What AML compliance looks like
For a regulated crypto exchange:
- Transaction monitoring — automated systems flag transactions matching suspicious patterns (structuring below reporting thresholds, transfers to sanctioned addresses, rapid in-and-out flows).
- Sanctions screening — checking counterparty addresses against OFAC, UN, EU sanctions lists.
- Suspicious activity reporting (SAR) — filing reports with FinCEN (US) or equivalent authorities when suspicious patterns are detected.
- Customer due diligence — KYC at onboarding, enhanced due diligence for high-risk customers.
- Record keeping — transaction logs retained for multiple years (typically 5+).
- Training and compliance officer — dedicated AML programs with executive accountability.
The Travel Rule
FATF Recommendation 16 (the “Travel Rule”) requires that for cross-border transfers above specific thresholds:
- The originator VASP (Virtual Asset Service Provider) must transmit originator/beneficiary info to the beneficiary VASP.
- The beneficiary VASP must receive and validate that information.
- Transfers to self-hosted wallets may require enhanced scrutiny.
Implementation has been patchy. Various providers (Notabene, TRP, Sumsub) offer Travel Rule compliance infrastructure; adoption is uneven across jurisdictions.
Notable AML enforcement actions in crypto
- BitMEX (2020-2022) — $100M penalty for failing to implement an effective AML program. Founders pleaded guilty.
- Binance (2023) — $4.3B settlement with DOJ including AML violations, sanctions evasion, unlicensed operation. CZ stepped down as CEO.
- Bittrex (2023) — $29M OFAC settlement for sanctions violations.
- KuCoin (2024) — charges for BSA violations.
The trend is unmistakable: regulators increasingly hold crypto exchanges to the same AML standards as traditional financial institutions, and non-compliance keeps getting more expensive.
AML and self-custody
Self-custody wallets aren’t themselves subject to AML requirements (there’s no “institution” to regulate). But the on-ramps and off-ramps are. Specific issues:
- CEX deposits from unknown sources — large deposits from self-custody wallets (especially if they touched mixers, sanctioned addresses, or privacy tools) can trigger enhanced review.
- Withdrawal restrictions — exchanges may restrict withdrawals to specific addresses, require additional verification, or freeze accounts with suspicious inflows.
- Tainted funds — funds that passed through mixers (Tornado Cash before and after sanctions) or sanctioned bridges (Ronin hackers’ path to laundering) can be refused by downstream exchanges.
Privacy vs compliance tension
Crypto was designed with pseudonymity as a feature. AML regulation pushes in the opposite direction — toward transparency, KYC, and identifiable counterparties. Several tensions play out:
- Privacy coins (XMR, ZEC) — delisted from many regulated exchanges due to compliance difficulty.
- Mixers (Tornado Cash) — sanctioned by OFAC in 2022. The Treasury’s “secondary sanctions” approach extended liability to anyone interacting with sanctioned addresses, raising due-process and legal-clarity concerns.
- CoinJoin, Samourai, Wasabi — Bitcoin privacy tools under increasing regulatory scrutiny. Wasabi’s developers have been charged in some cases.
Risks and considerations
For users:
- Your transaction graph is visible. Even if specific identifiers aren’t linked, chain analysis firms (Chainalysis, Elliptic) can often cluster addresses and identify flows.
- Tainted fund risk — accepting a payment that previously touched sanctioned addresses can cause account freezes at your exchange.
- Sanctions screening at the wallet level — compliant dApps are starting to implement on-chain sanctions screening. Some DEXs block sanctioned addresses.
- Reporting obligations — most jurisdictions require reporting crypto income and sometimes holdings; tax compliance is adjacent to AML and overlaps with it.
For protocol builders, AML is increasingly a design consideration — products targeting regulated markets must have compliance features from day one.