Quick Overview

  • Register and govern: enrol with FIU-IND on the FINnet 2.0 portal and appoint a Principal Officer and a Designated Director.
  • Assess and document: run a business risk assessment and write a board-approved AML policy, controls and procedures from it.
  • Know your customer: carry out customer due diligence and KYC and identify the beneficial owner (a controlling interest of more than 10 per cent for a company or partnership).
  • Monitor, screen, report: monitor transactions, keep KYC current, screen against sanctions lists, and file the prescribed reports with FIU-IND on time.
  • Keep, train, test: keep records for five years, train staff, and test the programme through internal audit, compliance assurance or independent review. The shape is the same across sectors; the detail follows your regulator.

A reporting entity in India becomes AML compliant by registering with FIU-IND, appointing a Principal Officer and a Designated Director, and running a programme built on a business risk assessment: customer due diligence and KYC, beneficial-ownership identification, ongoing monitoring and periodic updation, sanctions screening, prescribed reporting, record-keeping, training and independent testing and audit. The shape is the same across sectors; the regulator, the rulebook and the risk profile differ.

AML Compliance Requirements in India

Anti-money-laundering compliance in India is not a one-time form to file. It is a programme that a regulated business builds, runs, and proves year after year to its regulator and the Financial Intelligence Unit – India. This guide sets out the AML compliance requirements in India as a practical, step-by-step programme that applies broadly in the same shape to every reporting entity, subject to sector-specific rules, regulators and transaction types.

It is the how-to that sits across every sector. For the law behind these duties, read the companion guide, AML Laws and Regulations in India. This guide remains at the national level and then routes you to the requirements for your sector below, because the detail, the regulator, and the risk profile differ between banks, other financial institutions, DNFBPs, and virtual digital asset service providers.

Which sector are you in? Find your compliance guide

The programme below is common to all reporting entities, but the regulator, the rulebook and the risk profile differ by sector. Use the links below for the compliance guide for your sector.

Sector | Who it covers | Guide
Banks | Commercial, small finance, payments, local area, regional rural and cooperative banks | Read the banking-sector guide
NBFCs and other RBI-regulated financial institutions | NBFCs, ARCs and other RBI-regulated financial institutions | Separate guide (coming soon)
Securities market intermediaries | Stock brokers, mutual funds and other SEBI-regulated intermediaries | Read the guide
Insurance | Insurers and insurance intermediaries under IRDAI | Read the guide
DNFBPs | Real estate agents, dealers in precious metals and stones, and professionals | Read the guide
IFSC entities | Entities in the International Financial Services Centre under IFSCA | Read the guide
Virtual digital asset service providers | Businesses dealing in crypto and other virtual digital assets | Read the guide

Who must comply: reporting entities in India

The PMLA places AML duties on reporting entities. A reporting entity is a business that the law requires to conduct customer checks and report certain transactions. The main groups are financial institutions, including banks and non-banking financial companies; securities market intermediaries, insurance entities and other intermediaries; persons carrying on a designated business or profession, including notified DNFBPs such as real estate agents and dealers in precious metals and stones; and virtual digital asset service providers carrying out notified VDA activities. The duties are broadly the same in shape for all of them, subject to sector-specific rules. What differs is the regulator, the detailed rulebook and the risk profile.

Sector challenges across reporting entities

Reporting entities of all kinds share a few common challenges. The framework keeps moving, with category-specific RBI KYC Directions in 2025 and regulators updating their own rulebooks. Beneficial ownership, where the real person sits behind a company, partnership or trust, is consistently the hardest control to get right. Sanctions screening must keep pace with changing lists, and monitoring must be tuned to live typologies such as money mules and layering rather than left on defaults. The common thread is evidence: a business must be able to show, not just assert, that its programme works.

The scale of the obligation: statistics

In FY 2024-25, FIU-IND received more than 2 million reports per month and issued 8 compliance orders with penalties exceeding Rs 30 crore (FIU-IND Annual Report 2024-25). The Financial Action Task Force evaluated India in 2024 and found a good general understanding of financial sector risks, while expecting preventive measures to continue improving (FATF Mutual Evaluation Report on India, 2024). India’s 2022 National Risk Assessment identifies fraud, corruption and drug trafficking as the largest money-laundering risks. A strong, evidence-based programme is the only reliable defence.

