Anti-money-laundering (AML) and counter-financing-of-terrorism (CFT) rules are the reason KYC exists. They are also the least understood layer of the crypto ecosystem for everyday users, who see the paperwork without seeing the framework that produces it. This guide maps that framework neutrally.
1. The Financial Action Task Force. The FATF is an intergovernmental body that publishes 40 Recommendations forming the backbone of AML/CFT law worldwide. Its Travel Rule — Recommendation 16 — requires virtual asset service providers to collect and transmit originator and beneficiary information on transfers above a defined threshold, usually USD 1,000. Every major jurisdiction that hosts a licensed crypto exchange has translated FATF recommendations into local statute.
2. Regional implementations. In the United States, FinCEN oversees Bank Secrecy Act compliance and requires MSBs — including most crypto venues — to register and file suspicious activity reports. In the EU, AMLD5 brought virtual asset providers into scope and MiCA is layering on a full authorization regime through 2025 and 2026. The UK's FCA operates a dedicated crypto-asset registration list. Singapore, Japan, Hong Kong, the UAE, and Switzerland each maintain their own equivalents.
3. Customer Due Diligence. CDD is the operational term for what most users experience as KYC: identity verification, sanctions screening, PEP screening, and beneficial-ownership disclosure. Enhanced Due Diligence (EDD) adds source-of-funds documentation, transaction-purpose statements, and adverse-media checks for higher-risk profiles.
4. Transaction monitoring. Once a user is onboarded, licensed venues run continuous transaction monitoring — rules-based and, increasingly, machine-learning models — to flag patterns that resemble structuring, layering, or high-risk counterparty exposure. A flagged transaction triggers an internal review, and, if warranted, a suspicious activity report to the relevant financial-intelligence unit.
5. Sanctions screening. Every user and every counterparty is screened against OFAC, EU consolidated sanctions, UN sanctions, and comparable lists at onboarding and on an ongoing basis. Matches trigger an immediate hold and, in most cases, a mandatory report. Sanctions screening is one of the most heavily enforced areas of AML/CFT — fines routinely reach the hundreds of millions.
6. The Travel Rule in practice. When a verified user sends assets to another exchange, the sending venue must transmit the originator's identity and account information to the receiving venue if the transfer exceeds the threshold. Industry protocols like TRP, IVMS 101, and Notabene have emerged to standardize this exchange.
7. Why this matters to individual users. AML/CFT rules explain almost every friction point a user encounters: why address verification takes days, why a large withdrawal triggers a source-of-funds request, why a deposit from an unhosted wallet asks for a self-declaration, and why a support ticket about a paused withdrawal gets a formal, cautious response. Each of these frictions maps to a specific regulatory obligation.
8. The evolving landscape. Regulation is tightening. MiCA in the EU, the digital asset frameworks emerging in the UK and US, and the FATF's ongoing revisions all point toward broader Travel Rule scope, lower thresholds, and more granular reporting. Users who understand the direction of travel can anticipate friction rather than being surprised by it.
AML and CFT are not obstacles invented by exchanges — they are the legal architecture that makes regulated crypto markets possible. Reading verification requirements through that lens turns paperwork into information about how the ecosystem actually functions.
