Authored by STAB, a division of Strategy India (Direct Selling & MLM Fraud Risk Advisory)
(Compliance note for general information; not official guidance and not legal advice)
This note is Strategy India's professional interpretation of FIU-IND's AML/CFT/CPF Guidelines for Reporting Entities providing services related to Virtual Digital Assets (updated 08.01.2026). It is not an FIU-IND publication or a formal legal opinion. For binding requirements, stakeholders should refer to the official Guidelines and the underlying law (including PMLA/PMLR).
Why these Guidelines matter
From Strategy India's vantage point, India's fraud landscape has been reshaped over the past decade by three converging trends: aggressive use of MLM-style compensation plans to distribute unregulated products and "crypto opportunities"; offshoring of control to hubs such as Dubai while victims remain in India; and increasing reliance on VDAs, unhosted wallets and mixers/tumblers to move and park funds.
The updated FIU-IND Guidelines set out operational expectations for VDA service providers to comply with Chapter IV obligations under the PMLA and the PMLR, including registration, governance, CDD, monitoring, reporting, and record-keeping.
-
Applicability and activity-based obligations
If your platform (irrespective of its place of incorporation) is engaged in notified VDA activities involving India/Indian users, it falls within the scope of the Guidelines. For example, an offshore exchange that onboards Indian users and provides notified VDA services in relation to India should evaluate applicability and, where required, register and comply as a Reporting Entity.
As a practical compliance point, incorporation location does not, by itself, determine applicability; the obligations are activity-based. The Guidelines state that VDA SP obligations apply irrespective of physical presence in India, and that entities engaged in notified activities (regardless of registered location) are required to register and comply.
In practice, an offshore incorporation structure does not remove the need to assess applicability and comply where notified activities are carried out in relation to India. Non-registration is deemed a violation of the provisions of the PMLA and may invite action under Section 13(2) of the PMLA, in addition to any other applicable enforcement measures.
-
Registration focuses on operational readiness, not only documentation
The registration process includes prescribed documentation and an in-person meeting intended to verify AML/CFT/CPF systems, processes and tools in place. A VDA SP seeking registration must, among other things:
- Disclose detailed information on its corporate structure, significant beneficial owners, financials, GST and income tax records, and all domestic and overseas arrangements with exchanges, brokers, custodians, intermediaries and other VDA SPs.
- Obtain a CERT-In-empanelled cybersecurity audit certificate, confirming that its environment is adequately safe to host and operate notified VDA activities. That audit must cover governance, access controls, network and endpoint security, application and AML system security, wallet security, backup and recovery, cloud and API risks, and incident response readiness.
- Undergo an in-person meeting with FIU-IND, attended by both the Designated Director and the Principal Officer, where the entity must provide a live walkthrough of its AML stack: KYC systems, transaction monitoring, blockchain analytics, Travel Rule implementation, sanctions screening, and related tools.
Applicants are expected to demonstrate their capabilities during the in-person meeting. FIU-IND reserves the right to deny or cancel registration if the applicant fails to fulfil its obligations under the PMLA.
-
Governance and accountability framework
The Guidelines emphasise governance accountability through the Designated Director and Principal Officer roles, with defined responsibilities and expectations regarding seniority, independence, and board oversight.
Designated Director: carries overall responsibility for compliance with Chapter IV of PMLA and PMLR, including internal mechanisms for record keeping, reporting and risk assessment.
Principal Officer (PO) must:
- Be full-time, senior, and exclusively dedicated to AML/CFT/CPF responsibilities.
- Sit at a management level, with sufficient authority and independence from business operations.
- Be based in India.
- Have unimpeded access to client identification data, CDD information and transaction records.
- Report directly to the Board or a Board Committee on the effectiveness of the AML program, vulnerabilities, STR statistics and implementation status of FIU-IND guidance.
- Make the final call on whether an alert is suspicious and file Suspicious Transaction Reports (STRs) promptly, recording reasons either way.
From a governance standpoint, the framework requires named accountability and expects documented decision-making by the Principal Officer, including reasons for STR filing or non-filing, and periodic reporting to the board/board committee.
-
CDD/KYC: stronger attribution and verification
VDA transactions are, by nature, fast and borderless. The Guidelines expand the practical CDD dataset for VDA onboarding and ongoing due diligence.
