Crypto AML

A practical guide to anti-money laundering compliance for virtual assets: what FATF requires of VASPs, how transaction monitoring works on-chain, which tools identify high-risk addresses, when to file a suspicious activity report, and how to build a programme that satisfies regulators without generating excessive false positives.

Key principle: Crypto AML is a risk-based framework, not a zero-tolerance system. The goal is proportionate controls — blocking clearly illicit funds while allowing legitimate users to transact without unnecessary friction.

Crypto AML Programme: Know → Monitor → Report → Document

Know your customer (KYC/CDD)

Verify user identity at onboarding using CDD procedures. Establish the expected transaction profile. Apply enhanced due diligence (EDD) for high-risk users, PEPs, and high-value accounts.

Monitor transactions on-chain

Screen wallet addresses at deposit and withdrawal using blockchain analytics. Flag exposure to mixers, sanctioned entities, darknet markets, and other illicit clusters. Re-screen periodically for ongoing relationships.

Report suspicious activity

File SARs (or STRs) with your jurisdiction's FIU when you identify transactions you know or suspect involve criminal proceeds. Do not tip off the subject of a SAR filing.

Document everything

Maintain records of KYC data, screening results, compliance decisions, and SAR filings for the required retention period (typically 5 years). Regulators examine the audit trail — not just the existence of controls.

What Crypto AML Is — and Who It Applies To

Crypto AML is the set of controls, policies, and tools that virtual asset businesses use to detect and prevent money laundering through blockchain transactions. It encompasses customer due diligence, ongoing transaction monitoring, wallet address screening, sanctions checking, and suspicious activity reporting.

KYC / CDD · Transaction Monitoring · VASP Obligations · Sanctions Screening · SAR / STR Filing

Regulated entities (legally required)

Exchanges, custodians, OTC desks, fiat on-ramps, and payment processors are classified as VASPs under FATF Recommendation 15 and must apply full AML/CFT controls.

Exchanges · Custodians · Payment processors

DeFi protocols (evolving obligations)

Fully decentralised protocols without a central operator remain in regulatory grey territory — but frontend operators, deployer teams, and governance multisigs face increasing scrutiny.

DeFi frontends · Deployer teams · Growing exposure

Crypto AML in Numbers: Illicit Activity Scale (2024–2026)

  • $24.2B: Illicit crypto volume 2023
  • $11.5B: Sent to sanctioned entities
  • 0.34%: Share of all crypto flagged
  • 72%: Illicit crypto via VASPs

Risk Categories in Crypto AML Screening

  • Low (0–25): Proceed
  • Medium (26–74): EDD
  • High (75–100): Block/SAR

Category | Severity | Compliance response
Sanctioned entity (OFAC SDN) | Critical | Immediate block; SAR mandatory for US-nexus VASPs
Mixer / tumbler | High | Block above threshold; source-of-funds request; possible SAR
Darknet market | High | Block; SAR filing strongly recommended
Ransomware | High | Block; SAR; check jurisdiction-specific restrictions
Fraud / scam | Medium–High | Assess victim vs participant; enhanced review; consider SAR
Unregulated P2P exchange | Medium | Enhanced due diligence; source-of-funds documentation
Regulated exchange | Low | Proceed; standard monitoring

FATF Travel Rule and Crypto AML Requirements (2026)

The FATF Travel Rule (Recommendation 16) extends the traditional wire-transfer information requirement to virtual asset transfers. VASPs must collect and transmit originator and beneficiary identity data with each transfer above the jurisdiction threshold.

  • Standard threshold: USD/EUR 1,000 in most jurisdictions.
  • EU Transfer of Funds Regulation (TFR, 2023): no minimum — all transfers require identity data.
  • US BSA / FinCEN: Travel Rule applies above USD 3,000 for MSBs.
  • Unhosted wallets: transfers above threshold require proof of wallet ownership and EDD.
Travel Rule compliance and transaction monitoring are parallel obligations — passing originator data does not discharge the duty to screen funds for illicit exposure.

Best Practices for Crypto AML Teams

  • Write a risk-appetite statement before configuring any tool. Vendor defaults are a starting point, not a policy.
  • Screen on deposit and withdrawal, not just onboarding. A clean wallet at signup can interact with a sanctioned entity six months later.
  • Train staff to interpret category breakdowns, not just scores. Direct sanction exposure at 2% of a wallet's history requires immediate action. Indirect P2P at four hops requires documentation.
  • Document every decision with policy citations. "Score = 82, §4.3 requires block for mixer exposure >75" is defensible. "Tool flagged it" is not.
  • Track your false positive rate quarterly. A rate above 10–15% cleared accounts signals miscalibrated thresholds.
  • Stay current with FATF and local guidance. The virtual asset regulatory framework is evolving faster than most financial sectors.
Most common mistake: Treating a high score as conclusive without reading the category breakdown. A wallet can score 80 driven entirely by indirect P2P contact at four hops — which requires documentation, not blocking.
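
One way to encode the score bands and the category-breakdown rules above as a triage step that also produces the audit-trail rationale. This is an added example, not cmply's code or any vendor's API: the Exposure fields, the category labels, the action names and the policy clause numbers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    category: str   # label from the analytics tool (assumed names, e.g. "sanctioned")
    share: float    # fraction of the wallet's history, 0.0 to 1.0
    hops: int       # 1 = direct counterparty

def triage(score: int, exposures: list[Exposure]) -> dict:
    """Map a 0-100 risk score plus its category breakdown to a documented decision."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    direct = [e for e in exposures if e.category == "sanctioned" and e.hops == 1]
    if direct:
        # Direct sanctioned exposure is acted on at any share and any score.
        share = max(e.share for e in direct)
        return _decision("BLOCK", score, f"direct sanctioned exposure at {share:.0%}", "§4.1")
    if score <= 25:
        return _decision("PROCEED", score, "low band, standard monitoring", "§4.2")
    if score <= 74:
        return _decision("EDD", score, "medium band, enhanced due diligence", "§4.2")
    if exposures and all(e.category == "p2p_unregulated" and e.hops >= 4 for e in exposures):
        # High score driven entirely by distant P2P contact: record it, do not block.
        return _decision("DOCUMENT", score, "indirect P2P only at 4+ hops", "§4.4")
    top = max(exposures, key=lambda e: e.share, default=None)
    reason = f"{top.category} exposure at {top.share:.0%}" if top else "no breakdown supplied"
    return _decision("BLOCK", score, f"high band, {reason}", "§4.3")

def _decision(action: str, score: int, reason: str, clause: str) -> dict:
    # Clause numbers are constructed placeholders; cite your own policy text here.
    return {"action": action,
            "rationale": f"Score = {score}, {reason}; policy {clause} (placeholder)"}

if __name__ == "__main__":
    # Constructed screening results, not real wallets or real tool output.
    samples = [
        (12, [Exposure("sanctioned", 0.02, 1)]),
        (80, [Exposure("p2p_unregulated", 0.7, 4), Exposure("p2p_unregulated", 0.3, 5)]),
        (82, [Exposure("mixer", 0.30, 1), Exposure("p2p_unregulated", 0.10, 2)]),
        (40, [Exposure("p2p_unregulated", 0.25, 1)]),
    ]
    for score, exposures in samples:
        print(triage(score, exposures))
```

The first sample shows why the breakdown is read before the score: a wallet in the low band is still blocked because 2% of its history is direct sanctioned exposure.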

Frequently Asked Questions

What is crypto AML and why does it matter?

Crypto AML (anti-money laundering) is the set of controls, policies, and tools that virtual asset businesses use to detect and prevent money laundering through blockchain transactions. It encompasses KYC/CDD at onboarding, ongoing transaction monitoring, sanctions screening, and SAR filing. FATF Recommendation 15 requires VASPs to apply AML controls equivalent to traditional financial institutions — with active enforcement frameworks in the EU (MiCA/TFR), US (FinCEN/BSA), and UK (FCA).

What are the core components of a crypto AML programme?

A complete programme includes: (1) KYC/CDD at onboarding; (2) ongoing transaction monitoring at every deposit and withdrawal; (3) sanctions screening against OFAC SDN and equivalent lists; (4) Travel Rule compliance for transfers above jurisdiction thresholds; (5) SAR/STR filing with the relevant FIU; and (6) record-keeping for the required retention period.

When is a SAR required?

A SAR is required when you know, suspect, or have reasonable grounds to suspect a transaction involves proceeds of crime or terrorist financing. This covers: direct OFAC-sanctioned wallet exposure, near-direct darknet or ransomware interaction, structuring behaviour, and customers whose on-chain activity is inconsistent with their stated source of funds. Never tip off the subject — disclosure is prohibited and can be a criminal offence.

Can crypto AML screening produce false positives?

Yes. False positives are inherent to probabilistic heuristic clustering. Common scenarios: CoinJoin users, large exchange hot wallets shared across thousands of customers, and addresses recently re-attributed to newly-identified illicit entities. Build a documented dispute resolution process and track your false positive rate quarterly; a rate above 10–15% cleared accounts signals miscalibrated thresholds.

How does crypto AML differ from traditional financial AML?

The obligations are structurally similar — KYC, monitoring, SAR filing — but the technical tools differ fundamentally. Traditional AML monitors bank account names and transaction narratives; crypto AML monitors blockchain address graphs. Crucially, the complete transaction history of every wallet address is permanently visible on-chain — enabling analytics tools to trace fund flows across years in seconds. FATF considers well-implemented crypto AML potentially more effective than traditional financial monitoring.
