Every reporting entity in India now faces the same question: Is your AML program strong enough to survive an independent review?
The answer matters more today than it did a year ago. India’s Financial Intelligence Unit (FIU-IND) released updated AML and CFT guidelines for Virtual Digital Asset Service Providers (VDA SPs) in January 2026, making independent annual AML reviews and AML compliance testing mandatory for crypto businesses. For Designated Non-Financial Businesses and Professions (DNFBPs), the Prevention of Money Laundering Act (PMLA) has long required compliance programs, but the FATF’s 2024 mutual evaluation of India put a spotlight on weak supervision in the non-financial sector. Regulators are now paying closer attention.
This article breaks down the independent AML review requirements for both DNFBPs and VASPs in India, what reviewers look for, how the two categories differ and what happens if you fall short.
Who needs an independent AML review in India?
Two broad categories of reporting entities must maintain AML/CFT compliance programs and submit to independent review under Indian law.
DNFBPs under PMLA
Section 2(1)(sa) of the PMLA defines “persons carrying on a designated business or profession.” In India, this category includes casinos and establishments offering games of chance for cash or kind, real estate agents involved in buying and selling property, dealers in precious metals and precious stones, persons engaged in safekeeping and administration of cash and liquid securities on behalf of others and the Inspector-General of Registration appointed under the Registration Act, 1908.
One important distinction from the global FATF framework: India has not yet fully aligned the treatment of lawyers and accountants with the broader FATF DNFBP framework, a gap highlighted in FATF’s 2024 mutual evaluation.
VDA Service Providers (VASPs)
Following the March 2023 gazette notification, VDA Service Providers are classified as reporting entities under Section 2(1)(wa) of the PMLA. This generally covers crypto exchanges, custodial wallet providers, brokers, token-related intermediaries and other Web3 service providers involved in the exchange, transfer or safekeeping of virtual digital assets. Certain NFT platforms and related intermediaries may also fall within scope depending on the nature of their activities and whether they undertake covered VDA-related services.
FIU-IND’s January 8, 2026 guidelines consolidate all operational AML/CFT requirements for VDA SPs into a single framework. These guidelines explicitly mandate an independent annual audit of the AML/CFT/CPF program and an independent annual review of all associated policies.
The legal basis for independent AML audits
The independent AML audit obligation for reporting entities in India draws from multiple legal instruments.
PMLA Sections 12 and 12AA set out the core obligations for reporting entities. Section 12 requires every reporting entity to maintain records of all transactions, verify and maintain records of the identity of clients and furnish information to FIU-IND. Section 12AA prescribes enhanced due diligence measures for specified high-risk transactions, including additional identity verification, examination of ownership and financial position and enhanced scrutiny requirements.
PML (Maintenance of Records) Rules, 2005 prescribe the detailed procedures for client due diligence, record-keeping formats and reporting timelines. The PML Rules and FIU-IND guidance collectively establish expectations around internal controls, record-keeping, reporting and the AML/CFT compliance program.
FIU-IND AML/CFT Guidelines (January 2026 for VDA SPs) go further than the statutory minimum. These guidelines require VDA SPs to undergo a comprehensive independent audit that covers governance controls, access management, transaction monitoring systems, wallet security, cryptographic controls and incident response capabilities. The audit must also include a cybersecurity audit certified by a CERT-In empanelled auditor.
For DNFBPs, while the PMLA does not use the exact phrase “independent AML audit,” the requirement to maintain an effective AML/CFT program under Section 12, read together with FIU-IND’s supervisory guidance, creates a clear expectation that the program will be independently tested and reviewed. Regulators routinely assess whether compliance programs have been independently tested.
What does an independent AML review cover?
The scope of an independent AML review in India varies based on the entity type, but several core areas apply across the board.
AML/CFT program design and governance
Reviewers assess whether the entity has a documented, board-approved AML/CFT policy. They review whether the policy is tailored to the entity’s specific risk profile rather than a generic template. The governance structure is evaluated, including whether a Designated Director (at the board level) and a Principal Officer (responsible for day-to-day compliance and FIU-IND reporting) have been properly appointed and are fulfilling their roles.
Customer Due Diligence (CDD) and KYC
The CDD procedures will be reviewed for adequacy and consistency. This includes the Customer Identification Program, ongoing due diligence for existing relationships, Enhanced Due Diligence for high-risk customers (politically exposed persons, high-risk jurisdictions, complex ownership structures) and beneficial ownership identification. For VDA SPs, reviewers also assess KYC processes specific to blockchain-based onboarding and wallet-level identification.
Transaction monitoring and Suspicious Activity Reporting (SAR)
Reviewers evaluate whether the entity’s transaction monitoring system can detect patterns associated with money laundering, terrorist financing and proliferation financing. They test the alert generation and investigation workflows and verify that Suspicious Transaction Reports (STRs), Cash Transaction Reports (CTRs) and Non-Profit Organization Transaction Reports (NTRs) are filed with FIU-IND within the prescribed timelines.
Sanctions screening
The review checks whether the entity screens customers and transactions against relevant sanctions lists, including UN Security Council lists and India’s domestic designations. For VDA SPs, this extends to blockchain analytics for wallet-level sanctions screening.
Record-keeping and data retention
Reviewers verify that transaction records and CDD documentation are maintained for at least five years from the date of the transaction or the end of the business relationship. For VDA SPs, this includes on-chain transaction records and wallet mapping data.
Training and awareness
The review assesses whether the entity conducts regular AML/CFT training for all relevant staff, whether training content is updated to reflect current typologies and whether training records are maintained.
Technology and cybersecurity (VDA SPs)
For VDA Service Providers, the January 2026 guidelines add a distinct layer: a mandatory cybersecurity audit by a CERT-In empanelled auditor. This audit covers infrastructure and network security, application security for KYC and transaction monitoring systems, wallet security and cryptographic controls, backup and disaster recovery, third-party risk management (cloud services, APIs) and incident response capability including readiness to report to CERT-In. All critical systems, including wallets, trading engines, authentication systems, blockchain nodes, APIs, cloud infrastructure and KYC systems, require audit coverage.
DNFBPs vs. VASPs: Comparing review requirements
Understanding the differences between DNFBP and VASP review requirements helps reporting entities plan their compliance programs effectively.
| Requirement | DNFBPs | VASPs (VDA SPs) |
|---|---|---|
| Governing framework | PMLA Sections 12 & 12AA, PML Rules, FIU-IND general guidance | All DNFBP requirements + January 2026 FIU-IND VDA Guidelines |
| Independent AML review mandate | Implied best practice; expected during supervisory assessments | Explicitly mandated (annual) |
| Cybersecurity audit | Not required under current regulations | Mandatory (CERT-In empanelled auditor) |
| Sanctions screening scope | Standard sanctions lists | Standard lists + blockchain wallet screening |
| Supervision maturity | Less developed (FATF 2024 finding) | Recent but increasingly active |
| Reporting obligations | STRs, CTRs, NTRs | STRs, CTRs, NTRs + blockchain-specific reports |
Penalties for non-compliance
The consequences of failing an independent AML audit, or of not conducting one at all, are significant.
Under Section 13 of the PMLA, the Director of FIU-IND can impose a monetary penalty for each failure to comply with obligations under the Act or Rules. The Director can also issue written warnings, direct specific corrective measures or require the entity to submit reports at prescribed intervals.
For serious or systemic failures, penalties can reach crore-level amounts. In January 2025, FIU-IND imposed a penalty of INR 9.27 crore (INR 92.7 million) on Bybit Fintech Limited for PMLA violations. FIU-IND also issued show-cause notices to nine offshore VDA SPs, including Binance and KuCoin, demonstrating that enforcement extends to entities operating without a physical presence in India.
Beyond monetary penalties, non-compliance can result in suspension or cancellation of FIU-IND registration, which effectively bars the entity from operating in India.
Practical steps to prepare for your independent AML review
Whether you are a DNFBP or a VASP, preparation is key. Start with these steps.
Conduct a self-assessment. Map your current AML/CFT program against the requirements of PMLA Section 12, the PML Rules and (for VASPs) the January 2026 FIU-IND guidelines. Identify the gaps before an external auditor does.
Appoint the right people. Verify that your Designated Director and Principal Officer have been formally designated and meet the compliance-responsibility requirements under the PMLA, the PML Rules and FIU-IND guidance. The Designated Director must be a board-level officer. The Principal Officer handles day-to-day compliance operations and serves as the primary contact with FIU-IND.
Update your risk assessment. Your AML/CFT program must reflect your current risk profile, not a risk assessment from two years ago. Factor in new products, new geographies and evolving money laundering typologies relevant to your sector.
Test your transaction monitoring. Run sample scenarios through your monitoring system and keep the evidence. Can it flag structuring (a series of cash transactions each kept just below the reporting threshold)? Layering through multiple wallets? Transactions involving sanctioned wallets or high-risk jurisdictions? If you cannot demonstrate that your system catches known red flags, reviewers will note it.
Organise your records. Reviewers will request CDD files, transaction records, STR and CTR filing logs, training records and board minutes approving your AML policy. Having these organised and accessible saves time and demonstrates a mature compliance culture.
Engage a qualified reviewer. For the AML/CFT program review, choose a reviewer with specific experience in PMLA compliance and, ideally, familiarity with your sector. For VASPs, the cybersecurity component must be audited by a CERT-In empanelled firm.
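As an added illustration of the “test your transaction monitoring” step above and of the sanctions-screening scope described earlier, the following is a small scenario harness written for this article (it is not code from FIU-IND, from any vendor, or from the reviewer’s toolkit). It runs three constructed red-flag scenarios through three simple detectors: structuring (repeated cash deposits just under the reporting threshold), layering (funds hopping through several wallets in quick succession) and counterparty screening (sanctioned wallet or high-risk jurisdiction). The wallet address, the jurisdiction code, the transactions and every threshold are constructed assumptions; the INR 10 lakh figure stands in for whatever cash-reporting threshold the current PML Rules set and should be confirmed before use.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Txn:
    txn_id: str
    src: str           # customer account id or source wallet
    dst: str           # counterparty account id or destination wallet
    when: date
    amount_inr: int
    kind: str          # "cash" or "transfer"
    jurisdiction: str  # counterparty jurisdiction code (constructed)


# Assumed thresholds. 10 lakh is used as the cash-reporting figure; verify it
# against the current PML Rules rather than relying on this constant.
CTR_THRESHOLD_INR = 1_000_000
WINDOW_DAYS = 30
STRUCTURING_MIN_COUNT = 3
STRUCTURING_BAND = 0.10       # cash deposits within 10% below the threshold
LAYERING_MIN_HOPS = 3
LAYERING_HOP_DAYS = 2         # funds must move on within two days per hop
LAYERING_MIN_RETAINED = 0.90  # each hop forwards at least 90% of what arrived

# Constructed lists for the test only; these are not real designations.
SANCTIONED_WALLETS = {"wallet_sanctioned_0001"}
HIGH_RISK_JURISDICTIONS = {"ZZ"}


def detect_structuring(txns: List[Txn]) -> List[Tuple[str, List[str]]]:
    """Per customer, look for a WINDOW_DAYS window holding at least
    STRUCTURING_MIN_COUNT cash deposits just under the threshold whose
    aggregate exceeds it. One alert per customer."""
    low = CTR_THRESHOLD_INR * (1 - STRUCTURING_BAND)
    by_cust: Dict[str, List[Txn]] = defaultdict(list)
    for t in txns:
        if t.kind == "cash" and low <= t.amount_inr < CTR_THRESHOLD_INR:
            by_cust[t.src].append(t)
    hits = []
    for cust, cash in by_cust.items():
        cash.sort(key=lambda t: t.when)
        for i, start in enumerate(cash):
            window = [t for t in cash[i:] if (t.when - start.when).days < WINDOW_DAYS]
            if (len(window) >= STRUCTURING_MIN_COUNT
                    and sum(t.amount_inr for t in window) > CTR_THRESHOLD_INR):
                hits.append((cust, [t.txn_id for t in window]))
                break
    return hits


def detect_layering(txns: List[Txn]) -> List[List[str]]:
    """Follow transfer chains from origin wallets (no incoming transfer).
    A hop qualifies if it leaves the receiving wallet within LAYERING_HOP_DAYS
    and forwards at least LAYERING_MIN_RETAINED of the incoming amount.
    Returns maximal chains with at least LAYERING_MIN_HOPS hops."""
    transfers = [t for t in txns if t.kind == "transfer"]
    out_edges: Dict[str, List[Txn]] = defaultdict(list)
    for t in transfers:
        out_edges[t.src].append(t)
    destinations = {t.dst for t in transfers}
    chains: List[List[str]] = []

    def walk(chain: List[Txn]) -> None:
        last = chain[-1]
        extended = False
        for nxt in out_edges.get(last.dst, []):
            gap = (nxt.when - last.when).days
            if (0 <= gap <= LAYERING_HOP_DAYS
                    and nxt.amount_inr >= LAYERING_MIN_RETAINED * last.amount_inr
                    and nxt not in chain):
                walk(chain + [nxt])
                extended = True
        if not extended and len(chain) >= LAYERING_MIN_HOPS:
            chains.append([t.txn_id for t in chain])

    for t in transfers:
        if t.src not in destinations:  # start only from chain origins
            walk([t])
    return chains


def screen_transactions(txns: List[Txn]) -> List[Tuple[str, str]]:
    """Return (txn_id, reason) for any transaction touching a sanctioned
    wallet (either side, case-insensitive) or a high-risk jurisdiction."""
    sanctioned = {w.lower() for w in SANCTIONED_WALLETS}
    hits = []
    for t in txns:
        if t.src.lower() in sanctioned or t.dst.lower() in sanctioned:
            hits.append((t.txn_id, "sanctioned_wallet"))
        elif t.jurisdiction in HIGH_RISK_JURISDICTIONS:
            hits.append((t.txn_id, "high_risk_jurisdiction"))
    return hits


# Constructed sample transactions covering the three scenarios plus one
# control case (a single large deposit, reportable but not structuring).
D = date(2026, 3, 1)
SAMPLE_TXNS = [
    Txn("c1", "cust_A", "branch", D, 950_000, "cash", "IN"),
    Txn("c2", "cust_A", "branch", D + timedelta(days=2), 960_000, "cash", "IN"),
    Txn("c3", "cust_A", "branch", D + timedelta(days=5), 940_000, "cash", "IN"),
    Txn("c4", "cust_A", "branch", D + timedelta(days=9), 970_000, "cash", "IN"),
    Txn("c5", "cust_B", "branch", D, 1_500_000, "cash", "IN"),
    Txn("t1", "wallet_A", "wallet_B", D, 800_000, "transfer", "IN"),
    Txn("t2", "wallet_B", "wallet_C", D + timedelta(days=1), 780_000, "transfer", "IN"),
    Txn("t3", "wallet_C", "wallet_D", D + timedelta(days=2), 760_000, "transfer", "IN"),
    Txn("t4", "wallet_E", "wallet_sanctioned_0001", D, 50_000, "transfer", "IN"),
    Txn("t5", "wallet_F", "wallet_G", D, 20_000, "transfer", "ZZ"),
]


def run_scenarios(txns: List[Txn] = SAMPLE_TXNS) -> Dict[str, list]:
    """Run every detector and return the alerts it raised, keyed by scenario."""
    return {
        "structuring": detect_structuring(txns),
        "layering": detect_layering(txns),
        "screening": screen_transactions(txns),
    }


if __name__ == "__main__":
    for scenario, alerts in run_scenarios().items():
        print(f"{scenario}: {alerts}")
```

The point of keeping the scenarios as data is that the same file doubles as the evidence a reviewer asks for: each constructed case documents which red flag it exercises, and a run that returns an empty list for a scenario is a finding in itself. Real monitoring rules will need more conditions (velocity, counterparty history, fuzzy name matching for sanctions lists), but the structure of the test does not change.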
Frequently Asked Questions
How often must a VASP conduct an independent AML audit or AML compliance review in India?
The January 2026 FIU-IND guidelines require an annual independent audit of the AML/CFT/CPF framework and an annual independent review of all associated policies.
Are DNFBPs legally required to conduct independent AML audits?
The PMLA does not explicitly mandate an “independent AML audit” for DNFBPs. However, the obligation to maintain an effective AML/CFT program under Section 12, combined with regulatory expectations from FIU-IND, makes independent review a practical necessity. Regulators assess program effectiveness during supervisory examinations.
What qualifications should the reviewer have?
For the AML/CFT review, there is no single prescribed certification, but reviewers with CAMS (Certified Anti-Money Laundering Specialist) credentials and experience with PMLA reporting entities are generally preferred. The review should be conducted with sufficient independence from operational AML functions to enable objective assessment of control effectiveness and compliance gaps. For the cybersecurity component (VASPs only), the auditor must be empanelled with CERT-In.
What happens if FIU-IND finds compliance failures?
Penalties under Section 13 of the PMLA range from INR 10,000 to INR 100,000 per failure. Serious or repeated violations can attract penalties running into crores, as demonstrated by the INR 9.27 crore fine on Bybit in 2025. FIU-IND can also suspend or cancel registration.
Key Takeaways
Independent AML reviews are becoming an expected supervisory standard for Indian reporting entities. VASPs have an explicit annual mandate under the January 2026 FIU-IND guidelines. DNFBPs face growing regulatory scrutiny following FATF’s 2024 findings on supervision gaps. Both categories risk substantial penalties and operational disruption if their compliance programs fall short.
The best time to prepare is before regulators or reviewers identify gaps in your AML/CFT framework. Compliance7 provides independent AML reviews and AML audit support for reporting entities across India, including VDA Service Providers, fintechs, NBFCs and other PMLA-regulated businesses. Our CAMS-certified consultants help organizations assess control effectiveness, strengthen AML governance and prepare for supervisory scrutiny. Contact us to discuss your AML review or audit requirements.
This article is for informational purposes only and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your organization.