AML and CFT Compliance for Crypto Companies

AML and CFT Compliance for Crypto Companies

Cryptocurrency is sometimes regarded as a risky business because of shifts in the market, but the bigger concern may actually be AML and CFT compliance. Regulators around the world have turned their gaze to the power of virtual currencies, and it's imperative for crypto companies to put the necessary measures in place to meet newly enacted laws.

Owners of cryptocurrency companies also face the threat of growing illegal activity within the industry. In 2021, criminals laundered $8.6 billion in cryptocurrency, which was a 30% increase over the prior year. Understanding the nature of money laundering and financing of terrorism, as well as the ways that companies can go about countering them, is vital to the strength of the crypto market, the integrity of individual crypto businesses, and the protection of current and future investors.

What Is AML/CFT?

AML and CFT stand for anti-money laundering and counter-terrorism funding. The terms are used to describe a system of laws and regulations and are also commonly associated with security measures and protective tools that help lower the risk of fraud and criminal activity.

The History of AML/CFT

AML and CFT laws have a long history. In the United States, for example, the Bank Secrecy Act (BSA) of 1970 established recordkeeping and reporting requirements to help ensure that funds could be traced back to their original source and that illegal behavior could be prosecuted.

Since the passage of the BSA, several other important legislative developments have advanced the AML cause. The following laws were particularly impactful:

  • The Foreign Corrupt Practices Act (FCPA) of 1977 made it unlawful for United States citizens and entities to bribe foreign government officials to promote their business interests.
  • The Money Laundering Control Act of 1986 was the first United States law that made money laundering a federal crime.
  • The Annunzio-Wylie Anti-Money Laundering Act (AMLA) of 1992 established the requirement for Suspicious Activity Reports (SARs) and created the Bank Secrecy Act Advisory Group (BSAAG).
  • The PATRIOT Act of 2001, which legislators developed in response to the 9/11 terrorist attacks, made the financing of terrorism a criminal act in the United States and expanded existing anti-money laundering requirements.

From a more global perspective, there are several organizations that have been integral to the battle against money laundering and terrorist financing. Most significantly, the Financial Action Task Force was established in 1989 to develop international standards and policies that would combat money laundering and terrorism financing.

The International Monetary Fund (IMF) has also taken an active AML/CFT role. Furthermore, the United Nations Office on Drugs and Crime addressed AML in the 1998 Vienna Convention, 2001 Palermo Convention, and 2005 Merida Convention.

AML/CFT for Virtual Currencies

Regulators and legislators have spent decades crafting and enforcing laws against money laundering and terrorism financing. Virtual currencies, however, have only recently become a significant part of AML/CFT regulations.

The Fifth AML Directive

In the European Union, the release of the Fifth Anti-Money Laundering Directive, better known as AML 5, was a major step toward reducing criminal activity associated with digital assets. More specifically, the January 2020 directive included:

  • A legal definition for cryptocurrency
  • Requirements for crypto exchanges and businesses to follow the same regulations as other financial institutions
  • Restrictions on the anonymous use of virtual currencies

AML5 was also noteworthy in that it initiated registration requirements for cryptocurrency exchanges and wallets. Under this legislation, crypto businesses must register with local authorities, such as the Financial Conduct Authority in the United Kingdom.

Updates to the AMLA

In January 2021, the United States government made substantial amendments to the BSA for the first time since the PATRIOT Act when they enacted the Anti-Money Laundering Act of 2020.

This updated version of the AMLA is especially notable because it requires due diligence from businesses that deal in value that substitutes for money. In other words, cryptocurrency exchanges and similar businesses that deal in virtual assets are held to the same standards as other types of financial institutions. This was a major step forward in the creation of effective and enforceable United States cryptocurrency regulations.

Establishing the NCET

The updated AMLA was followed by another important development, the creation of the National Cryptocurrency Enforcement Team (NCET) in October 2021. This group is responsible for investigating cases that involve the criminal use of digital assets.

Why Is AML/CFT Important for Crypto Companies?

Preventing money laundering and terrorist financing should not be a concern that's exclusive to regulators and government agencies. There are many reasons why businesses involved in the buying, selling, trading, and exchanging of virtual currencies should be equally invested in these critical steps toward minimizing criminal activity.


Maintaining Compliance

AML/CFT compliance is essential to a business's long-term financial viability. Violations can carry hefty penalties. Consider some recent examples:

  • Larry Dean Harmon, the founder and operator of Helix and Coin Ninja, was fined $60 million by the Financial Crimes Enforcement Network (FinCEN) in October 2020. Harmon failed to register his businesses, did not implement an AML program, and never filed SARs on questionable transactions, all of which are required by the BSA.
  • In August 2022, the United States Department of the Treasury sanctioned Tornado Cash, a virtual currency mixer that they say has been used to launder more than $7 billion worth of virtual currency since 2019.
  • Also in August 2022, the New York Department of Financial Services penalized the crypto division of Robinhood for providing inadequate staff and resources for its cybersecurity and anti-money laundering program. Robinhood was fined $30 million for its compliance violations.
  • In October 2022, the United States Treasury Department fined Bittrex, an online currency exchange and cryptocurrency wallet service, $29.3 million for failed sanction compliance. The company ultimately agreed to pay a $24.3 million settlement.

