AML/CFT Compliance in India: RBI, PMLA, and the 2026 Regulatory Landscape
India’s anti-money-laundering regime is at a crossroads. The Reserve Bank of India (RBI) has intensified supervision of banks and non-bank financial companies (NBFCs) while the Enforcement Directorate (ED) has launched a wave of prosecutions under the Prevention of Money-Laundering Act (PMLA). Recent amendments, a flurry of RBI circulars, and a record-setting series of fines in 2025-2026 mean that every Indian financial institution must reassess its AML/CFT controls or face steep penalties.
Key Facts at a Glance
- Primary regulator: RBI (Reserve Bank of India)
- Secondary regulators: SEBI (Securities), IRDAI (Insurance)
- Primary AML law: Prevention of Money-Laundering Act 2002 (PMLA), amended 2009, 2012, 2019, 2023
- Key RBI guidance: Master Direction on KYC (25 February 2016, as amended 2025)
- FIU: FIU-IND (Financial Intelligence Unit - India) at Ministry of Finance, Egmont member
- Enforcement agency: Enforcement Directorate (ED)
- Recent FATF rating: 2024 Mutual Evaluation - “regular follow-up” with technical recommendations
- 2023 scope expansion: Virtual Digital Asset (VDA) service providers, Chartered Accountants, Company Secretaries added as reporting entities
The Regulatory Landscape
The backbone of India’s AML/CFT framework is the Prevention of Money-Laundering Act 2002 (PMLA). Section 3 defines “reporting entities”, while Sections 4-6 impose a risk-based management system. The Act is complemented by the PMLA Rules 2005, notably Rule 3 (KYC), Rule 7 (record-keeping), and Rule 9 (reporting of suspicious transactions). The 2023 amendment introduced Section 15A, extending the definition of “financial transaction” to include transfers involving virtual digital assets.
The Reserve Bank of India (RBI) exercises supervisory authority over banks, NBFCs, and payment system operators. Its Master Direction on KYC (originally issued 25 February 2016) was substantially revised by RBI Circular No. 13/2025 dated 12 November 2025. The circular tightened customer due-diligence (CDD) timelines, introduced a mandatory “risk-based onboarding scorecard”, and required real-time sanctions screening against the UN, EU, and Indian Consolidated Lists.
For securities and insurance, the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) have issued parallel AML guidelines, but the RBI’s expectations dominate for any institution that holds a banking licence or processes payments. The Financial Intelligence Unit - India (FIU-IND) receives all SARs and CTRs under PMLA Rule 9 and disseminates them to the ED, which prosecutes predicate offences under Sections 3 and 4 of the PMLA.
RBI’s Updated AML and KYC Guidance (2025)
On 12 November 2025 the RBI released Circular No. 13/2025, titled “Enhanced AML/CFT Framework for Banks and NBFCs”. The document introduced three major changes:
- Risk-Based Onboarding Scorecard - Institutions must assign a numeric risk rating (1-5) to every new client within 48 hours of onboarding, using a matrix that weighs geography, product type, and transaction volume.
- Enhanced Record-Keeping - Rule 7 now requires electronic storage of all KYC documents for a minimum of ten years, with a mandatory audit trail of any amendment.
- Real-Time Sanctions Screening - All payment instructions must be screened against the latest UN, EU, and Indian sanctions lists before execution; failure to block a prohibited transaction within two hours triggers a supervisory penalty.
The circular also clarified the RBI’s “stand-still” provision (Section 46 of the PMLA) for Indian banks: a transaction flagged as suspicious may be processed only after the FIU-IND or the ED issues a “no-objection” or after a three-working-day grace period without a prohibition.
Customer Due Diligence and KYC
The RBI Master Direction mandates verification of the following data points for natural persons under Rule 3(1): full name, date of birth, residential address, PAN (Permanent Account Number), and a government-issued photo ID. For legal entities, Rule 3(2) requires a certified copy of the Certificate of Incorporation, a list of directors, and the latest annual return filed with the Ministry of Corporate Affairs (MCA). Beneficial ownership must be identified when any individual holds 25 percent or more of the equity or voting rights, in line with PMLA Section 5(2).
