AML/CTF Requirements for Crypto Businesses

AML and CTF requirements for crypto businesses — FATF Travel Rule, KYC procedures, transaction monitoring, suspicious activity reporting, and compliance programs.

Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) requirements form the regulatory foundation for every crypto business operating in a regulated jurisdiction. The Financial Action Task Force (FATF) establishes the global standard through 40 Recommendations adopted by more than 200 member jurisdictions, while regional frameworks — the EU’s 6th Anti-Money Laundering Directive (AMLD6), the US Bank Secrecy Act (BSA), and the UK Money Laundering Regulations — translate those standards into enforceable national law. A crypto subledger that captures complete transaction records, counterparty data, and audit trails provides the operational infrastructure for satisfying AML/CTF obligations across all applicable jurisdictions.

What Are AML and CTF Requirements for Crypto Organizations?

AML/CTF requirements are a set of legal obligations designed to prevent the use of financial systems for money laundering, terrorist financing, and proliferation financing. The compliance framework applies to any entity classified as a virtual asset service provider (VASP) under FATF standards or as a crypto-asset service provider (CASP) under EU law.

The Financial Action Task Force introduced Recommendation 15 in June 2019, extending AML/CTF obligations explicitly to virtual assets and VASPs. Recommendation 15 requires every jurisdiction to apply the full suite of FATF preventive measures — customer due diligence, record-keeping, suspicious transaction reporting, and sanctions screening — to entities providing virtual asset services. The FATF’s “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers,” published in October 2021, further clarified the scope and application of these obligations.

AMLD6 (Directive (EU) 2024/1640) establishes the EU’s harmonized AML/CTF framework. AMLD6 defines 22 categories of predicate offenses for money laundering, including tax crimes, cybercrime, and environmental crime. Penalties under AMLD6 reach up to 10% of annual turnover or a minimum of EUR 1 million for legal persons, whichever is higher. Criminal liability extends to natural persons — officers and compliance staff — who facilitate or fail to prevent money laundering through willful neglect.

The Anti-Money Laundering Authority (AMLA), headquartered in Frankfurt, commenced operations in 2025 as the EU’s dedicated AML/CTF supervisory body. AMLA assumes direct supervision of selected high-risk obliged entities — including crypto-asset service providers — starting in 2028. Until that date, national competent authorities retain primary supervisory responsibility, with AMLA coordinating cross-border enforcement actions and issuing binding technical standards.

AML/CTF obligations operate on a risk-based approach. Crypto businesses assess the money laundering and terrorist financing risks associated with their products, services, customers, and geographic exposure. Risk assessments are documented, reviewed annually, and made available to supervisory authorities upon request.

What KYC and Customer Due Diligence Obligations Apply to Crypto?

Know Your Customer (KYC) is the process of verifying a customer’s identity, understanding the nature of the customer’s activities, and assessing the money laundering risk posed by the business relationship. KYC obligations apply at onboarding, during the business relationship, and whenever suspicion arises regarding the identity or activity of a customer.

Customer Identification Program (CIP)

A Customer Identification Program (CIP) is the first component of KYC, requiring the collection and verification of identifying information before establishing a business relationship. Regulated crypto businesses collect 4 minimum data points from individual customers: full legal name, date of birth, residential address, and a government-issued identification number.

Verification is performed against independent, reliable sources. Document-based verification relies on government-issued photo identification — passports, national identity cards, or driver’s licenses. Electronic verification cross-references customer-supplied data against commercial databases, credit bureaus, or government registries. Biometric verification, including facial recognition matched against identity documents, provides an additional layer of assurance for remote onboarding.

Corporate customers undergo a more extensive CIP process. Beneficial ownership identification is required for all legal entities. The EU’s beneficial ownership threshold stands at 25% — any natural person holding 25% or more of shares, voting rights, or ownership interest in a legal entity is identified and verified. The US Corporate Transparency Act lowered the reporting threshold to 25% for beneficial ownership reports filed with FinCEN, effective January 2024.

Simplified, Standard, and Enhanced Due Diligence

Crypto businesses apply 3 levels of customer due diligence based on the assessed risk of the customer relationship.

Simplified Due Diligence (SDD) applies to customers assessed as low risk. SDD permits reduced identity verification — for example, verifying name and date of birth without requiring proof of address. SDD is permitted only where the jurisdiction’s risk assessment supports the lower standard and where transaction volumes remain below defined thresholds. The EU’s AML Regulation restricts SDD to specific product categories and customer types explicitly enumerated in the legislation.

Standard Customer Due Diligence (CDD) is the baseline requirement applied to all customers not qualifying for SDD or triggering EDD. Standard CDD requires full identity verification, beneficial ownership identification for legal entities, an understanding of the purpose and intended nature of the business relationship, and ongoing monitoring of transactions. CDD documentation is retained for a minimum of 5 years after the end of the business relationship.

Enhanced Due Diligence (EDD) applies to high-risk scenarios. EDD is mandatory in 4 situations: politically exposed persons (PEPs) and their family members or close associates, customers domiciled in high-risk third countries identified by the FATF or the European Commission, complex or unusually large transactions with no apparent economic purpose, and business relationships involving correspondent banking arrangements. EDD measures include obtaining senior management approval, establishing the source of funds and source of wealth, and conducting intensified ongoing monitoring.

Ongoing Monitoring and Periodic Review

Ongoing monitoring is the continuous surveillance of customer transactions to detect activity inconsistent with the business’s knowledge of the customer. Transaction monitoring systems compare each transaction against the customer’s established profile, flagging deviations that exceed defined thresholds or match known typology patterns.

Periodic reviews reassess the customer’s risk rating at defined intervals. High-risk customers undergo review every 12 months. Standard-risk customers undergo review every 36 months. Low-risk customers undergo review every 60 months. Trigger events — changes in beneficial ownership, adverse media, sanctions list additions, or unusual transaction spikes — initiate ad hoc reviews outside the periodic cycle.

What Is the FATF Travel Rule and How Does It Apply to Crypto Transfers?

The FATF Travel Rule (Recommendation 16) is the requirement for financial institutions and VASPs to obtain, hold, and transmit originator and beneficiary information alongside wire transfers and virtual asset transfers. The Travel Rule aims to ensure that law enforcement authorities and financial intelligence units can trace the flow of funds across intermediaries.

FATF Recommendation 16 requires the ordering VASP to collect 5 data elements: the originator’s name, account number (wallet address), and physical address (or national identity number, customer identification number, or date and place of birth), together with the beneficiary’s name and account number. The beneficiary VASP verifies that the required originator information accompanies the transfer before making funds available to the recipient.

The EU Transfer of Funds Regulation (TFR — Regulation (EU) 2023/1113) implements the Travel Rule with a critical distinction: the TFR applies a zero threshold. Every crypto-asset transfer, regardless of amount, requires full originator and beneficiary identification data. Traditional wire transfers under the EU’s funds transfer regulation apply the Travel Rule only above EUR 1,000. The TFR’s zero threshold reflects the EU legislature’s assessment that crypto-asset transfers present higher anonymity risks.

The US FinCEN Travel Rule (31 CFR 103.33(g)) applies a $3,000 threshold. Transfers below $3,000 are exempt from Travel Rule information-sharing requirements, though the transmitting institution still performs standard CDD. FinCEN proposed lowering the threshold to $250 in 2020, but the proposal was withdrawn. The $3,000 threshold remains unchanged as of March 2026.

Technical implementation of the Travel Rule across VASPs relies on 4 primary messaging protocols: TRISA (Travel Rule Information Sharing Architecture), TRP (Travel Rule Protocol developed by Notabene), OpenVASP (an open-source protocol by the OpenVASP Association), and TRUST (Travel Rule Universal Solution Technology developed by Coinbase and other US exchanges). Interoperability between protocols remains a challenge. The Travel Rule working group under the FATF’s Virtual Assets Contact Group published interoperability guidelines in 2024, but no single protocol has achieved universal adoption.

Transfers to unhosted wallets (self-custodial wallets not controlled by a VASP) present a compliance gap. The EU TFR requires CASPs to collect and verify the name of the person controlling the unhosted wallet for transfers exceeding EUR 1,000. Below that threshold, CASPs still assess the risk of the transfer. The FATF’s 2021 guidance recognized the challenge of applying the Travel Rule to peer-to-peer transfers and deferred prescriptive requirements, recommending that jurisdictions monitor developments.
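A completeness check that encodes the thresholds described above (the EU TFR zero threshold, the EUR 1,000 unhosted-wallet verification point, and the US $3,000 threshold), written as an added example that is not part of the original page or of any of the named messaging protocols. The regime labels, field names, and the assumption that amounts are in EUR under the EU regime and USD under the US regime are mine.

```python
from dataclasses import dataclass

# The originator's third R.16 element may be any one of these, as the article lists them.
ORIGINATOR_ALTERNATIVES = ("address", "national_id", "customer_id", "birth_date_place")
EU_UNHOSTED_VERIFY_THRESHOLD = 1_000   # EUR: above this the unhosted wallet's controller is verified
US_TRAVEL_RULE_THRESHOLD = 3_000       # USD: below this no Travel Rule data exchange is required

FULL = {"originator": ["name", "account", "identifier"], "beneficiary": ["name", "account"]}
NONE = {"originator": [], "beneficiary": []}


@dataclass
class Transfer:
    regime: str               # "EU" or "US" (assumed labels)
    amount: float             # EUR under "EU", USD under "US" (assumption)
    originator: dict          # e.g. {"name": ..., "account": ..., "customer_id": ...}
    beneficiary: dict         # e.g. {"name": ..., "account": ...}
    beneficiary_hosted: bool  # False = self-custodial ("unhosted") wallet


def required_elements(t: Transfer) -> dict:
    """Which elements must accompany the transfer, plus two flags:
    verify_controller (EU unhosted, > EUR 1,000) and risk_assess_only (EU unhosted, <= EUR 1,000)."""
    base = {"verify_controller": False, "risk_assess_only": False}
    if t.regime == "EU":
        if t.beneficiary_hosted:               # zero threshold: every VASP-to-VASP transfer
            return {**FULL, **base}
        if t.amount > EU_UNHOSTED_VERIFY_THRESHOLD:
            return {**NONE, "beneficiary": ["name"], **base, "verify_controller": True}
        return {**NONE, **base, "risk_assess_only": True}
    if t.regime == "US":
        return {**(FULL if t.amount >= US_TRAVEL_RULE_THRESHOLD else NONE), **base}
    raise ValueError(f"unknown regime {t.regime!r}")


def missing_elements(t: Transfer) -> list:
    """Required elements absent from the message, as 'party.element' strings."""
    req, missing = required_elements(t), []
    for elem in req["originator"]:
        if elem == "identifier":
            if not any(t.originator.get(k) for k in ORIGINATOR_ALTERNATIVES):
                missing.append("originator.identifier")
        elif not t.originator.get(elem):
            missing.append(f"originator.{elem}")
    for elem in req["beneficiary"]:
        if not t.beneficiary.get(elem):
            missing.append(f"beneficiary.{elem}")
    return missing


def beneficiary_may_release(t: Transfer) -> bool:
    """Beneficiary VASP gate: release funds only when every required originator
    element accompanies the transfer (the check the article describes)."""
    return not any(m.startswith("originator.") for m in missing_elements(t))
```

Standard CDD on the customer still applies in every branch; the function only decides what must travel with the message.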

What Suspicious Activity Reporting Obligations Exist for Crypto?

Suspicious activity reporting is the obligation of regulated entities to file reports with the relevant financial intelligence unit (FIU) when a transaction or pattern of transactions raises suspicion of money laundering, terrorist financing, or other predicate offenses.

SAR/STR Filing Requirements

A Suspicious Activity Report (SAR) in the US or a Suspicious Transaction Report (STR) in the EU is a confidential filing submitted to the national FIU. FinCEN receives SARs from US-registered money services businesses, including crypto exchanges, through the BSA E-Filing System. EU member state FIUs receive STRs from obliged entities in formats specified by national legislation.

Filing timelines vary by jurisdiction. US entities file SARs within 30 calendar days of detecting suspicious activity. The UK’s Proceeds of Crime Act requires filing a SAR with the National Crime Agency before proceeding with a suspicious transaction — a “consent regime” that pauses the transaction until the NCA grants or denies consent within 7 working days. EU member states typically impose 24-hour to 5-business-day filing deadlines from the point of suspicion.

SARs and STRs include transaction details (dates, amounts, wallet addresses, counterparties), the basis for suspicion, customer identification data, and a narrative description of the suspicious activity. Complete and detailed narratives significantly increase the value of SARs to law enforcement. FinCEN processed more than 4.6 million SARs in fiscal year 2024, with crypto-related SARs representing a growing share.

Red Flag Indicators for Crypto Transactions

Red flag indicators are observable patterns or behaviors that suggest a transaction involves illicit proceeds. The FATF published a “Virtual Assets Red Flag Indicators” report in September 2020, identifying 6 categories of red flags specific to virtual assets.

The 6 FATF red flag categories for crypto transactions are listed below:

  1. Technological features — Use of privacy coins (Monero, Zcash shielded transactions), mixing services, tumblers, or chain-hopping (rapid conversion across multiple crypto-assets) to obscure transaction trails.
  2. Transaction patterns — Structuring transactions just below reporting thresholds, rapid movement of funds through multiple wallets, or large volumes of transactions with no apparent economic rationale.
  3. Anonymity indicators — Use of unhosted wallets, newly created wallets, VPN or Tor connections for account access, or reluctance to provide identification during onboarding.
  4. Sender/receiver profiles — Transactions involving sanctioned addresses, addresses linked to darknet marketplaces, or addresses associated with ransomware campaigns.
  5. Source of funds — Funds originating from high-risk jurisdictions, gambling platforms, peer-to-peer exchange platforms, or initial coin offering (ICO) proceeds with no identifiable business purpose.
  6. Geographic risk — Customers operating from or transacting with jurisdictions on the FATF black list or grey list, or jurisdictions with no AML/CTF framework for virtual assets.

Each crypto business calibrates automated detection rules to flag transactions matching these indicators. Flagged transactions undergo manual review by the compliance team before a SAR/STR filing determination is made.
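Detection logic for three of the indicators above (structuring just below a reporting threshold, rapid movement of funds through multiple wallets, and a sanctioned-address match), run over a constructed ledger and merged into a review queue for the compliance team. This is an added example, not code from the original page or from any vendor; the threshold, window sizes, minimum counts, wallet and customer names, and the sanctions placeholder are all assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

REPORT_THRESHOLD = 10_000.0       # assumed reporting threshold the structuring rule watches
STRUCTURING_BAND = 0.10           # amounts within 10% below the threshold count as "just below"
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3         # transfers in one window needed to flag a customer
HOP_WINDOW = timedelta(hours=1)   # max gap between consecutive hops in a chain
HOP_MIN_LENGTH = 3                # chain length that counts as rapid movement through wallets
SANCTIONED = {"wallet_sanctioned_placeholder"}  # placeholder; a real rule loads a sanctions feed

Txn = namedtuple("Txn", "id ts customer src dst amount")
T0 = datetime(2025, 1, 10, 9, 0)
SAMPLE_TXNS = [  # constructed ledger: no real wallets, customers or amounts
    Txn("t1", T0, "cust_A", "wA", "wX", 9_500),
    Txn("t2", T0 + timedelta(hours=5), "cust_A", "wA", "wX", 9_800),
    Txn("t3", T0 + timedelta(hours=20), "cust_A", "wA", "wY", 9_200),
    Txn("t8", T0 + timedelta(days=3), "cust_A", "wA", "wX", 9_900),  # alone, outside the window
    Txn("t4", T0, "cust_B", "wB", "w1", 4_000),
    Txn("t5", T0 + timedelta(minutes=10), "cust_B", "w1", "w2", 3_990),
    Txn("t6", T0 + timedelta(minutes=25), "cust_B", "w2", "w3", 3_980),
    Txn("t7", T0 + timedelta(hours=2), "cust_C", "wC", "wallet_sanctioned_placeholder", 120),
]

def flag_structuring(txns):
    """Customers with >= STRUCTURING_MIN_COUNT transfers just below the threshold in one window."""
    flags, by_customer = {}, defaultdict(list)
    for t in txns:
        if REPORT_THRESHOLD * (1 - STRUCTURING_BAND) <= t.amount < REPORT_THRESHOLD:
            by_customer[t.customer].append(t)
    for group in by_customer.values():
        group.sort(key=lambda t: t.ts)
        for i, first in enumerate(group):
            window = [t for t in group[i:] if t.ts - first.ts <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                flags.update({t.id: "structuring: repeated transfers just below threshold" for t in window})
    return flags

def flag_rapid_hops(txns):
    """Chains where each hop's destination forwards the funds on within HOP_WINDOW."""
    flags, outgoing = {}, defaultdict(list)
    for t in txns:
        outgoing[t.src].append(t)
    for start in txns:
        chain, cur = [start], start
        while True:
            nxt = [t for t in outgoing[cur.dst]
                   if timedelta(0) <= t.ts - cur.ts <= HOP_WINDOW and t not in chain]
            if not nxt:
                break
            cur = min(nxt, key=lambda t: t.ts)  # follow the earliest onward transfer
            chain.append(cur)
        if len(chain) >= HOP_MIN_LENGTH:
            flags.update({t.id: "rapid movement: funds hopped through multiple wallets" for t in chain})
    return flags

def flag_sanctioned(txns):
    """Either side of the transfer matches the denylist."""
    return {t.id: "sanctioned counterparty address" for t in txns if {t.src, t.dst} & SANCTIONED}

def review_queue(txns):
    """Merge every rule hit into one reasons-per-transaction map for manual review."""
    queue = defaultdict(list)
    for rule in (flag_structuring, flag_rapid_hops, flag_sanctioned):
        for tid, reason in rule(txns).items():
            queue[tid].append(reason)
    return dict(queue)
```

Every hit lands in the queue with its reason rather than triggering a filing directly, matching the manual-review step the text describes.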

Tipping-Off Prohibitions

Tipping-off is the act of disclosing to a customer or third party that a SAR/STR has been filed or that a suspicious activity investigation is underway. Tipping-off is a criminal offense in most jurisdictions. Article 39 of AMLD6 prohibits any person subject to AML/CTF obligations from disclosing the existence or content of a SAR to the customer concerned or to any third party. Violations carry criminal penalties, including imprisonment.

The prohibition creates operational challenges. Customer-facing staff are trained to avoid inadvertent disclosure — for example, explaining account freezes or transaction delays without referencing the SAR filing. Internal information barriers restrict SAR-related data to the compliance function and senior management.

Exceptions exist for disclosures between obliged entities within the same group, between obliged entities involved in the same transaction, and between professionals (lawyers, auditors) subject to professional secrecy obligations. Disclosures to supervisory authorities and law enforcement are always permitted and required.

How Do Crypto Businesses Build an AML Compliance Program?

To build an effective AML compliance program, crypto businesses implement 5 foundational pillars recognized by regulators worldwide. FinCEN, the FCA, and ESMA all evaluate AML programs against these 5 structural elements during supervisory examinations.

1. Develop written AML/CTF policies and procedures

The compliance manual documents all AML/CTF policies: CDD procedures for each customer type, transaction monitoring rules and thresholds, SAR/STR filing procedures, sanctions screening protocols, and record-keeping requirements. Policies are approved by senior management and reviewed annually.

2. Appoint a designated compliance officer

A named Money Laundering Reporting Officer (MLRO) or Chief Compliance Officer holds direct responsibility for AML/CTF compliance. The compliance officer maintains sufficient authority, independence, and access to resources. AMLD6 requires the compliance officer to report directly to the management body.

3. Implement a risk-based employee training program

All employees receive AML/CTF training upon hiring and at least annually thereafter. Training covers red flag recognition, SAR filing obligations, tipping-off prohibitions, and sanctions awareness. Front-line staff receive role-specific training on CDD procedures and suspicious activity escalation.

4. Conduct independent testing and audit

An independent party — internal audit or an external firm — tests the AML program annually. The audit evaluates the effectiveness of policies, the adequacy of transaction monitoring, the quality of SAR filings, and the accuracy of risk assessments. Findings are reported to senior management with remediation timelines.

5. Perform enterprise-wide risk assessment

A documented risk assessment identifies and evaluates the money laundering and terrorist financing risks specific to the business. The assessment considers products and services offered, customer types served, geographic exposure, transaction channels, and delivery mechanisms. Risk ratings inform the calibration of CDD levels and monitoring thresholds.

The 5-pillar framework is not optional. Regulatory examinations assess each pillar independently. A deficiency in any single pillar — for example, outdated training or an untested monitoring system — constitutes a program violation regardless of the strength of the remaining pillars. Enforcement actions by FinCEN, the FCA, and EU national authorities consistently cite pillar deficiencies as the basis for penalties.

What AML Record-Keeping Requirements Apply to Crypto?

AML record-keeping requirements mandate the retention of all customer due diligence documentation, transaction records, and SAR/STR filings for a minimum of 5 years. The 5-year retention period is the global baseline established by FATF Recommendation 11. Certain jurisdictions impose longer periods — the US BSA requires 5 years for most records but 7 years for SAR supporting documentation retained by some financial institutions.

Transaction records include 7 minimum data elements: the date of the transaction, the amount and denomination (crypto-asset type), the wallet addresses of both originator and beneficiary, the identity of the customer initiating the transaction, the identity of the counterparty (where known), the nature or purpose of the transaction, and the exchange rate applied at the time of execution.

CDD records encompass all documents collected during customer identification and verification: copies of identity documents, beneficial ownership declarations, source of funds documentation, risk assessments, and records of any EDD measures applied. Records of the business relationship — including correspondence, account opening forms, and product agreements — are retained alongside CDD documentation.

SAR/STR records receive the highest protection. The filing itself, all supporting documentation (transaction analysis, internal memoranda, escalation records), and the determination rationale are preserved in a secure, access-controlled repository. Records are not disclosed to the customer and are made available to law enforcement and supervisory authorities upon request.

The connection between AML record-keeping and the crypto subledger is direct. A subledger that records every transaction with full counterparty data, timestamps, asset classifications, and cost basis calculations provides the documentary foundation for AML record-keeping. Subledger entries serve as the authoritative transaction record during regulatory examinations and law enforcement inquiries.

Retention periods commence from the date of the transaction for transaction records and from the end of the business relationship for CDD documentation. Automated retention policies with scheduled destruction dates prevent both premature deletion and indefinite retention — the latter creating data protection conflicts under GDPR and similar privacy frameworks.

How Does AML/CTF Interact with MiCA and VASP Registration?

To operate legally in the EU, a crypto-asset service provider obtains MiCA authorization from a national competent authority. The MiCA authorization process evaluates AML/CTF compliance as a prerequisite condition. Article 62 of MiCA explicitly requires applicants to demonstrate compliance with AMLD6, including the existence of adequate internal AML/CTF policies, a designated MLRO, and a risk-based approach to customer due diligence.

MiCA authorization and AML/CTF obligations are structurally linked. A CASP authorized under MiCA automatically qualifies as an obliged entity under AMLD6. The dual status means that AML/CTF supervisory authorities — national FIUs, national AML supervisors, and (from 2028) AMLA — exercise jurisdiction over the same entity that the NCA supervises for MiCA prudential requirements. Coordination between MiCA supervisors and AML supervisors follows protocols established in AMLA’s supervisory cooperation framework.

The Anti-Money Laundering Authority (AMLA) introduces a third supervisory layer. AMLA, headquartered in Frankfurt, commenced operations in 2025 with a mandate to directly supervise up to 40 high-risk obliged entities across the EU financial sector. Selected CASPs — those assessed as presenting the highest money laundering or terrorist financing risk based on cross-border activity, transaction volumes, and risk exposure — transition from national AML supervision to AMLA direct supervision in 2028.

National VASP registration regimes served as the primary AML/CTF gateway for crypto businesses before MiCA. Jurisdictions including France (PSAN registration), Germany (BaFin crypto custody license), and the Netherlands (DNB registration) required AML/CTF compliance as a condition of registration. MiCA replaced these national registration regimes with a unified EU framework, but the underlying AML/CTF requirements carried over in full — and in many cases were strengthened.

The interaction extends to enforcement. AML/CTF violations by a MiCA-authorized CASP trigger consequences under both frameworks. The AML supervisor imposes penalties under AMLD6 (up to 10% of annual turnover or EUR 1 million minimum). The MiCA supervisor independently assesses whether the AML violation constitutes a breach of MiCA authorization conditions, potentially leading to suspension or revocation of the CASP license. Dual enforcement creates compounding regulatory risk for non-compliant operators.

Record-keeping obligations under AML/CTF and MiCA converge on the same infrastructure requirement. MiCA Article 68 mandates 5-year retention of all transaction and order records. AMLD6 mandates 5-year retention of CDD and transaction records. A unified audit preparation process that addresses both frameworks simultaneously eliminates duplication and ensures consistent documentation across regulatory examinations.