At onboarding, for individuals, REs must capture at least:
- Full name as per PAN, date of birth, gender, PAN details, ID type and number, and nationality.
- Address, mobile number, and email ID.
- Occupation, income range, and bank account details, with bank ownership and activity verified through a penny-drop mechanism.
- A live selfie, validated with liveness detection technology, to ensure physical presence at onboarding.
- Geo-location coordinates (latitude and longitude) of the onboarding location, with date and timestamp, along with IP address and other identifiers such as wallet addresses and transaction hashes where relevant.
This is accompanied by PAN plus one approved ID, OTP-based verification of mobile and email, and verification via reliable, independent sources.
Key enhanced CDD triggers:
- If there is a mismatch between the declared address and captured geo coordinates, enhanced CDD is required.
- For high-risk clients from FATF grey/black list jurisdictions and tax havens, PEPs, and non-profit organisations, enhanced CDD is mandatory; if it cannot be fully implemented, the relationship must be terminated, and an STR filed.
Periodic KYC updates are explicitly required under a risk-based approach, with at least 6-monthly updates for high-risk clients and at least annual updates for others.
-
Travel Rule: operational implication ("no data, no move")
For years, a significant advantage for fraud operators has been the ability to move value across platforms with minimal linked identity data. The Guidelines change that through a rigorous application of the Travel Rule to VDA transfers.
For VDA transfers between service providers, the originating RE must obtain, hold, and transmit:
- Originator's PAN and ID document number.
- Originator's verified full name.
- Originator's wallet address or account number.
- Originator's verified physical address.
- Originator's date of birth.
- Beneficiary's name, for screening and monitoring purposes.
- Beneficiary's wallet address or account number.
- The amount and type of VDA.
The beneficiary RE must similarly obtain and retain the originator's information and verify that the beneficiary's name matches its KYC records.
The Guidelines explicitly state that post facto submissions are not permitted; submissions must occur before or during the VDA transfer. Operationally, this increases traceability across platforms and strengthens the audit trail available for monitoring, sanctions screening and STR quality.
-
Unhosted wallets, AECs and mixers: calibrated risk treatment
From our investigations, unhosted wallets, anonymity-enhancing tokens, and mixers are standard tools for moving proceeds of fraud. The Guidelines address each of these explicitly.
Unhosted wallets: Transfers to and from unhosted wallets and P2P structures are treated as higher risk. REs must collect data, monitor and assess such transfers. They must apply appropriate enhanced CDD and risk-based controls to such transactions and clients. They may impose additional limitations or prohibitions on unhosted wallet activity, in line with their risk assessment, including enabling only transactions assessed as reliable based on client, behavioural, or geographic factors, or law enforcement inputs. This keeps the door open for legitimate self-custody use cases while signalling that if an RE cannot adequately monitor and manage the risk associated with a particular unhosted wallet pattern, it is expected to either control or decline that activity.
Anonymity-enhancing tokens and mixers: AECs are treated as unacceptably high-risk, and REs are required to refrain from permitting deposits/withdrawals and from facilitating such transactions. Similarly, mixer/tumbler and other anonymity-enhancing services are to be identified through monitoring and analytics, rather than facilitated, with suitable risk mitigation measures triggered.
-
Transaction monitoring, STR expectations and tipping-off
The Guidelines require continuous transaction monitoring aligned to FIU-IND guidance, timely escalation, and STR filing that includes attempted suspicious transactions. There is no monetary threshold when suspicion exists.
REs must:
- Maintain systems capable of identifying complex, unusually large, or atypical transactions with no apparent economic or lawful purpose.
- Integrate red-flag indicators, typologies and instructions issued by FIU-IND into their monitoring programmes.
- Ensure the PO reviews alert handling approaches regularly and conducts sample checks of data to confirm that unusual or potentially suspicious transactions are correctly escalated.
On reporting:
- STRs should use all reasonably available data, including KYC, transaction history, IP data, device IDs, location, and behavioural patterns.
- A strict prohibition on tipping off applies before, during, and after STR submission; neither customers nor third parties may be informed that a report has been or may be filed.
-
Record keeping and reconstruction (minimum five-year retention)
Effective investigation requires not just live monitoring, but a reliable archive. Client identification records must be preserved for at least five years after the account-based relationship ends, and transaction records must be preserved for at least five years from the transaction date, with longer retention for records linked to ongoing investigations/disclosures.