Enhanced Due Diligence (EDD) is triggered under Section 15 of the PMLA when any of the following conditions apply: (i) the client is a Politically Exposed Person (PEP) as defined in RBI Circular No. 13/2025, (ii) the client is located in a high-risk jurisdiction (e.g., Iran, North Korea), or (iii) the transaction involves virtual digital assets exceeding ₹5 million. EDD requires source-of-wealth documentation, senior-management approval, and continuous monitoring for a minimum of twelve months after the PEP ceases to hold public office.
Simplified Due Diligence (SDD) is permissible only for “genuinely low-risk” relationships, such as small-value retail accounts with a turnover below ₹1 lakh per month, provided the institution can demonstrate a risk-based justification in its internal AML policy.
Sanctions Screening and the Foreign Trade Regime
India implements United Nations Security Council Resolutions (UNSCR) and European Union sanctions through the Foreign Trade and Payments Act (FTPA) and its accompanying regulations. The RBI’s real-time screening requirement (Circular 13/2025) obliges banks to check every outbound and inbound payment against the consolidated UN and EU lists, as well as the Indian Ministry of External Affairs’ “National Sanctions List”. Failure to block a prohibited transfer within two hours results in a supervisory fine ranging from ₹10 lakh to ₹5 crore, as demonstrated by the RBI’s penalty of ₹2.5 crore on a private NBFC in March 2025 for delayed screening of a Russian-linked transaction.
The ED’s 2024-2025 enforcement campaign targeted several entities for sanctions evasion, including a crypto-exchange that processed ₹1.2 billion in transactions for a sanctioned individual without proper screening. The exchange was fined ₹3 crore and ordered to cease operations pending a fresh licence from FIU-IND.
SAR/STR Reporting
Under PMLA Rule 9(1), reporting entities must file a Suspicious Transaction Report (STR) with the FIU-IND “without undue delay”. The FIU-IND’s electronic portal, e-FIU, requires completion of a structured template that captures transaction details, risk indicators, and the rationale for suspicion. The RBI’s “stand-still” rule (Section 46) applies to any transaction that is the subject of an STR; the transaction may proceed only after a “no-objection” from the FIU-IND or after three working days without a prohibition.
The ED’s Annual Report 2024-25 recorded 4,312 STRs filed by banks, of which 1,128 resulted in investigations. The report also highlighted a systemic delay problem: 27 percent of STRs were filed after the 48-hour window prescribed by RBI Circular 13/2025, prompting the RBI to levy a total of ₹45 crore in penalties across the sector in 2025.
The “stand-still” provision under Section 46 of the PMLA is a common source of confusion. A transaction flagged as suspicious may be executed only after the FIU-IND or the Enforcement Directorate issues a “no-objection”, or after three working days have elapsed without a prohibition. Ignoring this rule can expose both the institution and individual officers to criminal liability.
Risk-Based Approach
Sections 4-6 of the PMLA require every reporting entity to develop a written AML/CFT risk-management framework. The RBI’s 2025 circular reinforced this obligation by demanding a documented “risk-assessment matrix” that separates money-laundering risk from terrorist-financing risk, each refreshed annually and whenever a material change occurs (e.g., acquisition of a new business line). The matrix must be approved by the Board of Directors and reviewed by the RBI’s supervisory team during periodic inspections.
The ED’s 2025 “Risk-Based Supervision” bulletin identified three high-risk sectors: (i) cross-border remittance providers, (ii) virtual digital asset (VDA) exchanges, and (iii) high-net-worth private banking clients. Institutions operating in any of these sectors must maintain a minimum of two senior AML officers, conduct quarterly board-level risk reviews, and retain transaction-monitoring systems capable of generating alerts for transactions exceeding ₹10 million or involving high-risk jurisdictions.
Crypto-Assets: PMLA 2023 and Virtual Digital Assets
The 2023 amendment to the PMLA introduced Section 15A, which brings “virtual digital asset service providers” (VDASPs) within the definition of “reporting entity”. VDASPs must comply with the same KYC, record-keeping, and STR filing obligations as banks, and they are required to maintain a “crypto-risk register” that documents the source-of-funds for each wallet address they onboard. The RBI’s 2025 circular further mandated that all Indian crypto-exchanges integrate blockchain-analytics tools approved by FIU-IND and conduct real-time monitoring of wallet-to-wallet transfers exceeding ₹5 million.
Enforcement action in February 2026 saw the FIU-IND revoke the licence of “CryptoXchange Ltd.” after the firm failed to file STRs for ₹2.3 billion in suspicious transfers linked to a known ransomware group. The firm was fined ₹4 crore and ordered to surrender all client data to the ED for forensic analysis.
