Navigating FIU-IND's 3rd Revision Circular for VDA Service Providers | M S Sulthan
+91 98479 80019 contact@mssulthan.com
Mon - Sat: 09:00 - 19:00
Disclaimer: As per the rules of the Bar Council of India, this content is for educational purposes only. It does not constitute legal advice or solicitation.

Navigating the Stricter Regulatory Landscape: FIU-IND's 3rd Revision Circular for VDA Service Providers

By M S Sulthan Legal Associates, Kozhikode | February 26, 2026 | Regulatory Law / Web3 Compliance

The regulatory framework for Virtual Digital Assets (VDAs) in India has definitively transitioned from ambiguous oversight to a stringent, technology-driven compliance mandate. Central to this paradigm shift is the Financial Intelligence Unit - India (FIU-IND), which has systematically tightened the onboarding and monitoring of VDA Service Providers (SPs) under the Prevention of Money Laundering Act, 2002 (PMLA).

For our corporate clients navigating the digital asset space, the release of the 3rd Revision of the Circular (F.No. 9-8/2023/COMPL/FIU-IND-Pt-II) on September 15, 2025, marks a critical escalation in regulatory scrutiny. The days of simple paperwork are over; FIU-IND now demands rigorous structural transparency and live technological audits.

1. The Regulatory Baseline: PMLA and Notified Activities

Before dissecting the new registration requirements, it is essential to establish the baseline of what constitutes a reporting entity in the Indian VDA ecosystem.

Definition of a Reporting Entity: Section 2(1)(wa) of the PMLA defines a "reporting entity" as a banking company, financial institution, intermediary, or a person carrying on a designated business or profession.

Notified VDA Activities: The Central Government's March 07, 2023 notification brought specific activities under the PMLA framework when carried out for or on behalf of another natural or legal person in the course of business. These include:

  • Exchange between virtual digital assets and fiat currencies.
  • Exchange between one or more forms of virtual digital assets.
  • Transfer of virtual digital assets.
  • Safekeeping or administration of virtual digital assets or instruments enabling control over them.
  • Participation in and provision of financial services related to an issuer's offer and sale of a virtual digital asset.

(Note: 'Virtual Digital Asset' carries the meaning assigned to it in Section 2(47A) of the Income-tax Act, 1961).

Mandatory Compliance: VDA SPs are required to comply with PMLA provisions, including establishing processes for customer due diligence (KYC), record-keeping, internal controls, employee training, and filing Suspicious Transaction Reports (STRs) with FIU-IND. Registration with FIU-IND is a pre-requisite. Failure to register is a strict non-compliance issue attracting action under Section 13(2) of the PMLA.

2. The 3rd Revision Circular: The 11-Point Tech-Driven Registration Protocol

To streamline the registration process and ensure complete transparency, the September 2025 circular introduced rigorous new demands. The FIU-IND will not schedule the mandatory in-person meeting until the following documentation (Points 1a to 1k) is submitted in full to their satisfaction:

Corporate Structure and Operational Proofs

  • 1(a) Business Nature Note: A brief note explaining exactly how the service provider's activities fall under the March 07, 2023 notification.
  • 1(b) Corporate Structure & SBO: A concise disclosure of the corporate structure, supported by an organogram, alongside the detailed particulars of Significant Beneficial Ownership (SBO).

Corporate, Financial & Tax Records

  • 1(c) MCA Filings: Copies of Incorporation Documents, Annual Returns, Balance Sheets, and Profit & Loss Accounts filed with the Ministry of Corporate Affairs for the last 3 financial years.
  • 1(d) GST Records: Copies of GST Returns for the last 3 financial years, along with GST registrations in all operating states to establish the nature of activities performed.
  • 1(e) Income Tax & TDS: Copies of Income Tax Returns and explicitly, copies of Form 26Q/26QF/26QE filed with the Income Tax Department for TDS on VDA transactions.

B2B Arrangements & The PACT Certificate

  • 1(f) Contractual Agreements: Duly executed copies of all contractual, operational, intermediary, custodial, or platform arrangements with domestic or international entities (exchanges, brokers, aggregators), plus a brief narrative on their scope and intended function.
  • 1(g) The "PACT" Certificate: Replacing the older "Fit and Proper" terminology, applicants must now secure a "Partner Accreditation for Compliance and Trust" (PACT) certificate from FIU IND registered VDA SP(s) if they have an ongoing or prospective relationship/agreement with them.

