Getting Started with Crypto Compliance
Why Compliance Matters in Crypto
Operating a crypto business without a compliance framework is not just risky — it is increasingly illegal. Regulators worldwide have moved past the "wait and see" phase. Whether you are running an exchange, a custodial wallet, a DeFi protocol with an identifiable operator, or a stablecoin issuer, you need a compliance program from day one.
The consequences of non-compliance are severe and escalating. FinCEN has fined crypto businesses millions for failing to register as Money Services Businesses. The SEC has pursued enforcement actions against token issuers, exchanges, and lending platforms. The FCA in the UK has rejected approximately 85% of crypto firm registration applications, shutting out firms that cannot demonstrate adequate controls. These are not theoretical risks — they are operational realities.
Identifying Your Regulatory Obligations
Before building anything, map every jurisdiction where you operate or serve customers. Each jurisdiction layers its own requirements:
| Jurisdiction | Primary Regulator | Key License/Registration | Primary Legislation |
|---|---|---|---|
| United States | FinCEN, SEC, CFTC, state regulators | MSB registration + state MTLs | Bank Secrecy Act, state money transmitter laws |
| European Union | National Competent Authorities (BaFin, AMF, CNMV, etc.) | CASP authorization | MiCA Regulation (EU 2023/1114) |
| United Kingdom | FCA | Crypto registration under MLR 2017 | Money Laundering Regulations 2017, FSMA 2023 |
| Singapore | MAS | Major Payment Institution (MPI) license | Payment Services Act 2019 |
| UAE | VARA, SCA, ADGM FSRA | VARA license or ADGM FSP license | Cabinet Resolution 111/2022, VARA regulations |
| Hong Kong | SFC, HKMA | VATP license under AMLO | Anti-Money Laundering Ordinance (Part 5B) |
| Japan | FSA/JFSA, JVCEA | CAESP registration | Payment Services Act (amended 2017, 2020) |
| Canada | FINTRAC, CSA | MSB registration + securities platform registration | PCMLTFA, Staff Notice 21-327 |
Start by identifying which rows apply to your business. If you serve customers in the EU, you need MiCA authorization. If you have US customers, you need FinCEN MSB registration and likely state money transmitter licenses. Most businesses need multiple registrations.
The Five Pillars of Crypto Compliance
A compliant crypto operation rests on five pillars. Each is mandatory in virtually every regulated jurisdiction.
1. Licensing and Registration
Most jurisdictions now require VASPs to register or obtain a license before operating. This is not optional — operating without a license is a criminal offense in many jurisdictions.
Key costs and timelines:
- EU (MiCA): EUR 50,000-150,000 minimum capital depending on service type; 3-6 months processing; legal costs EUR 100,000-300,000
- US (state MTLs): Surety bonds of $10,000-$5,000,000 per state; net worth requirements vary; 3-18 months per state; budget $50,000-150,000 per state in legal and application costs
- Singapore (MPI): SGD 250,000 base capital; 6-12 months processing time
- UK (FCA): No minimum capital for registration, but application costs average GBP 50,000-100,000 in legal fees; 6-12 months processing; high rejection rate (~85%)
See our full VASP Licensing Guide for jurisdiction-by-jurisdiction details.
2. AML/CFT Program
Every licensed crypto business must implement an Anti-Money Laundering and Counter-Financing of Terrorism program. The FATF Recommendations set the global baseline, but each jurisdiction adds specific requirements.
Minimum program elements (required everywhere):
- Written AML/CFT policies and procedures tailored to your business
- Designated compliance officer (MLRO in the UK/EU) with board-level reporting authority
- Business-wide money laundering / terrorist financing risk assessment, updated annually
- Customer Due Diligence (CDD) procedures — identity verification, beneficial ownership, ongoing monitoring
- Transaction monitoring — automated, continuous, with blockchain analytics integration
- Suspicious Activity Reporting (SARs/STRs) — filed within required timeframes (typically 30 days in the US, "as soon as practicable" in the UK)
- Sanctions screening — OFAC SDN List, EU Consolidated List, UN Sanctions List, HMT list
- Staff training — at onboarding and at least annually
- Independent testing — annual audit of the AML program by internal audit or external firm
- Record-keeping — minimum five years for all CDD and transaction records
See our full AML Program Design Guide for detailed implementation steps.
3. Know Your Customer (KYC)
KYC is the operational backbone of your AML program. Implement a tiered approach:
- Simplified Due Diligence (SDD) — Low-risk customers in jurisdictions that permit it. Limited verification, lower monitoring frequency.
- Standard CDD — Identity verification (government ID + proof of address), beneficial ownership identification for entities, purpose of relationship assessment.
- Enhanced Due Diligence (EDD) — Required for politically exposed persons (PEPs), customers from FATF grey/black list jurisdictions, complex ownership structures, and unusually large transactions. EDD means more documentation, more frequent reviews, and senior management approval.
Ongoing obligations: KYC is not a one-time event. Trigger-based and periodic reviews are required. Most jurisdictions expect at least annual review of high-risk customers, with lower-risk customers reviewed every 3-5 years.
