FIU-IND AML & CFT Guidelines 2026: Compliance Guide for Crypto Businesses and Regulators
FIU‑IND AML & CFT Guidelines 2026 mark a new regulatory phase for India’s crypto and digital asset sector.
With the Financial Intelligence Unit, India (FIU‑IND) issuing updated AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets (8 January 2026), virtual digital asset service providers (VDASPs) are now expected to operate at the same compliance standard as banks and other regulated financial institutions.
These guidelines convert the Prevention of Money Laundering Act (PMLA) and the Prevention of Money Laundering (Maintenance of Records) Rules (PMLR) into detailed, technology‑driven operational obligations for crypto exchanges, custodians, wallet providers, brokers, NFT platforms, token issuers, and Web3 intermediaries.
This guide is written for compliance professionals, regulatory leaders, founders, CTOs, and policy officials who need not just a summary of the rules, but a practical understanding of what must be built, documented, monitored, and defended during regulatory inspections.
Why VDASPs are now Full-Fledged Reporting Entities
The guidelines are anchored in three regulatory pillars:
- Prevention of Money Laundering Act, 2002 (PMLA)
- Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PMLR)
- Government notification S.O. 1072(E) (March 2023), which formally designated VDA service providers as Reporting Entities (REs)
What is a Virtual Digital Asset under Indian law?
The guidelines adopt the definition of “Virtual Digital Asset” from Section 2(47A) of the Income‑tax Act, 1961. In simple terms, a VDA includes:
- Any cryptographically generated token, number, or code (including cryptocurrencies and NFTs),
- Digital representations of value used for investment or as a store of value,
- Assets transferable, tradable, or storable electronically,
- Any other digital asset notified by the Central Government.
Indian and foreign fiat currencies are explicitly excluded. The RBI’s Central Bank Digital Currency (CBDC / Digital Rupee) is also outside the scope of these guidelines.
Activities that trigger regulation
A business becomes a VDA Service Provider when it engages in any of the following, whether directly or as an intermediary:
- Exchange between VDAs and fiat currencies,
- Exchange between one or more VDAs,
- Transfer of VDAs between wallets or platforms,
- Safekeeping or administration of VDAs or private keys,
- Participation in or provision of financial services related to the issuance or sale of a VDA.
This scope is deliberately broad and covers exchanges, brokers, custodians, NFT marketplaces, token launch platforms, DeFi interfaces with custody, and payment processors handling crypto flows.
Why FIU‑IND is the regulator for VDASPs
Through Government Notifications (March 2023 and November 2023), VDASPs were formally classified as “Reporting Entities” under the PMLA. This brings them under the supervisory authority of FIU‑IND, with the same obligations as banks and financial institutions for:
- Customer Due Diligence (CDD),
- Enhanced Due Diligence (EDD),
- Ongoing monitoring,
- Suspicious Transaction Reporting (STR),
- Record keeping,
- Sanctions compliance,
- Cooperation with law enforcement.
Importantly, the framework is activity‑based, not location‑based. A platform operating offshore but servicing Indian users or facilitating VDA activity linked to India is still covered.
Mandatory Registration with FIU-IND: No Compliance without Onboarding
Every VDA service provider operating in India, regardless of physical presence, must register on the FINgate portal before commencing or continuing operations.
Registration is a statutory requirement
Operating without registration constitutes a violation of the PMLA and can trigger penalties, directions, and enforcement under Section 13 of the Act. FIU‑IND also maintains a central database of:
- Designated Directors,
- Principal Officers,
- Principal place of business,
- Significant ownership and control information.
The Registration Workflow
- Online registration and issuance of a temporary reference ID
- Submission of comprehensive corporate, financial, technical, and compliance documentation
- Mandatory in‑person meeting with FIU‑IND
- Live demonstration of AML systems
- Issuance of final Reporting Entity ID (RE‑ID)
Only after the RE‑ID is issued does the platform become formally authorised to operate as a Reporting Entity.
