India’s financial intelligence framework has sharpened its focus on accountability. The Financial Intelligence Unit of India (FIU-IND) now expects every reporting entity to go beyond ticking compliance boxes. One of the most critical obligations is the independent AML/CFT review, a structured evaluation of whether your anti-money laundering and counter-terrorist financing controls actually work. For Virtual Asset Service Providers (VASPs), Designated Non-Financial Businesses and Professions (DNFBPs) and other reporting entities, getting this review right is no longer optional. It is a regulatory expectation with real consequences.
This article breaks down what an independent AML/CFT review under FIU-IND involves, who it applies to, what reviewers should examine and how reporting entities can prepare for it. Whether you operate a crypto exchange, a precious metals dealership, a real estate brokerage or a professional services firm, these requirements may apply to you.
Summary: Independent AML/CFT review under FIU-IND
| Area | Key Expectation | Regulatory Basis |
| Frequency | Periodic (typically annual for higher-risk entities) | Risk-based expectation derived from PMLA, 2002 and FIU-IND guidance. |
| Scope | Policies, procedures, controls and effectiveness | FIU-IND AML/CFT guidelines |
| Independence | The reviewer must not design/implement the framework | Implied governance and control expectation under PMLA framework and FIU-IND guidance. |
| Applicability | VASPs, DNFBPs and specified professionals | PMLA framework and sector-specific notifications / guidelines |
| CDD/KYC | Risk-based due diligence and ongoing monitoring | Prevention of Money Laundering (Maintenance of Records) Rules, 2005 |
| Reporting | STR, CTR, NTR filing within timelines | FIU-IND reporting framework under PML Rules, 2005 |
| Governance | Designated Director and Principal Officer oversight | Governance requirements under PMLA and PML Rules, 2005 |
| Record Keeping | Minimum 5 years retention | Prevention of Money Laundering (Maintenance of Records) Rules, 2005 |
| Monitoring | Scenario-based and risk-aligned transaction monitoring | Risk-based monitoring expectations under FIU-IND guidance |
What is an independent AML/CFT review under FIU-IND?
An independent AML/CFT review is a periodic evaluation of a reporting entity’s policies, procedures and internal controls related to anti-money laundering, counter-terrorist financing and counter-proliferation financing (AML/CFT/CPF). FIU-IND expects reporting entities to conduct periodic independent reviews, typically performed annually for higher-risk sectors such as Virtual Asset Service Providers, by parties who were not involved in designing or implementing the policies being assessed.
The purpose is straightforward. Regulators want assurance that compliance frameworks are not just documented, but effective. The review looks at whether the entity’s AML/CFT program identifies risks accurately, applies customer due diligence (CDD) measures proportionally, monitors transactions effectively and reports suspicious activity to FIU-IND as required under the Prevention of Money Laundering Act (PMLA).
This expectation is derived from the Prevention of Money Laundering Act, 2002, the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 and sector-specific AML/CFT guidelines issued by the Financial Intelligence Unit – India (FIU-IND). For VASPs, recent FIU-IND guidance and updates have introduced enhanced expectations, including independent assessments of AML/CFT/CPF frameworks and associated policies.
Who needs to conduct an independent AML CFT review?
FIU-IND’s AML/CFT obligations apply to all reporting entities registered under the PMLA framework. The independent review requirement covers a wide range of sectors and entity types. Each faces unique risks, but the core obligation remains the same: demonstrate that your AML/CFT controls are adequate and effective.
Virtual Asset Service Providers (VASPs)
VASPs, also referred to as Virtual Digital Asset Service Providers (VDASPs), became reporting entities under the PMLA following a March 2023 notification by the Ministry of Finance. Crypto exchanges, wallet providers and other VDA-related businesses operating in or serving India are required to register with FIU-IND when carrying on designated virtual digital asset activities in or from India. Recent FIU-IND guidance emphasizes the need for independent audit and/or review mechanisms for VASPs, depending on the entity’s risk profile and applicable regulatory expectations. This dual requirement reflects FIU-IND’s heightened scrutiny of the virtual asset sector.
