
Understanding the Updated VDASP Guidelines: A Comprehensive Overview

  • Jan 21

Updated: Feb 3


The issuance of the updated Anti-Money Laundering (AML), Countering the Financing of Terrorism (CFT), and Combating Proliferation Financing (CPF) Guidelines for Virtual Digital Asset Service Providers (VDASPs) in January 2026 marks a decisive milestone in India’s crypto and digital asset ecosystem regulations. This follows the March 2023 notification from the central government, which brought entities providing services related to virtual digital assets under the Prevention of Money Laundering Act, 2002 (PMLA) as “reporting entities.” India has progressively tightened compliance obligations through successive notifications, all consolidated in the guidelines issued in January 2026. These guidelines introduce additional procedural and operational obligations for VDASPs.


By formally subjecting VDASPs to oversight by the Financial Intelligence Unit – India (FIU-IND), the Indian regulatory framework has moved toward enforceable compliance obligations. These include mandatory registration, governance standards, and risk-based AML/CFT controls grounded in the PMLA. The latest guidelines further enhance this framework and help operationalize India’s commitment to align with global standards, particularly those articulated by the Financial Action Task Force (FATF).


Meaning of “Virtual Digital Asset Service Provider”


The March 2023 notification introduced a function-based definition for VDASPs. According to this notification, a VDASP is any person or entity that, as a business, carries out any of the following activities for or on behalf of another person:


  1. Exchange between virtual digital assets and fiat currencies.

  2. Exchange between one or more forms of virtual digital assets.

  3. Transfer of virtual digital assets.

  4. Safekeeping or administration of virtual digital assets or instruments enabling control over such assets.

  5. Participation in, or provision of, financial services related to an issuer’s offer and sale of a virtual digital asset.


This definition is based on activity rather than on location or incorporation status, and applies irrespective of physical presence in India. This means that offshore platforms and cross-border service providers catering to Indian users are equally subject to the PMLA framework as Indian entities, as long as they engage in activities that fall within the scope of the definition.


The scope of regulated activities mirrors the FATF’s functional definition of “Virtual Asset Service Providers,” particularly as articulated in the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (2021). India has adopted this as a normative reference point for AML regulation.


By expressly covering transfers, custodial services, and issuance-related activities, the guidelines deliberately cast a wide regulatory net. This ensures that both centralized exchanges and other functionally similar service providers fall within the reporting entity regime overseen by the FIU-IND, consistent with the risk-based approach advocated by the FATF.


Mandatory Registration with FIU-IND


A central pillar of the VDASP guidelines is the requirement for mandatory registration with the FIU-IND. This requirement flows directly from the March 2023 notification, which states that no person shall carry on the activity of a Virtual Digital Asset Service Provider unless registered with FIU-IND. As of October 2025, fifty VDASPs have registered with FIU-IND.


The registration process is multi-step and includes submitting an extensive set of documents. These documents include details of the services offered, operational model, geographical scope, incorporation and corporate structure documents, tax returns, copies of agreements with ecosystem partners, and financial statements. An in-person meeting is also required.


The new guidelines have enhanced the registration criteria. The documents to be submitted to the FIU-IND now include a cybersecurity audit certificate from a CERT-In empaneled auditor and a Partner Accreditation for Compliance and Trust (PACT) certificate from FIU-registered VDASPs with whom the applicant has an ongoing or prospective relationship. Previously, a “fit and proper” certificate was required. In-person meetings now require a live demonstration of AML/CFT/CPF systems, including blockchain analytics tools and travel rule compliance.


Failing to register with FIU-IND may expose businesses to enforcement actions under the PMLA framework. Furthermore, FIU-IND may issue takedown notices requiring non-compliant entities to remove their application/URL from public access. This makes registration not just a procedural requirement but an essential legal step for operating as a VDASP catering to Indian users.


Upon registration, VDASPs become subject to the full spectrum of obligations applicable to “reporting entities” under the PMLA. This includes compliance with the Prevention of Money Laundering (Maintenance of Records) Rules, 2005 (PMLR), as amended. This classification has significant legal consequences: VDASPs are directly accountable to the FIU-IND for failures in reporting, record maintenance, or implementation of internal controls. They are also exposed to statutory penalties under the PMLA framework.


Governance Framework


The VDASP guidelines place particular emphasis on institutional governance and accountability. Every VDASP must appoint a Designated Director responsible for overall compliance with PMLA and PMLR. They must also appoint a Principal Officer in charge of implementation and compliance. This governance architecture closely follows the institutional accountability model prescribed by FIU-IND for other reporting entities, including banks and payment system operators.


