
AML & KYC for Crypto Businesses: A Practical Compliance Guide

What AML and KYC actually require for crypto businesses in 2026 — Travel Rule, sanctions screening, transaction monitoring, and the real costs of getting it wrong.
Wag3s Team. Editorial team specializing in Web3 finance, crypto tax, and DAO operations. Based in Zurich, Switzerland.

Reviewed by Wag3s Editorial Team — verified against FATF, FinCEN, EU 6AMLD, and MiCA Travel Rule guidance · Last reviewed April 2026

AML and KYC for crypto used to be optional in practice. The Travel Rule, MiCA, and FinCEN's 2025 enforcement push closed that gap. Compliance is now a baseline cost of operation.

This guide walks through what regulators actually expect from a crypto business in 2026: who counts as a VASP, how KYC tiers work, what the Travel Rule requires on the wire, how sanctions screening and transaction monitoring fit together, and what happens when you get it wrong.

Who is a VASP (and who pretends not to be)

The FATF defines a Virtual Asset Service Provider as any entity that conducts one or more of the following on behalf of another person: exchange between virtual assets and fiat, exchange between virtual assets, transfer of virtual assets, custody, or participation in financial services related to a virtual asset issuance.

In practice, this covers:

  • Centralized exchanges and brokers
  • Custodians and qualified custody platforms
  • OTC desks
  • Payment processors that touch crypto
  • NFT marketplaces that act as intermediaries (most do)
  • Staking-as-a-service providers that hold customer keys
  • Some wallet providers, depending on custody model

The grey zone keeps shrinking. Self-custodial wallet apps with no transfer functionality are usually outside scope. Front-ends to DeFi protocols are increasingly being treated as VASPs in the EU and UK if they have an identifiable operator. "We're decentralized" is no longer a working defense once a regulator can serve papers on a legal entity, a multisig, or a foundation.

If you take custody of customer assets, route their transactions, or stand between users and a protocol, assume you are a VASP until counsel proves otherwise.

The KYC layers: tier 1 (basic), tier 2 (full), enhanced due diligence

KYC is risk-based. You apply more friction where the risk is higher. Most regulators expect a tiered model with clear thresholds.

Tier 1 (Basic)
  • Typical thresholds: up to ~USD 1,000 lifetime, low-risk geographies
  • Identity requirements: email, phone, name, date of birth, address
  • Funding source: not required
  • Ongoing review: annual

Tier 2 (Full)
  • Typical thresholds: above Tier 1 thresholds, retail
  • Identity requirements: government-issued ID, liveness/selfie check, proof of address
  • Funding source: self-declared
  • Ongoing review: every 1-3 years

Enhanced Due Diligence
  • Typical thresholds: high-risk customers, PEPs, large volumes, high-risk jurisdictions
  • Identity requirements: full Tier 2 plus source-of-funds and source-of-wealth documentation
  • Funding source: documentary evidence (bank statements, tax returns, deal docs)
  • Ongoing review: every 6-12 months

The thresholds above are illustrative. Your actual numbers come from your risk assessment, which regulators expect you to document and revisit at least annually.

EDD applies when any of these are true: the customer is a Politically Exposed Person or close associate, the country of residence or operations is FATF-listed as high-risk, the business model is opaque, transaction volume is unusual relative to declared income, or the relationship involves correspondent crypto activity.

The Travel Rule: FATF Recommendation 16 in practice

FATF Recommendation 16 requires VASPs to share originator and beneficiary information for crypto transfers above a threshold (USD/EUR 1,000 in most jurisdictions, lower in some). The data must travel with the transaction or be transmitted out-of-band before the transfer settles.

What you actually have to send for an outbound transfer:

  • Originator name
  • Originator account identifier (typically the sending wallet address or internal account ID)
  • Originator physical address, national ID number, customer ID, or date and place of birth
  • Beneficiary name
  • Beneficiary account identifier

For inbound transfers, you must receive and validate the same data, and you must screen the originator against sanctions lists before crediting the customer.

In practice, this is solved through messaging protocols like TRP, IVMS 101 payloads, and interoperability networks (Notabene, Sumsub Travel Rule, 21 Analytics, OpenVASP). Direct VASP-to-VASP communication only works where both sides are on the same network. For unhosted (self-custody) wallets, regulators allow risk-based exemptions, but you still need to identify the customer and apply enhanced monitoring on flows above the threshold.

The hard part is not the data. It is reconciling Travel Rule messages against on-chain settlement, handling rejections, and proving to a supervisor that you actually screened every relevant transfer.

Sanctions screening: OFAC, UK OFSI, EU consolidated list

Sanctions are strict liability. Intent does not matter. If you process a transaction for a sanctioned person or entity, you have violated the rule.

Three lists cover most crypto businesses:

  • OFAC SDN list (US Treasury): applies to anyone with US nexus, including USD stablecoins, US customers, US infrastructure, or US correspondent relationships.
  • UK OFSI consolidated list: applies to UK persons and any business operating in the UK.
  • EU consolidated list: applies under the EU sanctions regime, including MiCA and the EU AML directives.

You screen against these at:

  1. Onboarding (customer name, beneficial owners, directors)
  2. Every transaction (counterparty, originator, beneficiary)
  3. Every wallet address you interact with (against OFAC's specially designated wallet list)
  4. Periodic refresh of your existing customer base when lists update

OFAC publishes specific crypto wallet addresses on the SDN list (Tornado Cash addresses, Lazarus Group wallets, ransomware operator addresses). Chainalysis, TRM Labs, Elliptic, and Scorechain provide live feeds. Block at the protocol level. Document every block.
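The Travel Rule section above lists the originator and beneficiary fields an outbound transfer must carry, and this section lists where sanctions screening has to run. The following is an added example, not code from the article or from any vendor it names: a pre-flight check for a single transfer that screens both parties against a sanctions list (every transfer, any size) and, at or above the Travel Rule threshold, confirms the listed fields are present before the transfer is released. The `Party`/`Transfer` field names, the threshold handling, the name and address normalization, and every list entry are assumptions or constructed sample data; a production program would use IVMS 101 payloads and live sanctions feeds instead.

```python
# Added example (not the article's or any vendor's code). Field names, the
# "at or above USD 1,000" threshold handling and the list contents are
# assumptions / constructed sample data.
import re
import unicodedata
from dataclasses import dataclass

TRAVEL_RULE_THRESHOLD_USD = 1000.0  # assumption: enforced as "at or above"

# Constructed entries for the example only; real programs consume live feeds.
SANCTIONED_NAMES = {"ACME SHELL TRADING LTD", "JOHN DOE"}
SANCTIONED_ADDRESSES = {"0xdeadbeef" + "0" * 31 + "1"}


@dataclass
class Party:
    name: str
    account_id: str            # wallet address or internal account ID
    physical_address: str = ""
    national_id: str = ""
    customer_id: str = ""
    birth_date_place: str = ""


@dataclass
class Transfer:
    amount_usd: float
    originator: Party
    beneficiary: Party


def normalize_name(name):
    """Strip accents, collapse whitespace, upper-case: 'José  Pérez' -> 'JOSE PEREZ'.
    Exact match only; fuzzy and phonetic matching is left to the screening vendor."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"\s+", " ", folded).strip().upper()


def normalize_address(addr):
    """EVM addresses are case-insensitive hex, so lower-case them; addresses on
    other chains are compared exactly as given."""
    return addr.lower() if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr) else addr


def screen_party(party):
    """Return the list of sanctions hits for one party (empty when clean)."""
    hits = []
    if normalize_name(party.name) in SANCTIONED_NAMES:
        hits.append(f"name:{party.name}")
    if normalize_address(party.account_id) in SANCTIONED_ADDRESSES:
        hits.append(f"address:{party.account_id}")
    return hits


def missing_travel_rule_fields(t):
    """Check the originator/beneficiary data the article lists for an outbound transfer."""
    o, b = t.originator, t.beneficiary
    missing = []
    if not o.name:
        missing.append("originator.name")
    if not o.account_id:
        missing.append("originator.account_id")
    # Any one of these satisfies the originator identification element
    if not (o.physical_address or o.national_id or o.customer_id or o.birth_date_place):
        missing.append("originator.identifier")
    if not b.name:
        missing.append("beneficiary.name")
    if not b.account_id:
        missing.append("beneficiary.account_id")
    return missing


def preflight(t):
    """Return (decision, reasons) with decision in BLOCK / HOLD / RELEASE.
    Sanctions screening runs on every transfer regardless of amount (strict
    liability); Travel Rule completeness is enforced only at/above threshold."""
    reasons = []
    for role, party in (("originator", t.originator), ("beneficiary", t.beneficiary)):
        reasons += [f"sanctions {role} {hit}" for hit in screen_party(party)]
    if reasons:
        return "BLOCK", reasons            # the reasons list is the audit record of the block
    if t.amount_usd >= TRAVEL_RULE_THRESHOLD_USD:
        missing = missing_travel_rule_fields(t)
        if missing:
            return "HOLD", [f"travel rule data missing: {m}" for m in missing]
    return "RELEASE", []


if __name__ == "__main__":
    demo = Transfer(1500.0,
                    Party("Alice Example", "0x" + "a" * 40, physical_address="1 Example St"),
                    Party("Bob Example", "bc1qexampleaddress"))
    print(preflight(demo))
```

The ordering matters: a sanctions hit blocks even a USD 50 transfer that would otherwise need no Travel Rule data, and a HOLD (incomplete counterparty data) is distinct from a BLOCK so that the case can be resolved by a Travel Rule message exchange rather than escalated as a sanctions event.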

Transaction monitoring: rules-based vs behavioral

Transaction monitoring is where most compliance teams burn the most hours. Two approaches, usually combined:

Rules-based monitoring triggers an alert when a transaction crosses a defined threshold or matches a defined pattern. Common rules: structuring (multiple deposits just under reporting thresholds), velocity spikes, rapid in-out flows, unusual counterparties, exposure to mixers or sanctioned entities, peer-to-peer cash-out patterns.

Behavioral monitoring uses statistical baselines per customer. The system learns what normal looks like for each account, then flags deviations. A retail user suddenly moving USD 200,000 in stablecoins to a new exchange is a behavioral anomaly even if no rule fires.

Rules are auditable and explainable. Regulators love them. Behavioral models catch novel patterns that rules miss but are harder to defend in an exam.

A working stack uses both. Rules cover the obligations you must meet (structuring, sanctions, threshold reporting). Behavioral analytics covers the long tail of novel money-laundering typologies that no static rule anticipated.

False positives are the real cost. Industry baselines run 90-95% false positive rates on rules-based systems. Tuning your thresholds, adding contextual data (KYC tier, customer age, prior alerts), and using on-chain enrichment from Chainalysis or TRM cuts that meaningfully.
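To make the rules-based versus behavioral distinction concrete, here is an added example (not the article's code and not any vendor's product) that runs one rule and one behavioral check over a constructed sample ledger, then uses KYC tier as context when prioritizing the alerts. The structuring rule looks for several deposits just under a reporting line inside a rolling window; the behavioral check keeps a per-customer baseline and flags amounts far above it. The reporting line, band, window, z-score limit, minimum history, KYC tiers and every transaction are assumptions chosen for illustration.

```python
# Added example (not the article's or any vendor's code). All thresholds,
# windows, KYC tiers and transactions below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

REPORTING_THRESHOLD_USD = 10_000.0   # assumption: generic reporting line
STRUCTURING_BAND = 0.90              # deposits at 90-100% of the line count as "just under"
STRUCTURING_WINDOW = timedelta(days=3)
STRUCTURING_MIN_COUNT = 3
ZSCORE_LIMIT = 3.0                   # behavioral: more than 3 sigma above the baseline
MIN_HISTORY = 5                      # no baseline until this many prior transactions

# Constructed KYC context: 1 = basic, 2 = full
KYC_TIER = {"cust_a": 2, "cust_b": 1, "cust_c": 2}

# Constructed ledger rows: (customer_id, timestamp, direction, amount_usd, counterparty)
T0 = datetime(2026, 1, 1)
SAMPLE_TXS = []
# cust_a: steady ~USD 500 weekly deposits, then one USD 200k outflow to a new exchange
for i in range(8):
    SAMPLE_TXS.append(("cust_a", T0 + timedelta(days=7 * i), "in", 480 + 10 * i, "bank:acme"))
SAMPLE_TXS.append(("cust_a", T0 + timedelta(days=60), "out", 200_000, "exchange:newco"))
# cust_b: four deposits between 9,200 and 9,800 inside 48 hours
for i, amt in enumerate([9_400, 9_800, 9_200, 9_600]):
    SAMPLE_TXS.append(("cust_b", T0 + timedelta(hours=10 * i), "in", amt, "bank:other"))
# cust_c: regular USD 1,000 deposits, nothing unusual
for i in range(6):
    SAMPLE_TXS.append(("cust_c", T0 + timedelta(days=3 * i), "in", 1_000, "bank:acme"))


def structuring_alerts(txs):
    """Rule: at least STRUCTURING_MIN_COUNT deposits just under the reporting
    line within a rolling STRUCTURING_WINDOW for the same customer."""
    alerts = []
    just_under = defaultdict(list)
    for cust, ts, direction, amt, _ in sorted(txs, key=lambda t: t[1]):
        if direction == "in" and REPORTING_THRESHOLD_USD * STRUCTURING_BAND <= amt < REPORTING_THRESHOLD_USD:
            just_under[cust].append(ts)
    for cust, stamps in just_under.items():
        for i in range(len(stamps)):
            in_window = [s for s in stamps[i:] if s - stamps[i] <= STRUCTURING_WINDOW]
            if len(in_window) >= STRUCTURING_MIN_COUNT:
                alerts.append((cust, "structuring", len(in_window)))
                break                      # one alert per customer per run
    return alerts


def behavioral_alerts(txs):
    """Per-customer baseline: flag an amount more than ZSCORE_LIMIT standard
    deviations above the mean of that customer's earlier transactions."""
    alerts = []
    history = defaultdict(list)
    for cust, ts, direction, amt, _ in sorted(txs, key=lambda t: t[1]):
        past = history[cust]
        if len(past) >= MIN_HISTORY:
            mu, sigma = mean(past), pstdev(past)
            sigma = max(sigma, 0.01 * mu)  # floor: a flat history must not divide by ~0
            z = (amt - mu) / sigma
            if z > ZSCORE_LIMIT:
                alerts.append((cust, "behavioral", round(z, 1)))
        past.append(amt)
    return alerts


def triage(alerts):
    """Attach a priority using KYC context: a rule firing on a Tier 1 (basic)
    account, or any behavioral outlier, ranks above a rule firing on a fully
    verified account. This is the 'contextual data' step that trims false positives."""
    prioritized = []
    for cust, rule, score in alerts:
        prio = "high" if KYC_TIER.get(cust, 1) == 1 or rule == "behavioral" else "medium"
        prioritized.append((cust, rule, score, prio))
    return prioritized


def run_monitor(txs=SAMPLE_TXS):
    """Combine both approaches, as the article recommends."""
    return triage(structuring_alerts(txs) + behavioral_alerts(txs))


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

On the sample ledger the structuring rule fires for cust_b (four deposits in the band within three days) and the behavioral check fires for cust_a's USD 200,000 outflow, which no static amount rule would catch because cust_a never crossed the reporting line; cust_c produces nothing. Note that the behavioral check is silent for cust_b because it has fewer than MIN_HISTORY prior transactions, which is exactly why the two approaches are layered rather than substituted for one another.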

SARs and suspicious activity reporting

When a transaction or pattern crosses your suspicion threshold, you file a Suspicious Activity Report (SAR), called an STR in some jurisdictions. The mechanics vary:

  • US: file with FinCEN within 30 days of detection (45 if no suspect identified). Goes through the BSA E-Filing system.
  • EU: file with the relevant national Financial Intelligence Unit (FIU). Timelines vary by member state but generally "without delay" once suspicion is established.
  • UK: file a SAR with the National Crime Agency. Defence Against Money Laundering (DAML) SARs allow you to seek consent to proceed with a transaction.
  • Singapore: file an STR with the Suspicious Transaction Reporting Office (STRO).

You cannot tell the customer you filed. Tipping off is a separate criminal offense in most jurisdictions. Keep the SAR file segregated from the customer-facing account record.

The standard is "reasonable grounds to suspect," not "proof." If you wait for proof, you are too late.

The MiCA framework for crypto-asset service providers

MiCA layers on top of EU AML directives; it does not replace them. CASPs operating under MiCA must comply with the EU's 6th Anti-Money Laundering Directive (6AMLD) and the recast Transfer of Funds Regulation (TFR), which is the EU's Travel Rule implementation.

What MiCA + 6AMLD + TFR require together:

  • A documented AML/CFT policy approved by the management body
  • A designated Money Laundering Reporting Officer (MLRO) with direct reporting line to the board
  • Customer due diligence at onboarding and ongoing
  • Travel Rule data on every transfer (no de minimis threshold in the EU since 2024)
  • Sanctions screening against the EU consolidated list and national lists
  • Transaction monitoring with documented typologies
  • SAR filing to the national FIU
  • Record retention for 5 years minimum
  • Annual independent audit of the AML program

The TFR's removal of the de minimis threshold matters operationally. Every euro of crypto transferred in or out of an EU CASP needs Travel Rule data. There is no "small transfer" exception.

For more on MiCA itself, see MiCA Regulation: What It Means for Crypto Businesses in Europe.

US: FinCEN, BSA, state money transmitter licenses

In the US, the regulatory layering is heavier. A crypto business that touches US customers typically faces:

  • Federal: FinCEN registration as a Money Services Business (MSB), full Bank Secrecy Act compliance program, OFAC sanctions program, SAR filing
  • State: money transmitter licenses in most states (49 of them have separate regimes), with separate exams, capital requirements, and surety bonds
  • Sectoral: SEC, CFTC, or NYDFS BitLicense depending on activity and state of operation

The BSA program has five mandatory pillars:

  1. A designated BSA Compliance Officer
  2. Written internal policies, procedures, and controls
  3. Ongoing training of relevant personnel
  4. Independent testing (typically annual)
  5. Customer due diligence with beneficial ownership identification

FinCEN's 2025 enforcement push focused on inadequate transaction monitoring and untimely SAR filings. Multiple settlements ran into eight figures, with personal liability extending to compliance officers in some cases.

The compliance tooling stack

A workable AML/KYC stack for a mid-size VASP usually combines:

  • Identity verification: Sumsub, Onfido, Persona, Veriff
  • Sanctions and PEP screening: ComplyAdvantage, Refinitiv World-Check, Dow Jones
  • Blockchain analytics: Chainalysis, TRM Labs, Elliptic, Scorechain
  • Travel Rule: Notabene, Sumsub Travel Rule, 21 Analytics, OpenVASP
  • Transaction monitoring and case management: Hummingbird, Unit21, Sardine, in-house tooling
  • Audit and record retention: depends on stack; expect 5+ year retention with full export capability

Buy where you have to, build where the integration is core to your product. The reporting layer (turning all of this into something a regulator or auditor can read) is where most teams underspend. Wag3s Trust handles the reporting, audit trail, and retention layer for crypto businesses that do not want to build it from scratch.

For broader operational security context, see Crypto Security for Finance Teams.

Cost of non-compliance (real cases)

The numbers are public. Use them as a budgeting reference, not a scare tactic.

  • Binance (2023, US). USD 4.3 billion settlement with DOJ, FinCEN, OFAC, and CFTC for AML and sanctions failures. Founder pleaded guilty, served prison time, paid USD 50 million personally. The company operates under a multi-year monitorship.
  • BitMEX (2022). USD 100 million CFTC and FinCEN penalty for failing to implement an AML program. Founders pleaded guilty individually and paid an additional USD 30 million personally.
  • Bittrex (2022). USD 29 million combined OFAC and FinCEN penalty for serving customers in sanctioned jurisdictions and inadequate SAR filing. Filed for bankruptcy in 2023.
  • Kraken (2023). USD 30 million SEC settlement on staking, plus separate ongoing AML scrutiny.

The pattern: regulators do not need the business to fail. They impose monitorships, lookback obligations, and personal liability. The cost of running an inadequate program over five years usually exceeds the cost of running a real one.

FAQ

Do I need a Compliance Officer if I have ten employees?

Yes. The MLRO or BSA Officer role is mandatory regardless of headcount. It can be outsourced in some jurisdictions, but accountability cannot be. The named person is personally responsible.

Can I rely on my exchange partner's KYC?

Sometimes, with documented reliance under a written agreement and only where the underlying CDD meets your own standard. Reliance does not transfer the obligation. If their KYC fails, you are still on the hook.

What about non-custodial wallets and DeFi front-ends?

The trend is toward inclusion. The EU TFR, the FATF 2023 update, and the US Treasury's 2024 illicit finance risk assessment all point to expanding scope. If you operate a front-end with any centralized infrastructure, plan as if you are in scope.

How long should I retain KYC and transaction records?

Five years minimum in most jurisdictions, longer in some (seven years in Singapore, ten years in some EU states for certain records). Retention starts from the end of the customer relationship or the date of the transaction, whichever is later.

What does an AML program actually cost?

For a small VASP, expect EUR 200,000-500,000 per year in tooling, headcount, and audits. Mid-size, EUR 1-3 million. Large, into the tens of millions. The Binance settlement is the alternative.

This article is for informational purposes only and does not constitute legal or compliance advice. AML/KYC obligations vary by jurisdiction. Consult qualified counsel and compliance specialists for guidance specific to your operations.