Documentation expected
FIU‑IND expects enterprise‑grade transparency. Typical requirements include:
- Corporate structure, shareholders, and ultimate beneficial ownership (UBO) chart,
- Certificate of incorporation, constitutional documents, board resolutions for DD and PO,
- Audited financial statements (three years or since incorporation),
- GST registration and income‑tax filings (including Forms 26Q/26QE where applicable),
- Contracts (domestic or international) with banks, custodians, liquidity providers, technology partners, and other VDASPs,
- PACT (Partner Accreditation for Compliance and Trust) certificate,
- Board‑approved AML/CFT/CPF policy framework,
- Litigation and regulatory action declarations,
- CERT‑In cyber‑security certificate,
- Independent IT and information security audit under the IT Act, 2000,
- Business note explaining how the platform’s services fall within notified VDA activities.
The in‑person technical walkthrough
This is a critical supervisory step. FIU‑IND expects a live demonstration of:
- KYC onboarding systems,
- Sanctions screening engines,
- Transaction monitoring dashboards and alert workflows,
- Blockchain analytics tools (wallet clustering, transaction tracing),
- Travel Rule data exchange mechanisms,
- STR filing processes,
- Record‑keeping and audit trail capabilities.
Failure to demonstrate functional compliance can result in rejection or cancellation of registration.
Governance Architecture: Accountability by Design
FIU‑IND mandates a dual‑layer compliance leadership structure.
Designated Director (DD)
The Designated Director is a board‑level officer responsible for overall compliance with PMLA and PMLR. Core responsibilities include:
- Ensuring internal systems exist for CDD, monitoring, reporting, and record keeping,
- Approving ML/TF/PF risk assessments,
- Ensuring timely submission of reports to FIU‑IND,
- Allocating adequate resources and staffing to compliance,
- Overseeing employee adherence to AML obligations.
Principal Officer (PO)
The Principal Officer is the operational head of AML/CFT compliance. The role must be:
- Full‑time,
- Senior enough to access all business data,
- Independent from revenue and growth functions,
- Experienced in AML, financial crime, and regulatory reporting.
The PO must be formally notified to FIU‑IND and updated via FINgate whenever details change.
Responsibilities of the Principal Officer
The guidelines prescribe extensive duties, including:
- Reviewing and deciding on all STR filings,
- Maintaining internal escalation mechanisms,
- Preserving records of investigations and decisions for at least five years,
- Liaising with FIU‑IND and law‑enforcement agencies,
- Periodic review of transaction monitoring rules and typologies,
- Submitting quarterly AML effectiveness reports to the Board covering:
  - Programme effectiveness,
  - Identified vulnerabilities,
  - STR statistics and trends,
  - Red‑flag indicators issued by FIU‑IND,
  - Proposed policy or system changes.
Conflicts of interest are explicitly prohibited.
AML/CFT/CPF Policy Framework: What must be Documented
Every VDASP must maintain a comprehensive written framework covering:
- Money laundering risk,
- Terrorist financing risk,
- Proliferation financing risk,
- Customer onboarding and lifecycle management,
- Transaction monitoring methodology,
- Sanctions compliance,
- STR identification and filing procedures,
- Cooperation with regulators and law enforcement,
- Data retention and security controls,
- Group‑wide policies where applicable.
Policies must be:
- Approved by the Board,
- Communicated to all staff,
- Reviewed annually by independent auditors,
- Updated for new products, technologies, and regulatory changes.
A public summary must be displayed on the platform’s website or app, introducing an unusual level of transparency for crypto businesses.
Client Acceptance and Risk Classification
Who cannot be onboarded
- Anonymous accounts,
- Fictitious identities,
- Accounts opened on behalf of undisclosed third parties,
- Clients appearing on sanctions lists.
Risk classification framework
Client risk classification must include at least two categories:
- Medium risk,
- High risk.
Risk assessment must consider:
- Client occupation and business model,
- Geography and jurisdiction exposure,
- Transaction volume and velocity,
- Products used (spot trading, derivatives, NFTs, custody, P2P),
- Funding sources and counterparties.
