India Anti-Money Laundering (PMLA) Compliance for Foreign Companies

Why Foreign Companies Must Understand India's PMLA

The Prevention of Money Laundering Act, 2002 (PMLA) is India's primary anti-money laundering legislation, enforced by the Enforcement Directorate (ED) and supplemented by regulatory oversight from the Reserve Bank of India, SEBI, and IRDAI. For foreign companies operating through a subsidiary, branch office, or liaison office in India, PMLA compliance is not optional -- it is a criminal law obligation that can result in prosecution of both the entity and its officers.

Between June 2014 and October 2025, the ED registered 6,312 PMLA cases, filed 1,805 prosecution complaints, and secured a conviction rate exceeding 92% in cases decided on merits. In FY 2024-25 alone, provisional attachment orders totalled INR 30,036 crore (approximately USD 3.6 billion), a 141% increase in value over the previous year. These numbers make clear that the PMLA is actively and aggressively enforced.

Foreign companies face particular exposure because cross-border transactions, intercompany fund flows, and multi-jurisdictional structures create the exact patterns that trigger PMLA scrutiny. Understanding the compliance framework is essential for every foreign investor in India.

Scope of PMLA: Who It Covers

Reporting Entities

The PMLA designates specific categories of businesses as "reporting entities" that bear the heaviest compliance burden:

• Banking companies: All banks including foreign bank branches operating in India
• Financial institutions: NBFCs, housing finance companies, and cooperative banks
• Securities intermediaries: Brokers, portfolio managers, mutual funds, and merchant bankers registered with SEBI
• Insurance companies: All entities regulated by IRDAI
• Payment system operators: Including fintech companies and prepaid instrument issuers
• Real estate agents: Agents involved in transactions of INR 50 lakh or above
• Dealers in precious metals: Jewellers and precious stone dealers above threshold transactions
• Virtual digital asset service providers: Crypto exchanges and related platforms (added in 2023)

Non-Reporting Entities

Even companies that are not designated reporting entities face PMLA obligations. Under Section 70, if a company violates any PMLA provision, both the company and any person responsible for its operations at the time of the violation are deemed guilty. This means a foreign private limited company operating in India, even if not a financial institution, must ensure its transactions do not involve proceeds of crime.

Beneficial Ownership: The 10% Threshold

What Changed

The PMLA Rules were amended to reduce the beneficial ownership identification threshold from 25% to 10%. This is one of the most impactful changes for foreign companies, as it dramatically expands the number of individuals who must be disclosed and verified during KYC processes.

Who Qualifies as a Beneficial Owner

Under the current rules, a beneficial owner is any natural person who:

• Holds 10% or more of the ownership interest in a company (shares, capital, or profit entitlement)
• Holds 10% or more of the voting rights
• Exercises effective control over the entity through other means (management rights, veto powers, shareholder agreements)

Impact on Foreign Companies

For a wholly owned subsidiary, the beneficial ownership chain must be traced back to the ultimate natural persons holding 10% or more in the parent company. This means:

• A Japanese parent company with 5 shareholders each holding 20% must disclose all 5 individuals
• A PE fund with multiple limited partners above 10% must identify each qualifying LP
• Complex holding structures through holding companies in Singapore, Mauritius, or the Netherlands require full chain disclosure

Companies must update their beneficial ownership declarations whenever the ownership structure changes, and banks can freeze accounts if beneficial ownership information is not current.

KYC and Customer Due Diligence Requirements

Standard CDD

Reporting entities must conduct customer due diligence at the commencement of any account-based relationship involving INR 50,000 or more. The CDD process includes:

• Verification of the client's identity using officially valid documents
• Identification of the client's source of funds
• Understanding the purpose behind the transaction
• Determining the relationship between parties
• Ascertaining whether the client is acting on behalf of a beneficial owner

Enhanced Due Diligence (EDD)

Reporting entities must apply enhanced due diligence for:

• Politically Exposed Persons (PEPs): Individuals holding prominent public positions in foreign countries or India
• High-risk jurisdictions: Countries identified by FATF as having strategic deficiencies in AML/CFT frameworks
• Complex or unusually large transactions: Transactions with no apparent economic rationale
• Wire transfers above INR 50,000: Requiring originator and beneficiary information

Requirements for Foreign Company Subsidiaries

Foreign company subsidiaries in India must maintain a board-approved KYC policy with four elements:

1. Customer Acceptance Policy: Defining risk categories and acceptance criteria
2. Risk Management: Procedures for assessing and mitigating money laundering risk
3. Customer Identification Policy: Document requirements for different entity types
4. Transaction Monitoring: Systems for flagging suspicious patterns

The RBI's KYC Direction applies to foreign bank branches and subsidiaries, requiring them to apply the stricter of RBI norms or their home country regulations.

Reporting Obligations to FIU-IND

Reporting entities must file multiple categories of reports with the Financial Intelligence Unit - India (FIU-IND):

Cash Transaction Reports (CTR)

Suspicious Transaction Reports (STR)

Cross-Border Wire Transfer Reports (CBWTR)

Property Transaction Reports (PTR)

A transaction can be reported under both CTR and STR simultaneously if it meets both criteria. Failure to file reports can attract a penalty of up to INR 1 lakh per instance from the FIU Director.

Record Maintenance Requirements

Under Section 12 of the PMLA, all reporting entities must:

• Maintain transaction records: All transaction records for 5 years from the date of each transaction
• Maintain identity records: Documents evidencing client identity, beneficial ownership, and account files for 5 years after the business relationship ends
• Preserve business correspondence: All correspondence related to transactions subject to reporting
• Ensure retrievability: Records must be sufficient to permit reconstruction of individual transactions

Foreign companies should note that these retention requirements may conflict with DPDP Act data minimization principles. Companies must navigate both regimes, generally prioritizing PMLA retention requirements where they apply.

Group-Wide AML Programs

Foreign companies operating as part of a multinational group face specific obligations:

• Group-wide AML policies: Must implement programmes against money laundering and terrorist financing across the entire group, including the Indian entity
• Information sharing: Policies for sharing CDD information and risk assessments across group entities, with appropriate confidentiality safeguards
• Consistent standards: Indian subsidiaries of foreign banks must apply the stricter regulation between RBI norms and home country requirements
• Tipping-off prevention: Measures to prevent disclosure of STR filings to customers or unauthorized persons

Multinational companies should ensure their global AML compliance program extends to cover Indian operations, with local customization for PMLA-specific requirements. Companies with FEMA compliance programs should integrate their AML monitoring with FEMA transaction reporting.

Enforcement: The Enforcement Directorate

Powers of the ED

The Enforcement Directorate has expansive powers under the PMLA:

• Provisional attachment: The ED can attach properties suspected to be proceeds of crime for up to 180 days without court approval, extendable through adjudication
• Search and seizure: Powers to search premises, seize documents, and freeze bank accounts
• Arrest: Authority to arrest individuals involved in money laundering offences
• Prosecution: Filing of prosecution complaints (equivalent to chargesheets) before special PMLA courts

Recent Enforcement Statistics

Director and Officer Liability

Under Section 70 of the PMLA, when a company commits a violation, every person who was in charge of or responsible for the company's operations at the time is deemed guilty. This means:

• Resident directors of Indian subsidiaries can be personally prosecuted
• Foreign directors who authorized or directed the non-compliant conduct face liability
• Compliance officers and CFOs may be held responsible for reporting failures

Foreign companies must ensure their Indian directors and officers are adequately briefed on PMLA obligations and that D&O insurance covers PMLA-related proceedings.

FATF Mutual Evaluation and India's Standing

India's 2024 FATF mutual evaluation report confirmed that India has achieved a high level of technical compliance across FATF recommendations. Key findings relevant to foreign companies:

• India has made significant efforts to combat illicit finance despite the scale of its economy and population
• The beneficial ownership transparency framework has been substantially strengthened
• Cross-border cooperation mechanisms under PMLA Chapter IX are operational
• Reporting entity supervision by RBI, SEBI, and IRDAI meets FATF standards

India's positive FATF standing means foreign companies cannot claim ignorance of the AML framework or argue that India's regime is not internationally aligned.

