Introduction
The intersection of cryptocurrency markets and anti-money laundering law represents one of the most technically complex and rapidly evolving frontiers of financial regulation in India. For much of the period between 2017 and 2022, India’s regulatory relationship with virtual digital assets (VDAs) was defined primarily by uncertainty: the Reserve Bank of India’s 2018 circular effectively prohibiting banks from dealing with crypto entities was struck down by the Supreme Court in Internet and Mobile Association of India v. Reserve Bank of India (2020), and no comprehensive regulatory framework was in place. The Finance Act 2022 introduced a taxation regime for VDA transactions; the Finance Act 2023 brought crypto exchanges and related businesses within the ambit of the Prevention of Money Laundering Act, 2002, as reporting entities; and by December 2023, the Financial Intelligence Unit of India had commenced enforcement action against major offshore crypto exchanges for non-compliance. This article examines the PMLA compliance obligations for Virtual Asset Service Providers, the FIU’s registration and enforcement functions, the implications of the WazirX exchange incident of 2024, and the comparative regulatory frameworks of Singapore and FATF.
Legal Framework
The Finance Act 2023 amended the definition of “reporting entity” under Section 2(1)(wa) of PMLA to include entities engaged in exchange between virtual digital assets and fiat currencies, exchange between one or more forms of virtual digital assets, transfer of virtual digital assets, safekeeping or administration of virtual digital assets or instruments enabling control over virtual digital assets, and participation in and provision of financial services related to an issuer’s offer or sale of a virtual digital asset. This brought crypto exchanges, wallet providers, VDA brokers, and token issuers within the reporting entity framework for the first time.
Reporting entities under PMLA are required to maintain records of all transactions, verify the identity of clients in accordance with Know Your Customer (KYC) norms, appoint a Principal Officer for compliance purposes, and file Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) with the Financial Intelligence Unit of India. For VASPs, the FIU issued a specific registration requirement: all entities qualifying as Virtual Asset Service Providers under PMLA were required to register with FIU-IND through an online portal by a specified date, failing which they would be subject to enforcement action including blocking of their services for Indian users.
The FIU-IND, established under Section 12 of PMLA, functions as the central national agency for receiving, processing, analysing, and disseminating information about suspicious financial transactions. For VASPs, FIU’s role encompasses both registration oversight and the receipt and analysis of STRs filed by crypto exchanges concerning suspicious customer transactions.
The parallel taxation framework under the Income Tax Act is significant for compliance planning. Section 115BBH, introduced by the Finance Act 2022, imposes a 30% tax rate on income from the transfer of VDAs, with no deduction permitted for losses or expenses other than the cost of acquisition. Section 194S requires any person making payment to a resident for transfer of VDA to deduct tax at source at 1%. The combination of the 30% taxation regime and PMLA compliance obligations has created a substantial regulatory burden for VDA businesses operating in India.
Judicial Developments
The Supreme Court’s 2020 ruling in Internet and Mobile Association of India v. Reserve Bank of India, which struck down the RBI’s banking ban on crypto entities, remains the foundational judicial statement on the regulatory treatment of VDAs. The Court held that the RBI’s circular was disproportionate in the absence of any demonstrated harm to the banking system attributable to crypto businesses. It did not address the AML or PMLA dimensions of crypto regulation, which were not then before the Court.
Subsequent litigation has focused on the income tax treatment of VDA transactions and the classification of specific tokens, but no major Supreme Court ruling has directly addressed PMLA’s application to VASPs as of 2025. The Delhi High Court, in various proceedings related to the FIU’s enforcement actions, has upheld FIU’s power to direct blocking of offshore exchange websites accessible to Indian users, holding that such blocking is a proportionate response to non-compliance with registration and reporting obligations.
The ED’s investigation into the WazirX exchange hack (discussed below) raised novel questions about the application of PMLA to the proceeds of cyber theft involving VDAs, particularly where the accused are foreign nationals operating outside India’s jurisdiction and where the stolen assets have already been transferred through privacy-enhancing protocols such as the Tornado Cash mixer.
Contemporary Issues and Analysis
In December 2023, FIU-IND issued show cause notices to nine offshore cryptocurrency exchanges, including Binance, OKX, Kraken, Bittrex, Bitfinex, Bitmex, Bitstamp, Kucoin, and Huobi, for operating in India without registering as reporting entities under PMLA. Simultaneously, FIU directed the Ministry of Electronics and Information Technology to block the websites and applications of these exchanges for Indian users under Section 69A of the Information Technology Act, 2000. The action was unprecedented in its scope and signalled that India intended to enforce its PMLA framework against offshore VASPs serving Indian customers.
Binance, the world’s largest crypto exchange by trading volume, subsequently applied for FIU-IND registration in early 2024, paid a penalty of approximately Rs. 18.82 crore for past non-compliance, and was granted registration, after which it resumed operations for Indian users. This episode illustrated both the credibility of FIU’s enforcement capability and the practical dynamics of regulatory compliance: a sufficiently credible enforcement threat, combined with a structured compliance pathway, can bring major global platforms into the regulatory framework.
The WazirX exchange hack of July 2024 was the most significant crypto security incident in Indian regulatory history. Approximately Rs. 2,000 crore worth of various crypto assets were stolen from WazirX’s multi-signature wallet in what cybersecurity investigators attributed to the Lazarus Group, a North Korea-affiliated state-sponsored hacking organisation. The ED launched a PMLA investigation into the incident, focusing on whether the exchange’s security failures constituted negligence that allowed the transfer of assets that could be classified as proceeds of crime, and on the efforts to trace and recover the stolen funds.
