India’s regulatory response to virtual assets has been deliberate, risk‑averse and heavily shaped by concerns around illicit finance and macro‑financial stability. Rather than constructing a comprehensive licensing and supervisory framework for Virtual Asset Service Providers (VASPs), India has chosen to treat Virtual Digital Asset Service Providers (VDASPs) primarily as anti‑money laundering (AML) gatekeepers under the Prevention of Money Laundering Act (PMLA), supported by a highly restrictive tax regime and a cautious central‑bank stance on private cryptocurrencies.
This approach has produced a robust enforcement‑backed AML architecture and strong tax‑driven visibility of domestic virtual‑asset activity, but it stops short of recognising VDASPs as regulated financial institutions. When contrasted with the emerging “full licensing” frameworks in the European Union’s Markets in Crypto‑Assets Regulation (MiCA), Dubai’s Virtual Assets Regulatory Authority (VARA), Bahrain’s Central Bank (CBB) Crypto‑Assets (CRA) regime, Singapore’s Monetary Authority (MAS) and the United Kingdom’s Financial Conduct Authority (FCA), it becomes clear that India is foregoing not only prudential and conduct safeguards, but also significant economic and strategic opportunities.
Indian VDASP Framework
At the conceptual level, India’s regime sits at the intersection of its domestic taxonomy of Virtual Digital Assets (VDAs) and the global concept of virtual assets as developed by the Financial Action Task Force (FATF). FATF defines virtual assets as digital representations of value that can be digitally traded or transferred and used for payment or investment, and Virtual Asset Service Providers as entities engaging in exchange, transfer, safekeeping, or participation in issuance and related financial services.
India’s Income‑tax Act provisions for VDAs capture a broad class of cryptographic tokens and cryptocurrencies as taxable assets, while policy and supervisory practice treat VDASPs as entities that facilitate buying, selling, custody, transfer and brokerage of those VDAs. Functionally, VDASPs are aligned with FATF’s VASP perimeter, but in law they are registered only as PMLA reporting entities rather than being authorised as licensed financial intermediaries. This distinction sits at the heart of the contrast between “registration‑only/AML‑centric” regimes and “full licensing” frameworks.
The differentiating Factors
As a regulator and supervisor of crypto asset service provider licensees, I had the privilege of deep dives into the crypto ecosystem through onsite inspection. It is a complex ecosystem infested with third party linkages, speed and incentive incompatibilities that require vigilance and scrutiny.
Under an AML‑centric model, the primary public objective is the mitigation of money‑laundering and terrorism‑financing risks. Entities are required to register with an AML authority, implement know‑your‑customer (KYC) and customer due diligence (CDD), comply with the so‑called Travel Rule for transfers, file suspicious transaction reports and deploy risk‑based monitoring systems; the supervisory lens focuses on the quality of AML controls and reporting.
In a full licensing framework, by contrast, AML is only one component of a broader prudential, conduct, governance and operational‑risk regime. Licensing is linked to a defined set of business activities, capital and safeguarding standards, fit‑and‑proper assessments, consumer‑protection rules and technology‑risk requirements, enforced by a financial regulator or a dedicated virtual‑asset authority. FATF’s own expectations, while framed as “licensing or registration,” increasingly assume that VASPs will come under effective supervision that spans not only financial crime but also broader safety and soundness and market‑integrity outcomes.[2][3][4][8][9][1][6]
The differences in the two are so stark that inspection of regulated crypto entities require two distinct lenses, oth that of FATF and the other that of prudential supervision. The Indian regulation embraced the first, but largely misses out the second( yet).
