Web3 Compliance Regulatory Taxonomy

Version: 1.0 | Created: 2026-04-08

Purpose: Information architecture foundation for web3compliance.ai

---

Table of Contents

1. Regulatory Frameworks by Type
2. Key Jurisdictions
3. Compliance Program Components
4. Industry Standards & Best Practices
5. Emerging Topics
6. Site Information Architecture

---

1. Regulatory Frameworks by Type

1.1 VASP (Virtual Asset Service Provider) Regulations

Origin: FATF Recommendation 15 (2019, updated 2021)

Definition: Any entity that conducts one or more of: exchange between virtual assets and fiat, exchange between virtual assets, transfer of virtual assets, safekeeping/administration, participation in issuance/offering of virtual assets.

Key Requirements:

• Registration or licensing in operating jurisdictions
• Full AML/CFT program implementation
• Travel Rule compliance (see 1.4)
• Customer due diligence (CDD) and enhanced due diligence (EDD)
• Suspicious activity reporting
• Record keeping (minimum 5 years in most jurisdictions)

Jurisdictional Variations:

Jurisdiction	VASP Term Used	Primary Law
EU	CASP (under MiCA)	MiCA Regulation (EU) 2023/1114
US	MSB / Money Transmitter	BSA, state MTLs
UK	Cryptoasset business	MLR 2017 (amended)
Singapore	DPT Service Provider	Payment Services Act 2019
Japan	CAESP	PSA / FIEA
UAE	VASP	VARA Regulations
Hong Kong	VATP	AMLO (amended 2023)
Switzerland	VASP / Financial Intermediary	AMLA, FinIA

1.2 CASP (Crypto Asset Service Provider) Regulations — EU MiCA Framework

Primary Legislation: Markets in Crypto-Assets Regulation (EU) 2023/1114 Effective: Title III/IV (stablecoins) June 2024; Full application December 2024 Oversight: National Competent Authorities (NCAs) + EBA + ESMA

CASP License Categories:

1. Operation of a trading platform for crypto-assets
2. Exchange of crypto-assets for funds or other crypto-assets
3. Execution of orders for crypto-assets on behalf of clients
4. Placing of crypto-assets
5. Reception and transmission of orders on behalf of clients
6. Providing advice on crypto-assets
7. Providing portfolio management on crypto-assets
8. Providing transfer services for crypto-assets on behalf of clients
9. Custody and administration of crypto-assets on behalf of clients

Key MiCA Requirements:

• Registered office in an EU member state
• Minimum capital requirements (EUR 50K-150K depending on service)
• Governance arrangements (fit and proper management)
• Complaint handling procedures
• Conflict of interest policies
• Outsourcing policies
• Wind-down plans
• White paper requirements for token issuers
• Environmental impact disclosures (consensus mechanism)
• Passporting across EU member states once licensed

Token Classification under MiCA:

• Asset-Referenced Tokens (ARTs): Stablecoins pegged to multiple assets — EBA oversight
• E-Money Tokens (EMTs): Stablecoins pegged to single fiat — requires e-money license
• Utility Tokens: Access to goods/services on DLT — lighter regime
• Other Crypto-Assets: Catch-all — standard CASP rules apply
• Exclusions: NFTs (unique, non-fungible), CBDCs, security tokens (covered by MiFID II)

1.3 Custody Regulations

Core Issue: Who holds the private keys, and what legal obligations attach to that responsibility?

Models:

• Self-custody (non-custodial wallets) — generally unregulated at protocol level
• Third-party custody — heavily regulated in most jurisdictions
• Qualified custodian — SEC/FINRA concept for registered investment advisers
• MPC (multi-party computation) custody — emerging regulatory treatment
• Smart contract custody (DeFi protocols) — regulatory gray area

Key Regulatory Requirements by Jurisdiction:

Jurisdiction	Custody Requirement	Key Rule
US (SEC)	Qualified custodian for RIAs	Advisers Act Rule 206(4)-2; SEC Staff Accounting Bulletin 121 (SAB 121, rescinded 2025)
US (OCC)	National banks may custody crypto	OCC Interpretive Letter 1170 (2020)
US (State)	Trust company charters (NY BitLicense, WY SPDI)	State-specific
EU (MiCA)	Custody is a licensed CASP activity	MiCA Title V
UK	FCA registration for custodial activities	MLR 2017
Singapore	MAS licensing for DPT custody	PSA 2019
Hong Kong	SFC licensing for VA custody	SFO + AMLO
Switzerland	Banking license or FinTech license	Banking Act, FinIA
Japan	CAESP registration covers custody	PSA
UAE/ADGM	FSRA framework for custody	FSMR

Custody-Specific Obligations:

• Segregation of client assets from proprietary assets
• Proof of reserves / attestation requirements
• Insurance or bonding requirements
• Business continuity / disaster recovery for key management
• Bankruptcy remoteness of client assets
• Regular audits / SOC reporting

1.4 Travel Rule Compliance

Origin: FATF Recommendation 16 (extended to VASPs in 2019)

Requirement: When VASPs transfer virtual assets on behalf of a customer, they must obtain, hold, and transmit originator and beneficiary information.

Required Data Elements:

• Originator: Name, account number (wallet address), physical address or national ID or customer ID or date/place of birth
• Beneficiary: Name, account number (wallet address)

Threshold Variations:

Jurisdiction	Threshold	Notes
FATF Guidance	USD/EUR 1,000	Recommended minimum
US (FinCEN)	$3,000	Funds Transfer Rule / Travel Rule
EU (TFR)	EUR 0 (no threshold)	Transfer of Funds Regulation 2023/1113 — all transfers
Singapore	SGD 1,500	MAS Notice PSN02
Japan	No threshold	All transfers
Switzerland	CHF 1,000	FINMA guidance
UK	GBP 1,000 (proposed)	FCA consultation
Canada	CAD 1,000	FINTRAC

Travel Rule Solution Providers / Protocols:

• TRISA (Travel Rule Information Sharing Architecture) — open-source
• OpenVASP — open protocol
• Shyft/Veriscope
• Notabene
• Sygna Bridge (CoolBitX)
• TRP (Travel Rule Protocol) — UK/IVMs group
• TRUST (Travel Rule Universal Solution Technology) — US exchanges coalition

Implementation Challenges:

• Unhosted (self-hosted) wallet transactions — no counterparty VASP
• Sunrise issue — jurisdictions implementing at different speeds
• Attribution problem — linking wallet addresses to VASPs
• Interoperability between Travel Rule solutions
• Privacy coin transactions

1.5 AML/KYC Requirements Specific to Crypto

Customer Due Diligence (CDD) Tiers:

Simplified Due Diligence (SDD):

• Low-risk customers / low-value transactions
• Name, date of birth
• Basic identity verification
• Not available in all jurisdictions for crypto

Standard CDD:

• Government-issued ID verification
• Proof of address
• Beneficial ownership identification (25% threshold common)
• Purpose and nature of business relationship
• Source of funds (general)

Enhanced Due Diligence (EDD) — Triggers:

• PEP (Politically Exposed Person) status
• High-risk jurisdiction (FATF grey/black list)
• Complex/unusual transaction patterns
• High-value transactions (thresholds vary)
• Sanctions matches or near-matches
• Adverse media hits

Crypto-Specific KYC Considerations:

• Wallet attribution and blockchain analytics
• Source of crypto-assets (on-chain provenance)
• DeFi interaction history
• Mixer/tumbler usage detection
• Cross-chain transaction tracing
• NFT provenance verification

Ongoing Monitoring Requirements:

• Transaction monitoring (fiat and on-chain)
• Periodic KYC refresh (risk-based: 1-5 year cycles)
• Sanctions screening (real-time for transactions, daily/batch for customer base)
• PEP screening updates
• Adverse media monitoring

1.6 Securities Law — Token Classification

US Framework (SEC):

Howey Test (SEC v. W.J. Howey Co., 1946): A token is a security if it involves:

1. An investment of money
2. In a common enterprise
3. With an expectation of profits
4. Derived from the efforts of others

Key SEC Positions:

