State of the Law: The Fiat–Crypto Gateway as the First Regulatory Checkpoint

In our previous article, we examined the layered architecture of cryptocurrency systems and the challenges it poses to traditional regulatory scrutiny. As discussed, cryptocurrency networks are not monolithic systems but are composed of distinct technological layers including the protocol, programmable, tokenisation and interoperability layers. Unlike conventional financial systems, these layers operate without centralised intermediaries, and thereby preventing any single regulator interfering with or regulating its functioning. This feature disrupts the institutional foundations on which financial regulation has historically been built. We concluded that the more meaningful regulatory inquiry is not which layer of the technology to regulate, but rather which points within this ecosystem are most amenable to effective oversight.

If decentralised systems cannot be regulated in the same way as conventional financial systems, the more practical question is where the State can still exercise control. This takes us to the first checkpoint: the movement of value between fiat currency and crypto-assets. Regulation at this checkpoint focuses on the points where such movement passes through banks, payment rails, exchanges, or other identifiable service providers.

This article first explains the fiat–crypto gateway as a checkpoint. It then considers how Indian law presently regulates this interaction, before briefly examining the approach adopted by other jurisdictions. Finally, it considers the limitations of regulating at this checkpoint. We conclude that while regulation at the fiat–crypto gateway is necessary, it is limited. It captures the conversion of value when crypto interacts with fiat, but not the subsequent circulation of value on-chain. This is why additional checkpoints must be identified at other levels of the cryptocurrency ecosystem.

For most users, fiat–crypto conversion remains the primary practical way to enter and exit the cryptocurrency ecosystem. The entry point typically begins with converting fiat currency into crypto-assets via an intermediary such as a centralised exchange, a payment gateway, or, in some cases, a peer-to-peer (P2P) platform. This process is generally known as on-ramping. A user initiates this process by transferring funds from a bank account using conventional payment rails such as bank transfers, UPI, or card-based payments. At this stage, the transaction is entirely within the traditional financial system. It is more readily traceable, subject to KYC requirements, and regulated by traditional financial laws. Once the funds are credited to the user’s account, the user may acquire crypto-assets.

The reverse process, called the off-ramp, occurs when a user sells crypto-assets and withdraws fiat currency back into the banking system. Here again, the transaction re-enters a regulated environment, with banks and payment service providers acting as the final point of settlement. At both entry and exit, therefore, value passes through identifiable intermediaries, such as banks and exchanges, as well as regulated financial infrastructure. These transactions are therefore more readily traceable and can be brought within the scope of regulatory oversight.

This is what makes the fiat–crypto gateway a natural regulatory checkpoint, since this transaction leaves a record within systems that regulators already supervise. By contrast, a transaction within the blockchain can be completed pseudonymously, without any intermediary, on a public ledger that no single authority controls. This gateway is the point at which an otherwise decentralised system comes into contact with the formal financial system, where the conventional regulatory system has oversight.

India’s regulatory ecosystem regulates the fiat–crypto checkpoint predominantly through Anti-Money Laundering/Countering the Financing of Terrorism regulations (“AML/CFT”) and taxation. Both operate at points where crypto activity becomes visible to the formal legal and financial system.

The first intervention was under the Prevention of Money Laundering Act, 2002 (“PMLA”). By a notification dated 07.03.2023, the Central Government brought specified activities involving Virtual Digital Assets (“VDAs”) within the purview of the PMLA. These include, among other things, exchange between VDAs and fiat currencies. In practical terms, this means that businesses facilitating fiat-to-crypto or crypto-to-fiat conversions are brought within the PMLA reporting framework. These entities are therefore required to identify their customers, maintain records, monitor transactions and report suspicious activity. The PMLA framework has visibility over this checkpoint by regulating the businesses that make conversion between fiat currency and crypto-assets possible.

The second intervention is taxation. Through the Finance Act, 2022, India introduced a specific tax regime for VDAs. Income from the transfer of VDAs is taxed at a flat rate of 30%, and tax is required to be deducted at source on certain transfers. While taxation does not confer legal status on cryptocurrency, its significance lies in bringing VDA transfers within the State’s fiscal purview.

India’s approach at this checkpoint largely aligns with the rest of the world. This is reflected in the global Financial Action Task Force (“FATF”) framework, which requires countries to apply AML/CFT obligations to virtual asset service providers. In practical terms, these obligations are enforced at the points where users access, exchange, transfer, custody, or convert virtual assets through identifiable businesses, including fiat-facing exchanges and on/off-ramp providers. FATF also applies the ‘Travel Rule’, which requires information about the sender and recipient to accompany certain virtual asset transfers where regulated service providers are involved.

This approach is seen in the United Kingdom, where crypto-asset businesses carrying on in-scope activities must register with the Financial Conduct Authority under the AML/CFT regime, and in Singapore, where digital payment token service providers are subject to Monetary Authority of Singapore-administered AML/CFT requirements. Most countries have adopted the FATF Framework.

While India, like other jurisdictions, has regulated the on-ramp/off-ramp gateway, this checkpoint has inherent limitations. What happens on-chain after the on-ramp and before the off-ramp is often difficult to attribute, monitor or control in the same way as conventional financial transactions.

