediary Reporting Entity. CoinSwitch undertakes additional verification, monitoring, and Travel Rule compliance checks for such transactions to ensure visibility over originator and beneficiary information.

CoinSwitch may seek additional information from customers regarding ownership, control, and purpose of unhosted wallets and may restrict transactions where required information cannot be obtained or verified to its satisfaction.

7.5 Geographic and Cross-Border Risk Controls

CoinSwitch incorporates geographic risk factors into its monitoring and risk mitigation framework. Transactions involving jurisdictions identified as high-risk, non-cooperative, or subject to enhanced monitoring by FATF or other competent authorities are subject to increased scrutiny, enhanced monitoring, and escalation procedures.

CoinSwitch ensures that it does not engage in transactions that violate applicable sanctions regimes, including those issued under United Nations Security Council Resolutions, UAPA or other applicable laws.

7.6 Proliferation Financing Risk Mitigation

CoinSwitch integrates proliferation financing risk considerations into its AML-CFT controls, including sanctions screening, transaction monitoring, and customer risk assessments.

Transactions with potential links to entities, individuals, or jurisdictions associated with proliferation risks are subject to enhanced review, escalation, and reporting where required.

7.7 Ongoing Monitoring and Review of High-Risk Activities

High-risk VDA activities are subject to continuous monitoring and periodic reassessment to ensure that the applied mitigation measures remain effective and proportionate. CoinSwitch reviews emerging typologies, regulatory guidance, and technological developments to update its controls and monitoring parameters as necessary.

The outcomes of monitoring and risk mitigation actions are documented and retained in accordance with record-keeping requirements and are made available to competent authorities upon request.

8. Periodic KYC Updation (Periodic CDD Updation)

The periodicity of KYC updation is determined based on customer risk classification. For customers assessed as high risk, KYC updation is undertaken at least once every six months. For all other customers, including medium-risk customers, KYC updation is undertaken at least once every year, measured from the date of account opening or the last KYC updation, whichever is later.

During periodic updation, CoinSwitch reviews the completeness and validity of all CDD information and documents, including identity details, address, nature of business or occupation, source of funds, and beneficial ownership details, where applicable.

Where there is no change in CDD information, CoinSwitch shall obtain a self-declaration from the customer confirming that the information on record remains unchanged. In the case of legal persons, CoinSwitch additionally ensures that beneficial ownership information remains accurate and up to date, supported by a self-declaration.

Where there is any change in CDD information, or where the validity of CDD documents has expired, CoinSwitch undertakes the CDD process equivalent to that applicable at the time of onboarding a new customer, including verification of updated documents.

CoinSwitch ensures that all information and documents obtained during periodic or ad-hoc updation are promptly updated in its systems. Records clearly capturing the date of CDD updation and nature of changes are maintained.

Customers are advised of their obligation to promptly inform CoinSwitch of any changes in information or documents submitted at the time of establishing the relationship or thereafter. Non-compliance with periodic KYC updation requirements may result in restrictions, suspension, or termination of account access, in accordance with Applicable Law.

9. Governance Structure, Roles and Responsibilities

9.1 Board Oversight

The Board of Directors bears ultimate responsibility for AML-CFT compliance. The Board approves the AML-CFT Policy, CDD Programme, risk assessment framework, and material updates thereto. The Board ensures that adequate resources, internal controls, systems, and trained personnel are in place to effectively manage ML/TF/PF risks.

The Board or a designated Committee of the Board reviews AML-CFT matters periodically, including reports placed by the Principal Officer.

In addition to responsibilities set out elsewhere in the Policy, the Board of Directors or a designated Committee of the Board reviews AML-CFT matters at least annually and more frequently where warranted based on the risk profile, regulatory developments, or material incidents.

Periodic reports placed before the Board include, inter alia, summaries of risk assessments, customer risk distribution, STR filings, sanctions exposure, regulatory communications, audit findings, and status of corrective actions. The Board provides strategic direction and ensures that management implements timely remedial measures.

9.2 Designated Director

CoinSwitch has appointed a Designated Director in accordance with Rule 2(1)(ba) of the PML Rules. The Designated Director is responsible for ensuring overall compliance with the obligations imposed under Chapter IV of the PMLA and the PML Rules.

The Designated Director ensures the establishment of internal mechanisms for adherence to procedures relating to maintenance of records under Rule 5, furnishing of information under Rule 7, submission of prescribed reports under Rule 3, and conduct of risk assessments under Rule 9(13) of the PML Rules. The Designated Director oversees compliance across record-keeping, CDD, transaction monitoring, reporting, and training, and ensures that adequate resources and controls support statutory compliance.

