AML/KYC Compliance for Crypto Companies:A Practical Guide (2026)

AML/KYC Compliance for Crypto Companies:A Practical Guide (2026)
Crypto & Digital Assets , , ,

AML/KYC Compliance for Crypto Companies:A Practical Guide (2026)

🔒 AML/KYC Compliance Guide 2026

AML/KYC Compliance for Crypto Companies:
A Practical Guide (2026)

What regulators check — and what trips companies up

A compliance programme that exists on paper is not a compliance programme. This guide covers what VARA, FCA, MiCA, and FATF-aligned regulators actually look for when they inspect a VASP — and the four failures that cost licences.

📋 6 sections · ~8 min read
🔍 FATF · MiCA · VARA · AIFC
Updated 2026
1
Why crypto AML/KYC is not a copy-paste from banking
Pseudonymity, Travel Rule, and operational vs paper compliance
2
What regulators actually require in 2026
FATF, MiCA TFR, VARA, and AIFC — the current baseline
3
The four core components of a crypto AML programme
CDD/KYC, transaction monitoring, SAR filing, record-keeping
4
KYC tiers: what risk-based approach means in practice
SDD, CDD, EDD — when each applies and what regulators expect to see
5
Travel Rule compliance: the part most companies get wrong
Hosted vs unhosted wallets, data transmission, and what "implemented" actually means
6
Common failures that cost licences — and the readiness checklist
The four inspection findings that appear most in 2024–2025 enforcement actions
⚡ Section 1

Why Crypto AML/KYC Is Not a Copy-Paste from Banking

Most early-stage crypto compliance programmes are built by copying a bank's AML framework and replacing "bank account" with "wallet." This is the wrong starting point. Crypto compliance has the same objectives as banking compliance — prevent money laundering, identify customers, report suspicious activity — but the risk model, the technical infrastructure, and the regulatory expectations are meaningfully different. Understanding the three differences below is the foundation for building a programme that actually works under inspection. See our AML/KYC compliance services for a full programme assessment.

Three ways crypto compliance differs from banking compliance
Why the gap matters
1
Pseudonymity changes the risk model On-chain identity

Traditional banking KYC assumes a direct link between a verified identity and an account. The account is the identity. In crypto, wallets are pseudonymous — the same person can control thousands of wallets, none of which are registered in their name. Counterparty wallets may have no KYC attached to them at all. This means that crypto compliance cannot rely on the assumption that a verified customer is the only person using their account.

The compliance logic in crypto must account for on-chain behaviour, not just identity documents. Who sent funds to your customer's wallet before they arrived? Did the source address appear on a sanctions list or have a known association with a mixer? Has the customer's transaction pattern changed in a way that suggests account sharing or a change in use? These questions do not arise in the same way in traditional banking because the account-to-identity link is assumed. In crypto, that link must be actively maintained.

What regulators expect: A blockchain analytics tool integrated into your transaction monitoring — not just used for periodic reviews. VARA, AIFC, and FCA inspectors ask whether on-chain risk signals feed into your alert generation, not just whether you have a Chainalysis or Elliptic subscription.
2
Travel Rule has no banking equivalent FATF Rec. 16

FATF Recommendation 16 — the Travel Rule — requires VASPs to collect and transmit originator and beneficiary information on virtual asset transfers above the threshold (USD/EUR 1,000 in most jurisdictions). Banks have SWIFT, which has carried originator/beneficiary data for decades. VASPs have no equivalent legacy infrastructure. Most crypto transactions — particularly on-chain transfers between wallets — were designed to be anonymous and carry no metadata.

The practical result is that VASPs must either use a dedicated Travel Rule solution (Notabene, Sygna Bridge, VerifyVASP, and others) to exchange data with counterparty VASPs, or implement bilateral data-sharing arrangements. The technology exists, but implementation requires integration effort, counterparty identification, and — critically — operational processes for what happens when the counterparty VASP does not respond or cannot be verified.

