KYC/AML Operational Controls for Crypto Firms: Beyond the Checkbox
Most crypto firms treat KYC/AML as a one-time onboarding step rather than a continuous operational programme. This approach satisfies the letter of the regulation while leaving the firm exposed to regulatory enforcement, reputational damage, and facilitation of financial crime.
The Difference Between KYC/AML Compliance and AML Operations
There is a distinction that regulators understand and most crypto founders do not: the difference between having a compliance posture and running a compliance programme. Compliance posture means having an AML policy document, a registered money services business licence, and a named Money Laundering Reporting Officer (MLRO). It satisfies the first question a regulator asks. AML operations means running those controls daily: screening customers, triaging transaction monitoring alerts, escalating suspicious activity, filing Suspicious Activity Reports (SARs), and updating risk assessments as the threat landscape evolves.
The vast majority of crypto firms that have faced enforcement action were not operating without policies. They had policies. What they lacked was the operational infrastructure to implement those policies consistently. The gap between what is written in a compliance manual and what happens on the trading floor, in the customer onboarding queue, and in the transaction monitoring system is precisely where regulators focus their examinations.
This guide addresses that gap. It covers the regulatory requirements that apply to virtual asset service providers (VASPs) across the major jurisdictions, the operational controls required to meet those requirements, and the technology stack needed to run them at scale.
"Most crypto enforcement actions are not the result of firms having the wrong policies. They result from firms that had policies on paper but no operational programme to implement them. The gap between documented compliance and daily operations is where regulators look."
The Regulatory Landscape: What Applies to Crypto Firms
The regulatory environment for crypto AML has matured significantly since 2022. Firms operating across multiple jurisdictions must now navigate a layered set of obligations. The frameworks below are not optional for firms seeking institutional credibility or long-term operating licences.
FATF and the Travel Rule
The Financial Action Task Force (FATF) sets the global standard for AML/CFT. Its 2019 revision to Recommendation 16, commonly called the Travel Rule, requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers at or above the USD/EUR 1,000 threshold. This mirrors the wire transfer rules that have applied to banks for decades. The Travel Rule does not specify a single technology solution; it specifies an outcome: that receiving VASPs can identify who sent funds and sending VASPs can identify who received them.
FATF mutual evaluations now assess jurisdictions on their implementation of the Travel Rule for VASPs. Firms operating in jurisdictions rated non-compliant face increased correspondent banking pressure and de-risking by financial institutions.
MiCA and the EU Transfer of Funds Regulation
The Markets in Crypto-Assets Regulation (MiCA), which entered full effect in December 2024, requires crypto-asset service providers (CASPs) authorised in the EU to implement AML/CFT programmes consistent with the EU's Anti-Money Laundering Directive. The accompanying Transfer of Funds Regulation (TFR) applies the Travel Rule to all crypto transfers regardless of amount, removing the EUR 1,000 floor that applies elsewhere. For EU-regulated firms, every transfer requires accompanying customer data. See our guide to MiCA compliance obligations for the full authorisation requirements.
VARA in Dubai
The Virtual Assets Regulatory Authority (VARA) in Dubai requires all licensed VASPs to implement AML/CFT programmes under the UAE's Federal Decree-Law No. 20 of 2018 and VARA's own rulebook. Requirements include quarterly business risk assessments, transaction monitoring, sanctions screening against UN, OFAC, and UAE Central Bank lists, and a designated MLRO who must meet VARA's fit-and-proper criteria. Our guide to VARA compliance in Dubai covers the full licensing framework.
FCA Registration in the UK
In the United Kingdom, crypto firms must register with the Financial Conduct Authority (FCA) under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. Registration requires demonstrating that the firm has adequate AML systems and controls, a competent MLRO, and policies covering customer due diligence, transaction monitoring, and SAR filing. The FCA's rejection rate for VASP registrations has remained high, with the majority of applications withdrawn or refused due to inadequate AML frameworks.
FinCEN and the Bank Secrecy Act in the United States
US-facing crypto firms must register with the Financial Crimes Enforcement Network (FinCEN) as Money Services Businesses (MSBs) under the Bank Secrecy Act. MSB obligations include implementing a written AML programme, designating a compliance officer, conducting ongoing training, and filing Currency Transaction Reports (CTRs) and SARs. State-level money transmitter licences impose additional AML requirements. The Department of Justice and FinCEN have shown willingness to pursue criminal charges against founders and compliance officers personally when systemic AML failures are present.
For Latin American jurisdictions and DASP frameworks, see our guide to DASP compliance in Latin America.
Building a Customer Due Diligence Programme
Customer due diligence (CDD) is the foundation of every AML programme. Without knowing who your customers are, you cannot identify suspicious activity. Without ongoing CDD, your initial verification becomes outdated the moment your customer's risk profile changes.
The Risk-Based Approach
All major AML frameworks require a risk-based approach (RBA): the intensity of due diligence applied to a customer must be proportionate to the risk that customer presents. This means not all customers are treated identically at onboarding. A retail customer depositing small amounts from a domestic bank account presents a materially different risk profile from a corporate entity incorporated in a high-risk jurisdiction, transacting in large volumes, with a complex beneficial ownership structure.
A risk-based approach requires a written customer risk assessment methodology. This methodology must define the factors that elevate a customer's risk classification (geography, transaction volume, business type, PEP status, adverse media) and the due diligence tier triggered at each classification level.
Standard Customer Due Diligence
Standard CDD applies at onboarding for customers classified as lower or medium risk. It includes: identity verification (government-issued document plus biometric liveness check), address verification, sanctions screening against relevant lists (OFAC, UN, EU, UK, UAE), and Politically Exposed Person (PEP) screening. For corporate customers, standard CDD includes company registration verification and beneficial ownership identification to the natural person level, applying the threshold your jurisdiction requires (typically 10% or 25% ownership).
Identity verification should be conducted through an automated platform with a documented fraud detection capability. Manual document review without liveness detection is inadequate for remote digital onboarding and will not satisfy modern regulatory expectations.
Enhanced Due Diligence
Enhanced due diligence (EDD) applies when a customer's risk profile crosses the threshold defined in your risk assessment methodology. Standard EDD triggers include: presence on a PEP list or close association with a PEP; customer or counterpart domiciled in a FATF high-risk or monitored jurisdiction; complex or opaque corporate structure; transaction volumes materially above peer benchmarks; adverse media linking the customer or associated parties to financial crime; and source of funds that cannot be verified through standard means.
EDD requires additional evidence: source of wealth documentation, source of funds evidence, enhanced sanctions screening, adverse media screening through specialist databases, and senior management approval before onboarding proceeds. EDD customers require more frequent periodic review and lower alert thresholds in transaction monitoring.
Simplified Due Diligence
Simplified due diligence (SDD) is available in some jurisdictions where the customer or product is assessed as presenting very low money laundering risk. In practice, SDD is rarely appropriate for crypto VASPs: the pseudonymous nature of blockchain transactions and the global reach of crypto platforms mean that even apparently low-risk retail customers can rapidly escalate to high-risk activity. Firms that apply SDD broadly are exposed to regulatory challenge if that approach is not robustly justified in their risk assessment.
Ongoing KYC and Periodic Review
Initial onboarding KYC is not sufficient. AML regulations require that customer information remains accurate and that the firm's assessment of customer risk is updated when circumstances change. Ongoing KYC consists of two components: periodic review (scheduled re-verification based on risk tier, typically annually for high-risk and every two to three years for standard) and trigger-based re-KYC (initiated by a specific event, such as a significant change in transaction behaviour, a large unusual transaction, adverse media, or the customer informing the firm of a change in business or ownership).
Ongoing KYC requires a documented workflow and a system to track review due dates. Firms with large customer bases that attempt to manage ongoing KYC manually will find it becomes operationally unmanageable within months of growth, creating a backlog that constitutes a regulatory gap.
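The risk-based approach, the EDD triggers and the periodic and trigger-based review cycle described above fit together as one piece of logic. The following is an added example, not code from the original guide or from any vendor named in it: a hypothetical scoring methodology in which any EDD trigger forces the high tier, other factors contribute to a score, and the tier sets the review interval (annual for high risk, two to three years otherwise). The jurisdiction codes, weights, thresholds and trigger-event names are placeholders that a firm's own written methodology would replace.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed placeholder jurisdiction codes; a real methodology would reference the
# current FATF high-risk and monitored lists plus the firm's own country risk ratings.
HIGH_RISK_JURISDICTIONS = {"XX"}
MEDIUM_RISK_JURISDICTIONS = {"YY"}

# Hypothetical event names that force re-KYC outside the scheduled review cycle.
REKYC_TRIGGER_EVENTS = {"adverse_media", "ownership_change", "unusual_transaction", "behaviour_change"}


@dataclass
class CustomerProfile:
    customer_id: str
    country: str
    is_pep: bool = False                  # PEP or close associate of a PEP
    adverse_media: bool = False
    corporate: bool = False
    ownership_layers: int = 0             # layers between the entity and its natural-person owners
    monthly_volume_usd: float = 0.0
    peer_benchmark_usd: float = 10_000.0  # typical monthly volume for this customer segment
    source_of_funds_verified: bool = True


@dataclass
class RiskAssessment:
    tier: str                             # "low", "medium" or "high"
    score: int
    edd_triggers: list = field(default_factory=list)
    next_review: date = date.min


def assess_customer(p: CustomerProfile, assessed_on: date) -> RiskAssessment:
    """Hypothetical scoring: EDD triggers force the high tier; other factors add to a score."""
    score, triggers = 0, []
    if p.is_pep:
        triggers.append("pep")
    if p.country in HIGH_RISK_JURISDICTIONS:
        triggers.append("high_risk_jurisdiction")
    elif p.country in MEDIUM_RISK_JURISDICTIONS:
        score += 15
    if p.corporate:
        score += 10
        if p.ownership_layers >= 3:
            triggers.append("opaque_structure")
    if p.monthly_volume_usd > 5 * p.peer_benchmark_usd:
        triggers.append("volume_above_peers")
    elif p.monthly_volume_usd > 2 * p.peer_benchmark_usd:
        score += 15
    if p.adverse_media:
        triggers.append("adverse_media")
    if not p.source_of_funds_verified:
        triggers.append("unverified_source_of_funds")

    if triggers:
        tier = "high"
    elif score >= 20:
        tier = "medium"
    else:
        tier = "low"
    # Review cadence from the guide: annually for high risk, two to three years otherwise.
    interval_days = {"high": 365, "medium": 730, "low": 1095}[tier]
    return RiskAssessment(tier, score, triggers, assessed_on + timedelta(days=interval_days))


def review_due(a: RiskAssessment, today: date, events=frozenset()) -> Optional[str]:
    """Why a review is due now: 'trigger' when a qualifying event occurred,
    'periodic' when the scheduled date has passed, or None."""
    if set(events) & REKYC_TRIGGER_EVENTS:
        return "trigger"
    if today >= a.next_review:
        return "periodic"
    return None


if __name__ == "__main__":
    today = date(2026, 1, 15)
    retail = CustomerProfile("c-retail", "GB", monthly_volume_usd=800.0)
    corp = CustomerProfile("c-corp", "YY", corporate=True, ownership_layers=3, monthly_volume_usd=80_000.0)
    for c in (retail, corp):
        a = assess_customer(c, today)
        print(c.customer_id, a.tier, a.score, a.edd_triggers, a.next_review)
```

The point of separating triggers from score is auditability: an examiner can see which single factor pushed a customer into EDD, rather than reverse-engineering a composite number. The review scheduler returns the reason a review is due so that the case record distinguishes a scheduled re-verification from an event-driven one.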
Transaction Monitoring: The Core of AML Operations
Transaction monitoring is the operational heart of an AML programme. It is the process by which the firm scans transactions in real time or near real time, applies rules and models to detect anomalous or suspicious patterns, generates alerts for investigation, and escalates credible alerts to SAR filing. Without transaction monitoring, a firm's CDD programme functions as a gate that filters at entry but does nothing to detect suspicious activity once a customer is inside.
Rule-Based Versus Behavioural Monitoring
Rule-based monitoring applies fixed thresholds and patterns: flag any transaction above a defined amount, flag rapid movement of funds within a short period, flag transactions to or from a designated high-risk address. Rules are transparent, auditable, and easy to justify to regulators. Their weakness is that they are static. Sophisticated money launderers structure transactions specifically to avoid rule thresholds, and rules do not adapt to evolving typologies without manual intervention.
Behavioural or machine learning-based monitoring builds a baseline of normal activity for each customer and flags deviations from that baseline. A customer who suddenly transacts ten times their historical average, or begins interacting with counterparties in different jurisdictions, triggers an alert even if no fixed threshold is breached. Behavioural monitoring generates fewer false positives in mature deployments but requires sufficient transaction history to establish reliable baselines and greater operational expertise to tune.
Most enterprise-grade AML programmes use a combination: rules for known typologies and regulatory requirements, behavioural models for novel patterns and customer-specific anomaly detection.
Blockchain Analytics Integration
For crypto firms, transaction monitoring must extend to the blockchain layer. Blockchain analytics platforms, principally Chainalysis, Elliptic, and TRM Labs, analyse the on-chain history of wallet addresses to assess risk. They identify interactions with sanctioned addresses, mixers and tumblers, darknet markets, ransomware wallets, and high-risk exchanges. Every deposit address and withdrawal destination should be screened at the point of transaction, not only at onboarding.
Blockchain analytics tools assign risk scores to wallet addresses based on their direct interactions and the indirect exposure derived from tracing funds through multiple hops. A wallet that has not directly interacted with a sanctioned address but received funds that passed through one within a small number of hops will carry elevated indirect exposure. Firms must decide and document their policy for what level of indirect exposure triggers what operational response.
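To make the direct-versus-indirect exposure distinction concrete, here is an added example (not code from the guide or from Chainalysis, Elliptic or TRM Labs, whose methodologies are proprietary) that traces inbound funds through a small constructed ledger. It computes both the hop distance to the nearest labelled wallet and a value-weighted exposure share using proportional ("haircut") tracing, then maps those numbers to an operational response under a hypothetical documented policy. All addresses, labels, amounts and policy thresholds are placeholders.

```python
from collections import defaultdict

# Constructed ledger of on-chain transfers: (source, destination, amount).
# Addresses and labels are placeholders; a real platform supplies attribution data.
EDGES = [
    ("addr_SANC", "addr_MIX", 10.0),  # sanctioned wallet sends into a mixer
    ("addr_X",    "addr_MIX", 10.0),  # unrelated funds enter the same mixer
    ("addr_MIX",  "addr_H1",  20.0),  # mixer pays out to an intermediary wallet
    ("addr_H1",   "addr_DEP",  5.0),  # intermediary funds our customer's deposit address
    ("addr_Y",    "addr_DEP", 15.0),  # a clean counterparty funds the same deposit address
]
LABELS = {"addr_SANC": "sanctioned", "addr_MIX": "mixer"}

INBOUND = defaultdict(list)           # destination -> [(source, amount), ...]
for src, dst, amt in EDGES:
    INBOUND[dst].append((src, amt))


def min_hops_to(address, category, max_hops):
    """Breadth-first search upstream through inbound transfers. Returns the number
    of transfers between `address` and the nearest wallet labelled `category`
    (1 = direct counterparty), or None if none lies within `max_hops`."""
    frontier, seen = [address], {address}
    for hops in range(1, max_hops + 1):
        nxt = []
        for a in frontier:
            for src, _ in INBOUND.get(a, []):
                if src in seen:
                    continue
                if LABELS.get(src) == category:
                    return hops
                seen.add(src)
                nxt.append(src)
        if not nxt:
            return None
        frontier = nxt
    return None


def exposure_share(address, category, max_hops):
    """Value-weighted share of `address`'s inflow traceable to `category` within
    `max_hops`, using proportional ('haircut') tracing: each inbound transfer
    carries its source's share weighted by its fraction of total inflow.
    The depth limit guarantees termination even if the ledger contains cycles."""
    def share(addr, depth):
        if LABELS.get(addr) == category:
            return 1.0
        if depth == 0:
            return 0.0
        inbound = INBOUND.get(addr, [])
        total = sum(amt for _, amt in inbound)
        if total == 0:
            return 0.0
        return sum(amt / total * share(src, depth - 1) for src, amt in inbound)
    return share(address, max_hops)


def screening_decision(address):
    """Hypothetical documented policy mapping exposure to an operational response."""
    if min_hops_to(address, "sanctioned", max_hops=1) is not None:
        return "block_and_escalate"       # direct sanctioned counterparty
    if exposure_share(address, "sanctioned", max_hops=4) > 0.0:
        return "hold_pending_edd"         # any traceable sanctioned funds within four hops
    if exposure_share(address, "mixer", max_hops=3) >= 0.10:
        return "hold_pending_edd"         # material mixer exposure
    return "proceed_and_monitor"


if __name__ == "__main__":
    for a in ("addr_DEP", "addr_H1", "addr_MIX", "addr_Y"):
        print(a, min_hops_to(a, "sanctioned", 5),
              round(exposure_share(a, "sanctioned", 4), 3), screening_decision(a))
```

Note how the answer depends on the hop limit: the deposit address shows zero sanctioned exposure when tracing stops at two hops and 12.5% at three. That is exactly why the guide asks firms to decide and document the hop depth and exposure level that trigger each response, rather than inheriting a vendor default silently.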
Alert Triage: From Alert Generation to Disposition
Alert generation is only the beginning of the process. The operational challenge is triage: the workflow by which each alert is reviewed, investigated, and dispositioned either as a false positive (closed with documented rationale) or escalated to the MLRO for SAR consideration. Alert triage requires trained analysts, a documented investigation process, and a case management system that creates an auditable record of every decision.
Common alert types in crypto transaction monitoring include: structuring (splitting transactions to stay below reporting thresholds), layering (rapid movement through multiple accounts to obscure the source of funds), high-risk address interaction (direct or indirect exposure to sanctioned or high-risk wallets), rapid in-out movement (funds received and immediately withdrawn with no apparent business purpose), and geographic anomalies (transactions inconsistent with the customer's declared business geography).
The ratio of alerts to SARs filed is a metric regulators examine. An excessively low SAR rate relative to alert volume suggests either that the alert rules are poorly calibrated or that the triage process is dismissing alerts without adequate investigation. An excessively high SAR rate suggests the firm lacks the analytical capability to distinguish genuine suspicion from noise.
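The rule-based and behavioural approaches contrasted earlier, and the alert types listed above, can be shown side by side in a small monitoring engine. This is an added example, not the guide's or any vendor's code: six rules run over a constructed transaction log, five of them fixed-threshold rules (large transaction, structuring, rapid in-out, high-risk address, geographic anomaly) and one a per-customer behavioural baseline using the "ten times the historical average" illustration from the text. Customer ids, addresses, countries, the USD 10,000 reporting threshold and every tuning parameter are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

REPORTING_THRESHOLD_USD = 10_000.0
STRUCTURING_BAND = 0.8          # deposits at or above 80% of the threshold count as "just below" it
RAPID_WINDOW = timedelta(hours=1)
DEVIATION_MULTIPLIER = 10.0     # the guide's "ten times their historical average"
MIN_HISTORY = 5                 # transactions needed before a behavioural baseline is trusted

# Constructed reference data; customer ids, countries and addresses are placeholders.
HIGH_RISK_ADDRESSES = {"addr_HR1"}
DECLARED_GEOGRAPHY = {"cust_A": {"GB"}, "cust_B": {"GB", "DE"}}


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed transaction log: five baseline deposits for cust_A followed by a spike
# from an undeclared country; two sub-threshold deposits for cust_B followed by an
# immediate withdrawal to a high-risk address.
TRANSACTIONS = [
    {"id": 1, "cust": "cust_A", "ts": _ts("2026-01-01T10:00"), "dir": "in",  "amount": 400.0,   "country": "GB", "addr": "addr_1"},
    {"id": 2, "cust": "cust_A", "ts": _ts("2026-01-02T10:00"), "dir": "in",  "amount": 500.0,   "country": "GB", "addr": "addr_1"},
    {"id": 3, "cust": "cust_A", "ts": _ts("2026-01-03T10:00"), "dir": "in",  "amount": 600.0,   "country": "GB", "addr": "addr_1"},
    {"id": 4, "cust": "cust_A", "ts": _ts("2026-01-04T10:00"), "dir": "in",  "amount": 500.0,   "country": "GB", "addr": "addr_1"},
    {"id": 5, "cust": "cust_A", "ts": _ts("2026-01-05T10:00"), "dir": "in",  "amount": 500.0,   "country": "GB", "addr": "addr_1"},
    {"id": 6, "cust": "cust_A", "ts": _ts("2026-01-06T09:00"), "dir": "in",  "amount": 5200.0,  "country": "XX", "addr": "addr_9"},
    {"id": 7, "cust": "cust_B", "ts": _ts("2026-01-10T09:00"), "dir": "in",  "amount": 9000.0,  "country": "GB", "addr": "addr_2"},
    {"id": 8, "cust": "cust_B", "ts": _ts("2026-01-10T15:00"), "dir": "in",  "amount": 8500.0,  "country": "GB", "addr": "addr_2"},
    {"id": 9, "cust": "cust_B", "ts": _ts("2026-01-10T15:30"), "dir": "out", "amount": 17000.0, "country": "DE", "addr": "addr_HR1"},
]


def rule_large_transaction(txs):
    return [("large_transaction", t["cust"], [t["id"]]) for t in txs if t["amount"] >= REPORTING_THRESHOLD_USD]


def rule_structuring(txs):
    """Two or more deposits just below the threshold within 24 hours that together exceed it."""
    alerts, by_cust = [], defaultdict(list)
    lo, hi = STRUCTURING_BAND * REPORTING_THRESHOLD_USD, REPORTING_THRESHOLD_USD
    for t in sorted(txs, key=lambda t: t["ts"]):
        if t["dir"] == "in" and lo <= t["amount"] < hi:
            by_cust[t["cust"]].append(t)
    for cust, deposits in by_cust.items():
        for i, anchor in enumerate(deposits):
            window = [t for t in deposits[i:] if t["ts"] - anchor["ts"] <= timedelta(hours=24)]
            if len(window) >= 2 and sum(t["amount"] for t in window) >= hi:
                alerts.append(("structuring", cust, [t["id"] for t in window]))
                break                      # one alert per customer per run; all ids go to the analyst
    return alerts


def rule_rapid_in_out(txs):
    """A withdrawal of at least 90% of a deposit within the rapid window."""
    alerts = []
    for d in (t for t in txs if t["dir"] == "in"):
        for w in (t for t in txs if t["dir"] == "out" and t["cust"] == d["cust"]):
            if timedelta(0) <= w["ts"] - d["ts"] <= RAPID_WINDOW and w["amount"] >= 0.9 * d["amount"]:
                alerts.append(("rapid_in_out", d["cust"], [d["id"], w["id"]]))
    return alerts


def rule_high_risk_address(txs):
    return [("high_risk_address", t["cust"], [t["id"]]) for t in txs if t["addr"] in HIGH_RISK_ADDRESSES]


def rule_geographic_anomaly(txs):
    return [("geographic_anomaly", t["cust"], [t["id"]])
            for t in txs if t["country"] not in DECLARED_GEOGRAPHY.get(t["cust"], set())]


def rule_behavioural_deviation(txs):
    """Per-customer baseline: flag an amount above DEVIATION_MULTIPLIER x the mean of all prior transactions."""
    alerts, history = [], defaultdict(list)
    for t in sorted(txs, key=lambda t: t["ts"]):
        prior = history[t["cust"]]
        if len(prior) >= MIN_HISTORY and t["amount"] > DEVIATION_MULTIPLIER * mean(prior):
            alerts.append(("behavioural_deviation", t["cust"], [t["id"]]))
        prior.append(t["amount"])
    return alerts


RULES = [rule_large_transaction, rule_structuring, rule_rapid_in_out,
         rule_high_risk_address, rule_geographic_anomaly, rule_behavioural_deviation]


def run_monitoring(txs):
    """Run every rule; each alert is (rule name, customer id, transaction ids) for the triage queue."""
    return [alert for rule in RULES for alert in rule(txs)]


if __name__ == "__main__":
    for alert in run_monitoring(TRANSACTIONS):
        print(alert)
```

Two things the output makes visible. The behavioural rule is silent on cust_B because there is no baseline yet, which is the "requires sufficient transaction history" weakness the guide names; the fixed rules catch that customer instead. And a single transaction (id 9) raises three separate alerts, which is why triage needs a case management layer that groups alerts by customer rather than working a flat queue.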
The FATF Travel Rule: Operational Implementation
The Travel Rule is among the most technically demanding AML requirements for crypto VASPs. It requires that when a VASP sends a virtual asset transfer, it must transmit originator information (name, account number, address, national identity number or date of birth) and beneficiary information (name and account number) to the receiving VASP. The receiving VASP must be able to receive and process this information and make it available to authorities on request.
What Must Be Transmitted
At minimum, the sending VASP must transmit the originator's full legal name, account number (in crypto, typically the wallet address), and either a national identity number, customer identification number, or date of birth and place of birth. For the beneficiary, the full legal name and wallet address are required. Jurisdictions implementing the EU's Transfer of Funds Regulation require this for all transfers regardless of amount; FATF-aligned jurisdictions typically apply the threshold at USD/EUR 1,000.
Travel Rule Compliance Solutions
Several interoperability protocols and platforms have emerged to facilitate Travel Rule compliance between VASPs: Notabene, Veriscope (built on Celo), and the OpenVASP protocol. These platforms create a network through which VASPs can establish secure counterpart relationships and transmit customer data in an encrypted, auditable manner. Selecting a Travel Rule compliance solution requires assessing counterpart network coverage: a solution is only as valuable as the number of counterpart VASPs that are also connected to it.
The Sunrise Problem
The sunrise problem refers to the operational challenge created by uneven implementation of the Travel Rule across jurisdictions. A VASP in a jurisdiction where the Travel Rule is in force will attempt to transmit customer data to a counterpart VASP in a jurisdiction that has not yet implemented the requirement. The counterpart VASP may have no mechanism to receive the data and no legal obligation to do so. Firms must have a documented policy for how to handle transactions with non-compliant counterpart VASPs: options include requiring manual verification, imposing lower transaction limits, or refusing transfers to counterparts that cannot demonstrate Travel Rule compliance.
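The minimum Travel Rule data set described earlier and the sunrise-problem policy just described can be expressed as one pre-dispatch check. The following is an added example, not code from the guide or from Notabene, Veriscope or OpenVASP: it validates a transfer payload against the FATF threshold or the EU TFR's no-threshold rule, then applies a hypothetical documented policy for counterparts that cannot receive the data (manual verification under a lower limit, refusal above it). The field names, regime keys, limit and decision labels are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Party:
    name: Optional[str] = None
    wallet_address: Optional[str] = None   # the "account number" for a virtual asset transfer
    national_id: Optional[str] = None
    customer_id: Optional[str] = None
    date_of_birth: Optional[str] = None
    place_of_birth: Optional[str] = None


@dataclass
class Transfer:
    amount_usd: float
    originator: Party
    beneficiary: Party


# Threshold at which Travel Rule data becomes mandatory under each regime.
REGIMES = {
    "fatf": 1000.0,   # FATF Recommendation 16: USD/EUR 1,000
    "eu_tfr": 0.0,    # EU Transfer of Funds Regulation: every transfer
}


def missing_fields(t: Transfer, regime: str) -> List[str]:
    """Data elements the sending VASP still lacks for this transfer, or [] when the
    payload is complete (or the transfer is below the regime's threshold)."""
    if t.amount_usd < REGIMES[regime]:
        return []
    o, b, missing = t.originator, t.beneficiary, []
    if not o.name:
        missing.append("originator.name")
    if not o.wallet_address:
        missing.append("originator.wallet_address")
    # One of: national identity number, customer identification number, or date and place of birth.
    if not (o.national_id or o.customer_id or (o.date_of_birth and o.place_of_birth)):
        missing.append("originator.identifier")
    if not b.name:
        missing.append("beneficiary.name")
    if not b.wallet_address:
        missing.append("beneficiary.wallet_address")
    return missing


def dispatch_decision(t: Transfer, regime: str, counterpart_capable: bool,
                      non_compliant_limit_usd: float = 1000.0) -> str:
    """Hypothetical documented policy for outbound transfers, including the sunrise case
    where the counterpart VASP cannot receive Travel Rule data."""
    if missing_fields(t, regime):
        return "hold_until_payload_complete"
    if t.amount_usd < REGIMES[regime]:
        return "send_without_travel_rule_data"
    if counterpart_capable:
        return "transmit_via_travel_rule_solution"
    if t.amount_usd <= non_compliant_limit_usd:
        return "manual_verification_then_send"   # lower limit plus manual check for non-compliant counterparts
    return "refuse_transfer"


if __name__ == "__main__":
    # Constructed parties; names and addresses are placeholders.
    tx = Transfer(2500.0, Party("Alice Example", "addr_orig", national_id="ID-0001"),
                  Party("Bob Example", "addr_benef"))
    for regime in REGIMES:
        for capable in (True, False):
            print(regime, capable, dispatch_decision(tx, regime, capable))
```

Whatever decision the function returns, the record retention point that follows applies: the decision and the reason (payload gap, counterpart capability, limit applied) belong in the transfer record, because the regulator will ask for exactly that history.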
Unhosted Wallet Handling
Transfers to and from unhosted (non-custodial) wallets present a distinct challenge because there is no counterpart VASP to receive Travel Rule data. Regulatory approaches vary: the EU's Transfer of Funds Regulation requires VASPs, for unhosted wallet transfers above EUR 1,000, both to collect beneficiary information and to verify that the unhosted wallet is controlled by the customer. A risk-based approach is also required: firms must define when enhanced verification of unhosted wallet ownership applies and document those decisions.
Record Retention
Travel Rule records must be retained for the period specified by the applicable jurisdiction, typically five years from the date of the transaction. Records must include all transmitted and received originator and beneficiary data, any decisions made regarding non-compliant counterpart VASPs, and the outcome of any enhanced verification of unhosted wallets. These records must be producible to regulators on demand.
Suspicious Activity Reporting
Suspicious Activity Reports (SARs), known as Suspicious Transaction Reports (STRs) in some jurisdictions, are the mechanism by which financial institutions discharge their obligation to report suspected money laundering or terrorist financing to the relevant financial intelligence unit (FIU). For crypto firms, SAR filing is a core operational capability, not an occasional event.
The MLRO's Role
The Money Laundering Reporting Officer (MLRO) is the individual responsible for receiving internal suspicion reports, evaluating them, deciding whether to file a SAR, and submitting the report to the appropriate authority. The MLRO must have the seniority, independence, and authority to make filing decisions without interference from commercial or operational leadership. Regulators assess whether the MLRO role is substantive or nominal: an MLRO who is overruled by the CEO or who lacks the resources to review alerts properly is a regulatory liability.
The MLRO must be identified to the regulator in most jurisdictions and must meet fit-and-proper criteria. In the UK, the FCA requires MLROs to hold the SMF17 Senior Management Function designation. In the UAE, VARA requires the Compliance Officer to be approved by the authority.
SAR Filing Thresholds and Timeframes
SAR filing obligations are triggered by suspicion, not by a financial threshold. If a transaction monitoring alert leads to a genuine belief that funds may be the proceeds of crime or connected to terrorist financing, a SAR must be filed regardless of the transaction amount. Filing timeframes vary by jurisdiction: in the UK, SARs must be filed with the National Crime Agency (NCA) promptly; in the US, SARs must be filed with FinCEN within 30 days of initial detection (or 60 days if no suspect is identified); in the UAE, STRs must be filed with the Financial Intelligence Unit within two business days of the suspicion arising.
The Tipping-Off Prohibition
Once a SAR has been filed, or where the firm is considering filing, the tipping-off prohibition applies: the customer must not be informed that a report has been made or is being considered. This extends to all staff who have knowledge of the report. The tipping-off prohibition creates an operational challenge when a customer queries a transaction delay caused by a SAR investigation. Staff must be trained to handle these queries with a neutral response that does not reveal the underlying reason for the delay.
The prohibition also means that firms must not freeze accounts or close customer relationships in a manner that signals the existence of a SAR. Where a decision is made to exit a customer relationship following a SAR, the exit must be managed in a way that does not tip the customer off. Legal advice should be sought before taking visible action in relation to a customer who is the subject of a filed SAR.
Internal Reporting Chain
Every employee who has reason to suspect that a transaction or customer is connected to financial crime must report that suspicion internally to the MLRO. Internal reports must be documented. The MLRO reviews each internal report, may commission additional investigation, and decides whether to file externally. Critically: the MLRO must also document decisions not to file a SAR, with the rationale. An undocumented decision not to file is indistinguishable from a failure to consider filing.
AML Technology Stack for Crypto Firms
A credible AML programme cannot be run on spreadsheets and manual processes beyond the earliest stages of a firm's growth. The technology stack required to operate AML controls at scale across crypto-native workflows consists of several integrated components.
KYC and Identity Verification Platforms
Identity verification platforms automate the collection and verification of identity documents, biometric liveness checks, and sanctions and PEP screening at onboarding. Established providers include Jumio, Onfido (now part of Entrust), Sumsub, and Persona. Selection criteria should include accuracy rates for the document types and geographies of your customer base, API integration capability, audit trail completeness, and regulator acceptance in your jurisdiction. A KYC platform that cannot demonstrate its false accept and false reject rates provides no assurance that its verification outcomes are reliable.
Blockchain Analytics
Blockchain analytics is a category unique to crypto AML and is non-negotiable for any regulated VASP. The three dominant platforms are Chainalysis KYT (Know Your Transaction), Elliptic, and TRM Labs. Each maintains proprietary databases of attributed wallet addresses, exchange clusters, darknet market addresses, sanctioned entity wallets, mixer and tumbler addresses, and ransomware payment wallets. They integrate via API into exchange and custody platforms to provide real-time risk scoring on every transaction.
Differences between providers exist in attribution methodology, geographic coverage, and the granularity of their risk categorisation. Firms should evaluate providers against their specific customer geography and transaction typologies. Using blockchain analytics solely for periodic manual checks rather than real-time API integration is an approach that does not meet the operational standard expected by regulators in 2026.
Travel Rule Compliance Solutions
As discussed above, Travel Rule compliance requires a dedicated solution. Notabene and Veriscope are the most widely deployed. The choice of provider should be driven by counterpart VASP network coverage for the jurisdictions and counterparts relevant to your business, not by feature set alone. A Travel Rule solution with limited counterpart coverage provides incomplete compliance.
Case Management
Case management software provides the operational environment in which alert triage, SAR documentation, and customer investigation are conducted. It creates the audit trail that demonstrates to regulators that each alert was reviewed, each decision was documented, and each SAR was filed with a supporting evidence pack. Without a case management system, the SAR process is vulnerable to gaps, inconsistencies, and the loss of investigative records when staff leave. Suitable platforms include Actimize, NICE Actimize, and purpose-built AML case management tools available within compliance platforms like ComplyAdvantage.
Sanctions Screening
Sanctions screening must cover all relevant lists: OFAC (US), EU consolidated sanctions list, UK financial sanctions list, UN Security Council sanctions list, and jurisdiction-specific lists (UAE Central Bank, etc.). Screening must occur at onboarding, at each transaction, and on an ongoing basis as sanctions lists are updated. OFAC lists are updated without notice: a customer who was not sanctioned yesterday may be sanctioned today. Real-time or near-real-time screening against updated lists is operationally required, not daily batch screening.
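The difference between daily batch screening and event-driven rescreening on list updates is easier to see in code. This is an added example, not the guide's or any screening vendor's code: it normalises names so that token order, case and diacritics do not defeat a match, screens names and wallet addresses against a versioned list, and, when a new list version arrives, rescreens the existing customer base and returns only the customers who became hits because of the update. Every name, address and list version here is a constructed placeholder, and the exact-match-after-normalisation approach stands in for the fuzzy matching a production screening engine would use.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


def normalise(name: str) -> str:
    """Casefold, strip diacritics and punctuation, and sort tokens so that
    'Doe, John' and 'john DOE' screen identically."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", plain.casefold())))


@dataclass(frozen=True)
class SanctionsList:
    version: str
    names: FrozenSet[str]        # normalised names
    addresses: FrozenSet[str]    # lower-cased wallet addresses


def load_list(version: str, names: Iterable[str], addresses: Iterable[str]) -> SanctionsList:
    return SanctionsList(version, frozenset(normalise(n) for n in names),
                         frozenset(a.lower() for a in addresses))


def screen_name(name: str, lst: SanctionsList) -> bool:
    """Onboarding-time and periodic check of a customer or counterparty name."""
    return normalise(name) in lst.names


def screen_address(address: str, lst: SanctionsList) -> bool:
    """Transaction-time check of a deposit source or withdrawal destination."""
    return address.lower() in lst.addresses


def rescreen_on_update(customers: Dict[str, str], old: SanctionsList, new: SanctionsList) -> List[str]:
    """Customer ids that become hits because of entries added between `old` and `new`.
    Run on every list update, not on a daily batch schedule."""
    added = new.names - old.names
    return sorted(cid for cid, name in customers.items() if normalise(name) in added)


# Constructed lists and customer base; every name and address here is a placeholder.
LIST_V1 = load_list("v1", ["Jane Placeholder"], ["addr_sanc0"])
LIST_V2 = load_list("v2", ["Jane Placeholder", "José Example"], ["addr_sanc0", "addr_sanc1"])
CUSTOMERS = {"c1": "Example, Jose", "c2": "Jane Placeholder", "c3": "Sam Clean"}


if __name__ == "__main__":
    print("new hits after update:", rescreen_on_update(CUSTOMERS, LIST_V1, LIST_V2))
    print("withdrawal to ADDR_SANC1 blocked:", screen_address("ADDR_SANC1", LIST_V2))
```

The rescreen deliberately reports only the delta: customer c2 already matched the earlier list and should have been handled at onboarding, so surfacing that customer again would be noise in the alert queue. The delta is what a list update should put in front of an analyst within minutes of publication.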
Vendor Risk in the AML Tech Stack
Each technology vendor in the AML stack represents a concentration risk: if the blockchain analytics platform goes down during a high-volume trading period, the firm may be unable to screen transactions in real time. Contingency procedures must be documented for each critical vendor, including fallback screening processes and the authority to suspend transaction processing if screening capability is unavailable. Our guide to vendor risk management covers the broader framework for assessing and managing third-party dependencies.
Governance: The MLRO and AML Committee
Technology and process controls require governance to function. Without clear lines of accountability, decision-making authority, and board-level visibility, AML controls degrade over time as commercial pressures accumulate and operational shortcuts become habits.
MLRO Responsibilities and Independence
The MLRO is accountable for the design and operation of the AML programme. Specific responsibilities include: approving the AML policy and risk appetite; overseeing the transaction monitoring programme, including alert tuning and typologies; reviewing all internal suspicion reports; making SAR filing decisions; liaising with regulators and law enforcement; ensuring staff training is current; and producing the annual AML report for the board.
MLRO independence is a structural requirement. The MLRO must not report into revenue-generating functions and must have a direct line to the board or audit committee. In practice, at smaller firms this may mean the MLRO is the Chief Compliance Officer or a member of the executive team. What is not acceptable, and what regulators consistently cite in enforcement actions, is an MLRO whose filing decisions are subject to commercial veto.
AML Committee
Larger firms benefit from an AML Committee that brings together the MLRO, the Chief Risk Officer, the Chief Operating Officer, the Head of Product (for reviewing the risk implications of new features), and legal counsel. The committee meets regularly (monthly at minimum for active firms, quarterly at minimum for smaller operations) to review programme metrics, emerging typologies, regulatory developments, and escalated cases requiring senior decision-making. The committee's decisions and the rationale behind them must be documented in meeting minutes retained for audit purposes.
Board Reporting
The board carries ultimate accountability for the firm's AML compliance. The MLRO must report to the board at least annually, presenting a comprehensive account of programme performance: alert volumes and disposition rates, SAR filing volumes and outcomes, CDD exceptions and remediation, training completion rates, regulatory developments, and any material weaknesses identified in the programme. The board must demonstrate, through documented discussion and challenge, that it takes its AML oversight responsibility seriously. Boards that rubber-stamp MLRO reports without substantive engagement are themselves a regulatory risk indicator.
Annual Independent AML Audit
An independent review of the AML programme, conducted by a party not involved in its day-to-day operation, is a requirement in most jurisdictions and a best practice in all of them. The review assesses whether the programme meets regulatory requirements, whether controls are operating as documented, and whether identified weaknesses have been remediated. Audit findings must be tracked to completion, with the board informed of any material findings and the remediation timeline.
Common Enforcement Actions Against Crypto Firms and What Triggered Them
Enforcement history in crypto AML is instructive. The failures that have resulted in landmark regulatory actions share a common thread: not the absence of AML policies, but the absence of an operational programme to implement them.
BitMEX: $100 Million FinCEN Settlement
In 2020 and 2021, BitMEX and its founders faced charges from the US Department of Justice and FinCEN, resulting in a $100 million settlement. The core finding was that BitMEX had deliberately failed to implement an adequate AML programme despite operating as an MSB under US law, accepting US customers, and processing billions of dollars in derivatives trading. The firm had no KYC programme for the majority of its operating history and no SAR filing capability. This was not a nuanced regulatory disagreement about calibration; it was the near-total absence of operational controls.
Binance: $4.3 Billion DOJ Settlement
The 2023 Binance settlement with the US Department of Justice, FinCEN, and OFAC totalled $4.3 billion, making it the largest corporate criminal settlement in the history of the Bank Secrecy Act. The statement of facts detailed systematic failures: Binance processed transactions for customers in sanctioned jurisdictions including Iran, Syria, and Cuba; its transaction monitoring system was configured to exclude high-volume customers from screening; and compliance staff were directed to prioritise user growth over AML controls. Critically, internal communications showed that compliance officers had raised concerns that were overridden by commercial leadership. The personal criminal plea of founder Changpeng Zhao underscored that AML failures at this scale can result in individual criminal liability, not merely corporate fines.
Bitfinex and the OFAC Nexus
OFAC enforcement actions in crypto have consistently highlighted the inadequacy of sanctions screening at many exchanges. The common thread is that firms applied sanctions screening at onboarding but did not screen wallet addresses at the point of transaction. A customer who passed KYC at onboarding can subsequently move funds to or from a sanctioned wallet. Real-time transaction-level sanctions screening, not a one-time customer check, is the operational standard.
The Pattern Across Enforcement Actions
Three operational failures appear repeatedly across enforcement actions against crypto firms: inadequate customer due diligence that allowed high-risk customers to onboard without appropriate scrutiny; transaction monitoring systems that were present but misconfigured, excluded high-value customers, or had alert queues that were not resourced for triage; and sanctions screening that was periodic rather than real-time. In each case, the firm had a compliance policy that purported to address these areas. The operational reality was different.
This pattern explains why regulators are increasingly focused not on what policies a firm has documented, but on what evidence it can produce that those policies were implemented consistently in the period under examination. Transaction monitoring logs, alert triage records, SAR filing histories, and training records are what survive a regulatory examination. Policies without operational records are a liability, not a defence.
AML Operations: Minimum Viable Controls Checklist
- Written AML policy approved by the board, reviewed annually
- Appointed MLRO with documented fit-and-proper assessment
- Risk-based customer risk assessment methodology
- Identity verification platform with liveness detection and audit trail
- Sanctions and PEP screening at onboarding and real-time at transaction
- Blockchain analytics integration (Chainalysis, Elliptic, or TRM Labs) via API
- Transaction monitoring rules documented and reviewed at least quarterly
- Alert triage workflow with documented analyst review and disposition records
- Travel Rule compliance solution with counterpart network coverage
- Unhosted wallet policy documented and applied consistently
- SAR filing capability with documented internal reporting chain
- Case management system retaining investigation records for minimum five years
- Annual AML staff training with completion records
- Annual independent AML programme review
- Board AML report delivered at least annually
Firms seeking to establish or strengthen their AML operations function should begin with a gap assessment against the controls above before engaging regulators or institutional counterparties. A programme that cannot demonstrate operational evidence for each control will not withstand examination. Our DORA compliance requirements guide covers the adjacent operational resilience obligations that apply alongside AML controls for EU-regulated crypto firms.
Frequently Asked Questions
What are KYC/AML operational controls for crypto firms?
KYC/AML operational controls are the people, processes, and technology a crypto firm deploys to identify customers, monitor transactions, detect suspicious activity, and report it to the appropriate authorities. They go beyond regulatory compliance to form a genuine operational risk management function.
Which regulations require KYC/AML programmes for crypto firms?
The FATF Travel Rule applies globally to virtual asset service providers. In Europe, MiCA and the EU's Transfer of Funds Regulation require KYC/AML programmes. In the UAE, VARA mandates AML/CFT controls. In the UK, the Money Laundering Regulations require registration with the FCA. National implementations vary but all converge on customer due diligence, transaction monitoring, and suspicious activity reporting.
What is the FATF Travel Rule and how does it affect crypto firms?
The FATF Travel Rule requires virtual asset service providers to collect and transmit originator and beneficiary information for transfers above a threshold (typically $1,000 or equivalent). For crypto firms, this means implementing Travel Rule compliance solutions that can exchange customer data with counterpart VASPs at the point of transaction.
What technology does a crypto firm need for AML compliance?
A minimum viable AML technology stack includes a KYC/identity verification platform, a blockchain analytics tool (Chainalysis, Elliptic, or TRM Labs) for transaction monitoring and wallet screening, a Travel Rule compliance solution, and a case management system for SAR documentation. Larger firms also require risk scoring engines and automated alert triage.
How should a crypto firm handle a suspicious activity report (SAR)?
When a transaction monitoring alert is escalated to a potential SAR, the MLRO or designated compliance officer reviews the alert, conducts enhanced due diligence, documents the decision-making process, and files the SAR with the relevant financial intelligence unit within the required timeframe. The customer must not be tipped off that a report has been filed.
What is the difference between KYC and AML in crypto?
KYC (Know Your Customer) is the process of identifying and verifying customer identity at onboarding and throughout the relationship. AML (Anti-Money Laundering) is the broader programme of controls to detect, prevent, and report money laundering and terrorist financing. KYC is one component of AML: you cannot monitor for suspicious activity without first knowing who your customers are.