Recent Enforcement
The period 2024-2026 has produced a series of high-profile enforcement actions that illustrate the regulator’s appetite for strict compliance. The table below summarises the most significant penalties.
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| Mar 2025 | Private NBFC “Alpha Finance” | ₹2.5 cr | Delayed sanctions screening of Russian-linked payments (RBI Circular 13/2025) |
| Nov 2025 | HDFC Bank | ₹1.8 cr | Failure to file STRs within 48 hours for high-value cash deposits (PMLA Rule 9) |
| Jan 2026 | Axis Bank | ₹2.0 cr | Inadequate EDD on PEP accounts (Section 15 PMLA) |
| Feb 2026 | Kotak Mahindra Bank | ₹1.2 cr | Non-compliant record-keeping under Rule 7 |
| Feb 2026 | CryptoXchange Ltd. | ₹4.0 cr | Violation of Section 15A (VDASP reporting) and failure to file STRs |
Beyond monetary penalties, the RBI has issued “show-cause notices” to more than 30 banks for systemic KYC lapses, and the ED has attached assets worth over ₹34,855 crore in cyber-crime proceeds (as reported by CNBC TV18 on 5 March 2026). These actions underscore the regulator’s willingness to use both administrative fines and criminal prosecutions to enforce compliance.
Practical Compliance Checklist for Indian Institutions
Minimum Documentation Set Under PMLA and RBI Guidelines
- Board-approved AML/CFT risk-assessment framework (PMLA Sections 4-6) refreshed annually and on material change.
- Internal AML manual covering CDD, EDD, ongoing monitoring, sanctions screening, training, and reporting (RBI Master Direction).
- KYC procedures aligned with Rule 3, including PAN verification, address proof, and biometric authentication where applicable.
- Record-keeping policy meeting Rule 7 requirements - electronic storage for ten years, immutable audit trail.
- Sanctions-screening policy that references the UN Consolidated List, EU Consolidated List, and Indian National Sanctions List, with documented matching logic and false-positive review process.
- SAR/STR filing procedures referencing Rule 9, the e-FIU portal, and the RBI “stand-still” rule (Section 46).
- PEP identification and EDD workflow covering the 12-month post-office period (Section 15 PMLA).
- Designation of a senior AML Officer and deputy, with notification to RBI under Section 7 of the PMLA.
- Staff training programme meeting RBI requirements - at least 12 hours per employee per year, with documented attendance.
- For VDASPs: crypto-risk register, blockchain-analytics tool integration, and source-of-funds documentation for each wallet address (Section 15A PMLA).
- Outsourcing register and oversight framework consistent with RBI’s “Outsourcing Guidelines” (circular 2024) and the Data Protection Act 2019.
Common Pitfalls
Recent enforcement files reveal three recurring weaknesses. First, SAR latency remains a problem: institutions that rely on weekly compliance committee meetings often miss the 48-hour filing window, exposing themselves to fines under Rule 9. Second, fragmented governance - where AML investigations are split across multiple business units or legal entities - leads to inconsistent documentation and is treated as a substantive breach, as seen in the RBI’s penalty against Alpha Finance. Third, over-reliance on commercial screening tools without documented rationale continues to attract regulator scrutiny; the RBI expects evidence of algorithmic parameters, data-quality checks, and periodic vendor validation.
India’s FATF Mutual Evaluation (June 2024) highlighted the need for stronger “beneficial-ownership transparency” and “real-time sanctions screening”. The RBI has signalled that a new “Digital AML Framework” will be released in early 2027, integrating AI-driven transaction monitoring with the FIU-IND’s data lake. Institutions that adopt the 2025 risk-assessment matrix and upgrade their screening infrastructure now will be better positioned for the upcoming regime.
How RegMantle Helps
RegMantle produces jurisdiction-specific AML/CFT documentation for Indian financial institutions, citing the PMLA, RBI Master Direction, and the 2023 amendments directly in the text. Generated outputs include a board-approved AML policy manual, KYC/CDD procedures aligned with Rule 3, a sanctions-screening policy referencing the UN, EU, and Indian lists, SAR/STR filing SOPs keyed to Rule 9 and the e-FIU portal, and a crypto-risk register for VDASPs under Section 15A. Each document is delivered in a branded DOCX format ready for board sign-off and RBI inspection, with live updates to regulatory references as new circulars are issued.