The gap most companies have: A written Travel Rule policy with no actual technical implementation. When regulators ask for evidence of Travel Rule compliance, they ask for logs of data transmitted to counterparty VASPs — not the policy document. If you cannot produce transmission records, the policy does not count.
3
Regulators test operationally, not on paper Inspection reality

VARA, the FCA, and AIFC inspectors have shifted their inspection methodology in 2024–2025. Earlier inspections focused heavily on documentation — does the firm have an AML policy, a risk assessment, a compliance manual? Current inspections go straight to operations: pull five transaction monitoring alerts from last quarter. Show us how they were reviewed. What is the rationale for the decision to clear them? Where is the SAR decision log? Show us three EDD files for PEP-status customers.

This shift matters because it means the quality of your AML programme is now measured by what your compliance team does day-to-day, not what your policy says they should do. A programme that has excellent documentation but inconsistent operation — reviewers clearing alerts in bulk, EDD files without source of wealth analysis, SARs filed late or not at all — will fail an operational inspection even if the paperwork is perfect. See our full compliance framework services for gap analysis against current inspection standards.

⚠️
The documentation-operations gap
Having an AML policy document is not the same as having an AML programme. Regulators have started treating the gap between documentation and operations as a compliance failure in itself — not just a control weakness. If your written procedures describe a process that your team does not actually follow, you have two problems: the operational gap, and the misrepresentation of your controls to your regulator.
📋 Section 2

What Regulators Actually Require in 2026

The regulatory baseline for crypto AML/KYC has risen significantly since 2022. If you benchmarked your programme against 2022 standards and have not reviewed it since, you are likely behind — particularly on Travel Rule implementation and unhosted wallet treatment. Below is the current minimum requirement across the three frameworks that most VASPs and CASPs operate under. Our crypto licensing services include a full regulatory mapping for your jurisdiction.

🌍
FATF & Travel Rule
The global standard — applies everywhere
Global floor

FATF Recommendation 16 — the Travel Rule — is the baseline requirement for all VASPs globally. Any jurisdiction with a FATF-aligned regulatory framework (which includes the UAE, EU, UK, Singapore, and Kazakhstan/AIFC) requires VASPs to implement it. The standard requires VASPs to collect and transmit originator and beneficiary data on transfers above the USD/EUR 1,000 threshold.

  • Originator data required: name, account number (wallet address), physical address or national identity number or date and place of birth
  • Beneficiary data required: name, account number (wallet address)
  • Applies to all transfers above USD/EUR 1,000, whether to another VASP or to an unhosted wallet
  • Counterparty VASP must be identified and verified as a legitimate VASP — no data transmission to shell entities
  • Records must be retained for minimum 5 years and available on regulatory request
🇪🇺
MiCA Title VI (EU)
Transfer of Funds Regulation — from December 2024
EU CASPs

From December 2024, CASPs authorised under MiCA must comply with the revised Transfer of Funds Regulation (TFR), which implements the FATF Travel Rule into EU law with additional requirements. MiCA TFR goes beyond the FATF baseline in several respects — most importantly for unhosted wallets. Our MiCA compliance service covers the full TFR requirements for EU CASPs.

  • Full Travel Rule implementation required for all CASP-to-CASP transfers above EUR 0 (no de minimis threshold at the CASP level)
  • Unhosted wallet transfers above EUR 1,000 require the CASP to collect and verify wallet ownership — self-declaration alone is insufficient above EUR 1,000
  • On-chain analysis required for unhosted wallet transfers to assess risk before processing
  • Batch transfers require individual Travel Rule data per originator — no aggregation
  • Counterparty CASP verification: must confirm the counterparty is a licensed CASP before transmission
🏛️
VARA / AIFC / other jurisdictions
Regional frameworks — FATF-aligned with local specifics
Regional

Outside the EU, the two most important regulatory frameworks for crypto companies are VARA (Dubai/UAE) and AIFC (Kazakhstan). Both are FATF-aligned but have jurisdiction-specific requirements that go beyond the FATF baseline in operational terms.