• Bitcoin: Not a security (commodity per CFTC)
• Ethereum: Not a security (post-Merge position per SEC 2024-2025 guidance)
• Most ICO tokens: Securities
• Stablecoins: Generally not securities (context-dependent)
• NFTs: Case-by-case (fractional NFTs higher risk)
• Staking-as-a-service: May be securities (Kraken settlement 2023)
• Lending products: Securities (BlockFi settlement 2022)

Reves Test (for notes/debt instruments):

• Motivation of buyer and seller
• Plan of distribution
• Reasonable expectations of investing public
• Existence of alternative regulatory regime

EU Framework:

• MiFID II governs security tokens
• MiCA explicitly excludes "financial instruments" (those fall under MiFID II)
• DLT Pilot Regime (Regulation 2022/858) — sandbox for tokenized securities

Singapore:

• Securities and Futures Act (SFA) — "digital payment tokens" vs. "capital markets products"
• MAS applies substance-over-form approach

Switzerland:

• FINMA Token Classification (2018 ICO Guidelines):
  • Payment tokens
  • Utility tokens
  • Asset tokens (securities)
  • Hybrid tokens

Japan:

• Type I Securities: Security tokens (electronically recorded transferable rights)
• Type II Securities: Fund-type tokens
• Crypto-assets: Non-security tokens (PSA)

1.7 MiCA Deep Dive

Regulation Structure:

• Title I: Subject matter, scope, definitions
• Title II: Crypto-assets other than ARTs/EMTs (utility tokens, other)
• Title III: Asset-Referenced Tokens
• Title IV: E-Money Tokens
• Title V: Authorization and operating conditions for CASPs
• Title VI: Prevention of market abuse
• Title VII: Competent authorities
• Title VIII: Delegated acts, implementing acts
• Title IX: Transitional and final provisions

Key Implementing Measures (RTS/ITS by EBA and ESMA):

• Capital requirements calculation methodology
• Complaint handling procedures
• Conflict of interest management
• Sustainability indicators for consensus mechanisms
• White paper content and format
• Reserve asset requirements for ARTs/EMTs
• Recovery and redemption plans for ARTs/EMTs
• Significant token thresholds (ARTs: 5M holders or EUR 5B reserve)

Market Abuse Regime:

• Insider dealing prohibition
• Market manipulation prohibition
• Unlawful disclosure of inside information
• Applies to all crypto-assets admitted to trading

Reverse Solicitation:

• Third-country firms may provide services only if client initiates contact
• Very narrow — cannot be used as systematic market access strategy
• ESMA guidance expected to tighten interpretation

1.8 FATF Guidance and Recommendations

Key FATF Documents:

• Recommendation 15 (New Technologies) — updated June 2019
• Updated Guidance for a Risk-Based Approach to VAs and VASPs (October 2021)
• Targeted Update on Implementation (June 2023, July 2024)
• Report on DeFi and P2P Transactions (2024-2025)

FATF Virtual Asset Definitions:

• Virtual Asset (VA): Digital representation of value that can be digitally traded/transferred and used for payment/investment (excludes digital fiat, securities, other already-regulated financial assets)
• VASP: See Section 1.1

FATF "So-called Stablecoin" Guidance:

• Stablecoins are VAs under FATF definitions
• Governance body / centralized functions may qualify as VASP
• Must assess risk of mass adoption

FATF on DeFi:

• "Owner/operator" test — if a person has sufficient control/influence, they are a VASP
• Creators/developers/governance token holders may be covered
• Still evolving — no bright-line rule

FATF on NFTs:

• Generally NOT virtual assets if truly unique and used as collectibles
• NFTs that function as payment/investment instruments ARE VAs
• Fractionalized NFTs more likely to be treated as VAs

Grey List / Black List Implications:

• Countries on FATF grey list trigger EDD requirements
• Current grey list (as of early 2026): Nigeria, South Africa, Turkey, Vietnam, others — check current list
• Black list (high-risk): Myanmar, Iran, North Korea (DPRK)

1.9 Stablecoin Regulations

US:

• No comprehensive federal stablecoin law yet (multiple bills proposed: Clarity for Payment Stablecoins Act, GENIUS Act)
• OCC: National banks can issue stablecoins (Interpretive Letter 1174)
• State level: NY DFS — guidance for USD-backed stablecoins (June 2022)
• SEC: Generally not securities if properly structured (no yield, 1:1 backed)

EU (MiCA):

• E-Money Tokens (EMTs): Pegged to single fiat currency — requires e-money institution or credit institution license
• Asset-Referenced Tokens (ARTs): Pegged to baskets or commodities — MiCA Title III
• Reserve requirements: 100% liquid, high-quality assets
• Prohibition on interest/yield to token holders
• Significant EMTs/ARTs: Direct EBA supervision

UK:

• Fiat-backed stablecoins to be brought into payments regulation
• FCA + Bank of England + PSR shared oversight
• Digital Securities Sandbox provisions

Singapore:

• MAS Stablecoin Framework (August 2023, effective April 2024)
• Single-currency pegged (SCS) stablecoins regulated
• Reserve requirements: 100% in cash/cash equivalents
• Minimum base capital: SGD 1M or 50% of operating expenses
• MAS-regulated label for compliant stablecoins

Japan:

• Electronic Payment Instruments (EPI) under PSA amendment (June 2023)
• Only banks, fund transfer service providers, and trust companies can issue
• 100% reserve in deposits or government bonds

UAE:

• AED-pegged stablecoins: Only CBUAE-licensed entities
• Foreign-pegged stablecoins: Permitted with VARA/FSRA license
• Dirham-pegged stablecoin requirements forthcoming

1.10 DeFi Regulatory Approaches

Current Regulatory Positions:

Jurisdiction	Approach	Key Details
US (SEC)	Enforcement-driven	Actions against Uniswap, Lido; focus on whether protocol offers securities
US (CFTC)	Enforcement-driven	Ooki DAO action (liability for DAO token holders)
EU (MiCA)	Partially excluded	MiCA may apply where "decentralized in name only"; true DeFi largely outside scope
UK	Under review	FCA discussion paper on DeFi (2024-2025)
Singapore	Risk-based	MAS applies activity-based regulation; DeFi front-ends may be regulated
Japan	Cautious	FSA studying DeFi governance models
Switzerland	Activity-based	FINMA looks through to function/economic purpose

Key Regulatory Questions for DeFi:

• Who is the "operator" of a decentralized protocol?
• Are governance token holders liable? (Ooki DAO precedent)
• Do front-end interfaces trigger VASP/CASP obligations?
• How to apply KYC to permissionless protocols?
• Smart contract as "financial intermediary" — is code an entity?
• MEV (Maximal Extractable Value) — market manipulation?
• Oracle manipulation — market abuse?

Emerging DeFi Compliance Approaches:

• On-chain identity/KYC (Civic, Polygon ID, Worldcoin, Sismo)
• Compliant DeFi pools (Aave Arc, Compound Treasury — institutional)
• Permissioned DeFi front-ends with geofencing
• DAO legal wrappers (see 1.12)
• Regulatory sandboxes for DeFi experimentation

1.11 NFT Regulatory Treatment

General Position: NFTs are not uniformly regulated, but context matters.

When NFTs May Trigger Regulation:

• Fractionalized NFTs (securities risk — Howey analysis)
• NFTs with revenue-sharing or royalty rights (securities risk)
• NFTs used as payment instruments (VASP/MSB obligations)
• NFTs sold as investments with profit expectations (securities)
• High-value NFT sales (AML obligations — EU AMLD 5/6 for art dealers at EUR 10K+)
• NFT lending/borrowing platforms (DeFi + securities overlap)

Jurisdiction-Specific:

• EU: MiCA excludes unique/non-fungible NFTs; large collections of essentially fungible NFTs may fall under MiCA
• US: SEC case-by-case approach; Impact Theory enforcement action (2023) — NFTs sold as securities
• UK: FCA treats NFTs based on underlying rights/characteristics
• Singapore: MAS — substance over form; utility NFTs generally unregulated
• UAE: VARA includes NFTs in regulatory scope
• Hong Kong: SFC — NFTs representing securities are regulated

NFT-Specific AML Risks:

• Wash trading for money laundering
• Trade-based laundering through inflated prices
• Sanctions evasion through NFT marketplaces
• Royalty-based structuring
• Cross-chain NFT bridges as layering mechanism

1.12 DAO Legal Structures

The Problem: DAOs lack legal personality by default, creating unlimited liability for members.