India’s present framework for VDASPs is explicitly anchored in this registration‑only paradigm. Since bringing key VDASP activities under PMLA, India has required such entities to register as reporting entities with the Financial Intelligence Unit (FIU‑India), appoint a Designated Director and Principal Officer, and implement comprehensive AML and counter‑terrorist‑financing (CFT) programs. Registration is centralised via an electronic portal, with entry controls that include scrutiny of ownership, enforcement history, in‑person meetings and live demonstrations of AML systems. FIU‑India exercises risk‑based supervision through off‑site reviews and on‑site inspections, and it has not hesitated to impose significant monetary penalties on non‑compliant platforms, including offshore exchanges serving Indian clients without registration, in some cases accompanied by website blocking orders under the Information Technology Act. In parallel, India has deployed taxation as a powerful regulatory lever: a flat 30 per cent tax on income from VDA transfers, a one per cent tax deducted at source (TDS) on consideration above threshold transactions, and the disallowance of loss offsets against other income create a combination of fiscal recognition and deterrence.[1]
This regime is underpinned by the Reserve Bank of India’s (RBI) consistently sceptical posture toward private cryptocurrencies, which it has criticised on grounds of volatility, consumer harm, and potential threats to monetary sovereignty and capital‑account management. RBI neither licenses VDASPs as financial institutions nor provides them with a bespoke prudential framework; instead, its influence is exerted through its guidance on banking relationships, its caution on direct crypto exposures, and its parallel efforts to develop a central bank digital currency (CBDC) as a safer, public‑sector alternative to private tokens.
The Securities and Exchange Board of India (SEBI), for its part, has only limited reach into this space because VDAs are not treated as securities per se; only those tokenised instruments that closely resemble securities or collective investment schemes fall within its perimeter. The result, as the attached paper aptly characterises, is an “AML‑first, non‑prudential, non‑conduct” framework with “fragmented oversight,” in which FIU‑India, tax authorities, RBI, SEBI and the Ministry of Electronics and Information Technology exercise parallel powers over different aspects of VDAs and VDASPs without a single, holistic market supervisor.[1]
MiCA
The contrast with the European Union’s MiCA regime is particularly instructive. MiCA creates a harmonised authorisation framework for “crypto‑asset service providers” (CASPs), which include custodians, trading‑platform operators, exchange service providers, order‑execution firms, placing agents, advisers and portfolio managers in crypto‑assets. CASPs must obtain authorisation from a national competent authority, satisfy own‑funds requirements calibrated to their activities, and comply with safeguarding and segregation rules that require clear separation of client and firm assets and set liability standards for loss. They are also subject to conduct‑of‑business rules that mandate acting honestly, fairly and professionally in the best interests of clients, with obligations on conflicts of interest, disclosure, best execution and complaint handling. On the primary‑market side, issuers and offerors of many categories of crypto‑assets must publish white papers with prescribed content, and they bear liability for misleading or incomplete information. MiCA is designed to interact with the Digital Operational Resilience Act (DORA), bringing CASPs into an EU‑wide regime of information and communications technology (ICT) risk management, incident reporting, resilience testing and oversight of critical third‑party providers. Most significantly, authorisation in one Member State allows CASPs to offer services across the EU via passporting, turning the licence itself into a cross‑border franchise asset.[9][10][11][12][2]
VARA
