
AML Compliance Checklist: Everything a Reporting Entity Needs to Get Right


The 2023 amendments to the PMLA rules expanded the definition of reporting entities and tightened customer due diligence requirements. Virtual digital asset service providers were brought under the PMLA umbrella in March 2023, making crypto exchanges subject to the same obligations as banks. In June 2024, a major crypto exchange was fined ₹18.82 crore by FIU-IND for AML deficiencies. A payments bank received two separate fines for compliance failures, including beneficial ownership identification and suspicious transaction monitoring, and was subsequently ordered to wind down its banking operations. The FATF’s 2024 Mutual Evaluation of India, while recognising significant progress, explicitly called for improvement in STR quality, beneficial ownership transparency, and the supervision of designated non-financial businesses and professions. 

The message from regulators is consistent and increasingly unambiguous: checkbox compliance is no longer sufficient. The question for every reporting entity operating in India is whether its AML programme is genuinely functional, or whether it is a documentation exercise waiting for an enforcement event to expose its gaps. 

This checklist is designed to help compliance heads, principal officers, and senior management answer that question honestly. 

Key Takeaways 

  • PMLA applies to a wider range of entities than many compliance teams realise: banks, NBFCs, payment aggregators, fintech platforms, crypto exchanges, insurance companies, real estate agents, and certain professional advisors are all covered. 
  • The four pillars of a PMLA-compliant AML programme are customer acceptance policy, risk management, customer identification policy, and transaction monitoring. All four must be documented, board-approved, and operationally implemented. 
  • The beneficial ownership threshold is 10%: any natural person holding more than 10% of the ownership of, or entitlement to, a customer entity must be identified, verified, and recorded. 
  • STR filing is mandatory within 7 working days of forming suspicion, regardless of the transaction amount, and tipping off the customer is a separate legal violation. 
  • Record retention is 5 years minimum, from the date of the transaction or the end of the client relationship, whichever is later. 
  • An AML programme that exists on paper but is not operationally enforced is a liability. Regulators now look for demonstrable, live, auditable controls, not policy documents. 
  • Technology is not optional at scale. Manual monitoring cannot cover the transaction volumes that modern reporting entities process; automated transaction monitoring with human oversight is the operational standard. 

The AML Compliance Checklist: Eight Areas


Area 1: Governance and Organisational Structure 

The foundation of an effective AML programme is governance: clearly defined roles, board-level accountability, and documented responsibility for compliance outcomes. 

Board-approved AML/KYC policy 

The AML programme must be documented in a board-approved policy covering all four key elements: customer acceptance policy, risk management, customer identification policy, and transaction monitoring. This is not a one-time document; it must be reviewed and updated regularly to reflect regulatory changes and emerging typologies. 

Designated Director appointed and notified to FIU-IND 

Every reporting entity must appoint a Designated Director, a senior management individual responsible for overall AML/CFT programme compliance. Their details must be communicated to FIU-IND. 

Principal Officer appointed and notified 

A Principal Officer, responsible for the operational implementation of the AML programme, including filing STRs and CTRs with FIU-IND, must be appointed and their details communicated to FIU-IND within 7 days of appointment. 

Clear escalation pathways 

Internal processes must define how suspicious activity is identified, escalated, reviewed, and either closed or filed as an STR, with documented decision trails at each stage. 

AML responsibilities embedded in relevant roles 

Compliance, operations, risk management, and frontline relationship management staff should have AML responsibilities explicitly embedded in their role descriptions and performance frameworks. 

Area 2: Customer Acceptance Policy 

Defined customer acceptance criteria 

The organisation must have documented criteria for the categories of customers it will and will not accept, including explicit criteria for declining or exiting relationships with customers who present unacceptable risk profiles. 

Risk-based customer categorisation 

All customers must be categorised by risk level (low, medium, or high) based on criteria including customer type, business activity, geographic risk, transaction patterns, and PEP or adverse media status. The level of due diligence required at onboarding, and the ongoing monitoring applied subsequently, must be proportionate to the risk category. 

Enhanced Due Diligence (EDD) triggers defined 

Specific criteria must be documented for when EDD is required: Politically Exposed Persons (PEPs), customers from high-risk jurisdictions, complex corporate structures, high-value transaction customers, and any customer whose risk assessment warrants enhanced scrutiny. 

Anonymous and shell account prohibitions documented 

Policies must explicitly prohibit opening accounts in fictitious or anonymous names, and must include controls to identify and close any existing accounts of this type. 

Area 3: Customer Identification and KYC 

CDD conducted at onboarding for all customers 

Customer Due Diligence (verification of identity, address, and the nature and purpose of the business relationship) must be completed before establishing any customer relationship. For individuals this means an officially valid document for identity and address (Aadhaar is the most common, including its offline and e-KYC modes) together with PAN, or Form 60 where the customer has no PAN. 

Beneficial ownership identified for all corporate customers 

For companies, trusts, partnerships, and other legal entities, the ultimate beneficial owners (the natural persons who ultimately own or control the entity, holding more than 10% of its ownership or entitlement; the 2023 rule amendments lowered the earlier 25% company and 15% partnership thresholds to 10%) must be identified and their identities verified. Where no natural person meets the threshold, the person exercising control through other means, and failing that the senior managing official, is recorded as the beneficial owner. Nominee directors and complex ownership layers must be penetrated to reach the natural person. 

Periodic KYC refresh in place 

KYC must be periodically updated, at minimum at the frequency required by your sector regulator. High-risk customers should be subject to more frequent review than low-risk ones. Accounts where KYC is out of date must be flagged and their transaction processing limited until refresh is completed. 

Re-KYC triggered by material changes 

Any material change in customer circumstances (change of address, change in beneficial ownership, significant change in transaction patterns) must trigger a KYC review. 

Video KYC compliant with RBI guidelines (where applicable for digital onboarding)  

Digital onboarding processes must comply with RBI’s Video Customer Identification Process (V-CIP) requirements where relevant. 

CKYC integration 

Customer KYC data must be submitted to and retrieved from the Central KYC Records Registry (CKYCR) as required, reducing duplication and maintaining a unified KYC record across reporting entities. 

Area 4: Transaction Monitoring 

Transaction monitoring system in place 

All transactions must be monitored for suspicious activity. At the volumes processed by modern financial institutions, this requires a technology-based transaction monitoring system; manual review alone is not operationally adequate. 

Monitoring covers all transaction channels 

Transaction monitoring must cover cash transactions, NEFT/RTGS/IMPS transfers, UPI transactions, card transactions, and any other channels through which funds move. Monitoring only traditional banking channels while leaving UPI or digital payment volumes unmonitored is a significant gap. 

Alert thresholds calibrated to risk, not just regulatory minimums 

Monitoring thresholds should be calibrated based on customer risk profiles and transaction patterns, not simply set at the regulatory reporting threshold. Structuring behaviour (transactions just below thresholds) must be detectable. 

False positive management process documented 

The process for reviewing, investigating, and closing alerts, including the criteria for escalating to STR versus closing as a false positive, must be documented and consistently applied. Alert closure decisions must have documented rationale. 

Network and relationship monitoring, not just account-level monitoring 

Monitoring should extend to identifying suspicious patterns across related accounts and entities, not just within individual accounts. Coordinated activity across a network of accounts may be invisible at the account level but apparent in aggregate. 

Area 5: Reporting to FIU-IND 

Cash Transaction Reports (CTR) filed monthly 

All cash transactions exceeding ₹10 lakh, individually or as a series of integrally connected cash transactions aggregating to more than ₹10 lakh in a month, must be reported to FIU-IND by the 15th of the following month via the FINnet portal. (Source: Reserve Bank of India) 
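To make the monitoring points from Area 4 and the CTR threshold above concrete, here is an added example (written for this page, not code from the page, from FIU-IND, or from any vendor product) that runs three rule-based checks over constructed sample transactions: the monthly cash aggregate that makes an account a CTR candidate, a "just below the threshold" structuring rule, and a network-level aggregation keyed on a hypothetical linked-party identifier (`owner`, standing in for a verified beneficial-owner ID). The ₹10 lakh figure is the threshold the page cites; the 10% band, the 7-day window and the three-transaction count are assumed tuning values for the example, not regulatory ones.

```python
"""Rule-based transaction monitoring over constructed sample data (illustrative only)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

CTR_THRESHOLD = 10_00_000          # ₹10 lakh: the cash reporting threshold cited on the page
# The three values below are assumptions for this example, not regulatory parameters.
STRUCTURING_BAND = 0.10            # cash amounts within 10% below the threshold count as "just below"
STRUCTURING_WINDOW_DAYS = 7
STRUCTURING_MIN_COUNT = 3


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    owner: str        # hypothetical linked-party key, e.g. a verified beneficial-owner ID
    channel: str      # "cash", "upi", "neft", ...
    amount: int       # rupees
    on: date


def ctr_candidates(txns, threshold=CTR_THRESHOLD):
    """(account, year, month) -> cash total, for months whose cash total exceeds the threshold.
    A single cash transaction above the threshold is caught too, since it alone pushes the total over."""
    monthly = defaultdict(int)
    for t in txns:
        if t.channel == "cash":
            monthly[(t.account, t.on.year, t.on.month)] += t.amount
    return {k: v for k, v in monthly.items() if v > threshold}


def structuring_alerts(txns, threshold=CTR_THRESHOLD, band=STRUCTURING_BAND,
                       window_days=STRUCTURING_WINDOW_DAYS, min_count=STRUCTURING_MIN_COUNT):
    """Accounts with at least min_count cash transactions just below the threshold
    inside a rolling window of window_days."""
    lower = threshold * (1 - band)
    near = defaultdict(list)
    for t in txns:
        if t.channel == "cash" and lower <= t.amount < threshold:
            near[t.account].append(t)
    alerts = {}
    for account, items in near.items():
        items.sort(key=lambda t: t.on)
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most window_days
            while items[end].on - items[start].on > timedelta(days=window_days):
                start += 1
            if end - start + 1 >= min_count:
                alerts[account] = [t.txn_id for t in items[start:end + 1]]
    return alerts


def network_alerts(txns, threshold=CTR_THRESHOLD):
    """Owners whose linked accounts together exceed the monthly cash threshold while no
    single account does: the pattern that account-level rules cannot see."""
    per_account = defaultdict(int)
    per_owner = defaultdict(int)
    accounts_of = defaultdict(set)
    for t in txns:
        if t.channel != "cash":
            continue
        per_account[(t.account, t.on.year, t.on.month)] += t.amount
        per_owner[(t.owner, t.on.year, t.on.month)] += t.amount
        accounts_of[(t.owner, t.on.year, t.on.month)].add(t.account)
    alerts = {}
    for key, total in per_owner.items():
        owner, year, month = key
        accts = accounts_of[key]
        if total > threshold and all(per_account[(a, year, month)] <= threshold for a in accts):
            alerts[key] = {"total": total, "accounts": sorted(accts)}
    return alerts


def run_monitoring(txns):
    return {"ctr": ctr_candidates(txns),
            "structuring": structuring_alerts(txns),
            "network": network_alerts(txns)}


# Constructed sample data for the example; these are not real transactions.
SAMPLE_TXNS = [
    Txn("t1", "A1", "O1", "cash", 9_50_000, date(2024, 6, 1)),
    Txn("t2", "A1", "O1", "cash", 9_60_000, date(2024, 6, 3)),
    Txn("t3", "A1", "O1", "cash", 9_40_000, date(2024, 6, 5)),
    Txn("t4", "B1", "O2", "cash", 4_00_000, date(2024, 6, 10)),
    Txn("t5", "B2", "O2", "cash", 4_00_000, date(2024, 6, 11)),
    Txn("t6", "B3", "O2", "cash", 4_00_000, date(2024, 6, 12)),
    Txn("t7", "C1", "O3", "upi", 9_80_000, date(2024, 6, 14)),   # not cash: outside these cash rules
    Txn("t8", "C1", "O3", "cash", 2_00_000, date(2024, 6, 20)),
]

if __name__ == "__main__":
    for kind, hits in run_monitoring(SAMPLE_TXNS).items():
        print(kind, hits)
```

On the sample data, account A1 trips both the CTR aggregate and the structuring rule, while owner O2's three accounts each stay well under ₹10 lakh and only surface when cash is summed across the linked group. In production the `owner` key would come from verified KYC and beneficial-ownership data, and the UPI leg shows why each channel needs its own rule set rather than being silently excluded.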

Suspicious Transaction Reports (STR) filed within 7 working days 

Any transaction, regardless of amount, that appears suspicious or has no apparent economic rationale must be reported to FIU-IND within 7 working days of forming the suspicion. The 7-day clock starts when the suspicion is formed, not when the transaction occurred. 

Cross-Border Wire Transfer Reports (CBWTR) filed 

Cross-border wire transfers exceeding ₹5 lakh must be reported to FIU-IND. (Source: Reserve Bank of India) 

Non-Profit Organisation Transaction Reports (NTR) filed 

Cash receipts by non-profit organisations exceeding ₹10 lakh must be reported. 

Counterfeit Currency Reports (CCR) filed 

When counterfeit currency is detected, it must be reported to FIU-IND and the relevant police authority promptly. 

STR quality meets investigative standards, not just compliance standards 

STRs must contain sufficient detail to generate actionable intelligence: full transaction context, entity relationships, the specific basis for suspicion, and any corroborating information available. Low-quality STRs filed as checkbox exercises do not meet the regulatory standard and have been explicitly flagged in FATF assessments of India. 

No tipping off 

Once an STR has been decided upon, the customer must not be informed (before, during, or after filing). This prohibition extends to all employees and officers involved in the process. 

Area 6: Record Retention 

All transaction records maintained for minimum 5 years 

Records of every transaction must be retained for a minimum of 5 years from the date of the transaction. 

Customer identification records maintained for minimum 5 years 

KYC documents, account opening records, CDD documentation, and beneficial ownership records must be retained for a minimum of 5 years from the end of the customer relationship. 

STR and related documentation retained 

Records relating to STR filings, including the investigation documentation supporting the suspicion, must be retained for a minimum of 5 years. 

Records stored in accessible, auditable format 

Records must be stored in a format that allows prompt retrieval in response to regulatory requests. Electronically submitted data must be machine-readable and encrypted. 

Area 7: Training and Awareness 

AML training programme in place for all relevant staff 

All staff involved in customer relationships, transaction processing, and compliance functions must receive regular AML training. Training content must be role-specific; frontline staff need different training than compliance officers. 

Training frequency and completion documented 

Training must be recurring, not a one-time onboarding exercise. Completion records must be maintained and available for regulatory review. 

Senior management and board briefed on AML obligations 

The board and senior management must understand the organisation’s AML obligations, the current risk environment, and the adequacy of the programme in place. AML is not purely a compliance function; it requires active governance attention. 

Training updated to reflect new typologies and regulatory changes 

AML training content must be updated when significant regulatory changes occur (such as the PMLA 2023 amendments) and when new laundering typologies become relevant to the institution’s risk profile. 

Area 8: Internal Audit and Independent Review 

Independent AML audit conducted regularly 

The AML programme must be subject to independent internal audit, separate from the compliance function, to verify that policies are operationally implemented and effective. Quarterly audit notes must be submitted to the Audit Committee. 

Audit findings actioned and tracked 

Audit findings must generate documented remediation actions with owners and deadlines. The status of remediation must be tracked and reported to senior management. 

AML risk assessment conducted and documented 

A formal enterprise-wide AML/CFT risk assessment, identifying the specific money laundering and terrorism financing risks relevant to the institution’s products, customers, geographies, and delivery channels, must be conducted and kept current. This is the foundation for calibrating the proportionate controls across the programme. 

Programme reviewed following significant events 

Material regulatory changes, new product launches, entry into new geographies, significant changes in customer base, or internal compliance failures must trigger a review of the relevant programme elements. 

Where Technology Fits in an Effective AML Programme


A technically compliant AML programme (one that meets all of the above obligations) can still be operationally ineffective if it is built on manual processes at scale. At the transaction volumes processed by modern banks, NBFCs, and payment platforms, manual monitoring is not a viable approach to detecting suspicious activity. 

The minimum technology infrastructure for an effective AML programme includes automated transaction monitoring that covers all channels, risk scoring that prioritises investigation effort on genuine high-risk cases rather than generating uniform alert volumes, network analysis capability that identifies suspicious patterns across related entities, and case management that maintains an auditable record of every investigation decision. 

Beyond compliance infrastructure, the institutions that are most effective at actually detecting and investigating financial crime have analytical capability that goes further: multi-hop transaction tracing, entity network analysis, and AI-powered pattern detection that surfaces the network-level indicators of organised laundering operations that rule-based monitoring misses. 

Learn more about Prophecy Eagle I, AI-powered financial crime analytics → 

For how AI detects smurfing and structuring that rule-based systems miss, read: Smurfing Detection AML → 

Frequently Asked Questions 

1. Who is required to comply with AML regulations in India?

Any entity defined as a “reporting entity” under the PMLA is required to comply. This includes banks, NBFCs, payment system operators, fintech platforms, stock brokers and mutual funds, insurance companies, virtual digital asset service providers, real estate agents (above prescribed thresholds), and certain professional advisors. The specific obligations are shaped by both the PMLA framework and sector-specific guidelines from the relevant regulator (RBI, SEBI, or IRDAI). 

2. What are the four key elements of an AML compliance programme under PMLA?

The four key elements mandated under PMLA and RBI Master Directions are: customer acceptance policy (defining which customers the institution will accept and on what terms), risk management (assessing and managing money laundering risk across the customer base and product range), customer identification policy (KYC and CDD processes for verifying customer identity and beneficial ownership), and transaction monitoring (ongoing monitoring of customer transactions for suspicious activity). 

3. What is the deadline for filing an STR with FIU-IND?

An STR must be filed with FIU-IND within 7 working days of forming the suspicion that a transaction is suspicious. The obligation arises when the suspicion is formed, not when the transaction occurred, which may have been earlier. Once the decision to file has been made, the customer must not be informed (tipping off is prohibited under PMLA). 

4. What is the beneficial ownership threshold under PMLA?

Under the PMLA rules as amended in 2023, a beneficial owner is any natural person who ultimately owns or controls a customer entity and holds more than 10% of its ownership or entitlement; this single 10% threshold replaced the earlier 25% figure for companies and 15% figure for partnerships. Where no natural person meets the threshold, the person exercising control through other means, or failing that the senior managing official, is recorded. All beneficial owners so identified must be verified and their details recorded. 

5. What are the penalties for AML non-compliance in India?

Under Section 13 of the PMLA, the Director of FIU-IND can impose monetary penalties ranging from ₹10,000 to ₹1,00,000 for each failure. Beyond FIU-IND penalties, the sector regulators (RBI, SEBI, IRDAI) have their own enforcement powers, including business restrictions, licence revocations, and fines. Recent enforcement actions demonstrate that penalties are being applied with increasing frequency and severity, including a ₹18.82 crore fine against a crypto exchange in 2024 and the wind-down order imposed on a payments bank for repeated AML compliance failures. 

6. How often must KYC be refreshed?

KYC must be periodically updated according to the risk level of the customer; high-risk customers require more frequent refresh than low-risk ones. The RBI Master Direction specifies periodic update requirements for different customer categories. Any material change in customer circumstances (change of beneficial ownership, significant change in transaction patterns, change of address) must trigger a review regardless of the scheduled refresh cycle. 

7. What records must be retained and for how long?

All transaction records must be retained for a minimum of 5 years from the date of the transaction. Customer identification records (KYC documents, account opening records, CDD and beneficial ownership documentation) must be retained for a minimum of 5 years from the end of the customer relationship. Records relating to STR filings and the investigation documentation supporting them must also be retained for 5 years. 

8. What is the difference between a CTR and an STR?

A Cash Transaction Report (CTR) is a mandatory report filed for all cash transactions exceeding ₹10 lakh, submitted monthly to FIU-IND by the 15th of the following month; it is a threshold-based reporting requirement. A Suspicious Transaction Report (STR) is filed when any transaction, regardless of amount, appears suspicious or lacks apparent economic rationale; it must be filed within 7 working days of forming the suspicion and is a judgement-based reporting obligation. The two obligations operate independently: a transaction can be both a CTR (above ₹10 lakh cash) and an STR (suspicious) simultaneously. 