“The shape of the programme is the same in every sector. The mistake businesses make is copying a generic policy instead of building it from their own risk assessment. The risk assessment is what makes the rest defensible.”

Pathik Shah, FCA, CAMS, CISA, CS, DISA, FAFD

The AML compliance lifecycle in India

AML compliance is easier to manage as a connected lifecycle than as a pile of separate rules. Each step feeds the next, and a weakness in one shows up as a failure in another. The order that works in practice is to register and appoint officers, assess risk, write policy based on that assessment, then run the day-to-day controls of KYC, monitoring, screening, and reporting, with record-keeping, training, and independent testing wrapped around all of it.

Throughout, hold to the risk-based approach: do more where the risk is higher and less where it is lower, and be able to explain, with evidence, why each choice was made.

Register with FIU-IND

A reporting entity enrols with the Financial Intelligence Unit – India on the FINnet 2.0 platform, accessed through the FINGate 2.0 portal, which is also the channel for filing reports. This is a basic condition for meeting the reporting duty under Rule 3 and Rule 8 of the PMLR.

Detailed guide: FIU-IND registration and reporting setup

Setting up your AML function from scratch?

FINnet enrolment, officer appointments and the reporting workflow all have to line up before day one. AML India helps you stand up a complete, inspection-ready compliance department.

Appoint a Designated Director and a Principal Officer

Every reporting entity appoints two named officers under Rule 7 of the PMLR. The Designated Director carries overall responsibility for compliance. The Principal Officer is responsible for monitoring transactions, deciding whether activity is suspicious, and filing reports with FIU-IND. The same person should not hold both roles, and the entity must inform FIU-IND of both appointments and of any change.

Conduct the internal risk assessment (IRA)

The business risk assessment, also called the internal or enterprise-wide risk assessment, is the foundation of the programme. The entity assesses its money-laundering, terror-financing, and proliferation-financing risk across its customers, products and services, geographies, and delivery channels, sets controls, and determines a residual risk. The outcome should be shared with senior management or the board and refreshed at least annually and whenever a material change in risk occurs.

Is your risk assessment doing real work?

If the assessment does not actually drive your controls, the whole programme is pointed in the wrong direction. AML India builds a board-ready risk assessment that sets your priorities and stands up to scrutiny.

AML policies, controls and procedures implementation

The risk assessment is turned into a written AML policy that senior management approves and owns. The policy covers customer acceptance, customer identification and due diligence, rules for higher- and lower-risk customers, ongoing monitoring, the escalation route to the Principal Officer, reporting, record-keeping, and training, in line with the sector regulator’s directions.

Detailed guide: AML policy, controls and procedures

Customer identification and customer due diligence (CDD)

The entity identifies and verifies every customer under Section 11A of the PMLA, Rule 9 of the PMLR and its sector regulator’s directions. KYC is the identity step; customer due diligence is the wider, risk-based assessment around it. Higher-risk customers get enhanced due diligence, including source-of-funds checks and senior approval, while lower-risk customers get a simplified approach. For non-profit organisation customers, apply the applicable registration and due diligence expectations, including DARPAN-related checks where relevant.

Beneficial ownership identification (part of CDD)

The beneficial owner is the natural person who ultimately owns or controls a customer. For a company or partnership, the threshold is a controlling interest of more than 10 per cent; for an unincorporated association or body of individuals, it is more than 15 per cent; and for a trust, it covers the author, trustees, beneficiaries with a 10 per cent or more interest and anyone exercising ultimate control. Looking through to the real owner is the step that most often fails at inspection.

Ongoing monitoring and periodic updation

The entity monitors transactions on an ongoing basis. It keeps KYC current through periodic updation on a risk-based schedule, with the customer’s risk categorisation itself reviewed periodically, at least once every six months, under the sector regulator’s directions. Good monitoring is tuned to real typologies rather than left on default settings, and the alerts it raises are actually worked on and closed.

