Learn

What Is AML in Crypto? How Anti-Money Laundering Works for Businesses

Crypto-related fraud losses in the US reached $11.3 billion in 2025, according to the FBI's Internet Crime Complaint Center. For businesses moving that money, regulatory pressure is rising at the same pace. This guide covers what anti-money laundering requires from crypto businesses today.

June 9, 2026

TL;DR

  • AML, or anti-money laundering, is the set of laws and procedures that require crypto businesses to verify customers, monitor transactions for suspicious patterns, and file reports with financial authorities when something looks wrong.
  • Money laundering in crypto follows three stages: placement puts illegal funds into the system, layering obscures their origin, and integration brings them back as clean money.
  • Crypto businesses classified as Virtual Asset Service Providers face binding obligations including customer due diligence, transaction monitoring, Travel Rule compliance, and suspicious activity reporting.
  • Key regulatory deadlines in 2026 include the UK FCA authorization gateway opening on September 30 and GENIUS Act enforcement beginning in January 2027 in the US.

What Is AML in Crypto?

Anti-money laundering, or AML, refers to the set of laws and procedures that require financial institutions to detect and prevent the movement of illegally obtained funds.

For crypto businesses, that means verifying customers, flagging transactions that look out of place, and escalating unresolved cases to the relevant authority.

Any company that exchanges, transfers, or custodies digital assets on behalf of others qualifies as a Virtual Asset Service Provider, the regulatory category that triggers full AML obligations. The category works like a money services license: once a business fits the definition, the obligations follow.

The cost of ignoring those obligations is well documented. Crypto exchanges paid $927.5 million in AML-related fines in 2025 alone, more than any other sector tracked in U.S. enforcement actions that year.

Fines at that scale freeze banking relationships, trigger license reviews, and put operations at serious risk.

How Money Laundering Works: The Three Stages

Stage

What happens

How crypto is used

Placement

Illegal cash enters the financial system for the first time

Converting cash to crypto through unregulated exchanges or peer-to-peer platforms that skip identity checks

Layering

Funds move through a chain of transactions to hide their origin

Chain-hopping between cryptocurrencies, routing through mixers, using decentralized finance protocols across multiple wallets

Integration

Laundered funds re-enter the economy as legitimate income

Cashing out through exchanges, over-the-counter brokers, or crypto-friendly merchants, presenting proceeds as trading profits

What AML Requires from Crypto Businesses

Once a business is classified as a Virtual Asset Service Provider, it must register with regulators, verify customer identities, monitor transactions continuously, file suspicious activity reports, and keep records for however long local law requires.

More than 60 jurisdictions now require registration or licensing for these operators. Supervisors in those jurisdictions are auditing whether the controls work, with registration certificates treated as a minimum baseline.

For any business that qualifies, that means:

  • Registration and licensing: operating without authorization carries criminal exposure in those markets, and regulators are increasingly revoking licenses over weak controls.
  • Customer Due Diligence: verifying who account holders are before they transact, including government-issued ID, proof of address, and source of funds for higher-risk profiles.
  • Enhanced Due Diligence: a second screening layer required for high-risk customers, politically exposed persons, and transactions above defined thresholds.
  • Transaction monitoring: continuous review of platform behavior to flag patterns that indicate layering, structuring, or other laundering conduct.
  • Suspicious Activity Reports: formal filings sent to the relevant financial intelligence unit when a transaction or customer raises red flags that internal review can't clear.
  • Travel Rule: sharing sender and receiver information with counterpart businesses on transfers above $1,000 or equivalent.

Record-keeping: retaining client and transaction data for five years under most major frameworks, including the BSA and EU AML directives.

ML vs KYC: What Is the Difference?

KYC verifies who the customer is onboarding. AML is the broader program that includes KYC but also addresses transaction monitoring, suspicious activity reporting, and ongoing risk management for as long as that account remains active.

