// COMPLIANCE & AUDIT

FIU-IND Compliance (Crypto & VDA)

AML compliance advisory for Virtual Digital Asset service providers registering with FIU-IND.

FIU-INDRegistration
PMLA2002
FATFRec. 16
TravelRule Compliance
Overview

FIU-IND Compliance for Crypto & Virtual Digital Asset Businesses

India's Financial Intelligence Unit (FIU-IND) brought Virtual Digital Asset (VDA) service providers under the Prevention of Money Laundering Act 2002 (PMLA) through the 2023 PMLA (Maintenance of Records) Amendment Rules. VDA entities — including crypto exchanges, VDA custodians, VDA transfer services, and issuers of VDAs — are now required to register with FIU-IND, implement KYC/Customer Due Diligence (CDD) programmes, file Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs), and maintain records for five years.

Intelliroot's FIU-IND compliance programme covers the full PMLA/VDA obligation landscape — from FIU-IND registration readiness and KYC/AML control design to Travel Rule implementation (FATF Recommendation 16) for crypto transfers and DPDP Act 2023 compliance for the personal data of VDA users. Our team has direct experience with the intersection of financial crime compliance, blockchain transaction monitoring, and Indian data protection requirements that is unique to the VDA sector.

PMLA 2002 FIU-IND Directions 2023 FATF Rec. 16 DPDP Act 2023
Why This Matters

Why FIU-IND Compliance Is Non-Negotiable for VDA Businesses

Operating Without Registration Is Unlawful

VDA service providers operating in India without FIU-IND registration under PMLA are operating unlawfully. FIU-IND has issued show-cause notices and directed blocking of non-registered VDA platforms — the business risk of non-compliance is existential.

KYC/AML Controls Are Technically Demanding

PMLA KYC/CDD requirements for VDA entities must address the pseudonymous nature of blockchain transactions, wallet address screening, on-chain transaction monitoring, and risk-based enhanced due diligence for high-risk customers and jurisdictions. Generic KYC frameworks from traditional finance are insufficient.

Travel Rule Has Technical Complexity

FATF Recommendation 16 requires VDA exchanges to collect, retain, and transmit originator and beneficiary information for crypto transfers above a threshold. Implementing the Travel Rule requires integration with Travel Rule protocols (IVMS101, TRP, or similar), counterparty VASP due diligence, and handling of unhosted wallet transfers.

DPDP Adds Data Protection Obligations

VDA platforms hold detailed financial and identity data on large numbers of users. The DPDP Act 2023 imposes consent, data minimisation, and breach notification obligations on this data. FIU-IND's 5-year record-keeping requirement must be reconciled with DPDP's storage limitation principles.

Scope

What the FIU-IND Compliance Programme Covers

FIU-IND Registration & AML Programme

  • FIU-IND registration readiness assessment
  • AML/CFT policy and programme design
  • Principal Officer appointment and obligations
  • Internal controls and audit programme for AML

KYC / CDD Controls

  • KYC/CDD framework design for VDA customers
  • Risk-based customer due diligence tiers
  • PEP and sanctions screening implementation
  • Enhanced due diligence for high-risk customers

STR / CTR & Record-Keeping

  • Suspicious Transaction Report process design
  • Cash Transaction Report (CTR) threshold controls
  • 5-year record retention system and controls
  • On-chain transaction monitoring tool assessment

Travel Rule & DPDP Alignment

  • Travel Rule protocol selection and implementation review
  • Counterparty VASP due diligence process
  • Unhosted wallet transfer handling procedures
  • DPDP Act 2023 alignment for user data under PMLA
Methodology

Our FIU-IND Compliance Approach

01

Obligation Mapping & Gap Assessment

Map all applicable FIU-IND, PMLA, and FATF obligations to your entity type and business model. Conduct a structured gap assessment of existing KYC, AML, and record-keeping controls against PMLA requirements and FIU-IND Directions 2023.

02

AML Programme Design & Documentation

Design or enhance the AML/CFT programme — including the written KYC/CDD policy, risk assessment methodology, STR/CTR processes, Principal Officer mandate, and staff training programme — to meet FIU-IND requirements.

03

Technology & Controls Assessment

Assess the effectiveness of transaction monitoring tools, wallet screening solutions, and KYC technology against PMLA/FATF requirements. Identify coverage gaps for blockchain-specific risks including mixer usage, high-risk jurisdictions, and on-chain red flags.

