Every entity in GIFT City operates under India’s anti-money-laundering regime – there is no IFSC carve-out from it. The framework is two-tier: the Prevention of Money-Laundering Act 2002 and its 2005 Rules are the statutory base, and the IFSCA’s AML, CTF and KYC Guidelines 2022 (amended through 2026) are the regulatory layer that operationalises them for IFSC entities, with the IFSCA as supervisor and FIU-IND as the reporting hub. The obligations are familiar but exacting – risk assessment, customer due diligence and beneficial-ownership identification, a Principal Officer and Designated Director (now with a mandatory certification), sanctions screening, and reporting to FIU-IND – and the consequences of failure run from IFSCA supervisory action to FIU-IND penalties and Enforcement Directorate attachment and prosecution under the PMLA. This page sets out the obligations and the enforcement as a matter of law; it is general information, not advice, and the IFSCA amends its AML circulars frequently, so verify at the time of use.
The framework at a glance
- Statutory base: Prevention of Money-Laundering Act 2002 + PML (Maintenance of Records) Rules 2005
- Regulatory layer: IFSCA (AML, CTF & KYC) Guidelines 2022 (28 Oct 2022), amended 31 Oct 2025 and 2 Jan 2026
- Supervisor / reporting: IFSCA supervises; FIU-IND receives reports (via the FINGate 2.0 portal)
- Beneficial owner: Natural person with a controlling interest above 10%, or who otherwise controls
- Officers: Principal Officer + Designated Director; NISM-IFSCA-01 certification (mandated November 2025)
- FATF: India in “regular follow-up” (the best tier) after the 2024 Mutual Evaluation
- Scope: AML/CFT obligations and enforcement as law – not setup, vehicle or tax
1. The two-tier framework: PMLA 2002 and the IFSCA Guidelines 2022
The first thing to be clear about is the hierarchy. The statutory base is the Prevention of Money-Laundering Act 2002 and the Prevention of Money-Laundering (Maintenance of Records) Rules 2005, in force since 1 July 2005; this is the law that defines money-laundering, designates “reporting entities,” and imposes the duties to verify identity, identify beneficial owners, keep records and report. Sitting on top, as subordinate regulatory guidance, are the IFSCA (Anti Money Laundering, Counter-Terrorist Financing and Know Your Customer) Guidelines 2022 (notified 28 October 2022, and amended on 31 October 2025 and again by a circular of 2 January 2026), which operationalise those duties for entities in the IFSC.
The relationship matters because it answers a common question: GIFT’s “foreign” character for exchange control does not exempt it from Indian AML law. An IFSC unit is an Indian-incorporated or registered entity and a PMLA reporting entity, and the IFSCA – as the unified IFSC regulator exercising the powers of the RBI, SEBI, IRDAI and the pension regulator within the IFSC – is its AML/CFT supervisor. The Guidelines are the rulebook; the PMLA is the Act behind them.
2. Who is caught: reporting entities and IFSC regulated entities
The Guidelines apply to every entity licensed, recognised, registered or authorised by the IFSCA – a banking unit, a fund management entity, a capital-market intermediary, an insurer, a finance company and so on – and those entities are PMLA reporting entities under the Act. In practice, if the IFSCA has authorised the activity, the AML framework applies to it.
A January 2026 amendment introduced a set of exemptions for defined categories – for example global in-house centres, international branch campuses, offshore educational centres and financial institutions servicing only their own group – but the exemption is conditional and partial: an exempt entity must still carry out a business risk assessment and comply with the PMLA wherever a money-laundering risk is identified. The safer working assumption for any GIFT entity is that the framework applies unless a specific exemption is clearly made out. The question of which IFSCA rulebook licenses a given entity is covered in our note on the IFSCA regime; this page is about the AML obligations that ride on top of all of them.
3. Customer due diligence, KYC and beneficial ownership
At the centre of the regime is customer due diligence. A regulated entity must identify and verify every customer at onboarding and keep that knowledge current through the relationship – not a one-off formality but an ongoing obligation. The Guidelines provide for video-based customer identification, and a 2025 amendment widened who may conduct it and tightened the accompanying cybersecurity standards.
The harder and more important limb is beneficial ownership. It is not enough to identify the immediate client; the entity must identify the natural person who ultimately owns or controls it – for a company, the person with a controlling ownership interest of more than 10% of the shares, capital or profits, or who otherwise exercises control. Layered and opaque structures are precisely where this obligation bites, and getting it wrong is the most common AML failing. Records of identity and transactions must be retained for five years.
4. Enhanced due diligence, PEPs and sanctions screening
Higher-risk relationships demand more. Enhanced due diligence – deeper verification, source-of-funds enquiry and senior sign-off – applies to politically exposed persons, customers from high-risk jurisdictions, and complex or unusual arrangements. A significant 2026 addition, aimed squarely at GIFT’s cross-border character, requires enhanced due diligence (including ascertaining the source of funds) wherever the beneficial owner is an Indian national, regardless of the risk score – a deliberate control against round-tripping, the routing of Indian money through the IFSC so that it re-enters India with a foreign character.