The investigation raised technically complex legal questions: whether the stolen assets, once transferred to the attacker’s wallets, constitute “proceeds of crime” under PMLA (since the predicate offence was cyber theft, which is listed in the Schedule); whether WazirX, as the exchange from which assets were stolen, is itself a “person in possession of proceeds of crime” (since the assets were in its custody); and whether the PMLA attachment power can be exercised over VDAs that exist on a public blockchain but are not in any physical location within India’s jurisdiction.
The Travel Rule, required by FATF Recommendation 16 and implemented in India through FIU’s guidance to VASPs, requires that information about the originator and beneficiary of a VDA transfer above a threshold amount must be transmitted with the transfer and retained by both the originating and beneficiary VASP. For Indian VASPs, implementation of the Travel Rule requires technical infrastructure for information sharing between exchanges, which many smaller platforms lack. The WazirX incident exposed the limitations of Travel Rule compliance in practice: the stolen funds were moved through multiple wallets and then into privacy protocols that are technically designed to defeat transaction tracing.
Comparative and International Perspective
FATF’s Recommendation 15, as revised in 2019 and updated in subsequent guidance, requires member countries to bring VASPs within their AML/CFT regulatory frameworks, to apply risk-based supervision to VASPs, and to implement the Travel Rule for VDA transfers. India’s PMLA amendment bringing VASPs within the reporting entity framework is compliant with Recommendation 15 in its basic structure. India’s FATF Mutual Evaluation (2023) gave India satisfactory ratings on technical compliance, including in the area of VASP regulation, though the evaluation noted that the framework was newly implemented and effectiveness would require time to assess.
Singapore’s Monetary Authority of Singapore (MAS) has implemented a licensing regime for VASPs under the Payment Services Act 2019, with AML requirements applied through the MAS Notice PSN02 on VASP AML compliance. The Singapore regime is notable for its risk-based tiering: exchanges with lower transaction volumes face lighter compliance requirements, while those handling above a specified threshold are subject to full FATF-equivalent obligations including Travel Rule implementation. India’s framework does not currently incorporate a similar risk-tiered approach, applying uniform reporting entity obligations to all VASPs regardless of scale.
The EU’s Markets in Crypto-Assets Regulation (MiCA), which came into full effect in 2024, establishes a licensing framework for crypto asset service providers across the EU with AML obligations running alongside the MiCA licensing requirements. The EU’s approach, combining prudential licensing with AML compliance in a single integrated framework, may offer a model for India’s eventual comprehensive VDA regulation.
Practical and Policy Implications
For Indian crypto exchanges operating after the Finance Act 2023, the immediate priority has been achieving and maintaining FIU registration, which requires establishing an AML/CFT compliance programme that includes client verification at onboarding, transaction monitoring, STR filing infrastructure, and staff training. The compliance cost for smaller exchanges is substantial relative to their revenues.
The blocking of offshore exchanges without Indian registration has had mixed effects on the Indian crypto market. Indian retail investors, unable to access major offshore platforms directly, have in some cases turned to peer-to-peer trading methods or used VPNs to access blocked exchanges, creating informal channels that are harder to monitor and more susceptible to misuse. The regulatory objective of bringing VDA activity within the AML framework is partially undermined where enforcement actions drive activity into informal channels.
For law enforcement, the WazirX investigation demonstrates both the potential and the limitations of PMLA as a tool for addressing crypto-related financial crime. Where the perpetrators are offshore state-sponsored actors, PMLA’s arrest and attachment powers are largely inapplicable; the investigation’s practical output is intelligence on transaction flows rather than physical enforcement action.
Suggestions and Reforms
A risk-tiered VASP compliance framework, similar to Singapore’s approach, would reduce the compliance burden on smaller Indian platforms while maintaining rigorous oversight of systemically important exchanges. The threshold for full PMLA reporting entity obligations should be calibrated by trading volume or customer base, with lighter obligations for platforms below the threshold.
A statutory framework for blockchain analytics as investigative evidence is needed: currently, blockchain transaction data used in PMLA investigations must be authenticated and presented through expert witnesses, creating procedural complexity. Specific rules of evidence governing the admissibility and weight of blockchain forensics evidence would improve the efficiency of PMLA proceedings involving crypto.
The Travel Rule implementation should be accompanied by technical assistance from RBI or SEBI (whichever becomes the primary VASP regulator) for smaller exchanges, to develop shared technical infrastructure for Travel Rule compliance. The current approach, which requires individual platforms to build proprietary solutions, is inefficient and creates compliance asymmetry between large and small platforms.
Conclusion
India’s extension of PMLA to VASPs reflects an appropriate recognition that cryptocurrency markets present genuine money laundering risks, particularly for layering transactions where the pseudonymity of blockchain transactions provides a degree of concealment unavailable through traditional banking. The December 2023 FIU enforcement actions and the subsequent compliance by major exchanges demonstrate that the framework can achieve regulatory results. However, the framework remains incomplete: the Travel Rule is not fully operational, the VASP regulatory architecture is fragmented between FIU, SEBI, and RBI, and the legal questions raised by crypto-specific incidents like WazirX remain unresolved. A comprehensive VDA legislation that integrates prudential, consumer protection, and AML requirements under a single statutory authority would be a more coherent regulatory response than the current piecemeal approach.