What Is AML in Crypto? How Anti-Money Laundering Works for Businesses
Crypto-related fraud losses in the US reached $11.3 billion in 2025, according to the FBI's Internet Crime Complaint Center. For businesses moving that money, regulatory pressure is rising at the same pace. This guide covers what anti-money laundering requires from crypto businesses today.

TL;DR
- AML, or anti-money laundering, is the set of laws and procedures that require crypto businesses to verify customers, monitor transactions for suspicious patterns, and file reports with financial authorities when something looks wrong.
- Money laundering in crypto follows three stages: placement puts illegal funds into the system, layering obscures their origin, and integration brings them back as clean money.
- Crypto businesses classified as Virtual Asset Service Providers face binding obligations including customer due diligence, transaction monitoring, Travel Rule compliance, and suspicious activity reporting.
- Key regulatory deadlines in 2026 include the UK FCA authorization gateway opening on September 30 and GENIUS Act enforcement beginning in January 2027 in the US.
What Is AML in Crypto?
Anti-money laundering, or AML, refers to the set of laws and procedures that require financial institutions to detect and prevent the movement of illegally obtained funds.
For crypto businesses, that means verifying customers, flagging transactions that look out of place, and escalating unresolved cases to the relevant authority.
Any company that exchanges, transfers, or custodies digital assets on behalf of others qualifies as a Virtual Asset Service Provider, the regulatory category that triggers full AML obligations. The category works like a money services license: once a business fits the definition, the obligations follow.
The cost of ignoring those obligations is well documented. Crypto exchanges paid $927.5 million in AML-related fines in 2025 alone, more than any other sector tracked in U.S. enforcement actions that year.
Fines at that scale freeze banking relationships, trigger license reviews, and put operations at serious risk.
How Money Laundering Works: The Three Stages
Stage | What happens | How crypto is used |
|---|---|---|
Placement | Illegal cash enters the financial system for the first time | Converting cash to crypto through unregulated exchanges or peer-to-peer platforms that skip identity checks |
Layering | Funds move through a chain of transactions to hide their origin | Chain-hopping between cryptocurrencies, routing through mixers, using decentralized finance protocols across multiple wallets |
Integration | Laundered funds re-enter the economy as legitimate income | Cashing out through exchanges, over-the-counter brokers, or crypto-friendly merchants, presenting proceeds as trading profits |
What AML Requires from Crypto Businesses
Once a business is classified as a Virtual Asset Service Provider, it must register with regulators, verify customer identities, monitor transactions continuously, file suspicious activity reports, and keep records for however long local law requires.
More than 60 jurisdictions now require registration or licensing for these operators. Supervisors in those jurisdictions are auditing whether the controls work, with registration certificates treated as a minimum baseline.
For any business that qualifies, that means:
- Registration and licensing: operating without authorization carries criminal exposure in those markets, and regulators are increasingly revoking licenses over weak controls.
- Customer Due Diligence: verifying who account holders are before they transact, including government-issued ID, proof of address, and source of funds for higher-risk profiles.
- Enhanced Due Diligence: a second screening layer required for high-risk customers, politically exposed persons, and transactions above defined thresholds.
- Transaction monitoring: continuous review of platform behavior to flag patterns that indicate layering, structuring, or other laundering conduct.
- Suspicious Activity Reports: formal filings sent to the relevant financial intelligence unit when a transaction or customer raises red flags that internal review can't clear.
- Travel Rule: sharing sender and receiver information with counterpart businesses on transfers above $1,000 or equivalent.
Record-keeping: retaining client and transaction data for five years under most major frameworks, including the BSA and EU AML directives.
ML vs KYC: What Is the Difference?
KYC verifies who the customer is onboarding. AML is the broader program that includes KYC but also addresses transaction monitoring, suspicious activity reporting, and ongoing risk management for as long as that account remains active.
