FIU-IND Registration for Crypto Businesses: Who Needs It and What It Actually Is

FIU-IND registration has become the single most important compliance milestone for anyone building or operating a crypto business in India, and yet it is also the most widely misunderstood. Since the Ministry of Finance brought virtual digital asset activity under the Prevention of Money Laundering Act, 2002 through its notification dated 7 March 2023, every entity that exchanges, transfers, safekeeps, or helps issue virtual digital assets for Indian users is classified as a reporting entity and required to register with the Financial Intelligence Unit — India. What the process actually involves, who it covers, and what registration status actually grants are questions where confident answers are rare and careful ones are valuable. This first article in a three-part series sets out the framework; the following two cover the application process and the post-registration compliance and enforcement regime.

Key Takeaways

• FIU-IND registration is a mandatory reporting-entity registration under the PMLA, 2002 — it is not a licence and does not authorise any specific commercial activity.
• The Ministry of Finance notification dated 7 March 2023 (S.O. 1072(E)) classified five categories of virtual digital asset activity as designated business under Section 2(1)(sa)(vi) of the PMLA, making providers reporting entities under Section 2(1)(wa).
• The obligation is activity-based, not location-based: offshore platforms servicing Indian users must register, regardless of where they are incorporated.
• As of the FIU-IND FY 2024-25 Annual Report, 49 VDA service providers have registered — 45 domestic and 4 offshore — with total penalties of INR 2.8 billion imposed during the year on non-compliant entities.
• Non-registration triggers Section 13 PMLA consequences including monetary penalty, directions to comply, and platform blocking through the Ministry of Electronics and Information Technology.
• The FIU-IND updated its AML/CFT Guidelines for VDA reporting entities on 8 January 2026, converting the PMLA obligations into detailed operational requirements.

The March 2023 Notification and How the PMLA Came to Cover Crypto

Before March 2023, virtual digital asset businesses in India sat in a regulatory gap. The Income Tax Act had been amended in 2022 to tax income from VDAs at 30 per cent and impose 1 per cent TDS on transfers, but there was no framework governing the business activities themselves — no registration, no customer due diligence, no suspicious transaction reporting. The turning point came with the Ministry of Finance notification S.O. 1072(E) dated 7 March 2023, issued under Section 2(1)(sa)(vi) of the Prevention of Money Laundering Act, 2002.

The notification designated five categories of virtual digital asset activity as “designated business or profession” under the PMLA. As a consequence, entities carrying on these activities — on behalf of another person, in the course of business — became “reporting entities” under Section 2(1)(wa) of the Act. Three days later, on 10 March 2023, the FIU-IND issued its first set of Anti-Money Laundering and Combating the Financing of Terrorism Guidelines specifically for reporting entities providing services related to virtual digital assets. The detailed registration procedure was first issued through a VDA service provider circular on 17 October 2023, with a second revision notified on 20 January 2025. The most recent overhaul came with updated AML/CFT Guidelines dated 8 January 2026, which remain the operative framework.

What Triggers VDASP Status: The Five Designated Activities

The March 2023 notification defines five categories of activity that, when conducted for or on behalf of another natural or legal person in the course of business, bring the entity into the PMLA’s net. First, exchange between virtual digital assets and fiat currencies — the core business of any centralised exchange that allows INR deposits and withdrawals. Second, exchange between one or more forms of virtual digital assets — crypto-to-crypto swaps, which covers most spot trading interfaces. Third, transfer of virtual digital assets — relevant to wallet providers and custodians who execute transfers on behalf of users.

Fourth, safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets — the custody business, whether retail or institutional, is squarely within the scope. Fifth, participation in and provision of financial services related to an issuer’s offer and sale of a virtual digital asset — this catches intermediaries in token offerings, advisory services tied to new issuances, and certain categories of brokerage. The scope is wider than “crypto exchange” and deliberately so. A non-fungible token marketplace that facilitates purchases, an OTC desk that executes trades, a wallet provider that takes custody, a token broker that intermediates an offering — each of these is a reporting entity in its own right. For founders planning a Web3 business in India, the first compliance question is not “do I need FIU registration” but “which of these five activities am I performing, and on whose behalf”.