Classification must be reviewed at least every six months, and the rationale documented.
Client Due Diligence (CDD): Data-Intensive Onboarding
CDD is the foundation of the entire compliance regime.
Individuals – mandatory data
Platforms must capture and verify:
- Full name (as per PAN),
- Date of birth, gender, nationality,
- PAN (mandatory),
- One Officially Valid Document (passport, driving licence, Aadhaar, NREGA card, or NPR letter),
- Residential address,
- Mobile number and email (OTP verified),
- Occupation and income range,
- Bank account details,
- Live selfie with liveness detection (video-KYC),
- IP address, device information, latitude & longitude, timestamp of onboarding.
A live photograph at onboarding is mandatory to establish physical presence.
Legal persons and entities
For companies, partnerships, trusts, and NGOs:
- Corporate PAN must be verified from issuing authority databases,
- Beneficial owners (≥10% ownership or control) must be identified under Rule 9(3) of PMLR,
- NGOs must be registered on the NITI Aayog DARPAN portal.
CDD system expectations
CDD processes must use:
- Reliable and independent data sources,
- Periodic profile updates,
- Risk‑based refresh cycles,
- Secure storage of documents and verification logs.
Enhanced Due Diligence (EDD)
Enhanced Due Diligence (EDD) is mandatory when dealing with:
- High‑risk customers,
- Politically Exposed Persons (PEPs),
- Non‑profit organisations,
- Transactions indicating ML/TF/PF risk.
EDD measures include:
- Detailed source‑of‑funds verification,
- Recording the purpose of transactions,
- Open‑source intelligence checks,
- Independent verification of client information,
- Increased frequency of monitoring and profile reviews.
If EDD cannot be completed, the relationship must be terminated and an STR filed.
Periodic KYC and CDD updates
- High‑risk clients: at least annually,
- All other clients: at least every two years.
If no information has changed, a self‑declaration is required. Any material change triggers full re‑onboarding. Expired documents must be replaced. Clients are legally obliged to inform platforms of changes in their information.
Ongoing Due Diligence and Transaction Monitoring
Monitoring must be continuous and technology‑driven.
What must be monitored
- Behaviour versus declared profile,
- Transaction size, frequency, and velocity,
- Asset types used,
- Counterparty risk,
- Geographic exposure,
- Rapid fiat‑crypto‑fiat cycles,
- Use of mixers, privacy coins, or unhosted wallets.
System requirements
Platforms must deploy systems that:
- Generate automated alerts,
- Allow analyst and PO review,
- Support transaction reconstruction,
- Maintain role‑based access controls,
- Provide secure backups and disaster recovery,
- Retain tamper‑proof audit trails.
For high‑volume platforms, FIU‑IND explicitly encourages the use of AI and machine learning models for risk scoring.
Travel Rule Compliance for Crypto Exchanges under FIU-IND Guidelines
Under Rules 4 and 5 of PMLR, originator and beneficiary information must accompany VDA transfers.
Data required from originator
- PAN,
- Identity document number,
- Full name,
- Wallet/account address,
- Physical address,
- Beneficiary wallet/account number.
Data required from beneficiary
- Originator’s identity information,
- Beneficiary’s identity information,
- Wallet/account details.
Timing
Data must be exchanged before or at the time of transfer. Post‑facto submission is not permitted.
Both originator and beneficiary VDASPs must verify, retain, screen against sanctions lists, and monitor the transactions. Any suspicion triggers STR filing.
Sanctions Screening
Screening is mandatory:
- At onboarding,
- During KYC updates,
- Whenever sanctions lists change,
- Before executing any VDA transfer.
Lists include UNSC designations, Indian UAPA lists, and WMDA‑related restrictions. No VDA transfer may be executed before screening clearance.
Suspicious Transaction Reports (STRs)
STRs must be filed promptly when suspicion arises and must include:
- Complete client KYC details,
- Wallet addresses,
- Transaction hashes and amounts,
- Counterparty information,
- IP addresses and device data,
- Grounds of suspicion.
