Crypto AML Policy: How to Build an Effective Program
How to build a crypto AML program: the four pillars, risk-based approach, CDD/EDD, sanctions, Travel Rule, SAR reporting and a 9-step build order. Read on.

A crypto AML policy is the written document that sets your rules for preventing money laundering and terrorist financing. An AML program is the operating system that runs those rules across onboarding, monitoring and reporting. Three regimes converge on the same skeleton, because the United States and the European Union both transpose the FATF Standards into binding law for crypto businesses.
If you operate a crypto exchange, a custodian, a broker or any other virtual asset service, an AML program is not optional decoration. It is the control layer regulators inspect before they grant a license and the first thing they examine when something goes wrong. This guide walks through what an effective crypto AML program must contain, who is legally obliged to maintain one, the four (and fifth) pillars anchored to US law, the core controls every program operationalizes, and a nine-step order for building it from scratch. Every figure here traces to primary regulation: US 31 CFR 1022.210 and 31 CFR 1022.320, the EU AML Regulation (EU) 2024/1624, the EU crypto Travel Rule Regulation (EU) 2023/1113, and the FATF Updated Guidance for a risk-based approach to virtual assets.
For the wider regulatory picture across onboarding, monitoring and reporting, see our crypto compliance requirements hub.
Crypto AML policy vs AML program: what is the difference?
The terms are used interchangeably, but they are not the same thing. The policy is the document; the program is everything the document sets in motion. Getting the distinction right matters, because regulators do not award credit for a well-written policy that nobody operationalizes. Examination findings repeatedly turn on the gap between the two.
What a crypto AML policy is (the written document)
A crypto AML policy is the formal written statement of how your business identifies customers, screens for sanctions, monitors transactions, files suspicious activity reports and keeps records. It assigns responsibility, sets thresholds and defines escalation paths. Under the EU AML Regulation, obliged entities must maintain an internal control framework consisting of risk-based policies, procedures and controls with a clear division of responsibilities, proportionate to the size and risk of the business AML Regulation (EU) 2024/1624. The policy is the artifact that codifies that framework.
What a crypto AML program is (the operating system)
The program is the running system the policy describes: the people, the tools, the screening, the monitoring rules and the reporting workflow that actually prevent abuse. US law frames the standard in functional terms. A money services business must maintain a program "reasonably designed to prevent the money services business from being used to facilitate money laundering and the financing of terrorist activities," with scope "commensurate with the risks posed by the location and size of, and the nature and volume of the financial services provided" 31 CFR 1022.210. "Reasonably designed" and "commensurate with risk" are the legal tests. They mean your program must be sized to your actual exposure, not copied from a template that ignores it.

Is a crypto AML program legally required? (US MSB, EU CASP, FATF)
Yes, for most crypto businesses. Whether you are a US money services business, an EU crypto-asset service provider or a virtual asset service provider in a FATF-aligned jurisdiction, you are an obliged entity that must maintain an AML/CFT program. The legal hook differs by region, but the obligation converges.
| Regime | Who is obliged | Governing instrument | Reporting anchor |
|---|---|---|---|
| United States | Crypto exchangers and administrators treated as money services businesses (MSBs) | Bank Secrecy Act, 31 CFR 1022.210 | SAR ≥ USD 2,000, file within 30 days |
| European Union | Crypto-asset service providers (CASPs) as obliged entities | Regulation (EU) 2024/1624 (AMLR) + Regulation (EU) 2023/1113 (TFR) | STR to national FIU |
| FATF baseline | Virtual asset service providers (VASPs) worldwide | FATF Standards (R.1, R.10, R.11, R.12, R.15, R.16, R.18, R.20) | Suspicious transaction reporting (national) |
United States: crypto MSBs under the BSA
FinCEN treats convertible-virtual-currency exchangers and administrators as money transmitters and money services businesses subject to Bank Secrecy Act AML-program, recordkeeping and reporting duties, per its 2013 and 2019 guidance FinCEN CVC guidance. That classification triggers the full 31 CFR 1022 program requirement. If you intend to operate in the US, this obligation sits alongside starting a licensed crypto exchange at the state and federal level. (VERIFY: the FinCEN guidance page timed out during research; re-confirm the MSB classification against the live FinCEN source before publishing.)
European Union: CASPs as obliged entities under the AMLR
The EU AML Regulation names crypto-asset service providers as obliged entities that must run a full internal control framework, compliance function and customer due diligence regime AML Regulation (EU) 2024/1624. The Regulation applies from 10 July 2027 for most obliged entities; CASPs should confirm their specific application date as it firms up. An AMLR-compliant program is inseparable from VASP licensing and CASP authorization under MiCA. (VERIFY: confirm crypto-specific AMLR application timing before any time-sensitive copy.)
FATF: the global VASP baseline
The Financial Action Task Force requires every jurisdiction and every virtual asset service provider to apply a risk-based approach and a set of preventive measures, including customer due diligence, recordkeeping and suspicious transaction reporting FATF Updated Guidance. FATF's 2021 Updated Guidance covers VASP licensing, the application of the Standards to stablecoins, peer-to-peer risk and Travel Rule implementation. To understand exactly which businesses fall inside the net, see what counts as a VASP. (VERIFY: FATF's own domain returned HTTP 403 during research; FATF obligations are corroborated through implementing US and EU law, not quoted from FATF text. Re-fetch primary FATF sources before publishing any direct quotation or paragraph number.)
The risk-based approach: the foundation of any crypto AML program
The risk-based approach means you identify, assess and mitigate money-laundering and terrorist-financing risk proportionately, rather than applying a fixed checklist to every customer and transaction. It is the load-bearing principle of every regime above. US law demands a program "commensurate with the risks" 31 CFR 1022.210; the EU requires controls "proportionate to the nature of the business, including its risks and complexity" AML Regulation (EU) 2024/1624; FATF's Recommendation 1 sets the risk-based approach as the starting point FATF Updated Guidance. Everything that follows in your program inherits its calibration from the risk assessment. Skip it, and you cannot demonstrate that any control is "commensurate" with anything.
The four risk vectors (customers, products/services, geography, channels)
The EU AML Regulation requires a business-wide risk assessment that identifies inherent money-laundering and terrorist-financing risk, as well as the risk of non-implementation or evasion of targeted financial sanctions, across four dimensions AML Regulation (EU) 2024/1624:
- Customers: politically exposed persons, high-risk jurisdictions, entity types and ownership structures.
- Products and services: fiat on/off-ramps, custody, OTC desks, DeFi exposure, privacy coins and self-hosted-wallet support.
- Geography: the countries you serve and the jurisdictions your flows touch.
- Delivery channels: remote, non-face-to-face onboarding and the technology that mediates it.
Writing the business-wide risk assessment
To write the assessment, rate inherent risk across those four vectors, document the rating, date it and update it regularly so it can drive your controls. The output is a rated register, not a one-off memo. It is the first step in the build sequence below, and it is what makes every downstream control defensible. The FATF risk-based approach and the EU business-wide-assessment requirement both insist the document is current, not historical FATF Updated Guidance, AML Regulation (EU) 2024/1624. For the framework that sits above it, see the FATF guidelines for VASPs.
The four pillars of a crypto AML program (and the fifth)
US law sets four core elements that every money services business AML program must contain, codified at 31 CFR 1022.210(d)(1) through (d)(4) 31 CFR 1022.210. A fifth pillar, risk-based customer due diligence and beneficial ownership, is commonly cited and is layered in by FinCEN's separate CDD rule. The four statutory pillars are: policies and internal controls, a designated compliance officer, ongoing training, and independent review.
Pillar 1: policies, procedures and internal controls (1022.210(d)(1))
The program must include "policies, procedures, and internal controls reasonably designed to assure compliance with this chapter," covering customer identity verification, report filing, record creation and retention, and responses to law-enforcement requests 31 CFR 1022.210. This is the written core that the rest of the program implements.
Pillar 2: a designated compliance officer (1022.210(d)(2))
The business must "designate a person to assure day to day compliance with the program and this chapter," responsible for filing reports, managing records, updating procedures and training staff 31 CFR 1022.210. In other regimes this role is the MLRO or BSA officer; the function is identical.
Pillar 3: ongoing training and education (1022.210(d)(3))
The program must "provide education and/or training of appropriate personnel concerning their responsibilities under the program, including training in the detection of suspicious transactions" 31 CFR 1022.210. Detection training is named explicitly, not implied.
Pillar 4: independent review and testing (1022.210(d)(4))
The program must "provide for independent review to monitor and maintain an adequate program," with scope and frequency "commensurate with the risk." The review may be performed internally by staff who are not part of the compliance function 31 CFR 1022.210. Skipping this pillar, or letting the compliance team grade its own homework, is a recurring examination failure.
The fifth pillar: risk-based CDD and beneficial ownership
The widely cited fifth pillar is risk-based customer due diligence and beneficial ownership. It is not part of the 31 CFR 1022.210 text; it is layered in by FinCEN's CDD rule. Treat it as a commonly cited addition rather than a 1022.210 element. (VERIFY: FinCEN CDD rule 31 CFR 1010.230 was not fetched during research. Confirm beneficial-ownership and senior-management specifics against the primary source before asserting them.)
Core controls every crypto AML program must operationalize
The pillars are the governance shell. The controls below are what the program actually does day to day. Each one is grounded in a specific obligation, and each carries the numeric thresholds regulators test against.
CDD and EDD: customer due diligence tiers
Customer due diligence (CDD) is standard onboarding diligence: identify and verify the customer using reliable documents and sources, verify beneficial owners, and perform ongoing monitoring. Enhanced due diligence (EDD) is the heightened version for higher-risk situations such as politically exposed persons, high-risk third countries or unusual transaction patterns. The EU AML Regulation also imposes a prohibition on relationships with shell institutions and unregistered CASPs AML Regulation (EU) 2024/1624. For the onboarding mechanics in detail, see crypto KYC and customer due diligence.
Sanctions and targeted-financial-sanctions screening
Screen customers, counterparties and crypto addresses against applicable sanctions lists at onboarding and continuously. The EU treats evasion of targeted financial sanctions as an explicit dimension of the business-wide risk assessment AML Regulation (EU) 2024/1624. Sanctions screening is not a one-time onboarding check; lists change, and ongoing screening is the obligation. There is no dedicated sanctions page on this site; treat this as a core control summarized here and within the crypto compliance requirements hub.
Transaction monitoring (including blockchain analytics)
Calibrate monitoring rules and analytics to your risk assessment to detect structuring, transactions with no apparent lawful purpose, and patterns consistent with illicit funds. The US SAR triggers themselves make a useful rule library 31 CFR 1022.320. For crypto, add blockchain analytics to detect self-hosted-wallet exposure and nested-exchange misuse AML Regulation (EU) 2024/1624. For the behavioural indicators monitoring should catch, see AML red flags in crypto.
The Travel Rule for crypto transfers
The Travel Rule requires originator and beneficiary information to travel with crypto transfers. Under the EU Travel Rule Regulation, Article 14 requires the originator name, DLT address, account number and address (or official ID number, customer ID, or date and place of birth), plus the LEI where available, with equivalent beneficiary data Travel Rule Regulation (EU) 2023/1113. Critically, the EU applies no de-minimis threshold for crypto: transfers are subject to the same requirements regardless of amount, unlike the EUR 1,000 threshold for fiat funds Travel Rule Regulation (EU) 2023/1113. For implementation depth, see the crypto Travel Rule. (VERIFY: the FATF baseline USD/EUR 1,000 threshold and the June 2025 R.16 revision are corroborated via secondary sources; confirm current FATF text before stating a FATF figure.)
Handling self-hosted (unhosted) wallets and nested exchanges
Self-hosted wallets and nested exchanges are explicit EU risk vectors. The risk assessment must address self-hosted wallets and addresses, and providers must prevent and detect nested-exchange misuse of their accounts AML Regulation (EU) 2024/1624. For transfers to or from a self-hosted address above EUR 1,000, the provider must assess whether the address is owned or controlled by the originator Travel Rule Regulation (EU) 2023/1113.
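The two EU rules described in the Travel Rule and self-hosted-wallet sections above (the Article 14 data set with no de-minimis threshold for crypto, and the ownership assessment for self-hosted addresses above EUR 1,000) can be expressed as a single pre-transfer check. The following is an added example written for this guide, not code from the page's sources or from any regulator: the field names, the data model and the choice to model the sending provider's view (its own customer as originator, a hosted or self-hosted beneficiary) are all assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Regulation (EU) 2023/1113 figures quoted in the text: no de-minimis threshold for
# the data that must accompany a crypto transfer, and an ownership assessment when
# a self-hosted address is involved in a transfer above EUR 1,000. Field names and
# the data model are this example's own (assumptions), not the Regulation's schema.
SELF_HOSTED_ASSESSMENT_THRESHOLD_EUR = 1_000.0


@dataclass
class Party:
    name: Optional[str] = None
    dlt_address: Optional[str] = None
    account_number: Optional[str] = None
    # Article 14 requires one of these four for the originator.
    postal_address: Optional[str] = None
    official_id_number: Optional[str] = None
    customer_id: Optional[str] = None
    date_and_place_of_birth: Optional[str] = None
    lei: Optional[str] = None     # "where available": recorded, never a blocking finding
    self_hosted: bool = False     # address is not held at a CASP/VASP


@dataclass
class Transfer:
    amount_eur: float
    originator: Party     # the sending provider's own customer
    beneficiary: Party


def validate_transfer(t: Transfer) -> list[str]:
    """Return Travel Rule findings for an outgoing transfer. An empty list means the
    data set is complete and no ownership assessment is pending."""
    findings: list[str] = []
    o, b = t.originator, t.beneficiary

    # Deliberately no amount gate here: the EU applies these requirements to every
    # crypto transfer, unlike the EUR 1,000 threshold for fiat transfers of funds.
    for field_name in ("name", "dlt_address", "account_number"):
        if not getattr(o, field_name):
            findings.append(f"originator.{field_name} missing")
    if not any((o.postal_address, o.official_id_number, o.customer_id, o.date_and_place_of_birth)):
        findings.append("originator needs postal address, official ID number, customer ID, "
                        "or date and place of birth")

    # Beneficiary: name and DLT address always; an account number only exists when the
    # beneficiary is hosted at a provider (assumption about how the model is used).
    required_b = ("name", "dlt_address") if b.self_hosted else ("name", "dlt_address", "account_number")
    for field_name in required_b:
        if not getattr(b, field_name):
            findings.append(f"beneficiary.{field_name} missing")

    if b.self_hosted and t.amount_eur > SELF_HOSTED_ASSESSMENT_THRESHOLD_EUR:
        findings.append("self-hosted beneficiary above EUR 1,000: assess whether the address "
                        "is owned or controlled by the originator")
    return findings


# Constructed sample parties (not real data).
ORIGINATOR = Party(name="Example Originator", dlt_address="0xORIGINATOR-ADDRESS-CONSTRUCTED",
                   account_number="ACC-0001", customer_id="CUST-0001")
HOSTED_BENEFICIARY = Party(name="Example Beneficiary", dlt_address="0xBENEFICIARY-ADDRESS-CONSTRUCTED",
                           account_number="ACC-9999")
SELF_HOSTED_BENEFICIARY = Party(name="Example Beneficiary", dlt_address="0xSELF-HOSTED-ADDRESS-CONSTRUCTED",
                                self_hosted=True)


def sample_findings() -> dict[str, list[str]]:
    """Run the check over four constructed cases, including a 10-euro transfer that
    still fails because the EU has no de-minimis threshold for crypto."""
    incomplete = Party(name="Example Originator", dlt_address="0xORIGINATOR-ADDRESS-CONSTRUCTED",
                       account_number="ACC-0001")  # no address / ID / customer ID / DOB
    return {
        "hosted_500": validate_transfer(Transfer(500.0, ORIGINATOR, HOSTED_BENEFICIARY)),
        "hosted_10_incomplete": validate_transfer(Transfer(10.0, incomplete, HOSTED_BENEFICIARY)),
        "self_hosted_800": validate_transfer(Transfer(800.0, ORIGINATOR, SELF_HOSTED_BENEFICIARY)),
        "self_hosted_1500": validate_transfer(Transfer(1_500.0, ORIGINATOR, SELF_HOSTED_BENEFICIARY)),
    }


if __name__ == "__main__":
    for case, findings in sample_findings().items():
        print(f"{case}: {'OK' if not findings else '; '.join(findings)}")
```

The point of the four cases is the contrast: the 10-euro transfer is blocked on missing originator data exactly as a large one would be, while the self-hosted transfer only triggers the ownership assessment once it exceeds EUR 1,000.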
SAR/STR reporting workflow
Build a suspicious-activity workflow that runs detection, internal escalation to the compliance officer, a filing decision and the filing itself. In the US, money services businesses must report suspicious transactions at or above USD 2,000 (and USD 5,000 for certain money-order and traveler's-check issuer reviews) where funds are illicit, are structured to evade the Bank Secrecy Act, serve no apparent lawful purpose, or facilitate crime, and must file within 30 calendar days of detection under strict confidentiality with no tipping-off 31 CFR 1022.320. In the EU, providers file suspicious transaction reports to the national Financial Intelligence Unit.
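The transaction-monitoring and SAR sections above describe one pipeline: a rule calibrated to the risk assessment fires, the alert escalates to the compliance officer, and the 30-calendar-day filing clock starts at detection. The following is an added example for this guide, not code from the page's sources: it implements one rule from the 31 CFR 1022.320 trigger library (structuring, i.e. individually sub-floor transactions that aggregate to at least USD 2,000) and computes the filing deadline. The 24-hour aggregation window and the three-transaction minimum are constructed tuning assumptions, the kind a programme would set from its own risk assessment, and the sample activity is constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# The USD 2,000 aggregate floor and the 30-calendar-day filing window are the
# 31 CFR 1022.320 figures quoted in the text. The 24-hour aggregation window
# and the three-transaction minimum are constructed tuning parameters that a
# programme would calibrate from its own risk assessment (assumptions).
SAR_AGGREGATE_FLOOR_USD = 2_000.0
SAR_FILING_WINDOW = timedelta(days=30)
STRUCTURING_WINDOW = timedelta(hours=24)
MIN_TRANSACTIONS_IN_PATTERN = 3


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    timestamp: datetime
    amount_usd: float


@dataclass(frozen=True)
class Alert:
    customer_id: str
    rule: str
    total_usd: float
    transaction_count: int
    detected_at: datetime  # when the rule fired, which starts the filing clock

    @property
    def filing_deadline(self) -> datetime:
        """Last day to file the SAR: 30 calendar days from detection."""
        return self.detected_at + SAR_FILING_WINDOW


def detect_structuring(transactions: list[Transaction], detected_at: datetime) -> list[Alert]:
    """Flag customers whose individually sub-floor transactions aggregate to at
    least the SAR floor inside a sliding 24-hour window (one alert per customer)."""
    by_customer: dict[str, list[Transaction]] = defaultdict(list)
    for tx in transactions:
        by_customer[tx.customer_id].append(tx)

    alerts: list[Alert] = []
    for customer_id, txs in by_customer.items():
        # Only transactions below the floor can be pieces of a structured pattern;
        # a single transaction at or above the floor is a different rule's concern.
        small = sorted((t for t in txs if t.amount_usd < SAR_AGGREGATE_FLOOR_USD),
                       key=lambda t: t.timestamp)
        start = 0
        for end, tx in enumerate(small):
            # Slide the window start forward until the window fits in STRUCTURING_WINDOW.
            while tx.timestamp - small[start].timestamp > STRUCTURING_WINDOW:
                start += 1
            window = small[start:end + 1]
            total = sum(t.amount_usd for t in window)
            if len(window) >= MIN_TRANSACTIONS_IN_PATTERN and total >= SAR_AGGREGATE_FLOOR_USD:
                alerts.append(Alert(customer_id, "structuring", total, len(window), detected_at))
                break  # one alert per customer per run; the case file collects later activity
    return alerts


# Constructed sample activity for three customers (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("cust-A", datetime(2025, 3, 1, 9, 0), 900.0),
    Transaction("cust-A", datetime(2025, 3, 1, 13, 30), 850.0),
    Transaction("cust-A", datetime(2025, 3, 1, 20, 15), 700.0),  # 2,450 within 11 hours
    Transaction("cust-B", datetime(2025, 3, 1, 9, 0), 900.0),
    Transaction("cust-B", datetime(2025, 3, 3, 9, 0), 900.0),
    Transaction("cust-B", datetime(2025, 3, 5, 9, 0), 900.0),    # same amounts, spread over days
    Transaction("cust-C", datetime(2025, 3, 1, 9, 0), 5_000.0),  # single large transfer, other rules
]


def run_sample() -> list[Alert]:
    """Run the rule over the constructed sample as of a fixed detection time."""
    return detect_structuring(SAMPLE_TRANSACTIONS, datetime(2025, 3, 2, 0, 0))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.customer_id}: {alert.rule}, USD {alert.total_usd:,.2f} over "
              f"{alert.transaction_count} transactions; escalate to the compliance officer, "
              f"filing decision and SAR due by {alert.filing_deadline:%Y-%m-%d}")
```

Only cust-A fires: cust-B moves the same money but outside the aggregation window, and cust-C's single transfer is above the floor and so belongs to a different trigger. The alert carries the detection time rather than the transaction time, because the 30-day clock runs from detection.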
Recordkeeping and retention
Retain customer due diligence records, transaction records, Travel Rule data, and SAR/STR documentation. These records are commonly kept for five years under FATF Recommendation 11 and local rules, though the exact period depends on the jurisdiction 31 CFR 1022.320. Treat "five years" as the common baseline and confirm the precise rule for each jurisdiction you operate in. (VERIFY: the five-year figure is attributed to FATF R.11 via secondary sources; confirm against FATF primary and local statute.)

How to build a crypto AML program: a 9-step order
The controls above cannot be assembled in an arbitrary order. They build in sequence, because each step inherits its scope from the one before it. The risk assessment drives the controls; the controls feed the monitoring; the monitoring feeds the reporting. This nine-step order aligns to the US Bank Secrecy Act, the EU AMLR and TFR, and the FATF Standards.
Infographic 1: process flow of the nine-step build order.
Step 1: Business-wide risk assessment
Document inherent money-laundering, terrorist-financing and sanctions-evasion risk across the four vectors (customers, products and services, geography, delivery channels). Produce a rated, dated, regularly updated register. This is the foundation that drives every control "commensurate with risk" FATF Updated Guidance, AML Regulation (EU) 2024/1624.
Step 2: Written AML policy, procedures and internal controls (Pillar 1)
Codify the controls the risk assessment demands: customer identification and verification, beneficial-ownership identification, sanctions screening, transaction-monitoring rules, Travel Rule handling, the SAR/STR workflow, the recordkeeping schedule and law-enforcement response, with a clear division of responsibilities 31 CFR 1022.210, AML Regulation (EU) 2024/1624.
Step 3: CDD/EDD tiers
Define risk-tiered onboarding: standard CDD, simplified diligence for evidenced low risk, and enhanced due diligence for high-risk customers and patterns. Prohibit relationships with shell institutions and unregistered CASPs, and build ongoing-monitoring and periodic-review triggers AML Regulation (EU) 2024/1624.
Step 4: Sanctions / targeted-financial-sanctions screening
Screen customers, counterparties and crypto addresses against applicable lists at onboarding and continuously. Evasion of targeted financial sanctions is an explicit dimension of the EU business-wide risk assessment, so this control is not optional AML Regulation (EU) 2024/1624.
Step 5: Transaction monitoring
Stand up rules and analytics calibrated to the risk assessment to detect structuring, no-apparent-purpose transactions and illicit-funds patterns. Add blockchain analytics to surface self-hosted-wallet exposure and nested-exchange activity 31 CFR 1022.320, AML Regulation (EU) 2024/1624.
Step 6: Travel Rule implementation
Implement collection, holding and transmission of originator and beneficiary data. In the EU there is no de-minimis threshold for crypto, and self-hosted-address ownership must be assessed for transfers above EUR 1,000 Travel Rule Regulation (EU) 2023/1113.
Step 7: SAR/STR reporting
Operationalize the reporting workflow: detect, escalate to the compliance officer, decide, and file within the statutory window under strict confidentiality. In the US that means suspicious transactions at or above USD 2,000 filed within 30 calendar days 31 CFR 1022.320.
Step 8: Recordkeeping
Retain CDD, transaction, Travel Rule and SAR/STR records. Five years is the common baseline under FATF Recommendation 11 and local rules; confirm the exact period for each jurisdiction 31 CFR 1022.320.
Step 9: Governance pillars (officer, training, independent testing)
Appoint the compliance officer (Pillar 2), run risk-based ongoing training that includes suspicious-transaction detection (Pillar 3), and schedule independent review with risk-commensurate scope and frequency (Pillar 4) 31 CFR 1022.210, AML Regulation (EU) 2024/1624. Anchor this governance to your wider crypto compliance requirements framework.
From our practice. Across the crypto-licensing mandates we advise on from Zug, the programs that pass examination cleanly share one trait: the risk assessment was written first and every control was traced back to it. The programs that struggle almost always inverted the order, buying monitoring tooling or copying a policy template before they had documented their own exposure. We do not publish client metrics, but the pattern is consistent. Build Step 1 properly and the remaining eight steps inherit their scope from it.
Who runs the program? Roles and governance
A crypto AML program is a set of named responsibilities, not an abstract policy. Regulators expect to see who owns each function and how accountability flows from the board down to front-line staff.
The management body / board
The management body, or board, bears ultimate responsibility for AML/CFT compliance and approves the program. The EU AML Regulation makes this explicit: the management body holds ultimate responsibility and a designated management member oversees the policy AML Regulation (EU) 2024/1624. In the US the accountability is implicit through the program-adequacy standard.
The AML compliance officer (MLRO / BSA officer)
The compliance officer, called the MLRO in some regimes and the BSA officer in the US, is the designated person responsible for day-to-day compliance: filing reports, managing records, updating procedures, training staff and making SAR/STR decisions 31 CFR 1022.210, AML Regulation (EU) 2024/1624. This is Pillar 2 in operational form. There is no standalone officer-role page on this site; the detail is summarized here and within the compliance hub.
Trained staff and the independent reviewer
Front-line and appropriate personnel must be trained on their responsibilities and on detecting suspicious transactions, with conflict-of-interest controls so staff do not handle AML tasks for customers they are personally close to 31 CFR 1022.210, AML Regulation (EU) 2024/1624. The independent reviewer can be internal non-compliance staff or an external party, with scope and frequency commensurate with risk.
US vs EU vs FATF: how AML program obligations differ
The skeleton is shared, but the specific thresholds, reporting rules and governing instruments differ. Obligations also differ by license, so a business operating in more than one region must build to the strictest applicable standard. The figures in this table are drawn from US and EU instruments only; other jurisdictions are not covered here and must be researched against their own regulators.
| Regime | Who is obliged | Reporting rule | Travel Rule threshold | Key instrument |
|---|---|---|---|---|
| United States | Crypto MSBs (CVC exchangers/administrators) | SAR for suspicious transactions ≥ USD 2,000, file within 30 days | FATF-aligned (confirm per state/federal) | BSA, 31 CFR 1022.210 / .320 |
| European Union | CASPs as obliged entities | STR to national FIU | No de-minimis for crypto; self-hosted assessed above EUR 1,000 | AMLR (EU) 2024/1624 + TFR (EU) 2023/1113 |
| FATF baseline | VASPs worldwide | National suspicious transaction reporting | USD/EUR 1,000 per jurisdiction (VERIFY) | FATF Standards (R.15, R.16) |
Reporting thresholds and deadlines compared
In the US, suspicious transactions at or above USD 2,000 must be reported within 30 calendar days of detection 31 CFR 1022.320. In the EU, the obliged entity files a suspicious transaction report with the national Financial Intelligence Unit; the trigger is suspicion rather than a fixed dollar floor. The practical lesson is that a US-style numeric threshold does not map cleanly onto the EU suspicion-based regime, and a program serving both must implement both logics.
Travel Rule thresholds compared
The EU applies no de-minimis threshold for crypto transfers, while requiring self-hosted-address ownership assessment above EUR 1,000 Travel Rule Regulation (EU) 2023/1113. The FATF baseline applies a USD/EUR 1,000 threshold for virtual-asset transfers in most jurisdictions, but that figure is corroborated here only through secondary sources, and the June 2025 FATF Plenary revised Recommendation 16. (VERIFY: confirm the current R.16 text and the FATF threshold against FATF primary before stating the FATF figure; the EU "no crypto de-minimis" and "self-hosted above EUR 1,000" figures are solid from the TFR.)
Why crypto AML programs fail an audit (and how to avoid it)
The most common audit failures are not exotic. They cluster around documentation, operationalization and the controls crypto businesses most often neglect. A well-built program is, in large part, the absence of these failures.
Documentation and operationalization gaps
The two most frequent findings are a missing or undocumented risk assessment, which means no control can be shown to be "commensurate with risk," and a policy that exists on paper but was never operationalized in onboarding or monitoring 31 CFR 1022.210, AML Regulation (EU) 2024/1624. Both are avoidable by building Step 1 first and proving each control traces back to it.
Testing, Travel Rule and self-hosted-wallet blind spots
The remaining failures recur with crypto businesses specifically:
- Skipped or self-graded independent testing (Pillar 4 not performed or run by the compliance team itself) 31 CFR 1022.210.
- Travel Rule gaps, including applying a fiat-style threshold where EU crypto has none Travel Rule Regulation (EU) 2023/1113.
- Self-hosted-wallet and nested-exchange blind spots AML Regulation (EU) 2024/1624.
- Late or missing SAR/STR filings, or tipping off the customer 31 CFR 1022.320.
- Untrained staff with no detection training, and doing business with shell institutions or unregistered CASPs AML Regulation (EU) 2024/1624.
Using an AML policy template the right way
An AML policy template can speed up drafting, but it cannot be the program. A compliant template must cover the pillars plus customer due diligence and enhanced due diligence, sanctions screening, transaction monitoring, the Travel Rule, reporting and recordkeeping, and it must reflect your actual risk rather than invented or copied regulatory text 31 CFR 1022.210, AML Regulation (EU) 2024/1624. The risk: a generic template ignores the four risk vectors and produces exactly the "policy-on-paper" finding that fails audits. Use a template as a structure, then populate it from your own risk assessment. If you are also navigating authorization, this program work runs in parallel with starting a licensed crypto exchange and VASP licensing.
By Magnus Müller · Reviewed by Magnus Müller · Last updated: 2026-06-14
Frequently asked questions
What is a crypto AML policy and how is it different from an AML program?
The policy is the written document that sets your rules; the program is the operating system that runs them across onboarding, monitoring and reporting. Regulators inspect both, and the most common failure is a sound policy that was never operationalized into a working program.
What are the four (or five) pillars of an AML program?
Policies and internal controls, a designated compliance officer, ongoing training, and independent review, all set out in 31 CFR 1022.210. A fifth pillar, risk-based customer due diligence and beneficial ownership, is commonly cited and layered in through FinCEN's separate CDD rule.
Is my crypto exchange legally required to have an AML program?
Yes if you are a US money services business or an EU crypto-asset service provider; both are obliged entities that must maintain an AML/CFT program. FATF-aligned jurisdictions impose equivalent duties on virtual asset service providers, so most crypto exchanges fall inside the obligation.
What does "risk-based approach" mean for a crypto business?
It means you identify, assess and mitigate money-laundering and terrorist-financing risk proportionately, so controls are commensurate with risk rather than a fixed checklist. US law requires a program commensurate with risk, and the EU requires controls proportionate to the nature and complexity of the business.
How do I write an AML risk assessment for a crypto company?
Rate inherent risk across customers, products and services, geography and delivery channels, document the rating, date it, and update it regularly so it can drive your controls. The EU also requires you to capture the risk of evading targeted financial sanctions. The output is a rated, current register.
Who must be the AML compliance officer, and what do they do?
A designated person responsible for day-to-day compliance: filing reports, managing records, updating procedures, training staff and making SAR/STR decisions. The board or management body holds ultimate responsibility for the program, while the officer executes it operationally.
What is the difference between CDD and EDD, and when does EDD apply?
CDD is standard customer due diligence: identify and verify the customer and beneficial owner using reliable sources. EDD is enhanced diligence for higher-risk situations such as politically exposed persons, high-risk third countries or unusual transaction patterns. The EU also prohibits relationships with shell institutions and unregistered CASPs.
What is the Travel Rule and does it apply to crypto transfers? Is there a minimum amount?
Originator and beneficiary data must travel with crypto transfers. Under EU rules there is no de-minimis threshold for crypto, unlike the EUR 1,000 threshold for fiat funds, so the requirement applies regardless of transfer amount. The FATF baseline threshold should be confirmed per jurisdiction.
How are self-hosted (unhosted) wallets handled in an AML program?
They are an explicit risk vector that the risk assessment must address. Under EU rules, for transfers above EUR 1,000 the provider must assess whether the self-hosted address is owned or controlled by the originator, and must also detect and prevent nested-exchange misuse.
When must I file a SAR/STR, and what is the threshold and deadline?
In the US, suspicious transactions at or above USD 2,000 must be reported within 30 calendar days of detection, with strict confidentiality and no tipping-off. In the EU, providers file suspicious transaction reports with the national Financial Intelligence Unit on suspicion.
What records must a crypto AML program keep, and for how long?
Customer due diligence, transaction, Travel Rule and SAR/STR records, commonly retained for five years under FATF Recommendation 11 and local rules. The exact retention period depends on the jurisdiction, so confirm the specific rule for each country you operate in.
How often does the AML program need independent testing or audit?
Scope and frequency must be commensurate with risk under 31 CFR 1022.210, so a higher-risk crypto business tests more often and more deeply. The review can be performed internally by staff outside the compliance function or by an external party.
What sanctions-screening obligations does a crypto AML program have?
Screen customers, counterparties and crypto addresses against applicable lists at onboarding and continuously, not just once. Evasion of targeted financial sanctions is an explicit dimension of the EU business-wide risk assessment, so screening must be ongoing and recalibrated as lists change.
Can I use an AML policy template, and what must it contain to be compliant?
A template must cover the pillars plus CDD and EDD, sanctions screening, transaction monitoring, the Travel Rule, reporting and recordkeeping, and it must reflect your actual risk rather than invented regulatory text. Use it as a structure, then populate it from your own documented risk assessment.
What are the most common reasons crypto AML programs fail an audit?
No documented risk assessment, a policy that exists only on paper, skipped or self-graded independent testing, Travel Rule and self-hosted-wallet gaps, and late or missing SAR/STR filings. Untrained staff and dealings with shell institutions or unregistered CASPs are also recurring findings.