Dubai’s VARA offers another model of full‑scope VASP licensing. Established by law in 2022, VARA functions as a dedicated virtual‑assets regulator with a remit over a wide range of activities, including advisory, broker‑dealer services, custody, exchanges, lending and investment management in virtual assets. Firms must obtain VARA licences that are specific to these activities, meet minimum capital and, in some cases, insurance requirements, adhere to strict custody and safekeeping rules, and maintain local substance. VARA also exercises a pronounced market‑conduct mandate, issuing detailed marketing and promotions rules, requiring risk disclosures, and reserving the right to restrict or prohibit high‑risk products for retail investors. Trading venues must maintain clear listing and delisting policies, undertake due diligence on tokens, monitor for market abuse and manage conflicts of interest between proprietary and client trading. On the operational‑risk side, VARA embeds cyber‑security, business continuity, incident‑reporting, and outsourcing controls directly into licence conditions, with particular attention to wallet, cloud and core trading‑engine providers.[3][13][14][15]
CRA
Bahrain’s Central Bank (CBB) offers a closely related but distinct example of a full VASP‑style regime in the region, built around the Crypto‑Assets (CRA) Module in Volume 6 of its Capital Markets Rulebook and related modules for crypto‑asset platform operators. The CRA Module provides that no person may, by way of business, undertake regulated crypto‑asset services within or from the Kingdom without obtaining a licence from the CBB, and it defines a suite of “crypto‑asset services” that closely mirrors both FATF’s VASP categories and MiCA’s CASP activities. These services include dealing and trading in accepted crypto‑assets as principal or agent, operating a crypto‑asset exchange platform, providing custody, and offering advisory and portfolio‑management services in crypto‑assets, all under a single supervisory roof. Like VARA and MiCA, the CBB’s framework is explicitly prudential and conduct‑oriented, not merely AML‑centric. Licensees must meet minimum capital requirements and financial‑resource tests, maintain risk‑management frameworks that are commensurate with the scale and complexity of their business, and comply with detailed standards of business conduct and conflict‑of‑interest management. The rules require robust measures to safeguard client assets, including segregation arrangements and clear obligations on custody, along with technology standards emphasising cyber‑security, systems integrity and resilience, and specific reporting and notification duties to the supervisor. Amendments to the CRA Module in 2023 also introduced a structured regime for digital‑token offerings where tokens qualify as securities, including a white‑paper template that prescribes content requirements and strengthens disclosure and investor‑protection expectations in the primary market.[4][5][16][17][18][19][20]
The CBB also pre‑approves “accepted crypto‑assets” against criteria that include security, traceability, governance, market depth and exposure to illicit activity, and it imposes market‑abuse and manipulation‑prevention rules that go well beyond pure AML. The mentioned jurisdictions demonstrates that it is possible to remain strongly aligned with FATF and to maintain a conservative risk posture while still granting full financial‑sector recognition to VASPs as licensed intermediaries—complete with explicit consumer‑protection, operational‑resilience and primary‑offering standards—rather than treating them only as reporting entities under an AML law.[5][17][21][4][1]
Likewise, Singapore’s MAS regime, built primarily under the Payment Services Act and associated guidance, similarly illustrates how virtual‑asset activities can be integrated into a broader prudential and conduct framework. Providers of Digital Payment Token (DPT) services require MAS licences as Standard Payment Institutions or Major Payment Institutions, are subject to base capital and safeguarding requirements, and must keep customer money segregated and protected, often through trust‑account structures or equivalent arrangements. MAS has proposed and implemented restrictions on retail access to high‑leverage crypto products, on lending of retail clients’ crypto‑assets, and on overly promotional marketing, especially through mass‑market channels. DPT licensees are expected to adhere to MAS’s technology‑risk management and business‑continuity guidelines, which set detailed expectations for governance of ICT, cyber‑security, outsourcing and resilience testing.
What Indian regime misses
If one juxtaposes these full licensing regimes with India’s FIU‑India‑centred framework across key dimensions such as authorisation, capital and safeguarding, consumer protection and market integrity, operational resilience, governance and scope of activities, the gaps become clear. In India, VDASPs obtain registration as PMLA reporting entities but not as licensed financial firms; there are no VDA‑specific minimum capital, own‑funds or client‑asset‑segregation rules, and no mandatory recovery and wind‑down planning.
