FinCEN Cryptocurrency AML Requirements: The Compliance Framework Every Crypto Business Must Master
The Financial Crimes Enforcement Network (FinCEN) occupies a foundational position in US digital asset regulation. While the SEC and CFTC debate jurisdiction over securities and commodities, FinCEN’s anti-money laundering and counter-terrorist financing (AML/CFT) requirements apply across all digital asset activities, regardless of how the underlying assets are classified. For any business that touches cryptocurrency — exchanges, wallet providers, payment processors, OTC desks, and increasingly DeFi interfaces — FinCEN compliance is not optional.
FinCEN’s Authority Over Crypto
Bank Secrecy Act Framework
FinCEN administers the Bank Secrecy Act (BSA), which requires financial institutions to assist government agencies in detecting and preventing money laundering. The BSA framework imposes obligations on “financial institutions,” a category that includes money services businesses (MSBs).
In 2013, FinCEN issued Guidance FIN-2013-G001 — “Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies” — which established that exchangers and administrators of virtual currency are MSBs subject to BSA requirements. This guidance was the foundational document establishing FinCEN’s jurisdiction over the cryptocurrency industry.
Money Services Business Classification
Under 31 CFR 1010.100(ff), an MSB includes any person engaged in the business of money transmission, which FinCEN defines as “the acceptance of currency, funds, or other value that substitutes for currency from one person and the transmission of currency, funds, or other value that substitutes for currency to another location or person by any means.” Virtual currency is “other value that substitutes for currency” under this definition.
Entities classified as MSBs for virtual currency activities include:
- Centralized exchanges: Platforms that facilitate the exchange of virtual currency for fiat currency or other virtual currencies
- OTC desks: Entities that facilitate large-volume virtual currency transactions
- Payment processors: Entities that process virtual currency payments on behalf of merchants
- Certain wallet providers: Hosted wallet providers that have the ability to transmit funds on behalf of customers (unhosted wallet providers are generally not MSBs unless they provide additional services)
- Peer-to-peer exchangers: Individuals who exchange virtual currency as a business, even without a formal platform
Core BSA Obligations
Registration with FinCEN
All MSBs must register with FinCEN by filing FinCEN Form 107 within 180 days of beginning operations. Registration must be renewed every two years. Failure to register is a federal crime under 18 U.S.C. 1960, carrying penalties of up to 5 years imprisonment and fines.
AML Program Requirements
Every MSB must develop, implement, and maintain an effective AML program that includes:
- Internal policies, procedures, and controls designed to ensure ongoing compliance with the BSA
- Designation of a compliance officer responsible for ensuring day-to-day compliance
- Ongoing employee training on AML obligations, customer identification, suspicious activity detection, and record retention
- Independent review of the AML program by qualified parties (auditors, consultants, or internal audit function)
- Risk assessment that identifies and evaluates money laundering and terrorist financing risks based on the MSB’s products, services, customers, and geographic locations
Customer Identification and Verification (KYC)
While the BSA does not use the term “KYC” explicitly, FinCEN requires MSBs to verify customer identity for transactions at or above applicable thresholds. The scope of verification depends on the transaction type and risk level:
- Standard customer identification: Name, address, date of birth, and government-issued identification number for transactions at or above applicable thresholds
- Enhanced due diligence (EDD): Additional verification for high-risk customers, PEPs (politically exposed persons), and customers from high-risk jurisdictions
- Ongoing monitoring: Continuous transaction monitoring to detect suspicious patterns
Suspicious Activity Reports (SARs)
MSBs must file SARs with FinCEN for any transaction or pattern of transactions involving $2,000 or more that the MSB “knows, suspects, or has reason to suspect” involves:
- Funds derived from illegal activity or conducted to disguise funds derived from illegal activity
- A transaction designed to evade BSA reporting requirements
- A transaction that has no business or apparent lawful purpose
- A transaction involving the use of the MSB to facilitate criminal activity
SARs must be filed within 30 calendar days of detecting the suspicious activity. The filing is confidential — MSBs are prohibited from disclosing to the subject of the SAR that a filing has been made (the “tipping-off” prohibition).
Currency Transaction Reports (CTRs)
MSBs must file CTRs on FinCEN Form 112 for each transaction in currency (cash) exceeding $10,000 in a single day. While most crypto transactions do not involve physical currency, CTR requirements apply to cash-to-crypto and crypto-to-cash transactions at physical locations or ATMs.
