AML Program Design for Crypto Businesses

2026-04-18 · Web3 Compliance AI

The Regulatory Foundation

Every jurisdiction that regulates crypto requires VASPs to maintain an AML/CFT program. The FATF Recommendations provide the global baseline, but your program must satisfy the specific requirements of each jurisdiction where you operate.

| Jurisdiction | Primary AML Legislation | Regulator | Key Requirements |
|---|---|---|---|
| United States | Bank Secrecy Act (BSA) | FinCEN | MSB registration, SAR filing, CTR filing ($10,000+), Travel Rule ($3,000+) |
| EU | AMLD6, MiCA, Transfer of Funds Regulation | National Competent Authorities, EBA | CASP AML program, Travel Rule (no threshold), risk-based approach |
| United Kingdom | Money Laundering Regulations 2017, POCA 2002 | FCA | Registration, SAR filing to NCA (UKFIU), Travel Rule (no threshold) |
| Singapore | Payment Services Act 2019, CDSA | MAS | MPI license, PSN02 AML/CFT notice, Travel Rule (SGD 1,500+) |
| Canada | PCMLTFA | FINTRAC | MSB registration, STR filing, large transaction reports ($10,000 CAD+) |
| Japan | Act on Prevention of Transfer of Criminal Proceeds | JFSA, JVCEA | CAESP registration, STR filing, Travel Rule compliance |
| Hong Kong | AMLO (Part 5B), Drug Trafficking Ordinance | SFC, HKMA | VATP license, STR filing, customer due diligence |
| UAE | Federal AML Law, VARA regulations | SCA, VARA, ADGM FSRA | VASP license, STR filing, Travel Rule (AED 3,500+) |

The table above shows minimum requirements. In practice, you must read the specific regulations, guidance notes, and enforcement actions in each jurisdiction where you operate. The rest of this guide walks through building a program that satisfies these requirements.

Five Pillars of an AML Program

1. Written Policies and Procedures

Your AML policy document must cover every operational aspect of your compliance program. This is not a template exercise — regulators will test whether your policies reflect your actual business model, products, customer base, and risk profile.

Required policy components:

  • Customer Identification Program (CIP) — How you verify customer identity at onboarding. Acceptable documents, verification methods (manual vs. automated), and exception handling.
  • Customer Due Diligence (CDD) procedures — Standard CDD, Enhanced Due Diligence (EDD) triggers and procedures, Simplified Due Diligence (SDD) criteria where permitted.
  • Beneficial ownership identification — How you identify and verify ultimate beneficial owners (UBOs) for entity customers. The EU requires identifying all persons holding 25%+ ownership; the US requires 25%+ under the CDD Rule (31 CFR 1010.230).
  • Risk assessment methodology — Customer risk scoring model, transaction risk indicators, geographic risk factors, product risk assessment.
  • Transaction monitoring rules — Specific rules, thresholds, and scenarios. How alerts are generated, triaged, investigated, and resolved.
  • Suspicious Activity Reporting (SAR/STR) — Filing criteria, internal escalation process, regulatory timeframes, and record-keeping requirements.
  • Sanctions screening protocols — Lists screened, screening frequency, fuzzy matching parameters, alert handling, blocking and rejection procedures.
  • Travel Rule procedures — Data collection requirements, counterparty VASP verification, handling of failed exchanges, record-keeping.
  • Record-keeping requirements — Retention periods (minimum five years), storage requirements, retrieval capabilities.
  • Escalation procedures — When and how to escalate issues to senior management, the board, or regulators.

Practical tip: Write your policies in plain language. Regulators test whether staff understand and follow the policies. A 200-page policy that nobody reads is worse than a 30-page policy that everyone follows.

2. Designated Compliance Officer

Appoint a qualified AML Compliance Officer (often called MLRO in the UK and EU) with direct reporting to senior management or the board.

Regulatory requirements for the compliance officer:

  • Authority — Must be able to make decisions independently of the business line. Cannot be overruled by sales or product teams on compliance matters.
  • Access — Full access to all customer data, transaction records, and business information needed to perform the role.
  • Resources — Sufficient staff, budget, and technology to run the compliance program effectively.
  • Regulatory approval — In many jurisdictions (including the EU under MiCA, Singapore under PSA, and UAE under VARA), the compliance officer must be individually approved by the regulator through a fit-and-proper assessment.
  • Seniority — In the US, FinCEN expects the compliance officer to be a senior employee. Under MiCA, the compliance function must report to the management body.

Compensation benchmark: Experienced crypto compliance officers command USD 150,000-300,000+ depending on jurisdiction and seniority. Underpaying leads to underqualified hires or rapid turnover — both create regulatory risk. See our Building a Compliance Team Guide for detailed hiring guidance.

3. Risk Assessment

Conduct a business-wide risk assessment covering five dimensions. This assessment drives every other element of your AML program — it determines your CDD tiers, monitoring rules, and resource allocation.

Customer risk factors:

  • Customer type (individual, corporate, trust, fund)
  • Source of wealth and source of funds
  • PEP status (domestic and foreign politically exposed persons, family members, close associates)
  • Adverse media and prior enforcement history
  • Sanctions list presence
  • Occupation and industry sector

Product and service risk factors:

  • Privacy coins and mixing services (highest risk)
  • Cross-chain bridges and DeFi protocol interactions
  • Peer-to-peer transfers vs. exchange-mediated
  • Fiat on/off ramp activity
  • Custody vs. non-custody services
  • NFT and token launch facilitation

Geographic risk factors:

  • FATF grey list jurisdictions (increased monitoring) — currently includes Nigeria, South Africa, Turkey, and others
  • FATF black list jurisdictions (high-risk, call for action) — currently Myanmar, Iran, North Korea
  • OFAC comprehensively sanctioned countries — Cuba, Iran, North Korea, Syria, Crimea region
  • Jurisdictions with weak AML supervision or high corruption indices
  • Tax haven jurisdictions

Delivery channel risk factors:

  • Non-face-to-face onboarding (standard for crypto, but higher risk than in-person)
  • Third-party introducers and white-label arrangements
  • API-only access without standard KYC flows

Transaction risk factors:

  • Large or rapid transfers inconsistent with customer profile
  • Structuring patterns (just-below-threshold transactions)
  • Transactions involving high-risk jurisdictions
  • Transactions with newly created wallets
  • Patterns consistent with layering (rapid movement across multiple wallets)

Update frequency: At least annually and whenever your business model changes materially (new products, new jurisdictions, significant growth in customer base).

4. Customer Due Diligence (CDD)

Implement a tiered CDD approach calibrated to your risk assessment.

Simplified Due Diligence (SDD):

  • Permitted in some jurisdictions for demonstrably low-risk customers
  • Reduced verification requirements (e.g., name and date of birth only)
  • Lower ongoing monitoring frequency
  • Not permitted under US BSA — all customers require full CDD
  • Under MiCA, SDD is available only where the risk assessment justifies it

Standard CDD — required for all customers:

  1. Identity verification — Full legal name, date of birth, residential address. Verify against government-issued photo ID. Use electronic verification where possible with manual fallback.
  2. Beneficial ownership identification — For entity customers, identify all UBOs above the applicable threshold (25% in the EU and US).
  3. Purpose and intended nature of the business relationship — Document why the customer is using your service and expected transaction patterns.
  4. Source of funds — For transfers above certain thresholds, establish where the funds originate.
  5. Ongoing monitoring — Continuous transaction monitoring against the customer's established profile.

Enhanced Due Diligence (EDD) — required for high-risk customers:

  • PEPs — Senior management approval to establish the relationship. Establish source of wealth and source of funds. Enhanced ongoing monitoring.
  • High-risk jurisdictions — Additional documentation, more frequent reviews, enhanced monitoring.
  • Complex ownership structures — Trace ownership through multiple layers. Document the rationale for accepting the relationship.
  • Unusual transaction patterns — When transactions deviate significantly from the customer's profile.

Ongoing CDD review schedule:

| Risk Tier | Review Frequency | Trigger Events |
|---|---|---|
| High risk | Every 12 months | Any SAR filing, adverse media, sanctions hit |
| Medium risk | Every 24 months | Significant change in transaction pattern |
| Low risk | Every 36-60 months | Material change in customer profile |
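The risk assessment in pillar 3 and the review schedule above only work together if the scoring model is explicit and auditable. The following is an added example (written for this page, not code from the guide or from Web3 Compliance AI) of a customer risk scoring model with mandatory overrides, mapped to the review intervals in the table. The FATF list membership comes from the guide's geographic risk factors; the weights, score cut-offs, product list and sample customers are assumptions constructed for the example, and the low tier's 36-60 month range is taken at its shortest.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Reference sets from the guide's geographic risk factors. Weights, cut-offs and
# the product list are assumptions for this example; a real program documents
# its own in the risk assessment methodology.
FATF_BLACK_LIST = {"IR", "KP", "MM"}          # Iran, North Korea, Myanmar
FATF_GREY_LIST = {"NG", "ZA", "TR"}           # Nigeria, South Africa, Turkey (per guide)
HIGH_RISK_PRODUCTS = {"privacy_coin", "mixer", "bridge", "defi"}
HIGH_TIER_MIN_SCORE = 6
MEDIUM_TIER_MIN_SCORE = 3
# Review intervals from the guide's schedule (low tier: shortest of 36-60 months).
REVIEW_INTERVAL_MONTHS = {"high": 12, "medium": 24, "low": 36}


@dataclass
class Customer:
    customer_id: str
    customer_type: str            # individual, corporate, trust, fund
    country: str                  # ISO 3166-1 alpha-2
    is_pep: bool = False
    adverse_media: bool = False
    sanctions_hit: bool = False
    high_risk_occupation: bool = False
    products: set = field(default_factory=set)
    non_face_to_face: bool = True
    third_party_introducer: bool = False


def risk_score(c):
    """Additive score over the guide's customer, product, geographic and delivery
    channel factors. Returns (score, reasons) so the rationale is auditable."""
    score, reasons = 0, []

    def add(points, reason):
        nonlocal score
        score += points
        reasons.append(f"+{points} {reason}")

    if c.customer_type in ("trust", "fund"):
        add(2, "opaque entity type")
    elif c.customer_type == "corporate":
        add(1, "corporate customer")
    if c.country in FATF_BLACK_LIST:
        add(5, "FATF black-list jurisdiction")
    elif c.country in FATF_GREY_LIST:
        add(2, "FATF grey-list jurisdiction")
    if c.is_pep:
        add(3, "politically exposed person")
    if c.adverse_media:
        add(2, "adverse media")
    if c.high_risk_occupation:
        add(1, "high-risk occupation")
    for p in sorted(c.products & HIGH_RISK_PRODUCTS):
        add(2, f"high-risk product: {p}")
    if c.non_face_to_face:
        add(1, "non-face-to-face onboarding")
    if c.third_party_introducer:
        add(1, "third-party introducer")
    return score, reasons


def risk_tier(c):
    """Mandatory overrides first (a sanctions hit blocks onboarding; PEPs and
    black-list jurisdictions are always high risk), then the numeric score."""
    if c.sanctions_hit:
        return "blocked"
    score, _ = risk_score(c)
    if c.is_pep or c.country in FATF_BLACK_LIST or score >= HIGH_TIER_MIN_SCORE:
        return "high"
    if score >= MEDIUM_TIER_MIN_SCORE:
        return "medium"
    return "low"


def add_months(d, months):
    """Calendar-correct month arithmetic, clamping the day to the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_review_date(c, last_review):
    """Due date of the next periodic CDD review for the customer's tier."""
    tier = risk_tier(c)
    if tier == "blocked":
        return None
    return add_months(last_review, REVIEW_INTERVAL_MONTHS[tier])


# Constructed sample customers (not real data).
SAMPLE_CUSTOMERS = [
    Customer("c1", "individual", "DE", is_pep=True),
    Customer("c2", "corporate", "GB", products={"bridge"}),
    Customer("c3", "individual", "FR"),
    Customer("c4", "individual", "US", sanctions_hit=True),
]

if __name__ == "__main__":
    for c in SAMPLE_CUSTOMERS:
        score, reasons = risk_score(c)
        print(c.customer_id, risk_tier(c), score, reasons,
              next_review_date(c, date(2026, 4, 18)))
```

The override rules run before the additive score on purpose: a PEP or a sanctions hit must never be averaged away by otherwise clean factors, and the `reasons` list gives an examiner the rationale behind each tier without re-running the model.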

5. Ongoing Monitoring and Reporting

Transaction monitoring must be continuous, not periodic. For crypto businesses, this means combining traditional rule-based monitoring with blockchain analytics.

Rule-based monitoring scenarios:

  • Transactions above CTR thresholds (USD 10,000 in the US, CAD 10,000 in Canada)
  • Transactions just below reporting thresholds (structuring detection)
  • Rapid movement of funds through the platform (deposit and quick withdrawal)
  • Transactions involving high-risk jurisdictions
  • Transactions inconsistent with the customer's profile or stated purpose
  • Multiple accounts linked to the same individual or device
  • Dormant accounts with sudden large-volume activity
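Four of the scenarios above (CTR threshold, structuring, rapid movement, high-risk jurisdictions) can be expressed as deterministic rules over a transaction ledger. The following is an added example (written for this page, not code from the guide or from Web3 Compliance AI) that runs such rules over a constructed set of transactions and emits alerts for human investigation. The USD 10,000 threshold and the FATF black-list jurisdictions are the guide's; the structuring band, time windows, withdrawal ratio and sample transactions are assumptions chosen for the example, and a real program would calibrate them in its risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule parameters. USD 10,000 is the US CTR threshold the guide cites; the other
# values are assumptions for this example, not regulatory figures.
CTR_THRESHOLD_USD = 10_000.0
STRUCTURING_BAND_USD = (9_000.0, CTR_THRESHOLD_USD)   # "just below threshold"
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 2
RAPID_MOVEMENT_WINDOW = timedelta(hours=24)
RAPID_MOVEMENT_RATIO = 0.9          # withdrawals >= 90% of a deposit in the window
HIGH_RISK_JURISDICTIONS = {"IR", "KP", "MM"}   # FATF black list per the guide


@dataclass(frozen=True)
class Tx:
    tx_id: str
    customer_id: str
    ts: datetime
    kind: str            # "deposit" or "withdrawal"
    amount_usd: float
    country: str         # ISO 3166-1 alpha-2 code of the counterparty jurisdiction


@dataclass(frozen=True)
class Alert:
    rule: str
    customer_id: str
    tx_ids: tuple
    detail: str


def _by_customer(txs):
    """Group transactions per customer, each group sorted by timestamp."""
    groups = defaultdict(list)
    for tx in txs:
        groups[tx.customer_id].append(tx)
    for lst in groups.values():
        lst.sort(key=lambda t: t.ts)
    return groups


def rule_ctr(txs):
    """Single transaction at or above the CTR threshold."""
    return [Alert("ctr", t.customer_id, (t.tx_id,),
                  f"amount {t.amount_usd:,.2f} >= {CTR_THRESHOLD_USD:,.0f}")
            for t in txs if t.amount_usd >= CTR_THRESHOLD_USD]


def _structuring_alert(cust, cluster):
    total = sum(t.amount_usd for t in cluster)
    if len(cluster) >= STRUCTURING_MIN_COUNT and total >= CTR_THRESHOLD_USD:
        return Alert("structuring", cust, tuple(t.tx_id for t in cluster),
                     f"{len(cluster)} just-below-threshold transactions totalling {total:,.2f}")
    return None


def rule_structuring(txs):
    """Several just-below-threshold transactions by one customer inside the window
    whose total crosses the threshold. Clusters are non-overlapping: a cluster
    closes when the next candidate falls outside the window of its first member."""
    lo, hi = STRUCTURING_BAND_USD
    alerts = []
    for cust, lst in _by_customer(txs).items():
        cluster = []
        for t in lst:
            if not (lo <= t.amount_usd < hi):
                continue
            if cluster and t.ts - cluster[0].ts > STRUCTURING_WINDOW:
                a = _structuring_alert(cust, cluster)
                if a:
                    alerts.append(a)
                cluster = []
            cluster.append(t)
        a = _structuring_alert(cust, cluster)
        if a:
            alerts.append(a)
    return alerts


def rule_rapid_movement(txs):
    """Deposit followed by withdrawals of most of its value within the window."""
    alerts = []
    for cust, lst in _by_customer(txs).items():
        withdrawals = [t for t in lst if t.kind == "withdrawal"]
        for d in (t for t in lst if t.kind == "deposit"):
            out = [w for w in withdrawals if d.ts < w.ts <= d.ts + RAPID_MOVEMENT_WINDOW]
            moved = sum(w.amount_usd for w in out)
            if out and moved >= RAPID_MOVEMENT_RATIO * d.amount_usd:
                alerts.append(Alert("rapid_movement", cust,
                                    (d.tx_id,) + tuple(w.tx_id for w in out),
                                    f"{moved:,.2f} of {d.amount_usd:,.2f} withdrawn within "
                                    f"{RAPID_MOVEMENT_WINDOW}"))
    return alerts


def rule_high_risk_jurisdiction(txs):
    """Any transaction whose counterparty jurisdiction is on the high-risk list."""
    return [Alert("high_risk_jurisdiction", t.customer_id, (t.tx_id,),
                  f"counterparty jurisdiction {t.country}")
            for t in txs if t.country in HIGH_RISK_JURISDICTIONS]


RULES = (rule_ctr, rule_structuring, rule_rapid_movement, rule_high_risk_jurisdiction)


def run_monitoring(txs):
    """Run every rule; alerts go to an analyst queue, never auto-cleared."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(txs))
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample ledger (not real data).
SAMPLE_TXS = [
    Tx("t01", "cust-A", _t("2026-04-01T10:00"), "deposit", 15_000.0, "US"),     # CTR
    Tx("t02", "cust-B", _t("2026-04-01T09:00"), "deposit", 9_500.0, "US"),      # structuring
    Tx("t03", "cust-B", _t("2026-04-01T14:00"), "deposit", 9_700.0, "US"),
    Tx("t04", "cust-B", _t("2026-04-01T20:00"), "deposit", 9_800.0, "US"),
    Tx("t05", "cust-C", _t("2026-04-02T08:00"), "deposit", 5_000.0, "GB"),      # rapid movement
    Tx("t06", "cust-C", _t("2026-04-02T11:00"), "withdrawal", 4_800.0, "GB"),
    Tx("t07", "cust-D", _t("2026-04-02T09:30"), "deposit", 2_000.0, "IR"),      # high-risk
    Tx("t08", "cust-E", _t("2026-04-03T12:00"), "deposit", 3_000.0, "DE"),      # no alert
    Tx("t09", "cust-E", _t("2026-04-06T12:00"), "withdrawal", 500.0, "DE"),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_TXS):
        print(f"[{a.rule}] {a.customer_id} {a.tx_ids}: {a.detail}")
```

Each alert carries the transaction ids and a one-line rationale so the analyst can triage without re-querying the ledger; the rules deliberately produce alerts only, leaving clearing and escalation to qualified human review as the guide's pitfall 2 requires.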

Blockchain analytics monitoring:

  • Wallet risk scoring on deposits — flag wallets with exposure to sanctioned entities, darknet markets, ransomware, or mixers
  • Counterparty risk assessment — assess the risk profile of counterparty wallets
  • Cluster analysis — identify related wallets and patterns
  • Real-time sanctions screening of on-chain addresses

SAR/STR filing requirements by jurisdiction:

| Jurisdiction | Filing Deadline | Filing Method | Threshold |
|---|---|---|---|
| US (FinCEN) | 30 days from detection | BSA E-Filing | Suspicious, no dollar minimum |
| UK (NCA/UKFIU) | As soon as practicable | SAR Online | Suspicious, no dollar minimum |
| Singapore (STRO) | As soon as practicable | SONAR system | Suspicious, no dollar minimum |
| Canada (FINTRAC) | 30 days | FINTRAC reporting | Suspicious, no dollar minimum |
| EU member states | Varies by member state | National FIU portal | Suspicious, no dollar minimum |

Critical rule: Never tip off the customer. In most jurisdictions, disclosing that a SAR has been or will be filed is a criminal offense (tipping-off prohibition).

Crypto-Specific Considerations

Traditional AML programs were designed for bank accounts and wire transfers. Crypto introduces unique challenges that your program must address explicitly.

Blockchain analytics tools are mandatory, not optional. Regulators expect them. Leading providers include Chainalysis (KYT and Reactor), Elliptic (Lens and Navigator), and TRM Labs. These tools provide:

  • Wallet risk scoring before processing transactions
  • Transaction tracing through multiple hops
  • Exposure analysis to sanctioned entities, darknet markets, mixers, and ransomware
  • Cluster analysis linking related addresses
  • Real-time alerts when counterparty wallets are newly designated

Unhosted wallet transfers require special procedures. When a customer sends to or receives from a self-custodied wallet, you cannot verify the counterparty through a VASP directory. Many jurisdictions (including the EU under the Transfer of Funds Regulation) require additional verification steps for unhosted wallet transfers above certain thresholds — including proof of wallet ownership.

DeFi interactions create monitoring challenges. When customers bridge assets to DeFi protocols, your visibility into subsequent transactions decreases. Document how your monitoring program handles DeFi exposure and what risk mitigation measures you apply.

Training

All staff must receive AML training at onboarding and at least annually. Tailor training to job functions:

  • Front-line staff (KYC, customer support): Red flag recognition, escalation procedures, tipping-off prohibition
  • Transaction monitoring analysts: Alert investigation, SAR drafting, blockchain analytics tools
  • Senior management and board: Regulatory obligations, program governance, personal liability
  • Engineering/product teams: Privacy and data handling requirements, building compliance into product design

Document all training: dates, attendees, content covered, assessment results. Regulators review training records during examinations.

Independent Testing

Your AML program must be independently tested at least annually — either by internal audit (if sufficiently independent) or an external firm with AML expertise.

Testing scope:

  • Policy adequacy — Are policies comprehensive and current?
  • Policy adherence — Are staff following the policies?
  • Monitoring effectiveness — Are rules detecting the right activity? Sample-test cleared alerts and escalated cases.
  • SAR quality — Are SARs well-written and filed on time?
  • Technology effectiveness — Are screening and monitoring tools performing as expected?
  • Training adequacy — Is training comprehensive and current?

Output: A written report with findings, risk ratings, and remediation recommendations. Track remediation to closure. Share results with senior management and the board.

Common Pitfalls

  1. Generic policies — Copying a template AML policy without customizing it to your business model. Regulators will immediately identify this during an examination.
  2. Over-reliance on automation — Automated monitoring generates alerts. Humans must investigate them. Never auto-clear alerts without qualified human review.
  3. Ignoring blockchain analytics — Name screening alone is not sufficient for crypto. Regulators expect on-chain transaction analysis.
  4. Delayed SAR filing — In the US, 30 days means 30 days. Late filings are themselves violations.
  5. Inadequate record-keeping — If you cannot produce complete records during a regulatory examination, expect findings and potential enforcement action.
  6. Compliance officer without authority — A compliance officer who can be overruled by the business is not a compliance officer. Regulators test this.

Resources