The crypto industry's compliance landscape has undergone a fundamental transformation. What began as a largely unregulated frontier has become one of the most intensely scrutinised sectors in financial services. By 2026, the convergence of FATF standards, EU regulation through MiCA and the AML package, and aggressive enforcement actions has created a compliance environment where the cost of non-compliance far exceeds the cost of building robust AML programmes.
This guide covers the specific AML obligations facing crypto businesses in 2026: not theoretical frameworks, but the practical requirements that regulators are actively enforcing and the gaps that continue to trip up even well-resourced firms.
The Travel Rule: Where Implementation Still Falls Short
FATF Recommendation 16 (the Travel Rule) requires that originator and beneficiary information travel with virtual asset transfers, mirroring the requirements that have existed in traditional wire transfers for decades. The principle is straightforward. The implementation has been anything but.
What the Travel Rule Requires
For crypto transfers, the originating VASP must collect and transmit to the beneficiary VASP: the originator's name, account number (wallet address), and physical address (or national identity number, or customer identification number, or date and place of birth). The beneficiary VASP must collect: the beneficiary's name and account number. This information must be transmitted immediately and securely alongside or before the transfer settles.
The Persistent Implementation Gaps
Despite years of development, Travel Rule compliance remains inconsistent across jurisdictions. The core problems:
- No universal messaging protocol: Multiple competing solutions exist (TRISA, TRP [Travel Rule Protocol by Notabene], OpenVASP, Sygna Bridge), but no single protocol has achieved universal adoption. VASPs using different protocols cannot communicate seamlessly, creating interoperability failures that result in incomplete data transmission.
- Jurisdiction gaps: Not all countries have implemented the Travel Rule for virtual assets. When a VASP in a compliant jurisdiction sends funds to a VASP in a non-compliant jurisdiction, the originating VASP faces a compliance dilemma: block the transfer, proceed without counterparty data, or attempt manual information exchange.
- Unhosted wallet transfers: Transfers to and from self-custodied wallets (not held at a VASP) present the most significant challenge. The EU's Transfer of Funds Regulation recast requires CASPs to collect originator information for all transfers, including those involving unhosted wallets above €1,000. In practice, verifying that information for a self-custodied wallet is technically difficult and operationally burdensome.
- Threshold inconsistencies: FATF recommends applying the Travel Rule to transfers of $1,000/€1,000 or more, but national implementations vary. Some jurisdictions apply no threshold (all transfers), others use higher thresholds. This creates arbitrage opportunities and compliance uncertainty for cross-border transfers.
For a deeper dive into Travel Rule implementation strategies, see our FATF Travel Rule compliance guide.
MiCA: VASP Registration and Operational Requirements
The Markets in Crypto-Assets Regulation (MiCA) entered full application in December 2024 for crypto-asset service providers (CASPs), following the stablecoin provisions that applied from June 2024. By April 2026, the transitional period for existing operators has ended in most member states, and the full regulatory framework is operational.
CASP Authorisation Under MiCA
MiCA requires any entity providing crypto-asset services in the EU to obtain authorisation from the national competent authority (NCA) of its home member state. Crypto-asset services include: custody and administration of crypto-assets, operation of a trading platform, exchange of crypto-assets for funds or other crypto-assets, execution of orders, placing of crypto-assets, providing advice, and portfolio management.
The authorisation requirements include:
- Prudential requirements: Minimum own funds ranging from €50,000 to €150,000 depending on the service category, plus the higher of the fixed overhead requirement or a percentage of client assets under custody.
- Governance: Management body members must meet fit-and-proper requirements including good repute, knowledge, skills, and experience. At least one member of the management body must be resident in the EU.
- AML/CFT compliance: Full compliance with AMLD requirements, including customer due diligence, ongoing monitoring, suspicious transaction reporting, and record-keeping. MiCA's authorisation process specifically verifies AML programme adequacy.
- Operational resilience: Business continuity plans, ICT security requirements (aligned with DORA for systemically significant CASPs), and client asset segregation.
- Consumer protection: Complaints handling procedures, conflicts of interest policies, and marketing communication standards.
Our comprehensive MiCA compliance guide for 2026 covers the full authorisation process and ongoing obligations in detail.
FATF 40 Recommendations: The 2025 Update
FATF completed its latest revision of the 40 Recommendations in 2025, with significant implications for the virtual asset sector. The key changes relevant to crypto AML:
Expanded VASP Definition
The updated Recommendation 15 and its interpretive note expand the definition of VASP to explicitly cover DeFi protocols that have identifiable controllers or governance structures, NFT platforms where NFTs function as payment instruments or investment vehicles, and cross-chain bridge operators. This expansion addresses the regulatory arbitrage that has existed since the original 2019 VASP guidance, where protocols structured as "decentralised" avoided VASP classification despite having identifiable teams, governance tokens, and treasury functions.
Strengthened Mutual Evaluation Criteria
FATF's mutual evaluation methodology now explicitly assesses whether jurisdictions have implemented effective supervision of VASPs. Countries that fail to demonstrate effective VASP supervision risk being added to the increased monitoring list (the "grey list"), which carries significant consequences for their financial sector's correspondent banking relationships.
Peer-to-Peer Transaction Guidance
The updated guidance acknowledges that peer-to-peer crypto transactions (between two unhosted wallets) cannot be directly regulated through VASP-focused rules. Instead, FATF recommends that jurisdictions implement: reporting requirements for on-ramp and off-ramp transactions that may involve P2P activity, blockchain analytics requirements for VASPs to identify patterns suggesting P2P use for money laundering, and consideration of whether large-scale P2P activity constitutes unlicensed money transmission.
6AMLD and Crypto: Criminal Liability Expansion
The Sixth Anti-Money Laundering Directive (6AMLD), which EU member states were required to transpose by December 2020, expanded the scope of money laundering criminal liability in ways that directly affect the crypto sector.
Key 6AMLD provisions relevant to crypto:
- 22 harmonised predicate offences: Including cybercrime, which encompasses many crypto-specific illicit activities. This means that aiding or facilitating money laundering involving proceeds of cybercrime (ransomware payments, exchange hacks, cryptojacking) carries criminal penalties across all EU member states.
- Criminal liability for legal persons: Crypto businesses, not just individuals, can face criminal prosecution for money laundering. A VASP that fails to implement adequate controls and thereby facilitates money laundering faces corporate criminal liability.
- Self-laundering criminalisation: 6AMLD criminalises self-laundering (laundering the proceeds of one's own crime) across the EU. This closes a gap that previously existed in some member states and is particularly relevant for crypto-native crime where the perpetrator directly converts proceeds through exchanges.
- Minimum penalties: 6AMLD establishes a minimum maximum penalty of four years' imprisonment for money laundering, with aggravated offences carrying higher minimums. The harmonisation means that there is no longer a "soft jurisdiction" within the EU for money laundering prosecution.
Transaction Monitoring for Crypto
Effective transaction monitoring is the operational core of crypto AML compliance. Unlike traditional banking, where transaction monitoring relies on structured payment data, crypto transaction monitoring must account for the unique characteristics of blockchain transactions.
On-Chain Monitoring Requirements
A comprehensive crypto transaction monitoring programme must include:
- Wallet screening: Real-time screening of deposit and withdrawal addresses against sanctions lists, darknet market addresses, mixing service addresses, and addresses associated with known illicit activity. This requires integration with blockchain analytics providers (Chainalysis, Elliptic, TRM Labs, or equivalent).
- Transaction pattern analysis: Automated detection of structuring (splitting transactions to avoid thresholds), rapid movement through multiple wallets (layering), interaction with high-risk services (mixers, privacy coins, cross-chain bridges to privacy chains), and unusual transaction volumes relative to customer profile.
- Cross-chain tracking: As users increasingly move assets across multiple blockchains via bridges, monitoring must extend beyond a single chain. A user who deposits Bitcoin, bridges to Ethereum via Wrapped BTC, swaps to USDT, and withdraws on Tron is executing a layering sequence that single-chain monitoring would miss.
- DeFi interaction monitoring: Tracking customer interactions with DeFi protocols flagged for illicit activity, including sanctioned protocols like Tornado Cash and its forks.
Red Flags for Suspicious Activity
FATF and national FIUs have published extensive crypto-specific red flag indicators. The most operationally relevant:
- Transactions involving addresses linked to darknet markets, ransomware, or scam campaigns
- Use of mixing or tumbling services immediately before or after transacting with the VASP
- Rapid movement of funds through the platform with no apparent economic purpose
- Inconsistency between the customer's stated source of funds and their on-chain transaction history
- Multiple accounts funded from the same external wallet or cluster
- Transactions structured just below reporting or Travel Rule thresholds
- Use of privacy coins (Monero, Zcash shielded transactions) for deposits followed by rapid conversion to mainstream assets
- Deposits from jurisdictions on FATF's grey or black list with immediate conversion and withdrawal
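Two of the indicators above (transactions structured just below a threshold, and multiple accounts funded from the same external wallet) expressed as detection rules. This is an added example, not code from the original page or from any analytics vendor; the record layout, the 10% "just below" band, the 24-hour window and the minimum counts are assumptions for illustration, and only the €1,000 threshold comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD_EUR = 1000           # Travel Rule threshold cited on this page
NEAR_BAND = 0.10               # assumption: "just below" = within 10% under the threshold
WINDOW = timedelta(hours=24)   # assumption: aggregation window per customer

# Constructed sample transfers: (customer, external wallet, direction, EUR value, UTC time)
TRANSFERS = [
    ("cust-A", "wallet-1", "out", 980, "2026-03-01T09:00"),
    ("cust-A", "wallet-1", "out", 950, "2026-03-01T11:30"),
    ("cust-A", "wallet-1", "out", 990, "2026-03-01T15:10"),
    ("cust-B", "wallet-2", "out", 400, "2026-03-01T10:00"),
    ("cust-B", "wallet-2", "out", 2500, "2026-03-02T10:00"),
    ("cust-C", "wallet-9", "in", 300, "2026-03-01T08:00"),
    ("cust-D", "wallet-9", "in", 320, "2026-03-01T08:05"),
    ("cust-E", "wallet-9", "in", 310, "2026-03-01T08:20"),
]

def structuring_alerts(transfers, min_count=3):
    """Flag customers with >= min_count transfers just under the threshold inside WINDOW."""
    near = defaultdict(list)
    for cust, _wallet, _direction, eur, ts in transfers:
        if THRESHOLD_EUR * (1 - NEAR_BAND) <= eur < THRESHOLD_EUR:
            near[cust].append((datetime.fromisoformat(ts), eur))
    alerts = {}
    for cust, rows in near.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # Sliding window: every near-threshold transfer within WINDOW of this one
            hits = [eur for t, eur in rows[i:] if t - start <= WINDOW]
            if len(hits) >= min_count:
                alerts[cust] = {"count": len(hits), "total_eur": sum(hits)}
                break
    return alerts

def shared_funding_alerts(transfers, min_accounts=3):
    """Flag external wallets that fund several distinct customer accounts."""
    funded = defaultdict(set)
    for cust, wallet, direction, _eur, _ts in transfers:
        if direction == "in":
            funded[wallet].add(cust)
    return {w: sorted(c) for w, c in funded.items() if len(c) >= min_accounts}

if __name__ == "__main__":
    print(structuring_alerts(TRANSFERS))
    print(shared_funding_alerts(TRANSFERS))
```

In production the wallet key would be the cluster identifier returned by the blockchain analytics provider rather than a single address, so that funding from several addresses controlled by one entity is grouped together.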
KYC and KYB for Crypto Businesses
Customer due diligence in crypto goes beyond collecting identity documents. The sector-specific requirements reflect the unique risks of virtual assets.
Customer Due Diligence (KYC)
Standard CDD for crypto customers must include: identity verification using government-issued documents, liveness checks to prevent synthetic identity fraud, proof of address, source of funds declaration for deposits above risk-based thresholds, and ongoing monitoring of transaction activity against the declared customer profile.
Enhanced due diligence (EDD) triggers specific to crypto include: customers with significant exposure to privacy coins, customers whose on-chain history shows interaction with high-risk protocols, PEP status, customers from high-risk jurisdictions, and customers with business relationships involving unhosted wallets handling large volumes.
Business Due Diligence (KYB)
For corporate and institutional clients (an increasingly significant segment as institutional crypto adoption grows), KYB requirements include: company registration verification, UBO (Ultimate Beneficial Owner) identification for all individuals holding 25% or more of the entity, verification of the entity's regulatory status (is it a licensed VASP, a fund, a trading firm?), and assessment of the entity's own AML controls where relevant.
Enforcement Actions: The Binance Precedent
The November 2023 Binance settlement ($4.3 billion in penalties, criminal guilty plea by the company, and the resignation and criminal prosecution of CEO Changpeng Zhao) fundamentally changed the enforcement landscape for crypto AML.
The enforcement action was based on: wilful failure to implement adequate AML controls, failure to register as a money services business in the US, sanctions violations (processing transactions involving Iran, Cuba, Syria), and conspiracy to conduct unlicensed money transmission. The penalty magnitude (the largest in FinCEN and OFAC history for a financial institution) established that crypto businesses face penalties comparable to or exceeding those applied to traditional banks.
Post-Binance, other significant enforcement actions include:
- KuCoin (2024): Indicted by the US DOJ for operating an unlicensed money transmitting business and conspiracy to violate the Bank Secrecy Act. Settled for over $297 million.
- OKX (2025): Fined in multiple jurisdictions for AML deficiencies, including inadequate transaction monitoring and failure to file suspicious activity reports in a timely manner.
- Tornado Cash sanctions (ongoing): OFAC's designation of the Tornado Cash smart contract addresses continues to generate enforcement and litigation, with implications for all DeFi protocols regarding sanctioned entity interaction.
The pattern is clear: regulators have moved from warning to action. The days of regulatory forbearance for the crypto sector are over.
Building a Compliant Crypto AML Programme
For CASPs operating in or serving EU customers in 2026, the minimum viable AML programme includes:
- MLRO appointment: A designated Money Laundering Reporting Officer with sufficient seniority, independence, and resources. For MiCA-authorised CASPs, this is a regulatory requirement.
- Risk assessment: A documented, regularly updated business-wide risk assessment covering customer risk, product/service risk, geographic risk, delivery channel risk, and new technology risk.
- CDD programme: Risk-based customer due diligence with tiered verification levels, EDD triggers, and ongoing monitoring.
- Transaction monitoring: Automated on-chain and off-chain transaction monitoring with blockchain analytics integration, tuned alert rules, and documented investigation procedures.
- Travel Rule compliance: Integration with at least one Travel Rule protocol, with fallback procedures for counterparties using different or no protocol.
- Sanctions screening: Real-time screening of wallet addresses and customer identities against OFAC SDN, EU consolidated sanctions list, UK OFSI, and UN sanctions lists.
- SAR filing procedures: Documented procedures for identifying, escalating, and filing suspicious activity reports with the relevant FIU, with metrics on filing timeliness.
- Training programme: Regular AML training for all staff, with enhanced training for compliance and customer-facing roles, covering crypto-specific typologies.
- Independent audit: Annual independent audit of the AML programme by a qualified external party.
- Regulatory monitoring: Systematic tracking of AML regulatory changes across operating jurisdictions (FATF updates, MiCA implementing measures, national transpositions, and enforcement guidance).