Recordkeeping Requirements
BSA recordkeeping requirements for MSBs include:
- Transaction records: Maintain records of all transactions of $3,000 or more, including the name and address of the customer, the amount and nature of the transaction, and the date
- Identity records: Retain copies of identification documents used to verify customer identity
- Five-year retention: All records must be retained for five years from the date of the transaction
- Availability: Records must be available for inspection by FinCEN and law enforcement upon request
The Travel Rule
Application to Virtual Currency
FinCEN’s implementation of the FATF Travel Rule requires financial institutions, including MSBs, to collect, retain, and transmit certain information with funds transfers of $3,000 or more. For virtual currency transfers, this means:
The originating institution must collect and transmit:
- Name of the originator
- Account number of the originator (or virtual asset wallet address)
- Address of the originator
- Amount of the transfer
- Execution date
- Name and account number of the beneficiary
The receiving institution must:
- Receive and retain the originator information
- Verify that it has been provided
- Make it available to law enforcement upon request
Technical Implementation Challenges
The Travel Rule presents unique challenges for virtual currency:
- Unhosted wallets: Transfers to and from unhosted (self-hosted) wallets may not have a counterpart institution to receive Travel Rule data
- Interoperability: No universal standard exists for transmitting Travel Rule data between VASPs — competing protocols include TRISA, OpenVASP, Shyft, and Sygna
- Privacy coins: Privacy-enhancing cryptocurrencies may technically prevent compliance with Travel Rule requirements
- Threshold monitoring: The $3,000 threshold requires institutions to monitor the US dollar equivalent of crypto transfers in real time
FinCEN’s Proposed Unhosted Wallet Rule
FinCEN proposed a rule in 2020 (withdrawn and re-proposed in modified form) that would require MSBs to:
- Collect counterparty information for transactions with unhosted wallets exceeding $3,000
- File CTRs for transactions with unhosted wallets exceeding $10,000
- Maintain records of transactions with unhosted wallets between $3,000 and $10,000
This proposed rule has been one of the most controversial regulatory proposals in the crypto industry, with opponents arguing it is technically infeasible for many transaction types and would drive activity to non-compliant platforms.
OFAC Sanctions Compliance
Sanctions Screening Obligations
While OFAC (Office of Foreign Assets Control) operates separately from FinCEN, MSBs must implement sanctions compliance programs that include:
- Customer screening: Screening all customers against the SDN (Specially Designated Nationals) list and other OFAC sanctions lists
- Transaction screening: Screening virtual currency transactions for connections to sanctioned addresses
- Blockchain analytics: Using blockchain analytics tools to identify transactions linked to sanctioned entities, jurisdictions, or addresses
- Sanctions address lists: Monitoring OFAC’s published list of sanctioned virtual currency addresses
OFAC Enforcement in Crypto
OFAC has been increasingly active in the crypto space:
- Tornado Cash (2022): OFAC designated the Tornado Cash smart contract addresses as SDNs, marking the first sanctioning of an autonomous smart contract protocol. This designation was challenged in court, with the Fifth Circuit partially overturning it in 2024.
- Blender.io (2022): OFAC designated this cryptocurrency mixing service for facilitating North Korean money laundering
- Chatex (2021): OFAC designated this crypto exchange for facilitating ransomware payments
DeFi and FinCEN
Regulatory Uncertainty
The application of BSA requirements to DeFi protocols presents the most significant open question in FinCEN’s regulatory framework. Key issues include:
- Who is the MSB? When a smart contract facilitates virtual currency exchange without a centralized operator, who bears BSA obligations? FinCEN’s guidance suggests that developers, deployers, and governance token holders may be liable, but formal rulemaking has not resolved the question.
- Technical feasibility: Many DeFi protocols cannot technically implement KYC or SAR filing because they operate as permissionless smart contracts without user identity infrastructure
- 2023 Proposed Rule: FinCEN proposed expanding the definition of “financial institution” to explicitly include certain DeFi activities, but the final rule has been subject to extended comment periods and revisions
FinCEN’s Position
FinCEN has stated that the obligation to comply with BSA requirements exists regardless of the technology used to facilitate the transaction. In public statements, FinCEN leadership has indicated that:
- The use of smart contracts does not exempt activity from BSA requirements
- Persons who deploy, maintain, or profit from DeFi protocols may be liable as MSBs
- The “decentralized” label does not override the substance of the activity
Penalties for Non-Compliance
BSA violations carry severe penalties:
Civil Penalties
- Up to $293,052 per violation (adjusted for inflation) for negligent violations
- Up to the greater of $1,172,209 or twice the amount involved for willful violations
- Each day of a continuing violation may constitute a separate offense
Criminal Penalties
- Willful violation of the BSA: Up to 5 years imprisonment and a $250,000 fine
- Operating an unlicensed MSB (18 U.S.C. 1960): Up to 5 years imprisonment
- Structuring transactions to evade reporting: Up to 10 years imprisonment
- Money laundering (18 U.S.C. 1956): Up to 20 years imprisonment and a $500,000 fine
Notable Enforcement Actions
- Binance (2023): $4.3 billion in penalties (combined FinCEN, OFAC, and DOJ) for systematic AML failures, as detailed in the US federal crypto enforcement tracker
- BitMEX (2022): $100 million in penalties for operating without an AML program
- BTC-e (2017): $110 million penalty and criminal conviction of operator Alexander Vinnik
What This Means for Your Business
For exchanges and platforms: BSA compliance is the non-negotiable baseline for operating in the US. Build your AML program before launching — retroactive compliance after enforcement action is catastrophically more expensive. Budget for compliance technology (blockchain analytics, transaction monitoring, sanctions screening) as a core operating cost, not an afterthought.
For DeFi developers: FinCEN’s posture toward DeFi is evolving but clearly hostile to the notion that decentralization creates a compliance exemption, a theme echoed in the broader CFTC digital commodity regulation landscape. If you develop, deploy, or profit from a protocol that facilitates virtual currency exchange, evaluate your potential BSA obligations with qualified counsel.
For compliance officers: Focus on risk-based program design. FinCEN expects your AML program to be calibrated to your actual risk profile — cookie-cutter programs are insufficient. Invest in training, independent review, and regular risk assessment updates. SAR filing quality matters — FinCEN tracks narrative quality and completeness.
For institutional investors: Verify that your counterparties — exchanges, custodians, and OTC desks — maintain robust BSA compliance programs. Due diligence on counterparty AML practices is increasingly expected by regulators and is essential for risk management.