Understanding Crypto AML: A Guide to Anti-Money Laundering Compliance

Illicit activity involving cryptocurrency hit an estimated $51 billion in 2024, according to Chainalysis's 2025 Crypto Crime Mid-Year Update. That figure isn't just a headline — it's the backdrop against which regulators in the US, UK, EU, and Canada are intensifying enforcement, tightening registration requirements, and issuing penalties that reach into the billions.

This guide is written for crypto exchanges, custodians, wallet providers, stablecoin issuers, DeFi-adjacent platforms, and other VASPs navigating AML obligations across those four jurisdictions. Whether you're building a compliance program from scratch or auditing an existing one, you'll find a practical framework here covering core requirements, jurisdiction-specific rules, common red flags, and how to structure a defensible AML program.


TL;DR

  • Crypto AML covers the laws, regulations, and internal controls cryptocurrency businesses must maintain to prevent money laundering and terrorist financing.
  • Exchanges, custodians, wallet providers, and payment processors all face obligations: KYC, transaction monitoring, suspicious activity reporting, and the Travel Rule.
  • Non-compliance carries serious consequences — fines, license revocations, lost banking relationships, and reputational damage.
  • FATF sets the global baseline; the US, UK, EU, and Canada each enforce their own specific frameworks on top of it.
  • A formal AML program requires a designated compliance officer, documented policies, risk-based controls, and ongoing monitoring.

What Is Crypto AML and Why Does It Exist?

Anti-money laundering (AML) in the context of cryptocurrency refers to the collective body of laws, regulations, and internal controls designed to prevent criminals from using crypto platforms to launder proceeds of illegal activity or finance terrorism.

Crypto presents AML risks that traditional finance doesn't face in the same form. Three factors make it structurally different:

  • Pseudonymity — transactions are tied to wallet addresses, not verified identities, unless a platform enforces KYC
  • Decentralization and cross-border reach — transfers move across jurisdictions instantly, with no central authority to flag or freeze them
  • Fragmented regulatory oversight — responsibility for compliance is distributed, and gaps between jurisdictions are frequently exploited

FATF's 2014 virtual currency risk assessment was the first major regulatory acknowledgment of these risks. It found that convertible virtual currencies could enable greater anonymity than traditional payment methods — prompting FATF to update its Recommendations in 2018–2019 to formally extend AML/CFT obligations to virtual assets and VASPs.

Who Qualifies as a VASP?

FATF defines VASPs broadly. If your business does any of the following, you're likely classified as a VASP and carry AML obligations:

  • Exchange between virtual assets and fiat currencies
  • Exchange between one or more forms of virtual assets
  • Transfer virtual assets on behalf of customers
  • Provide safekeeping or administration of virtual assets
  • Participate in financial services related to a virtual asset offering

In practice, this covers exchanges, custodians, wallet providers, and stablecoin issuers — and regulators are now extending scrutiny to certain DeFi protocols and NFT marketplaces as well.

AML vs. KYC: Not the Same Thing

These terms are often used interchangeably, but they're distinct. AML is the broader compliance framework — the full set of policies, controls, and reporting obligations. KYC (Know Your Customer) is a critical subset focused specifically on verifying customer identities and conducting due diligence before and during the customer relationship.

In practice, a firm with strong KYC but no transaction monitoring will onboard clean customers and miss the laundering that follows. AML requires both.


Why AML Compliance Is Critical for Crypto Businesses

The Cost of Getting It Wrong

Enforcement actions in crypto AML are no longer theoretical. In 2023, Binance pleaded guilty to Bank Secrecy Act violations and agreed to pay $4.3 billion in total penalties — the largest settlement in US Treasury Department history involving a virtual asset exchange. FinCEN's separate civil money penalty against Binance alone was $3.4 billion.

Smaller firms aren't exempt. BitMEX received a $100 million civil penalty in 2021 for willful AML failures. Bittrex faced a $29 million enforcement action in 2022. In the UK, CB Payments Limited (Coinbase's UK entity) was fined £3.5 million in 2024 for repeatedly serving high-risk customers in breach of FCA requirements. In Canada, FINTRAC issued Binance a CAD $6 million administrative penalty in 2024 for PCMLTFA non-compliance.

Beyond the Fine

The financial hit is often the smallest consequence. AML failures also trigger:

  • Loss of sponsor bank access — banks terminate or refuse relationships with crypto firms that can't demonstrate mature AML controls
  • License revocation or registration denial — regulators can suspend or refuse operating licenses
  • Platform delistings — exchanges and payment rails cut off non-compliant firms
  • Investor withdrawal — institutional investors conduct compliance due diligence; program failures surface in pre-deal reviews
  • Reputational damage — public enforcement actions are permanent and searchable

The Startup Trap

Early-stage crypto firms consistently underinvest in compliance at exactly the moment it matters most. Sponsor bank reviews, institutional investor due diligence, and licensing applications all scrutinize AML programs closely. A weak AML policy found during bank onboarding doesn't cause a delay. It kills the deal.

Fraxtional works directly with crypto startups to build AML programs that pass sponsor bank review — covering policy documentation, transaction monitoring frameworks, and BSA Officer support before those gatekeeping reviews begin.


Core Components of a Crypto AML Program

Customer Identification Program (CIP)

Before onboarding any customer, crypto businesses must collect and verify:

  • Government-issued photo ID
  • Proof of address
  • For business customers: beneficial ownership information (names, ownership percentages, and identity documentation for individuals owning 25% or more)

CIP is the entry point to everything else. Weak identity verification at onboarding creates downstream problems in transaction monitoring, SAR filing, and regulatory examinations.

Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)

Standard CDD involves risk-rating each customer based on:

  • Background checks and adverse media screening
  • Source of funds and wealth
  • Geographic risk (high-risk jurisdictions per FATF)
  • PEP (Politically Exposed Person) and sanctions screening
  • Expected transaction behavior versus actual patterns

That risk rating determines the intensity of ongoing monitoring applied to the account.

Enhanced Due Diligence (EDD) applies when the risk rating is high. EDD triggers include:

  • PEP status
  • High-volume or high-value trading activity
  • Customers from FATF-listed high-risk or monitored jurisdictions
  • Complex corporate structures with opaque beneficial ownership

EDD requires deeper source-of-funds documentation, more frequent account reviews, and senior management sign-off in many cases.

Transaction Monitoring and Suspicious Activity Reporting

Ongoing transaction monitoring means watching for red flags in real time — not just at onboarding. Compliance teams must monitor for:

  • Structuring — breaking large amounts into smaller transactions to avoid reporting thresholds
  • Chain-hopping — moving funds across multiple wallets or blockchains to obscure the trail
  • Mixer and tumbler usage — services designed to anonymize transaction histories
  • Dormant account activity — sudden large withdrawals after extended inactivity
  • Profile inconsistency — transaction volumes or types that don't match the customer's declared business purpose

When monitoring identifies suspicious activity, firms must file a Suspicious Activity Report (SAR) — called an STR in Canada — with the relevant financial intelligence unit. In the US, MSBs must file SARs for suspicious activity involving $2,000 or more within 30 days of detection. Failing to file is itself a violation.
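
The structuring and dormant-account red flags above, expressed as monitoring rules in an added example (not part of the original guide). The reporting threshold reuses the $10,000 US CTR figure this guide cites; the window, split count, dormancy period, withdrawal floor, and the ledger itself are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable parameters. Only REPORT_THRESHOLD comes from the guide (US CTR figure);
# the others are assumptions to be calibrated to the business model.
REPORT_THRESHOLD = 10_000                 # USD
STRUCTURING_WINDOW = timedelta(hours=24)  # assumption
MIN_SPLITS = 3                            # assumption
DORMANCY = timedelta(days=180)            # assumption
DORMANT_WITHDRAWAL = 5_000                # assumption, USD

# Constructed sample ledger: (account, ISO timestamp, direction, USD amount)
SAMPLE_TXS = [
    ("acct-A", "2024-03-01T09:00:00", "in", 3_400),
    ("acct-A", "2024-03-01T13:30:00", "in", 3_300),
    ("acct-A", "2024-03-01T20:15:00", "in", 3_500),
    ("acct-B", "2024-03-01T10:00:00", "in", 4_000),
    ("acct-B", "2024-03-05T10:00:00", "in", 4_000),
    ("acct-B", "2024-03-09T10:00:00", "in", 4_000),
    ("acct-C", "2023-05-10T08:00:00", "in", 7_500),
    ("acct-C", "2024-03-02T11:00:00", "out", 7_400),
]

def detect_structuring(txs):
    """Flag accounts whose sub-threshold deposits add up to the reporting
    threshold inside one sliding window. Returns {account: (start, end, total)}."""
    by_acct = defaultdict(list)
    for acct, ts, direction, amt in txs:
        if direction == "in" and amt < REPORT_THRESHOLD:
            by_acct[acct].append((datetime.fromisoformat(ts), amt))
    alerts = {}
    for acct, rows in by_acct.items():
        rows.sort()
        start, total = 0, 0
        for end, (ts, amt) in enumerate(rows):
            total += amt
            while ts - rows[start][0] > STRUCTURING_WINDOW:  # slide window forward
                total -= rows[start][1]
                start += 1
            if end - start + 1 >= MIN_SPLITS and total >= REPORT_THRESHOLD:
                alerts[acct] = (rows[start][0], ts, total)
                break
    return alerts

def detect_dormant_reactivation(txs):
    """Flag large withdrawals that follow a long period with no activity."""
    last_seen, alerts = {}, []
    for acct, ts, direction, amt in sorted(txs, key=lambda t: t[1]):
        when = datetime.fromisoformat(ts)
        prev = last_seen.get(acct)
        if (prev and direction == "out" and amt >= DORMANT_WITHDRAWAL
                and when - prev >= DORMANCY):
            alerts.append((acct, when, amt))
        last_seen[acct] = when
    return alerts
```

On the sample ledger, acct-A is flagged for structuring and acct-C for dormant reactivation, while acct-B's deposits spread over several days raise no alert.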

The Travel Rule

SAR filing addresses suspicious activity after the fact. The Travel Rule takes a different approach — it requires VASPs to share customer data proactively on every qualifying transfer. Implemented through FATF Recommendation 16, the rule requires VASPs to collect, verify, and transmit originator and beneficiary information on virtual asset transfers above applicable thresholds. Thresholds vary:

Jurisdiction    | Threshold         | Effective Date
United States   | $3,000            | Confirmed 2019 (FinCEN guidance)
European Union  | €1,000            | 30 December 2024 (TFR)
United Kingdom  | £1,000 equivalent | 1 September 2023
Canada          | CAD $1,000        | 1 June 2021

Technical implementation — how originator and beneficiary data is transmitted between VASPs — remains one of the most operationally complex elements of crypto compliance, particularly for firms operating across multiple jurisdictions with different messaging standards.

Appointing a Compliance Officer

Most jurisdictions require a named, accountable compliance officer. The title varies:

  • US: BSA Officer
  • UK: MLRO (Money Laundering Reporting Officer)
  • Canada: CAMLO (Chief Anti-Money Laundering Officer) or Compliance Officer per FINTRAC terminology

This person is legally accountable for the firm's AML program — not just a signatory on documents. That distinction matters during regulatory examinations.

For early-stage crypto firms that can't justify a full-time senior hire, a fractional compliance officer model provides the required named accountability without the cost of a permanent executive. Fraxtional places named Directors into BSA Officer, MLRO, and CAMLO roles, giving crypto startups compliance leadership that holds up to regulator, sponsor bank, and auditor scrutiny.


Crypto AML Regulations: What US, UK, EU, and Canadian Businesses Must Know

United States

FinCEN classifies most VASPs as Money Services Businesses (MSBs) under the Bank Secrecy Act. As an MSB, a crypto firm must:

  • Register with FinCEN
  • Implement a written AML program
  • File SARs (threshold: $2,000 for suspicious transactions) and CTRs (threshold: $10,000 cash transactions)
  • Maintain a Customer Identification Program
  • Comply with the Funds Travel Rule for transfers of $3,000 or more

The Anti-Money Laundering Act of 2020 (AMLA) strengthened beneficial ownership requirements through the Corporate Transparency Act and introduced a FinCEN whistleblower program. AMLA's language explicitly covers businesses transmitting "currency, funds, or value that substitutes for currency or funds", capturing crypto firmly within scope.

United Kingdom

UK crypto firms must register with the FCA under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (MLRs). Requirements include:

  • FCA registration before conducting in-scope cryptoasset activity
  • A documented AML/CTF risk assessment
  • Appointment of a named MLRO
  • CDD, EDD, and ongoing monitoring meeting FCA expectations
  • Travel Rule compliance from 1 September 2023

The FCA's 2024 enforcement action against CB Payments Limited is worth noting: the firm repeatedly onboarded high-risk customers in breach of its own requirements. The case signals that the regulator has moved from registration scrutiny to active enforcement.

European Union

The EU framework for crypto AML now operates across two interconnected regulations:

  • MiCA (Markets in Crypto-Assets Regulation) — applies from 30 December 2024, requiring CASP authorization that includes fit-and-proper checks and AML obligations
  • Transfer of Funds Regulation (TFR / Regulation EU 2023/1113) — extends originator and beneficiary information requirements to crypto-asset transfers, with a €1,000 threshold for self-hosted wallet verification

CASPs are full obliged entities under the EU AML framework, subject to CDD, EDD for high-risk counterparties, and Travel Rule compliance.

Canada

Canada's framework is notable for its explicit reach beyond borders. Foreign exchanges serving Canadian customers must register as MSBs with FINTRAC and comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Obligations include:

  • FINTRAC MSB registration (including foreign MSBs dealing in virtual currencies)
  • A documented compliance program with appointed compliance officer
  • Record-keeping requirements
  • Suspicious Transaction Reports (STRs) and Large Virtual Currency Transaction Reports
  • Travel Rule compliance for virtual currency transfers of CAD $1,000 or more (effective June 2021)

FINTRAC's CAD $6 million penalty against Binance in 2024 confirmed that foreign exchanges serving Canadian customers are within scope, regardless of where they're headquartered.

FATF as the Global Baseline

All four jurisdictions have implemented FATF's Recommendations as the foundational standard. FATF Recommendation 15 extended AML/CFT measures to virtual assets and VASPs. Recommendation 16 is the source of the Travel Rule standard. For any business operating across multiple jurisdictions, FATF alignment provides a single compliance baseline that satisfies the core obligations of each framework at once.


Best Practices for Building a Crypto AML Compliance Program

Effective crypto AML programs share three structural elements: a documented risk foundation, automated monitoring calibrated to crypto's speed and volume, and an audit trail that holds up under regulatory scrutiny. Here's how each works in practice.

Start With a Formal Risk Assessment

Before building controls, document where your risks actually are.

A risk-based program allocates scrutiny and resources in proportion to risk — not uniformly across every customer and product. Inputs should include:

  • Product type and transaction volume
  • Customer base geography and profile
  • Exposure to high-risk jurisdictions per FATF
  • Crypto-specific risk factors (custody model, self-hosted wallet interactions, DeFi integrations)

The output should be a prioritized findings document — not a generic checklist — that maps identified risks to specific controls and owners.

Implement Automated Monitoring and Sanctions Screening

Manual review doesn't scale for crypto transaction volumes. Effective programs use:

  • Blockchain analytics tools to trace wallet histories and identify exposure to sanctioned addresses
  • AML screening against OFAC's SDN list, the UK Sanctions List, and the UN Security Council Consolidated List
  • Transaction monitoring rules calibrated to your specific business model — not generic thresholds borrowed from traditional banking

Build a Training, Record-Keeping, and Audit Framework

Three non-negotiables that regulators check in every examination:

  1. Staff training — everyone with AML responsibilities must be trained, and training records must be documented
  2. Record retention — customer records and transaction logs must be retained for at least five years in most jurisdictions
  3. Independent audit — the AML program should be reviewed and independently audited regularly to identify gaps before regulators do

Regulators treat an absence of independent audit as a control gap in itself. A program that can't demonstrate third-party review — with documented findings and remediation tracking — is harder to defend in an examination, regardless of how well the underlying controls actually function.


Frequently Asked Questions

What is AML in crypto?

Crypto AML is the legal and operational framework that cryptocurrency businesses must maintain to detect, prevent, and report money laundering and terrorist financing — covering internal policies, customer due diligence, transaction monitoring, and mandatory reporting obligations.

Who needs to comply with crypto AML regulations?

Any business classified as a VASP carries AML obligations in its operating jurisdiction. That includes exchanges, custodians, wallet providers, stablecoin issuers, and crypto payment processors. DeFi protocols and NFT marketplaces may also fall within scope depending on how regulators classify their activities.

What are the consequences of failing to comply with AML rules in crypto?

Consequences include regulatory fines (ranging from hundreds of thousands to billions of dollars), license suspension or revocation, loss of sponsor bank relationships, and lasting reputational damage. Enforcement activity across the US, UK, EU, and Canada has escalated sharply since 2021.

What is the Travel Rule and does it apply to my crypto business?

The Travel Rule requires VASPs to share originator and beneficiary information on virtual asset transfers above set thresholds — $3,000 in the US, €1,000 in the EU, £1,000 equivalent in the UK, and CAD $1,000 in Canada. If your platform processes transfers between wallets or between VASPs, it almost certainly applies.

Do crypto startups need to appoint a dedicated compliance officer?

Yes. The US, UK, and Canada all require a named, accountable compliance officer (BSA Officer, MLRO, or CAMLO respectively). Startups can meet this requirement through fractional or part-time compliance leadership arrangements, which provide the named accountability regulators require without the cost of a full-time executive hire.

How often should a crypto AML program be reviewed or updated?

AML programs should be reviewed at minimum annually. Any material change — new products, new customer segments, geographic expansion, or regulatory updates — should trigger an immediate review.