FIU-IND Tightens Crypto Rules, Mandates Cybersecurity Audits

The Monetary Intelligence Unit of India (FIU-IND) has issued up to date tips for crypto and digital digital asset (VDA) firms, tightening compliance norms round governance, cybersecurity, and transaction monitoring.

The guidelines apply to crypto exchanges and VDA service suppliers registering or working in India. The transfer comes as FIU continues to widen its oversight over crypto platforms.

Principal officer position spelt out

A key a part of the replace focuses on the Principal Officer (PO).

FIU-IND has clearly outlined the position, duty, and reporting construction of the PO. The officer will probably be answerable for anti-money laundering, countering the financing of terrorism, and counter-proliferation financing obligations.

The PO should report on to the board of administrators or a board-level committee. The rules additionally state that the board should assessment the PO’s appointment yearly.

For a lot of exchanges, this places formal construction round a task that earlier existed largely on paper.

Cybersecurity audit is now obligatory

The up to date tips additionally make cybersecurity audits obligatory.

Crypto corporations will now need to submit a Cyber Safety Audit Certificates issued by an auditor empanelled with CERT-In. The audit should affirm compliance with CERT-In instructions and relevant cybersecurity requirements.

“The audit shall be complete and proportionate in protection throughout all crucial threat domains, and the audit report shall certify whether or not the audited atmosphere is satisfactorily secure to host and function the notified VDA actions,” the rules mentioned.

The audit will cowl governance controls, entry administration, infrastructure and community safety, software safety for KYC and transaction monitoring programs, pockets safety, cryptographic controls, backup and restoration, and third-party dangers involving cloud companies and APIs.

Incident response functionality and readiness to report back to CERT-In may also be reviewed.

Journey rule and unhosted pockets transactions

FIU-IND has additionally clarified how crypto corporations should implement journey rule necessities.

VDA service suppliers should accumulate and preserve detailed originator and beneficiary info for every transaction. The information should be verified and transmitted earlier than or throughout a switch.

The rules additionally require exchanges to hold out due diligence and sanction screening on counterparties.

A notable addition is the therapy of unhosted wallets. Reporting entities should accumulate info on transactions involving unhosted wallets, assess the danger, and apply enhanced due diligence measures the place wanted. This is applicable to peer-to-peer transfers that cross by way of an change as nicely.

Business response

Business gamers say the rules largely formalize present expectations.

“This isn’t only a compliance replace; it’s a strategic sign that India is able to lead within the digital asset house by way of a balanced method of innovation and monetary stability…From an investor standpoint, this oversight transforms VDA platforms into accountability-driven entities,” mentioned Sumit Gupta, Co-founder, CoinDCX.

“These guidelines have been at all times round as greatest enterprise practices to comply with, however now FIU has put this in pen and paper,” mentioned Vikram Subburaj, Co-founder and CEO, Giottus.

Subburaj mentioned the rules clearly clarify the tasks of roles just like the Principal Officer and supply operational readability on how journey rule information should be collected and processed.

A part of a broader enforcement push

The up to date tips come days after FIU-IND brought 49 crypto exchanges underneath its oversight, increasing compliance necessities to a wider set of platforms, together with offshore exchanges serving Indian customers.

This has elevated strain on exchanges to align absolutely with Indian AML and reporting norms.

On the identical time, the business is watching the Union Budget 2026 intently. There may be rising expectation that readability on taxation and compliance may assist convey crypto buying and selling exercise again to India, after volumes shifted offshore over the previous few years.

What customers are nonetheless asking

Many customers are nonetheless unclear about how these modifications have an effect on them.

Unhosted wallets and peer-to-peer transfers are usually not banned. Nonetheless, customers might even see further verification, information assortment, or delays for sure transactions, particularly when exchanges flag increased threat.

One other concern is whether or not smaller exchanges can take up the price of audits and compliance. Over time, the tighter guidelines may result in fewer however extra regulated platforms working in India.

For now, FIU-IND’s message is straightforward: crypto companies can function, however solely underneath strict monitoring and reporting requirements.

Additionally Learn: India’s IT Dept. Flags Crypto Risks, Users Face Higher Scrutiny