The Computer Emergency Response Team (CERT-in) has issued a directive affecting the operation of cryptocurrency exchanges in India.
The CERT-in has mandated virtual asset service providers, VPN providers, and data centers to retain user information for five years. This is necessary to “provide cyber security in payments and financial markets for citizens, protect their data, fundamental rights and economic freedom.”
The data in question includes the names of clients, their contact and other information collected as part of the execution of the KYC procedure. Crypto exchanges and VPN providers must report any cyber incident within six hours of its occurrence. They are also instructed to hand over collected data to authorities upon request. The document reads:
“With regard to transaction records, the information must be stored in such a way that a single transaction can be reconstructed along with the relevant elements, including […] information regarding the identity of the parties, IP addresses with timestamps and time zones, transaction ID, public keys (or equivalent identifiers), the corresponding addresses or accounts (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.”
The CERT-in has not specified whether whether the rules apply only to platforms operating in India, or apply to foreign ones.
