
PMLA: What It Requires and Who It Applies To

Applies to: banks, NBFCs, fintechs
Jurisdictions: IN

The Prevention of Money Laundering Act 2002 (PMLA) is India's primary anti-money laundering statute, administered by the Financial Intelligence Unit India (FIU-IND) under the Ministry of Finance and enforced by the Enforcement Directorate. In force since 1 July 2005, it requires banks, NBFCs, fintechs, and other reporting entities to conduct KYC, file suspicious transaction reports within seven days, and retain records for five years.

What is PMLA?

The Prevention of Money Laundering Act 2002 (PMLA) is India's central anti-money laundering statute, criminalising the conversion or transfer of proceeds from scheduled offences and imposing compliance obligations on banks, NBFCs, fintechs, and other reporting entities. Enacted on 17 January 2003, it came into force on 1 July 2005 after the Ministry of Finance completed the supporting rule-making. The full text is published at fiuindia.gov.in.

India introduced PMLA primarily to address deficiencies identified in FATF's 2003 mutual evaluation. The law has since been amended seven times. The 2013 amendment introduced a formal risk-based approach, aligning PMLA with FATF Recommendation 1 on the risk-based approach. The 2023 Finance Act added virtual digital asset service providers to the list of reporting entities and expanded the definition of "proceeds of crime" to cover tax fraud more explicitly.

Three bodies share PMLA enforcement. FIU-IND receives and analyses suspicious transaction reports, cash transaction reports, and other disclosures. The Enforcement Directorate (ED) investigates PMLA offences, provisionally attaches property, and files prosecution complaints before the PMLA Court. The Reserve Bank of India supervises banks and NBFCs through its KYC Master Direction, while SEBI and IRDAI cover capital market intermediaries and insurers respectively.

PMLA's structure mirrors the three core FATF pillars: customer identification, as defined under FATF Recommendation 10 on customer due diligence; record retention; and transaction reporting. What distinguishes PMLA from some peer frameworks is its predicate offence architecture: the law attaches to a Schedule of 29 predicate offences, ranging from drug trafficking and organised crime to corruption, securities fraud, and human trafficking. A transaction derived from any of these is money laundering under PMLA, regardless of the form the funds take by the time they enter the financial system.


Who does PMLA apply to?

PMLA uses the term "reporting entity" for covered organisations. The categories are defined in the Second Schedule and have expanded with each amendment cycle. Entities incorporated in India, or carrying out covered activities within Indian territory, are in scope. Foreign bank branches and subsidiaries operating in India are fully covered.

Banking and deposit-taking:

  • All scheduled commercial banks (public sector, private sector, foreign branch)
  • Co-operative banks with deposits above INR 50 lakh
  • Regional Rural Banks
  • Payment banks and small finance banks
  • Post Office Savings Bank

Non-banking finance:

  • All NBFCs registered with RBI, including those below the asset threshold for most other RBI regulations
  • Housing Finance Companies registered with the National Housing Bank
  • Microfinance institutions

Capital markets and insurance:

  • Stockbrokers and sub-brokers registered with SEBI
  • Portfolio managers, investment advisers, and mutual fund distributors
  • Life and general insurers registered with IRDAI; insurance brokers and agents above applicable transaction thresholds

Fintechs and payments:

  • RBI-licensed payment system operators: wallet providers, prepaid instrument issuers, online payment aggregators
  • Account aggregators registered with RBI
  • Virtual digital asset service providers (VDA SPs), added by the Finance Act 2023, required to register with FIU-IND before operating

Designated non-financial businesses and professions (DNFBPs):

  • Real estate agents and developers for transactions above INR 50 lakh
  • Dealers in precious metals and stones for transactions above INR 10 lakh
  • Casinos
  • Chartered accountants, company secretaries, and cost accountants when performing specified financial activities for clients

Size thresholds apply for a subset of entities, but the coverage is broad. Any institution handling material Indian rupee flows will almost certainly be a reporting entity under PMLA.


What does PMLA require?

  1. Customer identification and CDD. Before opening an account or executing a transaction above INR 50,000, reporting entities must verify the customer's identity. For legal persons, they must trace control to the natural person who is the ultimate beneficial owner (UBO). The UBO threshold is 10% or more beneficial interest in a company, 15% for trusts, 25% for partnerships. The RBI KYC Master Direction 2016 translates these requirements into specific documents and processes for banks and NBFCs, including Aadhaar e-KYC and video-KYC.