Sanctions screening and targeted financial sanctions

The entity screens customers and transactions against the designated lists and freezes matched funds without delay. The counter-terrorism duty flows from Section 51A of the UAPA and the counter-proliferation duty from Section 12A of the WMD Act. Screening covers the United Nations Security Council lists and the relevant domestic lists. In practice, follow a clear hit workflow: detect a possible match; pause or freeze as required; escalate; confirm whether it is a true match; report and freeze on a true match; and document false positives.

Regulatory reporting to FIU-IND

The entity files the prescribed reports under Rule 3 and Rule 8 of the PMLR, including, where applicable:

  • cash transaction reports for cash above Rs 10 lakh;
  • suspicious transaction reports of any value;
  • cross-border wire transfer reports for cross-border wire transfers of more than Rs 5 lakh, or its equivalent in foreign currency, where either the origin or destination of the funds is in India;
  • reports on non-profit receipts above Rs 10 lakh;
  • reports on cash transactions involving counterfeit currency, forged valuable security or forged documents; and
  • reports on immovable property transactions of Rs 50 lakh or more.

Monthly reports, including cross-border wire transfer reports, go by the 15th of the succeeding month, while immovable property reports under Rule 3(F) are filed quarterly. A suspicious transaction report must be filed promptly once the Principal Officer is satisfied that the transaction is suspicious. Reporting is confidential: a business must not tip off a customer that a report has been or may be filed.

Record management, CKYCR and FINnet 2.0

The entity keeps transaction records for 5 years from the transaction date. It keeps identity records, account files, and business correspondence for five years after the business relationship ends, or the account is closed, whichever is later, under Section 12 of the PMLA. Records must be retrievable for regulatory and law-enforcement requests. Records connect to two pieces of national infrastructure: the Central KYC Records Registry (CKYCR), where entities file and update KYC records, and FINnet 2.0, the FIU-IND platform through which reports are filed.

Training and awareness

Staff are trained by role so they can recognise and escalate risk, with the training refreshed as risks and rules change and evidenced with records of who was trained and when.

Independent testing and audit

The programme is tested through independent testing and audit that checks whether the controls work and whether findings are remediated. Independent testing is what turns a written programme into a defensible one.

Evidence to keep ready for inspection

A reporting entity should be able to show, not just assert, that its programme works. Keep the risk assessment with its methodology; customer files with due diligence and beneficial-ownership records and risk ratings; monitoring alerts with investigation notes and closure reasons; screening logs with list updates and match decisions; the filing records for each report type; the intimations of the Principal Officer and Designated Director; training records; and the independent testing and audit with its remediation tracker. This is the pack a regulator will ask for.

From compliance back to the law: every requirement above rests on a specific provision. For the legal basis, read the companion guide, AML Laws and Regulations in India. For detailed requirements that apply to you, follow the link to your sector above.

What this page does not cover

This page is the national overview. It does not give you the full method for any one control: the CDD procedure, the sanctions hit workflow, the FIU-IND filing steps, the EWRA model, the training plan and the audit methodology each live in their own requirement guide, linked from the lifecycle above.

National and sectoral risk assessment

A business’s own risk assessment does not sit in a vacuum. India conducts a National Risk Assessment (the last completed in 2022 and not public) and sectoral risk assessments that set out where the country sees the greatest risk of money laundering and terror financing. Use them to inform and justify the risk ratings in your own assessment and policy. Because the National Risk Assessment is not public, reference its existence and the FATF summary rather than quoting figures you cannot verify against a source you hold.

Risk factors to weigh

Use these in the business risk assessment and in deciding the level of due diligence for a customer.

Risk category | Examples across reporting entities
Customer | Politically exposed persons and their associates, cash-intensive businesses, non-residents, customers with complex or opaque ownership, and those reluctant to disclose the beneficial owner
Product and service | High-value, cross-border, anonymous or prepaid products, and services that move funds quickly or across borders
Geography | Customers, funds or counterparties linked to higher-risk jurisdictions or to areas with elevated predicate-crime activity
Delivery channel | Non-face-to-face and digital onboarding, third-party introducers, and accounts operated through intermediaries

AML/CFT/CPF red flags to watch

Red flags do not prove wrongdoing, but they should trigger a closer look and, where the Principal Officer is satisfied, a suspicious transaction report.

