India’s anti-money laundering framework is no longer the patchwork it once was. The Prevention of Money Laundering Act, 2002 (PMLA), as reinforced by the PML Rules 2005 and a dense web of regulatory directions from the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), the Insurance Regulatory and Development Authority of India (IRDAI), the International Financial Services Centres Authority (IFSCA), and the Pension Fund Regulatory and Development Authority (PFRDA), has created one of the more comprehensive anti-money laundering and counter-financing of terrorism (AML/CFT) architectures in the world.
The Financial Intelligence Unit – India (FIU-IND) sits at the centre of this ecosystem, receiving, analysing, and disseminating financial intelligence from over 7,000 reporting entities spanning banks, non-banking financial companies (NBFCs), securities intermediaries, insurance companies, payment system operators, and designated non-financial businesses and professions (DNFBPs). Yet compliance failure persists across sectors, entity sizes, and geographies. The reasons are varied, the consequences are serious, and the remedies are well within reach for any institution that chooses to treat AML/CFT as a governance imperative rather than a regulatory obligation.
This article addresses all three: the reasons why reporting entities fall short, the risks they thereby invite, and the measures that a well-governed institution must put in place to ensure it does not become the next cautionary case study.
Why Reporting Entities Fall Short – The Anatomy of Non-Compliance
Non-compliance is rarely a deliberate act. It is more commonly the cumulative product of structural deficiencies, cultural indifference, resource constraints, and, increasingly, a dangerous overconfidence in technology. Understanding why reporting entities fail is the starting point for designing systems that prevent failure.
- Treating AML as a Regulatory Checkbox Rather Than a Risk Function
The most pervasive cause of AML failure in India is institutional: the compliance function is staffed, resourced, and empowered as if its primary purpose were to satisfy a regulator rather than to manage a genuine financial crime risk. When AML is a checkbox, Suspicious Transaction Reports (STRs) become defensive filings rather than genuine intelligence outputs. Customer Risk Assessments become templated exercises rather than substantive evaluations. Transaction monitoring systems are procured and left uncalibrated for long periods. The FIU-IND’s own guidance distinguishes clearly between a prima facie ground for suspicion and a defensive filing made to avoid perceived regulatory risk. The checkbox mentality produces the latter at scale – high filing volumes with low intelligence quality – and offers no meaningful protection against either the underlying criminal activity or subsequent regulatory scrutiny.
- Inadequate Know Your Customer (KYC) Infrastructure and Governance
Non-compliance at the onboarding stage is foundational. If Customer Due Diligence (CDD) under Rule 9 of the PML Rules is performed inadequately – with superficial identity verification, absent beneficial ownership mapping, and no genuine risk categorisation – the entire subsequent transaction monitoring framework rests on a false premise. A customer who was never properly understood cannot be effectively monitored. Common failures at this stage include: accepting self-attested photocopies without electronic verification; failing to update KYC within the periodicity mandated by risk category (two years for high-risk, eight for medium-risk, ten for low-risk under the RBI KYC Master Direction); failing to identify Ultimate Beneficial Owners (UBOs) in entities with complex ownership structures; and treating Customer Risk Assessment as a one-time onboarding activity rather than a dynamic, event-driven process.
- Technology Deployed Without Governance
India’s reporting entities have invested significantly in AML technology – transaction monitoring platforms, name screening tools, and entity resolution systems. The problem is not the technology. It is the governance of technology: alert thresholds that were set at implementation and never subsequently calibrated; typology libraries populated in 2018 and not updated since; model validation processes that exist in policy but have never been executed; false positive rates running at 95 to 98%, more or less the global industry norm, yet never examined as a governance question within the institution. Technology deployed without governance is not a compliance asset. It is a compliance liability.
- Human Capital Gaps – Quantity and Quality
The AML function in most Indian financial institutions is chronically understaffed, given the complexity of the portfolios it is expected to monitor. Where staffing numbers are nominally adequate, the skill profile is often insufficient: most analysts are trained to process alerts rather than to think analytically about financial crime patterns; Designated Directors and Principal Officers are appointed for positional convenience rather than professional expertise; and training programmes fulfil annual hours requirements without producing any genuine uplift in capability. The PMLA’s compliance requirements are not satisfied by headcount alone. They require a function with the analytical capacity to detect what a rule set cannot – the behavioural pattern, the contextual anomaly, the network connection that no algorithm will flag automatically. Therefore, whatever the size and scale of a reporting entity’s operations, the quality of its AML team underpins its performance and, in the end, its effectiveness. The team must be skilled, consistently upskilled, and supported by state-of-the-art technology to meet all its obligations. One failure is enough to invite intense scrutiny and questioning and, where a penalty follows, potentially reputational damage.
- Weak Governance at the Top – The Tone That Doesn’t Carry
Provisions of the PMLA and the regulatory directions of the RBI, SEBI, IFSCA, and other regulators impose explicit obligations on boards and senior management. Yet in practice, AML/CFT receives disproportionately little board attention relative to credit risk, market risk, and operational risk. Annual compliance reports are received and noted. The Principal Officer presents. Questions are limited. Accountability is diffuse. When the governing body does not engage substantively with AML/CFT as a risk management question – when it does not ask what the institution’s residual ML/TF risk is, whether controls are calibrated to actual risk, what the quality of STR output looks like, and what the consequence framework for identified control failures is – it creates a cultural signal that travels downward through the entire institution.
- Multi-Regulator Confusion and Perimeter Ambiguity
India’s AML/CFT supervision is distributed across multiple regulators with overlapping, adjacent, and sometimes inconsistent frameworks. An entity that is simultaneously regulated by SEBI as a broker, operates a wallet business regulated by RBI, and operates in GIFT City under IFSCA jurisdiction may face three distinct AML/CFT frameworks with different STR formats, CDD standards, and record-keeping timelines, and no coordinating mechanism between the supervisors.
This regulatory complexity creates genuine confusion, but it also, more dangerously, creates space for motivated non-compliance dressed as confusion. The absence of a unified AML supervisory coordination framework in India means that gaps in one perimeter may not be visible to supervisors in another.
The Risk Landscape – What Non-Compliance Actually Costs
The risks associated with AML non-compliance in India are not merely regulatory. They span legal, financial, reputational, operational, and systemic dimensions, each with materially different consequences for the institution and its leadership.
- Legal and Regulatory Risk
This is the most immediately visible category. Under the PMLA, the Enforcement Directorate (ED) has powers to conduct searches, seizures, surveys, attach property, and arrest. Section 13 of the PMLA empowers the Director of FIU-IND to impose a monetary penalty of not less than ₹10,000 and not more than ₹1,00,000 per failure on reporting entities and their designated officers for non-compliance with the Act’s obligations. More significantly, the ED’s power of provisional attachment under Section 5 of the PMLA can result in the attachment of assets equivalent in value to the proceeds of crime, a consequence that can dwarf any regulatory fine. Beyond the PMLA, sectoral regulators impose independent sanctions. SEBI’s adjudicating officers may impose penalties under the SEBI Act. The RBI may impose penalties under the Banking Regulation Act, 1949, or take supervisory action, including business restrictions. IFSCA may revoke or suspend licences of IFSC-regulated entities for AML/CFT failures. The cumulative regulatory exposure of a multi-regulated entity that fails across perimeters can be severe. Individual officers are not insulated. Section 13(2) of the PMLA imposes penalties on the designated director and the principal officer of a reporting entity for a single lapse (e.g., failure to report a suspicious transaction). Regulatory enforcement trends globally, and increasingly in India, are moving toward personal accountability for senior officers who fail to perform their roles and fulfil obligations under the law, rather than merely issuing institutional fines.
- Financial Risk
The direct financial costs of AML non-compliance include regulatory fines and penalties, the costs of external remediation (e.g., regulatory consultants, forensic reviews, system overhauls), and the diversion of management bandwidth from productive activity to regulatory response. Globally, AML penalties totalled $3.8 billion in 2025, with APAC jurisdictions seeing a 44% increase in enforcement activity. The indirect financial costs are larger and less visible: reputational damage driving customer attrition; correspondent banking relationships placed under review or terminated; increased cost of regulatory capital as prudential supervisors factor compliance risk into their assessments; and the litigation exposure that follows when customers, counterparties, or shareholders pursue civil claims arising from compliance failures.
- Reputational Risk
Reputational risk in AML/CFT operates on a compressed timeline and an amplified scale. A regulatory enforcement action, a media report of ED attachment proceedings, a FATF mutual evaluation finding that names an institution’s sector – any of these can trigger withdrawal of institutional deposits, counterparty due diligence reviews, and downstream correspondent banking scrutiny within days. India’s financial media is increasingly covering AML/CFT enforcement. An institution that has treated AML/CFT as a cost centre rather than a risk function has no reputational reserves to draw on when enforcement arrives.
- Operational Risk
AML non-compliance creates operational risks that often go unmeasured until they materialise. An institution that has accepted accounts on inadequate CDD documentation discovers this deficiency not at onboarding but at the moment of a regulatory inspection, an ED enquiry, or an internal fraud investigation, at which point remediation at scale is both operationally disruptive and evidentially significant. Operational risk in AML also manifests as systemic failure: a transaction monitoring system that has been generating alerts without adequate analyst review for two years; a name screening tool with outdated sanctions lists; a CTR reporting process with data quality errors that have been accumulating in FIU-IND’s records. Each of these represents a control failure that compounds over time and becomes progressively more expensive to remediate.
- Proliferation Financing and Sanctions Risk
This dimension of AML/CFT risk is the least discussed in India and among the most consequential. India’s trading relationships with entities across the Gulf, Southeast Asia, and beyond expose Indian financial institutions to proliferation financing risks through dual-use goods financing, trade-based money laundering (TBML), and the proceeds of sanctions evasion. IFSCA-regulated entities in GIFT City face this risk acutely due to the international nature of their operations. Provisions under the PMLA and extant regulations (as amended) impose obligations on reporting entities to maintain records and report suspicious transactions connected to the financing of weapons of mass destruction and proliferation networks. Failure to identify and report such transactions creates liability not only under the PMLA but potentially under India’s international obligations and the sanctions frameworks of the jurisdictions in which correspondent relationships are maintained. Detection mechanisms have to be sharp, and action on any such case has to be swift. These provisions are substantive, material and cannot be ignored. Reporting obligations are of priority, and time is of the essence.
- Systemic and Societal Risk
This is the risk category that regulatory frameworks are ultimately designed to prevent, but that institutions rarely account for in their internal risk calculations. When AML frameworks fail across a sector, as they did in India’s cooperative banking sector, as they have in certain NBFC segments, the proceeds of crime that pass through the financial system fund drug trafficking, human trafficking, terrorism, and corruption. The cost of these predicate crimes is borne by society, not by the institution whose compliance framework enabled them. India’s FATF mutual evaluation, conducted in 2023–2024, acknowledged the country’s technical compliance achievements but noted continued effectiveness gaps in the quality of STR filings, beneficial ownership transparency, and DNFBP supervision. These systemic gaps represent both a collective compliance failure and a genuine public policy risk.
Preventive Measures – Building a Compliance Framework That Actually Works
Compliance with AML/CFT obligations in India is not primarily a matter of scale of resources. It is a matter of design, governance, and institutional will. The following measures, grounded in the PMLA, the PML Rules, and the regulatory frameworks of India’s major financial sector regulators, represent the architecture of an effective AML/CFT programme.
- Risk-Based Customer Due Diligence – Beyond the KYC Form
Effective CDD begins not with a form but with a risk question: what is the nature and purpose of this relationship, what risks does it present, and what level of due diligence is proportionate to those risks? Under Rule 9 of the PML Rules, reporting entities must verify the identity of customers and beneficial owners using Officially Valid Documents, conduct ongoing due diligence, and update KYC records within the mandated periodicity. The August 2025 amendment to the RBI KYC Master Direction reinforces the requirement for Offline Aadhaar XML as a CDD-satisfying document and mandates presentation attack detection in all Video KYC sessions. CKYCRR 2.0, now operational, enables real-time KIN lookup and DigiLocker-integrated document verification, providing identity assurance at source, not merely at submission. Risk categorisation at onboarding must be substantive, not templated. High-risk categories under Indian regulation include, inter alia, Politically Exposed Persons (PEPs) and their family members and close associates; customers from FATF-listed high-risk jurisdictions; entities with complex beneficial ownership structures; and customers whose business activities create inherent exposure to ML/TF risk. Enhanced Due Diligence (EDD) for these categories must be documented, reviewed by senior management, and revisited when circumstances change.
- Calibrated Transaction Monitoring – From Volume to Intelligence
An effective transaction monitoring system is not one that generates the most alerts. It is one that generates alerts with sufficient quality to support genuine investigation and, where warranted, STR filing. It should be able to generate case reports and ultimately lead to quality STRs that are of value to law enforcement authorities. Calibration governance must be owned by the compliance function, not the technology team. The Principal Officer must be able to answer, with evidence: what are our current alert thresholds and why; when were they last reviewed; what is our false positive rate and trend; what typologies are covered in our scenario library; and are those typologies current relative to FIU-IND guidance, regulatory prescriptions and FATF typology reports? FATF’s ongoing typology work emphasises that transaction monitoring calibration must be event-driven, not annual. Whenever a new product is launched, a new customer segment is onboarded, or a new regulatory typology is issued, the monitoring parameters must be reviewed and documented before implementation.
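The calibration evidence described above (and the ungoverned thresholds and 95 to 98% false positive rates discussed under technology governance) can be produced as a repeatable check rather than a narrative. The following is an added example, not code from the article or from any regulator or vendor: every scenario name, threshold, alert disposition, review window, alert SLA and FP ceiling is constructed sample data or a stated assumption.

```python
"""Calibration evidence for a transaction-monitoring scenario library.
Added example, not from the article: the questions the Principal Officer must
answer with evidence (thresholds and review dates, false-positive rate, STR
yield, alert review backlog) turned into a check over alert dispositions.
All scenarios, alerts and tolerances below are constructed or assumed values.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed scenario library: the threshold as documented, and the date the
# compliance function last reviewed it (the review date is the governance record).
SCENARIOS = {
    "CASH_STRUCTURING": {"threshold": "cash deposits >= INR 9,00,000 within 7 days",
                         "last_reviewed": date(2018, 3, 1)},
    "RAPID_PASSTHROUGH": {"threshold": ">= 90% of credits moved out within 48 hours",
                          "last_reviewed": date(2025, 6, 15)},
    "DORMANT_REACTIVATION": {"threshold": "12 months dormant, then credits >= INR 5,00,000",
                             "last_reviewed": date(2025, 1, 10)},
    "TBML_OVERINVOICING": {"threshold": "invoice value > 130% of customs reference price",
                           "last_reviewed": date(2025, 3, 1)},
}

# Constructed alert dispositions: (scenario, opened, closed or None, outcome), where
# outcome is "FP" (false positive), "ESC" (escalated, no STR), "STR" (STR filed)
# or None while the alert is still open.
ALERTS = (
    [("CASH_STRUCTURING", date(2025, 9, d), date(2025, 9, d + 2), "FP") for d in range(1, 11)]
    + [("CASH_STRUCTURING", date(2025, 10, 1), None, None)]
    + [("RAPID_PASSTHROUGH", date(2025, 10, d), date(2025, 10, d + 5), "FP") for d in range(1, 4)]
    + [("RAPID_PASSTHROUGH", date(2025, 10, 8), date(2025, 10, 20), "STR"),
       ("DORMANT_REACTIVATION", date(2025, 11, 2), date(2025, 11, 9), "ESC"),
       ("DORMANT_REACTIVATION", date(2025, 11, 20), None, None)]
)

AS_OF = date(2025, 12, 1)
REVIEW_WINDOW_DAYS = 365  # assumption: every threshold is reviewed at least annually
ALERT_SLA_DAYS = 30       # assumption: an alert must be dispositioned within 30 days
FP_CEILING = 0.95         # assumption: above this with zero STR yield, the scenario needs review


def scenario_metrics(alerts, as_of):
    """Per scenario: volume, FP rate of closed alerts, STRs filed, open alerts past SLA."""
    rows = defaultdict(list)
    for scenario, opened, closed, outcome in alerts:
        rows[scenario].append((opened, closed, outcome))
    metrics = {}
    for scenario, items in rows.items():
        outcomes = Counter(o for _, c, o in items if c is not None)
        closed_total = sum(outcomes.values())
        metrics[scenario] = {
            "alerts": len(items),
            "fp_rate": outcomes["FP"] / closed_total if closed_total else None,
            "str_filed": outcomes["STR"],
            "overdue_open": sum(1 for opened, c, _ in items
                                if c is None and (as_of - opened).days > ALERT_SLA_DAYS),
        }
    return metrics


def calibration_findings(metrics, scenarios, as_of):
    """Stale thresholds, high-FP scenarios with no yield, silent scenarios, review backlog."""
    findings = []
    for name, cfg in scenarios.items():
        age = (as_of - cfg["last_reviewed"]).days
        if age > REVIEW_WINDOW_DAYS:
            findings.append((name, "THRESHOLD_NOT_REVIEWED", f"{age} days since last review"))
        m = metrics.get(name)
        if m is None:
            findings.append((name, "NO_ALERTS", "scenario generated no alerts in the period"))
            continue
        if m["fp_rate"] is not None and m["fp_rate"] > FP_CEILING and m["str_filed"] == 0:
            findings.append((name, "HIGH_FP_NO_YIELD", f"FP rate {m['fp_rate']:.0%}, no STR filed"))
        if m["overdue_open"]:
            findings.append((name, "REVIEW_BACKLOG", f"{m['overdue_open']} alert(s) open > {ALERT_SLA_DAYS} days"))
    return findings


# Evidence pack for the Principal Officer's board report: metrics plus findings.
METRICS = scenario_metrics(ALERTS, AS_OF)
FINDINGS = calibration_findings(METRICS, SCENARIOS, AS_OF)
```

On the constructed data the cash-structuring scenario is flagged three times (threshold unreviewed since 2018, 100% false positives with no STR yield, an alert open past SLA) while the TBML scenario is flagged for producing no alerts at all; each finding is the kind of item an audit committee can ask management to close with a dated action.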
- STR Quality Over STR Quantity – The Intelligence Imperative
FIU-IND has been explicit in its guidance: a Suspicious Transaction Report does not discharge liability. It is a submission of financial intelligence. A report that contains no analytical reasoning, no connection between observed behaviour and a specific suspicion, and no supporting context does not fulfil the intent of the PMLA. It simply creates a paper trail. Every STR filed by a reporting entity should reflect genuine analysis: what was observed, why it is suspicious, what predicate offence it might relate to, what the customer’s profile and history suggest, and what the institution has done or proposes to do in respect of the relationship. This requires analysts with investigative capabilities, supported by a 360-degree view of the customer and its activities, not just data-processing skills.
- Record Keeping Discipline – Compliance as Evidence Architecture
The PMLA requires reporting entities to maintain records of transactions, identity documents, and analyses supporting STR decisions for 5 years from the cessation of the transaction or the business relationship, as applicable. Documents relating to risk assessments conducted, account files, and business correspondence relating to clients are also subject to record-keeping obligations. This is not an archiving obligation. It is an evidentiary obligation: the records must be retrievable, complete, and capable of supporting a law enforcement investigation or a FIU-IND information request. Moreover, it is the duty of every reporting entity, its designated director, officers and employees to observe the procedure and the manner of maintaining information as specified by its regulator. Common failures include: risk assessment documentation and other records maintained in formats that cannot be queried electronically; STR decision rationale not documented at the time of the decision; CDD documents stored without version control, making it impossible to establish what was known about a customer at what point; and CKYC records not updated within the mandated window.
- Training That Produces Capability, Not Certificates
Annual AML/CFT training is a requirement under the sectoral regulatory frameworks. It is also, in most institutions, a compliance ritual that produces certificates without producing capability. Effective training must be role-differentiated: the front office officer who opens accounts needs different AML knowledge from the transaction monitoring analyst, who needs different knowledge from the STR reviewer, who needs different knowledge from the board director. It must use India-specific typologies and case studies to ensure relevance, and incorporate best practices from overseas programmes. It must test outcomes, not just completion. And it must be refreshed whenever the regulatory framework, risk landscape, or typology landscape changes materially.
- Independent Testing and Internal Audit
The AML/CFT programme must be subject to independent testing, not by the compliance function itself but by the internal audit function or an external party with AML expertise. The testing must cover not just the existence of policies and procedures but their operational effectiveness: are CDD records actually complete; are monitoring alerts actually being reviewed within prescribed timeframes; are STR decisions actually documented with adequate analysis; are CKYC records actually being uploaded within the specified timelines. Internal audit findings related to AML/CFT must be reported directly to the Audit Committee of the Board, not filtered through management. This reporting line is not a governance nicety but the mechanism by which the board obtains an independent view of whether its AML/CFT risk appetite is being operationally honoured.
The Governing Board and Leadership – AML/CFT as a Fiduciary Obligation
The role of the governing board in AML/CFT oversight has undergone a fundamental shift over the past decade. What was once understood as a management function delegated entirely to the Principal Officer and compliance team, with the board receiving an annual report (at best), is now increasingly recognised as a fiduciary obligation of the board itself.
This shift is both regulatory and judicial. The Caremark standard in US corporate law – which holds that directors may be personally liable for failing to establish and monitor adequate compliance information systems – has its Indian-law analogue in the fiduciary duties of directors under the Companies Act, 2013, read with the PMLA’s personal liability provisions for designated directors under Section 13(2). In practical terms, this means that a board that receives a cursory annual AML/CFT compliance report, asks no substantive questions, and records a generic “noted” minute is not discharging its oversight obligation. It is creating a documentary record of its own inattention.
What the Regulatory Framework Requires of Boards and Senior Management
The RBI’s Master Direction on KYC requires that the AML/CFT policy of a regulated entity be approved by the Board of Directors. SEBI’s Master Circular on AML Standards/CFT requires that the AML programme be approved by the board. PMLA and regulations specify the roles and responsibilities of both Designated Director and Principal Officer. These are highly responsible duties intended to protect the institution, its customers, and the financial ecosystem from abuse by criminals. The PMLA itself places several obligations on reporting entities at the institutional level – obligations that, at the governance level, cannot be discharged without active board engagement.
What Meaningful Board Oversight Looks Like
A governing board that is genuinely discharging its AML/CFT oversight obligation will engage substantively with questions that go beyond the compliance report’s headline metrics. It should ask the following:
On risk: What is the institution’s inherent ML/TF risk profile, and how does it compare to our risk appetite? Has the Business Risk Assessment been reviewed in light of new products, customer segments, or geographies? What are the highest-risk relationships in the portfolio, and are controls over those relationships proportionate?
On effectiveness: What is the quality of our STR output – not just the volume? Are our transaction monitoring thresholds calibrated to our actual risk profile, and when were they last independently reviewed? What did our last independent AML audit find, and what has management done about it? How many of the alerts generated are risk-based?
On accountability: Is the Principal Officer appropriately resourced and empowered? Does the compliance function have direct escalation access to the board when it encounters management resistance to compliance recommendations? What is the consequence framework when control failures are identified?
On AI and technology: If the institution uses AI or machine learning in its transaction monitoring or name screening, does the board understand the model governance framework? Who is accountable for model bias, false negative rates, and the adequacy of human review?
Leadership Tone – The Cultural Multiplier
The greatest multiplier of AML/CFT programme effectiveness is not technology, staffing, or policy documentation. It is the signal that senior leadership and the governing board send through their questions, their resource allocation decisions, their responses to compliance findings, and their personal engagement with AML/CFT as a risk management priority.
For instance, when a Managing Director dismisses a compliance concern as commercially inconvenient, or when a board committee accepts a compliance report without a single substantive question, the message travels downstream through the organisation. When a board’s Risk Committee receives a detailed briefing on ML/TF typologies, asks pointed questions about STR quality and monitoring calibration, and holds management accountable for remediation timelines, the message travels equally far but in the opposite direction.
AML/CFT is no longer a back-office function. It is a board-level fiduciary obligation, a reputational asset and, in an AI-led world where the speed and sophistication of financial crime are accelerating, an area that demands from governing bodies the same analytical rigour they apply to credit risk, capital adequacy, and strategic planning.
Conclusion
Compliance as a Public Good, Not Just an Institutional Obligation
India’s AML/CFT framework exists because the proceeds of crime from drug trafficking, human trafficking, corruption, tax evasion, and terrorism financing cause real harm to real people. Every Suspicious Transaction that a reporting entity detects and reports is a potential disruption of a criminal network. Every beneficial ownership that is accurately identified and verified is one fewer route for illicit funds to enter the formal financial system. Every board that asks the right questions about its institution’s AML/CFT effectiveness is one more governance barrier between criminal proceeds and the economy.
Non-compliance does not merely invite regulatory sanction. It makes the institution an unwitting partner in the predicate crime that generated the funds passing through its systems. The cost of compliance, properly resourced and governed, is real but finite. The cost of complicity – even the unwitting complicity of an institution that did not ask enough questions – is incalculable.