Legal Wrapper Options:

Structure	Jurisdiction	Key Features
DAO LLC	Wyoming, Tennessee, Vermont (US)	Limited liability; on-chain governance recognized; algorithmic management
Foundation	Cayman Islands, Panama, Switzerland	No shareholders; purpose-driven; can hold treasury
UNA (Unincorporated Nonprofit Association)	US (multiple states)	No formal registration needed; COALA Model Law basis
Foundation Company	Guernsey, Jersey	Hybrid foundation-company; can issue tokens
Association	Switzerland (Verein)	Low-cost; member-based; widely used for protocol governance
Marshall Islands DAO LLC	Marshall Islands	Specific DAO legislation (2022); designed for decentralized governance
BVI Business Company	British Virgin Islands	Flexible corporate law; commonly used with DAO governance docs

Key Legal Issues for DAOs:

• Token holder liability exposure
• Tax treatment of DAO treasuries
• Regulatory obligations of governance participants
• Smart contract enforceability
• Dispute resolution mechanisms
• Fiduciary duties of delegates/multisig signers
• Securities classification of governance tokens
• Cross-jurisdictional recognition

1.13 Tax Reporting

OECD Crypto-Asset Reporting Framework (CARF):

• Adopted by OECD in August 2022, integrated into CRS in 2023
• Requires reporting on exchanges between crypto and fiat, crypto-to-crypto, and transfers
• Reporting entities: exchanges, brokers, ATM operators, certain DeFi protocols
• Reportable information: identity, TIN, transaction amounts, types, fair market values
• Implementation timeline: 2026-2027 for early adopters (48+ jurisdictions committed)
• Applies to: Crypto-Assets (broad definition including stablecoins, certain NFTs)

US Tax Reporting:

• IRS Form 8949 / Schedule D for capital gains/losses
• Infrastructure Investment and Jobs Act (2021): Expanded broker reporting (Form 1099-DA) — effective 2026 tax year
• Broker definition: Includes exchanges, certain DeFi front-ends (controversial, litigation ongoing)
• Staking rewards: Taxable as ordinary income at fair market value when received (Jarrett v. US implications)
• Airdrops: Taxable as ordinary income upon receipt
• Hard forks: Taxable when taxpayer has dominion and control
• DeFi yield: Taxable — characterization varies (interest, ordinary income, capital gain)
• NFT sales: Capital gains; collectibles rate (28%) may apply
• Wash sale rule: Not explicitly applied to crypto yet (but proposed legislation)

EU Tax Approaches:

• DAC8: Directive on administrative cooperation — crypto reporting aligned with CARF
• Country-by-country variation on capital gains treatment
• Germany: Tax-free after 1-year holding period (for non-yield-generating assets)
• Portugal: 28% flat rate on short-term gains (since 2023)
• France: 30% flat tax on crypto gains

Other Key Jurisdictions:

• UK: HMRC treats crypto as property; Capital Gains Tax applies; staking/DeFi yields are income
• Singapore: No capital gains tax; trading as business = income tax
• UAE: No personal income tax on crypto; corporate tax (9%) may apply to businesses
• Japan: Crypto gains taxed as miscellaneous income (up to 55%)
• Australia: CGT events; personal use exemption for sub-AUD 10K transactions
• South Korea: 20% tax on crypto gains above KRW 2.5M (implementation repeatedly delayed, effective 2027)

---

2. Key Jurisdictions

Tier 1 Jurisdictions

2.1 United States

Regulatory Bodies:

Agency	Scope
SEC	Securities (tokens classified as securities), exchanges, broker-dealers, investment advisers
CFTC	Commodities (Bitcoin, Ether), derivatives, futures
FinCEN	AML/KYC, MSB registration, Travel Rule
OCC	National bank crypto activities, custody
FDIC	Bank involvement with crypto, deposit insurance questions
IRS	Tax reporting, broker reporting
OFAC	Sanctions compliance (Tornado Cash designation)
State regulators	Money transmitter licenses, BitLicense (NY), trust charters (WY)

Key Legislation & Rules:

• Bank Secrecy Act (BSA) — AML framework
• Securities Act of 1933 / Securities Exchange Act of 1934
• Commodity Exchange Act (CEA)
• State money transmitter laws (50 states + territories)
• NY BitLicense (23 NYCRR Part 200)
• Wyoming Special Purpose Depository Institution (SPDI) Act
• FIT21 (Financial Innovation and Technology for the 21st Century Act) — status: passed House 2024, Senate progress TBD

Licensing Requirements:

• FinCEN MSB registration (federal) — all VASPs
• State money transmitter licenses (most states) — 40+ separate applications
• NY BitLicense or limited purpose trust charter
• SEC broker-dealer registration (if dealing in security tokens)
• CFTC registration (DCM, DCO, SEF) for derivatives platforms
• Federal banking charter or state trust charter for custody

Key Enforcement Trends:

• SEC enforcement-first approach (Ripple, Coinbase, Binance cases)
• OFAC Tornado Cash sanctions (challenged in court — mixed rulings)
• DOJ crypto fraud prosecutions (FTX, Celsius, etc.)
• IRS John Doe summons to exchanges for taxpayer information

2.2 European Union

Regulatory Bodies:

Body	Scope
ESMA	Securities markets, CASP oversight coordination, market abuse
EBA	Banking, significant stablecoins (ARTs/EMTs), AML
ECB	Monetary policy, CBDC (Digital Euro), systemic risk
National Competent Authorities	CASP licensing, day-to-day supervision
AMLA (new, launching 2025)	EU-wide AML authority

Key Legislation:

• MiCA (2023/1114) — primary crypto framework
• Transfer of Funds Regulation (2023/1113) — Travel Rule
• DLT Pilot Regime (2022/858) — tokenized securities sandbox
• AML Package (6AMLD, AMLR) — comprehensive AML reform
• DAC8 — tax reporting
• DORA (Digital Operational Resilience Act) — ICT risk management

Licensing:

• CASP license from any EU NCA — passportable across EU/EEA
• E-money institution or credit institution license for EMT issuance
• MiFID II license for security token activities

2.3 United Kingdom

Regulatory Bodies:

Body	Scope
FCA	AML registration, consumer protection, market conduct
Bank of England	Systemic stablecoins, financial stability
PSR	Payment systems
HMRC	Tax
HM Treasury	Policy and legislation

Key Legislation:

• Money Laundering Regulations 2017 (amended) — FCA AML registration for crypto
• Financial Services and Markets Act 2000 (FSMA) — being extended to crypto
• Financial Services and Markets Act 2023 — brought crypto into regulated activities
• Economic Crime and Corporate Transparency Act 2023
• Financial promotion regime — extended to crypto (October 2023)

Current Status:

• FCA AML registration required (notoriously strict — >80% rejection rate)
• Financial promotions regime live — all crypto ads require FCA approval or exemption
• Stablecoin regulation forthcoming
• Broader regulatory framework for crypto activities in development (phased approach)

2.4 Singapore

Regulatory Body: Monetary Authority of Singapore (MAS)

Key Legislation:

• Payment Services Act 2019 (PSA) — DPT (Digital Payment Token) service providers
• Securities and Futures Act (SFA) — security tokens
• Financial Advisers Act — crypto advisory services

License Types:

• Major Payment Institution (MPI) license — for DPT services above thresholds
• Standard Payment Institution (SPI) license — below thresholds
• Capital Markets Services (CMS) license — security tokens
• Recognized Market Operator — exchange services

Notable Requirements:

• No retail crypto advertising/marketing in Singapore
• Customer suitability assessments
• Segregation of customer assets
• MAS Stablecoin Framework (SCS-regulated stablecoins)
• Technology risk management guidelines (MAS TRM)

2.5 Hong Kong

Regulatory Bodies: Securities and Futures Commission (SFC), Hong Kong Monetary Authority (HKMA)

Key Legislation:

• Securities and Futures Ordinance (SFO)
• Anti-Money Laundering and Counter-Terrorist Financing Ordinance (AMLO) — amended 2023
• Payment Systems and Stored Value Facilities Ordinance

Licensing:

• Virtual Asset Trading Platform (VATP) license — mandatory from June 2023
• SFC Type 1 (dealing) and Type 7 (automated trading) licenses for VA platforms
• Dual licensing: SFC for securities + AMLO for non-security VAs
• Stablecoin issuer licensing regime (HKMA — Bill introduced 2024)

Notable:

• Retail trading permitted on licensed platforms (since June 2023)
• Insurance/compensation requirements for custody
• Mandatory hardware wallet storage for client assets (% threshold)

2.6 Japan

Regulatory Body: Financial Services Agency (FSA), JVCEA (self-regulatory)

Key Legislation:

• Payment Services Act (PSA) — crypto-asset exchange service providers (CAESPs)
• Financial Instruments and Exchange Act (FIEA) — security tokens
• Act on Prevention of Transfer of Criminal Proceeds — AML

Licensing:

• CAESP registration with FSA
• Type I Financial Instruments Business for security tokens
• Self-regulatory compliance with JVCEA rules

Notable:

• One of the earliest comprehensive crypto regulatory regimes (post-Mt. Gox)
• Mandatory cold wallet storage requirements (95%+ of client assets)
• Stablecoin regulation: Only banks, fund transfer companies, trust companies can issue
• Asset segregation via trust structures
• Travel Rule: No minimum threshold
• Stringent listing review process (JVCEA green list / individual review)

2.7 United Arab Emirates

Regulatory Bodies:

Body	Jurisdiction	Scope
VARA	Dubai	Comprehensive VA regulation
FSRA (ADGM)	Abu Dhabi (ADGM)	Financial services including crypto
CBUAE	Federal	Stablecoins, payment tokens
SCA	Federal (mainland)	Securities, commodities

VARA License Categories:

• Advisory services
• Broker-dealer services
• Custody services
• Exchange services
• Lending and borrowing services
• Management and investment services
• Transfer and settlement services

ADGM/FSRA:

• Financial Services Permission for regulated activities involving virtual assets
• Comprehensive framework since 2018 (one of the earliest dedicated regimes)
• Sandbox/RegLab for innovation testing

Notable:

• No personal income tax (attractive for crypto businesses)
• Multiple competing regulatory regimes within UAE
• VARA requires physical office in Dubai
• Marketing and advertising compliance requirements

2.8 Switzerland

Regulatory Body: FINMA (Swiss Financial Market Supervisory Authority)

Key Legislation:

• Anti-Money Laundering Act (AMLA)
• Financial Institutions Act (FinIA)
• Financial Services Act (FinSA)
• DLT Act (Federal Act on the Adaptation of Federal Law to Developments in DLT) — 2021
• Banking Act

License Types:

• FinTech license (up to CHF 100M deposits, no lending)
• Banking license (full banking activities)
• Securities firm license
• Financial intermediary SRO membership (AML compliance for lighter-touch activities)

Notable:

• DLT Act: World-first comprehensive DLT legislation
• "DLT trading facility" license category
• Segregation of crypto-assets in bankruptcy
• Crypto Valley (Zug) — established ecosystem
• FINMA ICO Guidelines (2018) — token classification framework
• Staking treated as deposit-taking only if guaranteed return

Tier 2 Jurisdictions

2.9 Australia

Regulatory Bodies: ASIC (securities/markets), AUSTRAC (AML/CTF), Treasury (policy)

Key Legislation:

• Anti-Money Laundering and Counter-Terrorism Financing Act 2006
• Corporations Act 2001 (for security tokens/financial products)
• Treasury consultation on comprehensive crypto licensing (2023-2025)

Current Status:

• Digital currency exchanges must register with AUSTRAC
• No bespoke crypto licensing yet — relying on existing financial services framework
• Token mapping consultation completed — framework expected
• ASIC enforcement actions against unlicensed crypto products

2.10 Canada

Regulatory Bodies: CSA (provincial securities regulators), FINTRAC (AML), OSFI (prudential)

Key Legislation:

• Provincial securities legislation (harmonized through CSA)
• Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

Licensing:

• Crypto trading platforms: Registered as restricted dealers + marketplace members (CSA framework)
• MSB registration with FINTRAC
• Pre-registration undertakings for operating platforms

Notable:

• First country to approve Bitcoin/Ether spot ETFs
• CSA Staff Notice 21-327 — Guidance on crypto trading platforms
• Stablecoin framework: Value-Referenced Crypto Assets (VRCAs) — must be backed by fiat reserves

2.11 South Korea

Regulatory Bodies: Financial Services Commission (FSC), Financial Intelligence Unit (FIU), Korea Financial Intelligence Unit (KoFIU)

Key Legislation:

• Act on Reporting and Using Specified Financial Transaction Information (Special Financial Information Act) — amended 2021
• Virtual Asset User Protection Act (2024)

Licensing:

• VASP registration with KoFIU
• Information Security Management System (ISMS) certification from KISA
• Real-name bank account partnership (one VASP per bank)

Notable:

• Real-name account system — uniquely restrictive
• Virtual Asset User Protection Act (effective July 2024): Market manipulation, unfair trading prohibitions, custody requirements, insurance
• Institutional crypto participation restrictions being eased gradually
• Tax: 20% on gains above KRW 2.5M (postponed to 2027)

2.12 Brazil

Regulatory Bodies: Central Bank of Brazil (BCB), CVM (securities regulator)

Key Legislation:

• Crypto Assets Law (Law No. 14,478/2022) — Legal Framework for Virtual Assets
• CVM regulation for security tokens
• BCB regulation for VASPs (implementing rules)

Licensing:

• VASP authorization from BCB (regulations being finalized)
• CVM registration for security token platforms

Notable:

• BCB designated as primary regulator for crypto-assets (non-securities)
• Drex (Brazilian CBDC) pilot — implications for tokenized deposits
• Significant crypto adoption — one of top 10 markets globally
• Asset segregation requirements

2.13 India

Regulatory Bodies: RBI (central bank), SEBI (securities), Ministry of Finance

Key Legislation:

• No comprehensive crypto legislation yet
• Finance Act 2022 — 30% tax on crypto gains, 1% TDS on transactions
• Prevention of Money Laundering Act (PMLA) — extended to VDAs (Virtual Digital Assets) in 2023

Current Status:

• VDAs subject to AML/KYC under FIU-India reporting
• 30% flat tax on income from VDAs (no loss offset, no deductions)
• 1% TDS on all VDA transfers above INR 10,000
• Offshore exchanges required to register with FIU-India (Binance compliance action 2024)
• Comprehensive regulatory framework still under development
• India pushed CARF/crypto regulation at G20 presidency (2023)

Tier 3 Jurisdictions (Notable Regulations)

2.14 Summary Table

Jurisdiction	Regulatory Approach	Key Body	Status
Bahrain	Comprehensive	CBB	Licensed regime since 2019
Bermuda	Comprehensive	BMA	Digital Asset Business Act 2018
Cayman Islands	Comprehensive	CIMA	VASP Act 2020
Estonia	Restrictive (tightened)	FIU	Strict licensing since 2022 reform
France	MiCA transition	AMF	PSAN regime transitioning to MiCA
Germany	MiCA transition	BaFin	Crypto custody license since 2020
Gibraltar	Comprehensive	GFSC	DLT Provider framework since 2018
Ireland	MiCA transition	CBI	VASP registration under MiCA
Israel	Developing	ISA / BOI	AML regime; broader framework in progress
Liechtenstein	Comprehensive	FMA	Token and TT Service Provider Act (TVTG) 2020
Luxembourg	MiCA transition	CSSF	VASP registration
Malta	Comprehensive	MFSA	Virtual Financial Assets Act (VFA) 2018; transitioning to MiCA
Mexico	Moderate	CNBV / Banxico	FinTech Law 2018; VA definition; limited framework
Nigeria	Developing	SEC / CBN	SEC rules for digital assets; CBN lifted bank ban
Philippines	Moderate	BSP / SEC	VASP registration with BSP; SEC token guidance
South Africa	Developing	FSCA / SARB	FSCA declared crypto as financial product (2022); CASP licensing
Taiwan	Developing	FSC	AML guidelines; comprehensive framework in development
Thailand	Comprehensive	SEC / BOT	Digital Asset Business Act; licensed operators
Turkey	Developing	CMB / MASAK	Crypto payment ban; VASP regulation (2024-2025)
Vietnam	Restricted	SBV	No legal framework; de facto ban on payments; regulation pending