04

Travel Rule Implementation Review

Assess or design the Travel Rule implementation — covering protocol selection, counterparty VASP due diligence, originator/beneficiary data collection and transmission, and unhosted wallet handling procedures aligned to FATF Recommendation 16 and emerging Indian regulatory guidance.

05

FIU-IND Registration Support & Roadmap

Prepare the FIU-IND registration documentation package, compile the compliance evidence bundle, and deliver a remediation roadmap for outstanding AML and DPDP gaps — providing a clear path to compliant registration and ongoing obligations management.

Regulatory Coverage
FIU-IND PMLA 2002 VDA / Crypto KYC / CDD STR / CTR Travel Rule FATF Rec. 16 Transaction Monitoring DPDP Act 2023 Crypto Compliance
FAQ

Frequently Asked Questions

The PMLA 2023 amendment requires registration for entities providing VDA services including exchange between VDAs and fiat currencies, exchange between different VDAs, transfer of VDAs, safekeeping or administration of VDAs, and participation in and provision of financial services related to VDA issuance or sale. This covers crypto exchanges, custodians, OTC desks, DeFi interface providers, and VDA payment processors operating in India or serving Indian customers.
The Travel Rule (FATF Recommendation 16) requires VDA service providers to collect, retain, and transmit originator and beneficiary information (name, account/wallet address, identification number) for VDA transfers above specified thresholds. For transactions between registered VASPs, this data must travel with the transaction. For transfers to unhosted wallets, enhanced due diligence applies. India has not yet issued its own Travel Rule threshold but FATF sets a global threshold of USD/EUR 1,000.
This is a genuine tension. DPDP Act's storage limitation principle requires personal data to be deleted once the purpose is served. PMLA's 5-year retention requirement creates a legal basis for retaining KYC and transaction records for the mandated period. We help clients implement a retention framework that satisfies PMLA's minimum retention while applying DPDP-compliant deletion processes to non-mandatory data categories and respecting data principal rights within the bounds of the PMLA exemption.
Yes. A critical component of FIU-IND compliance is having a defensible, documented process for identifying, escalating, and filing Suspicious Transaction Reports — including the tipping-off prohibition, internal escalation to the Principal Officer, and secure FIU-IND submission. We design the end-to-end STR process, create the internal investigation templates, and train the compliance and operations teams on STR obligations.

Deliverables

FIU-IND Registration Readiness Report

Comprehensive gap assessment of the entity's readiness for FIU-IND registration under PMLA, covering all required programme components with compliance status ratings.

AML/CFT Programme Documentation

Complete AML programme documentation suite — written KYC/CDD policy, risk assessment methodology, STR/CTR process, Principal Officer mandate, and staff training materials.

Technology Controls Assessment

Assessment of transaction monitoring, wallet screening, and KYC technology against PMLA/FATF requirements, with coverage gap findings and tool enhancement recommendations.

Travel Rule Compliance Framework

Travel Rule implementation design covering protocol selection, counterparty VASP due diligence process, data collection and transmission procedures, and unhosted wallet handling.

Remediation Roadmap

Prioritised remediation plan for outstanding AML, Travel Rule, and DPDP compliance gaps — with effort estimates, implementation sequencing, and FIU-IND registration timeline alignment.

Related Services in Compliance & Audit

ISO 27001 Gap Assessment ISO 27001 Internal Audit SOC 2 Readiness PCI DSS Compliance
GET STARTED
Accepting New Engagements · 24h Response

Request a Security Assessment

Tell us about your environment and security objectives. We'll design a bespoke assessment and deliver a detailed proposal within 48 hours.

Scoping Call with a Certified Consultant 45-minute deep-dive with a senior practitioner — no sales pitch.
Proposal Delivered in 48 Hours Fully scoped engagement plan with pricing and timeline.
Free Attack Surface Analysis Preliminary external exposure report at no cost.
Fully Confidential. NDA Available. No obligation. Your data is never shared.
200+ Engagements
40+ Services
98% Satisfaction
CERT-In Empanelled ISO 27001 OSCP · CEH · CISSP
1
You
2
Service
3
Details

About You

We'll use this to route you to the right expert.

What Do You Need?

Select all that apply — you can pick multiple.

Select at least one area to continue.

Final Details

Optional context to help us scope your engagement.

By submitting, you agree to our Privacy Policy. We'll never share your data.