After FIU-IND Registration: Ongoing AML Compliance and Enforcement Lessons from Binance and Bybit

VDASP AML compliance begins rather than ends with FIU-IND registration. The 8 January 2026 AML/CFT Guidelines for reporting entities providing services related to virtual digital assets convert the Prevention of Money Laundering Act, 2002 and the Prevention of Money-laundering (Maintenance of Records) Rules, 2005 into detailed operational obligations that apply every day the platform is live. Since January 2024, the FIU-IND has issued penalty orders against multiple VDA service providers — KuCoin in March 2024, Binance in June 2024, Bybit on 31 January 2025 — that together provide a rich body of interpretive material on how the agency understands the obligations of a reporting entity. This third article in the series walks through the ongoing compliance architecture and the enforcement pattern, with particular attention to what the Bybit order (and the penalty aggregation seen in Binance) teach about the cost of non-compliance.

Key Takeaways

• The 8 January 2026 AML/CFT Guidelines are the current operative framework; they translate Chapter IV of the PMLA and Rules 7 and 8 of the PMLR into detailed technology-driven obligations on customer due diligence, transaction monitoring, and reporting.
• India implements the FATF Travel Rule with no de minimis threshold — all VDA transfers must carry originator and beneficiary information, a higher standard than many peer jurisdictions.
• Reporting entities must file Suspicious Transaction Reports, Cash Transaction Reports, and NPO Transaction Reports where applicable; record retention is five years under Section 12 of the PMLA.
• Bybit’s INR 9.27 crore penalty (31 January 2025 order) is the most detailed public record of FIU-IND enforcement reasoning, citing contraventions of Section 12(1) of the PMLA and Rules 2(1)(h), 3(1)(D), 7(2), 7(3), 8(2), and 8(4) of the PMLR.
• Penalty aggregation — fines multiplied across reporting failures and reporting periods — explains why enforcement orders reach crore-rupee figures despite the per-failure cap of INR 1,00,000 in Chapter IV.
• Good-faith engagement, transparency, and early cooperation have reduced penalty levels; opacity and delay have increased them.

The 8 January 2026 AML/CFT Guidelines Framework

The 8 January 2026 Guidelines represent the most comprehensive VDA-specific AML framework India has issued and are considered among the most detailed crypto-compliance regimes globally. They cover governance (board oversight, Designated Director and Principal Officer roles, internal audit), customer due diligence (identity verification, beneficial ownership, risk classification reviewed every six months, ongoing monitoring), transaction monitoring (red-flag typologies, sanctions screening against OFAC, EU, UN, and Indian lists), recordkeeping (five-year retention per Section 12 of the PMLA), reporting (STR, CTR, NPO-TR), the FATF Travel Rule, training, and the infrastructure obligations introduced in 2026 — live-selfie KYC, geo-tagging, penny-drop bank verification, and mandatory delisting of privacy coins and mixer-related tokens.

One meaningful structural feature of the 2026 Guidelines is the requirement that a public summary of the AML/CFT programme be displayed on the reporting entity’s website or app. This level of transparency is unusual for AML regimes globally and reflects a deliberate policy choice: Indian users engaging with VDA platforms should be able to see, at a summary level, that the platform has compliance obligations and describe them. The Guidelines also require reporting entities to update their framework when new products, technologies, or regulatory changes emerge, and to document the rationale for any risk-classification change. Compliance is no longer a policy document on file; it is an auditable, live system.

Customer Due Diligence Beyond One-Time KYC

Customer due diligence under the Indian regime is not a one-time onboarding exercise. At the identity stage, the reporting entity must verify identity and beneficial ownership at the time of establishing an account-based relationship and for transactions equal to or exceeding INR 50,000 or any international transaction. Onboarding must capture IP address, device information, geo-location, and timestamp. KYC is expected to be performed with live-selfie verification under the 2026 Guidelines, not a static document upload.

