India Financial Crime & AML Compliance: Regulators, Laws, and What Foreign Banks Need to Know
India's financial crime framework centers on the Reserve Bank of India (RBI) and the Prevention of Money Laundering Act 2002 (PMLA). Covered entities, including banks, NBFCs, and fintechs, must file suspicious transaction reports with FIU-IND, maintain KYC records for five years, and run ongoing transaction monitoring. PMLA penalties include imprisonment up to seven years and unlimited asset attachment.
Who regulates financial crime in India?
The Reserve Bank of India (RBI) is the primary regulator for AML and financial crime compliance. It issues the Master Direction on Know Your Customer (KYC), sets standards for all scheduled commercial banks, cooperative banks, and non-banking financial companies (NBFCs), and has authority to impose monetary penalties, issue directions, or place institutions under prompt corrective action. The RBI publishes enforcement orders on its website, often within days of imposition.
The Financial Intelligence Unit India (FIU-IND), under the Ministry of Finance, is the country's central body for receiving, processing, and disseminating financial intelligence. Banks and all other reporting entities file suspicious transaction reports (STRs) and cash transaction reports (CTRs) with FIU-IND. The unit shares intelligence with law enforcement bodies, including the Enforcement Directorate (ED), which investigates and prosecutes PMLA offenses and holds civil asset attachment powers.
SEBI regulates AML obligations for brokers, portfolio managers, and capital markets intermediaries. Its master circulars on AML/CFT align the securities sector with PMLA requirements and FATF standards. Brokers and fund managers have parallel KYC and STR filing obligations that run alongside RBI-supervised entities.
IRDAI covers insurance entities. Insurers and intermediaries must maintain KYC records and report suspicious transactions to FIU-IND. Insurance is a recognized entry point for placement-stage laundering, and supervisory expectations have tightened in recent years.
MeitY administers digital infrastructure and the Digital Personal Data Protection Act 2023. Its role in financial crime compliance grows as banking services shift to digital channels and the DPDP Act imposes consent and data-handling constraints on KYC processes.
The Enforcement Directorate operates separately from prudential regulators. It can attach assets provisionally under PMLA, file prosecution complaints before special courts, and pursue extradition in cross-border cases. Its actions are often the most visible face of AML enforcement that markets and clients see.
What are the key AML and fraud laws in India?
The Prevention of Money Laundering Act 2002 (PMLA) is the foundation of India's AML framework. It defines money laundering as a criminal offense, establishes the list of "scheduled offences" whose proceeds trigger laundering liability, and creates obligations for "reporting entities," including banks, financial institutions, intermediaries, and designated non-financial businesses. The Act was amended significantly in 2012, 2019, and 2023. The 2023 amendment extended the reporting entity definition to cover virtual asset service providers and certain professionals. Penalties include rigorous imprisonment of three to seven years, extendable to ten years for drug-related predicate offenses, plus attachment and confiscation of all proceeds with no upper limit.
The RBI Master Direction on Know Your Customer (KYC), first issued in 2016 and updated regularly, is the operational rulebook for banks and NBFCs. It mandates risk categorization of all customers, identity verification through Aadhaar or documentary evidence, ongoing Customer Due Diligence (CDD) for the life of the relationship, and controls aligned with FATF Recommendation 10. The Master Direction is a living document. Banks cannot treat an earlier read of it as current; the RBI amends it by circular without always issuing a consolidated replacement.
The Foreign Exchange Management Act 1999 (FEMA) governs cross-border flows and gives the RBI authority over foreign exchange transactions. FEMA violations are frequently linked to money laundering investigations, particularly in trade-based laundering cases involving over-invoicing or round-tripping.
The Benami Transactions (Prohibition) Amendment Act 2016 targets property held in fictitious names. The ED uses it alongside PMLA for property attachment in complex laundering schemes involving real estate.
The Digital Personal Data Protection Act 2023 (DPDP Act), administered by MeitY, imposes consent and data-minimization requirements that directly affect how reporting entities collect and process customer data during KYC. Banks must balance their statutory AML collection obligations against DPDP constraints. Regulators have not yet fully resolved the tension, and compliance teams should expect further guidance.
