India's 2026 AML/CFT Guidelines for Virtual Digital Assets: What Changed

Research Team (Tsaaro)

From Recognition to Supervision 

The regulatory journey began in March 2023, when the Ministry of Finance notified Virtual Digital Asset Service Providers (VDA SPs) as 'Reporting Entities' under the Prevention of Money Laundering Act, 2002 (PMLA). That notification brought crypto platforms within the same legal framework as banks and other financial institutions for the purpose of anti-money laundering compliance. FIU-IND was designated as the AML/CFT/CPF regulator for VDA SPs later that year, via Notification S.O. 4877(E) dated November 9, 2023. The latest guidelines consolidate requirements that were previously scattered across multiple circulars and guidance documents into a single, coherent framework. 

Registration as a Gate, Not a Formality 

The 2026 guidelines dedicate an entire chapter to the registration process, at a level of granularity the 2023 version lacked. Registration with FIU-IND through the FINgate portal is now a mandatory pre-condition before commencing operations. An applicant receives only a temporary reference ID on submission; formal registration, including issuance of an FIU Reporting Entity ID, is granted only after a document review and a mandatory in-person meeting with FIU-IND.

That in-person meeting is important. The applicant's Designated Director and Principal Officer must both attend and provide a live walkthrough of their AML/CFT systems including KYC infrastructure, transaction monitoring tools, blockchain analytics, travel rule compliance mechanisms, and sanction screening. FIU-IND reserves the right to deny or cancel registration if systems are found inadequate. Registration is, in effect, a supervised assessment of operational readiness. 

The document requirements are extensive: incorporation documents, GST returns, income tax filings, PACT certificates from existing VDA SP partners, organizational agreements with other VDA SPs, a CERT-In empanelled cybersecurity audit certificate, and a self-declaration of no pending criminal proceedings against the entity or its directors. The cybersecurity audit requirement alone, covering governance, access controls, KYC and AML system security, API risks, and incident response, places a substantial burden on applicants.

Non-registration is now explicitly treated as a PMLA violation under Section 13(2), which carries enforcement consequences. The obligations also apply extraterritorially: any entity engaging in notified VDA activities that target Indian users must register, regardless of where it is incorporated.

Governance at Board Level 

The guidelines introduce a two-tier compliance leadership structure. The Designated Director is a board-level appointee responsible for overall PMLA compliance. Their job is ensuring internal controls exist for customer due diligence, transaction monitoring, suspicious transaction reporting, and record-keeping. The Principal Officer (PO) is the full-time operational head of AML compliance and must hold at least three years of relevant experience in AML, financial crime, and regulatory reporting. 


Many requirements tighten what the 2023 version left open. For example:
  • The PO must be exclusively engaged with the reporting entity and hold no concurrent roles elsewhere.
  • The PO must be a permanent invitee to the board's risk evaluation committees.
  • The PO should be based in India.
  • The PO must present a review of the AML/CFT function to the board or a designated board sub-committee at least quarterly. This reporting must cover compliance programme effectiveness, identified vulnerabilities, STR summaries, FIU-IND guidance implementation status, and proposed policy changes.
  • The guidelines also require an independent annual audit of the AML/CFT framework by someone external to the team that designed the policies. The audit report goes to the board.

The effect is that crypto exchanges now carry governance obligations structurally similar to banks. The "outsourced compliance" model where a third-party firm nominally handles AML obligations does not meet the standard these guidelines set. 

KYC Requirements for Traceability 

Section 4 of the guidelines contains the most important changes. The standard for customer due diligence has been elevated from verifying who someone is to creating conditions under which they can be traced across systems and over time. 

At the point of onboarding, reporting entities must collect a broad set of information: address, PAN details, bank account details, email ID, and so on. In addition, entities must capture a selfie with liveness detection, the geo-location coordinates (latitude and longitude) at the time of onboarding together with a timestamp and IP address, and the device ID. Wallet addresses must also be mapped to the client's profile.

Bank account verification must be done through a penny-drop mechanism which is a small test transfer to confirm both ownership and operational status of the account. Mobile and email verification must use OTP or link validation. The liveness detection requirement ensures that the person submitting credentials is physically present during account creation, not operating through pre-recorded material or a third party. 

PAN is now mandatory for all individual clients; it is no longer optional or one of several alternatives. For legal entities, PAN must be verified directly against the issuing authority's database. Periodic KYC refresh is risk-calibrated: high-risk clients must be re-verified at least every six months; all others at least once a year. Where there is any material change in a client's information, the entity must conduct CDD equivalent to new client onboarding. Risk classification of clients into at least High and Medium risk categories must be reviewed every six months, and the rationale for each classification is subject to periodic review.

The volume of data collected, the requirement to retain it for five years after account closure, and the need for it to be retrievable for regulatory inspection create serious infrastructure and data security obligations. The guidelines acknowledge privacy-law implications but do not resolve the tension. Cybersecurity exposure increases proportionally with the data collected. 

The Travel Rule: No Deferred Compliance 

The Travel Rule (FATF Recommendation 16 applied to virtual asset transfers) requires that originator and beneficiary information travel with a VDA transaction. The 2026 guidelines implement this with a specific, low threshold for VDA transfers; the thresholds adopted by other jurisdictions vary.

Before transmitting a transfer, the originating reporting entity must conduct CDD and sanction screening on the counterparty. The information that must accompany each transfer includes the originator's PAN and identity document number, verified full name, wallet address, and physical address or date of birth; and the beneficiary's name and wallet address. The beneficiary RE must verify the beneficiary's identity and confirm that received data is consistent with its own records. 

This data must be submitted before or simultaneously with the transfer itself.  
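The two checks described above, on the originating side before transmission and on the beneficiary side on receipt, as an added example in Python. This is not FIU-IND's or FATF's message schema: the field names, the client-record layout, the PAN format check and the sample persons and wallets are assumptions made for illustration.

```python
"""Travel Rule checks on both sides of a VDA transfer.

Added example (not FIU-IND's or FATF's message schema): field names,
the client-record layout and the sample data below are assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")  # Indian PAN format: AAAAA9999A


@dataclass
class Originator:
    pan: str
    id_document_number: str
    verified_full_name: str
    wallet_address: str
    physical_address: str = ""
    date_of_birth: str = ""  # ISO date; either this or physical_address is required


@dataclass
class Beneficiary:
    name: str
    wallet_address: str


@dataclass
class TravelRuleMessage:
    originator: Originator
    beneficiary: Beneficiary
    sent_at: datetime      # when the data reached the beneficiary RE
    transfer_at: datetime  # when the on-chain transfer was broadcast


def _norm(name: str) -> str:
    """Comparison key that ignores case and spacing differences in names."""
    return " ".join(name.split()).casefold()


def validate_originator_side(msg: TravelRuleMessage) -> list[str]:
    """Checks the originating RE must pass before (or as) it transmits.

    Returns findings; an empty list means the message is complete and timely.
    """
    o, b = msg.originator, msg.beneficiary
    findings: list[str] = []
    if not PAN_RE.match(o.pan):
        findings.append("originator PAN missing or malformed")
    required = (
        ("identity document number", o.id_document_number),
        ("verified full name", o.verified_full_name),
        ("originator wallet address", o.wallet_address),
        ("beneficiary name", b.name),
        ("beneficiary wallet address", b.wallet_address),
    )
    findings += [f"{label} missing" for label, value in required if not value.strip()]
    if not (o.physical_address.strip() or o.date_of_birth.strip()):
        findings.append("originator needs physical address or date of birth")
    # "before or simultaneously with the transfer": the data may never lag the transfer
    if msg.sent_at > msg.transfer_at:
        findings.append("travel rule data sent after the transfer")
    return findings


def validate_beneficiary_side(msg: TravelRuleMessage,
                              own_clients: dict[str, dict]) -> list[str]:
    """Checks the beneficiary RE runs on receipt against its own records.

    own_clients maps hosted wallet addresses to the RE's KYC record for that
    client; the record layout {"name": str, "kyc_verified": bool} is constructed.
    """
    findings: list[str] = []
    record = own_clients.get(msg.beneficiary.wallet_address)
    if record is None:
        return ["beneficiary wallet not mapped to any client profile"]
    if not record.get("kyc_verified"):
        findings.append("beneficiary client KYC not verified")
    if _norm(record["name"]) != _norm(msg.beneficiary.name):
        findings.append("beneficiary name does not match our KYC record")
    return findings


# --- constructed sample data (not real persons or wallets) -------------------
BENEFICIARY_RE_CLIENTS = {
    "0xbbb": {"name": "ravi  kumar", "kyc_verified": True},
    "0xccc": {"name": "Meena Iyer", "kyc_verified": False},
}


def sample_message(sent_delay_seconds: int = 0,
                   originator: Optional[Originator] = None,
                   beneficiary: Optional[Beneficiary] = None) -> TravelRuleMessage:
    """Builds a well-formed message; parameters let callers break one rule at a time."""
    transfer_at = datetime(2026, 1, 10, 9, 0, tzinfo=timezone.utc)
    return TravelRuleMessage(
        originator=originator or Originator(
            pan="ABCDE1234F", id_document_number="ID-0001",
            verified_full_name="Asha Rao", wallet_address="0xaaa",
            date_of_birth="1990-01-01"),
        beneficiary=beneficiary or Beneficiary(name="Ravi Kumar", wallet_address="0xbbb"),
        sent_at=transfer_at + timedelta(seconds=sent_delay_seconds),
        transfer_at=transfer_at,
    )


if __name__ == "__main__":
    msg = sample_message()
    print("originator side:", validate_originator_side(msg) or "ok")
    print("beneficiary side:", validate_beneficiary_side(msg, BENEFICIARY_RE_CLIENTS) or "ok")
    print("late data:", validate_originator_side(sample_message(sent_delay_seconds=30)))
```

The originator-side check refuses to let the data lag the transfer, which is the "no deferred compliance" point; the beneficiary-side check only trusts its own KYC records, so a counterparty that sends a plausible name for a wallet the RE does not host, or for a client whose KYC never completed, is flagged rather than accepted on the strength of the message.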

The FATF's 2025 Targeted Update on VASP implementation found that 99 jurisdictions had passed or were processing legislation on the Travel Rule, but challenges in implementation remain for interoperability between platforms using different technical protocols, and the so-called 'sunrise issue' where VASPs in compliant jurisdictions must transact with counterparties in non-compliant ones. Indian reporting entities dealing with offshore VASPs will face these same interoperability challenges. The guidelines allow for a self-declaration-based mechanism in exceptional cases where full technological deployment is not feasible, but this is explicitly a fallback, not a default. 

High-Risk Activity: Mixers, Privacy Tokens, Unhosted Wallets

The guidelines take an explicit stance on three categories of activity.

Anonymity-Enhancing Crypto Tokens (AECs): VDAs designed to conceal origin, ownership, or transaction value are classified as high risk. Reporting entities must not permit deposits or withdrawals of AECs. Dealings in AECs are treated as falling outside the entity's permissible risk appetite. 

Tumblers and Mixers: Transactions involving crypto tumblers, mixers, or similar services must be identified through transaction monitoring and blockchain analytics and must not be facilitated. Detection triggers mandatory risk mitigation measures. The guidelines do not ban the underlying tokens but prohibit the services that obscure transaction trails. 

Unhosted Wallets: Transfers to or from wallets not hosted by a regulated RE carry extra risk due to anonymity, unlimited portability, and the absence of an obligated counterparty. Reporting entities must collect originator and beneficiary data on these transactions and apply enhanced CDD. They may also impose additional controls or prohibitions on unhosted wallet transactions based on their own risk assessment. 

The approach is largely risk-based rather than prohibitory. Apart from the bar on AEC deposits and withdrawals and on facilitating mixer transactions, no asset class is banned outright at the exchange level. But the compliance burden attached to these categories is designed to make their facilitation operationally costly.

Cybersecurity, Audit, and Data Retention 

AML compliance under the 2026 guidelines is inseparable from cybersecurity governance. The CERT-In empanelled cybersecurity audit required both at registration and on an ongoing basis covers the full technical infrastructure: governance frameworks, access controls, KYC and transaction monitoring systems, cryptographic controls, backup and recovery, API risks, cloud infrastructure, and incident response capabilities. 

Records must be preserved for at least five years: client records from account closure, and transaction records from the date of the transaction. Where records relate to ongoing investigations, they must be retained until the case is formally closed. Audit trails covering verification responses, timestamps, and authentication logs must be stored in tamper-proof form. Systems must be capable of retrieving individual records promptly on regulatory request.
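What "tamper-proof form" can mean for the audit trail, as an added example in Python (not code from the guidelines or from any FIU-IND system): an append-only log in which each entry commits to the previous one through a SHA-256 hash chain, so that editing or deleting a past verification record is detectable at the next integrity check. The entry layout and the onboarding events are constructed for illustration.

```python
"""Tamper-evident retention of KYC verification events.

Added example, not taken from the guidelines: one way to keep verification
responses, timestamps and authentication logs in "tamper-proof form" is an
append-only log whose every entry commits to the previous one through a
SHA-256 hash chain, so any later edit or deletion is detectable. Entry
layout and the sample events are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(body: dict) -> bytes:
    """Stable serialisation so an entry always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list[dict], event: dict) -> dict:
    """Append event to log, binding it to the previous entry's hash."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    body = {"seq": len(log), "prev_hash": prev_hash, "event": event}
    body["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return body


def verify_chain(log: list[dict]) -> tuple[bool, int]:
    """Recompute every hash and link; return (ok, index of first bad entry or -1)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry["seq"] != i
                or entry["prev_hash"] != prev_hash
                or hashlib.sha256(_canonical(body)).hexdigest() != entry["entry_hash"]):
            return False, i
        prev_hash = entry["entry_hash"]
    return True, -1


def head_hash(log: list[dict]) -> str:
    """Hash to anchor outside the log store (the chain alone cannot detect truncation)."""
    return log[-1]["entry_hash"] if log else GENESIS


def build_sample_log() -> list[dict]:
    """Constructed onboarding trail of the kind the guidelines require to be retained."""
    log: list[dict] = []
    for event in [
        {"ts": "2026-01-10T09:00:00Z", "client": "C-1001", "type": "pan_verify",
         "result": "match", "ip": "203.0.113.7", "device_id": "dev-42"},
        {"ts": "2026-01-10T09:01:12Z", "client": "C-1001", "type": "liveness",
         "result": "pass", "geo": [12.97, 77.59]},
        {"ts": "2026-01-10T09:02:30Z", "client": "C-1001", "type": "penny_drop",
         "result": "ok", "account_last4": "4321"},
        {"ts": "2026-01-10T09:03:00Z", "client": "C-1001", "type": "wallet_mapped",
         "wallet": "0xaaa"},
    ]:
        append_entry(log, event)
    return log


def edit_in_place(log: list[dict], index: int) -> list[dict]:
    """Simulate an insider rewriting a stored entry (returns a modified copy)."""
    forged = json.loads(json.dumps(log))
    forged[index]["event"]["result"] = "altered"
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log), "head:", head_hash(log)[:16])
    print("edited entry 1:", verify_chain(edit_in_place(log, 1)))
    print("entry 1 deleted:", verify_chain(log[:1] + log[2:]))
```

An in-place edit or a deletion in the middle of the chain breaks verification at the first affected entry. Cutting the tail off the log does not, because a shorter chain is still internally consistent; that case is only caught by anchoring the current head hash somewhere the log writer cannot change (a separate write-once store, a periodic signed or timestamped digest, or a regulator-facing report), and comparing against it when the chain is verified.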

The integration of IT infrastructure into AML compliance creates a dual risk exposure. A cybersecurity breach is simultaneously an AML compliance failure if it compromises the integrity of KYC or transaction records. The guidelines explicitly require that the cybersecurity audit certify whether the audited environment is adequately safe to host and operate VDA activities. 

Transaction Monitoring and STR Filing 

The guidelines require continuous transaction monitoring through automated systems. Suspicious Transaction Reports must include not just transaction data but also KYC information, wallet addresses, counterparty details, device IDs, IP addresses, and the grounds of suspicion. Attempted suspicious transactions (initiated but not completed) must also be reported.

REs are encouraged to adopt AI and machine learning tools for detection. All alerts generated by monitoring systems must be reviewed by the AML compliance team and the Principal Officer without delay. Where the PO determines a transaction does not warrant an STR, the reasons must be recorded. The reporting format is prescribed by FIU-IND and must be followed precisely. Monthly reports covering activity indicators and compliance status must also be submitted to FIU-IND. 

The STR obligation is threshold-agnostic. An entity must file if it has reasonable grounds to believe a transaction involves proceeds of crime or terrorist financing irrespective of the transaction amount or whether it crosses any reporting threshold under PMLA. Tipping off or disclosing to a client or any other party that an STR has been filed is prohibited before, during, and after submission. 

What This Means for Crypto Businesses

Three consequences follow from this framework:
  1. Structural cost escalation: The process of registration alone requires extensive documentation and a live systems demonstration. Ongoing compliance requires a full-time India-based Principal Officer with AML experience, quarterly board reporting infrastructure, annual independent policy audits, Travel Rule-compliant technical systems, blockchain analytics tools, and data retention architecture. Smaller or informal operators will find compliance economically prohibitive.
  2. Sector institutionalization: The guidelines create regulatory clarity that the sector has lacked. For entities that clear the compliance bar, the FIU RE-ID functions as a credibility signal, particularly relevant for institutional partnerships and potential banking relationships. India's framework, in aligning closely with FATF standards, also reduces friction for internationally compliant VASPs seeking to operate in the Indian market.
  3. Market consolidation: The informal sector (offshore entities with no Indian registration, platforms without robust KYC infrastructure, P2P services operating without AML controls) faces a clear exit ramp. Enforcement tools under Section 13 of PMLA, including monetary penalties and URL blocking (already used against non-registered foreign VDA SPs), remain available. As FATF's 2025 update notes, the global trend is toward more registered VASPs but with persistent implementation gaps in practice. India's in-person, live-demonstration registration process is specifically designed to close that gap.

Conclusion 

The 2026 FIU-IND guidelines convert three years of accumulated regulatory intent into specific, auditable obligations covering registration, governance, customer due diligence, travel rule implementation, high-risk asset controls, cybersecurity, and transaction monitoring. For VDA businesses operating in India, the question is not whether to comply but how quickly operational gaps can be closed. The firms that treat compliance as infrastructure, building it into onboarding systems, transaction flows, and board reporting cycles will be positioned to operate in this market over the long term. Those that treat it as documentation will find themselves in difficulty when FIU-IND conducts its next round of in-person assessments. Crypto may remain decentralised at the protocol layer, but in India its gateways now operate within a firmly regulated compliance architecture. 


 

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
