FIU-IND’s 2026 AML/CFT Guidelines for VDA SPs: 5 Operational Changes You Cannot Ignore

What every FIU-IND registered Virtual Digital Asset Service Provider needs to assess – right now.

–

On January 8, 2026, the Financial Intelligence Unit – India (FIU-IND) released updated AML & CFT Guidelines for Reporting Entities providing services related to Virtual Digital Assets (VDAs). These guidelines replace the 2023 framework and represent the most significant consolidation of India’s crypto compliance obligations since VDA SPs were brought under the Prevention of Money Laundering Act (PMLA) in March 2023.

This is not a minor update. The 2026 Guidelines convert scattered circulars, guidance notes and registration requirements into a single, enforceable framework. FIU-IND’s message is unambiguous: VDA SPs are now subject to increasingly bank-like AML/CFT expectations under Indian law.

Based on our audit work with FIU-IND registered entities, we have identified five operational changes that demand immediate attention from every VDA SP’s compliance function.

Who must register with FIU-IND?

Any entity that provides Virtual Digital Asset services in India, including crypto exchanges, custodians, wallet providers, token issuers, certain NFT platforms and Web3 intermediaries, is a Reporting Entity under the PMLA and must be registered with FIU-IND. Operating without registration is a violation of the PMLA and can attract penalties, directions and enforcement action under Section 13 of the Act.

1. Is liveness detection mandatory for Indian VDA SPs?

Yes. The 2026 Guidelines introduce, for the first time, a technology-specific KYC requirement: liveness detection at the point of customer onboarding. Every VDA SP must now capture the following at the time of KYC:

• A selfie of the client with liveness detection enabled.
• Latitudinal and longitudinal coordinates of the client at the time of onboarding.
• Date and timestamp of the KYC event.
• The client’s IP address.

What this means in practice: VDA SPs relying on basic document upload KYC flows are now non-compliant. This requirement necessitates integration with a liveness-enabled KYC provider. VDA SPs that have not yet upgraded their onboarding technology stack should treat this as an urgent remediation item.

2. What are the requirements for the Principal Officer under the 2026 guidelines?

The 2026 Guidelines formalize that the Principal Officer (PO) must be India-based and directly accessible to FIU-IND for PMLA compliance and coordination. The guidelines strongly imply local operational accessibility as a baseline requirement. The 2026 Guidelines incorporate the earlier PO Guidance (February 25, 2025) into the main framework and make clear that:

• The PO must be a senior employee with direct access to the Board.
• The PO must have demonstrated experience in AML, financial crime and regulatory reporting.
• The PO must be exclusively engaged with the reporting entity.
• Conflicts of interest between the PO and business functions are explicitly prohibited.
• Any change in PO details must be updated on FINgate immediately.

Why this matters: Many VDA SPs operating in India with foreign parent entities have assigned compliance responsibilities to offshore personnel. The 2026 Guidelines’ emphasis on accessibility and independent engagement creates clear, direct regulatory accountability and is a key area of examination during FIU-IND inspections.

3. Dual-layer governance: Designated Director and Principal Officer are distinct roles

The 2026 Guidelines codify a mandatory dual-layer compliance governance structure that is often misunderstood or conflated by VDA SPs:

Designated Director (DD)

• Board-level appointment responsible for overall PMLA and PMLR compliance.
• Must ensure internal systems exist for CDD, transaction monitoring, reporting and record-keeping.
• Oversees employee adherence to AML obligations across the organization.
• Responsible for quarterly Board-level review of AML/CFT functions.

Principal Officer (PO)

• Operational head of AML/CFT compliance, responsible for day-to-day implementation.
• Single point of contact for all FIU-IND communications, including STR/CTR/NTR filings.
• Must report AML/CFT program effectiveness to the Board or designated sub-committee annually.
• Cannot have a conflict of interest with any business or revenue-generating function.

Common gap we observe: Many VDA SPs have either not formally designated a Designated Director or have assigned both roles to the same individual. The 2026 Guidelines make it clear these are distinct appointments with distinct accountability. FIU-IND’s registration process verifies both appointments as part of the operational readiness check.

4. Travel rule and transaction monitoring obligations under the FIU-IND 2026 guidelines

The 2026 Guidelines bring Travel Rule compliance and technology-driven transaction monitoring into the main compliance framework, moving these from guidance-level expectations to enforceable obligations.

Key requirements:

• VDA SPs must maintain a documented Transaction Monitoring System (TMS) with defined rules, thresholds and alert disposition procedures
• Travel Rule obligations require the transmission of originator and beneficiary information for all VDA transfers, regardless of transaction value, no de minimis threshold applies under the FIU-IND framework.
• The TMS must generate audit trails sufficient for regulatory inspection and STR filing.
• Purely manual monitoring frameworks are increasingly difficult to justify for scaled VDA operations.

Audit observation: Fully manual transaction monitoring remains one of the most frequent material findings in AML/CFT audits of Indian VDA SPs. Entities with no documented TMS face the highest regulatory exposure, particularly where high transaction volumes are not matched by proportionate STR filings.

5. Registration framework is now a single, verifiable process – with live demonstrations

One of the most significant structural changes in the 2026 Guidelines is the absorption of the entire FIU-IND registration framework into a single document. The end-to-end process – previously spread across the 2025 Registration Circular and multiple guidance notes – now sits within the Guidelines.

The registration process now includes:

• FINgate-based initiation and issuance of a temporary reference ID.
• Detailed document and information submissions covering ownership, governance and operational structure.
• An operational readiness check, including a live demonstration of AML/CFT systems to FIU-IND.
• A mandatory in-person meeting at which both the Designated Director and Principal Officer must attend.
• Post-registration: ongoing obligation to update FINgate for any change in key personnel or business structure.

Important: Failure to demonstrate functional compliance during the live system demonstration can result in registration being withheld. This is no longer a paper-based compliance exercise.

Enforcement context: Non-compliance has consequences

India’s AML enforcement posture has shifted materially since 2023. FIU-IND issued show-cause notices to major international exchanges, including Binance, KuCoin, Kraken and others, for operating in India without registration and without adequate KYC/AML controls. Binance received a detailed penalty order in 2024. Non-compliant platforms faced URL blocking, cutting off access to Indian users.

The March 2026 FATF report on offshore VASPs specifically highlighted India’s enforcement actions as a model. FIU-IND is also establishing a dedicated Virtual Asset Lab to conduct automated web surveillance and OSINT to detect unregistered and high-risk crypto platforms.

The regulatory risk environment for non-compliant VDA SPs in India is no longer theoretical.

Is your VDA SP compliant with the 2026 guidelines?

Based on our audit experience with FIU-IND registered entities, the five areas above are the most common sources of material non-compliance. A gap against any one of them can be sufficient to attract regulatory scrutiny or create barriers to institutional onboarding.

Compliance7 Consulting conducts independent AML/CFT reviews for FIU-IND registered VDA SPs across nine compliance areas, including governance, CDD/KYC, transaction monitoring, STR/CTR reporting, Travel Rule and sanctions screening. Our reports are structured to satisfy both internal compliance requirements and third-party institutional counterparty demands. To discuss an audit engagement or a preliminary gap assessment, contact us.

Disclaimer: This article is for informational purposes only and does not constitute legal or regulatory advice. Compliance obligations should be assessed in the context of the specific business model and operational structure of each entity. Compliance7 Consulting is an independent AML/CFT compliance advisory and audit practice and is not affiliated with, endorsed by or acting on behalf of FIU-IND or any governmental or regulatory authority.