Operational resilience is another point of divergence: while EU CASPs will be covered by DORA, and VARA, CBB and MAS already require cyber, ICT and business‑continuity frameworks as conditions of licensing, Indian VDASPs operate without virtual‑asset‑specific regulations on cyber‑security, cloud and outsourcing risk, incident reporting or resilience testing.[10][11][14][15][16][2][3][4][5][9][1]
Capability Gaps
These regulatory differences translate into concrete capability gaps. On prudential strength and failure management, India’s AML‑only regime permits the existence of AML‑compliant but financially weak or operationally fragile VDASPs. Without capital buffers, segregation of client assets and pre‑planned orderly‑wind‑down mechanisms, an exchange or custodian failure can quickly become a disorderly collapse, reminiscent of high‑profile global failures that prompted MiCA’s, VARA’s and CBB’s prudential requirements. From a consumer and investor‑protection standpoint, India’s framework generates what may be termed “high‑tax, low‑rights” conditions: retail users are subject to punitive taxation and comprehensive AML surveillance, but they have limited recourse if they suffer mis‑selling, unfair trading practices or losses from poorly governed platforms. Market‑integrity risks are similarly under‑addressed; the absence of explicit rules and tools for detecting and sanctioning manipulation, wash trading, insider dealing or abusive listing practices undermines price discovery and deters institutional liquidity that relies on fair‑trading assurances.[11][2][4][5][10][1]
Business Model Sustainability
Regulatory‑perimeter clarity and business‑model certainty are also compromised by India’s decision not to articulate a formal taxonomy of virtual‑asset activities and corresponding licences. While FIU‑India’s AML perimeter captures exchanges, custodians and some brokers for reporting purposes, there is no legal categorisation of virtual‑asset custodians, trading venues, investment managers, staking providers, stablecoin issuers or tokenisation platforms, nor explicit treatment of decentralised‑finance front‑ends and financialised non‑fungible tokens. In MiCA, those activities correspond to distinct CASP categories tied to specific requirements, VARA’s regulations map well‑defined activities to licence types, and the CBB’s CRA Module defines “crypto‑asset services” in granular terms with corresponding authorisation tests. The lack of such a taxonomy leaves compliant Indian firms facing uncertainty over which business models are permissible and how they will be supervised, while also making it harder for regulators to risk‑weight activities and to design proportionate rules.[2][3][4][5][10][1]
Third Party Risks
Governance, outsourcing and third‑party risk is perhaps the most under‑recognised blind spot in India’s current approach. The PMLA‑based framework requires VDASPs to appoint AML‑specific roles, but it does not impose board‑level governance standards, independent directors, risk and audit committees, or technology‑governance structures targeted at crypto‑specific risks. At the same time, many VDASPs rely heavily on third‑party providers for wallet infrastructure, custody, cloud hosting, blockchain analytics, KYC utilities and fraud‑monitoring engines, often via cross‑border arrangements that are opaque to Indian supervisors. Without explicit expectations or approval requirements for such outsourcing, and without contractual provisions on service‑level agreements, audit rights, concentration monitoring and exit strategies, this dependence creates single points of failure.
A cyber‑incident or outage at a key vendor can disable fraud monitoring or custody functions across multiple platforms simultaneously, yet FIU‑India’s current supervision focuses primarily on whether tools exist rather than whether they are governed, calibrated and resilient. This stands in marked contrast to VARA, the CBB and MAS, which embed outsourcing and third‑party‑risk controls into their licensing frameworks, and to the EU’s move toward direct oversight of critical ICT providers.[14][16][3][4][9][10][1]
Token Issuance Framework
The absence of explicit token‑issuance and primary‑market regulation also has material consequences. In India, there is no dedicated regime governing the issuance of tokens, whether through initial centralised offerings, exchange listings or other public sales, aside from the application of general fraud, consumer‑protection and securities laws where tokens fall within existing definitions. This means there are no standardised requirements for white papers, no mandated disclosures on token economics, governance, conflicts of interest or risk factors, and no clear liability framework for misleading statements at the point of sale.
By contrast, MiCA sets out detailed white‑paper content requirements and makes issuers and offerors liable for inaccuracies,
Much of the risk in virtual‑asset markets emerges at this primary‑market stage; without targeted regulation, retail investors remain exposed to aggressive marketing and information asymmetries that cannot be rectified by transaction‑level AML monitoring alone.[12][18][19][20][3][2][1]
Sum up
These structural gaps manifest in at least six categories of missed economic and strategic outcomes.
First, India’s framework limits market depth and institutional participation. Domestic banks, mutual funds, insurers and pension funds generally prefer to deal with counterparties that are licensed, prudentially supervised, and subject to explicit client‑asset protections and conduct rules. In the absence of such a licensing layer, most Indian institutions remain at the sidelines of VDA markets, restricting the development of derivatives, tokenised funds, structured products and other instruments that can deepen liquidity and help integrate virtual assets into mainstream finance within a controlled environment.
