Crypto exchange compliance has crossed the threshold from voluntary best practice to hard legal obligation. MiCA is fully in force. FinCEN has collected hundreds of millions in fines from non-compliant exchanges. The FATF Travel Rule has been adopted by most major jurisdictions. If you operate a centralized exchange, whether spot, derivatives, or a hybrid, your compliance obligations are substantial, multi-jurisdictional, and evolving faster than most teams can track.
This guide covers what the requirements actually are in 2026, jurisdiction by jurisdiction, and what an operational compliance program looks like in practice.
What Compliance Requirements Apply to Crypto Exchanges
Crypto exchanges sit at the intersection of several regulatory regimes simultaneously. Unlike traditional financial services, where compliance obligations map neatly to a single regulatory framework, exchanges face overlapping requirements from anti-money laundering law, securities regulation, payments regulation, and consumer protection, often in multiple jurisdictions at once.
The core compliance obligations that apply to virtually all centralized exchanges, regardless of jurisdiction, are:
VASP Registration
Virtual Asset Service Provider (VASP) registration is now a baseline requirement in most jurisdictions that have implemented the FATF Recommendations. In its 2019 guidance, FATF established that VASPs, including exchanges, must register or obtain a license from their national financial intelligence unit or financial regulator before operating. As of 2026, over 50 jurisdictions have enacted VASP registration or licensing regimes.
Registration is distinct from licensing. Registration typically involves notification to the regulator and basic AML program requirements. Licensing involves a more intensive application process, ongoing supervision, and capital requirements. Many jurisdictions have moved from registration to full licensing as their regimes mature, the EU's MiCA being the most comprehensive example.
AML/KYC Program Requirements
Anti-Money Laundering (AML) obligations require exchanges to implement a risk-based AML program covering: customer identification and verification (Know Your Customer, or KYC), customer due diligence (CDD) and enhanced due diligence (EDD) for higher-risk customers, transaction monitoring for suspicious activity, suspicious activity reporting (SAR filing) to the relevant financial intelligence unit, and record-keeping of transactions and customer information.
The risk-based approach means that the intensity of your AML controls must be proportionate to the risks your business faces. Exchanges serving retail customers in multiple jurisdictions with anonymous funding methods face higher risk than a B2B exchange with institutional clients. Your AML risk assessment drives your control design.
Travel Rule
The FATF Travel Rule requires that originating VASPs transmit beneficiary and originator information alongside virtual asset transfers above a threshold (generally $1,000 or €1,000). This was a standard requirement in traditional wire transfers; FATF extended it to crypto in 2019, and most major jurisdictions have now enacted it in domestic law.
Travel Rule compliance requires technical solutions to transmit the required data to receiving VASPs, a counterparty VASP verification process (to confirm the receiving institution is a compliant VASP), and handling of transfers from or to unhosted wallets.
MiCA Licensing for EU Exchanges: CASP Authorization
For exchanges operating in the European Union, the Markets in Crypto-Assets Regulation (MiCA), which became fully applicable on December 30, 2024, creates a comprehensive licensing regime. Exchanges providing crypto-asset exchange services must obtain Crypto-Asset Service Provider (CASP) authorization from a competent authority in a member state.
CASP authorization grants a passporting right across the entire EU single market: once authorized in one member state, the exchange can provide services across all 27 member states without separate national registrations. This is a significant advantage over the pre-MiCA patchwork of 27 different national VASP regimes.
CASP Authorization Requirements
To obtain CASP authorization, exchanges must demonstrate:
- Legal entity establishment: the applicant must be legally established in an EU member state (a registered office, not just a branch or agency)
- Minimum own funds: exchanges must maintain minimum capital of €150,000 (or a higher amount based on fixed overhead requirements) at all times
- Governance arrangements: at least two independent directors with fit-and-proper approval from the competent authority; a management body with collective expertise covering crypto-asset markets, AML/CTF, technology, and business management
- Business plan and operating procedures: including the types of crypto-assets to be supported, custody arrangements, AML/KYC procedures, conflict of interest policy, and complaints handling procedures
- Safeguarding of client assets: client funds must be segregated from the exchange's own funds; detailed requirements apply to the custody of crypto-assets on behalf of clients
- IT and cybersecurity systems: exchanges must demonstrate robust ICT systems, including security measures, business continuity, and incident response
- Insurance or guarantee: exchanges providing custody services must hold professional indemnity insurance or an equivalent financial guarantee
Transitional Arrangements and Deadlines
MiCA includes transitional provisions allowing exchanges that were already operating in a member state before MiCA's application date to continue operating under national law until the earlier of: obtaining or being refused CASP authorization, or July 1, 2026. After July 1, 2026, no exchange can operate in the EU without full CASP authorization.
The pace of national authorization processes varies significantly by member state. Some jurisdictions (notably Germany, the Netherlands, and Ireland) have more established crypto-asset supervisory frameworks and higher processing capacity. Others are still building their authorization infrastructure. Exchanges that haven't yet filed their MiCA application in a chosen home member state are running short on time.
"MiCA's passporting right is the regulatory equivalent of unlocking the entire EU single market with a single key. But that key takes 6–18 months to obtain and costs millions in legal and compliance preparation. Exchanges that delayed this process until 2026 are in a difficult position."
Ongoing MiCA Compliance Obligations
Once authorized, CASPs face ongoing obligations including: annual reporting to the competent authority, notification of material changes to the business, ongoing AML/KYC compliance under the EU's Transfer of Funds Regulation (which implements the Travel Rule), market abuse monitoring and reporting, and DORA compliance for ICT risk management (applicable to CASPs as financial entities under DORA's scope).
US Requirements: FinCEN, BitLicense, and State-by-State Licensing
The US crypto exchange compliance landscape in 2026 remains uniquely fragmented, operating under a federal-state dual system with no single comprehensive licensing framework equivalent to MiCA.
FinCEN MSB Registration
At the federal level, exchanges that exchange or transmit virtual currencies must register with the Financial Crimes Enforcement Network (FinCEN) as Money Services Businesses (MSBs). FinCEN registration is mandatory and must be completed before beginning operations. It does not require regulatory approval (it is a registration process, not a licensing review), but it triggers ongoing AML obligations under the Bank Secrecy Act (BSA):
- Written AML program covering policies, procedures, and internal controls
- Designation of a compliance officer
- Employee training program
- Independent audit of the AML program
- Currency Transaction Reports (CTRs) for cash transactions above $10,000
- Suspicious Activity Reports (SARs) for transactions involving $5,000 or more where suspicious activity is detected
- Customer Identification Program (CIP) requirements
- Travel Rule compliance for transactions of $3,000 or more
FinCEN has taken significant enforcement action against exchanges that failed to register or failed to implement adequate AML programs. OKX's $504 million settlement in 2025 and Binance's $4.3 billion settlement in 2023 both involved FinCEN violations as a central element.
New York BitLicense
New York's BitLicense, issued by the New York Department of Financial Services (NYDFS), remains the most demanding state-level crypto license in the US. Any exchange that does business with New York residents, even if not incorporated in New York, may need a BitLicense or a limited purpose trust company charter.
BitLicense requirements include a minimum capitalization requirement, cybersecurity program requirements (New York's cybersecurity regulation Part 500 applies), AML/BSA compliance program, consumer protection requirements, and pre-approval for new products and material changes to the business. The application process is intensive and historically slow: average processing times have ranged from 12 to 36 months, though NYDFS has taken steps to streamline the process in 2025–2026.
State-by-State Money Transmitter Licensing
Beyond New York, most US states require crypto exchanges to obtain a money transmitter license (MTL) before serving customers in that state. The Uniform Money Transmission Modernization Act (UMTMA), adopted by a growing number of states, creates some standardization, but requirements still vary significantly. Some states have enacted specific virtual currency licensing requirements; others apply existing money transmission statutes to crypto.
Operating across all 50 states requires, in practice, either: (a) obtaining licenses in each state where you have or expect customers, (b) implementing geographic restrictions for unlicensed states, or (c) partnering with a licensed money transmitter as a payments facilitator. Most major exchanges have chosen (a), which involves maintaining a dedicated state licensing team and ongoing renewal and compliance obligations in each state.
| Jurisdiction | Primary Requirement | Regulator | Key Features |
|---|---|---|---|
| EU (all 27 states) | CASP Authorization (MiCA) | National competent authority (passported) | €150K min capital, full governance, passporting |
| US Federal | FinCEN MSB Registration | FinCEN (Treasury) | BSA/AML program, SAR/CTR filing |
| New York (US) | NYDFS BitLicense | NYDFS | Intensive review, cybersecurity reqs, pre-approval for changes |
| UK | FCA Cryptoasset Registration | FCA | AML/CTF-focused, Travel Rule compliance required |
| Singapore | MAS Payment Services License | MAS | Major/Standard Payment Institution license tiers |
| UAE | VARA License (Dubai) / ADGM / FSRA | VARA / ADGM / FSRA | Multiple free zone regimes |
KYC/AML Implementation Checklist
A functional KYC/AML program for a crypto exchange needs to address the full customer lifecycle, from onboarding through ongoing monitoring to offboarding. The following checklist reflects the baseline requirements across major jurisdictions.
Customer Onboarding Tiers
Most exchanges implement a tiered onboarding model that applies progressively more intensive verification based on transaction volume and risk level:
- Tier 1 (basic access): Email verification only; typically limited to small withdrawals (e.g., $500–$1,000/day) and no fiat on/off-ramp. Used to allow exploration of the platform with minimal friction.
- Tier 2 (standard KYC): Government-issued photo ID verification (passport, national ID, or driver's license) plus liveness check (selfie or video verification to confirm the document holder is present). Unlocks standard trading and fiat functionality up to typical daily limits.
- Tier 3 (enhanced KYC): Proof of address (utility bill, bank statement dated within 90 days), source of funds declaration, and potentially source of wealth documentation for high-volume customers. Required for large-volume accounts and professional/institutional customers.
- Enhanced Due Diligence (EDD): Applied to Politically Exposed Persons (PEPs), customers from high-risk jurisdictions (FATF greylist/blacklist), and customers whose activity patterns are unusual relative to their stated profile. EDD typically involves senior management approval of the relationship and more frequent periodic reviews.
Transaction Monitoring
Ongoing transaction monitoring must flag activity that is inconsistent with the customer's stated profile or that matches known money laundering or terrorist financing patterns. Key monitoring scenarios include:
- Structuring (splitting transactions to stay below reporting thresholds)
- Rapid movement through the exchange: large deposits followed by immediate withdrawal to external wallets
- Transactions involving addresses flagged by blockchain analytics tools (sanctions, darknet markets, mixing services)
- Unusual activity patterns: dormant accounts suddenly becoming highly active
- High-risk counterparty addresses: peer-to-peer marketplace wallets, jurisdictionally restricted addresses
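The following is an added example, not part of the original guide: rule-based detectors for three of the scenarios listed above (structuring, rapid pass-through, dormant-account reactivation) run over constructed transactions. Every threshold, window, and account name is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed tuning values; a real program derives these from its AML risk assessment.
REPORT_THRESHOLD = 10_000             # USD reporting threshold a customer may try to stay under
STRUCT_WINDOW = timedelta(hours=24)   # look-back window for aggregating small deposits
STRUCT_MIN_COUNT = 3                  # minimum number of sub-threshold deposits in the window
PASS_WINDOW = timedelta(hours=1)      # "immediate" withdrawal window after a deposit
PASS_MIN_USD = 5_000                  # deposits below this are ignored by the last two rules
PASS_RATIO = 0.9                      # share of the deposit that leaves again
DORMANT_GAP = timedelta(days=180)     # inactivity that counts as dormant

@dataclass(frozen=True)
class Tx:
    account: str
    ts: datetime
    kind: str                # "deposit" or "withdrawal"
    usd: float
    external: bool = False   # True when a withdrawal goes to an external wallet

def detect(txs):
    """Return a sorted list of (account, scenario) alerts."""
    by_acct = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        by_acct.setdefault(tx.account, []).append(tx)
    alerts = set()
    for acct, hist in by_acct.items():
        deposits = [t for t in hist if t.kind == "deposit"]
        # Structuring: several sub-threshold deposits that together reach the threshold.
        small = [d for d in deposits if d.usd < REPORT_THRESHOLD]
        start = 0
        for end, d in enumerate(small):
            while d.ts - small[start].ts > STRUCT_WINDOW:
                start += 1
            window = small[start:end + 1]
            if len(window) >= STRUCT_MIN_COUNT and sum(x.usd for x in window) >= REPORT_THRESHOLD:
                alerts.add((acct, "structuring"))
        # Rapid pass-through: a large deposit mostly withdrawn to external wallets right away.
        for d in deposits:
            if d.usd < PASS_MIN_USD:
                continue
            out = sum(w.usd for w in hist
                      if w.kind == "withdrawal" and w.external
                      and timedelta(0) <= w.ts - d.ts <= PASS_WINDOW)
            if out >= PASS_RATIO * d.usd:
                alerts.add((acct, "rapid_pass_through"))
        # Dormant reactivation: a long gap followed by a sizeable transaction.
        for prev, cur in zip(hist, hist[1:]):
            if cur.ts - prev.ts >= DORMANT_GAP and cur.usd >= PASS_MIN_USD:
                alerts.add((acct, "dormant_reactivation"))
    return sorted(alerts)

# Constructed sample data (not real transactions).
T0 = datetime(2026, 3, 2, 9, 0)
SAMPLE = [
    Tx("acct-A", T0, "deposit", 2_900),
    Tx("acct-A", T0 + timedelta(hours=2), "deposit", 2_800),
    Tx("acct-A", T0 + timedelta(hours=4), "deposit", 2_700),
    Tx("acct-A", T0 + timedelta(hours=6), "deposit", 2_950),
    Tx("acct-B", T0, "deposit", 50_000),
    Tx("acct-B", T0 + timedelta(minutes=20), "withdrawal", 49_500, external=True),
    Tx("acct-C", T0 - timedelta(days=400), "deposit", 200),
    Tx("acct-C", T0, "deposit", 25_000),
    Tx("acct-D", T0, "deposit", 1_200),
    Tx("acct-D", T0 + timedelta(days=1), "withdrawal", 300, external=True),
]

if __name__ == "__main__":
    for account, scenario in detect(SAMPLE):
        print(account, scenario)
```

Alerts from rules like these feed analyst review and, where warranted, a SAR decision; they are a starting point for investigation rather than a finding.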
Blockchain analytics is now a compliance requirement in practice, even where not expressly mandated by regulation. Tools such as Chainalysis, Elliptic, and TRM Labs allow exchanges to screen incoming and outgoing transactions against known illicit addresses and assess risk scores for counterparty wallets. Regulators in the US, UK, and EU have made clear that exchanges relying solely on traditional financial monitoring without blockchain analytics are operating below expected standards.
SAR Filing
When transaction monitoring or other processes identify activity that may involve money laundering, terrorist financing, or fraud, exchanges must file a Suspicious Activity Report (SAR), or its equivalent in the relevant jurisdiction, with the appropriate financial intelligence unit. Key SAR obligations:
- In the US, SARs are filed with FinCEN within 30 days of detecting suspicious activity (60 days if additional information is needed)
- In the EU, reports go to the national FIU of the member state where the CASP is authorized; timeframes vary by member state
- SAR tipping-off is prohibited: you cannot tell the customer that a SAR has been filed about them
- SARs do not automatically mean you must exit a relationship, but continued service following a SAR filing requires documented justification
Travel Rule Compliance
The FATF Travel Rule (Recommendation 16 as extended to VASPs) requires originating exchanges to collect and transmit beneficiary information alongside crypto transfers, and receiving exchanges to collect originator information on incoming transfers. As of 2026, the Travel Rule has been adopted in the EU (via the Transfer of Funds Regulation), the US (FinCEN's $3,000 threshold applies to virtual currency), the UK, Singapore, Switzerland, Canada, and most other major financial centers.
Who Is Covered
The Travel Rule applies to transfers between two VASPs. Transfers from a VASP to an unhosted (self-custodied) wallet are a gray area that has been resolved differently by different jurisdictions. The EU's Transfer of Funds Regulation requires exchanges to collect and verify beneficiary information for transfers to unhosted wallets above €1,000, though the verification obligation is subject to risk-based implementation. The US and UK have taken a more permissive approach for smaller retail transfers but require enhanced scrutiny for larger transfers to unhosted wallets.
Technical Implementation
The technical challenge of Travel Rule compliance is substantial. There is no single universal protocol: industry bodies have developed competing standards including IVMS101 (the FATF-endorsed data standard for beneficiary/originator information) and protocols including OpenVASP, TRP (Travel Rule Protocol), and solutions from commercial providers including Notabene, Sygna, and VerifyVASP. Exchanges must implement a solution that can:
- Identify when an outgoing transfer requires a Travel Rule message
- Verify that the receiving address belongs to a compliant VASP (not an unhosted wallet)
- Transmit the required originator information to the receiving VASP securely and before or simultaneously with the transfer
- Receive and process incoming Travel Rule messages from sending VASPs
- Handle cases where the receiving VASP cannot be identified (a genuine problem given the global patchwork of VASP registries)
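The outgoing-transfer side of the checklist above can be sketched as a routing decision. This is an added example, not code from the original guide or from any Travel Rule provider: the directory, addresses, policy values, and message field names are hypothetical, the message is a simplified stand-in rather than an IVMS101 document, and amounts are assumed to be already converted to the policy's currency.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    RELEASE = "release"                                      # no Travel Rule message needed
    SEND_MESSAGE_THEN_RELEASE = "send_message_then_release"  # message goes out before funds
    VERIFY_UNHOSTED_WALLET = "verify_unhosted_wallet"        # collect/verify beneficiary data
    HOLD_FOR_REVIEW = "hold_for_review"                      # counterparty not identifiable

@dataclass(frozen=True)
class Policy:
    vasp_threshold: float      # message required at or above this amount
    unhosted_threshold: float  # extra checks above this amount for self-custodied wallets

# Figures quoted in the guide. The guide gives no US figure for unhosted wallets,
# so reusing 3,000 there is an assumption.
US = Policy(vasp_threshold=3_000, unhosted_threshold=3_000)
BASELINE = Policy(vasp_threshold=1_000, unhosted_threshold=1_000)

@dataclass(frozen=True)
class Vasp:
    name: str
    verified: bool   # outcome of the counterparty VASP verification process

# Constructed lookup data standing in for a VASP directory and customer declarations.
DIRECTORY = {
    "addr-vasp-ok": Vasp("Example Exchange B", True),
    "addr-vasp-unverified": Vasp("Example Exchange C", False),
}
DECLARED_UNHOSTED = {"addr-self-custody"}

def route(dest, amount, originator, beneficiary, policy):
    """Decide how an outgoing withdrawal is handled; returns (Action, message or None)."""
    if dest in DECLARED_UNHOSTED:
        if amount > policy.unhosted_threshold:
            return Action.VERIFY_UNHOSTED_WALLET, None
        return Action.RELEASE, None
    if amount < policy.vasp_threshold:
        return Action.RELEASE, None
    vasp = DIRECTORY.get(dest)
    if vasp is None or not vasp.verified:
        # The receiving VASP cannot be identified or has not passed verification.
        return Action.HOLD_FOR_REVIEW, None
    message = {  # hypothetical field names
        "originator": originator,
        "beneficiary": beneficiary,
        "beneficiary_vasp": vasp.name,
        "destination": dest,
        "amount": amount,
    }
    return Action.SEND_MESSAGE_THEN_RELEASE, message

if __name__ == "__main__":
    origin = {"name": "Alice Example", "account": "cust-001"}   # constructed
    for dest, amount in [("addr-vasp-ok", 3_000), ("addr-unknown", 5_000),
                         ("addr-self-custody", 1_500)]:
        action, _ = route(dest, amount, origin, {"name": "Bob Example"}, US)
        print(dest, amount, action.value)
```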
Record-Keeping Requirements
Across all major jurisdictions, exchanges must maintain detailed records of customer identity, transactions, and compliance decisions. The key record-keeping requirements are:
- Customer identity records: copies of all identification documents collected during onboarding, verification results, and any enhanced due diligence documentation. Retention period: minimum 5 years from the end of the customer relationship (longer in some jurisdictions; the EU AML Directive requires 5 years, extendable to 10 years by member states)
- Transaction records: complete records of all transactions, including counterparty addresses, amounts, timestamps, and any blockchain transaction identifiers. Minimum 5-year retention from the transaction date
- Travel Rule records: records of all Travel Rule messages sent and received, including originator and beneficiary information
- SAR and compliance decision records: records of all SAR filings and the analysis underlying them, as well as documented decisions not to file where a concern was investigated but not escalated
- AML program documentation: written AML policies and procedures, risk assessments, training records, and independent audit reports
Data residency requirements add complexity for exchanges with global operations. The EU's GDPR limits the transfer of customer personal data to non-EEA countries without appropriate safeguards. Exchanges must design their record-keeping architecture to satisfy both the retention requirements and the data residency constraints.
Ongoing Compliance: Tracking Regulatory Changes
The compliance obligations described above are not static. The regulatory framework for crypto exchanges is one of the fastest-evolving areas of financial services regulation globally. In any given month in 2026, compliance-relevant publications are being issued by FATF, ESMA, EBA, the FCA, FinCEN, the SEC, the CFTC, NYDFS, and dozens of national regulators.
What's actively changing in 2026 includes:
- MiCA technical standards: ESMA continues to issue regulatory technical standards and guidelines under MiCA, including on conflicts of interest, custody standards, and disclosure requirements. Each new publication adds detail to CASP obligations.
- FATF mutual evaluations: FATF's ongoing country assessments are producing recommendations for national regulators to tighten their VASP regimes. Countries receiving adverse ratings face pressure to increase enforcement.
- US legislative developments: the FIT21 Act and subsequent rulemaking by the SEC and CFTC continue to define the securities vs. commodity classification of specific tokens, with direct implications for whether exchanges need broker-dealer registration for specific assets.
- Travel Rule technical standards: jurisdictions continue to refine their unhosted wallet rules, VASP registry requirements, and sunrise issue handling (how to treat transfers from jurisdictions that haven't yet enacted the Travel Rule).
- AML Regulation (AMLA): the EU's new Anti-Money Laundering Authority (AMLA) is being established in Frankfurt and will take direct supervisory responsibility for certain high-risk CASPs. The AMLA's first selection of directly supervised entities is expected in 2025–2026, and the regulatory expectations of direct AMLA supervision are significantly more intensive than national AML supervision.
This is where most exchange compliance teams underestimate the challenge. Building and implementing the initial compliance program is hard enough. Maintaining it (keeping policies, procedures, and controls aligned with the latest guidance across all active jurisdictions) is an ongoing operational commitment that doesn't scale with manual monitoring methods.
RegPulse monitors over 500 regulatory sources, including ESMA, EBA, FATF, FinCEN, NYDFS, the FCA, and 30+ other regulators relevant to crypto exchanges, and delivers alerts the same day new guidance, consultations, or enforcement publications are released. Compliance teams using RegPulse spend less time hunting for updates and more time acting on them. Start a free trial to see which sources are relevant to your jurisdiction and business model.
Common Compliance Failures and Enforcement Examples
Regulatory enforcement against crypto exchanges has generated a substantial body of case studies in what compliance failure looks like at scale. The patterns are remarkably consistent.
Inadequate KYC and Customer Due Diligence
Binance (2023, $4.3 billion): The Department of Justice, FinCEN, OFAC, and CFTC jointly resolved the largest corporate criminal fine in history against an MSB. The violations included operating as an unregistered MSB, willful failure to implement adequate KYC, and processing transactions for users in sanctioned jurisdictions. Binance's compliance failures were structural: KYC was inadequate by design, not by oversight.
OKX / Okcoin (2025, $504 million): FinCEN and DOJ enforcement found that OKX had operated in the US market without MSB registration, with significant gaps in its AML program including inadequate SAR filing and transaction monitoring.
Sanctions Screening Failures
BitPay (2021, $507K OFAC penalty): BitPay processed transactions for users in sanctioned jurisdictions due to inadequate geographic filtering at the time of transaction processing. The violations were self-reported and BitPay cooperated with the investigation, resulting in a significantly reduced penalty, but the case established that exchanges bear responsibility for screening even when users attempt to obscure their location.
Travel Rule Non-Compliance
Multiple FinCEN enforcement actions in 2024–2025 focused specifically on Travel Rule compliance failures: exchanges transmitting or receiving transfers above the threshold without the required originator or beneficiary information. Regulators have made clear that "technical difficulty" of Travel Rule implementation is not a defense; exchanges have had years to implement compliant solutions.
2026 Outlook for Exchange Regulation
Several developments will define the regulatory environment for crypto exchanges in the remainder of 2026 and into 2027.
MiCA transitional deadline (July 1, 2026): The end of national transitional arrangements will force a significant number of exchanges to either obtain CASP authorization or exit the EU market. Expect significant market restructuring, particularly among smaller exchanges and exchanges based in jurisdictions with limited supervisory capacity.
AMLA direct supervision: The EU's new Anti-Money Laundering Authority begins direct supervision of selected high-risk CASPs. Direct supervision by a pan-EU body raises the compliance bar significantly compared to national oversight.
US market structure legislation: FIT21 implementation continues to define the regulatory perimeter for digital asset exchanges. SEC and CFTC rulemaking on digital asset securities and commodities will clarify, and in some cases restrict, what exchanges can list without additional registrations.
FATF 4th round mutual evaluations: FATF's evaluation of major financial centers is identifying gaps in VASP regulation enforcement. Countries receiving adverse ratings face domestic political pressure to increase supervision and enforcement, translating into more intensive regulatory scrutiny for exchanges in those jurisdictions.
AI in compliance monitoring: Regulators are increasingly expecting exchanges to use advanced transaction monitoring tools, including AI-powered behavioral analytics. The days of rule-based monitoring catching most suspicious activity are ending as both the volume of transactions and the sophistication of evasion techniques increase.