Why FIU-IND Registration Is Not a Licence

The most common misconception among founders, and the one most likely to produce downstream regulatory error, is that FIU-IND registration is a “crypto licence” that authorises the business to operate. It is not. The registration recognises the entity as a reporting entity under the PMLA and requires it to comply with the anti-money-laundering obligations under Chapter IV of the Act and the Prevention of Money-laundering (Maintenance of Records) Rules, 2005. It does not authorise any specific business activity, it does not grant permission to issue tokens, it does not substitute for a securities licence where one is required, and it does not insulate the entity from RBI scrutiny on payment or banking matters.

This distinction matters in practice. A registered VDASP that launches a token with the characteristics of a security may still face Securities and Exchange Board of India jurisdiction, which has covered security-like tokens since 1 April 2025. A registered VDASP dealing in fiat flows may still face RBI attention if its banking arrangements are non-standard. A registered VDASP engaging in consumer-facing deposit-like products may attract additional regulatory scrutiny under banking and deposit-taking statutes. Treating FIU-IND registration as the complete answer to “am I compliant” is the single most expensive framing error a founder can make at the outset.

Activity-Based Obligation: Why Offshore Entities Are Covered

The FIU-IND framework applies on an activity basis, not a physical-presence basis. This is the single most consequential design choice in the 2023 regime, and the one that has driven the bulk of enforcement attention. An exchange incorporated in the Seychelles, the Cayman Islands, or Dubai that accepts Indian users, allows INR deposits through any mechanism, or facilitates VDA activity linked to India is a reporting entity and must register. The absence of an Indian office, Indian directors, or Indian banking relationships does not displace the obligation.

The Ministry of Finance statement accompanying the December 2023 enforcement wave made this position explicit: the obligations are activity-based and are not contingent on physical presence of the entity in India. The FIU-IND has operationalised this by issuing compliance show-cause notices to offshore platforms under Section 13 of the PMLA and, in parallel, directing the Ministry of Electronics and Information Technology to block uncooperative platforms’ URLs and delist their mobile applications from the Apple and Google app stores in India. The first wave in December 2023 targeted nine offshore exchanges including Binance, Bitfinex, Bitstamp, Bittrex, Gate.io, Huobi, Kraken, KuCoin, and MEXC Global. A second wave, on 1 October 2025, extended notices to a further 25 offshore VDASPs.

Where the Registered Population Stands Today

Per the FIU-IND Annual Report for the financial year 2024-25, 49 VDA service providers have completed registration — 45 domestic platforms and 4 offshore. KuCoin was the first offshore exchange to register, in March 2024, following a penalty of approximately INR 34.5 lakh. Binance registered in August 2024, after paying a penalty of INR 18.82 crore in June 2024. Coinbase registered proactively in March 2025, without prior enforcement action. Bybit registered in February 2025, after being penalised INR 9.27 crore by an FIU-IND order dated 31 January 2025. Liminal Custody, a Singapore-based institutional custody provider, registered as the first compliant digital asset custody provider for Indian institutions.

Registered domestic platforms include CoinDCX, WazirX, ZebPay, Giottus, CoinSwitch, Mudrex, Bitbns, and several smaller exchanges and NFT marketplaces. The FIU-IND Annual Report also records aggregate penalties of INR 2.8 billion imposed on non-compliant VDA platforms during FY 2024-25, and describes the agency’s growing use of data analysis on suspicious transaction reports filed by VDASPs to identify criminal typologies — hawala flows, illegal gambling, fraudulent schemes linked to spoofed exchange accounts. The supervisory posture has shifted from procedural onboarding to active intelligence-driven enforcement.

What Non-Registration Actually Costs

The statutory consequence of failing to register as a reporting entity flows from Section 13 of the PMLA. On a show-cause basis, the Director of FIU-IND may issue warnings, directions to comply, directions to submit periodic compliance reports, or a monetary penalty. Under Chapter IV of the PMLA, the penalty for each failure is not less than INR 10,000 and may extend to INR 1,00,000. In practice, however, enforcement orders have reached far higher figures because they cover multiple failures across reporting periods — the Binance penalty of INR 18.82 crore and the Bybit penalty of INR 9.27 crore illustrate the aggregation effect.

