On 8 January 2026, the Financial Intelligence Unit – India (FIU-IND) – the country’s central financial crime-monitoring authority under the Ministry of Finance – published a major update to the AML (Anti-Money Laundering) & CFT (Countering Finance of Terrorism) Guidelines specifically for Virtual Digital Asset Service Providers (VDA SPs).

These rules are now the single biggest regulatory development for crypto and digital asset services in India – and they matter not just for crypto exchanges and blockchain companies but for every Indian user, investor, developer, regulator, and citizen concerned about financial safety, fraud prevention, and transparency.

“Virtual Digital Assets” include:

• Cryptocurrencies

• Non-fungible Tokens (NFTs)

• Tokens, stablecoins, and similar digital assets

In India, these are not just tech buzzwords – they have been defined under the Income Tax Act and now regulated for financial crime purposes by FIU-IND.

Until now, crypto and digital asset sectors operated in a regulatory grey zone: taxed, but not directly regulated like banks or stock markets. The 8 January 2026 FIU-IND Guideline changes that - it brings VDA service providers firmly into India’s financial compliance framework similar to banks, NBFCs and other financial institutions.

This is significant because India has seen rapid growth in digital asset usage - and regulators want to ensure the ecosystem is not abused for:

• Money laundering

• Terrorist financing

• Fraud and financial crime

• Illegal fund flows

So this isn’t just a compliance update for businesses – it’s a national financial security measure.

All entities providing services related to Virtual Digital Assets, whether they are:

• Crypto exchanges (centralized or decentralized)

• Wallet providers

• Custodians

• NFT platforms

• VDA brokers

• Payment service providers dealing with crypto

• Offshore platforms serving Indian users

These must register with FIU-IND and comply with the guidelines – even if they do not have an office in India but serve Indian customers.

One of the landmark parts of the new guidelines is how users must be verified - making sure a person on a digital asset platform is who they say they are. The requirements include:

Strong KYC (Know Your Customer)

Platform operators must collect:

• Your Permanent Account Number (PAN)

• Government ID (Aadhaar/Passport/Voter ID)

• Live selfie verification with liveliness detection (to prevent deepfakes)

• Geolocation data (latitude + longitude)

• IP address

• Time and date stamp

• Bank account verification with a penny-drop method

This goes beyond basic ID checks – it’s meant to ensure identity, presence and traceability of every user.

Verification doesn’t stop after signup. The guidelines require:

• Continuous transaction monitoring

• Risk scoring and behavior analytics

• Enhanced checks for high-risk users (e.g., Politically Exposed Persons, sanctioned individuals, wallets linked to crime)

• Periodic reviews and updates

This is meant to catch suspicious patterns, like structuring transactions or sudden large movements of funds that could signal wrongdoing.

When VDAs move between wallets – especially between different operators – the platform must collect and share data for:

• Originator (sender)

• Beneficiary (receiver)

This aligns with global anti-money laundering standards known as the “Travel Rule” - meaning every digital asset transfer is traceable.

If a platform detects:

• A suspicious transaction,

• A pattern of unusual activity,

• Or behavior that suggests money laundering or terrorism financing,

It must promptly file a Suspicious Transaction Report (STR) with FIU-IND. The rules strictly prohibit “tipping off” - platforms cannot inform the customer that a report has been filed.

Record Keeping: 5 Years of Data

Platforms must maintain:

• All user records

• Transaction data

• Compliance logs

for at least five years after an account closes. This ensures audit trails for investigations and law enforcement use.

An important addition in the 2026 update is that all VDA service providers must obtain a cybersecurity audit certificate from a CERT-In-empaneled auditor - making sure systems are robust and resilient against hacking or data breaches.

Every VDA service provider must:

• Appoint a Designated Director – responsible for compliance

• Appoint a Principal Officer - managing day-to-day AML/CFT obligations

• Regularly update FIU-IND on changes

• File periodic regulatory submissions with detailed reporting

These roles are senior leadership positions: failures here can have legal and operational consequences.

Certain activities that make tracing difficult are strongly discouraged or subject to tight restrictions, such as:

• Crypto tumblers and mixers

• Anonymity-enhancing features

• Unhosted wallets without verification

These are common tools abusers use to cover illicit activity, and the guidelines target them.

FIU-IND does not just set guidelines – it enforces them. Offshore platforms that continue to operate without registration have already received legal notices, penalties, and even blocks on their websites or apps for non-compliance.

What This Means for Everyday Indians For Crypto Users

• You’ll undergo stricter onboarding

• Platforms must protect your identity and data

• Increased transparency and reduced fraud risk

For Investors

• Better safeguards against money laundering

• More credible and regulated exchanges to trade on

For Developers & Startups

• Compliance becomes a core requirement

• AML systems, cyber audits, and KYC tools are necessary, not optional

For Society and Law Enforcement

• Stronger tools to fight financial crime

• Ability to prosecute bad actors using digital assets

  

The FIU-IND AML & CFT Guidelines released on 8 January 2026 are more than a set of rules – they are India’s regulatory blueprint to bring crypto and digital asset services into a trusted, secure, and transparent financial system.

They strike a balance between innovation blockchain & digital finance and public safety with anti-money laundering, anti-terror financing, data integrity.

This marks a major milestone in India’s financial regulatory evolution, placing digital asset platforms under a regime similar to banks – not because they want to discourage innovation, but to ensure Indian users are protected and the system is resilient to misuse. As one of the leading VDA on/off‑ramp infrastructure providers, onramp.money follows robust KYC and AML standards.

you can read the full guidelines here - FIU INDIA - AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets

On 8 January 2026, the Financial Intelligence Unit – India (FIU-IND) – the country’s central financial crime-monitoring authority under the Ministry of Finance – published a major update to the AML (Anti-Money Laundering) & CFT (Countering Finance of Terrorism) Guidelines specifically for Virtual Digital Asset Service Providers (VDA SPs).

