AML Compliance for Crypto Companies: What You Need to Know

Anzar Dewani

1 hour ago

Crypto businesses face the same AML obligations as traditional financial institutions — and in some ways more. Here is what FinCEN requires, how crypto-specific risks shape your compliance program, and what regulators are focused on.

Crypto businesses do not get a compliance exemption. FinCEN confirmed in 2013 — and has reiterated and enforced consistently since — that companies that accept and transmit cryptocurrency are money transmitters under the Bank Secrecy Act. That means every AML obligation that applies to traditional money services businesses applies to you too.

In practice, crypto companies often face additional compliance complexity beyond traditional MSBs. The pseudonymous nature of blockchain transactions, the speed of settlement, the global and borderless nature of crypto activity, and the rapidly evolving regulatory landscape all create elevated AML risk that FinCEN, OFAC, and international regulators take increasingly seriously.

This article covers what AML compliance requires for crypto businesses, what makes crypto-specific risk different from traditional MSB risk, and what enforcement trends fintechs in this space need to understand.

Crypto Businesses Are MSBs — What That Means Operationally

FinCEN's 2013 guidance established that cryptocurrency businesses operating as exchangers or administrators of virtual currency are money transmitters and therefore Money Services Businesses subject to full BSA requirements.

An exchanger is a business that exchanges cryptocurrency for fiat currency, other cryptocurrencies, or other value — including centralized exchanges, OTC desks, peer-to-peer exchange platforms, and certain crypto payment processors.

An administrator is a business that issues a type of cryptocurrency and has the authority to redeem or withdraw it from circulation — relevant primarily to stablecoin issuers and certain custodians with redemption authority.

Businesses that are generally not MSBs under this framework include individuals who mine cryptocurrency solely for their own account, users who hold and spend cryptocurrency for personal investment purposes, and certain software or infrastructure providers that do not take custody of customer funds or transmit value.

If your business takes custody of customer funds, facilitates transfers between parties, or enables customers to send value to third parties, MSB status almost certainly applies. This determination should be confirmed with qualified legal counsel before launch.

FinCEN Registration for Crypto Businesses

Crypto businesses that qualify as money transmitters must register with FinCEN as MSBs within 180 days of commencing operations. Registration is completed through FinCEN's BSA E-Filing System. Failure to register is a federal crime — and FinCEN has brought enforcement actions specifically targeting unregistered crypto businesses.

The Five AML Pillars Applied to Crypto

Internal Controls for Crypto Operations

Internal controls for crypto businesses must address risks that do not exist in traditional financial services.

Blockchain analytics is a foundational control for any crypto compliance program. Blockchain analytics tools — such as Chainalysis, Elliptic, and TRM Labs — analyze on-chain transaction history to provide risk scoring for wallet addresses and transaction histories, identifying connections to darknet markets, mixers, ransomware wallets, and other illicit activity.

Wallet screening requires checking cryptocurrency wallet addresses against OFAC sanctions lists and against blockchain analytics databases that identify wallets associated with sanctioned entities or illicit activity before processing transactions involving those addresses.

Travel Rule compliance is a specific obligation for crypto money transmitters, discussed in detail below.

Cross-chain monitoring — tracking risk across multiple blockchain networks and asset types — is increasingly important as crypto activity spans Bitcoin, Ethereum, and numerous other networks.

KYC for Crypto Customers

KYC requirements for crypto businesses are substantively the same as for other MSBs. You must verify customer identity under a written CIP before allowing customers to transact.

Specific areas requiring heightened attention in crypto include customers attempting to transact with privacy coins such as Monero or Zcash that are designed to obscure transaction traceability, customers with blockchain transaction histories linked to high-risk or sanctioned addresses identified through blockchain analytics, customers attempting to use mixer or tumbler services to obscure the origin of funds, and high-volume traders whose transaction patterns suggest professional or institutional activity that may require enhanced due diligence.

Transaction Monitoring for Crypto

Standard transaction monitoring rules used in traditional financial services are insufficient for crypto without blockchain-specific augmentation.

Blockchain analytics tools provide risk scoring for on-chain activity that traditional monitoring cannot assess. Monitoring should flag transactions with wallets associated with sanctioned entities, darknet markets, mixers, ransomware, and fraud schemes. On-chain behavioral patterns such as unusual transaction structuring, rapid layering through multiple wallets, and circular transaction patterns are crypto-specific red flags that require crypto-specific monitoring rules.