Records must permit the reconstruction of individual transactions, including the nature, amount, VDA/fiat type, date, counterparties, and linked Travel Rule data, with tamper-proof audit trails and prompt retrieval when required by competent authorities.
-
ICOs/ITOs and issuance-related services
ICOs/ITOs are described as presenting heightened and complex ML/TF/PF risks, and persons offering services across issuance, sale/distribution and ongoing market circulation/trading may fall within the RE framework under these Guidelines.
Key points:
- Use of smart contracts or automated infrastructure does not relieve controlling parties of Chapter IV obligations.
- Controllers are expected to perform risk assessments and build robust controls before launch.
- ICO/ITO-related activities are strongly discouraged and carry heightened FIU-IND scrutiny.
This is directly relevant to token-based MLM structures and pseudo-investment programmes, where "token sales" are often a veneer for recruitment-led money circulation.
Strategy India's view: what this changes for the ecosystem
From an enforcement and compliance perspective, the Guidelines strengthen attribution (who/where), enhance transactional traceability (Travel Rule timing and data requirements), and raise expectations for monitoring, STR quality, and record reconstruction.
For regulators and enforcement agencies, this creates a structured, technology-backed intelligence layer over India's VDA ecosystem.
For serious VDA businesses, they make explicit the baseline operational readiness expected by FIU-IND for AML/CFT/CPF compliance.
For fraud architectures built on speed, opacity, and jurisdictional arbitrage, the practical operating space narrows for regulated entities seeking to implement these controls effectively.
At Strategy India, the assessment is straightforward: these Guidelines will not end crypto-enabled fraud on their own. But they give India, for the first time, a coherent, enforceable AML/CFT framework for VDAs that can support investigation, prosecution, and policy-making at scale, provided it is implemented with the same seriousness with which it has been drafted.
Official Acronyms from the Guidelines
AEC: Anonymity-Enhancing Crypto Tokens
AML: Anti-Money Laundering
API: Application Programming Interface
CBDC: Central Bank Digital Currency
CDD: Client Due Diligence
CERT-In: Indian Computer Emergency Response Team
CFT: Countering the Financing of Terrorism
CPF: Combating Proliferation Financing
CRS: Common Reporting Standards
DD: Designated Director
DNFBP: Designated Non-Financial Business and Profession
FATF: Financial Action Task Force
FI: Financial Institution (traditional financial institutions not defined as SPs)
FIU-IND: Financial Intelligence Unit - India
GST: Goods and Services Tax
ICO: Initial Coin Offering
ITO: Initial Token Offering
Intermediary SP: Intermediary Service Provider (Refers to a Service Provider in a serial chain that receives and re-transmits a VDA transfer on behalf of the Originator SP and Beneficiary SP or another intermediary SP)
KYC: Know Your Customer
LEA: Law Enforcement Agency
MCA: Ministry of Corporate Affairs
ML: Money Laundering
ML/TF/PF: Money Laundering, Terrorism Financing and Proliferation Financing
NFT: Non-Fungible Token
NPO: Non-Profit Organisation
NRAL: National Risk Assessment
ODD: Ongoing Due Diligence
OFAC: Office of Foreign Assets Control (US)
OTC: Over-the-Counter
OTP: One-Time Password
P2P: Peer-to-Peer
PACT: Partner Accreditation for Compliance and Trust
PAN: Permanent Account Number
PEP: Politically Exposed Persons
PF: Proliferation Financing
PMLA: Prevention of Money Laundering Act, 2002
PMLR: Prevention of Money-Laundering (Maintenance of Records) Rules, 2005
PO: Principal Officer
RBA: Risk-Based Approach
RBI: Reserve Bank of India
RE: Reporting Entities
RFI: Red Flag Indicators
SP: Service Provider providing services relating to Virtual Digital Assets
STR: Suspicious Transaction Report/Reporting
TDS: Tax Deducted at Source
TF: Terrorism Financing
UAPA: Unlawful Activities (Prevention) Act, 1967
UNSC: United Nations Security Council
UNSCR: United Nations Security Council Resolutions
VDA: Virtual Digital Assets
VDA SP: Virtual Digital Asset Service Provider
WMDA: Weapons of Mass Destruction and their Delivery Systems (Prohibition of Unlawful Activities) Act, 2005






