Key Highlights
- FIU-IND has issued updated compliance guidelines for crypto and VDA firms operating in India.
- Mandatory CERT-In cybersecurity audits and clearer Principal Officer responsibilities introduced.
- Travel Rule norms tightened, with added scrutiny on unhosted wallet and P2P transactions.
The Financial Intelligence Unit of India (FIU-IND) has issued updated guidelines for crypto and virtual digital asset (VDA) companies, tightening compliance norms around governance, cybersecurity, and transaction monitoring.
The guidelines apply to crypto exchanges and VDA service providers registering or operating in India. The move comes as FIU continues to widen its oversight over crypto platforms.
Principal officer role spelt out
A key part of the update focuses on the Principal Officer (PO).
FIU-IND has clearly defined the role, responsibility, and reporting structure of the PO. The officer will be responsible for anti-money laundering, countering the financing of terrorism, and counter-proliferation financing obligations.
The PO must report directly to the board of directors or a board-level committee. The guidelines also state that the board must review the PO’s appointment every year.
For many exchanges, this puts formal structure around a role that earlier existed largely on paper.
Cybersecurity audit is now mandatory
The updated guidelines also make cybersecurity audits compulsory.
Crypto firms will now have to submit a Cyber Security Audit Certificate issued by an auditor empanelled with CERT-In. The audit must confirm compliance with CERT-In directions and applicable cybersecurity standards.
“The audit shall be comprehensive and proportionate in coverage across all critical risk domains, and the audit report shall certify whether the audited environment is adequately safe to host and operate the notified VDA activities,” the guidelines said.
The audit will cover governance controls, access management, infrastructure and network security, application security for KYC and transaction monitoring systems, wallet security, cryptographic controls, backup and recovery, and third-party risks involving cloud services and APIs.
Incident response capability and readiness to report to CERT-In will also be reviewed.
Travel rule and unhosted wallet transactions
FIU-IND has also clarified how crypto firms must implement travel rule requirements.
VDA service providers will have to collect and maintain detailed originator and beneficiary information for each transaction. The data must be verified and transmitted before or during a transfer.
The guidelines also require exchanges to carry out due diligence and sanction screening on counterparties.
A notable addition is the treatment of unhosted wallets. Reporting entities must collect information on transactions involving unhosted wallets, assess the risk, and apply enhanced due diligence measures where needed. This applies to peer-to-peer transfers that pass through an exchange as well.
Industry reaction
Industry players say the guidelines largely formalize existing expectations.
“This isn’t just a compliance update; it’s a strategic signal that India is ready to lead in the digital asset space through a balanced approach of innovation and financial stability… From an investor standpoint, this oversight transforms VDA platforms into accountability-driven entities,” said Sumit Gupta, Co-founder, CoinDCX.
“These rules were always around as best business practices to follow, but now FIU has put this in pen and paper,” said Vikram Subburaj, Co-founder and CEO, Giottus.
Subburaj said the guidelines clearly explain the responsibilities of roles like the Principal Officer and provide operational clarity on how travel rule data must be collected and processed.
Part of a broader enforcement push
The updated guidelines come days after FIU-IND brought 49 crypto exchanges under its oversight, expanding compliance requirements to a wider set of platforms, including offshore exchanges serving Indian users.
This has increased pressure on exchanges to align fully with Indian AML and reporting norms.
At the same time, the industry is watching the Union Budget 2026 closely. There is growing expectation that clarity on taxation and compliance could help bring crypto trading activity back to India, after volumes shifted offshore over the last few years.
What users are still asking
Many users are still unclear about how these changes affect them.
Unhosted wallets and peer-to-peer transfers are not banned. However, users may see additional verification, data collection, or delays for certain transactions, especially when exchanges flag higher risk.
Another concern is whether smaller exchanges can absorb the cost of audits and compliance. Over time, the tighter rules could lead to fewer but more regulated platforms operating in India.
For now, FIU-IND’s message is simple: crypto businesses can operate, but only under strict monitoring and reporting standards.