Running alongside is sanctions screening: customers and counterparties must be screened against the United Nations Security Council and other designated lists, with freezing and reporting obligations where a match arises. PEP status, sanctions exposure and adverse media are the standard triggers that move a relationship into the enhanced tier.
5. Governance: the Principal Officer, the Designated Director and certification
The framework is built on named accountability. Every regulated entity must appoint a Principal Officer – responsible for monitoring and for filing reports with FIU-IND – and a Designated Director, who carries senior accountability for the entity’s compliance, with both notified to FIU-IND and the IFSCA under the PMLA Rules. These are not titles to be parked with a junior; they carry personal exposure.
Since an IFSCA circular of 17 November 2025, those officers must also hold the NISM-IFSCA-01 certification (a course on AML and counter-terrorist financing in the IFSC, developed by the National Institute of Securities Markets with the IFSCA Academy), obtained within the prescribed window of appointment and maintained on an ongoing basis. The direction of travel is clear: the IFSCA expects demonstrable AML competence at the top of every regulated entity, not delegated box-ticking.
6. Reporting to FIU-IND: STRs, CTRs and cross-border wire transfers
The reporting obligations run to FIU-IND, the Financial Intelligence Unit-India, through its FINGate 2.0 portal, on which every reporting entity must register. The principal reports are suspicious transaction reports (filed whenever suspicion arises, on a continuous basis), cash transaction reports, non-profit organisation transaction reports, and cross-border wire transfer reports (for cross-border wires above Rs 5 lakh, or the foreign-currency equivalent, where one end is in India).
Two points of nuance, both reinforced by the 2026 amendments, are worth stating. First, filing a suspicious transaction report does not oblige – or entitle – the entity to freeze or restrict the transaction; the report goes to FIU-IND for analysis, and any freezing follows only under due legal process. Second, the customer must not be tipped off that a report has been made, and the entity’s internal risk-categorisation of the customer is to be kept confidential. Report, confidentially; do not pre-judge.
7. India and FATF: the 2024 Mutual Evaluation
The international backdrop is favourable, and it shapes expectations. India’s Financial Action Task Force Mutual Evaluation was adopted at the FATF plenary in June 2024 and published in September 2024, placing India in the “regular follow-up” category – FATF’s best outcome tier, shared by only a small group of major economies. The evaluation acknowledged the strength of India’s legal framework while flagging areas to improve, such as the supervision of some non-financial sectors and the speed of concluding money-laundering prosecutions.
For the IFSC, the practical effect is twofold. The IFSCA’s AML expectations are explicitly FATF-aligned – the risk-based approach, beneficial-ownership and enhanced-due-diligence rules, sanctions screening and anti-tipping-off all track FATF recommendations – and the recent amendments (the Indian-beneficial-owner control, the confidentiality of risk grading) reflect that alignment. The signal to a GIFT entity is that AML standards will tighten over time, not relax; building to the FATF benchmark is building for the regime as it is heading.
8. Enforcement: FIU-IND penalties, IFSCA supervision and the Enforcement Directorate
The consequences of failure are real and layered across three bodies. The IFSCA, as supervisor, conducts on-site inspection and off-site monitoring of IFSC entities and can take supervisory and penalty action for AML failings. FIU-IND can issue directions and impose monetary penalties on a reporting entity or its Designated Director for breaches of the reporting and compliance obligations – it has, in the wider financial sector, imposed penalties running to several crore rupees on institutions for PMLA lapses. And the Enforcement Directorate investigates and prosecutes the offence of money-laundering itself: under the PMLA it can provisionally attach the proceeds of crime and bring prosecution before a special court, with rigorous imprisonment on conviction.
The throughline is that AML compliance in GIFT is not administrative housekeeping. A defective beneficial-ownership analysis, a missed suspicious-transaction report or an uncertified officer is not merely a paperwork lapse; it is a regulatory and, at the limit, criminal exposure for the entity and the individuals who run it. That is why the obligations in this note repay being built into a structure from the outset rather than retro-fitted.
| Obligation | What the law requires | Source |
|---|---|---|
| Business risk assessment | Document an entity-level money-laundering / terrorist-financing risk assessment and review it periodically | IFSCA Guidelines 2022 |
| Customer due diligence / KYC | Identify and verify every customer at onboarding and on an ongoing basis | IFSCA Guidelines 2022; PMLA Rules 2005 |
| Beneficial ownership | Identify the natural person with a controlling interest above 10%, or who otherwise controls | IFSCA Guidelines 2022 |
| Enhanced due diligence | Apply EDD to high-risk customers, PEPs, and (from 2026) Indian-national beneficial owners, with source-of-funds enquiry | IFSCA Guidelines (2026 amendment) |
| Sanctions screening | Screen against UNSC and other designated lists; freeze and report on a match | IFSCA Guidelines 2022 |
| Governance officers | Appoint a Principal Officer and a Designated Director; notify FIU-IND and the IFSCA | PMLA Rules 3 & 7 |
| Officer certification | Designated Director / Principal Officer to hold NISM-IFSCA-01 | IFSCA circular, 17 Nov 2025 |
| Reporting | File STR / CTR / NTR / cross-border wire reports to FIU-IND via FINGate 2.0 (wires above Rs 5 lakh) | PMLA 2002; PMLA Rules 2005 |
| Record-keeping | Retain identity and transaction records for five years | PMLA Rules 2005 |
| Channelisation | Route monetary consideration through an IFSC Banking Unit | IFSCA Guidelines (2026 amendment) |
Frequently asked questions
What AML and CFT laws apply to a GIFT IFSC entity?
