The Computer Emergency Response Team (CERT-in) has just issued a directive affecting the operation of crypto exchanges in India.
The CERT-in has required virtual asset service providers, VPN providers as well as data centers to retain user information for at least five years. According to the agency, this is necessary to “provide cybersecurity in the field of payments and financial markets for citizens, protect their data, fundamental rights and economic freedom.”
The data includes the names of clients, their contact and other information collected as part of the execution of the KYC procedure. Cryptocurrency trading platforms and VPN providers must report any cyber incident within six hours of its occurrence.
In addition, they will have to hand over collected data to the authorities when they request so.
According to the document:
“With regard to transaction records, the information must be stored in such a way that a single transaction can be reconstructed along with the relevant elements, including […] information regarding the identity of the parties, IP addresses with timestamps and time zones, transaction ID, public keys (or equivalent identifiers), corresponding addresses or accounts (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.”