Beyond monetary penalty, the FIU-IND can request the Ministry of Electronics and Information Technology to block URLs and mobile applications of non-compliant reporting entities. Blocking has real market consequences: app-store delisting, disrupted user access, and the reputational cost of being publicly named as a non-compliant entity. A third consequence, often overlooked, is that registration after enforcement does not extinguish liability for the period of prior non-compliance — a VDASP that registers in 2026 remains exposed to enforcement action for violations during the 2023 to 2025 window. The FIU-IND’s position in this respect has been reinforced in the enforcement orders it has passed, notably against Bybit.

Looking Ahead

Three developments should shape planning through 2026 and 2027. First, the 8 January 2026 AML/CFT Guidelines have introduced new operational requirements — live-selfie verification with liveness detection, geo-tagging of platform sessions, penny-drop bank account validation, and removal of privacy coins and mixer-related listings — which materially raise the compliance floor for all reporting entities and make late entrants’ path to registration longer and more capital-intensive.

Second, India’s adoption of the OECD Crypto-Asset Reporting Framework will take effect from 1 April 2027, requiring VDASPs to report user transactions and corresponding disclosures for cross-border tax information exchange. Offshore entities will bear a disproportionate share of this burden, as India’s tax authorities have already identified approximately INR 888.82 crore in undisclosed VDA-related income. Third, a separate Indian crypto regulation bill has been in the works since mid-2025; if enacted, it may layer a substantive regulatory regime on top of the current AML-only framework. Founders planning new VDA businesses should assume that the compliance envelope will get tighter, not looser, over the next three years. Part Two in this series walks through the actual registration process, documents, and timeline; Part Three addresses the ongoing compliance regime and enforcement lessons from the Binance, Bybit, and offshore-exchange actions.

Frequently Asked Questions

Is FIU-IND registration a crypto licence in India?
No. FIU-IND registration is a reporting-entity registration under the Prevention of Money Laundering Act, 2002. It brings the entity within the AML/CFT framework and triggers record-keeping and reporting obligations under Chapter IV of the PMLA. It does not authorise any specific business activity, does not substitute for a securities licence where one is required for token-like instruments, and does not displace RBI oversight on banking and payment matters.

Who needs to register with FIU-IND as a VDA service provider?
Any entity that carries on one or more of five designated activities under the Ministry of Finance notification dated 7 March 2023 — fiat-to-crypto exchange, crypto-to-crypto exchange, VDA transfer, VDA safekeeping or administration, or participation in financial services related to a VDA issuer’s offer and sale — for another person in the course of business. The obligation is activity-based, so offshore platforms that serve Indian users are within scope regardless of their place of incorporation.

What happens if a crypto business does not register with FIU-IND?
Failure to register is a violation of the PMLA and attracts action under Section 13. The Director of FIU-IND may issue warnings, directions to comply, directions to submit compliance reports, or monetary penalty. Penalties have ranged from INR 34.5 lakh (KuCoin) to INR 18.82 crore (Binance) in enforcement orders. The FIU-IND may also direct MeitY to block URLs and delist mobile applications. Registration after enforcement does not extinguish liability for the prior period of non-compliance.

How many crypto exchanges are registered with FIU-IND?
As of the FY 2024-25 Annual Report, 49 VDA service providers have registered with FIU-IND — 45 domestic platforms and 4 offshore (including KuCoin, Binance, Bybit, and Coinbase). Total aggregate penalties imposed during FY 2024-25 on non-compliant platforms reached INR 2.8 billion, reflecting the transition from procedural onboarding to active enforcement.

Do offshore crypto exchanges need FIU-IND registration?
Yes, if they service Indian users or facilitate VDA activity linked to India. The Ministry of Finance has explicitly clarified that the obligation is activity-based and not contingent on physical presence. Offshore platforms that decline to register have faced show-cause notices, monetary penalties, and URL and app-store blocking through MeitY directions. In December 2023, nine offshore exchanges were notified; on 1 October 2025, a further 25 were notified.

---

This analysis was prepared by the Candour Legal Team. Candour Legal is a full-service Indian law firm with offices in Ahmedabad, Delhi, and Mumbai, publishing commentary on digital assets, financial regulation, and cross-border compliance at candourlegal.com.

Further reading in this series

• Part 2 — How to Register with FIU-IND: Documents, Principal Officer, and the 2-6 Week Timeline
• Part 3 — After FIU-IND Registration: Ongoing AML Compliance and Enforcement Lessons from Binance and Bybit
• India-UK CETA: Compliance Playbook Before the Entry Into Force — on cross-border compliance calibration ahead of a major regulatory transition.