Second, India is foregoing the opportunity to host high‑quality, globally scalable VASP franchises. MiCA’s passporting, VARA’s branding as a specialist virtual‑asset hub and CBB’s crypto‑assets licences have turned their authorisations into internationally recognised credentials that facilitate cross‑border partnerships and market entry. Indian founders building institution‑grade platforms increasingly find it rational to incorporate in the UAE, EU, Bahrain or Singapore, locating governance, risk management and IP offshore while limiting India to back‑office and development functions.[15][17][3][4][5][9][11][2][1]
Third, India’s approach has implications for innovation, Web3 development and talent migration. Web3 start‑ups and developers seek regulatory clarity and predictable supervisory treatment for activities such as token‑based gaming, decentralised‑finance interfaces and tokenisation of real‑world assets. Jurisdictions that combine strict but transparent rules with sandboxes and proportional licensing paths, such as Singapore, Dubai and Bahrain, become magnets for such activity. India’s combination of heavy tax, AML‑only supervision and uncertain token classification pushes some of the most ambitious projects to experiment and scale elsewhere, even when their teams or user bases are Indian.
Fourth, at a geopolitical level, India risks limiting its influence in the setting of global standards. As regimes such as MiCA, VARA, the CBB’s CRA framework and MAS’s DPT rules crystallise, they increasingly serve as templates for emerging guidance at the Financial Stability Board, IOSCO and even FATF, particularly on prudential and conduct matters. By confining its domestic response to AML and taxation, India reinforces its image as a defensive, risk‑containment jurisdiction rather than as an agenda‑setter on the architecture of tokenised finance.[17][3][4][5][6][9][10][15][1]
Fifth, there are direct consumer‑welfare and financial‑inclusion costs. The paradox of India’s regime is that residents face heavy tax and AML obligations when using domestic, visible platforms, but receive relatively limited sector‑specific protections in return; those unwilling to tolerate this mismatch may gravitate toward offshore platforms accessed via virtual private networks, peer‑to‑peer arrangements and informal channels that offer even less protection and undermine the very AML objectives the regime was designed to serve. At the same time, the lack of regulated low‑risk products—such as tokenised government securities, regulated stablecoins for remittances, or properly safeguarded tokenised deposits—constrains the use of virtual‑asset technology to support legitimate financial‑inclusion and payment‑efficiency goals, especially when compared to jurisdictions experimenting with regulated stablecoins and tokenised bank liabilities under tight supervision.
Finally, the combination of unregulated third‑party dependence and absent resilience standards threatens to convert idiosyncratic failures into systemic trust shocks. An outage or breach at a major wallet or cloud provider serving several Indian VDASPs could disrupt services for a large number of users; in a context where retail customers often do not clearly differentiate between crypto platforms and other fintech providers, such events may undermine confidence in the broader digital‑finance ecosystem.
The Road Ahead
Against this backdrop, two broad policy trajectories present themselves. A “status quo‑plus” path would retain FIU‑India’s central role and the AML‑first orientation, but deepen supervisory intensity and refine peripheral elements. FIU‑India could expand its risk‑based inspections, thematic reviews and industry guidance on topics such as the Travel Rule, exposure to DeFi and third‑party risk, and the tax authorities could adjust TDS thresholds to relieve liquidity pressures without significantly weakening transaction‑level visibility. Some soft‑law references to good practice in segregation, cyber‑security and outsourcing could be introduced through circulars, but without creating a separate licensing framework. This approach would be administratively straightforward and consistent with RBI’s conservative stance, but it would leave untouched the core prudential and conduct deficits that limit institutional participation and push high‑quality business offshore.
