Update – AML & CFT Guidelines For Reporting Entities Providing Services Related To Virtual Digital Assets, 2026

The Financial Intelligence Unit, Ministry of Finance, Government of India ("FIU-IND") has issued the updated "AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets" on January 08, 2026 ("2026 Guidelines") effectively replacing the erstwhile AML & CFT Guidelines issued on March 10, 2023 ("2023 Guidelines").

While the 2026 Guidelines for the most part, retain the broad AML/CFT architecture set out under the 2023 Guidelines, they consolidate the operational requirements earlier prescribed through multiple circulars and guidance documents issued by the FIU-IND from time to time, most notably the 'Circular for Registration of Virtual Digital Asset Service Providers (VDA SPs) in FIU India as Reporting Entity (RE)' dated September 15, 2025 ("2025 Registration Circular"), and the 'Guidance for Principal Officer (PO) – Minimum Requirements and Qualifications' dated February 25, 2025 ("PO Guidance"), which was not available in the public domain.

In effect, FIU-IND has now streamlined this AML/CFT framework into a single guidance document, consolidating multiple requirements (which were earlier scattered and/or not publicly accessible) to be adhered by Virtual Digital Asset Service Provider reporting entities ("VDASP REs").

We have captured the key highlights and changes in the 2026 Guidelines below:

1. FIU Registration Framework consolidated into the 2026 Guidelines.

1.1. One of the key features of the 2026 Guidelines is that they substantively incorporate and codify the end-to-end registration framework for VDASPs that was earlier set out through FIU-IND's 2025 Registration Circular.

1.2. Specifically, the 2026 Guidelines now contain a dedicated chapter titled "Registration of VDASPs with FIU-IND",¹ which absorbs and streamlines the procedural requirements introduced under the 2025 Registration Circular, covering the FINGate-based initiation of registration, issuance of temporary reference IDs, detailed document/information submissions, operational readiness checks, and the mandatory in-person meeting with live demonstrations of AML/CFT systems amongst others.

2. Minimum requirements and qualifications of a PO.

2.1. The 2026 Guidelines now specifically incorporate the minimum eligibility requirements for appointment of a Principal Officer ("PO"), which were set out under the PO Guidance, including, the following: -

1. The PO must be a sufficiently senior officer at the management level at the VDASP RE who is exclusively responsible for ensuring adherence with the requirements under Chapter IV of Prevention of Money Laundering Act, 2002 and not be actively involved in other business or operational activities of the VDASP RE.
2. The PO must be exclusively engaged with the VDASP RE on a full-time basis and cannot concurrently be engaged with another entity.
3. The PO should be thoroughly knowledgeable about legal issues surrounding the Anti Money Laundering ("AML") framework, PMLA, AML/Terror Financing ("TF") risks and vulnerabilities, etc. and must have at least three (3) years of experience relating to this skill set.
4. The PO should be permanently involved in high level decisions, which evaluate the ML/TF risks associated with products, services, delivery channels etc. and must have sufficient resources and support staff to effectively carry out implementation of the AML/TF program of the VDASP RE.
5. The PO should enforce timelines and compliances relating to AML/TF as well as requests made by the FIU-IND. The PO should also frequently review AML/TF functions and place the same before the Board of Directors ("Board") / sub-committee of the VDASP RE preferably on a quarterly basis, etc.²

2.2. While the erstwhile PO Guidance stated that the "PO should be preferably based out of India...", the 2026 Guidelines now expressly require that the "PO should be based in India...". This change materially tightens the compliance position and is particularly relevant for multi-jurisdictional entities, where senior management and compliance personnel may be distributed across multiple locations (including outside India). Such entities may need to reassess their PO appointment and reporting structures to ensure alignment with the aforesaid revised requirement under the 2026 Guidelines.

3. Clear delineation of roles and responsibilities – DD & PO

3.1. The erstwhile 2023 Guidelines collectively captured the roles, responsibilities and obligations of a Designated Director ("DD") and a Principal Officer ("PO") in establishing effective mechanisms for combating money laundering, countering terrorist financing, and combating proliferation financing.³ However, now the 2026 Guidelines clearly differentiate between the roles, responsibilities and obligations of a DD⁴ and the PO.⁵

3.2. Responsibilities of the DD: The 2026 Guidelines further clarify the functions of the DD as a person responsible for ensuring the overall compliance of the VDASP RE with the AML / TF obligations prescribed under Chapter IV of the PMLA. Additionally, certain new responsibilities / obligations have been expressly identified for the DD under the 2026 Guidelines, as below:

1. Evolve internal mechanisms for adherence to the procedure and manner of maintaining information as prescribed by the FIU-IND from time to time including proper upkeep of Customer Due Diligence ("CDD") records, transaction records and other related documents;
2. Evolve an internal mechanism in adherence with the procedure and manner for furnishing information to FIU-IND as prescribed under Rule 7 of the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 ("PMLR"); and
3. Be responsible for carrying out risk assessment identify, assess and take effective measures to mitigate AML/TF risks with respect to clients, products, services, transactions etc.

3.3. Responsibilities of the PO: The 2026 Guidelines introduce a few additional and more granular implementation related responsibilities and obligations for the PO, as set out below:

1. Analysis and decision-making in relation to the alert governance framework, including verification and retention of relevant records and documents for audit purposes;
2. Recording of reasons for treating any transaction / series of transactions as suspicious transactions and ensuring that there is no undue delay in determining such transactions as suspicious;
3. Decision making in relation to non-reportability of certain alerted transactions and recording the reasons for such decisions;
4. Periodic review of the list of alerted transactions and the reporting mechanisms in the VDASP RE to ensure continued compliance. This will also include conducting surprise checks of the data being monitored by the AML compliance team of the VDASP RE to avoid / mitigate any gap.⁶

3.4. Additionally, the 2026 Guidelines also require the PO to report the following matters to the Board or a designed sub-committee (if any) on an annual basis:

1. Assessment of the effectiveness of the AML/TF program of the VDASP RE and identification of any risks or vulnerabilities thereof;
2. Summary of suspicious transaction reports and other reports prescribed under the PMLA and PMLR;
3. Proposed changes to the AML/TF policy of the VDASP RE;
4. Any instructions, red-flag indicators, guidance etc. issued by the FIU-IND from time to time; etc.

4. Risk Classification Identified.

4.1. The 2026 Guidelines strengthen internal control and oversight by requiring a more standardised and governance-driven approach towards risk assessment and client risk classification.

4.2. Under the revised framework, risk assessments must be formally documented, proportionate and subject to Board-driven periodicity, with an express safeguard that the interval between two risk assessments must not exceed one year.⁷

4.3. Importantly, client risk classification is now expressly required to be conducted through a Board approved framework which, at a minimum, categorises clients into High Risk and Medium Risk buckets (with flexibility to create additional categories as necessary). The Guidelines further mandate a periodic review of such client risk classification at least once every six months.⁸

To view the full article, click here.

Footnotes

1. Chapter 2 of the 2026 Guidelines.

2. Now captured under Paragraph 3.2 of the 2026 Guidelines.

3. Paragraph 5.4.2 of the 2023 Guidelines.

4. Paragraph 3.1 of the 2026 Guidelines.

5. Paragraph 3.3 of the 2026 Guidelines.

6. Paragraph 3.3 of 2026 Guidelines.

7. Paragraph 3.6.1(d) of 2026 Guidelines.

8. Paragraphs 3.6.2(a) and 3.6.2(c) of 2026 Guidelines.

Originally published 20 January 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.