Beyond onboarding, the reporting entity must conduct ongoing due diligence: screening against sanctions lists, monitoring funding sources and counterparties, and reviewing the customer’s risk classification at least every six months with documented rationale. Enhanced due diligence applies to high-risk customers, politically exposed persons, and counterparties in high-risk jurisdictions. Existing accounts without proper identity records must be regularised or closed after due notice — a particular compliance burden for platforms carrying over user bases from the pre-2023 period. The failure to implement adequate customer due diligence and enhanced due diligence under Rules 8(2) and 8(4) of the PMLR formed part of the Bybit penalty order in January 2025 and is a recurring theme in the FIU-IND’s enforcement findings.

STRs, CTRs, and the Reporting Cadence

Reporting entities must file Suspicious Transaction Reports with FIU-IND whenever they identify a transaction — executed or attempted — that gives rise to a reasonable suspicion of money laundering, terrorism financing, or other proceeds-of-crime activity. STRs are filed through the FINgate portal and must be filed within seven working days of the suspicion forming. Cash Transaction Reports cover cash-based transactions above prescribed thresholds; given that VDA platforms typically do not accept cash, CTR filings are usually limited to specific fact patterns. NPO Transaction Reports cover transactions involving not-for-profit organisations where the reporting entity holds accounts or facilitates transfers.

The FIU-IND Annual Report for FY 2024-25 describes active use of STR data to identify criminal typologies — hawala layers routed through crypto, illegal gambling flows, fraudulent schemes involving spoofed exchange accounts, and the integration of VDA flows into broader money-laundering patterns. A priority STR filed by a registered VDASP, the Report notes, helped law enforcement uncover a crypto-laundering operation involving spoofed exchange accounts and unauthorised transfers. This underscores a point that compliance teams sometimes miss: the STR is not merely a procedural filing to protect the platform from liability; it is intelligence input to an increasingly data-driven enforcement agency.

The FATF Travel Rule: No De Minimis Threshold

India’s implementation of the FATF Recommendation 16 Travel Rule is more demanding than many peer jurisdictions. Under the 8 January 2026 Guidelines, VDA transfers must carry originator and beneficiary information — name, account number or wallet identifier, address or date of birth, and in certain cases the national identifier — with no de minimis threshold. This contrasts with the FATF-recommended threshold of USD/EUR 1,000 that many countries have adopted. In India, a VDA transfer of INR 100 between two users on a registered platform attracts the same Travel Rule obligations as one of INR 100 crore.

Operationally, the Travel Rule has driven a material technology investment by Indian VDASPs. Platforms have adopted inter-exchange messaging protocols — TRISA, OpenVASP, or Sumsub-like integrations — to transmit the required information to counterparty VDASPs at the time of transfer. For transfers to unhosted wallets, the platform must collect the required originator information and make reasonable efforts to verify beneficiary information. Demonstrating operational Travel Rule compliance has become part of the in-person meeting in the registration process, and failure to implement it has been cited in offshore enforcement actions. The zero-threshold choice reflects a policy preference for comprehensive traceability over transactional convenience, consistent with India’s broader approach to financial-integrity regulation.

The Binance Penalty: Aggregation Across Reporting Failures

The INR 18.82 crore penalty against Binance in June 2024 — the largest crypto-related fine imposed in India to date — illustrates the aggregation effect that makes Chapter IV enforcement far more costly than its per-failure cap suggests. Chapter IV of the PMLA provides for a monetary penalty between INR 10,000 and INR 1,00,000 for each contravention. Read alone, the ceiling looks modest. Read in context, where enforcement covers multiple contraventions across reporting periods, the aggregate figure scales rapidly. Binance’s non-compliance spanned the period from the March 2023 PMLA notification through its August 2024 registration — roughly seventeen months of continuous violation across onboarding, due diligence, monitoring, and reporting obligations for a very large user base.