India's STR (Suspicious Transaction Report) regime requires filing within seven working days of suspicion forming, with no minimum transaction threshold. CTRs cover cash transactions above INR 10 lakh (approximately USD 12,000). Record-keeping obligations, aligned with FATF Recommendation 11, require five years' retention after account closure or transaction date.
What controls do India regulators expect?
The RBI Master Direction lays out an explicit control framework that goes beyond a checklist.
Know Your Customer (KYC) is mandatory at account opening and at periodic intervals. Customers are classified as low, medium, or high risk, with review cycles of ten, eight, and two years respectively. High-risk categories include politically exposed persons, non-resident customers, and customers from jurisdictions with strategic AML deficiencies. The risk classification must be documented, applied consistently, and defensible during RBI inspections.
Transaction Monitoring is required for all customers, with alerts calibrated against expected transaction patterns. The RBI expects banks to deploy rule-based and behavioral monitoring, and supervisory examinations increasingly test whether alert scenarios actually reflect the bank's customer mix. A generic global scenario library applied without local calibration is a finding waiting to happen.
Sanctions Screening runs against UN consolidated lists and domestic lists maintained by the Ministry of Finance. Banks must screen at onboarding and on an ongoing basis. SEBI-regulated entities also screen against OFAC and EU lists given the cross-border nature of capital markets. Screening must be integrated with PEP Screening, since FATF Recommendation 12 requirements apply with full force. Senior management approval is required before opening a PEP account, and Enhanced Due Diligence must continue throughout the relationship.
Correspondent banking controls, per FATF Recommendation 13, require due diligence on foreign correspondent institutions before establishing relationships. Shell bank relationships are prohibited.
STR filing procedures must be documented, tested, and free of tipping-off violations. The RBI examines STR quality during inspections, not just volume. Thin or template-generated STRs are a common finding. Record retention under the Master Direction requires five years from account closure or the transaction date.
What is unique about compliance in India?
Several features of India's compliance environment catch foreign banks off guard.
Aadhaar and Video KYC
The RBI Master Direction permits Aadhaar-based e-KYC for resident Indians through UIDAI's biometric API. It also permits a Video Customer Identification Process (V-CIP), where a bank officer conducts a live video session to verify documents and capture consent. Non-residents and certain high-risk customers can't use V-CIP; they require full in-person or paper-based KYC. Getting the customer segmentation right matters because regulators will check it. Firms that apply V-CIP broadly without assessing eligibility face findings on KYC quality.
Payment data localization
The RBI's 2018 circular requires all payment system data related to Indian customers to be stored on servers within India. This applies to payment aggregators, card networks, and digital wallets. It's separate from the DPDP Act 2023, which has broader personal data scope but allows cross-border transfers under a government-approved whitelist. Foreign banks operating digital payment channels must either build local infrastructure or contract with RBI-approved data centers. This adds cost and complexity that isn't always factored into market-entry planning.
Virtual digital assets
Since the Finance Act 2022 defined "virtual digital assets" (VDAs) as taxable assets, PMLA's reach has extended to VDA service providers. FIU-IND registration is now mandatory for crypto exchanges and VASPs operating in India, and FATF Recommendation 15 compliance is expected. Several major exchanges registered in 2023. FIU-IND has moved against non-registered exchanges, including blocking access for offshore platforms that accepted Indian customers without registration. It's no longer a grey area.
Beneficial ownership gaps
The Companies Act 2013 requires disclosure of significant beneficial owners (SBOs) with more than 10% economic interest in certain company types. Trust and partnership structures don't always map cleanly to the registry, and data quality is uneven. Banks performing Ultimate Beneficial Owner (UBO) identification on Indian corporate customers typically need to go beyond registry records to verify control through other means.
FATF mutual evaluation 2024
India's fourth-round FATF mutual evaluation report, published in September 2024, found strong technical compliance across most FATF recommendations but flagged gaps in supervision of designated non-financial businesses and professions (DNFBPs) and VASP oversight. India was placed in regular follow-up, the most positive category. But the DNFBP and VASP gaps are areas the RBI and FIU-IND will actively close, and regulated entities should expect the supervisory perimeter to widen.
Recent enforcement actions in India
RBI enforcement is public and specific. The central bank publishes penalty orders on its website within days of imposition, so the enforcement record is searchable and current.