However, Principal Officers of VDASPs must satisfy numerous eligibility conditions. These include being based in India at a senior management level not below Head of Audit/Risk/Compliance. They must also be exclusively engaged on a full-time basis and not be actively involved in the business or operational activities of the entity.


The Principal Officer is specifically tasked with the timely identification and reporting of suspicious transactions. They must ensure that internal policies are effectively implemented. The guidelines further require VDASPs to formulate internal mechanisms, policies, procedures, and controls to prevent money laundering, terrorist financing, and proliferation financing. This includes employee training programs and independent compliance audits. This approach reflects a conscious regulatory decision to impose parity of responsibility across sectors, irrespective of the technological form of the underlying asset.


Proactive Risk Management


The guidelines require VDASPs to implement measures to mitigate money laundering, terrorist financing, and proliferation financing risks inherent in virtual asset transactions. This is in strict accordance with the PMLA framework, extending traditional KYC obligations to virtual asset transactions:


  1. Robust Policies: VDASPs must establish robust policies for preventing money laundering, terrorist financing, and proliferation financing. These policies must undergo annual independent review to ensure their effectiveness. A concise summary of the policies is required to be prominently displayed on the VDASP’s website or mobile application.


  2. Periodic Risk Assessments: VDASPs are required to conduct and document periodic risk assessments to identify, evaluate, and mitigate risks across clients, geographies, products, services, and transactions. The board of the VDASP determines the frequency of risk assessments, but the gap between consecutive assessments must not exceed one year.


  3. Client Risk Classification: VDASPs must have a board-approved framework for risk classification of their clients, which must include at least high and medium risk categories. Criteria such as client identity, financial standing, nature of business, business location, geographical risk, types of products/services offered by the client, and types of transactions undertaken by the client should form the basis for such risk classification. The classification must be reviewed at least every six months to accommodate evolving risk patterns.


  4. Employee Screening and Training: VDASPs must undertake employee screening and maintain an ongoing employee training program to build organizational capacity for compliance.


  5. Client Acceptance Policies: VDASPs are required to implement customer due diligence (CDD) measures, monitor transactions on an ongoing basis, report suspicious transactions, and maintain records in strict accordance with the PMLR.


These measures mandate transparency, ensure independent oversight, and promote compliance capacity building. They are grounded in proactive risk management and governance aimed at strengthening institutional resilience against money laundering, terrorist financing, and proliferation financing risks.


Customer Due Diligence and Sanctions Screening


Some of these CDD obligations are not novel but are an extension of the compliance architecture already embedded in the PMLR. These include:


  1. Client Identification: Collecting PAN and verifying the identity of clients using reliable and independent sources at the commencement of an account-based relationship and periodically thereafter, or prior to carrying out specified transactions.


  2. Client Risk Profile: Developing a client risk profile based on available information, which is updated periodically.


  3. Continuous Monitoring: Continuous monitoring of client transactions and activities.


  4. Enhanced Due Diligence: Enhanced due diligence in cases involving high-risk customers or where money laundering, terrorist financing, or proliferation financing signals are present. This includes politically exposed persons, transactions involving tax havens, non-profit organizations, and virtual asset transfers to or from un-hosted wallets.


  5. Periodic Updates: Updating CDD of existing clients periodically, at least once every six months for high-risk clients and annually for all other clients.


  6. Documenting the CDD Program: Documenting the CDD program and having it approved by the VDASP’s board.


Additionally, VDASPs must collect technical details such as the client’s IP address with timestamp, geo-location coordinates, device ID, wallet addresses, and transaction hashes. To verify the credentials of the person accessing the application, VDASPs must capture their client’s selfie with liveness detection enabled.


By combining traditional CDD practices with these technical safeguards, the guidelines create an additional layer of security against financial crime, reducing the risk of impersonation or fraud. The guidelines further mandate sanctions screening against applicable domestic and international lists, requiring VDASPs to prevent dealings with designated individuals, entities, or jurisdictions.


Transaction Monitoring, Reporting, and Record Maintenance


VDASPs must conduct ongoing due diligence, continuously scrutinizing transactions based on the client’s dynamic risk profile. This requires establishing advanced transaction monitoring systems that can identify the origin and destination of virtual digital assets. These systems must detect patterns indicative of money laundering, terrorist financing, or proliferation financing. They should be capable of generating alerts based on predefined red flag indicators and must ensure secure storage of transaction data, with role-based access control and reliable data backup and recovery.


Where a transaction is flagged by the system, alerts must be generated and reviewed by the Principal Officer. If the transaction is identified as suspicious, the guidelines mandate the timely filing of Suspicious Transaction Reports (STRs) with FIU-IND for both completed and attempted transactions, irrespective of the transaction amount. STRs must be filed only after a comprehensive investigation, ensuring that every data point available is analyzed to validate the suspicion.