What changed after the penalty is equally instructive. Binance paid the fine, registered with FIU-IND in August 2024, and committed to data sharing with Indian authorities. By March 2026, enforcement actions premised on that shared data had resulted in over 400 Indian traders being placed under tax audit. Registration, in other words, does not insulate users of the platform from retrospective scrutiny — a consequence that Indian users of offshore platforms should consider when choosing where to trade. The Binance experience suggests that late registration is an efficient outcome for the platform compared to continued non-compliance, but not always the gentlest outcome for the platform’s pre-existing user base.

The Bybit Order: A Template for Enforcement Analysis

The Bybit order dated 31 January 2025, imposing a penalty of INR 9.27 crore under Section 13(2)(d) of the PMLA, is the most detailed public record of FIU-IND’s enforcement reasoning in a VDA matter. The order, passed by the Director of FIU-IND, found contraventions of Section 12(1) of the PMLA read with multiple provisions of the PMLR, 2005. The cited rules are instructive because they map the exact obligations a registered VDASP must satisfy: Rule 2(1)(h) (definitions linked to client identity), Rule 3(1)(D) (record-keeping on identity and transactions), Rule 7(2) and 7(3) (FIU-IND’s powers and directions), and Rules 8(2) and 8(4) (customer due diligence and enhanced due diligence).

Bybit had applied for VDASP registration on 26 June 2024, but the application was under review at the time of the penalty order. The FIU-IND’s findings establish that a pending registration application does not pause enforcement for prior non-compliance — the agency can (and did) penalise the entity for violations during the period it was operating without registration, while its application was still being processed. Following the order, Bybit settled the penalty and completed registration in February 2025. For compliance teams, the Bybit order is now the operational reference point for what non-compliance looks like in the FIU-IND’s own language, and for how penalty amounts are constructed. A compliance framework built to satisfy Bybit’s cited rule-numbers is substantially stronger than one built to satisfy generic FATF language.

The Offshore Waves and the Direction of Enforcement

Two waves of enforcement action against offshore platforms illustrate the FIU-IND’s priorities. The December 2023 wave targeted nine exchanges — Binance, Bitfinex, Bitstamp, Bittrex, Gate.io, Huobi, Kraken, KuCoin, and MEXC Global — with show-cause notices under Section 13 of the PMLA. KuCoin became the first offshore entity to register after paying a penalty of approximately INR 34.5 lakh. Binance followed at a much higher penalty level. Bittrex ultimately shut down; several others negotiated registration or withdrew from the Indian market. OKX closed its Indian operations in 2024 citing regulatory hurdles.

The second wave, on 1 October 2025, extended notices to 25 further offshore VDASPs including Paxful, Changelly, Huione, CEX.IO, BTCC, Coinex, Remitano, Bitrue, BitMex, and Probit Global. A further blocking round was issued on 10 March 2026. The penalty ranges have held: INR 34.5 lakh at the lower end (KuCoin) to INR 18.82 crore at the upper (Binance). The FIU-IND Annual Report indicates that good-faith engagement, proactive cooperation, and early transparency have been associated with lower penalty levels; in at least one case, a registered VDASP received only a warning rather than a monetary sanction. For offshore platforms weighing their options, the pattern is clear: register, cooperate, and settle; or be blocked, delisted, and excluded from the Indian market.

Looking Ahead

The trajectory through 2026 and 2027 has three defining features. First, the OECD Crypto-Asset Reporting Framework, which India will implement from 1 April 2027, will require VDASPs to report user transactions and disclosures for cross-border tax information exchange. Combined with the Section 285BAA reporting regime under the Income Tax Act that takes effect from April 2026, Indian tax authorities will have granular data on user-level VDA activity from both domestic and offshore registered platforms. The INR 888.82 crore of undisclosed VDA-related income already identified by tax authorities suggests the enforcement appetite is substantial.

