
The updated guidelines for combating money laundering and terrorist financing, notified by the Financial Intelligence Unit - India (FIU-IND), may enhance compliance requirements for cryptocurrency exchanges and raise entry barriers for new market participants, according to industry executives.
Under the updated framework for anti-money laundering (AML) and counter-terrorist financing (CTF), notified on January 8, virtual digital asset (VDA) service providers must undergo mandatory cyber security audits by professionals accredited by the Indian Computer Emergency Response Team (CERT-In).
FIU-IND has also made registration with the agency mandatory for entities offering VDA-related services to strengthen regulatory oversight of the sector.
Rajagopal Menon, vice president at WazirX, said the updated guidelines largely formalise compliance practices by removing long-standing ambiguity around expectations.
“This is essentially a formalisation of the rules of the game. Leading exchanges were already following global best practices and bank-level compliance standards, but there were no formal rules. Now the contours are clearly defined, and everyone knows what is expected,” Menon told ET.

The guidelines introduce a detailed registration process on the FINGate portal, along with mandatory in-person meetings, which could make fresh registrations more difficult and slow the entry of new platforms, while also driving away bad actors.
Sumit Gupta, cofounder of cryptocurrency exchange CoinDCX, said the framework strengthens the integrity of the ecosystem by imposing stricter oversight.
“The FIU-IND’s refined guidelines provide the structural guardrails necessary for a safe digital asset market. By mandating rigorous reporting and cybersecurity audits, these norms effectively weed out bad actors and sanitise the ecosystem,” Gupta said, adding that the changes signal a more structured and mature digital asset market in India.
In March 2023, FIU-IND had released the AML and CFT guidelines outlining compliance requirements for entities providing services related to virtual digital assets, bringing them under the ambit of the Prevention of Money Laundering Act (PMLA), 2002.
Executives and lawyers also pointed out that the latest move will improve investor confidence in the asset class.
“The guidelines signal a positive intent and bring transparency and accountability in the ecosystem, thereby enabling responsible players to enter and thrive,” said Anirban Mohapatra, partner, Cyril Amarchand Mangaldas. “A rule-based system with clear oversight and cybersecurity audit requirements will improve confidence of investors and help build resilience in the ecosystem.”
The guidelines also tighten customer onboarding norms, removing long-standing grey areas around know-your-customer (KYC) processes. Platforms are now required to capture detailed user information, including income, occupation, bank account details, geo-location data, liveness detection during onboarding, and one-time password (OTP)-based verification of contact details.
While this could improve regulatory confidence and reduce misuse of crypto platforms, it may also increase onboarding friction and impact user acquisition, particularly among retail users.
For existing players, the updated rules place greater emphasis on governance and accountability. VDA firms must appoint a designated director responsible for AML and CFT compliance, while principal officers overseeing AML and CFT compliance will be required to report directly to the board or a board-appointed committee, increasing personal and organisational liability for regulatory lapses.
Vimal Sagar Tiwari, cofounder of crypto exchange CoinSwitch, said making FIU registration mandatory before commencing VDA-related business strengthens oversight and accountability across the ecosystem.
“The emphasis on the role of a designated director ensures clear senior-level accountability, embedding AML and CFT obligations into business strategy and decision-making. By mandating board-level oversight, the guidelines strengthen governance and improve risk management, enabling responsible innovation while deterring bad actors,” said Tiwari.
The mandatory annual risk-based assessments, independent internal audits, enhanced transaction monitoring systems, and monthly reporting requirements are expected to push up ongoing compliance costs, especially for smaller and less funded platforms, executives noted.
In October last year, FIU-IND issued notices to 25 offshore cryptocurrency exchanges for non-compliance with the PMLA, 2002. The exchanges included Huione, Paxful, Changelly and BitMex, which were found to be providing service to Indian users without registering with the regulator.
Till now, India’s crypto industry has operated in a legally permitted but largely unregulated space. While holding and trading cryptocurrencies is not banned, the sector lacked an overarching regulatory framework, with oversight coming largely through taxation and anti-money laundering provisions rather than sector-specific rules.
The space has also seen a series of high-profile cyber-attacks in recent years, including incidents involving major exchanges, such as CoinDCX and WazirX.
The WazirX hack in July 2024, which resulted in losses of over $230 million, remains the largest known cyberattack on an Indian crypto exchange. The breach was later linked to North Korea–affiliated hacking groups, including the Lazarus Group.










