India's New FIU-IND Rules Have Rewritten the Rulebook for Every Web3 Founder. Here's What You Actually Need to Do

FIU-IND issued sweeping new AML/CFT guidelines for Indian Web3 businesses in January 2026. This guide breaks down every new obligation (KYC, the Travel Rule, CERT-In audits, and Principal Officer mandates) and what founders must do now to stay compliant.
On January 8, 2026, India's Financial Intelligence Unit (FIU-IND) dropped the most consequential update to crypto regulation the country has ever seen. If you run a Web3 business that touches Indian users, whether an exchange, wallet, DeFi protocol, NFT platform, or token issuer, you are now expected to operate at the same compliance standard as a bank. This is not a metaphor. It is the literal language of the new guidelines. Most founders are not ready.
What Changed on January 8, 2026, and Why It's Different This Time
India has had a VDA (Virtual Digital Asset) regulatory framework since March 2023, when VDA service providers were brought under the Prevention of Money Laundering Act (PMLA) as "reporting entities." Those initial guidelines set up the skeleton: FIU-IND registration, basic KYC, and suspicious transaction reporting. The January 2026 update is not an extension of that framework. It is a complete rebuild of operational obligations, driven by India's FATF peer review, a surge in crypto-linked money laundering cases tracked by the Ministry of Home Affairs, and the release of the PRAHAAR strategy in February 2026, which specifically flagged crypto wallets and blockchain as tools being exploited for terror financing.
The result: 49 crypto exchanges are currently registered with FIU-IND, and all of them, along with every unregistered platform serving Indian users, are now subject to a compliance standard that is, in several respects, more demanding than what traditional NBFCs face. The window to comply is closing. FIU-IND's March 2026 closed-door workshop with the Bharat Web3 Association (BWA) made clear that enforcement is the next phase.
The Five Pillars of the New Compliance Regime - Explained for Founders
1. Live Identity Verification Is Now Mandatory
The old standard (uploading a PAN card and a selfie) is gone. The January 2026 guidelines require exchanges and wallet providers to conduct live identity verification at onboarding. This means collecting and verifying a PAN, a secondary government-issued ID (passport or Voter ID), a live photograph with geo-coordinates, an IP address with timestamp, a device ID, and a wallet address. In addition, bank account ownership must be confirmed through penny-drop verification before any VDA activity is permitted. This isn't aspirational. It is the minimum standard against which FIU-IND inspectors will now audit you.
2. The Principal Officer and Designated Director - Real Roles, Real Liability
The guidelines impose specific qualification and accountability standards on two key personnel: the Principal Officer (PO) and the Designated Director (DD). The PO is the operational compliance head: they must be formally notified to FIU-IND via FINgate, must have verifiable AML/CFT experience, and cannot hold a position that creates a conflict of interest with their compliance duties. The DD bears ultimate board-level responsibility for AML/CFT compliance. Critically, if the PO changes, FIU-IND must be notified immediately. Many Indian Web3 startups have been treating these as box-ticking appointments. Under the new framework, the PO and DD carry personal liability for compliance failures.
3. The Travel Rule - India's Crypto Wire Transfer Law
The Travel Rule, a FATF standard that requires originator and beneficiary information to "travel with" a virtual asset transfer, has now been formally operationalised under the Indian guidelines with tightened implementation requirements. Exchanges facilitating transfers must collect and transmit: sender name, sender account, sender address (physical or blockchain), receiver name, and receiver account. For unhosted wallet transfers (wallet addresses not held by a regulated entity), enhanced due diligence is mandatory. The guidelines explicitly define VDA SP liability for transfers to and from unhosted wallets; this directly impacts DeFi protocols and self-custody platforms that previously operated in a grey zone.
4. CERT-In Cybersecurity Audits - A New Annual Obligation
For the first time, the 2026 guidelines introduce mandatory annual cybersecurity audits by CERT-In empanelled auditors, alongside the annual independent review of the AML/CFT compliance framework itself. This means Web3 businesses now have two mandatory annual audits: one covering financial compliance and one covering cybersecurity posture. The CERT-In audit requirement reflects the Ministry of Home Affairs' PRAHAAR strategy concern that crypto platforms are increasingly targeted as vectors for cyber-enabled financial crime. Passing a CERT-In audit requires documented incident response procedures, penetration testing results, and evidence of data localisation compliance where applicable.
5. Risk Classification Every Six Months, Not Annually
Under the previous framework, customer risk classification was largely a one-time or annual exercise. The new guidelines mandate a minimum semi-annual review of all customer risk classifications, with documented rationale for changes. High-risk customers, including those linked to FATF grey/black-listed jurisdictions, politically exposed persons (PEPs), non-profit organisations, and large-volume traders, require enhanced due diligence at both onboarding and on an ongoing basis. Every classification decision must be documented and available for FIU-IND inspection.
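The Travel Rule data requirements in pillar 3 and the semi-annual review in pillar 5 both translate into checks that must run before a transfer executes and on a schedule, respectively. The following is an added illustration, not code from the article or from FIU-IND, of how an exchange might gate an outbound VDA transfer: reject it when any of the five mandatory counterparty fields is missing, route it to an enhanced due diligence (EDD) queue when the destination is not a known VASP address (i.e. an unhosted wallet), and compute whether a customer's six-monthly risk review is overdue. The field names, the `KNOWN_VASP_ADDRESSES` registry and its sample entry are assumptions constructed for the example; a real deployment would populate the registry from counterparty onboarding records.

```python
"""Pre-transfer compliance gate sketch (added example, not the article's code):
Travel Rule field check, unhosted-wallet routing to EDD, and the six-month
risk-review timer. Field names and the VASP registry are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Assumption: a registry of deposit addresses known to belong to registered VASPs.
# The entry below is a constructed sample value, not a real address.
KNOWN_VASP_ADDRESSES = {
    "0xAAAA000000000000000000000000000000000A1": "example-exchange-a",
}

# The five data elements the guidelines require to accompany a VDA transfer.
REQUIRED_FIELDS = ("sender_name", "sender_account", "sender_address",
                   "receiver_name", "receiver_account")


@dataclass
class Transfer:
    sender_name: str = ""
    sender_account: str = ""
    sender_address: str = ""    # physical or blockchain address of the originator
    receiver_name: str = ""
    receiver_account: str = ""  # destination wallet address on the chain
    risk_flags: list = field(default_factory=list)


def missing_travel_rule_fields(t: Transfer) -> list:
    """Return the mandatory fields that are empty or whitespace-only."""
    return [f for f in REQUIRED_FIELDS if not getattr(t, f).strip()]


def classify_counterparty(address: str) -> str:
    """'hosted' if the destination is a registered VASP address, else 'unhosted'."""
    known = {a.lower() for a in KNOWN_VASP_ADDRESSES}
    return "hosted" if address.strip().lower() in known else "unhosted"


def gate_transfer(t: Transfer) -> str:
    """Decide 'reject', 'edd_required' or 'allow' before the transfer executes.

    A transfer with incomplete Travel Rule data never leaves the platform; a
    complete transfer to an unhosted wallet is held for enhanced due diligence.
    """
    if missing_travel_rule_fields(t):
        return "reject"
    if classify_counterparty(t.receiver_account) == "unhosted":
        t.risk_flags.append("unhosted_wallet_edd")
        return "edd_required"
    return "allow"


def risk_review_overdue(last_review: date, today: date) -> bool:
    """True when six or more calendar months have elapsed since the last review."""
    months = (today.year - last_review.year) * 12 + (today.month - last_review.month)
    if months < 6:
        return False
    if months > 6:
        return True
    return today.day >= last_review.day


if __name__ == "__main__":
    hosted = next(iter(KNOWN_VASP_ADDRESSES))
    ok = Transfer("A. Sender", "acct-1", "Mumbai", "B. Receiver", hosted)
    print(gate_transfer(ok))                       # allow
    self_custody = Transfer("A. Sender", "acct-1", "Mumbai", "B. Receiver", "0x1234")
    print(gate_transfer(self_custody), self_custody.risk_flags)
    print(risk_review_overdue(date(2026, 1, 8), date(2026, 7, 8)))
```

The gate deliberately returns a decision string rather than raising, so the caller can log the outcome with the transfer identifier; under the guidelines that record is what an FIU-IND inspector will ask to see.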
The DeFi Question: "We're Decentralised" Is Not a Legal Argument Anymore
One of the most consequential clarifications in both the new FIU-IND guidelines and India's broader PMLA VDASP framework is the treatment of DeFi protocols. The regulations do not exempt protocols from compliance based on architecture alone. The test is functional: does any identifiable party exercise control or sufficient influence over user assets or protocol behaviour? If yes, that party is a reporting entity under the PMLA, regardless of how the codebase is labelled.
"A mere self-claim of being 'decentralised' is insufficient. DeFi lies on a spectrum, and only protocols that are demonstrably and sufficiently decentralised may be treated differently." (India's PMLA VDASP Framework)
In practice, this means: front-end interfaces targeting Indian users create compliance obligations even if the underlying smart contracts operate autonomously. Protocols with admin keys, governance tokens with voting rights, or fee-capture mechanisms are almost certainly caught by the VASP definition. Founders of DeFi protocols with Indian users who have not taken legal advice on their regulatory status are running a material and growing risk.
The Regulatory Trajectory: Where India Is Heading in 2026 and Beyond
India's current approach, "regulation through compliance infrastructure rather than outright legislation," is becoming clearer. The Parliamentary Standing Committee on Finance convened in January 2026 for a nearly three-hour session on cryptocurrency enforcement gaps and investor protection. The CBDT has issued notices to over 44,000 taxpayers suspected of VDA non-compliance, having identified ₹889 crore in undisclosed income. India has also signalled early readiness for the OECD's Crypto-Asset Reporting Framework (CARF) ahead of the 2027 implementation deadline, which will require Indian exchanges to automatically report non-resident transaction data to foreign tax authorities, and foreign exchanges to report Indian resident data to India's Income Tax Department.
The direction is clear: India is building compliance infrastructure first and a legislative framework second. Web3 founders who build compliance-first cultures today are not just avoiding penalties. They are positioning themselves to be the businesses that survive and thrive when the comprehensive regulatory framework arrives, and to capture the institutional capital that follows regulatory clarity.
THE 2026 COMPLIANCE CHECKLIST FOR INDIAN WEB3 FOUNDERS
FIU-IND Registration: If you haven't registered, you are already non-compliant. Register via FINgate immediately.
Live KYC Infrastructure: Upgrade onboarding to collect geo-tagged photos, device IDs, and penny-drop bank verification.
PO and DD Appointments: Formally notify FIU-IND of qualified, conflict-free Principal Officer and Designated Director.
AML/CFT Policy: Draft a comprehensive written framework including a public-facing summary and publish it on your platform.
Travel Rule Implementation: Establish counterparty data collection for all VDA transfers, with enhanced due diligence for unhosted wallets.
CERT-In Audit: Engage a CERT-In empanelled auditor for your first mandatory cybersecurity audit.
Semi-Annual Customer Risk Review: Build a documented process for reviewing and updating all customer risk classifications every six months.
Mixer/ICO Policy: Remove or disable any mixer/tumbler functionality. Review token offering plans against the FIU-IND ICO discouragement framework.
For founders operating across India and Dubai, structuring a VARA-licensed UAE entity alongside an Indian VDASP-registered exchange or custody business, the 2026 update adds a critical compliance coordination layer. Your UAE entity's AML/CFT policies (required for VARA licensing) and your Indian entity's FIU-IND compliance framework must be aligned, not contradictory. Transfer of VDA between the two entities triggers Travel Rule obligations in both jurisdictions. The good news: the substantive standards (FATF-based AML/CFT frameworks, KYC standards, transaction monitoring) are largely harmonised between the two regulatory regimes, because both are built on the FATF recommendations. The challenge is operationalising them simultaneously without two separate legal teams working in silos and creating gaps.