Crypto Compliance, AML, KYC & Licensing

Crypto compliance is the set of rules and internal controls that exchanges, wallet providers, and other crypto businesses follow to prevent financial crime and operate legally. Two ideas sit at its core: anti-money laundering (AML), which aims to stop criminals from disguising the origins of illicit funds, and know your customer (KYC), the identity-verification process that supports it. Licensing sits on top of both: in most major markets, a business cannot legally offer crypto services to the public without authorization from a financial regulator.

This guide explains what AML and KYC actually mean, what you will be asked to provide when you sign up to a regulated exchange, how licensing regimes such as New York's BitLicense and the EU's MiCA framework work, and what compliance obligations crypto businesses carry in 2026. The rules differ sharply by country and change often, so treat the specifics below as a starting point and confirm details with official regulators and qualified advisers. This article is educational and is not legal, financial, or tax advice.

What AML & KYC mean

Anti-money laundering (AML) refers to laws, regulations, and procedures designed to detect and prevent the conversion of criminal proceeds into seemingly legitimate assets. Money laundering is often described in three stages: placement (introducing illicit funds into the financial system), layering (moving them through complex transactions to obscure their trail), and integration (returning the now-disguised money to the criminal as apparently clean funds). Because cryptocurrencies move quickly across borders and can be split across many addresses, regulators treat them as a money-laundering and terrorist-financing risk and apply AML rules to the businesses that handle them.

Know your customer (KYC) is the identity-verification component of an AML program. Before letting someone transact, a regulated business confirms who they are and assesses the risk they pose. KYC is part of a broader practice called customer due diligence (CDD), which can escalate to enhanced due diligence (EDD) for higher-risk customers, such as those in high-risk jurisdictions or politically exposed persons (PEPs).

A typical AML/KYC program for a crypto business includes several pillars:

  • Customer identification and verification at onboarding, and re-verification when risk changes.
  • Ongoing transaction monitoring to flag unusual patterns, such as rapid in-and-out transfers or links to sanctioned or high-risk addresses.
  • Sanctions and watchlist screening against lists maintained by bodies such as the US Office of Foreign Assets Control (OFAC).
  • Suspicious activity reporting to the relevant financial intelligence unit (for example, a Suspicious Activity Report, or SAR, in the United States).
  • Recordkeeping of identity data and transactions for a period set by local law (commonly around five years).
  • A designated compliance officer, staff training, and independent testing of the program.

The global baseline for these expectations comes from the Financial Action Task Force (FATF), an intergovernmental standard-setter. Its recommendations are not binding law themselves, but most countries translate them into national rules, which is why AML/KYC requirements look broadly similar worldwide even though the details differ.

KYC on exchanges

For everyday users, KYC is the verification step you complete when signing up to a regulated exchange or custodial wallet. The goal is to tie an account to a real, verified person so that funds can be traced if law enforcement requests it. While each platform designs its own flow, you will usually be asked for some combination of the following:

  • Personal details: full legal name, date of birth, residential address, and sometimes nationality and tax identification number.
  • Government-issued photo ID: a passport, national ID card, or driver's license.
  • Proof of address: a recent utility bill, bank statement, or similar document.
  • A liveness or selfie check: a photo or short video to confirm you match your ID and are a real person.
  • Source-of-funds or source-of-wealth information for larger accounts or higher-risk activity.

Many platforms use tiered verification: a basic tier with low deposit and withdrawal limits, and higher tiers that unlock larger limits and more features once additional checks are passed. Verification is increasingly automated, with document scanning and biometric checks handled by specialized identity-verification vendors, though manual review still applies to edge cases.

It helps to understand why exchanges insist on this. A platform that lets anonymous users move large sums risks heavy fines, loss of banking relationships, and even criminal liability for its operators. KYC also protects users by making account takeover and impersonation harder. The trade-off is privacy: KYC necessarily collects sensitive personal data, so it is worth checking how a platform stores and protects that information, and being cautious about unregulated services that ask for documents without a clear security and licensing track record.

A few practical tips: use platforms that are licensed or registered in your jurisdiction, expect to re-verify periodically, keep your registered details current, and be aware that withdrawals to or from certain addresses may trigger additional questions under transaction-monitoring rules.

Licensing (e.g. BitLicense)

Operating a crypto business legally almost always requires authorization from a financial regulator. The exact label, scope, and cost vary widely by jurisdiction, but the underlying expectation is consistent: demonstrate that you can operate safely, protect customers, and run an effective AML program.

The best-known US example is New York's BitLicense, administered by the New York State Department of Financial Services (NYDFS) and in force since 2015. It applies to firms conducting "virtual currency business activity" involving New York or New York residents. Reporting from 2026 indicates an application fee in the region of $5,000, a substantial surety-bond or capital requirement, and detailed submissions covering ownership, business plans, cybersecurity, consumer protection, and AML controls. Many applicants report total first-year costs ranging into the hundreds of thousands of dollars once legal, technology, and audit expenses are included. Because these figures and thresholds can change, confirm the current requirements directly with NYDFS before relying on them.

Elsewhere in the United States, most crypto businesses must register with the federal Financial Crimes Enforcement Network (FinCEN) as a money services business (MSB) and obtain money transmitter licenses (MTLs) in each state where they operate, which is a costly, state-by-state process. In the European Union, the Markets in Crypto-Assets (MiCA) regulation now provides a single, harmonized framework: its main provisions became applicable on 30 December 2024, and a transitional period for existing firms runs in most member states up to 1 July 2026, after which an authorized Crypto-Asset Service Provider (CASP) license is required to serve EU clients. MiCA also imposes specific reserve and transparency rules on stablecoin issuers. Other hubs run their own regimes, such as the United Kingdom's FCA registration for cryptoasset firms, and licensing frameworks in Singapore, Hong Kong, and elsewhere.

The common thread across these regimes is that a license is not a one-time formality. It comes with ongoing reporting, audits, capital and cybersecurity standards, and the regulator's power to fine or revoke. Given how much the details differ and how fast they evolve, businesses should obtain jurisdiction-specific legal advice rather than assume one country's rules apply elsewhere.

Compliance for businesses

For a crypto company, compliance is an operational discipline rather than a single checkbox. Building a credible program generally involves the following steps:

  • Map your obligations. Determine which regulators have jurisdiction based on where you are incorporated, where your customers are, and what services you offer. A business serving users in several countries may face overlapping AML, licensing, data-protection, and tax rules.
  • Register and license appropriately. Complete federal and state registrations (such as a FinCEN MSB registration and state MTLs in the US) or regional authorizations (such as a MiCA CASP license in the EU) before going live.
  • Write and maintain AML/KYC policies. Document your risk assessment, CDD and EDD procedures, sanctions screening, transaction-monitoring rules, and reporting workflows, and review them regularly as rules and products change.
  • Appoint a compliance officer and train staff. A named, accountable individual should own the program, with periodic training for employees and independent testing or audit of controls.
  • Implement the Travel Rule. When transmitting virtual assets above the applicable threshold, regulated firms must collect and pass on originator and beneficiary information to the next institution. The US threshold under the Bank Secrecy Act is currently $3,000 (a long-proposed reduction to $250 for certain cross-border transfers has not been finalized as of 2026), while the EU applies the rule with effectively no minimum threshold. FATF revised its Recommendation 16 in June 2025 to strengthen and broaden these payment-transparency expectations. Because adoption is uneven across countries, firms also wrestle with the "sunrise issue," where a compliant exchange tries to transact with a counterparty in a country that has not yet implemented the rule.
  • Keep records and report. Retain identity and transaction data for the legally required period and file suspicious activity reports and any large-transaction or currency reports your jurisdiction mandates.
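The transaction-monitoring, sanctions-screening and Travel Rule checks described in the program pillars above and in the steps just listed, as an added Python illustration that is not code from this article or from any vendor or regulator. The sample transactions, the placeholder sanctions entry, the one-hour window and the 5% amount tolerance are constructed assumptions; the thresholds are the article's stated figures and must be confirmed against current rules before use.

```python
from dataclasses import dataclass
from collections import defaultdict

# Travel Rule thresholds in USD as stated in the article: US $3,000 under the BSA,
# EU effectively no minimum. Verify against current rules before relying on them.
TRAVEL_RULE_THRESHOLD_USD = {"US": 3000.0, "EU": 0.0}

# Constructed sanctions list with a placeholder address; not a real indicator.
SANCTIONED_ADDRESSES = {"addr_sanctioned_example_1"}

@dataclass(frozen=True)
class Tx:
    tx_id: str
    ts: int            # unix seconds
    customer: str
    counterparty: str  # external blockchain address
    amount_usd: float
    direction: str     # "in" (deposit) or "out" (withdrawal)
    jurisdiction: str  # whose rules govern this transfer

def travel_rule_applies(tx: Tx) -> bool:
    """True when originator/beneficiary data must be collected and passed on."""
    # Unknown jurisdiction: fail closed and treat the transfer as in scope.
    threshold = TRAVEL_RULE_THRESHOLD_USD.get(tx.jurisdiction, 0.0)
    return tx.amount_usd >= threshold  # amounts at or above the threshold are in scope

def review(txs: list[Tx], window_s: int = 3600, tolerance: float = 0.05) -> list[tuple[str, str]]:
    """Return (tx_id, alert) pairs: sanctions hits, Travel Rule duties, rapid in-and-out."""
    alerts = []
    seen = defaultdict(list)  # customer -> earlier transactions
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.counterparty in SANCTIONED_ADDRESSES:
            alerts.append((tx.tx_id, "sanctions_hit"))
        if travel_rule_applies(tx):
            alerts.append((tx.tx_id, "travel_rule_collect_originator_beneficiary"))
        if tx.direction == "out":
            # Rapid in-and-out: a withdrawal of roughly the same size shortly after a deposit.
            for prior in seen[tx.customer]:
                if (prior.direction == "in" and tx.ts - prior.ts <= window_s
                        and abs(prior.amount_usd - tx.amount_usd) <= tolerance * prior.amount_usd):
                    alerts.append((tx.tx_id, f"rapid_in_out_with_{prior.tx_id}"))
                    break
        seen[tx.customer].append(tx)
    return alerts

SAMPLE_TXS = [  # constructed sample data, not real transactions
    Tx("t1", 1000, "cust_a", "addr_x", 2500.0, "in", "US"),
    Tx("t2", 1900, "cust_a", "addr_y", 2450.0, "out", "US"),  # out 15 minutes after a similar deposit
    Tx("t3", 5000, "cust_b", "addr_sanctioned_example_1", 150.0, "out", "EU"),
    Tx("t4", 6000, "cust_c", "addr_z", 3000.0, "out", "US"),  # exactly at the US threshold
]

if __name__ == "__main__":
    for tx_id, alert in review(SAMPLE_TXS):
        print(tx_id, alert)
```

Each alert would feed a case queue for analyst review and, where warranted, a suspicious activity report; the rule is a starting point, not a substitute for a risk-based monitoring design.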

Beyond the formal program, exchanges typically invest heavily in security (encryption, multi-factor authentication, cold storage of customer assets, and continuous threat monitoring) because a breach is both a customer-protection failure and, in many regimes, a reportable compliance event. The hardest part for many businesses is operating across multiple jurisdictions at once, since a control that satisfies one regulator may fall short of another. Two recurring tensions sit underneath all of this: the cost and complexity of compliance, which can be especially heavy for smaller firms, and the friction between regulatory transparency and the privacy and decentralization that drew many people to crypto in the first place. None of the above substitutes for tailored legal and compliance advice for your specific situation.

Frequently asked questions

Do I have to complete KYC to use cryptocurrency?

Not always to hold or self-custody crypto, but yes for nearly all regulated, custodial services. Licensed exchanges, brokers, and custodial wallets are legally required to verify your identity before letting you trade, deposit, or withdraw. Peer-to-peer and self-custodial activity may not require KYC, but converting to or from traditional currency almost always goes through a verified, regulated entity at some point.

What is the difference between AML and KYC?

AML is the broad goal and legal framework for preventing money laundering and related crimes. KYC is one specific tool within an AML program: the process of verifying a customer's identity and assessing their risk. Put simply, KYC is part of how a business achieves AML compliance, alongside transaction monitoring, sanctions screening, recordkeeping, and suspicious activity reporting.

What is the crypto Travel Rule?

The Travel Rule requires financial institutions, including regulated crypto firms, to collect and share sender and recipient information when transferring funds or virtual assets above a set threshold. In the US that threshold is currently $3,000 under the Bank Secrecy Act, while the EU applies it with effectively no minimum. It is based on FATF Recommendation 16 and is intended to make illicit transfers easier to trace. Thresholds and details vary by country and change over time, so verify the rules that apply to you.

Does every crypto business need a license like the BitLicense?

It depends entirely on where you operate and what you do. The BitLicense is specific to New York. Most US firms also need a federal FinCEN MSB registration and state money transmitter licenses; EU firms need a MiCA CASP authorization; and other countries run their own regimes. Some activities, such as purely non-custodial software, may face lighter requirements in certain places. Always get jurisdiction-specific legal advice before launching.

Is my personal data safe when I complete exchange KYC?

Reputable, licensed platforms are subject to data-protection rules and typically encrypt and restrict access to identity documents, but no system is risk-free. Favor regulated providers with a clear security and compliance track record, enable strong account protections such as multi-factor authentication, and be wary of unlicensed services that request sensitive documents without transparent safeguards. This is general guidance, not a guarantee about any specific platform.

Last updated: 2026-06.