  • Unusual or unexplained transactions that do not fit the customer’s profile.
  • Structuring, the splitting of transactions to stay under reporting thresholds.
  • Funds that move through an account with no clear economic purpose.
  • Hidden, evasive or layered ownership behind a customer.
  • Transactions linked to higher-risk or sanctioned jurisdictions.
  • Any match against a sanctions list or a designated persons list.

Best practices for a defensible AML programme

These practices lift a programme from merely present to defensible in any sector.

  • Build everything from the risk assessment, and refresh it at least annually and on any material change.
  • Keep the Principal Officer and Designated Director roles real and separate, with the time and authority to act.
  • Look through to the real beneficial owner, and record how you got there.
  • Tune monitoring and screening to live typologies, and actually work on and close the alerts.
  • Keep an inspection-ready evidence pack, so the programme can be shown to work, not just asserted.
  • Train by role and test through independent testing and audit, then fix what the audit finds.

Want to know where you stand before the regulator does?

An independent AML health check measures your programme against the law and the regulator’s directions, and gives you a prioritised plan to close the gaps.

Frequently Asked Questions

Register with FIU-IND, appoint a Principal Officer and a Designated Director, run a business risk assessment, and build customer due diligence, beneficial-ownership checks, monitoring, screening, reporting, record-keeping, training and audit on top of it.

A business that the PMLA requires to carry out customer checks and report certain transactions: banks and other financial institutions, securities, insurance and other intermediaries, notified DNFBPs, and virtual digital asset service providers.

It depends on the sector. The RBI supervises banks and NBFCs; SEBI the securities market; IRDAI insurance; IFSCA entities in the IFSC; and the Director of FIU-IND supervises several DNFBPs, including virtual digital asset service providers. FIU-IND receives reports from everyone.

A Principal Officer, responsible for monitoring and reporting, and a Designated Director, who carries overall responsibility. Different people should hold the two roles, and FIU-IND must be informed of both.

The natural person who ultimately owns or controls the customer: more than 10 per cent for a company or partnership, more than 15 per cent for an unincorporated association or body of individuals, and, for a trust, the author, trustees, beneficiaries with a 10 per cent or more interest, and anyone exercising ultimate control.

Where applicable: cash transaction reports, suspicious transaction reports, cross-border wire transfer reports, non-profit receipt reports, counterfeit-instrument reports and immovable-property reports. Monthly reports are due by the 15th of the next month, immovable property reports are filed quarterly, and suspicious transaction reports are filed promptly once the Principal Officer is satisfied.

Transaction records for five years from the date of the transaction, and identity, account and correspondence records for five years after the relationship ends or the account is closed, whichever is later.

Doing more where the money-laundering risk is higher and less where it is lower, and being able to explain, with evidence, why each choice was made. It runs through every part of the programme.

The shape is the same, but the regulator, the detailed rulebook, the thresholds and the risk profile differ. Use the sector links above for the requirements that apply to you.

FIU-IND can impose monetary penalties and issue compliance orders, and the regulator can take its own action. Beyond penalties, weak compliance exposes the business to money laundering and reputational harm.

Official sources and review

Why work with AML India

to inspection: risk assessments, policies, health checks, and a full compliance department setup, grounded in the PMLA, the PMLR, and each sector regulator’s directions.

Case study

A multi-state reporting entity came to AML India after an inspection flagged gaps in its risk assessment and beneficial-ownership records. We rebuilt the programme from the risk assessment up, retrained the team by role, and put an evidence pack in place. The next inspection cycle closed with no major findings.

“They turned a stack of disconnected policies into a programme we can actually defend.”

Compliance head, regulated reporting entity

Ready to make your AML programme defensible?

Whether you are setting up from scratch or fixing inspection findings, AML India can help. Talk to our team about a programme built for your sector and your risk.

About the Author

Pathik Shah

FCA, CAMS, CISA, CS, DISA (ICAI), FAFP (ICAI)

Pathik is a Chartered Accountant with more than 26 years of experience in governance, risk, and compliance. He helps companies with end-to-end AML compliance services, from conducting Enterprise-Wide Risk Assessments to implementing a robust AML compliance framework. He has played a pivotal role as a functional expert in developing and implementing RegTech solutions for streamlined compliance.