FIU‑IND expects high‑quality narratives and complete datasets. Threshold‑based STRs are allowed only with documented justification.
Prohibition on Tipping-Off
Directors, officers, and employees are strictly prohibited from informing clients or third parties about:
- STR filings,
- Investigations,
- Requests from FIU‑IND.
This applies before, during, and after submission.
Other Reports to FIU-IND
VDASPs must submit periodic consolidated reports including:
- System metrics,
- Alert statistics,
- Compliance status,
- Risk indicators,
- Operational updates,
- Any other data prescribed by FIU‑IND.
Record-Keeping Obligations
Records must be preserved for at least five years after account closure. This includes:
- Client identity records,
- CDD and EDD documents,
- Transaction histories,
- VDA and fiat values,
- Dates, counterparties, and purpose,
- Travel Rule data.
Audit trails must capture verification responses, timestamps, and authentication logs, and must be stored in tamper‑proof form.
High-Risk Crypto Activities: Regulatory Red Lines
ICOs and ITOs
Token offerings are considered high risk. Platforms must apply full AML controls, investor disclosures, market‑manipulation safeguards, and due diligence on issuers. Smart contracts do not remove compliance obligations. FIU‑IND strongly discourages such activities.
Unhosted wallets
Transfers involving unhosted wallets are high risk. Originator and beneficiary data must still be collected. P2P transfers require enhanced controls and may be restricted or prohibited based on risk assessment.
Unregistered VDASPs
Obligations apply even if a provider is not registered. Non‑registration can trigger enforcement under Section 13 of PMLA.
Anonymity‑enhancing crypto assets (AECs)
These are treated as unacceptably high risk and should not be onboarded. If unavoidable, strict mitigation and EDD are mandatory.
Mixers and tumblers
Transactions involving mixers/tumblers require enhanced monitoring, blockchain analytics, and risk mitigation. Facilitation is strongly discouraged.
Strategic Implications for Crypto Businesses
The guidelines effectively reclassify crypto platforms as regulated financial institutions.
Key implications:
- Compliance costs become structural, not optional,
- Manual monitoring is no longer viable,
- Data engineering becomes a regulatory function,
- Governance failures carry personal liability,
- Banking relationships depend on demonstrable compliance maturity.
Platforms should adopt a phased roadmap:
- Regulatory gap assessment,
- System and policy remediation,
- Automation of monitoring and reporting,
- Continuous optimisation and audit readiness.
How ZIGRAM Supports VDASP Compliance
ZIGRAM provides modular, regulator‑ready platforms covering:
- KYC and identity verification,
- Sanctions screening across 3,330+ watchlists,
- Blockchain‑aware transaction monitoring,
- Travel Rule data orchestration,
- STR workflow automation,
- Risk‑based customer profiling.
Our solutions are designed for rapid deployment, cost efficiency, and full alignment with FIU‑IND expectations.
What FIU-IND 2026 Changes for Crypto Leaders
Compliance Becomes Infrastructure
AML is no longer documentation. It is a core operational system, like payments or custody.
Leadership Accountability Increases
Board members and senior executives carry direct responsibility under PMLA.
Data Is the New Regulator Interface
KYC, Travel Rule data, transaction logs, and STRs define regulatory trust.
Scale Depends on Compliance Maturity
Banking access, partnerships, and global growth depend on regulator-ready compliance.
In India, crypto growth now follows compliance maturity.
Conclusion
India’s AML framework for virtual digital assets is no longer evolving; it has arrived.
The 2026 FIU‑IND guidelines represent one of the most comprehensive crypto compliance regimes globally, blending FATF standards, traditional financial regulation, and blockchain‑specific controls into a single enforceable architecture.
For compliance leaders, the message is clear: crypto compliance is now infrastructure, not documentation.
For regulators and policymakers, the framework establishes India as a jurisdiction willing to support innovation but only on the foundation of financial integrity.
For digital asset businesses, the next phase of growth will belong not to the fastest movers, but to the most compliant operators.