The India FIU-IND AML/CFT Guidelines for VDA Service Providers are Financial Intelligence Unit – India guidance for reporting entities that provide services related to virtual digital assets. As of June 5, 2026, the framework is in force, with the original FIU-IND guidelines effective from March 10, 2023 and an updated version listed by FIU-IND as of January 8, 2026. The profile should be read with Ministry of Finance notification S.O. 1072(E), which brought specified VDA activities within India’s Prevention of Money Laundering Act framework.
Scope of the FIU-IND VDA AML/CFT guidelines
The framework applies to service providers engaged in specified VDA activity for or on behalf of another natural or legal person in the course of business. Covered activity includes exchanges between VDAs and fiat currencies, exchanges between one or more VDAs, VDA transfers, safekeeping or administration of VDAs or instruments enabling control over VDAs, and financial services connected to an issuer’s offer or sale of a VDA.
FIU-IND’s original guidance states that it applies to service providers and explains how they should implement AML/CFT/CPF obligations. It focuses on VDAs that are convertible to other funds or value, including VDAs that convert to other VDAs, to fiat, or otherwise intersect with the fiat financial system. Central bank digital currencies are outside the scope of the guidance because they are digital representations of fiat currency.
Key obligations for VDA service providers
The guidelines place VDA SPs within India’s reporting-entity architecture. VDA SPs are expected to register with FIU-IND as reporting entities, maintain an AML/CFT/CPF program, adopt internal policies and controls, conduct training and internal audit, and appoint both a Designated Director and a separate Principal Officer.
- KYC and CDD: Service providers must have a mechanism for KYC before onboarding clients or wallets, avoid anonymous, pseudonymous or fictitious wallets, identify beneficial ownership, and maintain accurate customer information.
- EDD and sanctions screening: The guidance treats VDA activity as higher ML/TF/PF risk and calls for enhanced due diligence where risk is higher, including for PEPs and higher-risk jurisdictions. Sanctions screening should occur during onboarding and when a VDA transfer is initiated.
- Reporting: Suspicious transactions, including attempted transactions, must be reported to FIU-IND no later than seven working days after suspicion is formed. Reports may include indicators such as IP addresses, device identifiers, wallet addresses and transaction hashes.
- Records and safeguards: Records must generally be retained for at least five years after the business relationship ends or the account is closed. The guidance also calls for system controls, privacy safeguards, encryption and records sufficient to reconstruct transactions.
Transfers, unhosted wallets and the Travel Rule
FIU-IND treats transfers, exchanges of VDAs for VDAs, and exchanges of VDAs for fiat currencies on the lines of wire transfers. The Travel Rule portion of the guidance calls for required and accurate originator information and required beneficiary information, transmitted immediately and securely to the beneficiary service provider or financial institution where applicable and made available to authorities on request.
Transfers involving unhosted wallets are categorized as high risk when either the originator or beneficiary wallet is not hosted by a service provider that is an obliged entity. The onus of compliance falls on the obliged entity where at least one wallet is hosted, with scope for additional controls on unhosted-wallet transfers.
Status and enforcement context
FIU-IND’s downloads page lists the VDA AML/CFT guidelines as updated on January 8, 2026. The same page lists the original March 10, 2023 guidance and subsequent registration circulars. A September 15, 2025 registration circular describes registration as a prerequisite for VDA SPs and sets out process expectations including in-person review, information submissions, PACT certificates in relevant partner relationships, cybersecurity audit materials and live demonstrations of compliance systems.
In October 2025, the Press Information Bureau said FIU-IND had issued notices to 25 offshore VDA service providers and described the PMLA obligations as activity-based rather than dependent on physical presence in India. That position makes the framework relevant to both onshore and offshore VDA SPs that carry out notified activities for or on behalf of persons in the course of business.