India is reportedly imposing bank-grade compliance on crypto platforms, mandating cybersecurity audits and stricter oversight that signal a dramatic regulatory upgrade across the booming digital asset space.
India Mandates Cybersecurity Audits for Crypto Firms Under FIU’s Directive
WRITTEN BY
SHARE
Crypto Exchanges in India Now Face Bank-Level Compliance Obligations
India has reportedly mandated cybersecurity audits for all cryptocurrency exchanges, custodians, and intermediaries, with the Financial Intelligence Unit (FIU) directing that virtual digital asset (VDA) service providers must hire auditors empanelled with the Indian Computer Emergency Response Team (CERT-In), according to a Sept. 17 report by the Economic Times. Cert-In, under the Ministry of Electronics and Information Technology, oversees the country’s cybersecurity infrastructure. Completion of these audits is now mandatory for FIU registration, effectively placing VDA service providers under the same compliance obligations as banks, as defined by the Prevention of Money Laundering Act, 2002.
Addressing the government’s move, Harshal Bhuta, partner at P. R. Bhuta & Co., was quoted by the news outlet as saying:
The introduction of cyber security audits in all likelihood is triggered by recent crypto thefts in a few exchanges.
“At the same time, strict compliance with the CERT-in directions dated 28th April 2022, such as log maintenance and retention of subscriber data for prescribed period, would aid investigative agencies in tracing funds layered and obscured through cryptocurrency transactions,” he added.
Crypto-related crimes have surged, now representing 20–25% of India’s total cyber offenses, data from local platform Giottus showed. Offenders typically rely on darknet markets, privacy-enhancing coins, mixers, and exchanges with weak oversight to obscure illicit fund flows. In parallel, the FIU has substituted the “Fit & Proper” certificate with the new “Partner Accreditation for Compliance & Trust” certificate, signaling a narrower focus on regulatory compliance.
Although some legal experts consider the measure a step toward enhanced user safeguards, concerns persist over whether auditors accustomed to financial institutions can address crypto-specific vulnerabilities like private key security. Broader industry issues remain unresolved, including high taxation and regulatory uncertainty.
India has adopted a cautious approach to cryptocurrency regulation, avoiding full legal integration over concerns it could legitimize volatile assets and pose systemic risks. Gains from crypto assets are taxed at 30%, with a 1% tax deducted at source (TDS) on transactions. The Income‑Tax Bill 2025 formally defines VDAs and mandates reporting by entities handling them. A government document notes ongoing regulatory hesitation, with officials warning that a ban would not stop decentralized trading and that oversight remains difficult. The document also highlights concerns that U.S. stablecoin legislation could disrupt global payments and undermine India’s payment systems.