  • VARA (Dubai): detailed AML/CFT Rulebook published in 2023; mandatory MLRO appointment; transaction monitoring system required (not spreadsheets); annual AML risk assessment; VARA inspections now include operational testing of TMS alerts
  • AIFC (Kazakhstan): FATF-aligned framework; risk-based approach with documented methodology; annual AML audit by an approved external auditor required; Travel Rule compliance required for transfers above USD 1,000
  • FCA (UK): Cryptoasset businesses must register under the MLRs; TFR compliance required from January 2024; FCA has issued 3 enforcement actions related to TFR non-compliance in 2024
  • MAS (Singapore): PSA framework; Travel Rule implemented via MAS Notice PSN02; VASPs must use a designated Travel Rule solution
📈
The direction of travel
The regulatory floor is rising globally and consistently. A programme that was sufficient in 2022 is likely non-compliant today — particularly on Travel Rule implementation, unhosted wallet treatment, and the operational evidence standards that regulators now apply at inspection. The question is not whether your jurisdiction requires these controls — it does. The question is whether your programme can demonstrate compliance when asked.
🔧 Section 3

The Four Core Components of a Crypto AML Programme

A complete AML programme has four components, and regulators check all four. Missing or under-developed controls in any one of them is enough to trigger a formal finding. The left column names the component; the right column describes what regulators actually look for when they inspect it — not what the regulations say, but what the evidence requirement is in practice. Our AML/KYC compliance services cover gap assessment across all four areas.

Component
The four pillars of a crypto AML programme
CDD / KYC Pillar 1
Customer Due Diligence — the process of identifying customers, verifying their identity, understanding the nature of their business, and assessing the risk they pose. The foundation on which all other controls depend.
What regulators check
Is the process documented and consistently applied? Regulators pull a sample of customer files and check: Is identity verified against official documents? Is beneficial ownership established for corporate customers? Is source of funds collected for higher-risk customers? Are files updated when customer risk profile changes? Static KYC files — collected once at onboarding and never revisited — are a consistent inspection finding.
Transaction Monitoring Pillar 2
Automated monitoring of transaction patterns against defined rules and thresholds, generating alerts for human review. In crypto, this includes both fiat transaction monitoring and on-chain blockchain analytics.
What regulators check
Are alerts generated, reviewed, and documented? Regulators ask: What system do you use? How are alert thresholds set? Show us the alert queue from last month. How many were cleared and how many escalated? Who reviewed them, and when? What is the rationale recorded for clearing an alert? Bulk alert clearance with no review record is treated as no monitoring at all.
SAR / STR Reporting Pillar 3
Suspicious Activity Reports (SARs) or Suspicious Transaction Reports (STRs) — the formal process for reporting suspicious activity to the relevant financial intelligence unit (FIU). A legal obligation in all FATF-aligned jurisdictions.
What regulators check
Is there a documented decision process? Regulators look for: How does a suspicion get raised — by TMS alert, by staff report, or by customer complaint? Who makes the decision to file or not file a SAR? Is the no-file decision documented with rationale? Are SARs filed within the legally required timeframe? Is there evidence of internal escalation to the MLRO before filing? Late SARs and undocumented no-file decisions are enforcement triggers.
Record-keeping Pillar 4
Retention of all KYC files, transaction records, SAR decisions, training records, and AML policy documentation for the minimum required period — typically 5 years from the end of the customer relationship in most jurisdictions.
What regulators check
Are records complete, retained, and retrievable? Regulators issue information requests and expect responses within defined timeframes. Common failures: KYC records stored in multiple systems with no central index, SAR decision logs not retained separately from case management, training records not maintained, blockchain analytics reports not saved with the transaction file they relate to. Records must be retrievable within days, not weeks.
🔍
The weakest pillar in practice
Transaction monitoring is where most crypto companies have the weakest operational controls. Alert fatigue — too many low-quality alerts, not enough reviewer time — leads to bulk clearance with no documented rationale. Inspectors treat this as a control failure equivalent to having no transaction monitoring. The solution is not fewer alerts, but better alert quality and a documented review process for every alert disposition.
📊 Section 4

KYC Tiers: What Risk-Based Approach Means in Practice

A risk-based approach does not mean doing less. It means calibrating the depth of your due diligence to the risk the customer actually presents. In practice, this requires documented criteria for assigning customers to tiers, evidence that the criteria are applied consistently, and EDD files that demonstrate substantive analysis — not just additional documents.

