CROSS-BORDER INVESTIGATIONS BETWEEN INDIA AND THE UAE

Key Takeaway

Three legal developments have materially changed the exposure calculus for Indian companies with operations in or through the United Arab Emirates (“UAE”). First, the Delhi High Court's ruling in Adnan Nisar v. Directorate of Enforcement in September 2024 confirmed that the Enforcement Directorate (“ED”) can investigate money laundering grounded in a foreign predicate offence where the proceeds reach India. Second, the UAE’s removal from the Financial Action Task Force (“FATF”) Grey List in February 2024 has made formal mutual legal assistance a more practical enforcement channel. Third,  India’s DPDP framework, including the Digital Personal Data Protection Rules (notified in November 2025) (“DPDP Rules 2025”), now requires companies to think much more carefully about how investigation data is collected, retained and shared across borders. Each development has concrete consequences for companies that have not yet adjusted their investigation frameworks.

I. Introduction

Indian companies have long maintained operating subsidiaries, holding structures, and regional finance entities in the UAE, with the bilateral investment framework between the two countries further strengthened by the India–UAE Comprehensive Economic Partnership Agreement, which entered into force on 1 May 2022, and the India–UAE Bilateral Investment Treaty, which entered into force on 31 August 2024.[1] When an enforcement inquiry or fraud allegation surfaces in one jurisdiction, it tends to generate legal exposure in the other jurisdiction.

The legal framework governing cross-border money laundering investigations has been in place since the Prevention of Money Laundering Act, 2002 (“PMLA”) was amended in 2009 and 2013. What has changed is how courts and enforcement agencies are applying it, and the tools now available to the ED when investigating India-UAE transactions. This article examines three developments that have altered the practical landscape. The first is the judicial consolidation of the ED's power to investigate foreign-origin predicate offences where proceeds reach India, and the procedural framework that now surrounds that power. The second is the operationalisation of the bilateral Mutual Legal Assistance Treaty (“MLAT”) architecture following the UAE's FATF delisting. The third is the emergence of India’s DPDP framework, including the Digital Personal Data Protection Act, 2023 (“DPDP Act 2023”) and the notified DPDP Rules 2025, which affects how cross-border evidence collection must be structured.

II. The ED's Jurisdiction over Foreign Predicate Offences

The 2009 amendment to the PMLA inserted Section 2(1)(ra),[2] which defines "offence of cross border implications" to cover, among other things, any offence committed outside India that corresponds to a scheduled offence where the proceeds are transferred to India. Read with Section 2(1)(ia),[3] which defines "corresponding law" to include any foreign criminal statute corresponding to a PMLA scheduled offence, the provision creates a deeming fiction: a foreign offence, once matched to a Part C scheduled offence, is treated as a predicate for PMLA purposes.

Two analytically distinct questions arise from this framework: first, whether the ED has substantive jurisdiction under Sections 2(1)(ra), 2(1)(ia) and Part C of the Schedule; and second, how that jurisdiction is exercised procedurally, including through Chapter IX of the PMLA in cross-border cases. These questions are related but must be kept separate.

In Adnan Nisar v. Directorate of Enforcement,[4] the Delhi High Court applied this framework to a US-origin cryptocurrency fraud. The court held that once the proceeds of crime are brought into India the money laundering offence is complete here, requiring no sanction under the Code of Criminal Procedure for acts committed abroad. Importantly, Section 60 of the PMLA, which governs action in India upon receipt of a request from a contracting State, authorises the ED to conduct a full inquiry and arrest accused persons on an incoming MLAT request, not merely to execute the steps mentioned in that request. However, one constraint applies: foreign law must be proved by expert evidence at trial,[5] and without such proof, the ED cannot invoke any Section 24 presumption requiring the accused to show assets are untainted.[6] This defence operates only at trial, not at the investigation or attachment stage.

Three subsequent cases illustrate the reach of this reasoning. In Banmeet Singh v. Directorate of Enforcement[7], the Uttarakhand High Court refused bail in an independent Indian PMLA prosecution initiated on the basis of information received from US authorities, holding that untraceable proceeds of drug trafficking remained subject to Indian prosecution notwithstanding a prior US conviction. In Amrit Pal Singh v. Directorate of Enforcement[8], the Delhi High Court denied anticipatory bail to the director of a Hong Kong company that had received fraudulent remittances from Indian shell entities. In Brij Bala Kapur,[9] PMLA proceedings extended to the directors of Indian companies that had routed Rs 428 crore in forged remittances to UAE and Hong Kong entities. Across all three, the ED's jurisdiction followed the proceeds regardless of where the predicate conduct occurred.