---

3. Compliance Program Components

3.1 What a Compliant Crypto Operation Needs

Governance:

• Board-level compliance oversight
• Designated compliance officer (MLRO in UK/EU)
• Compliance committee / reporting lines to board
• Documented compliance policies and procedures manual
• Independent compliance audit function
• Compliance training program for all staff
• Whistleblower program

Technology Infrastructure:

• Transaction monitoring system (on-chain and fiat)
• Blockchain analytics integration
• KYC/identity verification platform
• Sanctions screening engine
• Case management system
• Regulatory reporting tools
• Secure record-keeping / data archival
• Incident response system

Risk Framework:

• Enterprise-wide risk assessment (updated at least annually)
• Customer risk scoring model
• Product/service risk assessment
• Geographic risk assessment
• Channel/delivery risk assessment
• New product approval process
• Third-party/vendor risk management

3.2 Compliance Officer Requirements

Jurisdiction	Requirement	Key Details
US (FinCEN)	BSA Officer	Designated individual responsible for BSA/AML compliance
EU (MiCA)	Compliance function	Senior management responsibility; fit and proper assessment
UK (FCA)	MLRO (Money Laundering Reporting Officer)	Senior Management Function (SMF17); FCA-approved individual
Singapore (MAS)	AML/CFT Compliance Officer	Senior management level; named in license application
Hong Kong (SFC)	Responsible Officer	Licensed individual; Type 1/7 RO; MIC for AML
Japan (FSA)	Compliance Officer	Part of internal control framework
UAE (VARA)	Compliance Officer	Must be UAE-resident; VARA-approved

Common Requirements:

• Sufficient seniority and authority
• Direct access to board/senior management
• Independence from business lines
• Adequate resources and budget
• Relevant experience and qualifications (CAMS, ICA, ACAMS)
• Background checks / fit and proper assessment
• Ongoing training requirements

3.3 Transaction Monitoring

Fiat Transaction Monitoring:

• Structuring detection (transactions just below reporting thresholds)
• Velocity checks (frequency/volume patterns)
• Round-dollar/even-amount detection
• Geographic risk-based alerts
• Peer group analysis
• Behavioral change detection

On-Chain Transaction Monitoring:

• Direct interaction with sanctioned addresses
• Indirect exposure (N-hop analysis) to sanctioned/illicit addresses
• Mixer/tumbler usage (Tornado Cash, Wasabi, etc.)
• Darknet marketplace interactions
• Ransomware wallet interactions
• Scam/fraud address exposure
• Cross-chain bridge monitoring
• High-risk protocol interactions (flagged DeFi protocols)
• Unusual transaction patterns (round amounts, rapid movement, peel chains)
• UTXO analysis (for Bitcoin-based chains)
• Smart contract interaction risk scoring

Key Blockchain Analytics Providers:

Provider	Strengths
Chainalysis	Market leader; KYT, Reactor; broadest chain coverage
Elliptic	Strong on cross-chain analytics; Holistic screening
TRM Labs	Real-time monitoring; strong API; growing government use
CipherTrace (Mastercard)	Integrated payment ecosystem; DeFi coverage
Scorechain	EU-based; strong privacy coin analytics
Crystal (Bitfury/Crystal Intelligence)	Visualization; investigation tools
Merkle Science	APAC focus; Compass for transaction monitoring
Solidus Labs	Market surveillance; market manipulation detection
AnChain.AI	AI-driven; smart contract auditing
Nansen	On-chain analytics; wallet labeling; DeFi focus

Tuning Considerations:

• False positive rate management (industry average: 90-95% false positives)
• Risk-based thresholds (not one-size-fits-all)
• Regular model validation and back-testing
• Scenario-based vs. rules-based vs. AI/ML-based approaches
• Cross-product monitoring (fiat + on-chain combined view)

3.4 Sanctions Screening

Key Sanctions Lists:

List	Issuer	Scope
SDN List	OFAC (US)	Specially Designated Nationals
Consolidated List	EU	EU sanctions targets
Consolidated List	UK (OFSI)	UK sanctions targets
Consolidated List	UN	UN Security Council designations
SECO Sanctions	Switzerland	Swiss sanctions
MAS Sanctions	Singapore	Singapore sanctions
DFAT Consolidated List	Australia	Australian sanctions

Crypto-Specific Sanctions Considerations:

• Wallet address screening (OFAC has designated specific addresses: Tornado Cash, Blender.io, Lazarus Group addresses, etc.)
• Smart contract address screening
• Secondary sanctions risk (facilitating sanctioned parties)
• Screening for sanctioned jurisdictions (DPRK, Iran, Syria, Russia, Crimea)
• Real-time vs. batch screening trade-offs
• Fuzzy matching for name screening (transliteration, aliases)
• Network analysis — identifying sanctions evasion patterns
• VPN/geolocation detection for sanctioned jurisdictions

OFAC Compliance for Crypto — Key Guidance:

• OFAC "Framework for OFAC Compliance Commitments" (2019) — applies to crypto
• OFAC FAQ on virtual currency (updated regularly)
• Tornado Cash SDN designation (August 2022) — legal challenges ongoing
• Strict liability regime — no intent requirement for OFAC violations
• Voluntary self-disclosure strongly encouraged

3.5 Record Keeping Requirements

Minimum Retention Periods:

Jurisdiction	Period	Key Records
US (BSA)	5 years	CDD, transaction records, SARs
EU (AMLD/MiCA)	5 years (up to 10)	CDD, transaction records, communications
UK (MLR)	5 years	CDD, transaction records
Singapore (PSA)	5 years	CDD, transaction records
Hong Kong (AMLO)	6 years	CDD, transaction records
Japan (PSA)	7 years (tax) / 5 years (AML)	All transaction records
UAE (VARA)	8 years	All business records
FATF Recommendation	5 years minimum	CDD, transaction records

Records to Maintain:

• Customer identification documents and verification records
• Transaction records (fiat and on-chain, including wallet addresses)
• Blockchain analytics reports and risk scores
• Correspondence and communications with customers
• SAR/STR filings and supporting documentation
• Internal investigation files
• Compliance training records
• Board/committee meeting minutes related to compliance
• Policy and procedure versions (change log)
• Risk assessment documents
• Third-party due diligence records

3.6 Reporting Obligations

Suspicious Activity Reporting:

Jurisdiction	Report Type	Filed With	Key Threshold
US	SAR (Suspicious Activity Report)	FinCEN	$5,000+ (MSBs: $2,000+)
US	CTR (Currency Transaction Report)	FinCEN	$10,000 cash
EU	STR (Suspicious Transaction Report)	National FIU	No threshold (suspicion-based)
UK	SAR	NCA (UKFIU)	No threshold (suspicion-based)
Singapore	STR	STRO	No threshold
Hong Kong	STR	JFIU	No threshold
Japan	STR	JAFIC	No threshold
UAE	STR/SAR	FIU (goAML)	No threshold
Australia	SMR (Suspicious Matter Report)	AUSTRAC	No threshold
Canada	STR	FINTRAC	No threshold

Other Reporting Obligations:

• Large transaction reports (e.g., US CTR, Australia threshold transaction reports)
• International funds transfer instructions (Australia, Canada)
• Cross-border wire transfer reports
• Terrorist property reports
• Sanctions match reports to relevant authority
• Annual compliance reports to regulators (jurisdiction-specific)
• Breach/incident notifications
• Material change notifications (business model, beneficial ownership, etc.)