Alternatively, India could pursue a phased migration to full VASP licensing while preserving its risk‑averse instincts. One design option would be to designate SEBI as the lead regulator for virtual‑asset markets, empowered to license and supervise VASPs on prudential, conduct and operational‑risk dimensions, with FIU‑India continuing to oversee AML/CFT and entering into co‑ordination arrangements for joint inspections and information sharing. Another would be to create a dedicated virtual‑assets authority, through central legislation, endowed with a mandate that cuts across prudential, conduct and technology issues
The EU’s crypto regulation MiCA is now fully applicable https://www.walkersglobal.com/Insights/2025/01/The-EUs-crypto-regulation-MiCA-is-now-fully-applicable
[3] Regulation of virtual assets in Dubai https://www.trowers.com/insights/2024/june/regulation-of-virtual-assets-in-dubai
[4] Crypto-asset Module https://www.cbb.gov.bh/wp-content/uploads/2022/08/Vol-6-CRA.pdf
[5] An overview of the regulation of virtual assets in Bahrain https://charltonsquantum.com/wp-content/uploads/docs/bahrain-crypto-guide.pdf
[6] Updated Guidance for a risk-based approach to virtual … https://www.fsb.org/2021/10/updated-guidance-for-a-risk-based-approach-to-virtual-assets-and-virtual-asset-service-providers/
[7] FATF’s updated guidance to Virtual Assets and … https://www.harneys.com/our-blogs/regulatory/fatf-s-updated-guidance-to-virtual-assets-and-virtual-asset-service-providers/
[8] 12 Outcomes from FATF’s Oct 2021 Updated Guidance for Virtual Assets and VASPs | Notabene https://notabene.id/post/12-outcomes-from-fatfs-oct-2021-updated-guidance-for-virtual-assets-and-vasps
[9] Crypto-Asset Service Providers (CASPs): New Rules and … https://complywiser.com/blog/post/crypto-asset-service-providers-casps-new-rules-and-responsibilities-under-mica
[10] The European regulation Markets in Crypto-Assets (MiCA) – AMF https://www.amf-france.org/en/news-publications/depth/mica
[11] MiCA Regulation’s Impact on the EU Cryptocurrency Landscape | SDX https://www.sdx.com/blog/mica-regulations-impact-on-the-eu-cryptocurrency-landscape/
[12] [PDF] MiCA Legal Framework – How To Comply With the EU’s Crypto … https://www.squirepattonboggs.com/media/yvspymyt/mica-legal-framework-how-to-comply-with-the-eus-crypto-asset-rules.pdf
[13] Virtual Assets Regulatory Authority (VARA) – VARA https://www.vara.ae/en/
[14] April 2024: VARA Licencing Process for New Firms https://www.addleshawgoddard.com/en/insights/insights-briefings/2024/commercial-services/dubais-virtual-assets-regulatory-authority-2024-licence-application-process/
[15] VARA: Dubai’s Virtual Asset Regulations & Benefits https://blog.cryptoworth.com/virtual-assets-regulatory-authority-dubai/
[16] Crypto-asset Platform Operators Module CPO https://www.cbb.gov.bh/wp-content/uploads/2018/12/Crypto-Currency-Regulation-Version-7.pdf
[17] Bahrain Virtual Assets Regulations https://charltonsquantum.com/bahrain-virtual-assets-regulation/
[18] The Central Bank of Bahrain introduces a new regulatory … https://www.tamimi.com/news/the-central-bank-of-bahrain-introduces-a-new-regulatory-framework-for-digital-tokens-in-bahrain/
[19] The Central Bank of Bahrain Launches New Regulatory … https://zubipartners.com/2023/06/08/the-central-bank-of-bahrain-launches-new-regulatory-framework-for-digital-tokens/
[20] The Central Bank of Bahrain Launches New Regulatory Framework for Digital Tokens – ZU’BI & PARTNERS https://www.zubipartners.com/2023/06/08/the-central-bank-of-bahrain-launches-new-regulatory-framework-for-digital-tokens/
[21] Central Bank of Bahrain Issues Regulations governing … https://www.tamimi.com/law-update-articles/central-bank-of-bahrain-issues-regulations-governing-crypto-asset-services/
[22] Financial Action Task Force on Virtual Assets Providers (VA Updated RBA) | Compliance Alert https://compliancealert.org/view-blog/53/
[23] Crypto-Assets Module https://www.cbb.gov.bh/wp-content/uploads/2024/01/Vol-6_CRA_2024.pdf
[24] PDF Virtual assets and related providers | Updated FATF guidance – KPMG https://kpmg.com/kpmg-us/content/dam/kpmg/pdf/2021/virtual-assets-related-providers.pdf
[25] FATF’s updated virtual asset guidance: what you need to … https://www.reedsmith.com/en/perspectives/2021/11/fatfs-updated-virtual-asset-guidance-what-you-need-to-know
[26] Bahrain Amendments to the Crypto-assets rules https://www.trowers.com/insights/2023/may/bahrain-amendments-to-the-crypto-assets-rules
Leave a Reply