III. The UAE's FATF Delisting and Bilateral Enforcement Channels

The FATF removed the UAE from its list of jurisdictions under increased monitoring on 23 February 2024.[10] The UAE had been grey-listed since March 2022 following a mutual evaluation that identified deficiencies in its anti-money laundering and counter-terrorism financing regime. FATF recognised that the UAE had made significant progress in addressing previously identified AML/CFT deficiencies, including in areas relevant to international cooperation.

India and the UAE are parties to a bilateral MLAT covering mutual assistance in the investigation and prosecution of crime, including collection of evidence, examination of witnesses, and execution of attachment or freezing orders.[11] Chapter IX of the PMLA provides the domestic statutory framework through which reciprocal assistance is operationalised. Section 60 of the PMLA authorises the ED to effect attachment and seizure on receipt of a letter of request from a contracting state. As the court in Adnan Nisar confirmed (see above), the ED's powers on receipt of an incoming MLAT request extend beyond mere execution of the specific steps requested.[12]

The practical significance of the UAE’s FATF delisting lies in what it signals about the UAE’s outbound cooperation posture. During the grey-listing period, FATF had identified weaknesses in the effectiveness of the UAE’s international cooperation and mutual legal assistance framework. Consequently, demonstrable improvement on international cooperation was one of the commitments the UAE had to fulfil to achieve removal. A letter of request from the ED to Dubai, during that period, was being routed into a system that FATF had formally flagged as underperforming on exactly this metric. Post de-listing in 2024, that constraint no longer applies.

The procedural architecture now works as follows: Chapter IX of the PMLA operationalises reciprocal assistance with contracting States. Specifically, Section 56 provides the framework for reciprocal arrangements with foreign countries. Section 57 covers outbound requests from India: where evidence located abroad is required in the course of a PMLA investigation, the Special Court may issue a letter of request to the contracting State. By contrast, Section 60 addresses incoming requests and execution within India on receipt of a request from a contracting State. Through the treaty channel, the UAE’s competent authority may, under UAE law, compel production of banking records, transaction data, and beneficial ownership information from financial institutions in Dubai. The ED obtains what amounts to a coercive disclosure order executed under UAE law.

This is materially different from a company’s own internal investigation: a company cannot compel its UAE subsidiary to produce records over the objection of local management or local counsel, and it has no mechanism to reach records held by UAE banks with which it transacted.  The ED, by contrast, can access such records through a coercive state-to-state process unavailable to a private company, subject to the treaty route and UAE law. An investigation that opens as a domestic PMLA inquiry in Delhi can reach banking records in Dubai through a single letter of request, which the company’s internal investigation may never have been able to access independently. Crucially, those records are obtained under conditions that make them usable as evidence in Indian criminal proceedings, which is something that informal internal disclosure cannot guarantee.

IV. The DPDP Framework and Cross-Border Evidence Collection

Internal investigations are, in operational terms, evidence collection exercises. The DPDP Act 2023 and the DPDP Rules 2025[13] govern how that collection is conducted whenever personal data of Indian data principals is involved.

 The DPDP Act 2023 adopts a negative-list approach to cross-border transfers, and the DPDP Rules 2025 have been notified with staggered commencement dates.[14] Personal data may generally be transferred outside India unless the Central Government notifies a restricted jurisdiction, subject always to any more protective restrictions under sector-specific law.[15] The UAE has not been designated a restricted jurisdiction as of March 2026. Transfers of personal data from India to the UAE are therefore permissible under the current framework, which matters for investigations in which evidence must be reviewed by a UAE-based legal counsel or later produced through formal state-to-state cooperation channels.

Two qualifications, however, limit that default position. The investigation-related exemption under Section 17(1)(c) disapplies certain data protection obligations where processing is necessary for the prevention, detection, investigation, or prosecution of offences under Indian law.[16] Whether and to what extent a privately conducted internal investigation would fall within the statutory carve-outs remains unsettled in practice.  The Data Protection Board of India has not issued interpretive guidance on this question, and building investigation protocols around an exemption of uncertain scope carries regulatory risk.

