Anti-money laundering compliance has two halves. The first is knowing your customer, verifying identity and assessing risk at onboarding. The second is watching what those customers do and reporting the transactions that matter to the authorities. This guide is about the second half: your reporting obligations under India's Prevention of Money Laundering Act.
For banks, NBFCs, payment firms, and other reporting entities, PMLA reporting is not a background task. Missed, late, or poor-quality filings carry monetary penalties and regulatory action, and enforcement has intensified sharply. Getting the reporting right, consistently and at scale, is now a core compliance discipline.
What PMLA reporting requires
The Prevention of Money Laundering Act, 2002 (PMLA) requires designated reporting entities to furnish information about specified transactions to the Financial Intelligence Unit – India (FIU-IND), the national agency that receives and analyses financial intelligence and passes it to law enforcement.
The obligation flows primarily from Section 12 of the PMLA, read with the Prevention of Money-Laundering (Maintenance of Records) Rules, 2005. Together they require reporting entities to maintain prescribed records, run customer due diligence, and file transaction reports through the channels FIU-IND specifies in consultation with sectoral regulators such as the RBI, SEBI, and IRDAI.
Two roles anchor the framework inside each institution. The Principal Officer is the nodal point responsible for filing reports to FIU-IND, and the Designated Director is the senior or board-level individual accountable for overall AML compliance. Both must be appointed formally, and their details communicated to FIU-IND. Coordination between FIU-IND and the RBI tightened further with a Memorandum of Understanding signed in April 2025 to streamline how reporting entities file and how intelligence is shared.
Who is a reporting entity?
PMLA reporting obligations apply to a broad and expanding set of entities. Under the Act, a reporting entity includes banking companies, financial institutions such as NBFCs and housing finance companies, and intermediaries registered with SEBI such as stockbrokers, mutual funds, and portfolio managers. Insurance companies, payment system operators, and authorised dealers are covered too.
The perimeter has widened in recent years. Persons carrying on designated businesses and professions, including real estate agents and dealers in precious metals and stones, fall within scope. And following 2023 amendments, Virtual Digital Asset service providers, crypto exchanges and similar platforms, are now reporting entities required to register with FIU-IND and meet the full AML obligations. FIU-IND has acted against offshore platforms that failed to register, demonstrating that location outside India is not a shield.
If your institution handles high-value or high-risk financial transactions in India, PMLA reporting is almost certainly mandatory, and registration with FIU-IND is the starting point.
The main report types under PMLA
Reporting entities file several distinct report types, each triggered by a different condition. Understanding which applies is the foundation of compliant reporting.
Suspicious Transaction Report (STR). The most important and most sensitive report. An STR is filed whenever a transaction gives rise to a reasonable suspicion of money laundering or terrorist financing, regardless of amount. STR filing is substance-based, not threshold-based: a small transaction can warrant an STR if the circumstances are suspicious.
Cash Transaction Report (CTR). Filed for cash transactions exceeding ₹10 lakh in a month, including a series of linked cash transactions that together cross the threshold. Unlike the STR, the CTR is purely threshold-based, so even genuine, legitimate transactions above the limit must be reported.
Cross-Border Wire Transfer Report (CBWTR). Required for cross-border wire transfers above ₹5 lakh, a key tool in detecting trade-based money laundering.
Counterfeit Currency Report (CCR). Filed when counterfeit or forged currency is encountered.
Non-Profit Organisation Transaction Report (NTR). Covers specified transactions involving non-profit organisations.
A critical rule runs across all of this: tipping-off is strictly prohibited. Under the PMLA, a reporting entity, its directors, and its employees must keep the fact of filing, and the content of any STR, strictly confidential. No information about an STR may be disclosed to the customer or any unauthorised person, before, during, or after filing.
Timelines and how reports are filed
The timelines are strict and differ by report type. A Suspicious Transaction Report must be filed within seven working days of the reporting entity forming its suspicion. Cash Transaction Reports and other specified reports such as NTRs are due by the 15th of the month following the transactions. Reports are submitted electronically through FIU-IND's reporting portal, FINGate 2.0.
Record-keeping obligations run alongside the reporting itself. Reporting entities must preserve client identification and transaction records for at least five years, and must retain sufficient detail to reconstruct individual transactions, their nature, amount, date, and the parties involved, for investigation purposes. Where records relate to an ongoing investigation or a transaction already disclosed to FIU-IND, they must be kept until the case is confirmed closed.
FIU-IND also increasingly expects a consolidated monthly report covering key metrics, compliance status, and reporting statistics, and it places heavy emphasis on the quality of STRs, not just their timeliness. A report filed with incomplete client KYC, missing counterparty information, or vague grounds for suspicion is a compliance weakness even if it was filed on time.
Where PMLA reporting goes wrong
Understanding the obligations is straightforward. Meeting them consistently, across high transaction volumes and multiple report types, is where reporting entities struggle.
The recurring failure points are these. Detection is the hardest: identifying genuinely suspicious activity in a flood of transactions is difficult with manual monitoring, and weak detection produces both missed STRs and low-quality ones. Timelines are unforgiving, and the seven-working-day STR window leaves little room for manual bottlenecks. Report quality suffers when the data needed, KYC details, transaction history, counterparty information, sits in disconnected systems that a human has to stitch together under time pressure. And the tipping-off prohibition means the whole process has to be handled with strict confidentiality controls.
How Finnulate supports PMLA reporting
Finnulate supports the compliance programme around PMLA reporting, keeping the obligations, controls, and evidence behind your filings structured, monitored, and audit-ready.
- Regulatory ingestion and requirement extraction: Changes to PMLA rules and FIU-IND directions are ingested and converted into structured obligations and tasks, so reporting requirements stay current as the framework evolves.
- Lineage across regulatory change: When FIU-IND updates a reporting requirement or timeline, lineage shows exactly which controls and processes are affected.
- Continuous monitoring through the Autonomous Compliance Module: Rule-based checks monitor whether reporting controls, from threshold triggers to filing deadlines, are operating as intended.
- No-code rule building with validation: Compliance teams define and test monitoring logic for reporting obligations without engineering support, and validate rules against historical data.
- Audit readiness by design: Every check, decision, and filing-related action is logged with timestamps and ownership, producing the defensible record FIU-IND and regulators expect, while supporting the confidentiality the tipping-off rule demands.
- Plain-language explainability: Reporting logic and outcomes are explained in business terms for the Principal Officer, Designated Director, auditors, and regulators.
PMLA reporting is the enforcement-facing half of your AML programme, and it is unforgiving of manual error. Between substance-based STRs, threshold-based CTRs, strict timelines, absolute confidentiality, and a growing regulatory emphasis on report quality, the reporting burden has outgrown what spreadsheets and manual monitoring can reliably handle. Automation does not replace the judgement of the Principal Officer, it gives that judgement better data, earlier detection, and a defensible evidence trail. To see how Finnulate helps institutions manage PMLA reporting at scale, book a demo.
