Crypto AML compliance in the U.S. has moved from a checkbox exercise to a high-stakes operational discipline. Enforcement actions against OKX (over $504 million in penalties), Paxful ($3.5 million civil penalty from FinCEN), and others have made one thing clear: regulators are no longer satisfied with policy documents that describe a program. They want evidence that the program actually ran.
For compliance officers and AML teams at crypto exchanges and VASPs, that shift changes the job. The question is not just “do we have the right policies?” It is “can we show how every alert was reviewed, every SAR decision was made, and every high-risk customer was assessed?”
Most U.S.-operating exchanges and custodial wallet providers are classified as money transmitters under FinCEN guidance, which makes them MSBs subject to the full Bank Secrecy Act. A defensible program requires more than registration.
A complete crypto AML program covers:
The real differentiator is auditability. A program that can show how every alert was reviewed, every escalation was decided, and every SAR narrative was supported will survive examination. A program that cannot will not.
Why Crypto AML Compliance Got Harder, and More Expensive
Enforcement has shifted from warnings to nine-figure penalties. In 2024, crypto companies paid $5.1 billion in fines globally. In the first half of 2025 alone, regulators issued 139 fines totaling $1.23 billion, a 417% increase over the prior period, according to Fenergo’s H1 2025 enforcement report.
The pattern in major U.S. enforcement actions is consistent. Regulators are not penalizing companies for missing a single control. Regulators are penalizing companies for operating at scale while running programs that were structurally inadequate from the start.
Enforcement snapshot: two cases every crypto compliance team should study
OKX (2025): The DOJ found that OKX had processed over $5 billion in suspicious transactions. Penalties exceeded $504 million. The failures cited included weak KYC practices that allowed anonymous or pseudonymous accounts to transact at volume, inadequate sanctions screening, and monitoring that did not match the risk profile of the business.
Paxful (2025): FinCEN assessed a $3.5 million civil penalty for willful BSA violations. The consent order cited failure to maintain an effective AML program, failure to register as an MSB, and failure to file SARs on transactions that should have been reported. Paxful operated a peer-to-peer platform with high exposure to high-risk jurisdictions and did not build controls commensurate with that risk.
What Regulators Are Actually Measuring
FinCEN and OFAC are not checking whether a policy document exists. They are asking:
The cost of a weak program is not just the fine. It includes remediation costs, monitor fees, licensing friction, and the operational drag of rebuilding controls under regulatory scrutiny.
Step 1: Confirm Whether Your Business Is an MSB and Map Your Regulatory Perimeter
Before building any controls, map what the business actually does and what that triggers. FinCEN’s 2019 guidance on convertible virtual currency is still the foundational document. The core rule: if a business accepts and transmits convertible virtual currency on behalf of another person, it is a money transmitter, and therefore an MSB.
What Triggers MSB Classification
State-Level Overlays
Federal MSB registration with FinCEN is the floor, not the ceiling. Several states impose additional licensing requirements that carry stricter KYC, AML, and audit obligations:
Mapping Your Regulatory Perimeter
Before writing a single policy, document the following:
This scoping exercise determines the risk profile of the program, which in turn determines the depth of controls required across every subsequent step.
Step 2: Build the Written AML Program and Governance Structure First
The written AML program is not a formality. Under 31 U.S.C. § 5318, every MSB must maintain a written AML program that is reasonably designed to prevent the business from being used to launder money or finance terrorism. FinCEN expects that program to be commensurate with the risk profile of the business, not a generic template.
The Four BSA Pillars
Every written AML program must address all four of the following:
Governance Design: What Most Programs Get Wrong
The four pillars describe what the program must contain. Governance determines whether the program actually runs. A well-designed governance structure covers:
Governance Checklist
The programs that fail examination are rarely missing a policy. They are missing the operational evidence that the policy was followed.
Step 3: Stand Up Bank-Grade KYC and KYB, Not Startup-Era Onboarding
Weak onboarding is the root cause of most downstream compliance failures. If identity data is incomplete, sanctions screening produces false negatives. If entity verification is shallow, monitoring misses the beneficial owner behind the transaction. If risk classification is absent, every customer gets the same treatment regardless of exposure.
Regulators and FATF guidance make clear that crypto exchanges are expected to run KYC and KYB processes at the same standard as traditional financial institutions, not the lighter identity checks common in early crypto onboarding.
Individual KYC: Minimum Requirements
Risk-based friction applies throughout. A retail customer in a low-risk jurisdiction with a small initial deposit requires a different onboarding depth than a customer in a high-risk geography initiating large transfers from day one.
Business KYB: What Crypto Exchanges Often Miss
Business onboarding is where programs most commonly fall short. The minimum KYB stack should cover:
Why Weak KYC Breaks Everything Downstream
KYC is not just an onboarding control. It is the data foundation for every downstream process.
The OKX enforcement action is instructive here. Regulators found that weak KYC allowed anonymous or pseudonymous accounts to transact at scale. The monitoring and sanctions failures that followed were downstream consequences of the same root cause.
Step 4: Layer Sanctions Screening with Blockchain and Behavioral Monitoring
Sanctions compliance and transaction monitoring are separate disciplines that must work together. A program that screens at onboarding but not throughout the customer lifecycle will miss the customer who was clean at signup and flagged by OFAC six months later.
OFAC’s sanctions compliance guidance for the virtual currency industry is explicit: controls should apply at onboarding, during the customer relationship, and at the transaction level. Blocked property must be reported to OFAC within 10 business days. The expectation is not just name screening; it includes wallet-level controls, IP and geolocation signals, and counterparty risk assessment.
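One way to make the lifecycle rescreening point concrete, as an added example that is not code from the article or any vendor it names: screen a customer book against successive list versions and isolate the customers who were clear under the old list but hit under the new one, with each hit carrying the evidence an analyst needs to clear or escalate it. The record shapes, the exact normalized matching, and all sample values are assumptions; production screening adds fuzzy name matching and list-delta feeds.

```python
from dataclasses import dataclass
from typing import Optional
import unicodedata
@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    wallets: frozenset  # wallet addresses linked to the account

@dataclass(frozen=True)
class ListEntry:
    list_version: str             # which list publication the entry came from
    name: Optional[str] = None
    wallet: Optional[str] = None

def normalize_name(name):
    # Fold case, strip accents and collapse whitespace so trivial variants still match.
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.casefold().split())

def screen_book(customers, entries):
    """Screen every customer against one list version. Returns {customer_id: [(match_type,
    matched_value, list_version), ...]} so each hit carries the evidence it was raised on."""
    by_name = {normalize_name(e.name): e for e in entries if e.name}
    by_wallet = {e.wallet.lower(): e for e in entries if e.wallet}
    hits = {}
    for c in customers:
        evidence = []
        if entry := by_name.get(normalize_name(c.name)):
            evidence.append(("name", entry.name, entry.list_version))
        for w in sorted(c.wallets):
            if entry := by_wallet.get(w.lower()):
                evidence.append(("wallet", w, entry.list_version))
        if evidence:
            hits[c.customer_id] = evidence
    return hits

def lifecycle_delta(customers, previous, current):
    """Customers clear under the previous list but hit under the current one: the
    'clean at signup, flagged later' case that onboarding-only screening misses."""
    before = screen_book(customers, previous)
    after = screen_book(customers, current)
    return {cid: ev for cid, ev in after.items() if cid not in before}

# Constructed sample data (not real customers, list entries or addresses).
CUSTOMERS = [Customer("c-001", "Alice Example", frozenset({"0xCONSTRUCTED0001"})),
             Customer("c-002", "Bob  Sample", frozenset({"0xCONSTRUCTED0002"}))]
LIST_V1 = [ListEntry("list-v1", name="Carol Placeholder")]
LIST_V2 = LIST_V1 + [ListEntry("list-v2", wallet="0xconstructed0002"), ListEntry("list-v2", name="bob sample")]
```

Running `lifecycle_delta(CUSTOMERS, LIST_V1, LIST_V2)` on a schedule (and on every list update) is the control that catches the customer who was clean at signup; the returned evidence tuples are what the hit record should store.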
The Layered Control Model
Tuning for Signal Quality, Not Just Volume
The most common monitoring failure is not a missing rule. It is a miscalibrated one. Programs that generate excessive false positives degrade in two ways:
Alert tuning is a continuous process, not a one-time setup. Programs should track false positive rates by rule, escalation rates by alert type, and SAR conversion rates by typology. These metrics tell you whether the monitoring program is calibrated to the actual risk profile of the customer base.
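The three tuning metrics named above, computed over alert dispositions, as an added example that is not part of the original article: false-positive rate and escalation rate per rule (the rule is used here as the "alert type") and SAR conversion rate per typology, plus a pass that names the rules whose false-positive rate is out of tolerance. The disposition vocabulary, the 70% tolerance and the sample alerts are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AlertOutcome:
    alert_id: str
    rule: str         # monitoring rule that fired (the "alert type")
    typology: str     # risk typology the rule targets
    disposition: str  # "false_positive" | "closed" | "escalated" | "sar_filed"

# Constructed sample dispositions (not real alert data).
SAMPLE = [
    AlertOutcome("a1", "velocity_24h", "rapid_cycling", "false_positive"),
    AlertOutcome("a2", "velocity_24h", "rapid_cycling", "false_positive"),
    AlertOutcome("a3", "velocity_24h", "rapid_cycling", "false_positive"),
    AlertOutcome("a4", "velocity_24h", "rapid_cycling", "escalated"),
    AlertOutcome("a5", "sub_threshold_deposits", "structuring", "escalated"),
    AlertOutcome("a6", "sub_threshold_deposits", "structuring", "sar_filed"),
    AlertOutcome("a7", "sub_threshold_deposits", "structuring", "false_positive"),
    AlertOutcome("a8", "mixer_exposure", "illicit_funds", "sar_filed"),
    AlertOutcome("a9", "mixer_exposure", "illicit_funds", "sar_filed"),
    AlertOutcome("a10", "mixer_exposure", "illicit_funds", "closed"),
]

ESCALATED = {"escalated", "sar_filed"}

def _rate(num, den):
    return round(num / den, 3) if den else 0.0

def tuning_metrics(alerts):
    """False-positive and escalation rate per rule, SAR conversion rate per typology."""
    by_rule, by_typ = defaultdict(Counter), defaultdict(Counter)
    for a in alerts:
        by_rule[a.rule]["total"] += 1
        by_rule[a.rule]["fp"] += a.disposition == "false_positive"
        by_rule[a.rule]["esc"] += a.disposition in ESCALATED
        by_typ[a.typology]["total"] += 1
        by_typ[a.typology]["sar"] += a.disposition == "sar_filed"
    return {
        "false_positive_rate": {r: _rate(c["fp"], c["total"]) for r, c in by_rule.items()},
        "escalation_rate": {r: _rate(c["esc"], c["total"]) for r, c in by_rule.items()},
        "sar_conversion_rate": {t: _rate(c["sar"], c["total"]) for t, c in by_typ.items()},
    }

def rules_needing_review(alerts, max_fp_rate=0.7, min_alerts=4):
    """Rules whose false-positive rate exceeds an assumed tolerance on a minimum sample:
    candidates for recalibration rather than for adding more rules."""
    fp = tuning_metrics(alerts)["false_positive_rate"]
    counts = Counter(a.rule for a in alerts)
    return sorted(r for r in fp if counts[r] >= min_alerts and fp[r] > max_fp_rate)
```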
Handling Sanctions Hits: What the Process Must Include
When a sanctions match is identified, the program needs a documented response workflow:
False positives on sanctions matches must also be documented. If a name match is cleared as a false positive, the record should show what evidence was reviewed and why the match was rejected. That documentation is what survives an exam.
Step 5: Build a SAR Workflow That Is Consistent, Documented, and Regulator-Ready
SAR filing is where many crypto compliance programs show their weakest seams. The rule is straightforward: MSBs must file a SAR with FinCEN within 30 days of detecting a transaction or pattern of transactions involving $2,000 or more that the business knows, suspects, or has reason to suspect involves funds from illegal activity, is designed to evade reporting requirements, or lacks a lawful purpose.
The operational challenge is not the filing itself. It is the workflow that produces a defensible SAR under volume.
The SAR Workflow: Five Stages That Must Be Explicit
What Makes a SAR Defensible
Regulators reviewing SAR quality look for three things:
The fragile handoff: The most common breakdown is between monitoring and investigation. An alert fires, gets triaged to a queue, and sits until an analyst picks it up. If the triage decision is not documented, the case history is incomplete from step one. Design the workflow so the triage decision itself is a recorded event.
Continuing SAR Obligations
If suspicious activity continues after an initial SAR filing, a continuing SAR must be filed every 90 days. Programs need a mechanism to track open SAR subjects, flag continued activity, and trigger the follow-on filing without manual calendar management.
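The tracking mechanism this section and the SAR rule in Step 5 call for, as an added example that is not code from the article: given each open SAR subject's detection date, amount, prior filings and later activity, it computes whether an initial SAR (30 days from detection, $2,000 threshold) or a continuing SAR (90 days from the last filing, only if activity continued) is owed and which are overdue. The figures are the ones the article states; the subject record, the assumption that every subject already meets the "knows, suspects, or has reason to suspect" test, and the sample cases are mine.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Figures as stated in the article's SAR section.
SAR_AMOUNT_THRESHOLD_USD = 2_000
INITIAL_FILING_WINDOW_DAYS = 30
CONTINUING_SAR_INTERVAL_DAYS = 90

@dataclass
class SarSubject:
    subject_id: str
    detected_on: date        # date the suspicious activity was detected
    amount_usd: float        # aggregate amount of the suspicious transactions
    filings: List[date] = field(default_factory=list)   # dates of SARs already filed
    activity: List[date] = field(default_factory=list)  # dates of suspicious activity observed

def filing_required(s: SarSubject) -> bool:
    # Assumes the subject already meets the "knows, suspects, or has reason to suspect" test.
    return s.amount_usd >= SAR_AMOUNT_THRESHOLD_USD

def next_sar_due(s: SarSubject) -> Optional[date]:
    """Date the next SAR is owed, or None if nothing is currently owed."""
    if not filing_required(s):
        return None
    if not s.filings:
        return s.detected_on + timedelta(days=INITIAL_FILING_WINDOW_DAYS)
    last = max(s.filings)
    # A continuing SAR is owed only if suspicious activity was observed after the last filing.
    if any(d > last for d in s.activity):
        return last + timedelta(days=CONTINUING_SAR_INTERVAL_DAYS)
    return None

def obligations(subjects, today: date):
    """Open SAR obligations as (subject_id, kind, due, overdue), sorted by due date."""
    out = []
    for s in subjects:
        due = next_sar_due(s)
        if due is not None:
            out.append((s.subject_id, "continuing" if s.filings else "initial", due, due < today))
    return sorted(out, key=lambda o: o[2])

# Constructed sample subjects (not real cases).
SUBJECTS = [
    SarSubject("s-1", date(2025, 3, 1), 2_500.0),
    SarSubject("s-2", date(2025, 1, 10), 15_000.0, filings=[date(2025, 2, 5)], activity=[date(2025, 3, 20)]),
    SarSubject("s-3", date(2025, 2, 1), 9_000.0, filings=[date(2025, 2, 20)], activity=[date(2025, 1, 30)]),
    SarSubject("s-4", date(2025, 3, 5), 1_200.0),
]
```

Feeding `obligations(SUBJECTS, date.today())` into the case queue each morning replaces the manual calendar management the section warns against; s-3 shows the edge case where activity predates the last filing and no continuing SAR is owed.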
Step 6: Operationalize the Travel Rule Before Volume Forces the Issue
The Travel Rule for virtual assets requires that for transfers at or above $3,000, the transmitting financial institution must pass originator and beneficiary information to the receiving institution. FinCEN’s rule applies to MSBs, and most U.S. crypto exchanges fall within scope.
The rule text is not the hard part. Execution is.
Where Travel Rule Programs Break in Practice
Building a Workable Travel Rule Process
Define policy for each scenario before volume makes ad hoc decisions the default:
Start building this process early. Teams that wait until transaction volume is high find that Travel Rule exceptions accumulate faster than the process can handle them. The exception queue becomes the compliance risk.
What a Scalable Crypto Compliance Operating Model Looks Like
The six steps above describe what to build. This section addresses how to run it without the program becoming a bottleneck as the business grows.
The goal is not full automation of compliance judgment. A scalable operating model reduces the volume of manual, repetitive, undocumented work so analysts can focus on decisions that actually require human expertise.
The Operating Model: Three Tiers
Auditability as a Strategic Requirement
Auditability is not a feature. It is the mechanism by which a compliance program proves it ran.
A scalable program preserves audit trails at every tier:
Compliance teams that automate casework and audit trails rather than building manual processes find that the program scales without proportional headcount growth, and that the audit record produced is more consistent and defensible than one built on analyst notes.
The compliance team’s real job is not to process every alert. It is to ensure that every decision, automated or human, is documented, reproducible, and defensible. That is the standard regulators apply. It should be the standard the program applies to itself.
Final Checklist: Launch Your First 90 Days Without Blind Spots
Use this sequence to prioritize the build without creating gaps that compound later.
Days 1-30: Foundation
Days 31-60: Controls
Days 61-90: Operationalize
Do not delay SAR workflow design or Travel Rule exception handling. Both become exponentially harder to retrofit once transaction volume is high. Build the process when the stakes are low and the backlog is manageable.
Frequently Asked Questions
Do all crypto exchanges need to register as MSBs with FinCEN?
Not all, but most U.S.-operating exchanges do. Under FinCEN’s 2019 guidance on convertible virtual currency, any business that accepts and transmits virtual currency on behalf of another person qualifies as a money transmitter and therefore an MSB. Centralized exchanges, custodial wallet providers, and peer-to-peer platforms facilitating transfers all fall within scope. Non-custodial wallet software providers generally do not, though FinCEN guidance continues to evolve.
What is the difference between sanctions screening and transaction monitoring in crypto AML?
Sanctions screening checks customers and wallet addresses against OFAC and other watchlists to identify prohibited parties, and it applies at onboarding, throughout the customer lifecycle, and at the transaction level. Transaction monitoring, by contrast, analyzes behavioral patterns and on-chain activity to detect suspicious conduct such as structuring, rapid cycling, or exposure to illicit funds. Both are required, and they must work together — screening catches known bad actors, while monitoring catches suspicious behavior from otherwise clean-looking accounts.
How long does a crypto company have to file a SAR after detecting suspicious activity?
MSBs must file a SAR with FinCEN within 30 calendar days of detecting a transaction or pattern of transactions involving $2,000 or more that the business knows, suspects, or has reason to suspect involves funds from illegal activity. If suspicious activity continues after the initial filing, a continuing SAR must be filed every 90 days. The SAR and all supporting case documentation must be retained for five years.
What are the biggest penalties crypto companies have faced for AML failures?
OKX paid over $504 million in penalties in 2025 after the DOJ found it had processed more than $5 billion in suspicious transactions with weak KYC, inadequate sanctions screening, and monitoring that did not match its risk profile. FinCEN assessed Paxful a $3.5 million civil penalty for willful BSA violations including failure to maintain an effective AML program and failure to file SARs. According to Fenergo, regulators issued 139 fines totaling $1.23 billion in the first half of 2025 alone, a 417% increase over the prior period.
What does the Travel Rule require for crypto transfers?
For virtual asset transfers at or above $3,000, the transmitting institution must pass originator and beneficiary information to the receiving institution. This includes collecting and exchanging identity data between VASPs using an interoperable messaging protocol. Transfers to self-hosted wallets require enhanced due diligence and documented exception handling. When counterparty data cannot be verified, the program needs a documented hold or escalation process before the transfer proceeds.
If the operational side of building this program is where your team needs support, Sphinx automates casework, audit trails, and alert disposition for crypto compliance teams running at scale.