Virtual Asset Service Provider AML Obligations
Cryptocurrency exchanges, custodians, and decentralized finance platforms face a distinct set of anti-money-laundering obligations that align with traditional financial institution rules—and in some cases exceed them. Virtual asset service provider AML requirements include mandatory customer verification, the FATF travel rule (which mandates transmission of customer information alongside cryptocurrency transfers), and suspicious transaction monitoring. These rules treat a Bitcoin exchange much like a bank, despite the underlying technology’s pseudonymous design, and apply across nearly all major regulatory jurisdictions.
Definition of Virtual Asset Service Providers
A Virtual Asset Service Provider (VASP) is any natural person or entity that offers one or more of the following services as a business: exchange of virtual assets for fiat currency; exchange of one virtual asset for another; transfer of virtual assets; safekeeping or administration of virtual assets or related accounts; and participation in or facilitation of the transfer of virtual assets.
This definition casts a wide net. It includes:
- Centralized exchanges (Coinbase, Kraken, Binance)—the most obvious cases, where users deposit fiat, trade crypto, and withdraw
- Custody providers (Coinbase Custody, Gemini, Fidelity Digital Assets)—institutions that hold crypto on behalf of clients
- Wallet providers—companies like BlockFi or Celsius that hold private keys for users
- DeFi protocol operators—arguably those platforms that facilitate swaps or lend tokens, though application is still evolving
Peer-to-peer transfers between individuals’ private wallets, by contrast, typically fall outside the VASP definition and are not subject to FATF rules—though national regulators may impose additional rules on self-hosted wallet use.
The FATF Travel Rule
The Financial Action Task Force, an intergovernmental organization setting money-laundering standards, adopted a critical rule in 2019: the travel rule for virtual assets. It mirrors an existing rule for traditional wire transfers: when a customer initiates a crypto transfer above a certain threshold, the sending VASP must transmit identifying information about the originator and beneficiary to the receiving VASP.
The threshold is set at approximately €7,500 (about $8,000–$9,000 USD at typical exchange rates). Above that amount, the sending exchange must collect and pass along the following data about both parties:
- Full legal name
- Account number or unique identifier
- Date of birth (for natural persons)
- Nationality or country of incorporation
- Address or country of residence
In practice, this requirement created immense technical and operational friction. Traditional banking systems use standardized formats (SWIFT) and intermediary correspondent banks to relay this information. Cryptocurrency, by design, does not have a built-in messaging layer for attaching metadata to transactions. Most major exchanges have adopted third-party compliance vendors (such as Chainalysis, TRM Labs, or Elliptic) to automate the data collection, matching, and sharing.
If a VASP cannot verify the recipient’s identity—because the receiving VASP will not share it, or because the transfer is to a non-regulated wallet—the sending VASP may be required to block or reject the transfer. This rule effectively prohibits exchanges from sending large amounts to unhosted wallets or to exchanges that fail to comply.
Customer Verification and KYC
VASPs must implement Know Your Customer (KYC) programs that meet or exceed traditional bank standards. This includes:
- Identity verification: Collecting government-issued photo ID, and often biometric matching or liveness checks
- Beneficial ownership: Identifying the natural person behind a corporate account
- Ongoing monitoring: Verifying that customer information remains current; re-verifying at intervals or upon suspicious activity
- Enhanced Due Diligence (EDD): For higher-risk customers (political figures, high-net-worth individuals, or users in high-risk jurisdictions), gathering additional documentation and source-of-funds verification
US regulations, enforced by FinCEN, require VASPs to verify a customer’s identity before opening an account and to maintain records of that identity. Many VASPs also screen customers’ wallets and addresses against sanctions lists (such as OFAC lists) to prevent transactions with blacklisted entities.
Suspicious Activity Monitoring and Reporting
VASPs must establish transaction monitoring systems to detect and investigate suspicious activity. Indicators include:
- Structuring: Multiple small transactions deliberately split to avoid the €7,500 travel-rule threshold
- Rapid movement: Deposits immediately followed by withdrawals to different wallets or addresses
- Layering: Complex chains of transfers across multiple wallets or addresses to obscure a transaction’s origin
- Jurisdiction red flags: Transfers involving sanctioned countries, high-risk jurisdictions, or entities subject to sanctions
- Use of mixing services: Sending crypto through a tumbler or mixing protocol that deliberately obscures transaction history
When a VASP identifies a suspicious transaction, it must file a Suspicious Activity Report (SAR) with the relevant financial intelligence unit. In the US, this is FinCEN. In Europe, it is the national Financial Intelligence Unit (FIU). Unlike a CTR, which is triggered automatically, a SAR reflects the institution’s judgment that a transaction warrants investigation.
SARs filed by VASPs are confidential and not disclosed to the customer. Filing a SAR, however, does not block the transaction—it has already occurred. Rather, it alerts law enforcement to patterns of suspicious behavior.
Differences from Traditional Banking
While VASPs must meet many of the same AML standards as banks, several features of crypto create unique compliance challenges:
- Pseudonymity: Cryptocurrency transactions are recorded on a public ledger, but wallet addresses are initially pseudonymous. A VASP must therefore match addresses to customer identities.
- Cross-border frictionlessness: A traditional wire transfer requires consent from multiple intermediaries. A crypto transfer can be initiated unilaterally; the VASP’s role is to verify the parties, not to facilitate the actual settlement.
- Decentralization: Some crypto transfers occur peer-to-peer, outside any VASP’s oversight. This creates a “black hole” in the regulatory view.
- Speed: Crypto transactions settle in minutes; traditional wires take days. Compliance teams have a compressed timeline to investigate and block transfers if necessary.
Enforcement and Practical Impact
Regulators are beginning to enforce VASP compliance rules. FinCEN has issued Enforcement Findings against exchanges that failed to implement adequate AML controls (Ripple Labs agreed to a $700 million settlement in 2023 for various violations). The US Treasury has also sanctioned mixing services and delisted compliant VASPs if they transact with sanctioned wallets.
For crypto users, this means most mainstream exchanges now require extensive identity verification and refuse to interact with high-risk addresses or unhosted wallets. The result is a bifurcated ecosystem: regulated VASPs with full KYC/travel-rule compliance serve mainstream users; decentralized protocols and unhosted wallets remain available but are increasingly isolated from the regulated financial system.
See also
Closely related
- KYC (Know Your Customer) — Identity verification standards applying to all financial institutions.
- Suspicious Activity Report — How institutions report suspected money laundering.
- OFAC Sanctions Compliance — Screening against US and international sanctions lists.
- AML Compliance in Financial Institutions — Broader anti-money-laundering frameworks.
- Beneficial Ownership Verification — Identifying natural persons behind corporate accounts.
Wider context
- Cryptocurrency Exchange — Operational structure of crypto trading platforms.
- Blockchain Fundamentals — How distributed ledgers record transactions.
- Cryptocurrency Regulation — Broader regulatory approach to digital assets.
- FATF (Financial Action Task Force) — International money-laundering standard-setter.
- Money Laundering — The broader process VASPs help prevent.