Practical Compliance Steps for Foreign Companies

Step 1: Determine Reporting Entity Status

Assess whether the Indian entity qualifies as a reporting entity under PMLA. Financial services companies, NBFCs, insurance entities, and securities intermediaries are automatically covered. Manufacturing, technology, and service companies that are not reporting entities still face general PMLA obligations.

Step 2: Appoint a Principal Officer

Every reporting entity must designate a Principal Officer responsible for furnishing information to FIU-IND. The Principal Officer must be registered with FIU-IND and is personally accountable for timely and accurate reporting.

Step 3: Implement KYC Program

Develop a board-approved KYC policy covering customer acceptance, risk management, customer identification, and transaction monitoring. Ensure the policy addresses the 10% beneficial ownership threshold and includes procedures for PEP screening.

Step 4: Establish Transaction Monitoring

Implement systems to flag transactions meeting CTR thresholds (INR 10 lakh cash) and CBWTR thresholds (INR 5 lakh cross-border). Separately, develop criteria for identifying suspicious transactions regardless of monetary value.

Step 5: Register with FIU-IND

All reporting entities must register with FIU-IND through their online portal. Registration requires company details, Principal Officer information, and category of reporting entity.

Step 6: Train Staff

All staff involved in customer-facing roles, transaction processing, and compliance functions must receive PMLA training covering red flag identification, reporting procedures, and tipping-off prohibitions.

Step 7: Annual Review

Conduct annual reviews of the AML program effectiveness, update risk assessments, and ensure compliance with any regulatory amendments. Coordinate with annual compliance filings and tax compliance schedules.

Sector-Specific PMLA Considerations

Foreign Banks and NBFCs

Foreign bank branches and NBFC subsidiaries in India face the most intensive PMLA compliance burden. The RBI's KYC Master Direction applies directly, and these entities must maintain a full-service AML compliance infrastructure including automated transaction monitoring systems, dedicated compliance teams, and regular internal audits. Foreign bank branches must apply the stricter of RBI norms or their home country regulations, which often results in layered compliance obligations that exceed what either regime independently requires.

The RBI conducts periodic inspections of foreign bank branches specifically focused on KYC/AML compliance. Deficiencies identified during inspection can result in monetary penalties, restrictions on business expansion, and reputational damage. Several foreign bank branches have received regulatory action from the RBI for KYC process failures, even when their global AML programs met home country standards.

Manufacturing and Trading Companies

Foreign manufacturing subsidiaries and trading companies are not designated reporting entities, but they face PMLA exposure through multiple channels. Their banking relationships subject their transactions to scrutiny by the bank's AML monitoring systems. Large cash transactions at factory sites, vendor payments through informal channels, and unusual patterns in receivables can trigger STR filings by the company's bank without the company's knowledge.

Manufacturing companies with complex supply chains should pay particular attention to vendor due diligence. If a supplier is later found to be connected to money laundering activities, the company's transactions with that supplier may be scrutinized by the ED. Implementing basic KYC procedures for significant vendors, even though not legally required, provides a valuable defence layer.

Real Estate and Construction

Foreign companies investing in Indian real estate through permissible FDI routes face PMLA exposure because real estate agents involved in transactions of INR 50 lakh or above are designated reporting entities. The real estate sector has historically been a focus area for ED enforcement, and transactions involving foreign-owned entities receive heightened attention.

Companies should ensure all property transactions are fully documented with clear audit trails connecting the source of funds to legitimate business activities. Transfer pricing documentation for intercompany funding of property acquisitions provides additional protection against PMLA scrutiny.

Fintech and Payment Companies

Foreign fintech companies operating in India, whether through subsidiaries or partnerships, face expanding PMLA obligations. Payment system operators are designated reporting entities, and the RBI has issued specific guidelines on AML compliance for fintech entities. Virtual digital asset service providers were added as reporting entities in 2023, requiring crypto exchanges and related platforms to register with FIU-IND and implement full KYC/AML programs.

