FIU Cybersecurity Audits for VDA vendors

The Indian government has been steadily tightening laws on Virtual Digital Assets (VDAs), which include cryptocurrencies, tokens, and related services. Crypto exchanges, wallet providers, and custodians have been subject to Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) responsibilities since 2023.

The government has now taken a huge step forward by making cybersecurity audits mandatory for all VDA service providers. These audits must be performed by auditors accredited by CERT-In (Indian Computer Emergency Response Team), India’s national cybersecurity nodal body.

The Regulatory Context: Crypto Under PMLA

Until 2023, India’s approach to regulating cryptocurrency was fragmented. That changed when the Ministry of Finance officially identified entities dealing in VDAs as reporting entities under the PMLA.

This means that exchanges, custodians, wallet providers, and other similar organizations are now held to the same AML/CFT compliance standards as banks, NBFCs, and payment service providers.

Key AML/CFT Requirements for VDA Providers

  1. Register with FIU-IND (Financial Intelligence Unit, India).
  2. Implement KYC (Know Your Customer) and CDD (Customer Due Diligence) protocols.
  3. Conduct enhanced due diligence (EDD) on high-risk customers.
  4. Conduct enterprise-wide risk assessments.
  5. Keep transaction and customer records for at least five years.
  6. Monitor transactions and file Suspicious Transaction Reports (STRs) and Cash Transaction Reports (CTRs) with the FIU.
  7. Screen for sanctions and watchlists.
  8. Comply with the FATF Travel Rule for cryptocurrency transfers to ensure that originator and beneficiary data are securely conveyed.

These rules establish a compliance framework aimed at preventing the use of VDAs for money laundering, fraud, or terrorist financing.

The Cybersecurity Audit Mandate: A New Layer of Oversight

The government declared in September 2025 that all crypto exchanges and VDA service providers must pass cybersecurity examinations, which will be conducted solely by CERT-In auditors.

Why Now?

The timing is not accidental. Globally, cryptocurrency platforms have been frequently targeted by:

  • Hacks and cyber-heists (millions lost through exchange compromises)
  • Phishing and social engineering targeting customer KYC records
  • Ransomware campaigns laundering proceeds through crypto channels
  • Insider threats and poor infrastructure security leading to data breaches

What the Audit Covers

While the specifics of the formal scope keep growing, CERT-In audits normally examine:

[Figure: audit scope]

In summary, the audits will determine if AML/CFT processes are technologically enforceable and resilient to cyber attacks.

How Cybersecurity Audits Strengthen AML/CFT Compliance

[Figure: AML/CFT compliance]

What It Means for VDA Service Providers

  • Compliance is unavoidable – Cybersecurity audits are now a statutory requirement, not merely a best practice.
  • Increased scrutiny from the FIU-IND – Noncompliance may result in registration suspension or penalties.
  • Competitive advantage – Providers with excellent compliance frameworks can increase user trust.
  • Future readiness – As FATF guidelines and worldwide rules evolve, early implementation facilitates alignment.

How Certcube Labs Can Help

At Certcube Labs, we specialize in cybersecurity compliance, CERT-In audit readiness, and AML/CFT frameworks for crypto and fintech businesses.

[Figure: Our services]

By integrating our cybersecurity and regulatory compliance experience, we assist exchanges and VDA service providers in not only meeting government regulations but also strengthening their position in a trust-driven market.

Conclusion: The Way Forward for India’s Crypto Ecosystem

The integration of cybersecurity assessments with AML and CFT requirements is a watershed moment for India’s cryptocurrency economy. Exchanges and VDA service providers that prioritize compliance will not only avoid regulatory challenges, but will also strengthen their relationships with customers and partners.

At Certcube Labs, we’re here to help you every step of the way, from compliance strategy to technical execution, so you can stay safe, compliant, and ahead of the curve.