Integrity Declarations & Cyber Security

  • 1(h) Legal Integrity: A self-declaration confirming no pending proceedings with the Directorate of Enforcement (ED) or other law enforcement, and no criminal cases initiated against the applicant, company/LLP, or its directors/partners.
  • 1(i) AML/CFT Questionnaire: A duly filled questionnaire covering various compliance aspects.
  • 1(j) Mandatory Cyber Security Audit: A cyber security audit certificate from a CERT-In empanelled auditor affirming compliance with all legal frameworks, specifically including the requirements set forth in the Directions dated 28th April 2022 under Section 70B(6) of the Information Technology Act, 2000.
  • 1(k) Additional Info: Any other information/document required by or shared with the Reporting Entity to ensure completion.

3. The In-Person Meeting & Live Technological Demonstration

The FIU-IND has fundamentally elevated the mandatory in-person meeting from a routine documentation review to a full-scale technical audit.

  • Mandatory Attendance: The meeting at the FIU-IND office must be attended mandatorily by the Designated Director (DD) and the Principal Officer (PO). Qualifications for the PO are strictly guided by the "Guidance for Principal Officer (PO) 25.02.2025".
Live Systems Demonstration: At the time of the meeting, the applicant must provide a live demonstration and walk-through of their actual AML/CFT compliance processes and systems. This explicitly includes real-time demonstrations of tools pertaining to KYC, Transaction Monitoring, Blockchain Analysis, the Travel Rule, and Sanction Screening.

4. Final Registration and FINNet 2.0 Integration

The circular explicitly clarifies a common misconception regarding the FINNET 2.0 Portal. VDA SPs must be aware that any system-generated "FIUREID" upon initial portal submission is for reference only.

Final registration in letter and spirit is granted only after the online registration on the FINNet 2.0 Portal is completed, and it is followed by the in-principal approval by the Director of FIU-India. The Director reserves the absolute right to deny or cancel the registration if the Reporting Entity is found to be not fulfilling its obligations under the PMLA.

Frequently Asked Questions (FAQ)

1. What is the new PACT Certificate required by FIU-IND?
The "Partner Accreditation for Compliance and Trust" (PACT) certificate is a mandatory requirement. If your VDA business has an ongoing or prospective relationship/agreement (B2B, broker, etc.) with an already FIU-IND registered VDA Service Provider, you must secure this certificate from them to prove compliance trustworthiness.
2. Who must attend the mandatory in-person meeting at FIU-IND?
The meeting must be attended personally by the company's officially appointed Designated Director (DD) and the Principal Officer (PO). The Principal Officer must meet the specific qualifications outlined in the February 25, 2025 guidance.
3. Is the system-generated FIUREID enough to legally operate?
No. The September 2025 circular explicitly states that the FIUREID generated upon applying on the FINNet 2.0 portal is purely for reference. Registration is only granted after completing the online process AND receiving in-principal approval from the Director FIU-India.
4. What specific tax documents are required for registration?
Applicants must submit GST Returns for the last 3 financial years along with all state GST registrations. For direct tax, they must provide Income Tax Returns and explicitly, copies of Form 26Q, 26QF, or 26QE filed with the Income Tax Department for TDS on VDA transactions.
5. What are the new Cyber Security Audit requirements?
Under point 1(j) of the circular, applicants must furnish a cyber security audit certificate from a CERT-In empanelled auditor. This must specifically affirm compliance with the Section 70B(6) Directions of the IT Act, 2000 (issued April 28, 2022), which govern reporting of cyber incidents and data retention.

Ensure your VDA business is fully compliant with the latest PMLA and FIU-IND regulations. Contact our Web3 Compliance desk today.

✉️ contact@mssulthan.com

© 2026 M S Sulthan Legal Associates. All Rights Reserved.

Newsletter

Don't miss our future updates! Get subscribed today!

MS Sulthan

Legal Associates

POLICIES

Disclaimer

Privacy Policy

Terms and Conditions

Certificate Verification

MENU

Home

About

Contact

CONTACT

+919847980019

+91-4953552516

contact@mssulthan.com

T1, Ground Floor, Hi-Lite Business Park, Kozhikode, Kerala - 673014

136/2, Rameshwar Nagar, Model Town, New Delhi – 110033

© 2026 MS Sulthan Legal Associates. All rights reserved.

slsl