India’s general AML regime applies in full – there is no IFSC exemption. The statutory base is the Prevention of Money-Laundering Act 2002 with the PML (Maintenance of Records) Rules 2005; the regulatory layer is the IFSCA’s AML, CTF and KYC Guidelines 2022 (amended through 2026), which operationalise the PMLA for IFSC regulated entities. The IFSCA supervises AML compliance in the IFSC, and FIU-IND receives the reports.
Is the IFSCA or FIU-IND the AML regulator for the IFSC?
Both, in different roles. The IFSCA is the AML/CFT supervisor for IFSC regulated entities – it sets the guidelines and inspects and penalises for compliance failings. FIU-IND (the Financial Intelligence Unit-India) is the central agency to which entities file suspicious-, cash- and cross-border-transaction reports under the PMLA. The Enforcement Directorate investigates and prosecutes the offence of money-laundering itself.
Which entities are “reporting entities,” and what did the 2026 amendments exempt?
Every entity licensed, recognised, registered or authorised by the IFSCA is a regulated entity caught by the Guidelines, and IFSC units are PMLA reporting entities. A January 2026 circular exempted certain categories – for example global in-house centres, international branch campuses and financial institutions serving only their own group, on conditions – but even an exempt entity must run a business risk assessment and comply with the PMLA where money-laundering risk is identified.
Who is a beneficial owner under the IFSCA AML/CFT/KYC Guidelines?
For a company, the natural person who has a controlling ownership interest of more than 10% of the shares, capital or profits, or who otherwise exercises control over the entity. Identifying the beneficial owner – not just the immediate client – is a core obligation, and from 2026 an Indian-national beneficial owner triggers enhanced due diligence.
Who must an IFSC regulated entity appoint, and is the NISM-IFSCA-01 certification mandatory?
Every regulated entity must appoint a Principal Officer (responsible for reporting) and a Designated Director (senior accountability for compliance), and notify their details to FIU-IND and the IFSCA. Since an IFSCA circular of November 2025, these officers must also obtain the NISM-IFSCA-01 certification in AML and CTF in the IFSC, within the prescribed window, and maintain it.
What must be reported to FIU-IND, and how is a reporting entity registered on FINGate 2.0?
Suspicious transaction reports, cash transaction reports, non-profit transaction reports and cross-border wire-transfer reports (for cross-border wires above Rs 5 lakh where one end is in India), among others, filed electronically through the FIU-IND FINGate 2.0 portal, on which each reporting entity must register. Suspicious-transaction reporting is continuous – filed whenever suspicion arises.
When is enhanced due diligence required – and why does an Indian-national beneficial owner trigger it?
Enhanced due diligence applies to higher-risk relationships – politically exposed persons, high-risk jurisdictions and complex or unusual structures. A 2026 IFSCA amendment also requires it, including ascertaining the source of funds, wherever the beneficial owner is an Indian national, regardless of risk score – a deliberate control against round-tripping, the routing of Indian money through the IFSC to re-enter India with a foreign character.
Does filing a suspicious transaction report mean the transaction must be frozen?
No. A 2026 IFSCA clarification makes clear that a reporting entity must not restrict or freeze a transaction merely because a suspicious transaction report has been filed; the report goes to FIU-IND for analysis, and freezing or other action follows only under the proper legal process. The duty is to report, confidentially, without tipping off the customer.
How does India’s 2024 FATF Mutual Evaluation affect AML expectations in GIFT IFSC?
India’s FATF Mutual Evaluation, adopted in June 2024 and published in September 2024, placed India in the “regular follow-up” category – FATF’s best outcome tier. For the IFSC, the practical effect is that its AML framework is held to FATF-aligned standards, and the IFSCA’s recent amendments reflect those principles; it also signals that AML expectations will tighten, not loosen.
What are the consequences of an AML/CFT failure – penalties, attachment or prosecution?
They are serious and layered. The IFSCA can take supervisory and penalty action against a regulated entity; FIU-IND can impose monetary penalties on the entity or its Designated Director for reporting failures (it has imposed multi-crore penalties on financial institutions); and the Enforcement Directorate can provisionally attach the proceeds of crime and prosecute the offence of money-laundering before a special court under the PMLA, which carries rigorous imprisonment. AML compliance in GIFT is therefore not a formality.