The second qualification arises under the sector-specific savings provision in Section 38, which preserves obligations under other laws that confer greater protection on personal data.[17] For financial sector entities, the RBI's Master Directions on Fraud Risk Management require preservation of evidentiary records, and the 2018 data localisation circular requires payment system data to remain within India. Transferring payment data offshore in the course of an investigation may satisfy the DPDP default while breaching an obligation the DPDP Act does not displace.

V. What This Means for Indian Companies

On PMLA exposure, the case law together confirms that the ED's jurisdictional reach follows the proceeds rather than the place of the underlying conduct. Brij Bala Kapur and Amrit Pal Singh demonstrate that both the Indian entities that route proceeds abroad and the foreign entities that receive them can face PMLA scrutiny. Companies should review intercompany transactions, related-party remittances, and intra-group funding arrangements through a PMLA lens: the question is whether inbound flows from Dubai-side entities, if the ED were to characterise them as proceeds of a scheduled offence, could sustain a case under Indian law. That assessment requires dual-jurisdiction legal advice and cannot rest on the UAE-side characterisation of the transaction alone.

Three features of the PMLA investigation framework bear directly on how an internal investigation in this context should be designed. First, statements recorded in response to Section 50 summons are judicial proceedings and are regularly relied upon by the ED in bail applications and in the prosecution complaint.[18] The legal counsel should advise each person summoned (such as suspects, relevant officers, or custodians) before they respond to the summons, and the order in which employees are summoned should be decided in advance. A statement from a lower-level employee obtained early in the investigation can narrow the factual positions available to a senior officer later in the same proceedings. UAE-based employees present a specific risk: they are unlikely to have prior exposure to the PMLA framework, may assume that a summons issued from India carries no immediate consequence for them, and may give statements that are inconsistent with those of their India-based counterparts. Getting this wrong at the Section 50 stage is difficult to remedy later.

Second, in Sarla Gupta v. Directorate of Enforcement[19] the Supreme Court held that a person from whose premises documents are seized is entitled to copies of all seized material, including documents not relied upon in the prosecution complaint. The practical consequence is that materials produced during an internal investigation (such as interview notes, forensic reports, and document reviews) that are subsequently seized by the ED during a search under Section 17 or 18 become part of the record accessible to every accused in the PMLA proceedings, including co-accused and their counsel. A company cannot, at that point, treat those materials as confidential. This means that the question of privilege must be addressed before evidence is collected, not after. Communications between the company and its counsel, made for the purpose of seeking legal advice, attract legal professional privilege and should be kept separate from factual materials gathered in the course of the investigation. Where an external forensic firm or auditor is engaged, clear instructions should record the purpose for which their findings are being obtained and to whom they are addressed.

Third, in Anirudh Pratap Agarwal v. Enforcement Directorate[20] the Delhi High Court held that the ED must record written reasons to believe before conducting a search, forward those reasons and the supporting material to the Adjudicating Authority under Section 17(2), and complete the retention and confirmation procedure before any property can be treated as frozen. A communication from the ED that does not follow this sequence (for instance, an informal direction to a bank to freeze an account without a formal provisional attachment order) is not a lawful freezing direction, and a financial institution that acts on it without verifying procedural compliance does so at its own risk. Companies and their banks should verify the procedural basis of any ED communication before treating it as operative.

On cross-border evidence, companies should map where relevant documents sit before any internal investigation expands to UAE-side materials. If documents are held on UAE servers or by UAE affiliates, transferring them to India for review raises obligations under the DPDP framework: the legal basis for the transfer must be identified before the transfer takes place, and sector-specific obligations (including the RBI's data localisation requirements for payment system data) must be assessed separately. Penalties for data security failures under the DPDP Act reach up to INR 250 crore, and the manner of collection may itself generate regulatory exposure and evidentiary challenges in subsequent proceedings.

Lastly, under Section 70 of the PMLA,[21] every person who was in charge of and responsible for the conduct of the company at the relevant time may face personal liability if the underlying transaction is found to constitute a predicate offence. The defences of lack of knowledge and exercise of due diligence are available, but they require affirmative evidence: board minutes, escalation records, compliance reports, and contemporaneous documentation of the oversight exercised over the Dubai-side transaction. A company that cannot produce that documentation when it is needed will find both defences difficult to sustain. Finally, for PMLA complaints filed on or after 1 July 2024, Kushal Kumar Agarwal[22] confirms that the accused is entitled to be heard under Section 223(1) of the Bharatiya Nagarik Suraksha Sanhita, 2023 (“BNSS”) before the Special Court takes cognizance. This is an opportunity to place on record objections to the sufficiency and procedural regularity of the complaint before the court is seized of the matter, and it is one that requires prior preparation of the legal and factual response to the prosecution complaint.