- | KYC | AML |
|---|---|---|
What it does | Verifies who the customer is | Monitors what the customer does |
When it runs | At onboarding | Continuously |
Output | Identity confirmation | Transaction alerts, risk scores, reports |
Covers | Identity documents, sanctions screening | Monitoring, suspicious activity reports, Travel Rule |
The OKX case shows what happens when that second layer is missing. OKX paid $504 million in penalties in early 2025 after regulators found five years of suspicious transactions processed without adequate oversight controls, despite running identity checks at signup.
Key AML Regulations Crypto Businesses Face in 2026
For firms operating across borders, AML compliance follows separate national frameworks with requirements and deadlines that vary significantly by region.
Bank Secrecy Act and the GENIUS Act: United States
The Bank Secrecy Act, the US law requiring financial institutions to report suspicious activity and maintain records, has covered crypto businesses since 2013, when FinCEN first classified crypto exchanges as money services businesses.
The GENIUS Act, signed into law on July 18, 2025, extended that framework to stablecoin issuers for the first time, treating them as financial institutions under the BSA. Full enforcement begins January 2027.
FATF Travel Rule: Global
The Financial Action Task Force, an intergovernmental body whose standards shape domestic law across 200 jurisdictions through its 39 members and 9 regional bodies, mandates that crypto businesses pass along sender and receiver details on transfers above $1,000.
The rule targets layering directly: moving money without identity data is one of the primary ways criminals create distance between funds and their origin at scale.
EU AMLA: Europe
The EU launched its Anti-Money Laundering Authority on July 1, 2025, with crypto firms as an explicit supervisory priority. Direct oversight of the highest-risk firms is scheduled for 2028, with a common rulebook already taking shape across all 27 member states.
UK FCA Authorization Gateway: United Kingdom
The UK's Financial Conduct Authority opens its authorization gateway on September 30, 2026. Existing AML registrations don't carry over. Every crypto business with UK exposure must apply for fresh authorization or face restrictions on taking new business until approval is granted.
Tools and Technology Crypto Businesses Use for AML Compliance
Transaction volumes make manual review unworkable at scale. Three categories of tools cover the gap.
Blockchain Analytics
These platforms trace fund movements across public blockchains, score wallets by risk level, and flag exposure to known illicit addresses.
The three most widely used are Chainalysis, used by regulators and banks across dozens of blockchains; TRM Labs, focused on live cross-chain screening and sanctions matching; and Elliptic, which covers hundreds of crypto assets and added automated alert review in 2025, cutting analyst review time by around 50%.
The blockchain analytics market reached $2.5 billion in 2025, driven by tightening regulation and growing demand from banks and exchanges.
Identity Verification and Sanctions Screening
These tools run document checks, liveness scans, and sanctions screening against lists maintained by bodies like the US Office of Foreign Assets Control and the EU.
Running all three in-house requires significant compliance infrastructure. For crypto businesses evaluating infrastructure partners, AML coverage has become a standard part of that evaluation.
On/off-ramp providers like Mercuryo build KYC, AML screening, and Travel Rule support into their integration layer, reducing the compliance infrastructure that platforms need to build independently. Regulatory obligations under frameworks like the GENIUS Act and Travel Rule, however, remain in the responsibility of each entity operating as a VASP or digital asset service provider in their respective jurisdictions.
Frequently Asked Questions
Does AML Apply to Crypto Exchanges?
Yes. Crypto exchanges are classified as Virtual Asset Service Providers in over 60 jurisdictions and must comply with the same anti-money laundering obligations as traditional financial institutions. Including customer verification, transaction monitoring, and filing suspicious activity reports with regulators.
What Is the Difference Between AML and KYC in Crypto?
The main difference between AML and KYC is scope. KYC verifies identity onboarding. AML is the full ongoing program that includes monitoring, risk scoring, and regulatory reporting.
What Happens If a Crypto Business Fails AML Compliance?
Penalties include fines, license revocation, and criminal prosecution. In 2025, U.S. enforcement actions against crypto exchanges totaled $927.5 million, more than any other financial sector that year. In serious cases, authorities freeze banking relationships and restrict operations entirely.