The Indian government has ordered all cryptocurrency exchanges, custodians, and intermediaries (entities handling virtual digital assets or VDAs) to undergo cybersecurity audits. These audits must be carried out by a security auditor empanelled with CERT-In, the nodal cybersecurity authority under the Ministry of Electronics and Information Technology. The requirement is now a precondition for registration with the Financial Intelligence Unit-India (FIU-IND) under the Prevention of Money Laundering Act (PMLA).
Why Was This Needed?
- There has been a surge in cyber heists and thefts targeting crypto exchanges in India.
- Crypto-related crimes are said to make up about 20-25% of cybercrime in the country, according to estimates by a local platform.
- Existing regulations under PMLA already require VDAs to follow KYC, record-keeping, and reporting for suspicious transactions. This new rule adds a cybersecurity control layer.
What’s Required & Who’s Affected
| Who | What Must They Do |
|---|---|
| All VDA service providers (exchanges, custodians, intermediaries) | Hire CERT-In empanelled auditors and undergo cybersecurity audits. |
| Directors, principal officers, & chief compliance officers | Comply immediately with the directive. |
| Firms seeking or maintaining registration with FIU-IND | Must fulfil audit requirement. Non-compliance can lead to denial or cancellation of registration. |
Implications & Challenges
Pros:
- Improves the security posture of crypto platforms, potentially leading to fewer hacks.
- Boosts user trust and investor confidence in the crypto industry.
- Improves traceability and compliance, helping regulatory oversight and anti-money-laundering efforts.
Challenges:
- Smaller exchanges might find compliance costly (hiring auditors, fixing vulnerabilities).
- Ensuring that auditors are competent and that the audit scope is well defined, given that crypto has specific risks (wallet security, private key handling, smart contract risks, etc.).
- The implementation timeline and the monitoring of enforcement might be tricky.
What Happens Next
- Exchanges will need to initiate the audits immediately (per FIU letter dated September 15, 2025).
- CERT-In will maintain an empanelled list of approved auditors. Platforms need to choose from that list.
- FIU-IND may deny or cancel registration of firms not meeting the requirement. (Source: The Economic Times)
This move marks a key strengthening of regulatory oversight in India’s crypto sector, focusing not just on financial safeguards but also on cybersecurity. It’s a major step toward aligning with global best practices for virtual asset providers.