3.7 Risk Assessment Frameworks

Enterprise-Wide Risk Assessment (EWRA):

Customer Risk Factors:

• Customer type (individual, corporate, trust, foundation, DAO)
• Jurisdiction of customer (domicile, nationality, operations)
• Industry/business type
• PEP status
• Source of wealth / source of funds
• Transaction behavior vs. stated purpose
• On-chain risk profile (wallet history, interactions)
• Length of relationship
• Adverse media

Product/Service Risk Factors:

• Anonymity features (privacy coins, mixers)
• Speed of settlement
• Cross-border nature
• Complexity of product
• New/innovative product (higher inherent risk)
• Cash-in/cash-out points
• DeFi protocol interactions

Geographic Risk Factors:

• FATF grey/black list countries
• Sanctioned jurisdictions
• Countries with weak AML/CFT frameworks
• High corruption index countries (Transparency International CPI)
• Known drug/human trafficking source countries
• Tax haven jurisdictions

Channel/Delivery Risk Factors:

• Non-face-to-face onboarding
• Third-party reliance
• Use of intermediaries or agents
• Unhosted wallet transactions
• P2P transaction platforms
• API/programmatic access

Risk Scoring Methodology:

• Inherent risk assessment (before controls)
• Control effectiveness assessment
• Residual risk calculation
• Risk appetite statement
• Risk tolerance thresholds
• Regular review and update cycle (annual minimum)

---

4. Industry Standards & Best Practices

4.1 ISO 27001 for Crypto

Applicability: Information security management system — applies to all crypto businesses handling sensitive data and digital assets.

Crypto-Specific Considerations:

• Key management procedures (generation, storage, rotation, destruction)
• Cold storage / air-gapped systems security
• Multi-signature wallet procedures
• HSM (Hardware Security Module) integration
• Smart contract deployment security
• Node infrastructure security
• API security for exchange integrations
• Incident response for private key compromise

Certification:

• Third-party audit by accredited certification body
• Annual surveillance audits
• 3-year recertification cycle
• Many regulators accept ISO 27001 as evidence of security controls

4.2 SOC 2 for Crypto Companies

Trust Service Criteria:

• Security (Common Criteria) — always included
• Availability — important for exchanges and trading platforms
• Processing Integrity — critical for transaction processing
• Confidentiality — customer data, transaction data
• Privacy — personal information handling

Crypto-Specific Controls:

• Digital asset custody controls
• Private key management
• Transaction signing procedures
• On-chain monitoring controls
• Smart contract change management
• Wallet segregation controls
• Hot/cold wallet transfer procedures

Types:

• SOC 2 Type I: Point-in-time design assessment
• SOC 2 Type II: Operating effectiveness over a period (6-12 months) — more valuable

Who Requires It:

• Institutional clients (hedge funds, family offices, corporates)
• Banking partners
• Insurance underwriters
• Some regulators accept as supporting evidence

4.3 CCSS (CryptoCurrency Security Standard)

Developed by: CryptoCurrency Certification Consortium (C4)

10 Aspects of Security:

1. Key/Seed Generation — Entropy requirements, deterministic generation
2. Key Storage — Physical/digital protection of private keys
3. Key Usage — Transaction signing, multi-signature requirements
4. Key Compromise Policy — Response protocols for suspected compromise
5. Keyholder Grant/Revoke Policy — Access management for key holders
6. Data Sanitization Policy — Secure destruction of key material
7. Proof of Reserve — Verification of asset holdings
8. Log Audits — Transaction and system activity logging
9. Audit Recommendations — Remediation of identified vulnerabilities
10. Penetration Testing — Regular security testing

Security Levels:

• Level I: Basic security (single key, basic protections)
• Level II: Enhanced security (multi-sig, redundant key storage)
• Level III: Maximum security (geographically distributed, advanced HSMs)

4.4 Proof of Reserves

What It Is: Cryptographic verification that a custodian holds sufficient assets to cover all client balances.

Approaches:

Method	Description	Assurance Level
Merkle Tree Proof	Hash tree of customer balances; customers can verify inclusion	Medium
zk-Proof of Solvency	Zero-knowledge proof that assets >= liabilities without revealing details	High
Third-Party Attestation	Accounting firm attestation (e.g., Mazars, Armanino)	Medium-High
On-Chain Verification	Public wallet addresses with known balances	Low-Medium (doesn't prove liabilities)
Full Audit	Comprehensive financial audit including liabilities	Highest

Limitations:

• Point-in-time snapshot (may not reflect ongoing solvency)
• Doesn't capture off-chain liabilities without full audit
• Borrowed assets can inflate reserves temporarily
• Multi-chain complexity (assets across many chains)
• Privacy concerns for large balance holders

Regulatory Direction:

• Japan: Mandatory quarterly Proof of Reserves (FSA)
• EU (MiCA): Reserve asset requirements for stablecoin issuers
• US: SEC interest in Proof of Reserves for registered entities
• Industry trend toward regular, standardized PoR attestations

4.5 Smart Contract Auditing Standards

Audit Process:

1. Specification review (requirements vs. implementation)
2. Automated analysis (static analysis, symbolic execution)
3. Manual code review (line-by-line expert review)
4. Formal verification (mathematical proofs of correctness)
5. Economic/incentive analysis (game theory, MEV risks)
6. Findings report (critical, high, medium, low, informational)
7. Remediation verification (re-review of fixes)

Key Audit Firms:

Firm	Specialization
Trail of Bits	Security research; deep technical audits
OpenZeppelin	Solidity focus; extensive library of reviewed contracts
Consensys Diligence	Ethereum ecosystem; MythX platform
Halborn	Broad chain coverage; pen testing + smart contract
CertiK	Formal verification; large volume of audits
Quantstamp	Automated + manual; insurance integration
Spearbit	Decentralized audit network; senior auditors
Cyfrin	Education-focused; competitive audits (CodeHawks)

Standards and Frameworks:

• OWASP Smart Contract Top 10
• SWC Registry (Smart Contract Weakness Classification)
• EEA EthTrust Security Levels Specification
• Ethereum Smart Contract Best Practices (ConsenSys)
• Solidity Security Considerations (Solidity docs)

Bug Bounty Programs (Complementary):

• Immunefi (largest Web3 bug bounty platform)
• HackerOne (general, some crypto programs)
• Code4rena (competitive auditing)
• Sherlock (audit marketplace with coverage)

4.6 Insurance and Bonding Requirements

Types of Insurance for Crypto Businesses:

Type	Coverage
Crime/Specie Insurance	Theft of digital assets (hot/cold storage)
Professional Indemnity / E&O	Errors in service delivery
Directors & Officers (D&O)	Management liability
Cyber Insurance	Data breaches, system failures, ransomware
Commercial Crime	Employee dishonesty, social engineering fraud
Custody Insurance	Client asset losses (institutional requirement)

Regulatory Insurance Requirements:

• Hong Kong SFC: Licensed VATPs must maintain compensation arrangements (insurance + other)
• Japan FSA: Mandatory trust arrangement for customer assets
• Bermuda BMA: Minimum insurance requirements for DAB licensees
• Singapore MAS: Safeguarding requirements (not specifically insurance)
• EU MiCA: Own funds requirements (capital buffers rather than insurance)

Insurance Market Status (2026):

• Limited capacity — few insurers underwrite crypto risk
• Key insurers: Lloyd's of London syndicates, Arch, Evertas (Canopius), Breach Insurance
• Premiums high relative to coverage limits
• Common exclusions: Hot wallet losses, smart contract exploits, regulatory action
• On-chain insurance: Nexus Mutual, InsurAce, Neptune Mutual (parametric models)

---

5. Emerging Topics

5.1 AI in Compliance Monitoring

Current Applications:

• Transaction monitoring — ML models reduce false positives by 40-60% vs. rules-based systems
• Customer risk scoring — dynamic, behavioral risk models
• SAR narrative generation — LLM-assisted drafting of suspicious activity reports
• Document verification — OCR + AI for ID verification, document fraud detection
• Adverse media screening — NLP-based real-time media monitoring
• Pattern recognition — detecting emerging typologies before formal guidance exists
• Regulatory change management — AI-powered tracking of regulatory updates across jurisdictions

Emerging Applications:

• On-chain behavioral analytics — AI classification of wallet behavior patterns
• Predictive compliance — identifying likely future regulatory requirements
• Automated regulatory reporting — AI-generated filings
• Conversational compliance — chatbot-driven policy guidance for business teams
• Smart contract risk scoring — AI assessment of DeFi protocol safety

Key Vendors:

Vendor	Focus
ComplyAdvantage	AI-native AML data and screening
Featurespace	Adaptive behavioral analytics (ARIC)
WorkFusion	AML automation (SARs, screening, CDD)
Hummingbird	Case management + AI-assisted SAR filing
Lucinity	Human-centered AI for AML
Napier AI	AI-powered transaction monitoring and screening
SymphonyAI (Sensa)	Financial crime analytics
Unit21	No-code rules + ML for transaction monitoring
Sardine	Fraud + compliance; crypto-native
Sumsub	Identity verification + transaction monitoring

Regulatory Perspective on AI in Compliance:

• Regulators generally supportive but require explainability
• Model risk management expectations (SR 11-7 principles for AI models)
• Human-in-the-loop requirements for SAR decisions
• Bias and fairness concerns in automated decision-making
• GDPR/data privacy implications of AI processing

5.2 On-Chain Compliance

What It Means: Using blockchain data and tooling to meet compliance obligations directly from on-chain activity.