  2. Risk classification. Every customer must be assigned a risk category: low, medium, or high. High-risk customers (PEPs, non-residents, accounts with sanctioned-country links) require enhanced due diligence (EDD) at onboarding and more frequent periodic reviews. Review timescales: annually for high-risk customers, every two years for medium-risk, every five years for low-risk.

  3. Record retention. CDD documents, account files, and transaction records must be retained for five years from the date the business relationship ends, or five years from the date of the individual transaction for one-off dealings. This mirrors the standard under FATF Recommendation 11 on record-keeping.

  4. Suspicious transaction reporting. When a transaction is suspicious, regardless of amount, the reporting entity must file an STR with FIU-IND within seven days of forming suspicion. Suspicion triggers the obligation; certainty is not required. Tipping off the customer is a criminal offence under Section 8A.

  5. Cash transaction reports (CTRs). All cash transactions above INR 10 lakh (individually or in aggregate for a customer in a calendar month) must be reported to FIU-IND by the 15th of the following month.

  6. Counterfeit currency and non-profit organisation reports. Transactions involving counterfeit notes require immediate reporting. Cash receipts or payments above INR 10 lakh involving non-profit organisations are reportable under a separate NTR (Non-profit Organisation Transaction Report) format.

  7. Internal controls. Every reporting entity must appoint a Principal Officer responsible for compliance, develop a board-approved AML/CFT policy, run training for relevant staff on a scheduled basis, and subject the AML programme to an independent audit at least annually. The Principal Officer must be given sufficient seniority and authority to act on suspicion without having to obtain prior approval from business lines.


What evidence do regulators expect?

RBI onsite examinations and FIU-IND reviews follow a consistent checklist. Institutions that treat PMLA compliance as a policy-writing exercise rather than an operational one fail quickly under scrutiny.

Governance:

  • Board-approved AML/CFT policy with a visible last-reviewed date within the preceding 12 months
  • Principal Officer appointment letter and documented escalation authority to senior management
  • Risk appetite statement specifying which customer categories and product types require enhanced controls and at what thresholds

Customer files:

  • Complete KYC records for every active relationship: government-issued photo ID, proof of address, and, for business accounts, incorporation documents tracing control to the UBO
  • CDD review timestamps confirming that accounts were re-assessed on the schedule matching their risk category
  • EDD records for high-risk customers: source-of-wealth documentation, adverse media check outputs, and sign-off from a senior compliance officer

Transaction monitoring:

  • System configuration records: which rules are active, what the thresholds are, and when each rule was last reviewed or updated
  • Alert disposition logs showing who reviewed each alert, what decision was reached, the written rationale, and the date of closure
  • STR filing log: case reference numbers, date suspicion was formed, date the report was filed with FIU-IND, and a copy of each filed report
  • CTR filing records for all eligible cash transactions with submission timestamps

Training:

  • Completion records for all staff in covered roles, with dates, curriculum content, and assessment results
  • New-joiner training records, ideally completed within 30 days of start date
  • Annual refresher documentation

Audit:

  • Most recent internal audit report on the AML programme with management responses
  • Evidence of remediation: findings closed, not just logged

Examiners pay particular attention to the gap between alert generation and STR filing. A 45-day lag where suspicion was formed at the analyst level but the report filed late is a penalty trigger, regardless of the quality of the report itself.


Common failure modes

We've seen the same PMLA citations repeat across examination cycles and enforcement actions. Awareness of the rules isn't the problem. Embedding controls in daily operations is.

  • Late STR filing. The seven-day window starts when suspicion forms, not when the case reaches the compliance team. Investigators reviewing internal chat logs and email trails have traced red flags to front-line analysts who flagged transactions weeks before a report was filed. Late filing is an automatic civil penalty trigger.

  • UBO not traced beyond the first layer. Corporate accounts opened with incomplete shareholding documentation. Nominee directors and holding structures that obscure the real controller are the most common gap. Examiners follow the chain; an incomplete file means the institution cannot demonstrate it did.

  • Re-KYC treated as a document refresh. Accounts past their review date are updated with a new ID copy and no reassessment of risk profile. Examiners want to see evidence of genuine review: updated income information, fresh adverse media checks, and a revised risk category where warranted.

  • Transaction monitoring rules never updated. Rules calibrated at product launch and unchanged for years. As transaction volumes and customer behaviour evolve, static rules generate either alert floods or coverage gaps. RBI's 2023 examination findings explicitly called out rule sets unchanged for more than 18 months.

