Is registration with FIU-IND mandatory for crypto exchanges?

Yes, registration is mandatory. Non-compliance invites enforcement action under the PMLA.

Navigating the 2026 AML & CFT Guidelines for Virtual Digital Assets: The Definitive FAQ Guide

Q: Are Privacy Coins allowed in India?

No, dealings in Anonymity-Enhancing Crypto Tokens (AECs) are considered unacceptably high risk and are generally prohibited.

Q: What is the Travel Rule for crypto?

The Travel Rule mandates sharing sender and receiver details for crypto transfers between service providers.

Crypto Regulations | By M S Sulthan Legal Associates | Updated: January 16, 2026

The Financial Intelligence Unit – India (FIU-IND) has released the updated Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) Guidelines for Virtual Digital Asset Service Providers (VDA SPs) as of January 8, 2026. These regulations mark a significant shift in compliance obligations for the crypto sector in India.

This guide breaks down the complex regulatory text into 24 essential questions and answers to help businesses and investors understand their new obligations.

I. Scope and Applicability

1. What is the legal basis for these new guidelines?

The guidelines are grounded in the Prevention of Money-Laundering Act, 2002 (PMLA) and the Unlawful Activities (Prevention) Act, 1967 (UAPA). They were issued after the Government of India officially notified Virtual Digital Asset Service Providers (VDA SPs) as "Reporting Entities" under the PMLA.

2. Which activities classify a business as a VDA Service Provider (VDA SP)?

An entity is considered a VDA SP if it conducts any of the following activities for business purposes:

Exchange between virtual digital assets and fiat currencies.
Exchange between one or more forms of virtual digital assets.
Transfer of virtual digital assets.
Safekeeping or administration of virtual digital assets or custodial wallets.
Participation in financial services related to an issuer’s offer or sale of a VDA.

3. Do these guidelines apply to foreign (offshore) crypto exchanges?

Yes. The obligations are "activity-based" and apply irrespective of physical presence in India. Any entity, regardless of its registered location, must register as a Reporting Entity and comply with these rules if it engages in the notified activities for Indian users.

4. Are Central Bank Digital Currencies (CBDCs) covered?

No. The Digital Rupee (e₹) issued by the Reserve Bank of India (RBI) is excluded from the scope of these guidelines as it represents a digital form of sovereign fiat currency.

II. Registration and Governance

5. Is registration with FIU-IND mandatory?

Yes. Registration with FIU-IND is a mandatory pre-requisite. Non-registration is deemed a violation of the PMLA and may invite enforcement action under Section 13(2) of the Act.

6. What is the "In-Person Meeting" requirement for registration?

After submitting documents, applicants must attend a mandatory in-person meeting to verify their AML/CFT compliance systems. This must be attended by the Designated Director and Principal Officer. The applicant must provide a live demonstration of their systems, including KYC, transaction monitoring, and blockchain analytics tools.

7. Who is the "Principal Officer" and can they be the same as the Director?

The Principal Officer (PO) is a management-level officer responsible for implementing compliance obligations. The PO must be an independent officer reporting directly to the Board.

Crucial Rule: The Principal Officer and the Designated Director must be separate individuals.

8. Are there residency requirements for the Principal Officer?

Yes. The Principal Officer must be based in India to ensure effective discharge of obligations. They must be exclusively engaged with the Reporting Entity on a full-time basis and cannot hold concurrent engagements.

III. KYC and Client Due Diligence (CDD)

9. What are the new mandatory KYC data points?

Beyond standard ID proofs, VDA SPs must now collect:

Live Selfie: A photograph with liveness detection technology.
Geo-Location: Latitude/Longitude of onboarding location, IP address, and timestamp.
PAN: Mandatory verification of the Permanent Account Number.

10. How must bank accounts be verified?

Verification of the client's bank account must be carried out through a "penny-drop mechanism". This confirms both the ownership and the operational status of the account.

11. What is "Enhanced Due Diligence" (EDD)?

EDD involves more rigorous verification for higher-risk scenarios. It is mandatory for:

Clients from high-risk jurisdictions (tax havens, FATF lists).
Politically Exposed Persons (PEPs).
Non-Profit Organizations.
Any case with a mismatch between the address furnished and geo-coordinates.

12. How frequently must KYC be updated?

High-Risk Clients: At least once every six months.
All Other Clients: At least once every year.

IV. Transaction Monitoring & The Travel Rule

13. What is the "Travel Rule" for crypto transfers?

The Travel Rule requires VDA SPs to share specific information about the sender (originator) and receiver (beneficiary) when transferring funds.

Originating SPs: Must transmit name, wallet, PAN, and address.
Beneficiary SPs: Must verify the beneficiary's name against their own records.

14. Is post-facto submission of Travel Rule data allowed?

No. Submission of the required information must occur before or when the VDA transfer is conducted. Post-facto submission is not permitted.

15. Are transfers to "Unhosted Wallets" allowed?

Yes, but they require stricter scrutiny. VDA SPs must collect data on unhosted wallet transfers and apply risk-based enhanced measures. They may impose limitations based on risk assessment.

V. Prohibitions & High-Risk Activities

16. What is the stance on Privacy Coins?

Dealings in Anonymity-Enhancing Crypto Tokens (AECs) are considered "unacceptably high risk." Reporting Entities must refrain from permitting deposits or withdrawals of AECs (like Monero or Zcash) designed to obfuscate transaction origins.

17. Are Crypto Mixers or Tumblers allowed?

No. Transactions involving crypto tumblers, mixers, or other anonymity-enhancing services must not be facilitated. Service providers must deploy tools to detect and block such transactions.

18. How should Initial Coin Offerings (ICOs) be treated?

ICOs and Initial Token Offerings (ITOs) are strongly discouraged due to their elevated risks. If facilitated, the controlling parties must undertake documented risk assessments before launch.

VI. Reporting & Record Keeping

19. What is a Suspicious Transaction Report (STR)?

An STR is a report filed with FIU-IND when a transaction gives reasonable grounds to believe it involves proceeds of crime or terrorism financing. This must be filed regardless of the transaction amount.

20. What is "Tipping-off"?

"Tipping-off" refers to revealing to the client that an STR is being filed or that information is being furnished to the FIU-IND. This is strictly prohibited to protect the integrity of investigations.

21. How long must records be maintained?

Client Records: For five years after the account relationship ends.
Transaction Records: For five years from the date of the transaction.

22. Is an external audit required?

Yes. Reporting Entities must conduct an independent annual audit of their AML/CFT controls and systems to assess compliance.

Need Assistance with AML Compliance?

Ensure your crypto business is fully compliant with the new 2026 regulations. Contact our expert legal team today.

Book Consultation