Core Capabilities:

• Wallet screening (sanctioned addresses, dark market, mixers)
• Transaction tracing (source and destination of funds, multi-hop analysis)
• Cluster analysis (identifying wallets controlled by the same entity)
• DeFi interaction risk scoring
• Cross-chain tracking (bridge transactions, atomic swaps)
• Token provenance (history of specific tokens/NFTs)
• Real-time alerting on high-risk transactions

Major Platforms:

Platform	Key Products
Chainalysis	KYT (Know Your Transaction), Reactor (investigation), Kryptos
Elliptic	Holistic (cross-chain), Navigator (screening), Lens (investigation)
TRM Labs	TRM Forensics, TRM Transaction Monitoring, TRM Sanctions
CipherTrace (Mastercard)	Inspector, Sentry (DeFi monitoring)
Merkle Science	Compass (monitoring), Tracker (investigation)
Crystal Intelligence	Crystal Expert, Crystal Blockchain Analytics
Scorechain	Blockchain Analytics Suite (strong on privacy coins)

On-Chain Identity / Compliance Protocols:

• ERC-3643 (T-REX) — permissioned token standard with on-chain compliance
• EIP-5484 — Consensual Soulbound Tokens (identity attestations)
• Polygon ID — zero-knowledge identity verification
• Worldcoin / World ID — biometric proof of personhood
• Civic Pass — on-chain gating for compliant access
• Verite — open-source credential standard for DeFi compliance
• Chainlink CCIP — cross-chain compliance data sharing

5.3 RegTech Solutions

Categories of Crypto RegTech:

1. Identity & Onboarding:

   • Sumsub, Jumio, Onfido, Veriff — ID verification
   • Chainalysis KYT, Elliptic — wallet screening at onboarding
   • World ID, Polygon ID — decentralized identity

2. Transaction Monitoring:

   • Chainalysis KYT, TRM Labs, Elliptic — on-chain
   • Featurespace, NICE Actimize — fiat transaction monitoring
   • Sardine, Unit21 — fraud + compliance combined

3. Screening:

   • ComplyAdvantage, Dow Jones, Refinitiv — sanctions + PEP + adverse media
   • OFAC SDN API — direct screening
   • Chainalysis Sanctions Oracle (on-chain)

4. Reporting:

   • Hummingbird, WorkFusion — SAR generation and filing
   • TaxBit, Lukka, Ledgible — tax reporting and 1099-DA
   • Eventus Systems — trade surveillance

5. Regulatory Intelligence:

   • Ascent RegTech — regulatory change management
   • CUBE — regulatory intelligence
   • Corlytics — regulatory risk analytics

6. Governance, Risk, Compliance (GRC):

   • Chainalysis, Elliptic — enterprise compliance platforms
   • LogicGate, StandardFusion — GRC platforms
   • MetricStream, ServiceNow GRC — enterprise GRC

5.4 Cross-Border Regulatory Harmonization

Current Harmonization Efforts:

Initiative	Scope	Status
FATF Standards	Global AML/CFT	Most influential; 200+ jurisdictions
MiCA (EU)	27 EU member states	Live (2024); global influence as regulatory template
OECD CARF	Global tax reporting	48+ jurisdictions committed; 2026-2027 implementation
IOSCO Crypto Recommendations	Global securities	18 recommendations (Nov 2023); voluntary
FSB Crypto Framework	Global financial stability	High-level recommendations (July 2023)
BIS/CPMI PFMI	Global market infrastructure	Application to stablecoin arrangements
G20 Roadmap	Global coordination	Endorsed FSB/IOSCO/FATF frameworks

Key Friction Points:

• US vs. EU regulatory divergence (enforcement vs. legislation)
• Securities classification inconsistency across jurisdictions
• DeFi regulatory approach divergence
• Privacy/data protection vs. AML transparency conflicts
• Stablecoin regulation fragmentation
• NFT treatment inconsistency
• Travel Rule implementation speed variation (sunrise problem)

Mutual Recognition / Equivalence:

• EU MiCA third-country provisions — limited equivalence path
• No broad mutual recognition agreements for crypto licensing yet
• Singapore/Hong Kong cooperation on tokenization
• UK equivalence determinations pending post-Brexit

5.5 CBDC Implications for Compliance

CBDC Projects (Status as of early 2026):

CBDC	Stage	Compliance Implications
Digital Euro (ECB)	Preparation phase	Offline/online tiers; privacy vs. AML balance; holding limits
Digital Yuan (e-CNY)	Advanced pilot	Tiered KYC (anonymous small, full KYC large); 23 cities
Digital Pound (UK)	Design phase	"Platform model"; privacy safeguards; holding limit (~GBP 10-20K)
FedNow / Digital Dollar (US)	Research	Political uncertainty; FedNow live (not CBDC)
Digital Rupee (India)	Pilot	Wholesale + retail; bank-distributed
mBridge (BIS)	Pilot	Cross-border wholesale CBDC; multi-country
Project Dunbar (BIS)	Completed	Multi-CBDC platform; cross-border settlement

Compliance Implications:

• Programmable compliance (automatic AML rules in CBDC design)
• Tiered anonymity (small transactions anonymous, large require KYC)
• Disintermediation risk for banks (holding limits as mitigation)
• Cross-border CBDC interoperability standards needed
• Privacy vs. surveillance concerns
• Impact on stablecoin market (potential displacement)
• Offline transaction compliance challenges
• Implications for commercial bank business models

5.6 Tokenized Real-World Assets (RWA) Regulations

Asset Classes Being Tokenized:

• Government bonds (US Treasuries — Ondo, Franklin Templeton, BlackRock BUIDL)
• Corporate bonds
• Real estate (commercial and residential)
• Commodities (gold — Paxos Gold, Tether Gold)
• Private equity / venture capital fund interests
• Trade finance receivables
• Carbon credits
• Art and collectibles
• Infrastructure assets

Regulatory Frameworks:

Jurisdiction	Framework	Status
EU	DLT Pilot Regime (2022/858)	Live; sandbox for tokenized securities
EU	MiCA (for non-security tokens)	Live
EU	MiFID II (for security tokens)	Existing framework applies
US	SEC regulation (Reg D, Reg S, Reg A+)	Existing exemptions used for tokenized securities
Singapore	MAS Project Guardian	Pilot; institutional tokenization
UK	FCA Digital Securities Sandbox	Launching 2025
Switzerland	DLT Act	Live; "DLT Securities" recognized
Japan	STO regime (FIEA)	Live; security token offerings
Hong Kong	SFC tokenization guidance	Institutional focus
UAE (ADGM)	Comprehensive framework	Live

Key Compliance Considerations for RWA:

• Dual compliance: DLT/crypto regulations + underlying asset regulations
• Transfer restrictions (jurisdictional lock-outs, accredited investor checks)
• KYC/AML at issuance AND secondary transfer
• On-chain enforcement of compliance (ERC-3643, Polymesh, etc.)
• Custody of underlying asset vs. custody of token
• Regulatory reporting for tokenized securities
• Tax treatment of tokenized assets (jurisdiction-dependent)
• Cross-border transfer complications
• Oracle risk (real-world data feeds into smart contracts)
• Bankruptcy treatment of tokenized assets

