AML regulations in crypto: how anti-money laundering rules apply to exchanges

Anti-money laundering regulations apply to crypto exchanges and financial services the same way they apply to banks, and since 2020, enforcement has grown dramatically. Binance paid a $4.3 billion settlement with US regulators in 2023, the largest in crypto history. Coinbase, Kraken, BitMEX, and others have all faced regulatory action. Understanding AML in crypto matters whether you’re using exchanges or building in the space, and knowing what triggers compliance reviews can save significant headaches.

What is AML in cryptocurrency and how does it apply to exchanges?

Anti-Money Laundering (AML) regulations require financial services companies to detect and report suspicious activity that might represent money laundering, terrorist financing, or other financial crimes. In crypto, the primary regulatory frameworks are:

  • Bank Secrecy Act (BSA): US exchanges are Money Services Businesses (MSBs) registered with FinCEN. They are required to implement AML programs, file Suspicious Activity Reports (SARs), and comply with Currency Transaction Report requirements for large transactions.
  • FATF Travel Rule: Financial Action Task Force guidance (adopted into law by most major jurisdictions) requires exchanges to transmit sender and receiver information for crypto transfers above $3,000 (US) or €1,000 (EU). VASP-to-VASP transfers must include originator and beneficiary information, similar to wire transfer regulations.
  • MiCA (EU): The Markets in Crypto-Assets regulation, effective 2024-2025, imposes AML obligations on crypto-asset service providers in the EU including transaction monitoring, beneficial ownership records, and suspicious transaction reporting.
  • OFAC sanctions screening: US exchanges are required to screen transactions against OFAC’s Specially Designated Nationals list, and block transactions involving sanctioned addresses. Chainalysis and Elliptic provide blockchain analytics tools for this screening.

How do crypto exchanges implement AML monitoring?

  • Transaction monitoring: Automated systems flag transactions above thresholds, structuring patterns (multiple just-below-threshold transactions), interactions with high-risk addresses (mixers, darknet markets, sanctioned entities), and unusual transaction volume for a customer’s history.
  • Blockchain analytics: Chainalysis, Elliptic, and TRM Labs trace transaction history through the blockchain, categorizing wallet clusters by their association with exchanges, DeFi, gambling, mixers, or illicit activity. A deposit from an address associated with a darknet market triggers review regardless of the dollar amount.
  • Enhanced due diligence: High-value customers, customers from high-risk jurisdictions, PEPs (Politically Exposed Persons: politicians and government officials), and unusual account activity trigger additional document requests and manual review.
  • SAR filing: US exchanges filed record numbers of SARs to FinCEN in 2023-2024. SARs are not public but feed into law enforcement databases used for financial crime investigations.
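
The transaction-monitoring rules listed above, sketched as a small rule engine. This is an added example, not any exchange's or vendor's code; the threshold, the window, the "just below" band, the volume factor, the address labels and the sample transactions are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative tuning values (assumptions for this example, not from the page).
THRESHOLD = 10_000             # single-transaction flag level, USD
NEAR_BAND = 0.8                # "just below" means 80%-100% of THRESHOLD
WINDOW = timedelta(hours=24)   # look-back window for structuring
MIN_NEAR = 3                   # near-threshold transactions needed to flag
VOLUME_FACTOR = 5              # flag amounts above 5x the customer's median
HIGH_RISK = {"addr_mixer_1", "addr_market_1"}  # constructed analytics labels

def monitor(transactions, history_median):
    """Return {tx_id: [reasons]}; transactions must be sorted by time."""
    alerts = defaultdict(list)
    near = defaultdict(list)   # customer -> [(time, tx_id)] near-threshold txs
    for tx in transactions:
        cust, usd, when = tx["customer"], tx["usd"], tx["time"]
        if usd >= THRESHOLD:
            alerts[tx["id"]].append("over_threshold")
        elif usd >= NEAR_BAND * THRESHOLD:
            # Keep only near-threshold transactions still inside the window.
            near[cust] = [(t, i) for t, i in near[cust] if when - t <= WINDOW]
            near[cust].append((when, tx["id"]))
            if len(near[cust]) >= MIN_NEAR:
                for _, i in near[cust]:
                    if "structuring" not in alerts[i]:
                        alerts[i].append("structuring")
        # Counterparty risk applies regardless of the dollar amount.
        if tx["counterparty"] in HIGH_RISK:
            alerts[tx["id"]].append("high_risk_counterparty")
        median = history_median.get(cust)
        if median and usd > VOLUME_FACTOR * median:
            alerts[tx["id"]].append("unusual_volume")
    return dict(alerts)

def sample_tx(i, cust, hours, usd, cp):
    """Build one constructed sample transaction."""
    t0 = datetime(2024, 1, 1, 9, 0)
    return {"id": i, "customer": cust, "time": t0 + timedelta(hours=hours),
            "usd": usd, "counterparty": cp}

# Constructed sample data: c1 structures, c2 touches a mixer, c3 spikes.
SAMPLE = [sample_tx("t1", "c1", 0, 9_500, "addr_a"),
          sample_tx("t2", "c1", 3, 9_200, "addr_b"),
          sample_tx("t3", "c1", 6, 9_800, "addr_c"),
          sample_tx("t4", "c2", 7, 40, "addr_mixer_1"),
          sample_tx("t5", "c3", 8, 12_000, "addr_d")]
HISTORY = {"c1": 9_000, "c2": 50, "c3": 500}
```

In the sample, the $40 deposit from the labelled mixer address is flagged while each of customer c1's individual deposits would pass a simple threshold check; only the windowed count exposes the pattern.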

What does the Tornado Cash sanction mean for AML in DeFi?

In August 2022, the US Treasury’s OFAC sanctioned Tornado Cash, an Ethereum privacy mixer. This was unprecedented: sanctioning a protocol (smart contract code) rather than a company or individual. Key consequences:

  • US persons are prohibited from interacting with Tornado Cash smart contract addresses
  • The sanctioning of immutable code created a legal and philosophical controversy: can code be the property of an entity that can be sanctioned?
  • The 5th Circuit Court of Appeals ruled in 2024 that immutable Tornado Cash contracts cannot be sanctioned as “property”, a significant legal win for the crypto privacy space
  • The case established that DeFi protocols face novel regulatory challenges that existing sanction frameworks weren’t designed for
  • For compliance purposes: any DeFi application that screens for OFAC sanctions must block addresses known to have interacted with sanctioned entities; Aave, Uniswap, and others block sanctioned addresses from connecting to their front-end interfaces

Frequently Asked Questions

Does using crypto make you subject to AML laws?

Individual crypto users are generally not subject to direct AML compliance obligations; those apply to exchanges, custodians, and other financial service providers. However, transactions with clearly criminal intent (drug purchases, sanctions evasion, ransomware payments) are criminal regardless of the payment method. And if your exchange flags your account for suspicious activity based on transaction patterns, you may face account freezing, enhanced verification requests, or SAR filings that could draw law enforcement attention, even if your activity is legal.

Can crypto transactions be traced by regulators?

For Bitcoin and Ethereum, yes: blockchain analytics firms (Chainalysis, Elliptic, TRM Labs) have become sophisticated at tracing on-chain activity. Government agencies including the IRS, FBI, and DOJ contract with these firms and have successfully traced and seized crypto from ransomware operators, darknet markets, and exchange hackers. The claim that “crypto is anonymous” is inaccurate for transparent-ledger blockchains: it’s pseudonymous, and pseudonymity breaks once your real identity is linked to a wallet (via exchange KYC, IP address tracking, or on-chain clustering). Privacy coins (Monero) offer stronger anonymity, which is why they’ve been delisted from regulated exchanges.

What triggered Binance’s $4.3 billion AML settlement?

The November 2023 DOJ, FinCEN, and OFAC settlement found Binance had knowingly allowed sanctioned entities (Iranian, Russian, North Korean users), darknet market users, and ransomware operators to use the platform. Binance willfully violated the BSA by failing to implement effective AML programs while processing $898 million in transactions with sanctioned entities. Changpeng Zhao pleaded guilty and resigned. Binance retained a compliance monitor for 5 years and agreed to a $4.3B settlement. The case established that scale and global reach don’t exempt crypto exchanges from the same AML obligations as traditional financial institutions.