FIU-IND registration was supposed to be the hard part. For most Virtual Digital Asset Service Providers (VDA SPs) in India, getting that FIU Identification Number felt like crossing the finish line. However, registration is only the starting point. VASP compliance in India now demands operational maturity that many registered firms have not yet built. As of the FIU-IND Annual Report for FY 2024-25, only 49 VASPs hold active registration. Of those, a significant number still struggle with basic obligations like filing quality STRs, appointing qualified compliance leadership and meeting the enhanced standards set by the FIU-IND AML and CFT Guidelines issued on 8 January 2026. The gap between being registered and being compliant is where regulatory risk lives. This article breaks down where Indian VASPs are falling short, what the 2026 guidelines actually require and how to close the gaps before regulators close them for you.
| Compliance area | Key requirement | Common gap |
|---|---|---|
| Governance structure | Separate Designated Director and Principal Officer | Symbolic appointments with no real authority |
| Customer due diligence | Risk-based CDD and EDD with ongoing monitoring | One-time KYC with no periodic review |
| STR and CTR filing | Timely, quality reports via FINGate 2.0 | Low filing volumes or generic narratives |
| Travel Rule | Originator and beneficiary data for VDA transfers | No technical solution implemented |
| Sanctions screening | Real-time screening against UN, OFAC and domestic lists | Manual or batch-only screening |
| Independent audit | Periodic AML/CFT program review by external experts | No audit conducted since registration |
Why FIU registration alone is not enough
Registration gives a VASP its reporting entity status under the Prevention of Money Laundering Act, 2002 (PMLA). It does not guarantee that the firm can meet its ongoing obligations. FIU-IND’s own annual report for 2024-25 highlighted recurring problems across the VASP sector: low-quality Suspicious Transaction Reports, symbolic Principal Officer appointments and weak internal controls.
The enforcement record reinforces this. In June 2024, FIU-IND imposed a penalty of INR 18.82 crore (188 million) on Binance for PMLA violations. Even outside the VDA sector, FIU-IND has shown its reach: Paytm Payments Bank, a payments bank under RBI supervision, received a fine of INR 5.49 crore (54.9 million) for AML deficiencies, signalling that no category of reporting entity is exempt from scrutiny. Between December 2023 and October 2025, FIU-IND issued show cause notices to over 30 offshore VDA platforms for operating without registration and failing to comply with Indian AML requirements. Penalties across the sector have ranged from INR 34.5 lakh (3.45 million) to INR 18.82 crore (188 million).
These actions send a clear signal. Regulators are looking beyond the registration certificate. They want evidence of a functioning compliance program that meets the full scope of VASP compliance India standards.
How the 2026 guidelines redefine VASP compliance India requirements
On 8 January 2026, FIU-IND issued updated AML and CFT Guidelines for VDA SPs, replacing the March 2023 framework. The new guidelines treat VDA SPs as full reporting entities on the same standard as banks and financial institutions. For firms that built minimal compliance frameworks around the 2023 requirements, the 2026 guidelines represent a significant operational upgrade.
Governance: Designated Director and Principal Officer
The guidelines require every VASP to appoint both a Designated Director (DD) and a Principal Officer (PO). These must be separate individuals. The DD holds overall responsibility for PMLA compliance at the board level. The PO manages day-to-day AML operations, coordinates with FIU-IND and oversees report filing.
In practice, many VASPs have treated the PO role as a formality. FIU-IND has called this out directly. A Principal Officer who lacks seniority, AML expertise or decision-making authority does not satisfy the requirement. Firms should review whether their current DD and PO appointments meet the functional expectations under the 2026 guidelines.
Customer due diligence and enhanced due diligence
The 2026 guidelines mandate a risk-based approach to Customer Due Diligence (CDD). Firms must categorise customers by risk level and apply Enhanced Due Diligence (EDD) for high-risk categories. These include politically exposed persons, customers from high-risk jurisdictions, customers using privacy coins or mixing services and those conducting unusually large or complex transactions.
Ongoing monitoring is not optional. Firms must review customer profiles periodically, update KYC records and flag behavioural changes that indicate increased risk. A one-time KYC check at onboarding does not meet the standard.
Suspicious Transaction Reporting
STR quality remains one of the biggest compliance gaps in the Indian VASP sector. FIU-IND expects detailed narratives explaining why a transaction is suspicious, supported by evidence from the firm’s monitoring systems. Generic or templated STRs attract regulatory scrutiny rather than demonstrating compliance.
Firms must also file Cash Transaction Reports (CTRs) for transactions exceeding INR 10 lakh (1 million) and Cross-Border Wire Transfer Reports where applicable. All reports flow through the FINGate 2.0 portal and must pass the Report Validation Utility before submission.