Custodial Wallets, Self Custodial Wallets, and P2P Platforms

Traceability is easier where crypto-assets remain within a centralised exchange (like CoinDCX or Binance). Centralised exchanges typically retain control over users’ private keys (hence the term ‘custodial’ wallet) and hold their crypto assets in trust. Trades between users are often reflected within the platform’s internal ledger rather than on the blockchain itself. The exchange updates its own records to debit one account and credit another, in a manner similar to an internal bank transfer. Such transactions remain within the platform’s systems and can therefore be monitored. Therefore, when the movement is entirely between users of a centralised exchange, it is possible to follow the trail of value and attribute it to the relevant users. The existing 2023 notification recognises this and requires entities to report on the ‘exchange’ and ‘transfer’ of VDAs.

The difficulty begins when the asset is withdrawn from this environment and transferred to a decentralised environment. A user may, for example, withdraw crypto-assets to a self-custodial wallet (like Metamask). In a self-custodial wallet, the user holds their own private keys and exercises direct control over their assets. There is no intermediary involved in authorising the transaction. The user acts as their own custodian and assumes the role usually performed by the intermediary (acting as their own bank). As a result, there may be no service provider that can be made a reporting entity for subsequent wallet-to-wallet transfers.

A similar difficulty arises when users interact through P2P platforms like Binance P2P. In some cases, the platform may temporarily hold crypto-assets in escrow while the buyer transfers fiat currency directly to the seller’s bank account. Once payment is confirmed, the crypto-assets are released to the buyer. This structure splits the transaction. The platform may have visibility over the crypto leg, while the fiat leg moves directly between users through the banking system. The bank may see a fiat transfer, but may not know that it relates to a crypto transaction. The platform may see the crypto transfer, but may not control the fiat movement.

What Happens On-Chain

Once crypto-assets move on-chain, particularly into self-custodial wallets, they can be used without any further interaction with the traditional financial system. They may be transferred between wallets, exchanged for other tokens, or deployed within decentralised applications. For example, a user who wants to swap one crypto-asset for another may do so through a decentralised exchange, where the trade is executed against liquidity pools rather than matched with a specific buyer or seller. A liquidity pool is a pool of crypto-assets contributed by multiple users and governed by a smart contract. The transaction is processed automatically by code, without a centralised exchange, order book or identifiable intermediary facilitating the trade.

Similarly, assets may be moved across different blockchain networks through interoperability mechanisms, and consequently transferred across borders (since wallets and crypto live on the internet and are inherently border agnostic) without passing through any regulated financial channels. At this stage, value may circulate entirely within a decentralised environment. While transactions remain visible on public ledgers, the absence of identifiable intermediaries and the pseudonymous nature of blockchain addresses significantly limit the ability of regulators to trace activity back to specific individuals and the value that is being moved within this system may not be easily gauged unless the crypto-asset is converted back into fiat currency.

Traceability is made more difficult with the employment of mixers and tumblers. A mixer aggregates funds from multiple users into a common pool or liquidity pools and redistributes equivalent amounts in a manner that obscures their origin. From an external observer’s perspective, this makes it harder to link the assets received by a user with the assets originally deposited. In recent years, decentralised variants of these services have also emerged, operating through smart contracts rather than centralised operators.

These complications are exacerbated further by ‘layering’. Layering refers to the process of obscuring the origin of funds through a series of complex transactions. For example, a user may convert fiat into crypto-assets, transfer those assets to a self-custodial wallet, deposit them into a decentralised liquidity pool, exchange them for different tokens, bridge those tokens to another blockchain network, and ultimately convert them back into fiat in a different jurisdiction. Each step adds distance between the original fiat conversion and the eventual off-ramp, making it harder to connect the identity of the user who entered the system with the person or wallet receiving value at the point of exit.

The fiat–crypto gateway is the most immediate checkpoint for regulating the movement of value in the cryptocurrency ecosystem. India’s present approach, through AML/CFT obligations and taxation, recognises this reality and broadly aligns with global practice.

However, this checkpoint is only a starting point. It gives the State visibility when value moves between fiat currency and crypto-assets, but it does not provide continuing oversight once value circulates on-chain. Self-custodial wallets, P2P structures, decentralised applications, mixers, liquidity pools and cross-chain transfers all demonstrate the limits of regulations at the fiat–crypto gateway. More fundamentally, the effectiveness of this checkpoint depends on the continued need to convert crypto-assets into fiat currency. As crypto-assets become more widely used within self-contained on-chain ecosystems, users may have less need to on-ramp and off-ramp, limiting the visibility of gateway-focused regulation

The fiat–crypto gateway should therefore be seen as the first checkpoint, not the entire regulatory answer. In the posts that follow, we will examine other points within the crypto ecosystem where regulation may be able to reach.

Anirudh Krishnan, Anuraag Rajagopalan and Hasthisha S. Desikan are Advocates at the Madras High Court and AK Law Chambers.

Athif Ahmed and Reddy Pawan Kumar are Advocates at Hash Legal.