VI. Conclusion

The three developments examined in this article do not operate in isolation. The ED's expanded cross-border reach, a now-functional MLAT channel, and a live data protection framework together create an enforcement environment that Indian companies with UAE structures have not previously had to navigate. The practical steps identified in this article, including reviewing transaction structures, designing investigation protocols, and mapping data flows before any inquiry expands, are not precautionary in the abstract. For companies that have not yet taken them, the risk is that the first occasion on which they are addressed is after the ED has already acted.

[1] India-UAE Comprehensive Economic Partnership Agreement, entered into force 1 May 2022; India-UAE Bilateral Investment Treaty, entered into force 31 August 2024.

[2] Prevention of Money Laundering Act 2002 (“PMLA”), s. 2(1)(ra), inserted by the Prevention of Money Laundering (Amendment) Act, 2009.

[3] PMLA, s. 2(1)(ia).

[4] Adnan Nisar v Enforcement Directorate 2024 SCC OnLine Del 6498.

[5] ibid; Bharatiya Sakshya Adhiniyam 2023, s. 57; Hari Shanker Jain v Sonia Gandhi (2001) 8 SCC 233; Mundipharma AG v Wockhardt Ltd. 1990 SCC OnLine Del 269.

[6] PMLA, s 24.

[7] Banmeet Singh v Enforcement Directorate 2025 SCC OnLine Utt 4094 (Second Bail Application); Banmeet Singh v Enforcement Directorate, 2025 SCC OnLine Utt 158 (First Bail Application).

[8] Amrit Pal Singh v Enforcement Directorate 2025 SCC OnLine Del 4613.

[9] Brij Bala Kapur v Enforcement Directorate 2024 SCC OnLine Del 846.

[10] Financial Action Task Force, ‘Outcomes FATF Plenary, 21–23 February 2024’ (FATF, Paris, February 2024).

[11] Treaty Between the Republic of India and the United Arab Emirates on Mutual Legal Assistance in Criminal Matters; PMLA, ss 56, 57 and 60.

[12] Adnan Nisar (n 4).

[13] Digital Personal Data Protection Act 2023; Digital Personal Data Protection Rules 2025, G.S.R. 846(E), notified 13 November 2025.

[14] Specifically, Rules 1, 2, and 17–21 came into force on publication (13 November 2025); Rule 4 comes into force one year after publication; and Rules 3, 5–16, 22, and 23 come into force eighteen months after publication. See DPDP Rules 2025, r 1(2)-(4).

[15] DPDP Act 2023, s 16(1); DPDP Rules 2025, r 15. Rule 15 will come into full force in May 2027; however, no jurisdiction has been designated as restricted, and companies should structure their evidence-collection protocols now in anticipation of the framework's full operation.

[16] DPDP Act 2023, s 17(1)(c).

[17] DPDP Act 2023, s 38; Reserve Bank of India, Reserve Bank of India (Fraud Risk Management in Commercial Banks (including Regional Rural Banks) and All India Financial Institutions) Directions 2024, RBI/DOS/2024-25/118DOS.CO.FMG.SEC. No.5/23.04.001/2024-25 (15 July 2024); RBI Circular on Storage of Payment System Data,  DPSS.CO.OD.No 2785/06.08.005/2017-18 dated (06 April 2018).

[18] Banmeet Singh (n 7) (First Bail Application), citing Rohit Tandon v Directorate of Enforcement (2018) 11 SCC 46.

[19] Sarla Gupta v Directorate of Enforcement (2025) 7 SCC 626.

[20] Anirudh Pratap Agarwal v Enforcement Directorate, Misc. Appeal (PMLA) 21 of 2024 (Delhi High Court).

[21] PMLA, s 70.

[22] Kushal Kumar Agarwal v. Enforcement Directorate 2025 SCC OnLine SC 1221, relying on Tarsem Lal v Enforcement Directorate (2024) 7 SCC 61.

Co-authored by Pranshu Gupta