---

6. Site Information Architecture

6.1 Recommended Primary Navigation

web3compliance.ai
|
+-- Regulations
|   +-- By Framework (MiCA, FATF, Travel Rule, AML/KYC, Securities, etc.)
|   +-- By Jurisdiction (country-by-country profiles)
|   +-- By Asset Type (tokens, stablecoins, NFTs, RWA, DeFi)
|   +-- Regulatory Updates (news feed / tracker)
|
+-- Compliance Toolkit
|   +-- Program Builder (what you need for compliance)
|   +-- Risk Assessment Templates
|   +-- Policy Templates Library
|   +-- Vendor Directory (RegTech, analytics, legal, audit)
|   +-- Licensing Guide (by jurisdiction)
|
+-- Intelligence
|   +-- Enforcement Tracker (actions, fines, settlements)
|   +-- Regulatory Change Feed (global legislative tracker)
|   +-- Consultation Tracker (open consultations, comment periods)
|   +-- Industry Analysis & Reports
|
+-- Learn
|   +-- Compliance Fundamentals (guides by topic)
|   +-- Certification Prep (CAMS, ICA, etc.)
|   +-- Glossary / Taxonomy
|   +-- Case Studies
|
+-- Tools (future)
|   +-- Jurisdiction Comparison Tool
|   +-- Token Classification Analyzer
|   +-- Sanctions Screening Check
|   +-- Travel Rule Requirements Lookup
|   +-- Regulatory Calendar

6.2 Content Types and Their Fit

Content Type	Purpose	Update Frequency	Audience Value
Jurisdiction Profiles	Comprehensive country-by-country regulatory breakdown	Quarterly + event-driven	Very High — core reference
Framework Guides	Deep dives on specific regulatory frameworks (MiCA, FATF, Travel Rule)	When regulations change	Very High — educational + reference
Regulatory Tracker / Feed	Real-time updates on regulatory changes, consultations, enforcement	Daily/weekly	High — keeps professionals current
Enforcement Database	Searchable database of enforcement actions, fines, settlements	Event-driven	High — risk intelligence
Compliance Templates	Downloadable policy templates, risk assessment frameworks, checklists	Quarterly	High — practical utility
Vendor Directory	Categorized directory of RegTech, analytics, legal, audit firms	Monthly	Medium-High — procurement aid
Analysis / Commentary	Expert analysis of regulatory developments and their implications	Weekly	High — thought leadership
Comparison Tools	Interactive tools comparing regulations across jurisdictions	Quarterly	Very High — unique value prop
Glossary / Taxonomy	Definitions and classifications	As needed	Medium — reference utility
Webinars / Events	Expert discussions on compliance topics	Monthly	Medium — community building
Newsletter	Curated regulatory intelligence digest	Weekly	High — retention and engagement
API Access	Programmatic access to regulatory data	Continuous	Medium — developer audience

6.3 Content Prioritization for Launch

Phase 1 — Core Reference (Launch):

1. Tier 1 jurisdiction profiles (8 countries)
2. Top 5 framework guides (MiCA, FATF/VASP, AML/KYC, Travel Rule, Securities/Token Classification)
3. Regulatory tracker feed
4. Glossary/taxonomy
5. Homepage with clear value proposition

Phase 2 — Practical Tools (Month 2-3): 6. Tier 2 jurisdiction profiles (5 countries) 7. Compliance program builder / checklists 8. Enforcement tracker database 9. Vendor directory 10. Newsletter launch

Phase 3 — Differentiation (Month 4-6): 11. Jurisdiction comparison tool (interactive) 12. Remaining jurisdiction profiles 13. Policy template library 14. Token classification guide (interactive) 15. Analysis/commentary program (weekly)

Phase 4 — Platform (Month 6-12): 16. API access for regulatory data 17. Community features 18. Premium/subscription tier 19. Certification prep content 20. Webinar program

6.4 Competitive Positioning

Existing Players:

Competitor	Focus	Gap
Elliptic / Chainalysis blogs	On-chain compliance, product marketing	Not independent; vendor-biased
CoinDesk / The Block	News	Not compliance-focused; not structured for practitioners
FATF / IOSCO / FSB	Standard setting	Too high-level; not practitioner-friendly
Law firm blogs (Linklaters, A&O, etc.)	Legal analysis	Fragmented; not aggregated; not crypto-native
Comply Advantage resources	AML focus	Product marketing; limited crypto-specific depth

web3compliance.ai Differentiation:

• Independent (not tied to any vendor)
• Crypto-native (built by people who understand both compliance AND Web3)
• Practitioner-focused (tools, templates, actionable guidance — not just news)
• Global scope with jurisdiction-level depth
• Structured taxonomy (not just articles — navigable, queryable knowledge base)
• Real-time regulatory tracking across all jurisdictions
• Interactive comparison tools (unique in market)

6.5 Audience Segments

Segment	Needs	Key Content
Compliance Officers at Crypto Companies	Operationalize regulations, build programs, pass audits	Templates, guides, vendor directory, tracker
Legal Counsel (in-house and law firms)	Regulatory analysis, jurisdiction comparison, enforcement trends	Jurisdiction profiles, analysis, enforcement database
Regulators and Policymakers	Peer jurisdiction analysis, industry standards	Framework guides, comparison tools, industry standards
TradFi Compliance Moving to Crypto	Translation of existing knowledge to crypto context	Fundamentals, glossary, program builder
Founders / CEOs of Crypto Startups	What licenses do I need? What does compliance cost?	Licensing guide, program builder, cost analysis
RegTech Vendors	Market intelligence, partnership opportunities	Vendor directory listing, industry analysis
Investors (VCs, Institutional)	Due diligence on regulatory risk	Jurisdiction profiles, enforcement tracker

---

Appendix A: Key Acronyms

Acronym	Full Name
AMLA	Anti-Money Laundering Act / Authority (context-dependent)
AMLD	Anti-Money Laundering Directive (EU)
ART	Asset-Referenced Token (MiCA)
BSA	Bank Secrecy Act (US)
CAESP	Crypto-Asset Exchange Service Provider (Japan)
CAMS	Certified Anti-Money Laundering Specialist
CARF	Crypto-Asset Reporting Framework (OECD)
CASP	Crypto-Asset Service Provider (EU/MiCA)
CBDC	Central Bank Digital Currency
CCSS	CryptoCurrency Security Standard
CDD	Customer Due Diligence
CTR	Currency Transaction Report
DAO	Decentralized Autonomous Organization
DeFi	Decentralized Finance
DLT	Distributed Ledger Technology
EDD	Enhanced Due Diligence
EMT	E-Money Token (MiCA)
EWRA	Enterprise-Wide Risk Assessment
FATF	Financial Action Task Force
FIEA	Financial Instruments and Exchange Act (Japan)
FSRA	Financial Services Regulatory Authority (ADGM)
KYC	Know Your Customer
MiCA	Markets in Crypto-Assets (EU)
MLRO	Money Laundering Reporting Officer
MSB	Money Services Business
NFT	Non-Fungible Token
PEP	Politically Exposed Person
PSA	Payment Services Act (Singapore/Japan)
RWA	Real-World Assets
SAR	Suspicious Activity Report
SDD	Simplified Due Diligence
STR	Suspicious Transaction Report
TFR	Transfer of Funds Regulation (EU)
VA	Virtual Asset
VARA	Virtual Assets Regulatory Authority (Dubai)
VASP	Virtual Asset Service Provider
VATP	Virtual Asset Trading Platform (Hong Kong)

Appendix B: Key Dates and Timelines

Date	Event
2018	Gibraltar DLT framework; Malta VFA Act; Bermuda DAB Act; Liechtenstein TVTG
2019	FATF Recommendation 15 (VAs/VASPs); Singapore PSA enacted
2020	US OCC crypto custody letter; FATF 12-month review
2021	Switzerland DLT Act; FATF Updated Guidance; US Infrastructure Act (broker definition)
2022	EU MiCA adopted; OECD CARF; Terra/Luna collapse; FTX collapse; OFAC Tornado Cash
2023	EU MiCA published (June); Hong Kong VATP regime (June); Japan stablecoin rules; Singapore stablecoin framework; UK FSMA 2023; South Korea VAUPA
2024	MiCA Title III/IV effective (June); Full MiCA application (Dec); EU TFR effective; Hong Kong licensing deadline; South Korea VAUPA effective
2025	MiCA grandfathering period ends; EU AMLA operational; UK stablecoin regulation; CARF early adopters begin
2026	CARF reporting begins; US broker reporting (1099-DA) effective; Ongoing MiCA implementation
2027	CARF broad implementation; South Korea crypto tax effective