While complying with AML and CFT regulations may require additional effort, planning, and financial investments, it is ultimately an important form of self-protection against potentially devastating consequences. Tools like AMLBot are an important part of building a compliant crypto business.

Increasing Risk

The use of cryptocurrency for money laundering and terrorist financing is currently at a relatively low level, but experts anticipate that its use will likely grow as the market continues to expand. As a result, it's crucial that legitimate cryptocurrency businesses seize this moment to implement the best possible AML programs that they can.

Why is cryptocurrency appealing to bad actors? The Office of the Director of National Intelligence addressed this point quite well in September 2021 when it released detailed guidance for first responders who might encounter situations in which cryptocurrency is being used for illegal purposes. Specifically, the document addressed the fact that cryptocurrency is:

  • Convenient: Criminal gangs can access cryptocurrency exchanges and services from essentially any connected device in the world.
  • Pseudonymous: Cryptocurrency accounts use pseudonyms, or alternate names, rather than an individual's legal name, which allows a degree of anonymity for each transaction.
  • Inconsistently regulated: While regulations have certainly progressed, they are far from consistent, often differing significantly between continents, countries, and even states.
  • Fast: Cryptocurrency transaction speeds are not as fast as some other forms of currency, but their generally quick speeds, particularly in combination with pseudonymity, make them attractive prospects for criminal enterprises.

Criminals in the crypto world are also capitalizing on developing technologies. For instance, decentralized cross-chain bridges are an unregulated option that allows criminals to transfer value between blockchains. This allows them to evade centralized systems that would inevitably trace and freeze their transactions.

According to recent reports, the cross-chain bridge known as RenBridge has been used to launder more than $540 million in illicit funds. While these cross-chain bridges help expand the market, they are very vulnerable to cyber risks like hacking and criminal activities including money laundering.

Establishing Trust with Customers

Although money, and the chance to get more of it, is at the heart of any financial service, most investors and customers are unwilling to take risks without first establishing trust. The only way to build such a foundation is by demonstrating that a business is secure and keeps customer needs in mind.

By observing AML and CFT protocols, crypto businesses show that they are concerned about the confidentiality of every client's sensitive information, the protection of their investors' portfolios, and the integrity of their own operations. If your business finds itself laundering illicit funds, even unknowingly, it can cast a permanent shadow on your company, and customers may lose trust in your principles and security measures that no amount of effort will allow you to regain.

Promoting a Safer Marketplace

AML/CFT measures are ultimately in the best interest of everyone. They lower the profitability of money laundering and elevate the risk of criminal activity, which in turn can help prevent terrorist acts.

They also help empower investigators to better investigate financial crimes, allowing them to recover funds for victims and prosecute criminal groups. For example, in 2020, the United States Justice Department announced that it had successfully seized more than 300 cryptocurrency accounts worth millions of dollars belonging to terrorist groups, including al-Qaeda. The recovered funds can be contributed to the United States Victims of State Sponsored Terrorism, which supports individuals who were injured during terrorist acts.

What Is the Difference Between Money Laundering and Financing of Terrorism?

AML and CFT regulations often go hand in hand and are typically addressed within the same legislation. However, that doesn't mean that they are one and the same. There are important distinctions between money laundering and terrorism financing, and it's essential that businesses understand the differences so that they can recognize each type of activity when it occurs.

Money Laundering

Money laundering allows criminals to disguise the enterprise that they used to generate money. In order for any financial activity to be classified as money laundering, the funds involved must have resulted from criminal activity, such as:

  • Drug trafficking
  • Human trafficking
  • Smuggling
  • Corruption

Because cryptocurrencies are pseudonymous and can cross international borders, they offer a logical alternative for criminals who want to hide the source of their funds. Mixing services and cryptocurrency exchanges have become popular as a means of laundering dirty money.

Financing of Terrorism

Terrorists are groups or individuals who use violence or the threat of violence to create fear within a large group or population. The most powerful terrorist groups require significant amounts of money to fund their activities, which can span years and cover thousands of miles of territory.

Unlike money laundering, in which the origin of the funds is key, terrorism financing can come from both legitimate and illegitimate sources. If the money is used to support terrorist activity, it doesn't matter whether the original funds came from a charitable organization or extortion. It's the intended use of the funds, not the source, that dictates whether the funding is illicit.

What Are the FATF Recommendations for AML/CFT?

In response to the growing risks associated with money laundering and financing of terrorism, the FATF developed a thorough series of recommendations. The recommendations have since been widely accepted as the global AML/CFT standards.

