In a new directive, the Financial Intelligence Unit – India (FIU-IND) requires Virtual Digital Asset (VDA) service providers to complete cybersecurity audits before they can register or remain registered as reporting entities under the Prevention of Money Laundering Act, 2002 (PMLA). 

According to its September 15, 2025 circular, FIU-IND has directed VDA service providers—including crypto exchanges—to ensure their directors, principal officers, and chief compliance officers submit cybersecurity audit certificates from CERT-In empanelled auditors, with mandatory compliance effective right away.  

Entities offering services such as cryptocurrency-to-fiat conversion, crypto-to-crypto trading, transfer, custody, or administration of digital assets, and financial services tied to digital asset sales are classified as VDA service providers. The Ministry of Finance formally placed these activities under the PMLA on March 7, 2023. 

FIU-IND has clarified that VDA service providers must adhere to full PMLA compliance, covering due diligence, record keeping, internal control mechanisms, employee training, and reporting of suspicious transactions. Non-compliance or failure to register could attract penalties under Section 13(2) of the PMLA. 

Spike in crypto thefts triggers tougher compliance rules 

Regulators issued the directive following major cryptocurrency thefts in India. Notably, WazirX lost $235 million in July 2024 from a Liminal wallet, and CoinDCX suffered a Rs 368 crore cyberattack on its internal account earlier this year.

Experts believe mandatory cybersecurity audits will enhance user safety and support investigations into stolen crypto. Harshal Bhuta, Partner at PR Bhuta & Co., told the Economic Times that recent thefts prompted the move. 

He remarked that enforcing strict compliance—such as proper log keeping and retention of subscriber information for the mandated period—would support investigators in following the trail of funds moved through crypto transactions. 

Why It Matters  

By introducing mandatory cybersecurity audits, the government signals its intent to strengthen regulation of India’s booming crypto ecosystem, raising questions about maintaining innovation alongside compliance. The audits could protect investors, boost confidence, deter illicit fund movements, and aid authorities in tracking crypto transactions more effectively. 

The introduction of mandatory audits and the PACT certification regime may raise costs for smaller and newer crypto firms, possibly driving them away or into informal operations. In the absence of an overarching crypto law, such obligations could lead to regulatory overreach and uncertainty for compliant businesses. Consequently, India’s crypto industry may remain in a grey area—subject to intense scrutiny but without clear legal guidelines—until a formal legislative framework is enacted.