9.3 Principal Officer

CoinSwitch has appointed a Principal Officer in accordance with Rule 2(1)(f) of the PML Rules. The Principal Officer is a senior management-level official, based in India, and is exclusively engaged with CoinSwitch on a full-time basis for AML-CFT compliance.

The Principal Officer possesses adequate seniority, independence, and authority, has a minimum of three years of relevant experience, and has thorough knowledge of ML/TF/PF risks specific to the VDA sector.

The Principal Officer is responsible for implementation and ongoing compliance with AML-CFT obligations, monitoring transactions, and furnishing information and reports to FIU-IND, including Suspicious Transaction Reports.

While analytical and preparatory tasks may be delegated within the AML compliance team, the ultimate responsibility for analysis, decision-making, and reporting rests with the Principal Officer. Reasons for treating transactions as suspicious or non-reportable are documented and retained.

The Principal Officer has unrestricted and timely access to all customer, transaction, and KYC information and may call for information from any function within CoinSwitch to ensure timely regulatory reporting.

The Principal Officer reports directly to the Board or a designated Board Committee and places a periodic review of the AML-CFT framework before it, at least annually, covering effectiveness of controls, identified risks, STR filings, FIU-IND instructions, and proposed policy changes.

The Principal Officer and the Designated Director are separate individuals. Their appointment details are communicated to FIU-IND and updated through the FINGate portal as required.

10. Employee Training and Awareness

CoinSwitch promotes a strong culture of compliance and vigilance across the organisation and provides structured and comprehensive training to ensure that employees are able to identify, assess, and report suspicious activities in accordance with applicable AML-CFT-CPF requirements.

10.1 AML/CFT Training Framework

The AML/CFT training programme at CoinSwitch is designed to ensure that all employees understand and comply with the company’s obligations under applicable AML, KYC, sanctions, and related regulatory frameworks, as part of its broader commitment to preventing financial crimes.

Training is delivered through a combination of online learning modules and practical case-based exercises. Employees may be required to successfully complete assessments or quizzes to demonstrate adequate understanding of the training content.

Completion of mandatory AML/CFT training within prescribed timelines is required for all employees. Training completion is monitored by management and the compliance function. Employees requiring clarification or additional support are provided appropriate assistance. Failure to complete mandatory training within stipulated timelines may result in corrective or disciplinary action, including restriction or suspension of duties, until training requirements are fulfilled.

10.2 Induction and Refresher Training

All new employees are required to complete AML/CFT and KYC training within thirty (30) days of commencement of employment. Refresher training is conducted on a periodic basis, and at least annually, to ensure continued awareness of regulatory developments, policy updates, and emerging ML/TF/PF risks.

Training modules cover, inter alia, customer due diligence requirements, customer risk profiling, enhanced due diligence measures, identification of suspicious transactions, internal escalation procedures, reporting obligations, and confidentiality requirements. Case studies and practical scenarios are incorporated to facilitate effective application of concepts.

10.3 Internal Guidance and Customer Communication

CoinSwitch may issue internal guidance notes, standard operating procedures, and frequently asked questions (FAQs) to support employees in implementing this Policy. Where required, appropriate customer-facing FAQs or guidance may be made available to facilitate information gathering and address customer queries in a transparent and compliant manner.

10.4 Policy Integrity

CoinSwitch has taken reasonable measures to ensure that this Policy is aligned with applicable laws and regulatory guidelines. The invalidity or unenforceability of any provision of this Policy shall not affect the validity or enforceability of the remaining provisions.

10.5 Recruitment Screening

CoinSwitch undertakes appropriate screening of employees at the time of recruitment for roles relevant to AML-CFT compliance, customer onboarding, transaction monitoring, and related control functions.

Screening measures may include verification of identity, employment history, and other checks deemed appropriate based on the role and risk exposure. These measures are designed to ensure integrity, competence, and fitness of personnel entrusted with AML-CFT responsibilities.

10.6 Training Effectiveness

Records of AML-CFT training completion, assessment results, and attendance are maintained by CoinSwitch in accordance with record-keeping requirements.

The effectiveness of training programmes is periodically reviewed by the Compliance function through assessment outcomes, quality of escalation, audit observations, and supervisory feedback. Training content and frequency are updated as necessary to address identified gaps, emerging risks, and regulatory changes.

Updated Date: 26th Feb 2026