Dealers in Precious Metals and Stones (DPMS)
Dealers in precious metals and precious stones qualify as DNFBPs under the PMLA. They are classified as reporting entities under the PMLA framework, particularly in relation to high-value transactions, including cash transactions of INR 10 lakh (INR 1 million) or above which trigger reporting obligations, whether in a single transaction or in several linked transactions. Given the inherent cash-intensity and cross-border nature of this sector, the independent review should pay close attention to transaction monitoring thresholds and client verification records.
Real estate agents
Real estate agents handling high-value property transactions, including developers and brokers, fall under DNFBP obligations. Property transactions are a well-documented channel for money laundering, making robust CDD and beneficial ownership identification essential. The independent review for real estate entities should assess how effectively the entity identifies ultimate beneficial owners and monitors transaction patterns.
Accountants and legal professionals
Professionals holding a Certificate of Practice from the Institute of Chartered Accountants of India (ICAI), the Institute of Company Secretaries of India (ICSI) or the Institute of Cost Accountants of India (ICMAI) are classified as reporting entities when they carry out specified financial transactions on behalf of clients, such as managing assets, creating companies or handling financial transactions. Because these professionals often serve as gatekeepers to the financial system, their independent AML/CFT review carries particular significance.
Key areas an independent AML/CFT review must cover
A comprehensive independent review under FIU-IND goes beyond a surface-level document check. Reviewers must assess both the design and the operational effectiveness of the entity’s AML/CFT program. Below are the primary areas every review should cover.
Policy and procedure adequacy
The review should confirm that the entity has documented AML/CFT/CPF policies covering client acceptance, risk assessment, CDD, enhanced due diligence (EDD), suspicious transaction identification, record keeping and reporting obligations. These policies must align with the PMLA, the PML (Maintenance of Records) Rules and the applicable FIU-IND guidelines for the entity’s sector.
Risk assessment framework
Reviewers should evaluate the entity’s risk assessment methodology. FIU-IND expects entities to classify clients based on risk categories, taking into account factors such as geographic risk, product or service risk, client profile and delivery channel risk. The review should confirm that risk ratings are documented, periodically updated and consistently applied.
Customer due diligence and KYC processes
The review must verify that the entity applies CDD measures proportional to assessed risk levels. This includes standard KYC at onboarding, simplified due diligence for lower-risk clients where permissible and EDD for higher-risk relationships such as politically exposed persons (PEPs), clients from high-risk jurisdictions or complex ownership structures. Ongoing monitoring of client relationships should also be assessed.
Transaction monitoring and suspicious activity reporting
FIU-IND requires reporting entities to file Suspicious Transaction Reports (STRs), Cash Transaction Reports (CTRs) and Non-Profit Organization Transaction Reports (NTRs) within prescribed timelines. The review should examine whether the entity’s monitoring systems generate appropriate alerts, whether those alerts are investigated promptly and whether reports reach FIU-IND through the FINnet 2.0 portal on time. For VASPs, recent regulatory developments have introduced or emphasized alignment with travel rule requirements for virtual asset transfers, in line with evolving global standards.
Governance and roles
Every reporting entity must appoint a Designated Director (DD) and a Principal Officer (PO). The DD holds board-level responsibility for PMLA compliance. The PO oversees day-to-day AML/CFT operations and should possess sufficient seniority, competence and AML/CFT knowledge to discharge these responsibilities effectively. The independent review should verify that these appointments are current, that role boundaries are clear and that the PO reports periodically (often annually) to the Board or a designated sub-committee on the effectiveness of the AML/CFT program.
Training and awareness
Regulators expect reporting entities to provide ongoing AML/CFT training to relevant staff. The review should confirm that training programs exist, cover current typologies and regulatory requirements and reach all employees who interact with clients or handle transactions.
Who can conduct the independent review?
Independence is the defining criterion. The reviewer must not have been involved in creating, implementing or operating the AML/CFT policies and procedures under review. This ensures objectivity and prevents self-assessment.
For larger organizations, an internal audit function that operates independently from the compliance team may conduct the review, provided there is no conflict of interest. For smaller entities, particularly DNFBPs and early-stage VASPs, engaging an external consultant with AML/CFT expertise is often the more practical and credible approach. An external consultant may not be considered independent if they were previously involved in designing or implementing the AML/CFT framework under review.
