India Pushes Bank-Grade Security: FIU Orders CERT-In Audits for Crypto Platforms

India’s Financial Intelligence Unit (FIU-IND) now requires all virtual digital asset service providers to pass cybersecurity audits conducted by auditors empanelled with CERT-In. The mandate, issued via a letter dated September 15, ties successful audits to both obtaining and keeping FIU registration, citing a rise in crypto-related cyber heists nationwide. 

Under this rule, crypto exchanges, custodians, and intermediaries must meet a security bar similar to that of regulated financial institutions under the Prevention of Money Laundering Act (PMLA). The FIU urged designated directors and chief compliance officers across the roughly 55 registered entities to move quickly.

Key details at a glance:

  • Covered entities include exchanges, custodians, and intermediaries.
  • Only CERT-In–empanelled auditors can perform the assessments.
  • Passing the audit is now a prerequisite for FIU registration and renewal.
  • The order responds to crypto incidents estimated at 20%–25% of India’s cybercrime caseload.
  • Senior compliance leaders are expected to ensure immediate adherence.

A tougher compliance landscape

This step continues a tightening arc for India’s digital-asset oversight. Earlier this year, the FIU told exchanges to refresh customer KYC records—especially accounts older than 18 months—by June 30. Enforcement also picked up. In 2024, the FIU fined Binance 188.2 million rupees for anti–money laundering lapses after show-cause notices to several offshore platforms. KuCoin registered and paid a smaller penalty, while global players such as Coinbase moved to secure FIU registration to re-enter the market on compliant terms.

These actions signal that regulators expect bank-grade controls, from stronger identity checks to better record-keeping and monitoring. For users, that often translates to fewer surprise freezes and faster responses when suspicious activity appears.

Industry reaction and what comes next

Most industry voices welcomed standardized audits, arguing they will improve user trust and align India with global best practices. However, practical hurdles remain. Many bank-focused auditors will need deeper crypto expertise—think key-management procedures, cold-storage controls, and on-chain forensics. When combined with CERT-In’s log-retention rules, though, the audits should sharpen incident response and strengthen evidentiary trails for investigations.

Costs will rise. Smaller platforms may weigh consolidation against the expense of recurring assessments. Yet binding cybersecurity to AML supervision points to a more bank-like model for crypto in India. If regulators clarify the scope, frequency, and how audit findings affect licensing decisions, institutions may feel more comfortable deploying capital—and more local users could follow.

Ayushi Somani
Ayushi Somani is an academically gifted individual who has a passion for blockchain technology. She is well-versed in the technology, having been an early adopter of cryptocurrency and investing in Bitcoin and several other digital currencies.
