Crypto Compliance: AML, KYC & Regulatory Requirements Guide
A complete guide to crypto compliance: AML/CFT pillars, KYC, sanctions screening, the Travel Rule and how FATF, EU, US and UK rules compare. Read on.

Crypto compliance is the anti-money-laundering and counter-terrorist-financing (AML/CFT) programme a regulated crypto business must run. Whether you operate as a VASP, a CASP or an MSB, the same component set applies: risk assessment, KYC/CDD, transaction monitoring, sanctions screening, the Travel Rule, suspicious-activity reporting, a named compliance officer, recordkeeping, training and independent audit.
What changes between jurisdictions is not the shape of the programme but the detail: who supervises you, what triggers registration, the threshold at which the Travel Rule bites and how soon you must report a suspicious transaction. This guide defines crypto compliance end to end, enumerates the pillars, walks the full component checklist, then compares the four regimes that matter most, FATF, the European Union, the United States and the United Kingdom, citing each from its primary source. For the licensing layer that sits beneath these obligations, see our complete crypto licensing guide.
What is crypto compliance?
Crypto compliance is the AML/CFT programme that a regulated crypto business, a VASP under FATF terminology, a CASP in the European Union, or an MSB and money transmitter in the United States, must build and maintain. In practice it is a written set of controls covering risk assessment, KYC/CDD, monitoring, sanctions screening, the Travel Rule, SAR reporting, an MLRO, recordkeeping, training and audit. Regulation (EU) 2024/1624 (AMLR) and 31 CFR 1022.210 set out the EU and US versions of the same obligation.
The word "compliance" can mean several things in crypto, so it pays to disambiguate early. If you mean tax reporting on gains and holdings, that is a separate topic covered in our crypto tax overview, not here. If you mean the authorisation or licence you need to operate, that is licensing compliance, addressed in our complete crypto licensing guide. On this page, "crypto compliance" means financial-crime compliance: the AML/CFT controls that prevent your platform from being used to launder money or finance terrorism.
Crypto compliance vs crypto licensing (and vs MiCA)
Compliance and licensing interlock but are not the same thing. A licence or registration gives you permission to operate; a compliance programme is what you run once you have it. In the European Union the distinction is explicit in law. The conduct and authorisation rules for crypto-asset service providers live in MiCA (Regulation (EU) 2023/1114), while the AML obligations sit in the AMLR and the Transfer of Funds Regulation. A MiCA-authorised CASP is an AMLR obliged entity: you cannot satisfy AML duties simply by holding a MiCA licence. For the conduct and authorisation side, see MiCA's EU conduct regime; for the global registration baseline, see VASP licensing.
AML vs KYC: how they relate
AML and KYC are often used interchangeably, but they are not equivalents. AML is the whole programme: every control listed above, working together to detect and deter money laundering and terrorist financing. KYC, more precisely customer due diligence (CDD), is one pillar inside that programme: the process of identifying and verifying the customer and the beneficial owner, then monitoring the relationship over time. The EU AMLR and UK MLR 2017 regulations 27 to 30 both treat CDD as a component, not the whole. For the detail on identity verification, onboarding and ongoing review, see our guide to crypto KYC requirements.

Who must comply? VASPs, CASPs, MSBs and FCA-registered firms
The AML/CFT obligation does not attach to "crypto" in the abstract. It attaches to a defined business class in each regime. If your activity falls into one of these categories, you are an obliged entity and must run a full compliance programme. If it does not, you may sit outside the perimeter, although the perimeter is widening across every major jurisdiction.
VASP (FATF) and CASP (EU)
FATF defines a virtual asset service provider (VASP) as any business conducting, for or on behalf of another person, activities such as exchange between virtual assets and fiat, exchange between virtual assets, transfer, safekeeping, or participation in financial services related to the offer or sale of a virtual asset. Under FATF Recommendation 15, VASPs must be licensed or registered and supervised for AML/CFT as financial institutions are. In the European Union the equivalent class is the crypto-asset service provider (CASP) under MiCA, which the AMLR names explicitly as an obliged entity. To understand registration at the activity level, see VASP licensing.
MSB / money transmitter (US)
In the United States, businesses that act as exchangers or administrators of convertible virtual currency are treated as money transmitters and therefore money services businesses (MSBs) under longstanding FinCEN guidance (FIN-2013-G001). A mere user of convertible virtual currency is not an MSB. An MSB must register with FinCEN, maintain a written AML program, keep records and file reports. If you are building an exchange in the US, those obligations attach at launch, which is why starting a licensed crypto exchange and standing up compliance run in parallel.
Registered cryptoasset firms (UK FCA)
In the United Kingdom, cryptoasset exchange providers and custodian wallet providers have been in scope of the Money Laundering Regulations 2017 since the 2019 amendment introduced regulation 14A. Such firms must register with the Financial Conduct Authority under the MLRs before operating; the FCA states that "registration under the MLRs is a legal requirement to carry on business." Supervision is risk-based and registered firms file an annual financial-crime return.
What are the pillars of a crypto AML program?
The cleanest enumerated baseline for the "pillars" of an AML program comes from US law. 31 CFR 1022.210 requires a money services business to develop, implement and maintain an effective written AML program built on four required elements. These four map cleanly onto FATF, EU and UK requirements, which is why the framing travels well across regimes even though the exact wording differs.
The four required elements (31 CFR 1022.210)
Under 31 CFR 1022.210, the four required elements of an MSB AML program are:
- Internal policies, procedures and controls reasonably designed to assure compliance with the rules.
- A designated compliance officer to assure day-to-day compliance with the program.
- Training of appropriate personnel concerning their responsibilities under the program.
- Independent review to monitor and maintain an adequate program.
The regulation adds that the program "shall be in writing" and that the MSB must make copies available to the Department of the Treasury for inspection on request. [S5]
The CDD "fifth pillar" and the senior-management caveat
You will often see a "fifth pillar" added to the four above: customer due diligence and beneficial-ownership identification. This framing is widely used and useful, but its legal source matters. The fifth pillar derives from FinCEN's 2016 Customer Due Diligence Final Rule (31 CFR 1010.230), not from 1022.210 itself. Importantly, the text of 31 CFR 1022.210 does not mention senior-management approval, so that requirement should not be attributed to this section. We flag the precise framing of the fifth pillar and senior-management sign-off for verification before publication (see Open questions).
The 10 components of a crypto compliance programme
The four pillars are a skeleton. A working crypto compliance programme contains around ten components that recur across every regime. The list below is the cross-regime checklist; each component is summarised here and, where a dedicated page exists, linked out so this hub stays a map rather than a maze.
| Component | What it is | Primary anchor |
|---|---|---|
| Business-wide risk assessment | Identify and assess inherent ML/TF risk by customer, product, geography and channel | EU AMLR [S2]; UK MLR reg 18 [S4]; FATF RBA [S6] |
| CDD / KYC | Identify and verify the customer and beneficial owner; ongoing monitoring | EU AMLR [S2]; UK MLR reg 27 to 30 [S4] |
| EDD / SDD | Enhanced diligence for high-risk (PEPs, high-risk third countries); simplified for low-risk | EU AMLR [S2]; UK MLR reg 33 to 36 [S4] |
| Transaction monitoring | Ongoing detection of transactions that may be suspicious | EU AMLR [S2] |
| Sanctions screening | Screen customers, counterparties and wallet addresses; block or reject hits | OFAC SDN incl. wallet addresses [S7] |
| Travel Rule | Originator and beneficiary data travels with transfers | EU TFR [S3]; US 31 CFR 1010.410(f); FATF R.16 [S6] |
| SAR / STR reporting | Report suspicion to the financial intelligence unit | US 31 CFR 1022.320 [S8]; EU AMLR [S2]; UK NCA [S4] |
| MLRO / compliance officer | Named, accountable individual | EU AMLR [S2]; UK MLR [S4]; US 1022.210 [S5] |
| Recordkeeping | Retain CDD and transaction records | EU AMLR [S2]; UK MLR reg 40 [S4]; US 5-year [S8] |
| Training and independent audit | Recurring role-appropriate training; periodic independent testing | EU AMLR [S2]; UK MLR reg 24 [S4]; US 1022.210 [S5] |
Governance, accountability and business-wide risk assessment
A compliant programme starts with governance, not paperwork. The board retains ultimate responsibility, a named compliance officer or MLRO runs day-to-day implementation, and the whole programme is anchored in a business-wide risk assessment that maps inherent money-laundering and terrorist-financing risk across customers, products, geographies and delivery channels. The EU AMLR requires this risk identification duty; UK MLR regulation 18 mandates the risk assessment; and the FATF risk-based approach is the principle that ties them together.
KYC / CDD onboarding (and EDD / SDD)
Customer due diligence is where most crypto firms feel the obligation first. At onboarding you must identify and verify the customer and the beneficial owner, understand the purpose of the relationship and risk-rate the customer. Higher-risk customers, such as politically exposed persons or those connected to high-risk third countries, attract enhanced due diligence; demonstrably low-risk relationships can take simplified due diligence. The AMLR and UK MLR regulations 27 to 36 set the CDD, EDD and SDD rules. For the operational detail, see crypto KYC requirements.
Ongoing transaction monitoring
Due diligence does not end at onboarding. You must monitor transactions on an ongoing basis against each customer's risk profile and refresh KYC periodically. The AMLR requires monitoring systems designed to detect transactions that might raise suspicion. In crypto this means watching on-chain and off-chain flows, flagging unusual patterns and escalating internally. Knowing what to look for is half the battle, which is why our guide to AML red flags in crypto catalogues the typologies that should trigger review.
Sanctions screening
Sanctions screening sits alongside monitoring but follows a different logic: it is rules-based, not risk-based, and the consequences of a miss are severe. You must screen customers, counterparties and wallet addresses against the relevant sanctions lists, then block or reject any match. Crucially for crypto, OFAC adds digital-currency wallet addresses to the SDN List, and US persons must block or reject sanctioned transactions whether they settle in fiat or crypto. Sanctions liability is strict, so penalties can attach even without intent.
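The following is an added example, not code from the original guide or from any regulator, showing the screening step described above as a practitioner would implement it: every wallet address on a transfer is matched against a list of listed addresses, matching is chain-aware (Ethereum hex addresses compare case-insensitively because EIP-55 checksum casing varies, bech32 Bitcoin addresses may be all-lower or all-upper, base58 Bitcoin addresses are case-sensitive), and each decision is returned as a timestamped record for the audit trail. The screening list, the addresses and the "XBT"/"ETH" chain labels are constructed for illustration; a production screen loads the current OFAC SDN List (and the UN, EU and UK lists) instead. The block-versus-reject split is the one OFAC draws: a firm blocks property it holds in which a listed person has an interest (an inbound deposit from a listed address) and rejects a transaction it must not process (an outbound transfer to a listed address).

```python
"""Chain-aware sanctions screening of wallet addresses (added example).

The screening list and every address below are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed list entries modelled on SDN-style digital-currency address
# entries: (chain label, address, listed entity). Chain labels are assumptions.
SANCTIONED_BECH32 = "bc1qconstructedblockedaddress0000000000000"   # constructed
SANCTIONED_BASE58 = "1ConstructedBase58Address00000000000"         # constructed
SANCTIONED_ETH = "0xAbCdEf0000000000000000000000000000000001"      # constructed
CLEAN_ETH = "0x0000000000000000000000000000000000000009"           # constructed

SCREENING_LIST: List[Tuple[str, str, str]] = [
    ("XBT", SANCTIONED_BECH32, "CONSTRUCTED ENTITY A"),
    ("XBT", SANCTIONED_BASE58, "CONSTRUCTED ENTITY B"),
    ("ETH", SANCTIONED_ETH, "CONSTRUCTED ENTITY C"),
]


def normalise(chain: str, address: str) -> str:
    """Canonical form used for matching.

    ETH addresses are hex; EIP-55 mixed-case checksums mean the same address
    can be written with different casing, so compare lower-cased.
    Bitcoin bech32 ('bc1...') is valid all-lower or all-upper, so lower-case it.
    Bitcoin base58 ('1...'/'3...') is case-sensitive: compare as written.
    """
    address = address.strip()
    if chain == "ETH":
        return address.lower()
    if chain == "XBT" and address.lower().startswith("bc1"):
        return address.lower()
    return address


# Index keyed on (chain, normalised address) so lookups are O(1).
INDEX: Dict[Tuple[str, str], str] = {
    (chain, normalise(chain, addr)): entity for chain, addr, entity in SCREENING_LIST
}


@dataclass
class ScreeningResult:
    """One auditable screening decision for one address."""
    chain: str
    address: str
    hit: bool
    entity: Optional[str]
    screened_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat()
    )


def screen_address(chain: str, address: str) -> ScreeningResult:
    """Screen a single address; a hit names the listed entity."""
    entity = INDEX.get((chain, normalise(chain, address)))
    return ScreeningResult(chain, address, entity is not None, entity)


def transfer_decision(
    chain: str, originator: str, beneficiary: str
) -> Tuple[str, List[ScreeningResult]]:
    """Screen both sides of a transfer.

    'block'  : originator address is listed -> the firm now holds blocked
               property and must freeze it, not return it.
    'reject' : beneficiary address is listed -> do not process the transfer.
    'allow'  : no hit on either side.
    The per-address results are returned alongside for the evidence trail.
    """
    results = [screen_address(chain, originator), screen_address(chain, beneficiary)]
    if results[0].hit:
        return "block", results
    if results[1].hit:
        return "reject", results
    return "allow", results


if __name__ == "__main__":
    decision, evidence = transfer_decision("ETH", CLEAN_ETH, SANCTIONED_ETH.lower())
    print(decision, [(r.address, r.hit, r.entity) for r in evidence])
```

Two design points matter in practice: the normalisation rules are per chain, because lower-casing a base58 address would create false negatives (a listed address written in its real casing would no longer match), and the result object is what gets logged, so the screen produces the evidence a supervisor asks for rather than only a yes/no.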
Travel Rule, SAR/STR reporting and recordkeeping
Three operational obligations cluster together. The Travel Rule requires originator and beneficiary data to travel with crypto transfers; the EU sets this out in the Transfer of Funds Regulation and the US in 31 CFR 1010.410(f). Suspicious-activity reporting routes internal escalations through the MLRO to the financial intelligence unit; in the US, 31 CFR 1022.320 sets the thresholds and deadlines, while UK firms report to the NCA. Recordkeeping ties it together: CDD and transaction records are retained, commonly for five years. For the cross-border data-sharing detail, see the crypto Travel Rule.
Training, independent audit and tooling
The last cluster keeps the programme honest. Recurring, role-appropriate AML/CFT training is mandated across the EU AMLR, UK MLR regulation 24 and US 1022.210. Periodic independent testing, the fourth US pillar, checks that controls work in practice rather than only on paper. Underpinning monitoring and screening is tooling: blockchain analytics and screening software that make ongoing monitoring, sanctions screening and Travel Rule data exchange operationally feasible at scale.
How do FATF, EU, US and UK crypto compliance rules compare?
The same ten components apply everywhere, but the detail diverges. The table below is the headline comparison: who supervises, what triggers registration, the Travel Rule threshold, the suspicious-activity reporting rule and the key timing for each regime. This is the distinction most generic pages under-serve and the one founders most need before they choose a base of operations.
At-a-glance comparison table
| Dimension | FATF | EU | US | UK |
|---|---|---|---|---|
| Who regulates | Standard-setter | National supervisors + AMLA (Frankfurt) | FinCEN + OFAC | FCA |
| Registration trigger | License or register VASPs | CASP under MiCA + AMLR obliged entity | MSB registration | MLR reg 54 to 60 |
| Travel Rule threshold | USD/EUR 1,000 (VERIFY) | None for crypto transfers | USD 3,000 | UK start 1 Sep 2023 (VERIFY) |
| SAR / STR | STR to FIU | STR to FIU | ≥ USD 2,000, within 30 days | SAR to NCA |
| Key timing | R.15/R.16 since 2019 | AMLR applies 10 Jul 2027 | Longstanding BSA | Crypto in scope since 2019 |
The single sharpest contrast is the Travel Rule threshold: the EU applies it to every crypto transfer with no de-minimis, while the US sets a USD 3,000 floor. The second is timing: the EU's single-rulebook AMLR does not apply until 10 July 2027, whereas the US Bank Secrecy Act framework is longstanding.
Travel Rule thresholds compared: EU vs US vs FATF
The Travel Rule, FATF Recommendation 16 applied to virtual assets, requires that originator and beneficiary information accompany a transfer. The thresholds differ sharply. The EU Transfer of Funds Regulation sets no amount threshold: it applies to all crypto transfers regardless of size (Recital 30), with an additional ownership check for transfers above EUR 1,000 to self-hosted wallets (Article 14(5)). The US threshold under 31 CFR 1010.410(f) is USD 3,000. FATF recommends a USD/EUR 1,000 de-minimis floor, although that specific figure is carried from a secondary source and flagged for re-verification (see Open questions). For the full operational picture, see the crypto Travel Rule.
FATF: the global AML/CFT baseline for crypto
FATF does not regulate firms directly; it sets the global standard that member jurisdictions implement. For crypto, two Recommendations carry the weight. FATF Recommendation 15 was amended in October 2018 to cover virtual assets and VASPs, with the Interpretive Note (INR.15) and first guidance adopted in June 2019. Recommendation 16, the Travel Rule, was extended to virtual-asset transfers through INR.15. FATF Recommendations are non-binding, but jurisdictions that fail to implement them risk grey or black listing, which is why they shape law everywhere. Note that the FATF facts on this page are carried from a verified sibling source because fatf-gafi.org blocked direct retrieval; they are flagged for re-verification before publication.
Recommendations 15 and 16 and the risk-based approach
Under Recommendation 15, countries must identify and assess virtual-asset ML/TF risk, license or register VASPs, supervise them for AML/CFT and apply the full preventive-measures toolkit, treating VASPs as financial institutions. Recommendation 16 requires VASPs to obtain, hold and transmit required originator and beneficiary information with each transfer. Running through both is the risk-based approach: identify, assess and mitigate risk proportionately, applying more scrutiny where risk is higher, rather than treating every customer the same.

European Union: AMLR, AMLD6, the TFR and AMLA
The European Union is moving from a patchwork of national transpositions to a single rulebook. Four instruments matter for crypto compliance: the AML Regulation (AMLR), the sixth AML Directive (AMLD6), the Transfer of Funds Regulation (TFR) and the regulation establishing the new AML Authority (AMLA). Together they harmonise AML obligations across the bloc and bring crypto firms squarely within scope. To see how this AML layer fits with the conduct rules, read MiCA's EU conduct regime.
AMLR 2024/1624 obligations and the 10 July 2027 application date
The AMLR (Regulation (EU) 2024/1624) is the directly-applicable single rulebook. It entered into force on 19 June 2024 and applies from 10 July 2027. It names CASPs as obliged entities and mandates a risk assessment, internal policies and controls, CDD with beneficial-ownership verification, EDD for higher-risk relationships, SDD for low-risk, suspicious-transaction reporting to the FIU, recordkeeping, a day-to-day compliance officer plus a management-body member overseeing implementation, and training. AMLD6 (Directive (EU) 2024/1640) adds national-mechanism rules, and AMLA (Regulation (EU) 2024/1620), seated in Frankfurt, will coordinate supervision. The 2027 application date is a freshness point: many competing pages still cite the older AMLD5-era framework.
The EU crypto Travel Rule (TFR 2023/1113)
The Transfer of Funds Regulation (Regulation (EU) 2023/1113) is the EU crypto Travel Rule. It requires CASPs to ensure that crypto transfers carry prescribed originator and beneficiary information (Article 14), with no de-minimis threshold: it applies to all crypto transfers regardless of amount (Recital 30). For transfers above EUR 1,000 to self-hosted or unhosted wallets, the originator's CASP must take adequate measures to assess whether the address is owned or controlled by the originator (Article 14(5)). The TFR applies from 30 December 2024, aligned to MiCA.
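The EU/US/FATF threshold comparison above and the TFR Article 14 and 14(5) rules just described are the kind of thing that gets mis-implemented as a single global threshold. The following added example, which is not code from the original guide or from any regulator, encodes the page's three regimes as one decision function so the edge case is explicit: in the EU the data duty applies to every transfer with no de-minimis, and the separate self-hosted-wallet ownership check only bites above EUR 1,000; in the US the duty attaches at the USD 3,000 floor the page cites; the FATF figure is kept as the page states it, flagged for re-verification. The function name, its return fields and the regime labels are assumptions; amounts are taken in the regime's own currency.

```python
"""Travel Rule applicability by regime, as described on this page (added example).

Regime labels, function names and return fields are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TravelRuleDuties:
    transmit_originator_beneficiary_data: bool  # required data must accompany the transfer
    verify_self_hosted_ownership: bool          # EU TFR Art. 14(5) ownership assessment
    basis: str                                  # which rule produced the answer


# Thresholds as stated on this page; amounts are in the regime's own currency.
EU_SELF_HOSTED_CHECK_ABOVE_EUR = 1_000   # TFR Art. 14(5): transfers ABOVE EUR 1,000 to self-hosted wallets
US_FLOOR_USD = 3_000                     # 31 CFR 1010.410(f) floor cited on this page
FATF_FLOOR = 1_000                       # USD/EUR 1,000 de-minimis, flagged on this page for re-verification


def travel_rule_duties(regime: str, amount: float, counterparty_self_hosted: bool) -> TravelRuleDuties:
    """Return the Travel Rule duties for one outgoing transfer.

    regime: "EU", "US" or "FATF" (assumed labels).
    amount: transfer value in the regime's currency.
    counterparty_self_hosted: True when the beneficiary address is a self-hosted
        (unhosted) wallet rather than one held at another VASP/CASP.
    """
    if amount < 0:
        raise ValueError("amount must be non-negative")

    if regime == "EU":
        # No de-minimis: data travels on every crypto transfer (Recital 30, Art. 14).
        # The ownership check is a separate duty, only above EUR 1,000 and only
        # when the counterparty wallet is self-hosted (Art. 14(5)).
        ownership_check = counterparty_self_hosted and amount > EU_SELF_HOSTED_CHECK_ABOVE_EUR
        return TravelRuleDuties(True, ownership_check,
                                "TFR 2023/1113 Art. 14; Art. 14(5) self-hosted check")

    if regime == "US":
        # Duty attaches at the USD 3,000 floor; no EU-style ownership check exists here.
        return TravelRuleDuties(amount >= US_FLOOR_USD, False, "31 CFR 1010.410(f)")

    if regime == "FATF":
        # Figure as carried on this page, pending re-verification.
        return TravelRuleDuties(amount >= FATF_FLOOR, False,
                                "FATF R.16 / INR.15 (threshold unverified)")

    raise ValueError(f"unknown regime: {regime!r}")


if __name__ == "__main__":
    for regime, amount, self_hosted in [("EU", 50, True), ("EU", 1_500, True), ("US", 2_500, False)]:
        print(regime, amount, self_hosted, travel_rule_duties(regime, amount, self_hosted))
```

The point the function makes visible is that "threshold" means two different things: in the US it gates whether the data duty exists at all, while in the EU it gates only the additional self-hosted-wallet ownership check, so an EU CASP that reuses a 1,000-unit gate for data transmission is non-compliant on every small transfer.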
United States: BSA, FinCEN and OFAC
US crypto compliance rests on the Bank Secrecy Act, administered by FinCEN, plus the sanctions regime administered by OFAC. The two work together: FinCEN governs the AML program and reporting, while OFAC governs sanctions, including the screening of wallet addresses. Note that the FinCEN classification facts here are corroborated internally but the canonical FinCEN text was not retrieved this session; they are flagged for re-verification.
AML program and SAR filing (31 CFR 1022.210 / 1022.320)
An MSB must maintain the four-element written AML program under 31 CFR 1022.210, available to Treasury on request. On reporting, 31 CFR 1022.320 requires a suspicious activity report for transactions involving or aggregating at or above USD 2,000, filed within 30 calendar days of initial detection. SARs and supporting documents are retained for five years and are strictly confidential: a firm may not disclose that a SAR has been filed.
OFAC sanctions and the SDN List
OFAC sanctions apply regardless of whether value moves in fiat or crypto. OFAC adds digital-currency and wallet addresses to the SDN List, and its Sanctions List Search tool lets firms screen by digital-currency address. US persons must block or reject sanctioned transactions, and liability is strict. OFAC also publishes a framework setting out the components of a sound sanctions-compliance programme; the precise five-component enumeration is widely cited but was not retrieved this session, so we cite it cautiously and flag it for verification (see Open questions). The verified point stands: wallet addresses are on the SDN List and must be screened.
United Kingdom: MLR 2017 and FCA registration
The United Kingdom brought crypto firms into its AML perimeter through the Money Laundering Regulations 2017. Since the 2019 amendment, cryptoasset exchange providers and custodian wallet providers (regulation 14A) must run a full programme: risk assessment (regulation 18), policies and controls (regulation 19), CDD (regulations 27 to 30), EDD including PEPs (regulations 33 to 36), training (regulation 24) and recordkeeping (regulation 40).
FCA registration and the nominated officer (MLRO)
Registration with the FCA under the MLRs (regulations 54 to 60) is a legal precondition to carrying on business; the FCA applies a fit-and-proper test and supervises on a risk-based basis, with registered firms filing an annual financial-crime return. Firms appoint a nominated officer (the MLRO) who receives internal suspicious-activity reports and reports onward to the National Crime Agency. A UK crypto Travel Rule start date of 1 September 2023 is commonly cited; it was not on the FCA page retrieved and is flagged for verification (see Open questions).
The MLRO / crypto compliance officer role
Every regime requires a named, accountable individual at the centre of the programme. That person, the money laundering reporting officer (MLRO) in the UK, the compliance officer in the EU and the US, owns day-to-day AML compliance and channels suspicion to the financial intelligence unit. The role is not a formality: regulators expect the holder to have the seniority, knowledge and independence to act, and they hold the firm accountable when the function fails.
How the role differs across the EU, UK and US
The accountability structure differs in emphasis. Under the EU AMLR, a compliance officer handles day-to-day implementation while a management-body member oversees it and the board retains ultimate responsibility. In the UK, firms appoint a nominated officer (MLRO) who reports to the NCA, plus where applicable a board-level officer responsible for compliance (MLR 2017). In the US, 31 CFR 1022.210 simply requires the firm to "designate a person" to assure day-to-day compliance: the BSA compliance officer.
How to build a crypto compliance programme (and where we help)
Building a programme is less about producing documents and more about sequencing decisions correctly. The order below is the one that fails audits least often: governance and risk assessment first, because everything downstream calibrates to your risk profile, then customer-facing controls, then monitoring and reporting, then the supporting functions. Where the work touches a specialised area, we link to the relevant detail page, and our advisory team in Zug helps founders and compliance officers scope and stand up each layer.
Programme build order, step by step
- Governance and risk assessment. Appoint the compliance officer or MLRO, secure board ownership and complete the business-wide ML/TF risk assessment.
- KYC / CDD onboarding. Identify and verify the customer and beneficial owner, risk-rate them, and set EDD and SDD pathways. See crypto KYC requirements.
- Ongoing monitoring. Monitor transactions against each customer's risk profile and refresh KYC periodically.
- Sanctions screening. Screen customers, counterparties and wallet addresses against OFAC, UN, EU and UK lists at onboarding and continuously.
- Travel Rule. Collect, hold and transmit originator and beneficiary data on transfers, and handle self-hosted-wallet cases.
- SAR / STR reporting. Build internal escalation to the MLRO and onward to the FIU within the applicable deadline.
- Recordkeeping. Retain CDD, transaction and SAR records, commonly for five years.
- Training. Deliver recurring, role-appropriate AML/CFT training.
- Independent audit. Commission periodic independent testing of the whole programme.
- Tooling. Deploy blockchain analytics and screening software to make monitoring and screening operationally feasible.
To turn this sequence into a documented policy, see how to build an AML policy.
Common pitfalls and audit-readiness
From our practice advising crypto founders and compliance officers, the programmes that hold up under examination share a pattern: governance is settled before controls are written, the risk assessment is a living document rather than a template, and every control leaves an evidence trail a regulator can follow. The most common failures are the reverse: a polished policy with no board ownership, a risk assessment copied from a peer, and monitoring rules nobody can explain. We do not publish client counts, but the lesson is consistent across the work we see: a written programme that mirrors your actual risk and produces auditable evidence is the difference between a clean review and a remediation order.
Frequently asked questions
What is crypto compliance?
It is the AML/CFT programme a regulated crypto business (a VASP, CASP or MSB) must run: risk assessment, KYC/CDD, transaction monitoring, sanctions screening, the Travel Rule, SAR/STR reporting, an MLRO, recordkeeping, training and independent audit. The components are similar across FATF, EU, US and UK regimes.
What are the pillars of a crypto AML program?
Under US 31 CFR 1022.210: internal policies and controls, a designated compliance officer, training, and independent review, written and available to Treasury on request. Customer due diligence (KYC) is widely called the "fifth pillar," though it derives from a separate FinCEN rule rather than 1022.210 itself.
Is KYC legally required for crypto?
Yes, for regulated VASPs, CASPs and MSBs. Customer due diligence requires identifying and verifying the customer and the beneficial owner, understanding the purpose of the relationship, and monitoring it on an ongoing basis. KYC is one component of the wider AML/CFT programme, not a standalone obligation.
What is the crypto Travel Rule and does it have a threshold?
Originator and beneficiary data must travel with crypto transfers. The EU Transfer of Funds Regulation sets no threshold, applying to all transfers. The US threshold is USD 3,000. FATF recommends a USD/EUR 1,000 de-minimis floor, a figure carried from a secondary source and flagged for re-verification.
Do EU crypto firms have AML obligations under MiCA?
AML obligations sit in the AMLR and the Transfer of Funds Regulation, not in MiCA itself. MiCA is the conduct and authorisation regime for crypto-asset service providers. A MiCA-authorised CASP is an AMLR obliged entity, so it must run a full AML/CFT programme on top of its licence.
When does the EU AML Regulation (AMLR) apply?
The AMLR (Regulation (EU) 2024/1624) entered into force on 19 June 2024 and applies from 10 July 2027. This single-rulebook harmonisation is a key freshness point: many older guides still reference the previous AMLD5-era framework rather than the directly-applicable AMLR.
Who must register with the FCA in the UK?
Cryptoasset exchange providers and custodian wallet providers must register with the FCA under the Money Laundering Regulations 2017, in scope since the 2019 amendment introduced regulation 14A. The FCA states that registration under the MLRs is a legal requirement to carry on business, and supervision is risk-based.
Are US crypto exchanges money services businesses?
Exchangers and administrators of convertible virtual currency are money transmitters and therefore MSBs under FinCEN guidance; ordinary users are not. As MSBs they must register with FinCEN, maintain a written AML program, keep records and file reports. This classification is flagged for re-verification against the canonical FinCEN text.
What triggers a SAR for a US crypto MSB?
A suspicious transaction at or above USD 2,000 must be reported within 30 calendar days of initial detection. SAR records and supporting documents are retained for five years and kept strictly confidential, meaning the firm cannot disclose that a report has been filed.
Do crypto firms have to screen against OFAC sanctions?
Yes. OFAC adds digital-currency wallet addresses to the SDN List, and US persons must block or reject sanctioned transactions regardless of whether they settle in fiat or crypto. Sanctions liability is strict, so penalties can attach even where there was no intent to breach.
What is an MLRO or crypto compliance officer?
The named individual accountable for day-to-day AML compliance and for reporting suspicion to the financial intelligence unit. The EU requires a compliance officer plus management oversight, the UK a nominated officer reporting to the NCA, and the US a designated BSA compliance officer.
What is a risk-based approach (RBA)?
Identifying, assessing and mitigating money-laundering and terrorist-financing risk proportionately, applying enhanced due diligence to high-risk customers and simplified due diligence to low-risk ones, rather than a fixed checklist. The RBA is the principle running through FATF, EU and UK requirements.
How long must crypto firms keep records?
Commonly five years, which is the US SAR retention period and the general FATF and EU standard, though exact periods vary by jurisdiction. Records typically cover customer due diligence, transactions and suspicious-activity reports, and must be retrievable for supervisory inspection.
What is the difference between AML and KYC?
KYC, or customer due diligence, is one pillar inside the broader AML/CFT programme. AML is the whole programme, covering risk assessment, monitoring, sanctions screening, reporting and more, while KYC is specifically the customer-identity and verification component within it.
What does an EU vs US vs UK crypto firm need differently?
The component set is the same. The differences are Travel Rule thresholds, the registration authority (the FCA, FinCEN, or national supervisors plus the future Frankfurt-based AMLA), and the EU's 2027 single-rulebook harmonisation under the AMLR. The underlying AML/CFT obligations align closely across all three.