India Makes Cybersecurity Audits Mandatory for Crypto Exchanges

FIU-IND mandates CERT-In-approved audits to enhance security, tackle money laundering, and align VDA firms with global standards

Government Tightens Cybersecurity Norms for Crypto Sector

Amid rising concerns over cybercrime in the virtual digital asset (VDA) space, the Indian government has made cybersecurity audits mandatory for all cryptocurrency exchanges, custodians, and intermediaries operating in the country.

According to a report by The Economic Times, the directive comes from the Financial Intelligence Unit of India (FIU-IND) and requires firms to conduct audits using professionals empanelled by CERT-In (Indian Computer Emergency Response Team), the national agency for cybersecurity under the Ministry of Electronics and IT.

Key Points of the Mandate

  • Mandatory cybersecurity audits for crypto service providers registered with FIU-IND.
  • Auditors must be approved by CERT-In, India’s official cybersecurity body.
  • Applies to exchanges, custodians, intermediaries, and VDA firms.
  • Aimed at combating money laundering and improving user trust and security.
  • FIU-IND has the authority to deny or cancel registrations for non-compliance.

Why the Move Was Necessary

  • Crypto crimes reportedly account for 20–25% of cybercrime cases in India.
  • Hackers increasingly use darknet markets, privacy coins, and mixers to launder stolen assets.
  • Investigations into VDA-related crimes remain challenging and opaque.
  • The crypto sector is vulnerable to cross-border attacks, necessitating stronger regulatory oversight.

Industry Response: A Step Toward Trust

The crypto industry has broadly welcomed the directive as a trust-building and safety-enhancing measure.

Avinash Shekhar, Co-Founder & CEO, Pi42:

“For an industry built on trust, robust security standards are not optional — they are essential. This move will strengthen user confidence and bring Indian platforms closer to global best practices.”

He acknowledged that the audits would demand resources and time, but emphasized that the benefits far outweigh the costs.

Edul Patel, CEO, Mudrex:

“As India’s digital asset ecosystem grows, safeguarding investors is critical. This is a significant step toward resilience in the crypto economy.”

FIU-IND’s Compliance Framework

FIU-IND enforces compliance under the Prevention of Money Laundering Act (PMLA), 2002.

  • In 2023, crypto and Web3 firms were brought under the PMLA ambit.
  • They now operate under compliance requirements similar to those for banks and financial institutions.
  • There are approximately 55 registered crypto firms in India today.
  • FIU-IND introduced a new Partner Accreditation for Compliance & Trust (PACT) certificate, replacing the earlier “Fit & Proper” certification.

Legal Perspective: Room for Clarity

Purushottam Anand, Advocate and Founder of Crypto Legal, supported the move, calling it:

“A step in the right direction.”

However, he cautioned that more guidance is needed for PACT assessments, especially on operational aspects beyond compliance.

Summary: Why This Matters

The government’s move to mandate CERT-In-approved audits:

  • Strengthens India’s stance against crypto-linked money laundering
  • Brings transparency and regulatory oversight to the booming Web3 sector
  • Encourages self-regulation and accountability among crypto exchanges
  • Builds consumer confidence and aligns with international cybersecurity norms