In January 2024, the RBI directed Paytm Payments Bank Limited to stop accepting fresh deposits, credit transactions, or top-ups in customer accounts after February 29, 2024. The central bank cited "persistent non-compliances and continued material supervisory concerns," with publicly reported issues including KYC deficiencies and failures to properly identify the UBO structure of related entities. The action triggered significant customer migration, licence scrutiny, and reputational damage. It's the clearest recent demonstration that the RBI will act decisively when it finds supervisory concerns aren't being addressed.
The Enforcement Directorate's prosecution of the ABG Shipyard fraud illustrates how PMLA's civil attachment mechanism works in practice. The ED attached assets worth over INR 22,800 crore in what is described as India's largest bank fraud, involving 28 lender banks and proceeds estimated at more than USD 2.8 billion. PMLA's attachment powers operate in parallel to criminal prosecution, and the ED doesn't need a conviction before it can freeze assets.
For foreign banks, the Standard Chartered 2019 sanctions action is a relevant reference point. Standard Chartered has significant operations in India, and its group-level settlement for sanctions violations across multiple jurisdictions illustrates how a compliance failure in one corridor affects the entire franchise. RBI inspections of foreign bank branches examine group-level compliance posture as well as local controls.
RBI inspection cycles run every two to three years for foreign bank branches. Institutions that receive inspection reports with adverse AML/KYC findings are given timelines to remediate. Failure to remediate moves the matter to formal penalty proceedings. Most large banks have received at least one KYC-related penalty notice from the RBI in the past five years.
What foreign banks operating in India need to know
Foreign banks enter India either as branch operations or under the wholly owned subsidiary (WOS) model introduced in 2013. The WOS route provides near-national treatment but requires initial paid-up capital of INR 5 billion (approximately USD 60 million). Branch operations face tighter restrictions on deposit products and branch expansion. The choice of structure has direct implications for compliance architecture.
Each bank must designate a Principal Officer responsible for AML/KYC compliance and for filing STRs and CTRs with FIU-IND. The role carries personal accountability. The Principal Officer signs STR submissions and is named in RBI inspection correspondence. A group compliance function in London or Singapore doesn't satisfy this. India-specific designation and documented authority are both mandatory.
RBI inspections cover both prudential and AML matters in the same cycle. Inspection teams will review the completeness of STR filings, sample customer files to check KYC quality, and test whether risk categorization is applied consistently. Foreign banks with global KYC platforms often find that India-specific requirements (Aadhaar integration, V-CIP eligibility rules, local Politically Exposed Person (PEP) scope, UBO registry checks) aren't covered by their standard global templates. Localisation work is rarely optional.
Outsourcing KYC functions to third-party providers is permitted under RBI guidelines, but the bank retains full liability. Any arrangement must be documented, and the service provider is subject to indirect RBI oversight through the bank's vendor management framework.
STR filing windows are tight. The PMLA requires submission within seven working days of the suspicion forming. There's no safe harbor for late filings. FIU-IND tracks filing timeliness, and patterns of late or thin filings show up as deficiencies in regulatory reporting cycles.
The DPDP Act 2023 adds a personal data dimension to every KYC process. Data collected on Indian residents is subject to consent requirements and processing limitations. Banks moving KYC data offshore for group analytics or centralized screening must have contractual and technical safeguards that satisfy both DPDP requirements and the RBI's data localisation rules for payment data. Getting both right simultaneously requires a coordinated approach from technology, legal, and compliance teams.
How FluxForce supports India compliance
FluxForce's real-time transaction monitoring maps directly to RBI's expectation of behavioral alerting calibrated to each customer's risk profile. Automated STR drafting reduces the time from alert to submission, helping banks meet India's seven-working-day filing window consistently. Integrated sanctions screening and PEP screening run continuously against UN, domestic, and international watchlists. Every decision carries a full evidence trail, built for RBI inspection review and ED proceedings. For compliance teams scaling operations in India or entering the market, request a demo to see how the platform fits your specific obligations.
FluxForce AI agents monitor transactions against India's AML obligations in real time, screen against sanctions and PEP lists, and generate audit-ready reports for RBI examinations.