The expansion of PMLA to cover virtual digital assets is particularly relevant for foreign fintech companies offering crypto trading, DeFi services, or blockchain-based financial products in India. Non-compliance can result in both PMLA prosecution and loss of the FIU-IND registration needed to operate legally.

Cross-Border Cooperation Under PMLA

Chapter IX of the PMLA establishes a framework for international cooperation in anti-money laundering enforcement:

• Reciprocal arrangements: India can enter into agreements with foreign countries for mutual legal assistance in PMLA investigations, including attachment and confiscation of proceeds of crime located abroad.
• Letters rogatory: Indian courts can issue letters rogatory to foreign jurisdictions to assist in PMLA proceedings, and India honours similar requests from countries with reciprocal arrangements.
• FATF membership: As a FATF member, India participates in the global AML information-sharing network and cooperates on cross-border money laundering investigations.
• Information exchange: FIU-IND exchanges financial intelligence with counterpart FIUs globally through the Egmont Group network.

For foreign companies, this cross-border framework means that PMLA violations by the Indian subsidiary can trigger enforcement actions in the parent company's home jurisdiction. Conversely, AML violations by the parent company abroad may result in increased ED scrutiny of the Indian operations.

Internal Compliance Framework: Building Blocks

Foreign companies should implement the following internal compliance framework for PMLA readiness:

Governance Structure

• Board-level oversight: The Board of Directors of the Indian entity must approve the AML/KYC policy and review it annually.
• Principal Officer: A senior management-level employee designated as the Principal Officer, registered with FIU-IND, with direct reporting line to the Board.
• Compliance committee: A cross-functional team including legal, finance, operations, and IT representatives to oversee AML program implementation.

Risk Assessment

• Entity-wide risk assessment: Annual assessment of money laundering and terrorist financing risks based on customer base, product/service offerings, geographic exposure, and transaction patterns.
• Customer risk categorization: Classification of customers into low, medium, and high-risk categories with corresponding due diligence levels.
• New product/service risk review: Assessment of AML risks before launching new products, services, or entering new business relationships.

Technology Requirements

• Transaction monitoring system: Automated systems to flag transactions meeting CTR thresholds, unusual patterns, and sanctions matches.
• Sanctions screening: Real-time screening against UN, FATF, and Indian government sanctions lists for all customer onboarding and transactions.
• Record management: Digital systems capable of storing and retrieving 5 years of transaction records, customer identification documents, and correspondence.

Common Pitfalls for Foreign Companies

• Treating PMLA as a banking-only issue: Even non-financial companies face PMLA obligations through their banking relationships and intercompany transactions.
• Incomplete beneficial ownership disclosure: The 10% threshold catches many shareholders that were previously below the 25% radar. Failure to update disclosure when ownership changes is a common violation.
• Ignoring cross-border wire transfer reporting: Every intercompany payment, intercompany transfer, royalty remittance, and dividend repatriation above INR 5 lakh triggers CBWTR obligations for the bank.
• No tipping-off protocols: Informing a customer that an STR has been filed is a criminal offence. Companies must train staff on confidentiality requirements.
• Relying solely on parent company AML programs: The Indian entity must have a locally customized AML program that meets PMLA-specific requirements, even if the parent has a global AML framework.
• Inadequate record retention: 5-year retention requirements apply from the date of each transaction, not from the end of the business relationship for transaction records.

Key Takeaways

• The PMLA applies to all companies operating in India, not just financial institutions. Foreign companies face additional scrutiny due to cross-border transaction patterns.
• Beneficial ownership disclosure now starts at 10% (reduced from 25%), requiring many foreign companies to update their declarations.
• The Enforcement Directorate has a 92%+ conviction rate and attached INR 30,036 crore in assets in FY 2024-25 alone -- enforcement is real and aggressive.
• Cross-border wire transfers above INR 5 lakh, cash transactions above INR 10 lakh, and any suspicious transactions must be reported to FIU-IND.
• Director and officer liability under Section 70 means personal prosecution is possible -- ensure adequate D&O insurance and compliance training.