These rules are now the single biggest regulatory development for crypto and digital asset services in India – and they matter not just for crypto exchanges and blockchain companies but for every Indian user, investor, developer, regulator, and citizen concerned about financial safety, fraud prevention, and transparency.

“Virtual Digital Assets” include:

• Cryptocurrencies

• Non-fungible Tokens (NFTs)

• Tokens, stablecoins, and similar digital assets

In India, these are not just tech buzzwords – they have been defined under the Income Tax Act and now regulated for financial crime purposes by FIU-IND.

Until now, crypto and digital asset sectors operated in a regulatory grey zone: taxed, but not directly regulated like banks or stock markets. The 8 January 2026 FIU-IND Guideline changes that - it brings VDA service providers firmly into India’s financial compliance framework similar to banks, NBFCs and other financial institutions.

This is significant because India has seen rapid growth in digital asset usage - and regulators want to ensure the ecosystem is not abused for:

• Money laundering

• Terrorist financing

• Fraud and financial crime

• Illegal fund flows

So this isn’t just a compliance update for businesses – it’s a national financial security measure.

All entities providing services related to Virtual Digital Assets, whether they are:

• Crypto exchanges (centralized or decentralized)

• Wallet providers

• Custodians

• NFT platforms

• VDA brokers

• Payment service providers dealing with crypto

• Offshore platforms serving Indian users

These must register with FIU-IND and comply with the guidelines – even if they do not have an office in India but serve Indian customers.

One of the landmark parts of the new guidelines is how users must be verified - making sure a person on a digital asset platform is who they say they are. The requirements include:

Strong KYC (Know Your Customer)

Platform operators must collect:

• Your Permanent Account Number (PAN)

• Government ID (Aadhaar/Passport/Voter ID)

• Live selfie verification with liveliness detection (to prevent deepfakes)

• Geolocation data (latitude + longitude)

• IP address

• Time and date stamp

• Bank account verification with a penny-drop method

This goes beyond basic ID checks – it’s meant to ensure identity, presence and traceability of every user.

Verification doesn’t stop after signup. The guidelines require:

• Continuous transaction monitoring

• Risk scoring and behavior analytics

• Enhanced checks for high-risk users (e.g., Politically Exposed Persons, sanctioned individuals, wallets linked to crime)

• Periodic reviews and updates

This is meant to catch suspicious patterns, like structuring transactions or sudden large movements of funds that could signal wrongdoing.

When VDAs move between wallets – especially between different operators – the platform must collect and share data for:

• Originator (sender)

• Beneficiary (receiver)

This aligns with global anti-money laundering standards known as the “Travel Rule” - meaning every digital asset transfer is traceable.

If a platform detects:

• A suspicious transaction,

• A pattern of unusual activity,

• Or behavior that suggests money laundering or terrorism financing,

It must promptly file a Suspicious Transaction Report (STR) with FIU-IND. The rules strictly prohibit “tipping off” - platforms cannot inform the customer that a report has been filed.

Record Keeping: 5 Years of Data

Platforms must maintain:

• All user records

• Transaction data

• Compliance logs

for at least five years after an account closes. This ensures audit trails for investigations and law enforcement use.

An important addition in the 2026 update is that all VDA service providers must obtain a cybersecurity audit certificate from a CERT-In-empaneled auditor - making sure systems are robust and resilient against hacking or data breaches.

Every VDA service provider must:

• Appoint a Designated Director – responsible for compliance

• Appoint a Principal Officer - managing day-to-day AML/CFT obligations

• Regularly update FIU-IND on changes

• File periodic regulatory submissions with detailed reporting

These roles are senior leadership positions: failures here can have legal and operational consequences.

Certain activities that make tracing difficult are strongly discouraged or subject to tight restrictions, such as:

• Crypto tumblers and mixers

• Anonymity-enhancing features

• Unhosted wallets without verification

These are common tools abusers use to cover illicit activity, and the guidelines target them.

FIU-IND does not just set guidelines – it enforces them. Offshore platforms that continue to operate without registration have already received legal notices, penalties, and even blocks on their websites or apps for non-compliance.

What This Means for Everyday Indians For Crypto Users

• You’ll undergo stricter onboarding

• Platforms must protect your identity and data

• Increased transparency and reduced fraud risk

For Investors

• Better safeguards against money laundering

• More credible and regulated exchanges to trade on

For Developers & Startups

• Compliance becomes a core requirement

• AML systems, cyber audits, and KYC tools are necessary, not optional

For Society and Law Enforcement

• Stronger tools to fight financial crime

• Ability to prosecute bad actors using digital assets

  

The FIU-IND AML & CFT Guidelines released on 8 January 2026 are more than a set of rules – they are India’s regulatory blueprint to bring crypto and digital asset services into a trusted, secure, and transparent financial system.

They strike a balance between innovation blockchain & digital finance and public safety with anti-money laundering, anti-terror financing, data integrity.

This marks a major milestone in India’s financial regulatory evolution, placing digital asset platforms under a regime similar to banks – not because they want to discourage innovation, but to ensure Indian users are protected and the system is resilient to misuse. As one of the leading VDA on/off‑ramp infrastructure providers, onramp.money follows robust KYC and AML standards.

you can read the full guidelines here - FIU INDIA - AML & CFT Guidelines for Reporting Entities Providing Services Related to Virtual Digital Assets