The reviewer should possess relevant qualifications and experience in AML/CFT compliance. Certifications such as CAMS (Certified Anti-Money Laundering Specialist) add credibility. The reviewer should also be familiar with FIU-IND’s specific guidelines for the entity’s sector, as requirements vary between financial institutions, VASPs, DNFBPs and professionals.
Common gaps found during independent reviews
Based on industry experience, several recurring issues surface during independent AML/CFT reviews of reporting entities in India. Recognizing these patterns can help organizations prepare proactively.
Outdated policies rank among the most frequent findings. Many entities draft AML/CFT policies at the time of FIU-IND registration but fail to update them as guidelines evolve. Recent FIU-IND guidance and regulatory developments for VASPs, for example, have introduced new expectations around travel rule alignment, independent assessments and governance structures that many existing policies do not yet reflect.
Weak transaction monitoring is another common gap. Some entities rely on manual processes or basic threshold-based alerts that fail to capture structuring patterns, layering techniques or unusual transaction velocities. Reviewers frequently note the absence of scenario-based monitoring tailored to the entity’s specific risk profile.
Insufficient record keeping also appears regularly. The PMLA requires entities to maintain transaction records and CDD documentation for a minimum of five years from the date of cessation of the transaction or business relationship. Reviewers often find incomplete client files, missing beneficial ownership declarations or inadequate documentation of risk assessment decisions.
Poor STR quality is a concern FIU-IND has highlighted publicly. Reports that lack analytical depth, fail to articulate the basis for suspicion or arrive late undermine the purpose of the suspicious activity reporting regime. The independent review should assess not just whether STRs are filed, but whether they contain meaningful analysis.
How to prepare for an independent AML/CFT review
Preparation can significantly improve both the review experience and its outcomes. The following steps help reporting entities approach the process with confidence.
First, update your AML/CFT policy documentation. Confirm that your policies reference the latest FIU-IND guidelines applicable to your entity type, including recent FIU-IND updates and guidance applicable to VASPs. Verify that procedures match actual practice. A policy that describes processes your team does not follow creates more risk than having no policy at all.
Second, review your risk assessment. Confirm that client risk categories reflect current conditions, including any changes in jurisdictional risk ratings, product offerings or client base composition. The Financial Action Task Force regularly updates its lists of jurisdictions with strategic AML/CFT deficiencies and your risk assessment should reflect these changes.
Third, audit your CDD files. Sample a cross-section of client files to verify that KYC documentation is complete, risk ratings are assigned and justified and ongoing monitoring records are up to date. Address gaps before the independent reviewer finds them.
Fourth, test your transaction monitoring system. Run scenarios that reflect common money laundering typologies relevant to your sector. Verify that alerts trigger appropriately and that your investigation and escalation process works as designed.
Fifth, confirm governance appointments. Verify that your DD and PO appointments are current, properly documented and communicated to FIU-IND. Confirm that the PO has submitted required reports and that Board-level reporting on AML/CFT program effectiveness is occurring periodically, typically at least annually.
Building a culture of compliance
The independent AML/CFT review under FIU-IND is more than a regulatory checkbox. It is an opportunity for reporting entities to identify vulnerabilities before regulators do, strengthen internal controls and demonstrate a genuine commitment to combating financial crime. For VASPs navigating evolving FIU-IND guidance and regulatory developments, for DNFBPs managing cash-intensive operations and for professionals serving as financial gatekeepers, a well-executed independent review builds both regulatory confidence and organizational resilience.
The stakes are clear. Non-compliance with PMLA obligations can result in monetary penalties starting from INR 10,000 to INR 1 lakh (INR one hundred thousand) per failure, which may escalate depending on the severity of non-compliance, repeated violations or regulatory adjudication, along with regulatory action and reputational damage. Taking a proactive approach to your independent review is a sound investment.
If your organization needs support preparing for or conducting an independent AML/CFT review, Compliance7’s team of CAMS-certified consultants can help. We work with VASPs, DNFBPs, financial institutions and professional firms across multiple jurisdictions. Book a free consultation to discuss your compliance needs.
This article is for informational purposes only and does not constitute legal or regulatory advice. Regulatory expectations may evolve and entities should refer to official notifications and sector-specific guidance issued by the Financial Intelligence Unit – India and other competent authorities. For guidance specific to your business, consult a qualified compliance professional.