FATF 40 Recommendations

The original 40 recommendations created in 1990 were specific to money laundering. Following the 9/11 attack, the FATF developed an additional nine separate recommendations intended for terrorism funding. However, the special recommendations were eventually incorporated into the FATF's guidelines because a combined AML/CFT system is intended to address both issues simultaneously.

The FATF's official AML/CFT recommendations are:

  1. Assessing risks and applying a risk-based approach
  2. National cooperation and coordination
  3. Money laundering offense
  4. Confiscation and provisional measures
  5. Terrorist financing offense
  6. Targeted financial sanctions related to terrorism and terrorist financing
  7. Targeted financial sanctions related to proliferation
  8. Non-profit organizations
  9. Financial institution secrecy laws
  10. Customer due diligence
  11. Record-keeping
  12. Politically exposed persons
  13. Correspondent banking
  14. Money or value transfer services
  15. New technologies
  16. Wire transfers
  17. Reliance on third parties
  18. Internal controls and foreign branches and subsidiaries
  19. Higher-risk countries
  20. Reporting of suspicious transactions
  21. Tipping-off and confidentiality
  22. Designated non-financial businesses and professions (DNFBPs): customer due diligence
  23. DNFBPs: other measures
  24. Transparency and beneficial ownership of legal persons
  25. Transparency and beneficial ownership of legal arrangements
  26. Regulation and supervision of financial institutions
  27. Powers of supervisors
  28. Regulation and supervision of DNFBPs
  29. Financial intelligence units
  30. Responsibilities of law enforcement and investigative authorities
  31. Powers of law enforcement and investigative authorities
  32. Cash couriers
  33. Statistics
  34. Guidance and feedback
  35. Sanctions
  36. International instruments
  37. Mutual legal assistance
  38. Mutual legal assistance: freezing and confiscation
  39. Extradition
  40. Other forms of international cooperation

While the FATF's recommendations were initially intended for traditional forms of finance, like banking and wire transfers, they have been updated as the popularity of virtual currencies has grown.

FATF Recommendations for Virtual Currencies

In addition to the AML/CFT recommendations, the FATF has also issued guidance for virtual currencies. Originally issued in 2015, this guidance includes definitions of essential terms and explores how the original recommendations should apply to businesses that deal with digital assets. For example, the virtual currencies guidance clarifies that:

  • Countries should require virtual asset service providers (VASPs) to register or apply for a license
  • Countries should supervise VASPs like other financial institutions
  • VASPs should implement preventative measures like those used by other financial institutions

These measures have heavily influenced the development of AML/CFT regulations worldwide.

What Are the Required AML/CFT Measures?

It's important to note that required AML/CFT measures differ widely between locations, so businesses should always verify that they are following the most current regulations for their jurisdiction. In general, however, there are two key points provided by the FATF that regulators require of crypto companies.

Travel Rule

The FATF made a crucial recommendation when it suggested that VASPs abide by the Travel Rule, which had long been in place for other financial institutions. The Travel Rule requires VASPs to capture identifying information for senders and recipients involved in crypto transactions over a certain threshold. In the European Union, there is no minimum threshold, meaning that this information is necessary for every transaction. In other countries, the threshold is higher, such as in the United States, where the threshold under the BSA is $3,000.

To comply with the Travel Rule, VASPs should:

  • Exchange know-your-customer (KYC) information for the sender and recipient
  • Conduct sanctions screenings to confirm that neither party is on a sanctions list
  • Monitor transactions
  • Investigate any suspicious transactions
  • Submit a completed SAR to the appropriate agency when necessary

Failure to comply with the Travel Rule can result in costly fines and penalties.

Know-Your-Customer (KYC)

KYC is a critical AML/CFT measure and central to the FATF's guidelines. When crypto companies implement KYC procedures, they verify the identities of customers. This may seem counter to the notion of cryptocurrencies, which are inherently intended to be somewhat anonymous, but customer verifications play a significant part in reducing criminal activity.

Keep in mind that KYC measures are not universal, so one exchange may have measures in place that another does not. In many cases, however, exchanges require new customers to share their:

  • Legal names
  • Government-issued IDs
  • Current addresses
  • Birthdates

Collecting this information is part of the first stage of most KYC measures, also known as the Customer Identification Program (CIP). Many VASPs also perform Customer Due Diligence (CDD), in which they use background checks and transaction histories to assess risks. The final stage of a typical KYC program is Continuous Monitoring, which involves reviewing transactions to detect criminal activity.



Cryptocurrency companies already face a number of cyber risks, including ransomware and outages. Violations of AML/CFT regulations are simply another threat to avoid. Businesses can take advantage of available resources and tools to ensure their compliance and avoid penalties and sanctions.

AMLBot offers a full range of services to improve your business's AML/CFT compliance, including automated KYC, AML screening, and FATF audits. Schedule a free consultation to learn more about how AMLBot can reduce your level of risk, simplify your AML/CFT processes, and help you maintain full regulatory compliance.