Crypto AML — anti-money-laundering for cryptocurrency — is the set of controls that keep cryptocurrency businesses from being used to move illicit funds. The rules borrow heavily from traditional finance but adapt to a public-ledger world where every transaction is visible and every counterparty has a verifiable on-chain history.

Who has to do crypto AML?

If your business takes custody of customer crypto, converts crypto to fiat (or the reverse), or facilitates transfers on behalf of others, you almost certainly fall under AML obligations in your jurisdiction. That includes centralized exchanges, OTC desks, custodians, payment processors, NFT marketplaces that handle fiat off-ramps, and an increasing number of DeFi front-ends.

In the United States, the relevant designation is "money services business" (MSB) under FinCEN. In the EU, the Markets in Crypto-Assets (MiCA) regulation and the 5th/6th AML Directives apply. The UK, Singapore, UAE, and most G20 countries have their own frameworks. The specifics differ; the obligations rhyme.

The five pillars of a crypto AML program

Regulators look for the same core controls across jurisdictions:

1. Customer Due Diligence (KYC)

Verify the identity of every customer before they can transact. Collect government ID, proof of address, and risk-based enhanced due diligence (EDD) for higher-risk customers such as politically exposed persons (PEPs).

2. Transaction Monitoring

Watch every deposit and withdrawal for patterns associated with money laundering — structuring, rapid movement, mixer use, sanctioned counterparties. On-chain monitoring is the crypto-specific layer added to the traditional rules-based engine.

3. Sanctions Screening

Screen every wallet address against OFAC, EU, UN, and UK sanctions lists at deposit, withdrawal, and on a periodic re-screen schedule. Sanctions exposure is strict liability — intent doesn't matter.

4. Suspicious Activity Reporting (SAR)

When monitoring flags something genuinely suspicious, file a SAR with your local Financial Intelligence Unit (FinCEN in the US, the NCA in the UK, etc.) within the statutory window. The bar is suspicion, not proof.

5. Recordkeeping

Retain customer identification, transaction records, screening results, SAR filings, and policies for the period your regulator specifies — typically 5 to 7 years. You will be audited; the records are what you'll be audited on.

What makes crypto AML different from traditional AML?

Two things. First, the data is public. Every Bitcoin or Ethereum transaction is observable on chain. That means you can — and are expected to — screen counterparty wallets, not just your customer's identity. Second, the data is permanent. A wallet's history doesn't disappear, which means a counterparty that was clean last week can become flagged today, and you're expected to re-screen periodically.

The flip side: crypto AML evidence is much stronger than its banking equivalent. A bank wire to "counterparty X" is a name and an account number. A crypto withdrawal to wallet 0xabc... gives you that wallet's full transactional history — every counterparty it has ever interacted with, every label that's been applied to it, every sanctions overlap. Used well, this is a significantly higher-quality signal than traditional finance has access to.

The on-chain analytics layer

Every meaningful crypto AML program now includes on-chain analytics. You need to be able to answer three questions for any wallet:

Is this address on a sanctions list, or does it have material exposure to one?
Is it flagged by any major threat-intelligence source — known scammer, hacker, darknet operator, mixer?
What entities is it directly or indirectly connected to — known exchanges, DeFi protocols, sanctioned addresses?

Enterprise platforms like Chainalysis, Elliptic, and TRM Labs answer these questions at scale, with deep entity-attribution data, for organizations that can spend $30K–$200K+ per year. For smaller teams, lighter-weight tools like WalletDNA cover the same screening questions at a price that lets you actually deploy a program.

A realistic starting workflow

If you're building a crypto AML program from scratch, a defensible starting workflow looks like this:

Write a policy. Document your customer risk-tiering, your monitoring rules, your screening cadence, your SAR criteria. A regulator's first ask is always the written policy.
Screen at the boundary. Every deposit address and every withdrawal address gets screened before funds move. Block, hold, or escalate based on the outcome.
Re-screen on a schedule. Run monitored wallets through screening at least weekly. New sanctions designations are issued constantly.
Keep evidence. For every screening event, save the report (PDF works) with the timestamp, the result, and the analyst decision.
Review quarterly. Look at false-positive rates, escalation outcomes, and missed events. Tune the policy.

Common mistakes

Treating KYC as the whole program. Identifying your customer is necessary but insufficient. The on-chain side matters as much or more.
One-time screening. A wallet's risk profile changes. Without re-screening, your view is stale within days.
No documentation. Decisions that aren't written down with their evidence are, for audit purposes, decisions that didn't happen.
Manual-only review at scale. If every transaction needs analyst eyes, the program will collapse under its own weight. Automate screening; reserve analyst time for genuine escalations.

Start screening today — free

10 free wallet analyses per month. Sanctions screening, risk score, AI narrative, PDF report. No credit card.

Try WalletDNA