4. Travel Rule Compliance
FATF Recommendation 16 requires VASPs to share originator and beneficiary information for crypto transfers. Thresholds vary significantly by jurisdiction:
| Jurisdiction | Threshold | Effective |
|---|---|---|
| United States | $3,000 | Since 2019 (FinCEN clarification) |
| EU | EUR 0 (no threshold) | December 30, 2024 (TFR recast) |
| United Kingdom | GBP 0 (no threshold) | September 2023 |
| Singapore | SGD 1,500 | Under MAS Notice PSN02 |
| Switzerland | CHF 1,000 | FINMA ordinance |
| UAE | AED 3,500 | CBUAE regulation |
You need a technical solution — TRISA, OpenVASP, TRP, or a commercial provider like Notabene — plus counterparty VASP verification procedures. See our Travel Rule Implementation Guide for protocol comparisons and implementation steps.
5. Record-Keeping and Reporting
Regulators expect detailed records maintained for at least five years (often longer). This includes:
- Customer identification and verification records
- Transaction histories (on-chain and off-chain)
- Risk assessments and their periodic updates
- SAR/STR filings and investigation records
- Compliance audit trails and independent testing reports
- Travel Rule data exchanges (successful and failed)
- Training records and attendance logs
Periodic reporting obligations vary by jurisdiction. Many regulators require quarterly or annual returns covering transaction volumes, customer counts, suspicious activity statistics, and compliance program updates.
Building Your Compliance Roadmap
Phase 1: Foundation (Months 1-3)
- Map jurisdictional obligations — List every jurisdiction where you operate or serve customers
- Hire or appoint a compliance officer — This must happen before launch, not after
- Draft AML/CFT policies — Tailored to your specific business model and customer base
- Select compliance tooling — Transaction monitoring, blockchain analytics, sanctions screening, case management
- Begin licensing applications — Start with your primary jurisdiction; these take months
Phase 2: Build (Months 3-6)
- Implement KYC procedures — Onboarding flows with identity verification and risk assessment
- Deploy transaction monitoring — Automated rules plus blockchain analytics integration
- Implement sanctions screening — Real-time transaction screening plus batch customer re-screening
- Establish Travel Rule solution — Choose a protocol or vendor, integrate into transaction flow
- Train all staff — Document the training and maintain records
Phase 3: Operate (Ongoing)
- File SARs/STRs as required — within regulatory timeframes
- Conduct periodic reviews — Risk assessments annually, high-risk customer EDD reviews
- Engage independent testing — Annual AML program audit
- Monitor regulatory changes — New legislation, guidance updates, enforcement trends
- Report to regulators — Periodic returns as required by each jurisdiction
Common Mistakes
The most frequent compliance failures in crypto — each of which can result in enforcement actions, fines, or loss of banking relationships:
- Launching without proper licensing — Operating unlicensed is a criminal offense in most jurisdictions. FinCEN, the FCA, and MAS have all taken action against unlicensed operators.
- Treating KYC as a one-time event — Onboarding verification is just the start. Ongoing monitoring, periodic reviews, and trigger-based EDD are all required.
- Failing to file SARs in a timely manner — In the US, SARs must be filed within 30 days of detecting suspicious activity. Delayed filing is itself a violation.
- No blockchain analytics — Raw sanctions list screening is not sufficient. Regulators expect blockchain analytics tools to detect indirect exposure to sanctioned entities, darknet markets, and mixers.
- Underestimating the Travel Rule — The EU's Transfer of Funds Regulation applies to all crypto transfers with no threshold. Many firms discovered this requirement too late.
- Ignoring state-level requirements — In the US, FinCEN MSB registration does not exempt you from state money transmitter licensing. Most states require separate licenses.
- Insufficient record-keeping — Five years is the minimum. If you cannot produce complete records during a regulatory examination, expect findings.
Budget Planning
Compliance costs vary dramatically by jurisdiction and business size, but as a baseline for a startup crypto exchange:
| Category | Annual Cost Range (USD) |
|---|---|
| Compliance staff (2-3 people) | $300,000-600,000 |
| Transaction monitoring software | $50,000-200,000 |
| Blockchain analytics (Chainalysis, Elliptic, etc.) | $50,000-150,000 |
| Sanctions screening | $20,000-80,000 |
| Legal counsel (per jurisdiction) | $50,000-200,000 |
| Licensing fees and applications | $25,000-500,000 |
| Independent audit/testing | $30,000-75,000 |
| Training and certification | $10,000-30,000 |
| Total (single jurisdiction) | $535,000-1,835,000 |
These are not optional costs. Budget for compliance as a core business function, not an afterthought.
Next Steps
Compliance is not a checkbox — it is an ongoing operational function that must evolve with your business and the regulatory landscape. Use the guides in this series to build out each pillar:
- AML Program Design — Detailed program architecture
- VASP Licensing Guide — Jurisdiction-by-jurisdiction licensing
- Travel Rule Implementation — Protocol selection and integration
- Sanctions Screening — OFAC, EU, UN compliance
- Building a Compliance Team — Hiring and team structure
- MiCA Compliance Checklist — EU-specific requirements