Crypto exchanges now operate under supervisory expectations that look increasingly similar to those applied to traditional financial institutions, especially where jurisdictions have implemented the FATF Recommendations into domestic law. Platforms that treat AML as a documentation exercise rather than a core risk‑management function are finding themselves at the center of enforcement cases, de‑risking by banking partners, and loss of regulatory goodwill. Moving beyond checkbox compliance means embedding a genuinely risk‑based approach into customer due diligence, transaction monitoring, sanctions compliance, reporting, and record‑keeping for virtual assets.

Embedding a Risk-Based KYC and CDD Framework

FATF’s risk‑based approach (RBA) requires firms to identify, assess, and understand their money laundering and terrorist financing risks, and then apply commensurate mitigation measures, rather than identical controls for all customers and products. For crypto exchanges, this means segmenting customers into risk tiers—such as low, standard, and high risk—based on attributes including geography, product usage, delivery channels, and behavioral patterns, and then calibrating KYC requirements accordingly.

Basic tiers might allow limited functionality against simplified identification standards where national rules permit simplified due diligence, while standard tiers apply full CDD, including verification of identity and, where relevant, beneficial ownership. High‑risk tiers, which should capture PEPs, higher‑risk jurisdictions, complex ownership structures, and certain product combinations, require Enhanced Due Diligence (EDD), including explicit source‑of‑funds (SOF) checks, source‑of‑wealth (SOW) documentation where appropriate, and senior management approval to onboard or retain such relationships. When exchanges deploy EDD only after a regulatory finding—or after media exposure of a failure—it signals reactive compliance and undermines supervisory confidence in the entire control framework.

Dynamic Risk Scoring and Ongoing Monitoring

Static onboarding scores are fundamentally inconsistent with an RBA because customer risk changes over time as transaction volumes, counterparties, and use‑cases evolve. Exchanges therefore need dynamic risk‑scoring engines that incorporate transactional behavior, peer‑group benchmarks, sanctions and adverse media signals, and product shifts to adjust risk ratings over the life cycle of the relationship. Risk rating changes should be governed by clear methodologies, documented rationales, and periodic validation to avoid both over‑sensitivity (excessive false positives) and under‑sensitivity (missed risk).

Ongoing monitoring must go beyond generic rules imported from banking to address crypto‑specific typologies, such as rapid in‑and‑out flows via mixers, chain‑hopping, layering through privacy coins, and exposure to dark‑web markets. Scenario rules and machine‑learning‑based models can be deployed in combination, but both require regular tuning, back‑testing, and performance metrics that track alert conversion rates, investigation times, and true‑positive ratios. Without governance over model and rule changes, exchanges risk drift from regulatory expectations and may be unable to explain their monitoring logic during supervisory inspections.
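The following is an added illustration, not code from the article or from any exchange's monitoring stack, of how the dynamic rescoring and crypto-specific scenario rules described above fit together: a customer's risk rating is derived at onboarding, adjusted from observed behaviour, every rating change is logged with a rationale so it can be reconstructed later, and alert dispositions feed the tuning metrics the text mentions. All weights, tier thresholds, counterparty labels and transactions are constructed for the example and would be replaced by a firm's own documented methodology.

```python
"""Added example: minimal dynamic risk scoring and monitoring for a VASP.
All score weights, thresholds and sample data are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COUNTRY_SCORE = {"low": 0, "medium": 20, "high": 50}  # hypothetical weights
PEP_SCORE = 60
PRIVACY_COIN_SCORE = 20
HIGH_RISK_TAGS = {"mixer", "darknet"}  # constructed counterparty labels


@dataclass
class Tx:
    ts: datetime
    direction: str         # "in" or "out"
    amount: float
    counterparty_tag: str  # e.g. "exchange", "mixer", "darknet", "unknown"


@dataclass
class Customer:
    customer_id: str
    country_risk: str
    is_pep: bool
    products: set
    score: int = 0
    tier: str = "low"
    rating_log: list = field(default_factory=list)  # documented rating changes


def tier_for(score):
    """Map a numeric score onto the low/standard/high tiers (hypothetical cut-offs)."""
    return "high" if score >= 70 else "standard" if score >= 30 else "low"


def set_rating(c, ts, new_score, rationale):
    """Apply a score change and record when, from what, to what and why."""
    old = (c.score, c.tier)
    c.score, c.tier = new_score, tier_for(new_score)
    c.rating_log.append({"ts": ts.isoformat(), "from": old,
                         "to": (c.score, c.tier), "why": rationale})


def onboarding_score(c, ts):
    """Static onboarding score from geography, PEP status and product mix."""
    s, reasons = COUNTRY_SCORE[c.country_risk], [f"country_risk={c.country_risk}"]
    if c.is_pep:
        s += PEP_SCORE
        reasons.append("PEP")
    if "privacy_coin" in c.products:
        s += PRIVACY_COIN_SCORE
        reasons.append("privacy_coin product")
    set_rating(c, ts, s, "onboarding: " + ", ".join(reasons))
    return c.tier


def rapid_in_out(txs, window=timedelta(hours=1), ratio=0.9):
    """Scenario rule: inbound transfer followed within `window` by an outbound
    transfer of at least `ratio` of its amount. `txs` must be sorted by ts."""
    hits = []
    for i, t in enumerate(txs):
        if t.direction != "in":
            continue
        for u in txs[i + 1:]:
            if u.ts - t.ts > window:
                break
            if u.direction == "out" and u.amount >= ratio * t.amount:
                hits.append((t.ts, u.ts))
                break
    return hits


def rescore(c, txs):
    """Ongoing monitoring: adjust the rating from behaviour and return alerts."""
    alerts = []
    tags = {t.counterparty_tag for t in txs} & HIGH_RISK_TAGS
    if tags:
        alerts.append(("high_risk_counterparty", sorted(tags)))
        set_rating(c, txs[-1].ts, c.score + 30, f"exposure to {sorted(tags)}")
    hits = rapid_in_out(txs)
    if hits:
        alerts.append(("rapid_in_out", hits))
        set_rating(c, txs[-1].ts, c.score + 25, f"{len(hits)} rapid in-and-out flow(s)")
    return alerts


def alert_metrics(dispositions):
    """Tuning metrics from analyst outcomes; each item is (alert_type, outcome)
    with outcome in {"false_positive", "escalated", "sar_filed"}."""
    n = len(dispositions)
    tp = sum(o != "false_positive" for _, o in dispositions)
    sar = sum(o == "sar_filed" for _, o in dispositions)
    return {"alerts": n,
            "true_positive_ratio": tp / n if n else 0.0,
            "sar_conversion": sar / n if n else 0.0}


def demo():
    """Constructed walk-through: a low-risk onboarding that drifts to high risk."""
    t0 = datetime(2024, 1, 1, 9, 0)
    cust = Customer("C-001", country_risk="medium", is_pep=False, products={"spot"})
    onboarding_score(cust, t0)  # 20 -> "low"
    txs = [Tx(t0 + timedelta(days=3), "in", 10_000, "exchange"),
           Tx(t0 + timedelta(days=3, minutes=20), "out", 9_800, "mixer"),
           Tx(t0 + timedelta(days=4), "in", 500, "unknown")]
    alerts = rescore(cust, txs)  # +30 mixer exposure, +25 rapid in-out -> 75 "high"
    return cust, alerts


if __name__ == "__main__":
    c, a = demo()
    print(c.tier, c.score, a)
    for entry in c.rating_log:
        print(entry)
```

The point of `rating_log` is the governance requirement in the text: an examiner should be able to see not only that a customer is "high" today but which rule or attribute moved the score, and when. `alert_metrics` is the kind of figure a rule owner would review before loosening or tightening `window` and `ratio`.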

Sanctions Screening, PEP Management, and the Travel Rule

As regulators extend sanctions, proliferation‑financing, and targeted human‑rights regimes to cover virtual assets, sanctions screening has become a non‑negotiable core control for VASPs. Leading exchanges implement multi‑layered screening programs that cover customer data, beneficial owners where applicable, and on‑chain wallet addresses, with continuous screening against updated sanctions lists, PEP databases, and relevant watchlists. FATF guidance on PEPs emphasizes the need for EDD, senior management approval, and enhanced ongoing monitoring for PEP customers and their close associates, which applies equally in the virtual asset context.

The Travel Rule—FATF Recommendation 16 applied to virtual assets—requires that originator and beneficiary information be collected and transmitted for qualifying transfers between VASPs, subject to local implementation. This is not simply a technical messaging requirement; it is an integral part of AML controls, enabling exchanges and authorities to trace value flows, disrupt cross‑border ML networks, and detect sanctionable activity. Exchanges that treat the Travel Rule as an afterthought or defer implementation until enforcement looms risk being classified as weak links in the cross‑border AML chain by both regulators and counterparties.

Suspicious Activity Reporting and Internal Escalation

Suspicious Transaction/Activity Reports (STRs/SARs) are central to the AML ecosystem because they feed national Financial Intelligence Units (FIUs) with operationally useful information. Going beyond checkbox compliance means building a structured internal escalation framework: front‑line teams and automated systems generate alerts; investigators apply consistent typology‑driven analysis; and decision‑makers document whether to file, and why, in a central SAR register.

Clear timelines aligned with national reporting requirements are critical, as late or incomplete filings are recurring themes in enforcement actions across the financial sector. Training programs should cover not only legal thresholds but also practical red flags for crypto‑specific typologies, ensuring that staff understand when to escalate and how to articulate suspicion in narratives. Where staff are unaware of SAR obligations or rely on informal discussions instead of structured processes, examiners will often conclude that the institution lacks an effective AML program irrespective of how sophisticated its technology stack appears.

Record Keeping, Data Governance, and Regulator-Ready Evidence

FATF standards and many national frameworks require retention of CDD information, transaction records, and STR/SAR documentation for at least five years, often longer where investigations are ongoing. For exchanges, this extends to logs of KYC verification steps, risk assessments and changes, screening results and resolutions, monitoring alerts and investigations, SAR decisions, and training records, all held in a secure and retrievable format.

Good record keeping is not merely an archival requirement; it is what allows a firm to evidence that controls operated as designed, to defend itself during reviews, and to support law‑enforcement investigations. Fragmented documentation, inconsistent data fields across systems, and the inability to reconstruct why decisions were taken at particular points in time are red flags for supervisors assessing whether the AML framework is effectively implemented. Data‑governance practices—covering data lineage, quality assurance, access control, and privacy—are increasingly seen as integral to AML effectiveness assessments rather than purely operational concerns.

Culture, Governance, and Supervisory Engagement

Beyond policies and systems, supervisors focus on governance—how AML risk is owned, overseen, and resourced at the board and senior management level. Exchanges that move beyond checkbox compliance typically have risk appetite statements that explicitly address ML/TF and sanctions risk, regular reporting on key AML metrics to the board, and independent assurance through internal audit or external reviews.

Culture is visible in how quickly issues are escalated, whether compliance has a seat at the product‑design table, and whether commercial objectives can override risk decisions without formal challenge. Constructive engagement with regulators—through transparent dialogue, timely self‑disclosure of material issues, and proactive enhancement of controls in response to thematic findings—often differentiates platforms that are allowed to grow from those that face restrictions or license withdrawals. Ultimately, crypto exchanges that internalize AML as a strategic differentiator can access better banking relationships, institutional clients, and cross‑border partnerships than those that view it solely as a cost center.

Recommendations – Summing it up

  • Align KYC and AML frameworks with the FATF risk‑based approach, not one‑size‑fits‑all controls.
  • Define clear risk tiers (low, standard, high) and map each tier to specific, documented CDD and EDD requirements.
  • Implement dynamic risk scoring that updates customer risk ratings based on behavior, volumes, and counterparties over time.
  • Tailor transaction‑monitoring rules to crypto‑specific typologies such as mixers, chain‑hopping, and high‑risk darknet exposure.
  • Run continuous sanctions and PEP screening on customers, beneficial owners, and relevant wallet addresses with documented case handling.
  • Operationalize the Travel Rule for eligible virtual‑asset transfers, integrating it into both compliance and technical workflows.
  • Build a structured SAR/STR escalation process with clear thresholds, timelines, and a central, auditable case register.
  • Maintain robust record‑keeping and data governance so every risk decision, alert, and filing can be evidenced to supervisors.
  • Strengthen governance by giving compliance a formal voice in product design, risk appetite setting, and strategic decisions.
  • Treat AML capability as a commercial differentiator—key to banking relationships, institutional clients, and regulatory trust—rather than a pure cost.

Glossary

  • AML (Anti‑Money Laundering): A framework of laws, regulations, and internal controls designed to prevent and detect the concealment of criminal proceeds and the financing of terrorism.[fatf-gafi]
  • CDD (Customer Due Diligence): The process of identifying and verifying customers, understanding the nature of the business relationship, and conducting ongoing monitoring to ensure activities are consistent with risk profiles.[fatf-gafi]
  • EDD (Enhanced Due Diligence): Additional, more intrusive measures applied to higher‑risk customers or situations, such as PEPs or high‑risk jurisdictions, including detailed SOF/SOW checks and senior management approvals.[lexisnexis]
  • FATF (Financial Action Task Force): An inter‑governmental body that sets international standards for combating money laundering, terrorist financing, and proliferation financing through its Recommendations.[fatf-gafi]
  • FIU (Financial Intelligence Unit): A national agency responsible for receiving, analyzing, and disseminating STRs/SARs and related information to competent authorities.[fatf-gafi]
  • KYC (Know Your Customer): The customer identification and verification component of CDD, often used as shorthand for the broader suite of onboarding due‑diligence activities.[fatf-gafi]
  • PEP (Politically Exposed Person): An individual entrusted with a prominent public function, along with their close family members and associates, who presents elevated corruption and ML/TF risk and requires EDD.[lexisnexis]
  • STR/SAR (Suspicious Transaction/Activity Report): A report submitted to the FIU when a transaction or pattern of behavior gives rise to knowledge, suspicion, or reasonable grounds to suspect ML/TF or other predicate offences.[fatf-gafi]
  • Travel Rule (FATF Recommendation 16): A requirement that certain originator and beneficiary information accompany qualifying funds and virtual‑asset transfers between institutions or VASPs, to support traceability and sanctions/AML screening.[fatf-gafi]
  • VASP (Virtual Asset Service Provider): A business that conducts activities such as exchange between virtual assets and fiat, exchange between virtual assets, transfer, safekeeping, and participation in financial services related to an issuer’s offer or sale of a virtual asset.[fatf-gafi]

Discover more from SUNANDO ROY – On Banking, Finance and Society