Second, FIU-IND has formalised cooperation with other regulators through memoranda of understanding and is integrating STR analysis into inter-agency investigations. The compliance architecture is becoming an intelligence architecture. Third, the 8 January 2026 Guidelines set a technology-driven floor that is expected to tighten further as the agency refines its expectations. For VDA service providers — whether already registered or planning to register — the operational lesson is consistent: compliance is infrastructure, not documentation; the Principal Officer’s office is a standing function rather than a regulatory filing; and the platform that treats AML/CFT as a live operating discipline is the one that avoids being the subject of the next FIU-IND order. The firms that will outlast the 2026-2028 regulatory cycle are the ones that have built compliance as a durable capability rather than as a registration gate.

Frequently Asked Questions

What are the ongoing AML obligations of a registered VDASP in India?
A registered VDASP must maintain an operational AML/CFT framework under the 8 January 2026 Guidelines covering customer due diligence (including live-selfie KYC, beneficial ownership verification, and six-monthly risk classification review), transaction monitoring with sanctions screening, record retention for five years under Section 12 of the PMLA, FATF Travel Rule compliance for all VDA transfers regardless of size, and filing of Suspicious Transaction Reports, Cash Transaction Reports, and NPO Transaction Reports as applicable. Ongoing updates to Principal Officer and ownership details must be notified via the FINgate portal.

What was the Bybit penalty under the PMLA?
On 31 January 2025, FIU-IND imposed a penalty of INR 9.27 crore on Bybit Fintech Limited under Section 13(2)(d) of the PMLA. The order cited contraventions of Section 12(1) of the PMLA read with Rules 2(1)(h), 3(1)(D), 7(2), 7(3), 8(2), and 8(4) of the Prevention of Money-laundering (Maintenance of Records) Rules, 2005. Bybit had applied for VDASP registration on 26 June 2024, but the pending application did not pause enforcement for prior non-compliance. Bybit settled the penalty and registered in February 2025.

Does India apply a threshold to the FATF Travel Rule for crypto transfers?
No. India’s implementation of the FATF Travel Rule under the 8 January 2026 AML/CFT Guidelines has no de minimis threshold. All VDA transfers, regardless of size, must carry originator and beneficiary information between reporting entities. This is a stricter standard than many peer jurisdictions that have adopted the FATF-recommended threshold of USD/EUR 1,000.

How does FIU-IND calculate penalties under the PMLA?
Under Chapter IV of the PMLA, the monetary penalty for each contravention is between INR 10,000 and INR 1,00,000. The per-failure cap is modest, but FIU-IND aggregates penalties across multiple contraventions and across reporting periods, which is how orders reach crore-rupee totals. Binance paid INR 18.82 crore (June 2024); Bybit paid INR 9.27 crore (January 2025); KuCoin paid approximately INR 34.5 lakh (March 2024). Aggregate penalties imposed in FY 2024-25 on non-compliant platforms totalled INR 2.8 billion.

Can registration with FIU-IND extinguish liability for prior non-compliance?
No. The FIU-IND’s enforcement pattern, reinforced by the Bybit order of 31 January 2025, establishes that registration after a period of non-compliance does not extinguish liability for that earlier period. Enforcement and registration proceed on parallel tracks. A VDASP that registers in 2026 remains exposed to penalty for violations committed between March 2023 and registration, including for inadequate customer due diligence, failure to maintain records under Section 12(1) of the PMLA, and failure to file required reports.

---

This analysis was prepared by the Candour Legal Team. Candour Legal is a full-service Indian law firm with offices in Ahmedabad, Delhi, and Mumbai, publishing commentary on digital assets, financial regulation, and cross-border compliance at candourlegal.com.

Further reading in this series

• Part 1 — FIU-IND Registration for Crypto Businesses: Who Needs It and What It Actually Is
• Part 2 — How to Register with FIU-IND: Documents, Principal Officer, and the 2-6 Week Timeline
• Enhancing Corporate Governance Through ROC Expansion — on the parallel tightening of corporate governance obligations under the MCA framework.