Glossary

KYC/AML

Know Your Customer and Anti-Money Laundering regulations requiring financial institutions to verify identities and monitor for illicit activity.

Key Takeaways

  • KYC (Know Your Customer) and AML (Anti-Money Laundering) are complementary regulatory frameworks: KYC covers identity verification, while AML encompasses the broader set of laws requiring financial institutions to detect and report suspicious activity.
  • Compliance is expensive and growing: financial institutions spend an average of $72.9 million per year on KYC/AML programs, with US and Canadian banks collectively spending over $60 billion annually on AML compliance alone.
  • Cryptocurrency businesses face the same obligations: exchanges, wallet providers, and money transmitters must register with FinCEN, implement AML programs, and comply with the transaction monitoring requirements of the Bank Secrecy Act.

What Is KYC/AML?

KYC/AML refers to the set of regulations that require financial institutions to verify the identities of their customers and monitor transactions for signs of money laundering, terrorist financing, and other financial crimes. KYC is the identity verification component: collecting names, addresses, and government-issued IDs when opening accounts. AML is the broader regulatory umbrella that includes KYC plus ongoing transaction monitoring, suspicious activity reporting, and sanctions screening.

In the United States, these requirements originate from the Bank Secrecy Act of 1970 (BSA), strengthened by the USA PATRIOT Act of 2001 and the Anti-Money Laundering Act of 2020 (AMLA). Internationally, the Financial Action Task Force (FATF) sets standards through its 40 Recommendations, which member countries adopt into domestic law. Any business that transmits, exchanges, or custodies money, including cryptocurrency businesses, must comply.

How It Works

KYC/AML compliance operates through layered processes designed to identify risks at onboarding and monitor them continuously. The US regulatory framework requires five pillars for every AML program:

  1. Designation of a BSA/AML Compliance Officer with authority and resources
  2. Written internal policies, procedures, and controls
  3. Ongoing employee training
  4. Independent testing and audit (at least annually)
  5. Risk-based customer due diligence (added by FinCEN in 2016 as the fifth pillar)

Identity Verification: CIP, CDD, and EDD

KYC operates through three tiers of increasing scrutiny, mandated under the USA PATRIOT Act:

Customer Identification Program (CIP) is the baseline. Financial institutions must collect a minimum of four data points: full legal name, date of birth, address, and a government-issued identification number. Identity is verified through documentary methods (passport, driver's license) or non-documentary methods (database checks, credit bureau queries). Records must be retained for the life of the account plus five years after closure.

Customer Due Diligence (CDD) builds on CIP by assessing the customer's risk profile. This includes identifying beneficial owners (anyone holding 25% or more of a legal entity), understanding the nature and purpose of the business relationship, and establishing a baseline of expected account activity.

Enhanced Due Diligence (EDD) applies to high-risk customers: those flagged as Politically Exposed Persons (PEPs), those operating in high-risk jurisdictions, or those engaging in high-volume or cross-border transactions. EDD involves deeper investigation into the source of funds, adverse media screening, and more frequent account reviews.

Transaction Monitoring and Reporting

Beyond identity verification, AML programs require continuous transaction monitoring to detect suspicious patterns. Two key reporting obligations exist in the US:

Suspicious Activity Reports (SARs) must be filed with FinCEN when a transaction of $5,000 or more involves a known suspect, or $25,000 or more when no suspect is identified. SARs must be submitted within 30 days of detection (60 days if no suspect is identified). Insider abuse triggers a filing obligation regardless of dollar amount.

Currency Transaction Reports (CTRs) are required for any cash transaction exceeding $10,000 in a single business day, whether in a single transaction or aggregated across multiple transactions. CTRs must be filed electronically within 15 calendar days. Deliberately breaking transactions into smaller amounts to avoid the $10,000 threshold, known as "structuring," is a federal crime.

Sanctions Screening

All US persons and entities must screen customers and transactions against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list. This applies at onboarding, after transactions, and on an ongoing basis as OFAC updates its designations. Since November 2018, OFAC has included digital currency wallet addresses on the SDN list. Positive matches must be blocked and reported within 10 business days. Sanctions violations carry strict liability: penalties apply even without knowledge of the sanctioned party.

A Simplified Compliance Flow

Customer Onboarding:
  1. Collect identity data (name, DOB, address, ID number)
  2. Verify identity (documentary or non-documentary)
  3. Screen against OFAC/SDN sanctions lists
  4. Assess risk level (standard CDD or enhanced EDD)
  5. Establish expected activity baseline

Ongoing Monitoring:
  1. Monitor transactions against baseline
  2. Flag anomalies for review
  3. File SARs for suspicious activity ($5,000+ threshold)
  4. File CTRs for cash transactions ($10,000+ threshold)
  5. Re-screen against updated sanctions lists
  6. Periodic customer information refresh
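The monitoring half of the flow above, run as code: an added example in Python that is not part of the original entry. It screens counterparties against a constructed stand-in for the OFAC SDN list (including a placeholder wallet address, since the list now carries digital currency addresses), aggregates cash per customer per business day for the CTR threshold, compares observed volume with the CDD baseline set at onboarding, and applies the SAR thresholds and filing windows from the Transaction Monitoring section. All customers, transactions, list entries and the "any excess over the declared baseline is an anomaly" rule are assumptions made for illustration.

```python
"""Added example (not from the original glossary entry): an offline monitoring pass
that applies this entry's thresholds to constructed sample transactions. Every
customer, transaction and list entry is constructed; SDN stand-ins are placeholders,
not real OFAC designations."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

CTR_THRESHOLD = 10_000          # cash per business day; exceeding this requires a CTR
SAR_WITH_SUSPECT = 5_000        # SAR threshold when a known suspect is involved
SAR_NO_SUSPECT = 25_000         # SAR threshold when no suspect is identified
SAR_DAYS_WITH_SUSPECT = 30      # filing window after detection
SAR_DAYS_NO_SUSPECT = 60
OFAC_REPORT_BUSINESS_DAYS = 10  # blocked matches are reported to OFAC within this window


@dataclass(frozen=True)
class Txn:
    customer: str
    day: date
    amount: int             # whole dollars
    kind: str               # "cash", "wire" or "crypto"
    counterparty: str = ""  # name or wallet address on the other side


# Constructed stand-in for the SDN list (placeholders). Production screening uses
# OFAC's published data and fuzzy name matching, not exact string comparison.
PLACEHOLDER_WALLET = "bc1q-placeholder-sanctioned-address"
SDN_NAMES = {"acme shell trading ltd"}
SDN_WALLETS = {PLACEHOLDER_WALLET}


def normalise(name):
    """Lower-case and collapse whitespace so trivially reformatted names still match."""
    return " ".join(name.lower().split())


def is_sdn_match(party):
    """True when a counterparty name or wallet address matches the SDN stand-in."""
    return normalise(party) in SDN_NAMES or party in SDN_WALLETS


def sanctions_hits(txns):
    """Transactions whose counterparty screens positive; blocked regardless of amount."""
    return [t for t in txns if t.counterparty and is_sdn_match(t.counterparty)]


def ctr_required(txns):
    """Aggregate cash per (customer, business day); return pairs whose total exceeds
    the CTR threshold, whether reached in one deposit or several."""
    totals = defaultdict(int)
    for t in txns:
        if t.kind == "cash":
            totals[(t.customer, t.day)] += t.amount
    return {key: total for key, total in totals.items() if total > CTR_THRESHOLD}


def baseline_alerts(txns, expected_volume):
    """Flag customers whose observed volume exceeds the CDD baseline declared at
    onboarding (assumption for this example: any excess is an anomaly)."""
    observed = defaultdict(int)
    for t in txns:
        observed[t.customer] += t.amount
    return {c: v for c, v in observed.items() if v > expected_volume.get(c, 0)}


def sar_deadline_days(amount, suspect_identified):
    """Filing window in days if the amount meets the applicable SAR threshold, else None."""
    if suspect_identified and amount >= SAR_WITH_SUSPECT:
        return SAR_DAYS_WITH_SUSPECT
    if not suspect_identified and amount >= SAR_NO_SUSPECT:
        return SAR_DAYS_NO_SUSPECT
    return None


def review(txns, expected_volume):
    """Run the monitoring steps and collect the resulting reporting obligations."""
    hits = sanctions_hits(txns)
    anomalies = baseline_alerts(txns, expected_volume)
    deadlines = {}
    for t in hits:  # a sanctions match names a suspect
        days = sar_deadline_days(t.amount, suspect_identified=True)
        if days is not None:
            deadlines[t.customer] = days
    for customer, volume in anomalies.items():  # pattern anomaly, no named suspect
        days = sar_deadline_days(volume, suspect_identified=False)
        if days is not None:
            deadlines[customer] = days
    return {
        "blocked": sorted({t.customer for t in hits}),
        "ofac_report_business_days": OFAC_REPORT_BUSINESS_DAYS,
        "ctr": ctr_required(txns),
        "baseline_alerts": anomalies,
        "sar_deadline_days": deadlines,
    }


# Constructed sample day of activity.
DAY = date(2025, 3, 3)
SAMPLE_TXNS = [
    Txn("cust-001", DAY, 9_500, "cash"),
    Txn("cust-001", DAY, 900, "cash"),      # aggregates to 10,400: CTR required
    Txn("cust-002", DAY, 10_000, "cash"),   # exactly 10,000 does not exceed the threshold
    Txn("cust-003", DAY, 4_000, "wire", "Acme  Shell Trading LTD"),  # SDN name match
    Txn("cust-004", DAY, 250, "crypto", PLACEHOLDER_WALLET),         # SDN wallet match
    Txn("cust-005", DAY, 30_000, "wire", "Ordinary Vendor Inc"),     # far above baseline
]
EXPECTED_VOLUME = {"cust-001": 20_000, "cust-002": 15_000, "cust-003": 5_000,
                   "cust-004": 1_000, "cust-005": 5_000}

if __name__ == "__main__":
    for key, value in review(SAMPLE_TXNS, EXPECTED_VOLUME).items():
        print(f"{key}: {value}")
```

Two details of the sample are worth noticing. The CTR rule is "exceeding $10,000", so a customer who deposits exactly $10,000 in a day is not reported while two deposits of $9,500 and $900 are, because aggregation is per customer per business day. The sanctioned counterparties are blocked and reported to OFAC no matter how small the amount, but their transactions fall below the $5,000 SAR threshold, whereas the baseline anomaly with no named suspect clears the $25,000 threshold and gets the 60-day window.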

International Frameworks

KYC/AML is not only a US requirement. The FATF, an intergovernmental body established in 1989 by the G7, sets global standards through its 40 Recommendations. Member countries implement these as domestic law, creating a patchwork of overlapping but not identical requirements.

FATF Recommendation 16, commonly called the "Travel Rule," requires Virtual Asset Service Providers (VASPs) to collect, verify, and transmit originator and beneficiary information alongside virtual asset transfers. As of mid-2025, 85 of 117 FATF jurisdictions (73%) have passed Travel Rule legislation, though roughly 59% of those have yet to fully enforce it.

In the European Union, the Markets in Crypto-Assets Regulation (MiCA) requires all crypto-asset service providers to obtain authorization by July 2026. The EU has also established a dedicated Anti-Money Laundering Authority (AMLA) headquartered in Frankfurt, operational since July 2025, which will directly supervise approximately 40 high-risk financial institutions including crypto firms. Beginning July 2027, EU regulations will ban privacy-enhancing coins and anonymous crypto wallets from regulated platforms. For a deeper look at stablecoin regulatory frameworks, see the MiCA and US stablecoin regulation research article.

Travel Rule thresholds differ by jurisdiction: the US applies a $3,000 threshold for cross-border transfers, while the EU requires originator and beneficiary data for all crypto-asset transfers regardless of amount.

KYC/AML and Cryptocurrency

Cryptocurrency businesses in the US that facilitate transactions for profit are generally classified as Money Services Businesses (MSBs) by FinCEN. This includes exchanges, hosted wallet providers, crypto ATM operators, OTC desks, and payment processors. Registration with FinCEN is required within 180 days of starting operations, with renewal every two years.

The GENIUS Act, signed into law in July 2025 as the first comprehensive US federal stablecoin legislation, explicitly subjects stablecoin issuers to the BSA. Issuers must register with FinCEN, implement KYC procedures, file SARs, screen against OFAC sanctions, and conduct real-time transaction monitoring. The act takes effect in January 2027.

Chain Analysis and On-Chain Surveillance

Bitcoin's pseudonymous design creates a tension with KYC/AML requirements. While users operate under public key addresses rather than real names, all transactions are recorded on a public, immutable ledger. This transparency has enabled a growing chain analysis industry.

Firms like Chainalysis, Elliptic, and TRM Labs provide transaction monitoring, wallet screening against sanctions lists, and risk scoring for counterparty due diligence. The cryptocurrency AML market reached $1.2 billion in 2025 and is projected to grow to $4.8 billion by 2034. These tools allow regulated entities to trace fund flows across blockchains, identify connections to known illicit addresses, and automate compliance workflows.

For businesses building on Bitcoin, understanding how on-chain activity intersects with compliance obligations is essential. The Bitcoin on/off-ramps guide explores how fiat-to-crypto transitions trigger specific KYC/AML requirements.

The Compliance Cost Burden

KYC/AML compliance represents a significant operational expense. Financial institutions spend an average of $72.9 million per firm annually on AML/KYC operations, with UK institutions at the highest average ($78.4 million) followed by US institutions ($72.2 million). US and Canadian banks collectively spend over $60 billion per year on AML compliance, and global spending is projected to reach $51.7 billion by 2028.

Regulatory penalties for non-compliance add further pressure. Global AML/CFT/sanctions penalties totaled $3.8 billion in 2025, with the crypto sector alone accounting for over $1 billion. Notable enforcement actions include a $500 million guilty plea from OKX for AML failures, a $297 million penalty against KuCoin, and a $100 million fine against BitMEX.

AI adoption in compliance is accelerating rapidly: usage of AI tools in KYC/AML programs surged from 42% of firms in 2024 to 82% in 2025, driven by the need to reduce manual review costs while improving detection accuracy.

Privacy and Compliance: The Core Tension

KYC/AML requirements exist in fundamental tension with privacy and self-custody principles. Bitcoin was designed to enable peer-to-peer transactions without trusted intermediaries. Regulators require those intermediaries to verify identities and surveil transactions. This creates pressure points wherever crypto meets the traditional financial system: at on-ramps and off-ramps, at exchanges, and at any business that custodies funds on behalf of users.

The EU's 2027 ban on privacy coins and anonymous wallets represents the most aggressive regulatory stance to date. FATF guidance urges all jurisdictions to treat anonymity-enhancing technologies as money laundering risks. On the other side, zero-knowledge proofs and selective disclosure protocols offer potential middle ground: proving compliance without revealing all underlying data.

Layer 2 solutions like Spark operate in this landscape by enabling fast, low-cost Bitcoin transfers while maintaining the self-custodial properties that reduce counterparty risk. The compliance obligations apply at the application layer: businesses building on these protocols implement KYC/AML at their own service boundary rather than at the protocol level.

Use Cases

  • Exchange onboarding: centralized exchanges verify user identities before allowing trading or withdrawals, typically requiring government-issued ID and proof of address
  • Stablecoin issuance: stablecoin issuers like those behind fiat-backed stablecoins must comply with BSA requirements and the GENIUS Act for minting and redemption
  • Cross-border payments: remittance corridors and correspondent banking relationships require Travel Rule compliance for both fiat and crypto transfers
  • Payment processing: any business acting as a payment facilitator or processor handling crypto must implement risk-based AML controls
  • DeFi access points: while decentralized protocols themselves may not perform KYC, the front-end interfaces and fiat on-ramps connecting users to those protocols increasingly do

Risks and Considerations

Regulatory Fragmentation

KYC/AML requirements vary significantly across jurisdictions. The "sunrise issue" in Travel Rule compliance illustrates this: VASPs in compliant jurisdictions must exchange originator and beneficiary data, but counterparts in non-compliant jurisdictions may lack the infrastructure to receive or transmit that data. Businesses operating across borders must navigate overlapping and sometimes contradictory requirements.

False Positives and Financial Exclusion

Automated risk scoring and sanctions screening systems generate significant false positive rates. Legitimate customers may have accounts frozen or closed due to name matches, geographic flags, or transaction patterns that trigger alerts. In aggregate, overly broad compliance programs can exclude entire populations from financial services, particularly in developing economies.

Data Security

KYC processes collect and store highly sensitive personal information: government IDs, addresses, financial records. Concentrating that data makes KYC systems high-value targets for data breaches. Financial institutions must secure this data for the life of the account plus at least five years, creating long-lived attack surfaces.

Evolving Regulatory Landscape

The regulatory environment is shifting rapidly. The GENIUS Act, MiCA, the EU AMLA, FATF Travel Rule adoption, and privacy coin bans all represent significant changes within a two-year window (2025 to 2027). Businesses building in the crypto space must architect compliance systems that can adapt to new requirements without complete redesign. Keeping current with regulatory frameworks is essential for any business handling digital assets.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.