Compliance 101 for Crypto Businesses

A practical guide to blacklist monitoring, transaction screening, and risk management for exchanges, DeFi protocols, and OTC desks

If you operate an exchange, DeFi protocol, OTC desk, or payment processor that handles stablecoins, you need a compliance program, or at minimum a documented risk-assessment process. Regulatory expectations have sharpened since 2021: OFAC has designated specific blockchain addresses on its sanctions list, stablecoin issuers have collectively frozen billions of dollars in USDT and USDC, and enforcement agencies worldwide increasingly expect crypto businesses to screen transactions with the same rigor applied to traditional financial services. This guide covers practical steps for blacklist monitoring, transaction screening, and defensible risk policies, drawing on the expectations reflected in OFAC's 2021 sanctions compliance guidance for the virtual currency industry, FinCEN's 2019 virtual currency guidance, and FATF's guidance for virtual asset service providers (VASPs).

Who needs compliance?

The short answer: any business that custodies, routes, converts, or regularly accepts stablecoins should assess its compliance obligations. The regulatory landscape varies by jurisdiction, but the underlying counterparty and sanctions risk is universal. In the US, OFAC sanctions apply to all US persons regardless of whether a crypto-specific law exists. In the EU, MiCA requires licensed crypto-asset service providers to implement transaction monitoring and risk management. Globally, the FATF's travel rule is being adopted by an increasing number of jurisdictions, extending AML obligations to virtual asset service providers.

Centralized Exchanges

Highest regulatory burden. Must comply with local AML laws, typically requiring full KYC, ongoing transaction monitoring, suspicious activity reports (SARs), and sanctions screening. Most jurisdictions require a license or registration.

Regulatory Risk: High

DeFi Protocols

Evolving landscape. Jurisdictions increasingly expect DeFi projects to implement address screening, especially those with governance tokens, admin keys, or fiat on/off ramps. The FATF's 2021 updated guidance indicates that the owners or operators who retain control or sufficient influence over a DeFi arrangement may qualify as VASPs even where the software itself does not.

Regulatory Risk: Medium-High

OTC Desks

High-value, low-volume transactions amplify per-transaction risk. Counterparty due diligence is critical because a single large transfer involving a sanctioned entity can trigger enforcement action.

Regulatory Risk: High

Payment Processors

Processing stablecoin payments for merchants requires screening both sides of each transaction — the payer's source of funds and the recipient's risk profile.

Regulatory Risk: Medium

Even without explicit regulation, there's liability

Many jurisdictions haven't passed crypto-specific compliance laws yet, but that doesn't eliminate risk. Knowingly or negligently processing funds involving blacklisted addresses can expose your business to civil liability, loss of banking relationships, and regulatory action. A documented compliance program is your strongest defense.

Core requirements

Regardless of your business type, effective stablecoin compliance rests on four pillars:

01 Real-Time Blacklist Monitoring

Know when addresses in your system get blacklisted. Retroactive blacklisting means an address that was clean when you transacted with it can be frozen days or weeks later, turning a completed transaction into a compliance incident. Issuers like Tether and Circle maintain independent blacklists that change without advance notice, separate from government sanctions lists. On Ethereum these actions are visible on-chain: the USDT contract emits AddedBlackList and RemovedBlackList events and the USDC contract emits Blacklisted and UnBlacklisted events, so you can watch the contracts directly rather than depending solely on a vendor feed.

What you need:
  • API access to blacklist data across all chains you support
  • Real-time alerts when blacklist events affect addresses in your system
  • Historical lookup to screen new customer addresses against past activity
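
One way to consume those issuer events and catch retroactive listings, as an added example that is not code from this guide or from any issuer: the event names are the public USDT (AddedBlackList/RemovedBlackList) and USDC (Blacklisted/UnBlacklisted) contract events, while the customer addresses, historical transfers and event records are constructed sample data, and the `BlacklistState` and `run_monitor` names are this example's own. In production the events would arrive from an RPC log subscription or a vendor API.

```python
"""Blacklist event monitor: keep issuer blacklist state current from
on-chain events and alert on addresses your system has touched.

Added example, not the guide's code. Event names match the public USDT
and USDC contracts; all addresses, transfers and events below are
constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Event name -> new blacklist state (True = listed, False = delisted).
EVENT_EFFECT = {
    "AddedBlackList": True,      # USDT (Tether) ERC-20 contract
    "RemovedBlackList": False,
    "Blacklisted": True,         # USDC (Circle FiatToken) contract
    "UnBlacklisted": False,
}


@dataclass
class BlacklistState:
    # token symbol -> set of currently listed addresses (lower-cased)
    listed: dict = field(default_factory=lambda: defaultdict(set))
    # addresses still live in our system: hot wallets, deposit addresses
    active: set = field(default_factory=set)
    # past counterparty -> list of (tx_hash, block) we settled with it
    history: dict = field(default_factory=lambda: defaultdict(list))

    def apply_event(self, token, name, address):
        """Apply one issuer event; return the alerts it triggers."""
        address = address.lower()
        listed = EVENT_EFFECT.get(name)
        if listed is None:
            return []  # Transfer, Approval, ...: not a blacklist event
        alerts = []
        if listed:
            self.listed[token].add(address)
            if address in self.active:
                alerts.append(("ACTIVE_ADDRESS_LISTED", token, address, None))
            # Retroactive hit: a completed transaction is now exposed.
            for tx_hash, _block in self.history.get(address, []):
                alerts.append(("RETROACTIVE_HIT", token, address, tx_hash))
        else:
            self.listed[token].discard(address)
        return alerts

    def is_listed(self, address):
        address = address.lower()
        return any(address in addrs for addrs in self.listed.values())


# Constructed sample data: one live deposit address, two settled
# transactions with counterparty 0xbbb2, and a short event stream.
SAMPLE_ACTIVE = {"0xaaa1"}
SAMPLE_HISTORY = {"0xbbb2": [("0xtx01", 19_000_000), ("0xtx02", 19_000_420)]}
SAMPLE_EVENTS = [
    ("USDT", "Transfer", "0xbbb2"),          # ignored
    ("USDT", "AddedBlackList", "0xBBB2"),    # retroactive: two past txs
    ("USDC", "Blacklisted", "0xccc3"),       # never seen by us: no alert
    ("USDT", "RemovedBlackList", "0xbbb2"),  # delisted again
    ("USDC", "Blacklisted", "0xaaa1"),       # our own live address
]


def run_monitor(events=SAMPLE_EVENTS, active=SAMPLE_ACTIVE, history=SAMPLE_HISTORY):
    """Replay an event stream; return final state and alerts in order."""
    state = BlacklistState(active=set(active))
    for addr, txs in history.items():
        state.history[addr].extend(txs)
    alerts = []
    for token, name, address in events:
        alerts.extend(state.apply_event(token, name, address))
    return state, alerts


if __name__ == "__main__":
    _state, found = run_monitor()
    for alert in found:
        print(alert)
```

Note that a delisting removes the address from the live blacklist but does not retract the earlier alerts; the retroactive hits still need a recorded review decision, which is the audit-trail pillar below.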

02 Transaction Screening

Screen transactions before they execute. Inbound deposits from blacklisted or high-risk addresses should be flagged immediately. Outbound withdrawals to such addresses should be blocked or routed to manual review. Post-execution screening is necessary too, but catching issues before funds move is far more effective than attempting recovery afterward.

What you need:
  • Pre-transaction screening hooks for both deposits and withdrawals
  • Configurable risk thresholds tailored to your risk appetite
  • A review queue for compliance staff to evaluate flagged transactions

03 Proximity Analysis

Direct blacklist matches are only part of the picture. An address one or two hops from a blacklisted address may carry elevated risk. Proximity analysis measures how many transaction steps separate an address from a known risk source, enabling you to assess indirect exposure and apply enhanced due diligence proportionally. Direction matters: for an inbound deposit the relevant question is where the funds came from (upstream), for a withdrawal where they are going (downstream).

What you need:
  • Graph analysis capability to trace transaction flows
  • Hop-count calculation relative to known risk sources
  • Risk scoring that incorporates proximity alongside other signals

04 Audit Trail

Document everything. When regulators, law enforcement, or auditors review your handling of a specific transaction, you need records showing what data you checked, when you checked it, what risk score was assigned, and what action was taken. Incomplete records undermine even the best screening system.

What you need:
  • Timestamped logs of all screening decisions with data inputs
  • Risk scores recorded at the time of each transaction evaluation
  • Documentation of manual review decisions including reviewer and rationale

Transaction screening framework

Here's a practical four-stage framework for implementing transaction screening:

1. Pre-Transaction Check

Before accepting a deposit or processing a withdrawal:

  • Check if the address appears on any stablecoin issuer blacklist
  • Calculate proximity to blacklisted or sanctioned addresses
  • Cross-reference against sanctions lists (OFAC SDN, EU Consolidated, UN)
  • Review transaction history for patterns associated with mixers, high-risk bridges, or rapid fund movement

2. Risk Scoring

Assign a composite risk score based on weighted factors. The weights below are illustrative — calibrate them to your risk appetite and regulatory requirements:

  • Blacklist Status: 40%
  • Proximity (Hops): 30%
  • Transaction Amount: 15%
  • Historical Behavior: 15%

A directly blacklisted or sanctioned address should score 100 regardless of other factors. For non-blacklisted addresses, the composite score reflects the number and strength of risk signals present.

3. Decision Matrix

Map risk scores to predefined actions. These thresholds are starting points — adjust based on your business type, jurisdiction, and risk tolerance:

  • Score 0-30: Auto-Approve. Low risk, process normally.
  • Score 31-60: Flag for Review. Medium risk, compliance review before processing.
  • Score 61-80: Escalate. High risk, senior review with full documentation.
  • Score 81-100: Block. Critical risk, reject the transaction.

4. Post-Transaction Monitoring

Screening doesn't end when a transaction completes:

  • Log all screening results and the action taken
  • Monitor for retroactive blacklisting of addresses you've transacted with
  • Update user risk profiles based on accumulated transaction patterns
  • Generate periodic compliance reports for internal review and regulatory readiness
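
The four stages above as one screening function, as an added example that is not the guide's own code: a breadth-first search over a transfer graph gives the hop count (upstream for deposits, downstream for withdrawals), the illustrative weights and score bands from the guide produce the composite score and action, a hop-based override applies the risk-appetite presets from the policy section, and each decision is written to an audit record. The transfers, the blacklist, the `screen`/`hop_distance` names, and the treatment of a previously delisted address as a partial blacklist signal are assumptions made for illustration.

```python
"""Transaction screening: BFS hop count, weighted composite score,
decision matrix with policy override, and an audit record per decision.

Added example, not the guide's code. Transfers, lists and policy presets
are constructed sample data; weights and bands are the guide's
illustrative numbers. Counting a formerly listed address as a partial
blacklist signal is an assumption.
"""
import json
import time
from collections import defaultdict, deque

WEIGHTS = {"blacklist": 40, "proximity": 30, "amount": 15, "behavior": 15}
DECISIONS = [(30, "AUTO_APPROVE"), (60, "FLAG_FOR_REVIEW"),
             (80, "ESCALATE"), (100, "BLOCK")]
# Risk appetite presets: (block at <= N hops, review at <= M hops).
POLICIES = {"conservative": (2, 3), "moderate": (1, 2), "permissive": (0, None)}

# Constructed sample data: (sender, receiver) stablecoin transfers.
SAMPLE_TRANSFERS = [("0xbad1", "0xmix1"), ("0xmix1", "0xuser2"),
                    ("0xuser2", "0xuser3"), ("0xclean4", "0xuser5")]
SAMPLE_BLACKLIST = {"0xbad1"}         # currently listed by an issuer
SAMPLE_SANCTIONS = set()              # e.g. OFAC SDN digital-currency addresses
SAMPLE_FORMERLY_LISTED = {"0xuser3"}  # listed, then removed (assumed signal)
AUDIT_LOG = []                        # JSON lines, one per decision


def build_graph(transfers):
    """Forward (sender -> receivers) and reverse adjacency sets."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for src, dst in transfers:
        fwd[src].add(dst)
        rev[dst].add(src)
    return fwd, rev


def hop_distance(adj, start, risk_sources, max_hops=3):
    """Fewest transfers from start to any risk source, or None if none is
    reachable within max_hops. 0 means start itself is a risk source."""
    if start in risk_sources:
        return 0
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if dist >= max_hops:
            continue
        for nxt in adj.get(node, ()):
            if nxt in seen:
                continue
            if nxt in risk_sources:
                return dist + 1
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def factor_points(hops, amount, flags, formerly_listed):
    """Points per factor, each capped at that factor's weight."""
    proximity = {1: 30, 2: 20, 3: 10}.get(hops, 0)
    amount_pts = 15 if amount >= 100_000 else 10 if amount >= 10_000 else 5 if amount >= 1_000 else 0
    behavior = min(WEIGHTS["behavior"], 5 * len(flags))  # mixer, rapid_movement, ...
    blacklist = WEIGHTS["blacklist"] if formerly_listed else 0
    return {"blacklist": blacklist, "proximity": proximity,
            "amount": amount_pts, "behavior": behavior}


def decide(score, hops, policy):
    """Map score to an action, then apply the hop-based policy override."""
    block_hops, review_hops = POLICIES[policy]
    action = next(act for bound, act in DECISIONS if score <= bound)
    if hops is not None:
        if hops <= block_hops:
            action = "BLOCK"
        elif review_hops is not None and hops <= review_hops and action == "AUTO_APPROVE":
            action = "FLAG_FOR_REVIEW"
    return action


def screen(address, direction, amount, flags, policy="moderate",
           transfers=SAMPLE_TRANSFERS, blacklist=SAMPLE_BLACKLIST,
           sanctions=SAMPLE_SANCTIONS, formerly_listed=SAMPLE_FORMERLY_LISTED):
    """Stages 1-3 for one transaction; appends the stage-4 audit record."""
    fwd, rev = build_graph(transfers)
    adj = rev if direction == "deposit" else fwd  # upstream vs downstream
    hops = hop_distance(adj, address, blacklist | sanctions)
    if hops == 0:
        factors, score = {"blacklist": 100}, 100  # direct hit: always 100
    else:
        factors = factor_points(hops, amount, flags, address in formerly_listed)
        score = sum(factors.values())
    action = decide(score, hops, policy)
    record = {"ts": time.time(), "address": address, "direction": direction,
              "amount": amount, "flags": list(flags), "hops": hops,
              "factors": factors, "score": score, "policy": policy,
              "action": action, "list_sizes": {"blacklist": len(blacklist),
                                               "sanctions": len(sanctions)}}
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))
    return record


if __name__ == "__main__":
    for rec in (screen("0xuser2", "deposit", 5_000, ["mixer"]),
                screen("0xmix1", "deposit", 100, []),
                screen("0xmix1", "withdrawal", 100, [])):
        print(rec["address"], rec["direction"], rec["hops"], rec["score"], rec["action"])
```

Two things the numbers make visible: with the guide's weights a non-listed address tops out at 60, so the Escalate and Block bands are only reached through the blacklist factor or the hop override, which is why the policy presets matter; and the same address can be blocked as a deposit source yet approved as a withdrawal destination, because upstream and downstream exposure differ.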

Building risk policies

Your screening framework needs clear, written policies that your team follows consistently.

Define your risk appetite

Different businesses operate under different regulatory regimes and risk tolerances. A US-regulated exchange will adopt stricter policies than a DeFi protocol serving non-US users, but both need a documented, defensible position.

From conservative to permissive:

  • Block at 2 hops or closer: US exchanges, banks
  • Block at 1 hop, review at 2: most exchanges
  • Block only direct blacklist matches: some DeFi protocols

Your risk appetite should reflect your regulatory jurisdiction, the assets you handle, and the nature of your transactions. Document the rationale behind your chosen thresholds — regulators want to see that you made a deliberate, informed decision, not that you picked numbers arbitrarily.

Document exception processes

Real-world compliance isn't binary. You need clear, repeatable processes for edge cases:

False positives

What happens when a legitimate user is flagged? Document the evidence required to clear them, who has authority to approve the override, and how the decision is recorded.

Time-sensitive transactions

How do you handle urgent transactions that land in manual review? Define escalation paths, maximum review times, and fallback procedures.

Borderline cases

What about transactions that score just below your block threshold? Consider requiring additional verification or enhanced monitoring for a defined period.

Consistency matters more than strictness. Regulators care more about whether you follow your own policies consistently than about exactly where you set your thresholds. Define your policies, train your team, and apply them uniformly. When you update thresholds, document the change and the reason.

Implementation checklist

Use this checklist to track your compliance program build-out. Each category represents a necessary component of effective stablecoin compliance:

  • Data Sources
  • Screening System
  • Policies & Documentation
  • Monitoring & Reporting

Frequently asked questions

Do DeFi protocols need a compliance program?

It depends on the protocol's structure and jurisdiction. The FATF's 2021 updated guidance treats the owners or operators who retain control or sufficient influence over a DeFi arrangement as potential VASPs subject to AML requirements. In the EU, MiCA applies to crypto-asset service providers; its recitals carve out only services provided in a fully decentralised manner without any intermediary, so a protocol with an identifiable operator should not assume it is out of scope. Even where regulation is unclear, screening addresses against stablecoin blacklists and sanctions lists reduces legal and reputational risk.

How often should screening data be updated?

Blacklist events can happen at any time without advance notice. For effective compliance, your screening data should update continuously or as close to real-time as your data provider supports. At minimum, run batch updates daily. Sanctions lists from OFAC, the EU, and the UN update on their own schedules, but additions can be immediate.

What is the minimum compliance program for a small crypto business?

At minimum: screen every inbound and outbound address against current stablecoin blacklists and the OFAC SDN list before processing. Log every screening result. Document your screening policy in writing. This baseline won't satisfy every regulatory framework, but it demonstrates good-faith effort and creates a foundation to build on as your program matures.

Key takeaways

  1. Every crypto business needs compliance. Even without explicit regulation, processing funds involving blacklisted addresses creates liability.
  2. Screen before transactions execute. Catching issues before funds move is far more effective than post-transaction remediation.
  3. Look beyond direct blacklists. Proximity analysis reveals indirect exposure that direct lookups miss.
  4. Document everything consistently. Clear policies with complete audit trails are your best defense when regulators, auditors, or law enforcement review your operations.

Primary sources