Travel Rule compliance
The 2026 guidelines require VDA SPs to collect and transmit originator and beneficiary information for virtual asset transfers. This aligns with FATF Recommendation 16 and mirrors requirements already enforced in jurisdictions like the EU, Singapore and the UAE.
For Indian VASPs, Travel Rule compliance requires a technical solution. Firms must integrate with counterparty VASPs to exchange required data fields before or during a transfer. Many registered VASPs in India have not yet implemented any Travel Rule infrastructure. With India also preparing to implement the OECD Crypto Asset Reporting Framework (CARF) by April 2027, the data collection and transmission requirements will only increase.
Sanctions screening
Real-time screening against applicable sanctions lists is a baseline expectation. Firms must screen customers, counterparties and transactions against UN, OFAC and domestic lists maintained by Indian authorities. Batch screening or manual checks introduce delays and create windows where sanctioned entities can transact.
Automated screening integrated into the onboarding and transaction monitoring workflows is the standard that regulators expect.
High-risk activities under VASP compliance India framework
The 2026 guidelines identify specific activities that require heightened scrutiny.
Initial Coin Offerings (ICOs) and token launches carry elevated money laundering and fraud risk. Firms facilitating these activities must apply EDD and assess the legitimacy of the issuer.
Transactions involving unhosted wallets (self-custodial wallets not linked to a registered VASP) require additional verification of the customer’s relationship to the wallet.
Mixing services, tumblers and privacy-enhancing technologies are flagged as inherently high-risk. Firms must have policies governing whether to permit transactions involving these tools and must document their risk rationale.
Peer-to-peer (P2P) trading platforms face particular challenges because counterparty identification is harder. The guidelines expect P2P platforms to implement controls that achieve equivalent CDD outcomes.
Where most VASPs fall short on VASP compliance in India
Based on our work with VDA SPs across India, here are the VASP compliance India gaps we see most frequently.
Policies exist on paper but not in practice. Many firms drafted AML policies to satisfy registration requirements. Those policies have not been updated since inception, tested through training or stress-tested through independent review.
No independent AML audit. The 2026 guidelines expect periodic external review of the AML/CFT program. Most VASPs have never conducted one. An independent audit identifies weaknesses that internal teams cannot see and provides documented evidence of compliance effort.
Training gaps. Compliance staff, customer-facing teams and senior management all need role-appropriate AML training. Annual training is the minimum. Many VASPs have conducted no formal training since registration.
Remediation backlog. Firms that received observations during registration or from banking partners often have unresolved remediation items. These create compounding risk as regulatory expectations increase.
No Travel Rule solution. As noted above, most Indian VASPs lack the technical infrastructure to comply with Travel Rule requirements. This gap will become critical as CARF implementation approaches.
How Compliance7 supports Indian VASPs
At Compliance7, we work with VDA SPs across the full compliance lifecycle. Our team brings 12+ years of AML/CFT consulting experience across banking, fintech and crypto sectors, with CAMS-certified professionals who understand both the regulatory framework and the operational reality of running a VASP in India.
FIU-IND registration support
For firms that have not yet registered, we handle applicability assessment, entity categorisation, FINGate portal onboarding and DD/PO appointment guidance. For a detailed walkthrough of the registration process, see our FIU-IND Registration Guide.
AML/CFT policy and procedure drafting
We draft policies tailored to your business model, risk profile and customer base. This includes CDD/EDD procedures, sanctions screening protocols, STR escalation workflows and record-keeping frameworks that meet the 2026 guidelines.
Independent AML audit
Our audit covers governance, CDD, transaction monitoring, STR quality, sanctions screening, training and record-keeping. You receive a detailed findings report with prioritised remediation recommendations.
Remediation support
If you have received regulatory observations, banking partner concerns or internal audit findings, we help you close the gaps with practical fixes rather than theoretical recommendations.
Training programs
We deliver role-specific AML training for compliance teams, front-line staff and board members. Training programs are customised to the VDA sector and cover the 2026 guidelines, red flag indicators and reporting obligations.
Ongoing compliance advisory
Regulatory requirements evolve. We provide ongoing support to keep your program current, including regulatory change monitoring, periodic policy updates and STR quality reviews.
Whether you are a crypto exchange, custodian wallet provider, P2P platform, NFT marketplace, DeFi protocol or token issuer, the compliance obligations are the same. The question is whether your program can withstand scrutiny.
This article is for informational purposes only and does not constitute legal or regulatory advice. For guidance specific to your business, consult a qualified compliance professional.
If your organisation needs help navigating these requirements, book a free consultation to assess your compliance program against the 2026 FIU-IND guidelines and identify the gaps that matter most for your business.
