Blog Login
AML

AML Policy: How to Build One for Your Company

A

Anzar Dewani

1 hour ago

Cryptocurrency companies are required to maintain a written AML policy. Here is what a crypto AML policy must include, how it differs from a standard fintech AML policy, and how to build one that satisfies FinCEN and sponsor bank requirements.

Crypto AML Policy: How to Build One for Your Company

Any cryptocurrency company that qualifies as a Money Services Business under FinCEN regulations is required to have a written anti-money laundering policy — commonly called an AML policy or BSA/AML compliance program. This is not optional and the absence of a written AML policy is one of the most common findings in FinCEN examinations of crypto businesses.

A crypto AML policy has the same structural requirements as any other MSB's AML policy — but the content must address the specific risks and regulatory expectations of the cryptocurrency space. This guide covers how to build one.

Why Crypto Companies Need an AML Policy

FinCEN's BSA regulations require all Money Services Businesses to maintain a written BSA/AML compliance program. Most crypto businesses — including cryptocurrency exchanges, virtual currency dealers, and crypto payment processors — qualify as MSBs as money transmitters. For a foundational overview of what makes a company an MSB and what compliance looks like, see our guide on AML compliance for crypto.

The written AML policy is the foundational document of the compliance program — the document that describes how your company identifies, assesses, and mitigates money laundering risk, and how it implements its BSA obligations. Without a written policy, the rest of your compliance activities lack structure and cannot be demonstrated to regulators.

The Five Core Components

A crypto AML policy must include all five components required for MSB AML programs under the BSA.

1. Internal Policies, Procedures, and Controls

This section is the core of the policy — the specific policies and procedures your company implements to detect and prevent money laundering. For a crypto company, this must address:

Customer identification and KYC procedures — how you identify and verify the identity of your customers at onboarding, including specific procedures for different customer categories (individual customers, business customers, and any categories specific to your platform).

Blockchain analytics and transaction monitoring — crypto companies have unique capabilities for monitoring transactions using blockchain analytics tools. Your policy must describe what blockchain analytics tools you use, what alerts they generate, and how those alerts are reviewed and resolved.

Suspicious activity identification and SAR filing — the procedures for identifying suspicious transactions and customer activity, escalating potential suspicious activity for review, and filing Suspicious Activity Reports with FinCEN when required.

OFAC sanctions screening — the procedures for screening customers, beneficial owners, and transactions against OFAC's sanctions lists, including the technical tools used and the process for reviewing and resolving potential matches.

Recordkeeping — the specific records your company maintains, how long they are retained, and the systems used for retention.

2. A Designated Compliance Officer

Your AML policy must identify a designated compliance officer — an individual who is responsible for implementing and monitoring the AML program. The policy should include the compliance officer's name and title, their specific responsibilities, and the reporting structure that gives them independence and access to leadership.

3. Ongoing Employee Training

The policy must describe how employees receive AML training — the content, frequency, and documentation of training. For crypto companies, training must address the specific red flags associated with cryptocurrency transactions and the specific tools and procedures your company uses for compliance.

4. Independent Testing

The BSA requires independent testing — an audit function that assesses the effectiveness of the AML program. The policy must describe how this testing is conducted, how frequently, and by whom. For early-stage crypto companies, this testing is often conducted by a qualified outside firm rather than internal audit.

5. Customer Due Diligence

FinCEN's 2016 CDD rule added a fifth pillar for covered financial institutions — Customer Due Diligence and beneficial ownership requirements. For crypto companies serving business customers, the policy must address how beneficial ownership of business customers is identified, verified, and monitored.

Crypto-Specific Policy Content

Beyond the standard five pillars, a crypto AML policy should specifically address elements unique to the cryptocurrency compliance context.

Risk Assessment

The policy should document your company's AML risk assessment — an analysis of the specific money laundering risks associated with your products, customers, geographies, and transaction channels. For crypto companies, the risk assessment should address the specific risks associated with cryptocurrency transactions: pseudonymity, transaction irreversibility, high transaction speeds, and the potential for privacy coin usage.

Blockchain Analytics

Your policy should specifically address your approach to blockchain analytics — the tools and methodologies used to analyze the blockchain history of funds received and sent, the transaction monitoring logic that generates alerts, and the investigation process when blockchain analytics identifies concerning patterns (for example, funds with exposure to sanctioned addresses or darknet markets).

Virtual Asset Risk Categories

Your policy should address how your company treats different categories of virtual assets from a risk perspective — the heightened risk associated with privacy coins, the treatment of high-risk blockchain addresses, and any limitations on the virtual assets your platform supports based on their risk characteristics.

Frequently Asked Questions

How long should a crypto AML policy be?

There is no required length. A policy for an early-stage crypto business with a narrow product scope might be 15 to 25 pages. A policy for a mature exchange with multiple products, customer types, and geographies might be significantly longer. The policy should be long enough to accurately describe your compliance program — not longer, and not shorter.

How often should the crypto AML policy be updated?

The AML policy should be reviewed at least annually and updated whenever there are material changes to your business model, products, customer base, or applicable regulations. Given the pace of change in crypto regulation, annual review is a minimum — many active crypto compliance programs review their policies more frequently.

Does a crypto AML policy need to be approved by the board?

FinCEN's regulations require senior management approval for the AML program. For a corporation with a board, board-level approval of the AML policy is a best practice. The policy should document the approval and the date of most recent approval.

How ComplyOne Helps

ComplyOne builds tailored crypto AML policies for cryptocurrency companies — from early-stage platforms building their first compliance program to established exchanges updating existing documentation to reflect current regulatory expectations.

 

 

Talk to the ComplyOne team to get started.

The information in this article is for general educational purposes and does not constitute legal or regulatory advice. Consult a qualified compliance professional for guidance specific to your crypto business model.

Share this article:

Related Articles