-

KYC

AML

What it does

Verifies who the customer is

Monitors what the customer does

When it runs

At onboarding

Continuously

Output

Identity confirmation

Transaction alerts, risk scores, reports

Covers

Identity documents, sanctions screening

Monitoring, suspicious activity reports, Travel Rule

The OKX case shows what happens when that second layer is missing. OKX paid $504 million in penalties in early 2025 after regulators found five years of suspicious transactions processed without adequate oversight controls, despite running identity checks at signup.

Key AML Regulations Crypto Businesses Face in 2026

For firms operating across borders, AML compliance follows separate national frameworks with requirements and deadlines that vary significantly by region.

Bank Secrecy Act and the GENIUS Act: United States

The Bank Secrecy Act, the US law requiring financial institutions to report suspicious activity and maintain records, has covered crypto businesses since 2013, when FinCEN first classified crypto exchanges as money services businesses.

The GENIUS Act, signed into law on July 18, 2025, extended that framework to stablecoin issuers for the first time, treating them as financial institutions under the BSA. Full enforcement begins January 2027.

FATF Travel Rule: Global

The Financial Action Task Force, an intergovernmental body whose standards shape domestic law across 200 jurisdictions through its 39 members and 9 regional bodies, mandates that crypto businesses pass along sender and receiver details on transfers above $1,000.

The rule targets layering directly: moving money without identity data is one of the primary ways criminals create distance between funds and their origin at scale.

EU AMLA: Europe

The EU launched its Anti-Money Laundering Authority on July 1, 2025, with crypto firms as an explicit supervisory priority. Direct oversight of the highest-risk firms is scheduled for 2028, with a common rulebook already taking shape across all 27 member states.

UK FCA Authorization Gateway: United Kingdom

The UK's Financial Conduct Authority opens its authorization gateway on September 30, 2026. Existing AML registrations don't carry over. Every crypto business with UK exposure must apply for fresh authorization or face restrictions on taking new business until approval is granted.

Tools and Technology Crypto Businesses Use for AML Compliance

Transaction volumes make manual review unworkable at scale. Three categories of tools cover the gap.

Blockchain Analytics

These platforms trace fund movements across public blockchains, score wallets by risk level, and flag exposure to known illicit addresses.

The three most widely used are Chainalysis, used by regulators and banks across dozens of blockchains; TRM Labs, focused on live cross-chain screening and sanctions matching; and Elliptic, which covers hundreds of crypto assets and added automated alert review in 2025, cutting analyst review time by around 50%.

The blockchain analytics market reached $2.5 billion in 2025, driven by tightening regulation and growing demand from banks and exchanges.

Identity Verification and Sanctions Screening

These tools run document checks, liveness scans, and sanctions screening against lists maintained by bodies like the US Office of Foreign Assets Control and the EU.

Running all three in-house requires significant compliance infrastructure. For crypto businesses evaluating infrastructure partners, AML coverage has become a standard part of that evaluation.

On/off-ramp providers like Mercuryo build KYC, AML screening, and Travel Rule support into their integration layer, reducing the compliance infrastructure that platforms need to build independently. Regulatory obligations under frameworks like the GENIUS Act and Travel Rule, however, remain in the responsibility of each entity operating as a VASP or digital asset service provider in their respective jurisdictions.

Frequently Asked Questions

Does AML Apply to Crypto Exchanges?

Yes. Crypto exchanges are classified as Virtual Asset Service Providers in over 60 jurisdictions and must comply with the same anti-money laundering obligations as traditional financial institutions. Including customer verification, transaction monitoring, and filing suspicious activity reports with regulators.

What Is the Difference Between AML and KYC in Crypto?

The main difference between AML and KYC is scope. KYC verifies identity onboarding. AML is the full ongoing program that includes monitoring, risk scoring, and regulatory reporting.

What Happens If a Crypto Business Fails AML Compliance?

Penalties include fines, license revocation, and criminal prosecution. In 2025, U.S. enforcement actions against crypto exchanges totaled $927.5 million, more than any other financial sector that year. In serious cases, authorities freeze banking relationships and restrict operations entirely.

Buy Crypto