
Building the FIU-IND Compliance Programme: A Designated Director’s Playbook


The FIU-IND compliance programme is the documentary and operational architecture that sits between a reporting entity’s day-to-day business and its Designated Director’s personal-liability perimeter under Section 70 of the Prevention of Money Laundering Act, 2002. Exposure crystallises wherever the programme fails — an unfiled STR, an unidentified beneficial owner, a record gap inside the five-year window prescribed by Section 12(3). This playbook walks the Designated Director through the architecture the way it should be built: Section 12 obligations cross-referenced to the PML (Maintenance of Records) Rules, 2005; the governance layer that separates the Designated Director from the Principal Officer; the eight core policy documents; the risk-based approach; customer due diligence and beneficial ownership identification; transaction monitoring; the five reporting types that flow to FIU-IND; the recordkeeping discipline; the training and audit calendars; and board-level reporting. The piece is written as an operational manual rather than as legal analysis.

Key Takeaways

  • Section 12 of PMLA imposes five obligations on reporting entities — transaction records, FIU reporting, identity verification, beneficial owner identification, and identity-record retention — each operationalized by the PML (Maintenance of Records) Rules, 2005.
  • The Designated Director (board-level) is structurally distinct from the Principal Officer (operational); the Designated Director carries personal exposure under Section 70 of PMLA where a contravention is attributable to consent, connivance, or neglect.
  • The compliance programme rests on eight policy documents, all board-approved, each with prescribed refresh cadence and clear ownership.
  • The customer due diligence framework requires beneficial owner identification at the 25% threshold for companies (lower for trusts and partnerships), PEP and sanctions screening at onboarding and on an ongoing basis, and enhanced DD for high-risk customers.
  • Five report types flow to FIU-IND through its electronic platform — STR, CTR, NTR, CCR, and CBWTR — each with specific triggers, thresholds, formats, and timelines.
  • Records must be maintained for five years from the date of transaction or from the end of the business relationship, under strict confidentiality and the Section 12(2) tipping-off prohibition.

The Statutory Architecture: Section 12 of PMLA and the 2005 Rules

Section 12(1) of the Prevention of Money Laundering Act, 2002, imposes five substantive obligations on every entity that meets the definition of “reporting entity” under Section 2(wa). The reporting entity must (i) maintain records of all transactions of a nature and value prescribed under the rules; (ii) furnish to the Director of FIU-IND, within the prescribed time, information relating to such transactions; (iii) verify the identity of its clients in the prescribed manner; (iv) identify the beneficial owner where the client is not a natural person; and (v) maintain records of the identity and beneficial ownership of clients for the prescribed period. Section 12(2) layers a confidentiality and “tipping-off” prohibition over the reporting obligation: the reporting entity, its officers, and its employees must not disclose to any person — including the client — that information has been or will be furnished to FIU-IND. Section 12(3) prescribes the retention period of five years — measured from the date of the transaction for transaction records, and from the end of the business relationship for identity and beneficial-ownership records.

The PML (Maintenance of Records) Rules, 2005, operationalize each Section 12 obligation through prescribed procedures. Rule 3 specifies the categories of transactions that must be recorded. Rule 6 prescribes the procedure and manner of maintaining information. Rule 7 prescribes the procedure and manner of furnishing information to FIU-IND — the format of each report type, the channel of submission, and the timelines. Rule 8 prescribes the procedure for verification of client identity. Rule 9 contains the operational core of the customer due diligence framework, including the beneficial ownership identification thresholds, the documentation required at onboarding, and the ongoing CDD obligations. Beyond the parent statute and rules, the Designated Director must track FIU-IND’s master directions, advisories, and circulars, which clarify operational expectations and respond to emerging typologies. The compliance programme is a living architecture that must be reviewed annually against the current state of the rules and FIU guidance.

Figure 1 — Section 12 Obligations Mapped to the PML Rules
S.12(1)(a) — Transaction records → Rule 3
S.12(1)(b) — Furnish to FIU-IND → Rules 7 & 8
S.12(1)(c) — Verify client identity → Rule 9
S.12(1)(d) — Identify beneficial owner → Rule 9(13)
S.12(1)(e) — Maintain identity records → Rule 6
S.12(2) — Tipping-off prohibition
S.12(3) — Five-year retention from date of transaction (transaction records) and from end of business relationship (identity records)

The Governance Layer: Designated Director, Principal Officer, Board

The PML Rules require every reporting entity to appoint both a Designated Director and a Principal Officer, and the two roles are deliberately distinct. The Designated Director sits at the board level — typically the Managing Director, Chief Executive Officer, or a Whole-Time Director. The role is fiduciary in character. The Designated Director is accountable to the board for the integrity of the compliance programme as a whole, not merely for its discrete operational outputs. The Principal Officer sits at the operational level and is the day-to-day owner of STR determination, FIU liaison, internal escalation, and operational compliance. In most reporting entities, the Principal Officer reports to the Designated Director through the compliance function and indirectly to the board through the AML/CFT compliance update.

Board oversight is the third pillar of the governance layer, and it is what FIU-IND inspections actively look for. Best practice is a board-level AML/CFT compliance committee, or a designated risk committee with explicit AML/CFT scope, receiving a quarterly compliance dashboard that covers report-filing volumes, alert disposition statistics, audit findings, training completion, and any enforcement correspondence. Annual deliverables to the full board should include the enterprise-wide risk assessment, the Designated Director’s compliance affirmation, and the independent audit report. Segregation between business functions and compliance functions is structural. The Principal Officer cannot also have a revenue or sales remit. The Designated Director, while business-side at the level of overall corporate role, must approach AML/CFT compliance through an independent lens informed by the compliance function rather than by business pressure to onboard or retain a particular customer.

The Policy Stack: Eight Core Documents

The compliance programme rests on eight policy documents. Each must be board-approved, each has a prescribed refresh cadence, and each has a single accountable owner.

  • AML/CFT Policy. The master document. States the entity’s commitment to AML/CFT compliance, defines the regulatory perimeter, names the Designated Director and Principal Officer, sets the policy review cadence (annual minimum), and references the eight subordinate policies. Board-approved; reviewed annually.
  • KYC and Customer Due Diligence Policy. Onboarding requirements, documentation matrix, beneficial owner identification methodology, PEP and sanctions screening, ongoing CDD triggers, enhanced DD for high-risk customers, re-KYC cadence.
  • Risk-Based Approach Framework. The enterprise-wide risk assessment methodology, customer risk-classification grid (high / medium / low), product / geographic / channel risk axes, and the annual risk-assessment cycle.
  • PEP and Sanctions Screening Policy. Sources (UN Consolidated List, MHA-published lists, other applicable sanctions regimes), screening cadence (onboarding plus ongoing), match-handling procedure, freeze obligations, and reporting to FIU-IND and the appropriate authority.
  • Transaction Monitoring and Reporting Procedure. Rule-based and pattern-based monitoring scenarios, alert-disposition workflow, escalation to the Principal Officer, STR determination methodology, and the five FIU report types with their internal triggers.
  • Recordkeeping Policy. The five-year retention discipline, storage format, accessibility, confidentiality safeguards, and auditor-access protocols.
  • Training Policy. Onboarding modules for new joiners, annual refresher cadence, role-specific training (front-office, compliance, board), training records, and assessment requirements.
  • Whistleblower and Internal Escalation Mechanism. Confidential reporting channels, non-retaliation commitments, investigation protocols, and the interface with the Principal Officer’s STR-determination process.

Risk-Based Approach: The Enterprise Risk Assessment

The risk-based approach is the operating principle that determines where compliance resources are deployed. The enterprise-wide risk assessment (EWRA) is its formal expression — an annual document that maps the reporting entity’s risk exposure across four axes: customer risk, product / service risk, geographic risk, and delivery-channel risk. Customer risk classification produces a high / medium / low grid that drives the level of due diligence, the monitoring intensity, and the frequency of re-KYC. The EWRA is not an academic document; it is the foundation on which the rest of the compliance programme stands, and FIU-IND inspectors will ask to see it. The Designated Director should ensure the EWRA is updated annually, board-noted, and signed off by the Principal Officer with input from the business heads.

Customer Due Diligence: Onboarding, Ongoing, Enhanced

Customer due diligence operates in three modes. Onboarding CDD captures identity verification through one of the prescribed routes — Aadhaar-based authentication, DigiLocker, video customer identification (V-CIP), or physical KYC — together with beneficial owner identification, PEP and sanctions screening, and an initial customer risk rating. Beneficial owner identification follows the 25% controlling-interest threshold for companies, with lower thresholds applicable to trusts (15%) and partnerships (15%), as prescribed under Rule 9(13) of the PML Rules. Where no natural person can be identified by the controlling-interest threshold, the senior managing official is to be identified as the beneficial owner.

Ongoing CDD picks up after onboarding. It includes periodic re-KYC at intervals determined by customer risk classification (typically 24 / 60 / 120 months for high / medium / low risk), transaction-pattern monitoring against the customer’s expected activity profile, beneficial-ownership refresh on material corporate changes, and event-driven re-KYC where the customer’s risk indicators shift. Enhanced due diligence (EDD) applies to high-risk customers including PEPs, customers from higher-risk jurisdictions, customers with complex ownership structures, and customers whose transaction activity exceeds normal patterns. EDD typically involves senior management approval for the relationship, additional documentation, source-of-funds and source-of-wealth declarations, and more intensive ongoing monitoring.
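As an added worked example (not code from the article or from Candour Legal), the beneficial-owner threshold logic and the risk-based re-KYC schedule described above, in Python. The ownership register and names are constructed; multiplying holding percentages down through intermediate entities (look-through) is the example's own assumption, and the thresholds and intervals are the figures stated above, kept in one table because they are amended from time to time.

```python
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import date

# Controlling-interest thresholds as the text states them: more than 25% for
# companies, 15% for trusts and partnerships.  Held in one table because the
# prescribed percentages are amended from time to time.
BO_THRESHOLD_PCT = {"company": 25.0, "trust": 15.0, "partnership": 15.0}

# Periodic re-KYC intervals in months by risk rating, as the text states them.
REKYC_MONTHS = {"high": 24, "medium": 60, "low": 120}


@dataclass
class Entity:
    name: str
    kind: str                                    # "natural", "company", "trust", "partnership"
    holders: dict = field(default_factory=dict)  # holder name -> % of this entity held
    senior_managing_official: str = ""           # fallback if no one crosses the threshold


def effective_interests(client, registry):
    """Natural person -> effective % interest in the client, looking through
    intermediate juridical persons.  Multiplying percentages down each holding
    chain (and assuming no circular holdings) is this example's assumption; the
    text states only the thresholds."""
    result = {}

    def walk(entity_name, scale):
        for holder, pct in registry[entity_name].holders.items():
            share = scale * pct / 100.0
            if registry[holder].kind == "natural":
                result[holder] = round(result.get(holder, 0.0) + share * 100.0, 6)
            else:
                walk(holder, share)

    walk(client, 1.0)
    return result


def identify_beneficial_owners(client, registry):
    """Apply the threshold for the client's entity type; where no natural person
    crosses it, the senior managing official is recorded as beneficial owner."""
    ent = registry[client]
    if ent.kind == "natural":
        return [client]
    threshold = BO_THRESHOLD_PCT[ent.kind]
    owners = sorted(p for p, pct in effective_interests(client, registry).items()
                    if pct > threshold)
    if owners:
        return owners
    if not ent.senior_managing_official:
        raise ValueError(f"{client}: no beneficial owner identifiable and no SMO on file")
    return [ent.senior_managing_official]


def next_rekyc_due(last_kyc_iso, risk):
    """Next periodic re-KYC date (ISO string) for the risk rating; clamps to the
    last day of the month so a 29 February start does not yield an invalid date."""
    last = date.fromisoformat(last_kyc_iso)
    years, month0 = divmod(last.month - 1 + REKYC_MONTHS[risk], 12)
    year = last.year + years
    return date(year, month0 + 1, min(last.day, monthrange(year, month0 + 1)[1])).isoformat()


# Constructed ownership register for illustration; the names are not real entities.
NATURALS = ("Asha", "Bharat", "Chirag", "Dev", "Esha")
REGISTRY = {n: Entity(n, "natural") for n in NATURALS}
REGISTRY["HoldCo"] = Entity("HoldCo", "company", {"Asha": 60, "Bharat": 40})
REGISTRY["ClientCo"] = Entity("ClientCo", "company", {"HoldCo": 50, "Chirag": 30, "Dev": 20}, "Dev")
REGISTRY["DispersedCo"] = Entity("DispersedCo", "company", {n: 20 for n in NATURALS}, "Esha")
REGISTRY["FamilyTrust"] = Entity("FamilyTrust", "trust", {"Bharat": 12, "Chirag": 16, "Dev": 72})
```

Note that Chirag's 16% is below the company threshold in ClientCo's register but above the trust threshold in FamilyTrust, which is why the entity type drives the test.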

Transaction Monitoring: Rules, Patterns, Case Management

Transaction monitoring is the operational engine of the compliance programme. Rule-based scenarios catch defined thresholds and patterns — large cash transactions, structured transactions just under the reporting threshold, rapid in-and-out movements, transactions involving high-risk jurisdictions, and transactions inconsistent with the customer’s profile. Pattern-based monitoring, increasingly supported by machine-learning systems at larger reporting entities, identifies anomalies that do not fit any rule but deviate from the customer’s expected behaviour. Every alert moves into a case-management workflow: an initial disposition by the operations team, escalation to the Principal Officer where the alert is not closed at the first level, and ultimately a determination of whether an STR is to be filed. The Principal Officer’s STR-determination process must be documented, defensible, and timely. Filing an STR is not optional once the Principal Officer concludes a suspicion exists.

The Reporting Mechanics

Five report types flow from the reporting entity to FIU-IND through its electronic reporting platform. Each has a specific trigger, threshold, format, and timeline, and each is filed by the Principal Officer under the Designated Director’s overall accountability.

Figure 2 — The FIU-IND Reporting Taxonomy
STR — Suspicious Transaction Report. Filed when the Principal Officer determines that a transaction (or a series of transactions) gives rise to reasonable grounds to suspect money laundering or terror financing. Filed within the prescribed timeline, measured from the internal determination of suspicion.
CTR — Cash Transaction Report. Filed for all cash transactions of the value of more than ten lakh rupees (or its equivalent in foreign currency), or a series of integrally connected cash transactions of that value within a calendar month.
NTR — NPO Transaction Report. Filed for receipts by non-profit organisations of value exceeding the prescribed threshold within a calendar month.
CCR — Counterfeit Currency Report. Filed for all transactions involving the use of counterfeit currency notes or counterfeit securities.
CBWTR — Cross-Border Wire Transfer Report. Filed for all cross-border wire transfers above the prescribed threshold where either the origin or destination is in India.

Note. Thresholds and timelines for each report type are prescribed under the PML Rules and are subject to amendment. The reporting entity’s procedure document should incorporate the current numbers and be refreshed annually.
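An added example, not part of the article, showing two of the rule-based monitoring scenarios from the transaction-monitoring section as code: the CTR trigger described in Figure 2 (a single cash transaction of more than ten lakh rupees, or an integrally connected series exceeding it within a calendar month) and a near-threshold repeat pattern routed to the Principal Officer. The ledger is constructed; treating all of one customer's cash transactions in a calendar month as integrally connected, and the 10% band with a three-transaction count, are the example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# CTR threshold as the text states it: cash transactions of more than ten lakh
# rupees, singly or as an integrally connected series within a calendar month.
CTR_THRESHOLD_INR = 10_00_000


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer_id: str
    when: date
    amount_inr: int          # cash deposit or withdrawal, in whole rupees


def month_key(t):
    return (t.customer_id, t.when.year, t.when.month)


def ctr_triggers(txns):
    """Map (customer_id, year, month) -> (reason, month_total, txn_ids) for every
    customer-month that crosses the CTR trigger.  Treating all cash transactions
    of one customer within a calendar month as 'integrally connected' is this
    example's simplifying assumption; the Rules leave that judgment to the
    reporting entity, so a production engine adds its own connection criteria."""
    by_month = defaultdict(list)
    for t in txns:
        by_month[month_key(t)].append(t)
    triggered = {}
    for key, group in by_month.items():
        total = sum(t.amount_inr for t in group)
        ids = sorted(t.txn_id for t in group)
        if any(t.amount_inr > CTR_THRESHOLD_INR for t in group):
            triggered[key] = ("single transaction above threshold", total, ids)
        elif total > CTR_THRESHOLD_INR:
            triggered[key] = ("integrally connected series above threshold", total, ids)
        # exactly ten lakh is not "more than" ten lakh: no CTR on that ground
    return triggered


def near_threshold_pattern(txns, band=0.10, min_count=3):
    """Rule-based scenario from the monitoring section: customer-months with at
    least min_count cash transactions each within `band` below the CTR threshold.
    Output goes to the Principal Officer for STR consideration, not to an automatic
    filing.  The band and count are this example's own parameters."""
    lower = CTR_THRESHOLD_INR * (1 - band)
    counts = defaultdict(int)
    for t in txns:
        if lower <= t.amount_inr <= CTR_THRESHOLD_INR:
            counts[month_key(t)] += 1
    return sorted(k for k, n in counts.items() if n >= min_count)


# Constructed sample ledger; customers and transactions are not real.
SAMPLE_TXNS = [
    CashTxn("T1", "C1", date(2025, 1, 5), 4_00_000),
    CashTxn("T2", "C1", date(2025, 1, 20), 3_50_000),
    CashTxn("T3", "C1", date(2025, 1, 28), 3_00_000),   # January series sums to 10,50,000
    CashTxn("T4", "C2", date(2025, 1, 10), 12_00_000),  # single large cash deposit
    CashTxn("T5", "C3", date(2025, 1, 31), 6_00_000),   # adjacent months: a calendar-month
    CashTxn("T6", "C3", date(2025, 2, 1), 6_00_000),    # key does not aggregate these two
    CashTxn("T7", "C4", date(2025, 1, 15), 10_00_000),  # exactly at the threshold
    CashTxn("T8", "C5", date(2025, 1, 3), 9_60_000),
    CashTxn("T9", "C5", date(2025, 1, 8), 9_60_000),
    CashTxn("T10", "C5", date(2025, 1, 12), 9_60_000),  # repeated near-threshold cash
]

if __name__ == "__main__":
    for (cust, y, m), (reason, total, ids) in sorted(ctr_triggers(SAMPLE_TXNS).items()):
        print(f"{cust} {y}-{m:02d}: {reason}, INR {total:,} {ids}")
    print("escalate:", near_threshold_pattern(SAMPLE_TXNS))
```

The C3 rows show the gap a calendar-month key leaves at the month boundary, which is one reason the procedure document should define its own "integrally connected" criteria rather than rely on the month grouping alone.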

Recordkeeping: The Five-Year Discipline

Section 12(3) of PMLA, read with Rule 6 of the PML Rules, requires that transaction records be maintained for five years from the date of the transaction, and that identity and beneficial-ownership records be maintained for five years from the end of the business relationship. The records must be in a form that allows reconstruction of individual transactions, must be accessible to authorised personnel and to FIU-IND or other regulators on request, and must be held under strict confidentiality. The five-year discipline is operationally demanding: a high-volume reporting entity will accumulate millions of transaction records and tens of thousands of identity files within any one-year period, and the systems and processes for retention, retrieval, and confidentiality must scale accordingly. Common failures inspected by FIU-IND include partial records, records held in non-readable legacy formats, records inaccessible to compliance personnel, and records that have been deleted before the retention period elapsed.

Training: The Annual Calendar

Training is the most under-invested element of the typical compliance programme and the easiest place for an inspector to score findings against the reporting entity. The training calendar should cover three audiences:

  • New-joiner training, completed within thirty days of onboarding for any employee whose role touches customer interaction, transaction handling, or compliance.
  • Annual refreshers for all relevant staff, with the content updated for the previous year’s regulatory developments and the entity’s own incident learnings.
  • Role-specific deep-dive training for front-office staff (focused on red-flag recognition and customer interaction), compliance staff (focused on STR determination, alert disposition, and reporting mechanics), and the board (focused on governance, risk appetite, and enforcement trends).

Training completion must be documented, attested, and reportable to the Designated Director and the board.

Independent Audit and Board Reporting

The Designated Director must commission an independent audit of the compliance programme on at least an annual basis. Independent here means independent of the compliance function being audited — an internal audit team that is structurally separate from the AML/CFT compliance function, or an external audit firm engaged for the purpose. The audit scope should cover the policy framework, the risk assessment, customer due diligence quality, transaction monitoring effectiveness, STR determination quality, recordkeeping integrity, and training completion. Audit findings are reported to the AML/CFT compliance committee and to the board, with remediation tracked through closure.

Board reporting follows a structured cadence. Quarterly: a compliance dashboard covering filing volumes, alert and case statistics, training completion, and any open enforcement correspondence. Half-yearly or annually: the enterprise-wide risk assessment update, the Designated Director’s compliance affirmation, the independent audit report and management response, and a forward-looking risk-and-resource statement for the next period. The board’s role is not to operate the compliance programme but to confirm that it exists, that it is being run with integrity, and that the Designated Director has the authority and resources to discharge the role properly.

Sectoral Overlays

The compliance programme architecture is the same across reporting-entity categories, but the operational overlays differ. Banks and NBFCs layer the RBI’s master directions on KYC and AML/CFT on top of the PMLA framework. Stockbrokers and depository participants apply SEBI’s intermediary AML circulars in parallel with PMLA. Virtual digital asset service providers, designated as reporting entities by the March 2023 notification under Section 2(sa) of PMLA, deal with FIU-IND directly and face additional sector-specific compliance through FIU’s advisories. Real estate agents (designated in 2022) and dealers in precious metals and stones (designated in 2020) face sectoral overlays tailored to their transaction patterns. Chartered Accountants, Company Secretaries, and Cost Accountants in practice (designated in 2023) face the privilege-and-confidentiality interface that the professional inclusion has created. In each case, the Designated Director must integrate the sectoral overlay with the core PMLA framework rather than treat them as parallel regimes.

Looking Ahead

The compliance perimeter under PMLA continues to expand. Recent inclusions have brought professional services, real estate, jewellery, and virtual assets within the reporting framework, and the trajectory of FATF mutual evaluation findings suggests further sectoral additions over the next two to three years. FIU-IND’s electronic reporting platform is migrating toward newer infrastructure that will demand more granular data inputs from reporting entities, including structured beneficial-ownership data and standardised customer risk classifications. The enforcement trend is unmistakable: 2024 and 2025 saw a marked increase in penalty orders against reporting entities for compliance failures, with the Binance and Bybit orders signalling that FIU-IND will pursue offshore entities providing services into India. For Designated Directors, the operational posture for the next regulatory cycle should be: a sturdier compliance programme, sharper documentation, an EWRA that genuinely informs resource allocation, and a defensible audit trail. The Designated Director’s protection under Section 70 rests not on the absence of compliance incidents but on the demonstrable integrity of the compliance programme that surrounded them.

Frequently Asked Questions

Who can be appointed as a Designated Director under the PML Rules?
The Designated Director must be a person designated by the reporting entity to ensure overall compliance with the obligations imposed under Chapter IV of PMLA. In banks and NBFCs, the Designated Director is typically the Managing Director, Chief Executive Officer, or a Whole-Time Director. The role sits at the board level and is structurally distinct from the operational Principal Officer role.

What is the personal liability exposure of the Designated Director?
Under Section 70 of PMLA, where an offence under the Act is committed by a company, every person who at the time the offence was committed was in charge of, and was responsible to, the company for the conduct of its business shall be deemed guilty of the offence. The Designated Director’s exposure is real and direct, particularly where the contravention is attributable to consent, connivance, or neglect. A robust compliance programme is the Designated Director’s primary defence.

Can the same person serve as both Designated Director and Principal Officer?
The PML Rules contemplate two structurally distinct roles — one board-level and fiduciary, the other operational and day-to-day. While the Rules do not categorically prohibit the same person from holding both designations, best practice in mid-sized and larger reporting entities is to separate the roles. In very small reporting entities, combined holding may be operationally necessary but it weakens the governance segregation that inspectors look for.

What is the timeline for filing a Suspicious Transaction Report?
The STR is to be filed within the timeline prescribed under the PML Rules, measured from the Principal Officer’s internal determination of suspicion. The reporting entity’s procedure document should incorporate the current prescribed timeline and the internal escalation path that ensures the timeline is met. Late filing or non-filing is a category-one inspection finding.

What is the difference between the enterprise-wide risk assessment and customer risk classification?
The enterprise-wide risk assessment is a programme-level document that maps the reporting entity’s risk exposure across customer, product, geographic, and channel axes. Customer risk classification is a customer-level grid (high / medium / low) that drives the depth of due diligence, the monitoring intensity, and the re-KYC frequency for each individual customer relationship. The EWRA informs the methodology by which customers are classified; the classification operationalises the EWRA at the customer level.

How often should the compliance programme be refreshed?
The AML/CFT Policy and the eight subordinate policies should be reviewed at least annually, with interim updates triggered by regulatory amendments, significant incidents, or material business changes. The enterprise-wide risk assessment is annual. Training is annual at minimum, with role-specific updates as required. Customer risk classification is event-driven plus periodic. The independent audit is annual at minimum, with FIU-IND inspections and enforcement correspondence triggering additional remediation as needed.


This analysis was prepared by the Candour Legal Team. Candour Legal is a full-service Indian law firm with offices in Ahmedabad, Delhi, and Mumbai, publishing commentary on financial regulation, AML/CFT compliance, and corporate structuring matters at candourlegal.com.
