AML Program Design for Crypto Businesses
The Regulatory Foundation
Every jurisdiction that regulates crypto requires VASPs to maintain an AML/CFT program. The FATF Recommendations provide the global baseline, but your program must satisfy the specific requirements of each jurisdiction where you operate. In the US, this means the Bank Secrecy Act (BSA) and FinCEN regulations; in the EU, it means the Anti-Money Laundering Directives (AMLD) and now MiCA. Each mandates specific program elements.
Five Pillars of an AML Program
1. Written Policies and Procedures
Your AML policy document must cover: customer identification and verification procedures, risk assessment methodology, transaction monitoring rules, suspicious activity reporting procedures, sanctions screening protocols, record-keeping requirements, and escalation procedures. This is not a template exercise — your policies must reflect your actual business model, products, customer base, and risk profile.
2. Designated Compliance Officer
Appoint a qualified AML Compliance Officer with direct reporting to senior management or the board. This person must have authority to make decisions independently of the business line, access to all necessary information, and sufficient resources (staff and technology). In many jurisdictions, the compliance officer must be individually approved by the regulator.
3. Risk Assessment
Conduct a business-wide risk assessment covering: customer risk (who are your customers?), product/service risk (which products are higher risk?), geographic risk (which jurisdictions are involved?), delivery channel risk (how do customers interact with you?), and transaction risk (what patterns indicate potential ML/TF?). Update this assessment at least annually and whenever your business model changes materially.
4. Customer Due Diligence (CDD)
Implement a tiered CDD approach:
- Simplified Due Diligence (SDD) — For demonstrably low-risk customers in jurisdictions that permit it.
- Standard CDD — Identity verification, beneficial ownership identification, purpose of the business relationship.
- Enhanced Due Diligence (EDD) — For high-risk customers including PEPs, customers from high-risk jurisdictions, complex ownership structures, and unusual transaction patterns. EDD means more information, more frequent reviews, and senior management sign-off.
5. Ongoing Monitoring and Reporting
Transaction monitoring must be continuous, not periodic. Implement automated rules and alerts for: transactions above reporting thresholds, structuring patterns, rapid movement of funds, transactions involving high-risk jurisdictions, and behavior inconsistent with the customer's profile. When monitoring triggers an alert, investigate promptly. File Suspicious Activity Reports (SARs) within the required timeframe — typically within 30 days of detecting the suspicious activity.
Crypto-Specific Considerations
Blockchain analytics tools are essential for crypto AML programs. They provide: wallet risk scoring, transaction tracing, exposure to sanctioned entities or darknet markets, and cluster analysis. Integrate these tools directly into your transaction monitoring workflow — do not rely on manual checks.
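The following is an added example, not code from the original page or from any vendor, showing how the monitoring rules listed under "Ongoing Monitoring and Reporting" and the analytics integration described above can be expressed as a rule engine that runs over a batch of transactions. The thresholds, window sizes, the placeholder jurisdiction codes "XX" and "YY", and the 0-100 wallet risk score are all assumptions; the score stands in for whatever your blockchain analytics tool returns for a counterparty wallet, and the sample transactions and customer profiles are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed parameters: real thresholds, jurisdiction lists and score cut-offs
# come from your own risk assessment and your regulator, not from this file.
REPORTING_THRESHOLD = 10_000.0          # e.g. the US CTR threshold, in USD
STRUCTURING_LOWER_BOUND = 0.8           # "just under" = 80-100 % of the threshold
STRUCTURING_MIN_COUNT = 3
STRUCTURING_WINDOW = timedelta(hours=24)
RAPID_MOVEMENT_WINDOW = timedelta(hours=2)
RAPID_MOVEMENT_RATIO = 0.9              # outflows >= 90 % of an inflow
PROFILE_DEVIATION_MULTIPLIER = 5.0      # amount vs the customer's expected size
HIGH_RISK_JURISDICTIONS = {"XX", "YY"}  # placeholder codes, not a real list
WALLET_RISK_CUTOFF = 75                 # assumed 0-100 score from an analytics tool

@dataclass
class Transaction:
    tx_id: str
    customer_id: str
    timestamp: datetime
    amount_usd: float
    direction: str              # "in" or "out"
    jurisdiction: str           # counterparty jurisdiction
    wallet_risk_score: int = 0  # assumed analytics score for the counterparty wallet

@dataclass
class Alert:
    rule: str
    customer_id: str
    tx_ids: list

def rule_threshold(txs, profiles):
    return [Alert("threshold", t.customer_id, [t.tx_id])
            for t in txs if t.amount_usd >= REPORTING_THRESHOLD]

def rule_structuring(txs, profiles):
    """Three or more just-under-threshold transactions by one customer within 24 h."""
    lower = REPORTING_THRESHOLD * STRUCTURING_LOWER_BOUND
    by_customer = defaultdict(list)
    for t in sorted(txs, key=lambda x: x.timestamp):
        if lower <= t.amount_usd < REPORTING_THRESHOLD:
            by_customer[t.customer_id].append(t)
    alerts = []
    for cid, cand in by_customer.items():
        for i, first in enumerate(cand):
            window = [t for t in cand[i:] if t.timestamp - first.timestamp <= STRUCTURING_WINDOW]
            if len(window) >= STRUCTURING_MIN_COUNT:
                alerts.append(Alert("structuring", cid, [t.tx_id for t in window]))
                break  # one alert per customer keeps the analyst queue readable
    return alerts

def rule_rapid_movement(txs, profiles):
    """An inflow followed by outflows that move most of it on within the window."""
    alerts = []
    for inflow in (t for t in txs if t.direction == "in"):
        outs = [t for t in txs if t.customer_id == inflow.customer_id and t.direction == "out"
                and timedelta(0) <= t.timestamp - inflow.timestamp <= RAPID_MOVEMENT_WINDOW]
        if outs and sum(t.amount_usd for t in outs) >= RAPID_MOVEMENT_RATIO * inflow.amount_usd:
            alerts.append(Alert("rapid_movement", inflow.customer_id,
                                [inflow.tx_id] + [t.tx_id for t in outs]))
    return alerts

def rule_high_risk_jurisdiction(txs, profiles):
    return [Alert("high_risk_jurisdiction", t.customer_id, [t.tx_id])
            for t in txs if t.jurisdiction in HIGH_RISK_JURISDICTIONS]

def rule_profile_deviation(txs, profiles):
    """Transaction far larger than the size the customer's profile says to expect."""
    return [Alert("profile_deviation", t.customer_id, [t.tx_id])
            for t in txs if t.amount_usd > PROFILE_DEVIATION_MULTIPLIER * profiles[t.customer_id]]

def rule_wallet_risk(txs, profiles):
    """Counterparty wallet scored high-risk by the (assumed) analytics integration."""
    return [Alert("wallet_risk", t.customer_id, [t.tx_id])
            for t in txs if t.wallet_risk_score >= WALLET_RISK_CUTOFF]

def run_monitoring(txs, profiles):
    """Run every rule over a batch; profiles maps customer_id -> expected tx size in USD."""
    alerts = []
    for rule in (rule_threshold, rule_structuring, rule_rapid_movement,
                 rule_high_risk_jurisdiction, rule_profile_deviation, rule_wallet_risk):
        alerts.extend(rule(txs, profiles))
    return alerts

# Constructed sample batch: one day of activity for three fictional customers.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_TXS = [
    Transaction("t1", "cust-1", T0, 9_500.0, "in", "AA"),
    Transaction("t2", "cust-1", T0 + timedelta(hours=5), 9_800.0, "in", "AA"),
    Transaction("t3", "cust-1", T0 + timedelta(hours=11), 9_200.0, "in", "AA"),
    Transaction("t4", "cust-2", T0, 50_000.0, "in", "AA"),
    Transaction("t5", "cust-2", T0 + timedelta(minutes=30), 48_000.0, "out", "AA"),
    Transaction("t6", "cust-3", T0, 1_000.0, "out", "XX", wallet_risk_score=90),
]
SAMPLE_PROFILES = {"cust-1": 8_000.0, "cust-2": 40_000.0, "cust-3": 100.0}

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE_TXS, SAMPLE_PROFILES):
        print(f"{a.rule:24s} {a.customer_id:8s} {a.tx_ids}")
```

On the sample batch the engine raises seven alerts: two threshold alerts for cust-2's large inflow and outflow plus one rapid-movement alert tying them together, one structuring alert grouping cust-1's three just-under-threshold deposits, and three alerts on cust-3's single transaction (high-risk jurisdiction, profile deviation, wallet risk). Each rule returns the transaction ids it fired on so the alert can be investigated and, where warranted, documented in a SAR; in production the rules would run on a stream rather than a batch, and the wallet score would be fetched from the analytics tool at the point the transaction enters the pipeline rather than being supplied by hand.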
Training
All staff must receive AML training at onboarding and at least annually. Training must cover: recognizing red flags specific to crypto, escalation procedures, regulatory obligations, and consequences of non-compliance. Document all training and maintain attendance records.
Independent Testing
Your AML program must be independently tested — either by internal audit or an external firm — at least annually. The test should assess whether your policies are adequate, whether they are being followed, and whether your monitoring systems are effective.