The Travel Rule

The Travel Rule under the BSA requires financial institutions — including crypto money transmitters — to collect and transmit certain originator and beneficiary information when transmitting funds above $3,000.

For crypto businesses, the Travel Rule means transmitting customer identification information alongside transactions between regulated entities. Implementation of the Travel Rule in crypto has been technically complex — different jurisdictions have different implementation approaches and the technical infrastructure for transmitting information between crypto platforms is still developing through industry-led protocols.

FATF's Recommendation 16 extended Travel Rule requirements internationally. Most major jurisdictions are implementing these requirements, making Travel Rule compliance an increasingly pressing global obligation for crypto businesses with cross-border transaction flows.

SAR Filing for Crypto

Crypto businesses must file SARs for transactions of $2,000 or more that meet the suspicious activity threshold. Common suspicious activity patterns specific to crypto include transactions involving OFAC-sanctioned wallet addresses, rapid layering of funds through multiple wallets or exchanges to obscure origin, structuring of transactions to avoid reporting thresholds, customers who refuse to complete required KYC verification, transactions involving wallets associated with known darknet market activity or mixer services, and ransomware-related transaction patterns identifiable through blockchain analytics.

OFAC Sanctions Compliance in Crypto

OFAC has been increasingly active in sanctions enforcement in the crypto space.

OFAC has listed specific cryptocurrency wallet addresses on the SDN List — meaning transactions with those addresses are prohibited regardless of the counterparty's identity. This requires crypto businesses to screen not just customer identities but individual wallet addresses against OFAC's published designations and blockchain analytics databases.

OFAC sanctioned Tornado Cash in 2022, making interactions with its smart contracts a potential sanctions violation for U.S. persons regardless of the purpose of the interaction. This action established that OFAC's sanctions authority extends to decentralized protocols and smart contracts — not just named individuals and entities.

OFAC has assessed civil penalties against multiple major cryptocurrency exchanges for processing transactions with sanctioned parties, with penalties reaching into the hundreds of millions of dollars.

What Regulators Are Focused On Right Now

FinCEN and OFAC enforcement in the crypto space has increased significantly over the past several years. Common themes in enforcement actions include failure to implement adequate KYC, particularly at peer-to-peer exchanges and OTC desks that operated with minimal customer verification; inadequate transaction monitoring that lacks blockchain analytics capability specific to crypto transaction risks; sanctions screening failures, including processing transactions with OFAC-designated wallet addresses; SAR filing failures for clearly suspicious patterns visible in publicly available blockchain data; and Travel Rule non-compliance, including failure to collect and transmit required customer information.

Several landmark enforcement actions against major crypto exchanges, resulting in penalties in the hundreds of millions of dollars, have firmly established that regulators enforce BSA requirements against crypto businesses with the same seriousness as against traditional financial institutions.

Frequently Asked Questions

Does a DeFi platform need to comply with BSA/AML requirements? 

The application of BSA requirements to decentralized finance platforms is an evolving area of regulatory analysis. FinCEN has indicated that the key question is whether a business exercises control or sufficient influence over the transmission of value: if a developer or operator controls a DeFi protocol in a way that constitutes money transmission, BSA obligations may apply. Any business operating in or building DeFi applications should seek qualified legal counsel on its specific regulatory status.

Does a crypto business need state money transmitter licenses in addition to FinCEN registration? 

Yes. FinCEN registration is a federal requirement. State money transmitter licensing is a separate, parallel obligation. Most states require money transmitter licenses for crypto businesses that qualify as money transmitters under state law — and New York has a separate BitLicense regime specifically for virtual currency businesses. Operating in states without required licenses is a violation of state law independent of federal BSA compliance.

What is blockchain analytics and why is it required for crypto AML compliance? 

Blockchain analytics refers to technology that analyzes on-chain transaction data to assess the risk profile of cryptocurrency wallet addresses and transaction histories. Because blockchain transactions are pseudonymous rather than anonymous — they are visible on the public ledger but not immediately linked to real-world identities — blockchain analytics tools can identify wallets associated with sanctions violations, darknet markets, ransomware, and other illicit activity even when the wallet holder's identity is unknown. FinCEN examiners expect crypto businesses to have blockchain analytics capabilities as part of their transaction monitoring program.

How ComplyOne Helps

ComplyOne works with cryptocurrency businesses and crypto-adjacent fintechs to build BSA/AML compliance programs that address both standard MSB requirements and the crypto-specific dimensions of blockchain analytics, Travel Rule compliance, wallet screening, and OFAC sanctions — through compliance technology, advisory services, or both.

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your situation.
