Anti-money laundering (AML) compliance is mandatory for cryptocurrency businesses worldwide. Exchanges, custodians, payment processors, and DeFi protocols all face growing regulatory pressure to implement effective AML programs. This guide explains the core requirements — from customer verification and transaction monitoring to the Travel Rule — and shows how a risk-based approach ties them together.

The Regulatory Landscape

AML regulations for cryptocurrency have evolved rapidly since the Financial Action Task Force (FATF) updated its Recommendations in 2019 to explicitly cover virtual asset service providers (VASPs). That update triggered national legislation across dozens of countries, bringing crypto businesses under AML frameworks previously reserved for traditional financial institutions.

In the United States, the Bank Secrecy Act (BSA) requires money services businesses (MSBs) — including cryptocurrency exchanges and certain wallet providers — to register with FinCEN, implement AML programs, file suspicious activity reports (SARs), and maintain transaction records. FinCEN's 2019 guidance on virtual currency business models remains the foundational reference for how existing BSA rules apply to crypto businesses.

In the European Union, AML obligations flow through the Anti-Money Laundering Regulation (AMLR) and transfer-of-funds rules, while MiCA imposes additional prudential, disclosure, and conduct requirements on crypto-asset service providers and stablecoin issuers. The EU's Anti-Money Laundering Authority (AMLA) centralizes enforcement oversight across member states.

Other major markets — including Singapore, Japan, South Korea, the UAE, and Brazil — have each adopted VASP licensing and AML regimes aligned with FATF standards. The specifics vary, but the core principle is universal: crypto businesses must identify their customers, monitor transactions for suspicious activity, and report concerns to authorities.

KYC vs KYT: Know Your Customer vs Know Your Transaction

Traditional AML compliance centers on Know Your Customer (KYC): verifying customer identity at onboarding and periodically throughout the relationship. Exchanges screen customers against sanctions lists, verify identity documents, and assess risk profiles before granting access. KYC remains the foundation of any AML program.

Cryptocurrency introduces something traditional finance lacks — transparent, public transaction data. Every blockchain transfer is visible, traceable, and permanent. This creates the opportunity for Know Your Transaction (KYT): analyzing on-chain activity associated with an address rather than relying solely on the identity of its owner.

KYT examines where funds originate and where they flow. It checks whether deposits come from sanctioned addresses, mixing services, darknet marketplaces, or high-risk jurisdictions. It assesses risk based on the full transaction graph, not just the immediate counterparty.

The most effective AML programs combine both approaches. KYC establishes who a customer claims to be. KYT reveals what their funds are actually doing on-chain. When these signals align, compliance teams have high confidence. When they diverge — for example, a customer claiming retail trading activity whose deposits consistently originate from high-risk addresses — it signals a need for enhanced investigation.

Transaction Monitoring

Transaction monitoring is the ongoing process of analyzing customer activity for patterns that may indicate money laundering, terrorist financing, or sanctions evasion. For crypto businesses, this involves both on-chain monitoring (blockchain analysis) and off-chain monitoring (platform behavior such as login patterns, withdrawal frequency, and account changes).

Effective monitoring requires clearly defined rules and thresholds that generate actionable alerts. Common approaches include:

Sanctions screening checks every deposit and withdrawal address against OFAC, EU, and UN sanctions lists in real time. A direct match requires immediate blocking and reporting. Beyond exact matches, effective screening also identifies addresses controlled by or closely connected to sanctioned entities.

Blacklist proximity analysis measures the graph distance between transaction addresses and known blacklisted entities. Direct matches are straightforward, but addresses one or two hops from a sanctioned or blacklisted entity also warrant review. Proximity scoring assigns graduated risk based on the number of intermediary transactions separating an address from a flagged entity.

Structuring detection identifies patterns where users split activity into smaller amounts to avoid reporting thresholds. In the US, currency transaction reports (CTRs) apply at $10,000, and crypto businesses maintain additional SAR and internal risk-monitoring thresholds. Repeated transactions just below these triggers can indicate deliberate structuring.

Rapid movement of funds flags accounts where deposits are quickly withdrawn to external addresses, suggesting pass-through activity rather than legitimate trading or holding.

Mixer and privacy tool interaction detects deposits originating from mixing services, privacy coins, or chain-hopping patterns designed to obscure fund origins. Because mixers are specifically designed to break transaction trails, any interaction with these services elevates risk and typically warrants investigation.
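The blacklist proximity analysis described above can be shown as an added example (not code from the original page or from any vendor): a multi-source breadth-first search computes each address's minimum hop distance from any flagged entity, then maps that distance to a graduated score and an action. The addresses, the score table, the review threshold, and the choice to treat transfers as undirected edges are all constructed assumptions.

```python
from collections import deque

# Constructed sample data: (sender, receiver) transfers and flagged addresses.
TRANSFERS = [
    ("sanctioned_1", "hop_a"), ("hop_a", "hop_b"), ("hop_b", "customer_1"),
    ("mixer_1", "customer_2"),
    ("exchange_hot", "customer_3"), ("customer_3", "merchant"),
]
FLAGGED = {"sanctioned_1", "mixer_1"}

# Assumed policy values: risk score by hop distance from a flagged entity.
SCORE_BY_HOPS = {0: 100, 1: 75, 2: 40, 3: 15}


def hop_distances(transfers, flagged, max_hops=3):
    """Minimum hops from any flagged address, explored up to max_hops."""
    neighbours = {}
    for sender, receiver in transfers:
        # Assumption: exposure counts in both directions (sent to or received from).
        neighbours.setdefault(sender, set()).add(receiver)
        neighbours.setdefault(receiver, set()).add(sender)
    dist = {addr: 0 for addr in flagged}
    queue = deque(flagged)
    while queue:
        addr = queue.popleft()
        if dist[addr] == max_hops:
            continue  # do not expand beyond the configured horizon
        for nxt in neighbours.get(addr, ()):
            if nxt not in dist:  # first visit is the shortest path in BFS
                dist[nxt] = dist[addr] + 1
                queue.append(nxt)
    return dist


def screen(address, dist, review_at=40):
    """Map hop distance to a score and an action for the compliance queue."""
    hops = dist.get(address)  # None: no path to a flagged entity within max_hops
    score = 0 if hops is None else SCORE_BY_HOPS.get(hops, 0)
    if hops == 0:
        action = "block_and_report"   # direct match
    elif score >= review_at:
        action = "manual_review"      # one or two hops away
    else:
        action = "allow"
    return {"address": address, "hops": hops, "score": score, "action": action}


if __name__ == "__main__":
    distances = hop_distances(TRANSFERS, FLAGGED)
    for addr in ("sanctioned_1", "customer_2", "hop_b", "customer_1", "merchant"):
        print(screen(addr, distances))
```

In production the hop horizon and score table would come from the documented risk policy, and the graph would be queried from a blockchain analytics source rather than held in memory.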

The Travel Rule

The FATF Travel Rule requires financial institutions to transmit sender and recipient identifying information when transferring funds above a threshold amount. Originally designed for bank wire transfers, it now applies to VASPs sending cryptocurrency on behalf of customers.

In practice, a sending VASP must transmit the customer's name, account identifier, and address to the receiving VASP alongside the blockchain transaction. The FATF de minimis threshold is 1,000 USD/EUR, though individual jurisdictions may adopt different levels. FATF's 2021 updated guidance remains the primary international baseline.

Implementation is technically challenging because blockchain transactions carry no native identity data. Industry solutions — including TRISA (Travel Rule Information Sharing Architecture), OpenVASP, and various proprietary protocols — create parallel communication channels between VASPs for exchanging identity data alongside on-chain transfers.

Transfers to non-custodial wallets complicate matters further. When a customer withdraws to a self-hosted wallet, no receiving VASP exists to accept the data. Jurisdictions handle this differently: some require the sending VASP to collect and retain recipient identity information regardless, while others apply the Travel Rule only to VASP-to-VASP transfers. Businesses operating across multiple jurisdictions must track these variations carefully.

The Risk-Based Approach

FATF recommends, and most jurisdictions require, a risk-based approach (RBA) to AML compliance. Rather than applying uniform scrutiny to every customer and transaction, businesses allocate resources according to assessed risk levels. Higher-risk customers and transactions receive enhanced due diligence, while lower-risk ones receive standard treatment.

Risk assessment for crypto businesses considers four dimensions:

Customer risk depends on identity, location, source of wealth, and transaction behavior. A high-volume trader in a high-risk jurisdiction warrants more scrutiny than a retail customer in a well-regulated market.

Product risk varies by service type. Privacy coins, mixing services, and cross-chain bridges carry higher inherent risk than spot trading of major tokens.

Geographic risk considers the AML regimes, active sanctions programs, and corruption levels of jurisdictions involved in transactions.

Transaction risk is assessed per transaction using on-chain analysis. Graph-based proximity scoring is a primary tool for evaluating transaction risk in real time, assigning quantified risk based on the address's connections across the blockchain.

Building an Effective AML Program

A complete crypto AML program integrates five components:

  1. A documented AML policy approved by senior management, defining risk appetite, compliance obligations, and escalation procedures.
  2. Onboarding procedures including identity verification, sanctions screening, and initial risk assessment.
  3. Ongoing transaction monitoring combining on-chain analytics with behavioral analysis.
  4. A trained compliance team empowered to investigate alerts, file SARs, and make risk-based decisions.
  5. Regular independent audits ensuring the program remains effective as business operations and the regulatory landscape evolve.

Technology is essential but not sufficient. Automated screening handles clear-cut cases efficiently, but edge cases require experienced compliance professionals who understand both regulatory requirements and the technical nuances of blockchain transactions. The strongest programs combine analytics tools with skilled human judgment.

As the industry matures, effective AML compliance is increasingly a competitive advantage. Businesses with strong programs attract institutional customers, maintain banking relationships more readily, and face lower regulatory risk. Demonstrating genuine commitment to compliance builds trust with customers, partners, and regulators.

Frequently Asked Questions

What is the difference between KYC and KYT in crypto compliance?

KYC (Know Your Customer) verifies a customer's identity through document checks and sanctions screening at onboarding. KYT (Know Your Transaction) analyzes on-chain blockchain activity to assess where funds originate and where they flow. Effective crypto AML programs use both — KYC establishes claimed identity, while KYT verifies actual fund behavior on the blockchain.

What does the FATF Travel Rule require for crypto businesses?

The Travel Rule requires VASPs to transmit sender and recipient identifying information when transferring cryptocurrency above a threshold amount — 1,000 USD/EUR under FATF standards, though jurisdictions may differ. Sending and receiving VASPs exchange this data through protocols such as TRISA or OpenVASP alongside the on-chain transfer.

What triggers a suspicious activity report (SAR) at a crypto exchange?

Common SAR triggers include transactions involving sanctioned addresses, deposits from mixing services or darknet marketplaces, structuring patterns designed to avoid reporting thresholds, rapid pass-through of funds, and significant discrepancies between a customer's stated activity and their actual on-chain behavior.

How does blockchain transaction monitoring work?

Blockchain transactions are publicly visible and permanently recorded, enabling analysis that traces fund flows across the entire transaction graph. Unlike traditional finance — where monitoring is limited to activity within a single institution — crypto monitoring assesses risk based on the full history and connections of an address across the blockchain.

Is a risk-based approach required for crypto AML compliance?

Yes. FATF and most national AML regimes require a risk-based approach, meaning businesses allocate compliance resources according to assessed risk levels rather than applying uniform scrutiny. Higher-risk customers, jurisdictions, products, and transactions receive enhanced due diligence, while lower-risk activity receives standard treatment.