In addition, the VDASP guidelines impose comprehensive record-keeping obligations, treating virtual digital asset activity at par with traditional financial transactions for AML/CFT/CPF purposes. VDASPs are required to maintain detailed records of all transactions, including client identification information, information relating to the nature, value, date, and parties to the transaction. This must be done in a manner that enables reconstruction of individual transactions when required by competent authorities. Complete audit trails, including verification responses, timestamps, and authentication logs, must be preserved in a tamper-proof manner. Such records must be preserved for the period prescribed under the PMLR and made available to the FIU-IND upon request.


In 2026, robust transaction monitoring and alerting systems are not merely regulatory checkpoints but a strategic imperative for any serious participant in the virtual asset ecosystem. These systems enhance operational resilience against increasingly sophisticated threats. The timely filing of STRs and record-keeping are equally critical, as they strengthen India’s continued fight against money laundering, terrorist financing, and proliferation financing. The implementation of these measures enables law enforcement authorities to investigate potential crime, reconstruct past transactions with precision, trace illicit funds, and effectively prosecute perpetrators, thus strengthening the nation’s financial security and sovereignty. Beyond compliance, these measures are prerequisites for transparency and accountability, sending a clear signal of a healthy, compliant business to clients and investors.


Travel Rule and Other Anti-anonymity Measures


The VDASP guidelines incorporate the “travel rule,” as articulated in international AML standards, and apply it to virtual asset transfers. VDASPs are required to ensure that specified originator and beneficiary information accompanies virtual digital asset transfers. This enables traceability and effective law enforcement access. VDASPs must deploy technological solutions to obtain, hold, and transmit such information or use a self-declaration mechanism where such deployment is not feasible.


Furthermore, the guidelines prohibit deposits or withdrawals of virtual assets designed to enhance anonymity or obscure the origin, ownership, or transaction details. Untraceable privacy-focused tokens like Monero or Zcash may be impacted by this prohibition. Crypto tumblers, mixers, and other anonymity-enhancing tools and protocols are also prohibited. Such steps effectively remove any anonymity in virtual asset transfers that may be exploited by criminals, leading to enhanced traceability, reduced systemic risk, and further alignment with global standards.


The guidelines also mention that initial coin offerings (ICOs) and initial token offerings (ITOs) “are strongly discouraged” due to their purported heightened risks and potential for misuse. Given that there is no clear regulatory framework governing ICOs and ITOs and setting out investor safeguards, and given concerns regarding the lack of supervisory oversight, this stance may be justifiable for the present.


Enforcement Powers, Penalties, and Legal Consequences of Non-Compliance


AML oversight, while restrictive in the short term, is often viewed as a prerequisite for long-term market legitimacy. The VDASP guidelines derive their enforceability from the statutory architecture of the PMLA, thereby exposing non-compliant VDASPs to coercive regulatory and penal consequences. As reporting entities, VDASPs fall within the supervisory jurisdiction of the FIU-IND. This agency is empowered to call for information, conduct compliance reviews, and initiate proceedings for failure to adhere to registration, reporting, record-keeping, or due diligence obligations. Violations may attract monetary penalties, directions for remedial action, and in aggravated cases, further proceedings under the PMLA framework, including potential attachment and prosecution where proceeds of crime are involved.


Conclusion


While the VDASP guidelines establish a clear legal framework, their implementation may pose operational and structural challenges for virtual asset businesses operating in India. Smaller and emerging VDASPs may face disproportionate compliance burdens in implementing sophisticated KYC systems, transaction monitoring tools, "travel rule" solutions, and continuous sanctions screening mechanisms. All of these require substantial financial and technological resources, as well as a level of organizational maturity that many technology-driven startups have not historically prioritized.


As a result, the guidelines are likely to accelerate industry consolidation, favoring well-capitalized and compliance-ready entities while marginalizing new entrants. From a regulatory design perspective, this outcome reflects a conscious policy choice to privilege financial integrity and systemic trust over rapid market expansion. This will reshape the Indian VDASP ecosystem into one that more closely resembles the regulated financial services sector.


The guidelines are likely to compel VDASPs to redesign onboarding workflows, restrict anonymity-enhancing features, and recalibrate cross-border transfer models. While these measures may initially slow innovation and increase compliance costs, they also lay the groundwork for institutional trust and sustainable market participation. From a policy perspective, the Indian approach aligns with the broader regulatory trajectory advocated by multilateral institutions, including the IMF and OECD. It may also serve as a stabilizing force for compliant market participants.




© 2025 DRN Legal. All rights reserved. 