  • Alert closures without written rationale. Compliance staff dismiss monitoring alerts with no documentation of their reasoning. Examiners treat undocumented alert closure as a programme deficiency, regardless of how the underlying transaction ultimately turned out.

  • PMC Bank (2019) is the most documented case of systematic failure at scale: over INR 4,355 crore in loans to HDIL were concealed through fictitious accounts for years, with no effective CDD or monitoring controls detecting the exposure. RBI placed the bank under regulatory restrictions in September 2019, and the ED subsequently filed PMLA proceedings (Enforcement Directorate press release archive, enforcementdirectorate.gov.in).


Penalties for non-compliance

PMLA penalties operate on two tracks: civil enforcement by FIU-IND and RBI, and criminal prosecution by the Enforcement Directorate.

FIU-IND civil penalties (Section 13 PMLA):

  • INR 10,000 per day for each day of failure to maintain records or file required reports
  • Maximum INR 1 lakh per continuing violation before escalation
  • FIU-IND can direct suspension of operations in serious cases

RBI penalties (under the Banking Regulation Act 1949, applied for KYC/AML failures):

  • Fines up to INR 1 crore per violation, or twice the benefit derived, whichever is higher
  • In October 2023, RBI imposed a penalty of INR 5.49 crore on Paytm Payments Bank for persistent KYC compliance failures, followed in January 2024 by a direction barring the bank from onboarding new customers (RBI enforcement actions, rbi.org.in)
  • In 2021, RBI placed regulatory restrictions on multiple co-operative banks for KYC and AML programme deficiencies

ED criminal prosecution (Section 4 PMLA):

  • Minimum imprisonment: three years; maximum: seven years (up to ten years for scheduled drug offences)
  • Imprisonment is in addition to fines, not an alternative to them
  • All property found to be proceeds of crime is liable to confiscation

Asset attachment (Section 5 PMLA):

  • ED can provisionally attach property equivalent in value to the laundered proceeds before conviction, with a 180-day window for the adjudicating authority to confirm attachment
  • As of March 2024, the ED had provisionally attached approximately INR 1,37,748 crore under PMLA since the law came into force, covering real estate, bank accounts, and business assets across hundreds of cases (Enforcement Directorate Annual Report 2023-24, enforcementdirectorate.gov.in)

The ED's case filings rose from under 100 per year before 2014 to over 1,000 per year by 2023. The trajectory is upward.


Related regulations and frameworks

PMLA is India's domestic implementation of the FATF 40 Recommendations. India joined FATF in 2010 and its June 2024 mutual evaluation rated the country "Largely Compliant" on most technical recommendations, a substantial improvement from the 2010 assessment. The report identified remaining gaps in DNFBP supervision and beneficial ownership transparency, areas likely to drive future amendments (FATF, Mutual Evaluation Report India, June 2024).

RBI KYC Master Direction 2016: The RBI KYC Master Direction is the operative regulation for banks and NBFCs. PMLA sets the legal obligation; the KYC Direction specifies exactly how to meet it: which documents are acceptable for each customer type, how Aadhaar e-KYC and video-KYC work, what risk categories map to which CDD intensity. The two instruments are inseparable in practice.

Prevention of Money Laundering (Maintenance of Records) Rules 2005: These rules specify the reporting formats for STRs, CTRs, CCRs, and NTRs, along with the five-year retention requirement. They are updated by the Ministry of Finance without requiring an amendment to the parent Act.

FEMA (Foreign Exchange Management Act 1999): PMLA and FEMA share jurisdiction over suspicious cross-border transactions. A suspicious inward remittance often generates obligations under both statutes simultaneously. The ED enforces both.

International comparators: PMLA's core obligations, customer due diligence under FATF Rec 10, record-keeping under FATF Rec 11, and suspicious transaction reporting under FATF Rec 20, mirror those in the UK's Money Laundering Regulations 2017 and the EU's Sixth Anti-Money Laundering Directive. The substantive requirements across all three are broadly equivalent; the supervisory architecture, penalty ranges, and predicate offence lists differ by jurisdiction.


How FluxForce supports PMLA compliance

FluxForce's AI agents automate the highest-friction parts of PMLA compliance: continuous transaction monitoring against live risk signals, customer due diligence checks against sanctions lists and adverse media, and suspicious transaction report drafting with full decision audit trails. When an alert fires, the system surfaces relevant transaction history, risk scores, and a plain-language explanation of the basis for suspicion. Compliance teams reach faster, better-documented STR decisions well within the seven-day window. Schedule a demo to see how FluxForce maps to your specific PMLA obligations.
