News Alert
The Enforcement Directorate has issued detailed compliance guidelines for Virtual Asset Service Providers (VASPs) under the Prevention of Money Laundering Act, covering KYC norms, transaction monitoring, and suspicious transaction reporting.
PMLA Obligations for VASPs — Framework Overview
Following the amendment of the Prevention of Money Laundering Act (PMLA) in 2023 to include Virtual Asset Service Providers (VASPs) as reporting entities, the Enforcement Directorate has now issued comprehensive operational guidelines specifying the KYC, transaction monitoring, and reporting obligations of crypto exchanges, wallet providers, and other VASPs registered with the Financial Intelligence Unit-India (FIU-IND). The guidelines took effect from March 1, 2026 and apply to all entities registered as VASPs with FIU-IND.
Under the guidelines, VASPs must implement a three-tier KYC process: basic KYC for low-value transactions (below Rs 50,000 per year), standard KYC for transactions between Rs 50,000 and Rs 10 lakh, and enhanced due diligence (EDD) for all transactions above Rs 10 lakh and for politically exposed persons (PEPs) regardless of transaction amount. The KYC must be completed before the customer's first transaction, and periodic KYC refresh is required annually for high-risk customers and every three years for others.
Transaction Monitoring and STR Filing
VASPs are required to implement automated transaction monitoring systems capable of flagging suspicious patterns including large transactions that are inconsistent with the customer's stated purpose, rapid movement of funds between wallets without apparent economic purpose (layering indicators), transactions with entities on OFAC, UN, or India-specific sanctions lists, and transactions involving privacy coins or mixing services that obfuscate the transaction trail. The monitoring system must generate automated alerts for manual review by a designated principal officer.
Suspicious Transaction Reports (STRs) must be filed with FIU-IND within seven working days of the transaction being flagged as suspicious. The guidelines note that the obligation to file an STR arises regardless of whether the transaction is completed or attempted — attempted transactions that appear suspicious must also be reported. VASPs are prohibited from "tipping off" the customer that an STR has been filed or that the transaction is under investigation, consistent with the tipping-off prohibition under Section 8A of the Prevention of Money Laundering Act.
Compliance Programme and Penalties
All registered VASPs must designate a Principal Officer responsible for PMLA compliance and a Deputy Principal Officer as backup. The Principal Officer must be a senior management employee with direct access to the board and must submit a quarterly compliance report to the board. An annual independent audit of the VASP's AML/CFT programme by a PMLA-qualified auditor is mandated, with the audit report to be submitted to FIU-IND by June 30 of each year.
Failure to comply with PMLA obligations exposes VASPs and their officers to prosecution under the PMLA, with penalties including imprisonment of up to seven years and fines up to Rs 1 crore per violation. FIU-IND has the authority to suspend or cancel the VASP's registration for non-compliance. Given the regulatory and reputational risks, VASPs should prioritise implementing compliant AML/CFT programmes and should engage experienced PMLA compliance advisors to review and strengthen their existing frameworks.
This regulatory update is provided for general information purposes. It does not constitute legal or tax advice. Please consult a qualified advisor before taking any action based on this information.