The FIU-IND registration checklist for VDA service providers
FIU-IND registration is the gate to running a VDA business for Indian users, and it is decided on the AML programme you can demonstrate, not the form you file. This is the readiness list we run with founders before they start on the FINGate portal. Read the explainer first: FIU-IND registration, explained.
Work through it in order. The perimeter decides whether you register at all; the people and the programme decide whether the application survives the meeting; reporting, tax and the ongoing obligations decide whether the registration survives contact with operations.
Confirm you are a VDA service provider under the PMLA
The March 2023 notification designates five activities. If you do one of them for or on behalf of others, in the course of business, you are in.
- Do you exchange virtual digital assets for fiat currency, or one VDA for another? Both are notified activities under S.O. 1072(E) of 7 March 2023.
- Do you transfer VDAs, or provide safekeeping or administration of VDAs or of instruments enabling control over them? Custody and wallet infrastructure sit here.
- Do you participate in, or provide, financial services related to an issuer's offer and sale of a VDA? Launch and issuance services are inside the perimeter, and 'VDA' takes its meaning from section 2(47A) of the Income-tax Act 1961, the definition the March 2023 notification points to, widened from 1 April 2026 and renumbered by the Income-tax Act 2025.
Understand what this is, and what it is not
An AML registration as a reporting entity under the PMLA. It is not a licence, and India has no crypto licensing regime.
- Registration makes you a reporting entity with AML and CFT obligations. It is not an authorisation to operate, a government endorsement, or an investor-protection mark.
- It is mandatory before you carry on a notified activity: non-registration is treated as a PMLA violation that can draw action under section 13.
- Location does not matter. The obligation is activity-based and applies irrespective of where you are registered, which is why offshore platforms serving Indian users must register too.
Appoint the people, then register with FIU-IND
The application is judged on two named individuals and a working demonstration, not on a form.
- A Principal Officer who is management level, engaged full-time and exclusively with your entity, has at least three years of relevant AML experience, is based in India, and is a different person from the Designated Director.
- A Designated Director who owns overall compliance with Chapter IV of the PMLA, with both appointments communicated to FIU-IND through the FINGate portal.
- The dossier, filed at least 15 days before a mandatory in-person meeting both must attend: corporate structure with significant beneficial ownership, three years of financials, tax and TDS filings, counterparty agreements, a PACT certificate and a CERT-In empanelled cyber-security audit, plus a live demonstration of your KYC, monitoring, blockchain-analytics, Travel Rule and sanctions-screening systems. Registration is formal only when the Director, FIU-IND approves it and assigns your FIU RE-ID.
Build the AML programme that must actually run
FIU-IND approves a running system, not a policy binder.
- KYC that meets the guidelines: PAN verification, geo-location captured at onboarding, penny-drop verification of the client's bank account, and enhanced due diligence for high-risk clients, PEPs and FATF grey-list and black-list jurisdictions.
- KYC refresh on a clock, at least every six months for high-risk clients and annually for everyone else, with records kept five years and able to reconstruct individual transactions.
- Screening with hard edges: India's Travel Rule requires originator and beneficiary information to travel before or with the transfer, never after, and states no monetary threshold for VDA transfers. Privacy coins and mixer flows cannot be facilitated at all.
Reporting: STRs, the monthly report, and no tipping off
The filings that make you a reporting entity, and the ones FIU-IND enforces.
- Suspicious transaction reports filed promptly wherever there are reasonable grounds of suspicion, irrespective of amount, and including attempted transactions.
- A monthly report to FIU-IND with metrics, activity indicators and compliance status, filed whether or not anything looked suspicious.
- No tipping off: the PMLA prohibits telling a client that an STR has been filed or may be filed.
Model the tax alongside
Registration is the AML half. The Income-tax Act runs in parallel and shapes the product economics.
- 30% on income from VDA transfers under section 115BBH, with no deduction other than cost of acquisition, no set-off of VDA losses against other income and no carry-forward.
- 1% TDS on consideration for VDA transfers under section 194S, subject to annual thresholds of Rs 50,000 or Rs 10,000 depending on the payer category, so check who is paying before assuming a trade is caught or exempt.
- The framework moved in 2025 and 2026: the Finance Act 2025 widened the VDA definition and added crypto-asset transaction reporting from 1 April 2026, India's implementation of the OECD reporting framework, the Income-tax Act 2025 renumbers these provisions from the same date, and Budget 2026 kept the 30% rate and the 1% TDS unchanged while adding reported penalties for reporting lapses. Confirm the current section numbers before you file anything.
Keep it alive
Registration is the start of a supervised relationship, and the enforcement history is real.
- Run the ongoing obligations as operations, not paperwork: the monthly report, KYC refresh cycles, five-year records, and the current FIU-IND guidelines, updated 8 January 2026, as the manual.
- Take enforcement seriously: FIU-IND issued show-cause notices to nine offshore exchanges in December 2023 and had their apps and URLs blocked; Binance paid a penalty of Rs 18.82 crore and registered in August 2024, Bybit paid Rs 9.27 crore and registered in February 2025, and notices went to 25 more offshore platforms on 1 October 2025.
- Re-check the perimeter as the product changes: a new feature can add a notified activity, issuance-related services make the provider a reporting entity in its own right and are strongly discouraged by the guidelines, and privacy-coin support is barred.
Register before you operate, and build the programme before you register. FIU-IND approves a working system: named people, KYC that runs, records that reconstruct transactions, reports that actually go out. The offshore exchanges that were blocked and fined were not punished for being crypto businesses; they were running notified activities without registering. The route in is open, and it is cheaper walked early than bought back after a blocking order and a penalty.
Preparing an FIU-IND application?
Send us what you do with VDAs and who your users are, and we will map the notified activities, the people you need and the gaps in the programme, in one call.
Want this as a PDF in your inbox?
Email us and we will send the current version, and the updated one each time the law moves. Or print the page: it is built for paper.
This checklist is general information for founders, not legal or tax advice for your specific business. The PMLA framework, the FIU-IND guidelines and the tax provisions change; confirm every point against current law before relying on it. Whether an activity is notified depends on the facts of your product. Have your setup reviewed before you file.
Prepared by Infinilex Consultancy · infinilex.io · Verified as of 18 July 2026. Printed copies date; check infinilex.io/resources/ for the current version.