The three CDD tiers — what each requires in practice
Risk-based approach
1
Simplified Due Diligence (SDD) Rarely appropriate

SDD applies where regulation explicitly permits a reduced level of customer identification — typically for customers who are themselves regulated financial institutions, listed company accounts, or low-value accounts where risk is demonstrably minimal. SDD is not a discretionary option that firms can apply based on their own judgment — it requires a documented regulatory basis.

The most common SDD error in crypto companies is applying SDD to customers simply because they are low-volume, have been on the platform a long time, or are "known" to staff. None of these are grounds for SDD. Most crypto companies over-apply SDD, which means their CDD programme is under-performing at the bottom of the risk scale. If challenged, the firm must demonstrate not just that they considered the customer low risk, but that the applicable regulation permits SDD for that customer category.

Practical rule: If you are not certain that your regulation explicitly permits SDD for this customer type, apply standard CDD. The downside of CDD on a low-risk customer is minor administrative cost. The downside of incorrectly applied SDD on inspection is a formal finding.
2
Standard Customer Due Diligence (CDD) The default tier

Standard CDD is the baseline for all customers who do not qualify for SDD and do not present elevated risk factors. It requires: identity verification against official documents, address verification, business purpose and nature of the anticipated relationship, basic source of funds (for most retail crypto customers, this means the origin of the funds used to fund the account — salary, business income, savings — not a full wealth statement).

Two operational failures appear consistently at inspection. First, static KYC files — collected once at onboarding in 2021 and never updated, even when the customer's transaction profile or risk indicators have changed. Standard CDD must be refreshed periodically (annually for medium-risk, immediately when a material change occurs). Second, incomplete beneficial ownership information for corporate customers — company registration documents are collected but the ultimate beneficial owner behind the holding structure is not identified or verified.

  • ✓ Identity verified against government-issued ID
  • ✓ Address verified (utility bill, bank statement)
  • ✓ Source of funds documented (basic)
  • ✓ Beneficial ownership confirmed for corporates
  • ✓ KYC refreshed periodically or on trigger event
3
Enhanced Due Diligence (EDD) Substantive analysis required

EDD is triggered by elevated risk indicators. The most common EDD triggers in crypto are: PEP status or close association with a PEP; high-risk jurisdiction of residence or business; unusual or high-volume transaction patterns; business type that presents elevated ML/TF risk (exchange, mixer-adjacent, gambling, high-value assets); and source of funds that cannot be verified through standard documentation.

EDD must include source of wealth analysis, not just source of funds. Source of funds identifies where the specific money in the transaction came from. Source of wealth identifies how the customer accumulated the wealth they hold overall. For a customer depositing USD 500,000, source of funds might be "wire from personal account at Barclays." Source of wealth requires understanding whether that wealth was earned, inherited, generated through business, or otherwise acquired — and seeing evidence to support it.

  • ⚡ PEP status or PEP family/close associate
  • ⚡ High-risk jurisdiction
  • ⚡ Unusual transaction patterns or volume
  • ⚡ Business type: exchange, mixer-adjacent, gambling
  • ⚡ Source of funds cannot be verified
  • ⚡ Large transaction volume relative to stated business
🚨
EDD is not a checkbox
Regulators expect to see an EDD file with substantive analysis — not just more documents. An EDD file that contains a passport, a utility bill, a bank statement, and a source of wealth declaration form with three lines of text is not EDD. The file must show: who the client is, where the money comes from, why the risk is acceptable at this level, and who in the compliance chain approved the relationship. The approval record is as important as the analysis — undocumented EDD approvals are treated as no approval at all.
🔗 Section 5

Travel Rule Compliance: The Part Most Companies Get Wrong

The Travel Rule is the compliance area where the gap between policy and practice is widest. Most crypto companies have a Travel Rule policy. Far fewer have a Travel Rule implementation. Regulators now ask for evidence of actual data transmission — not a policy that says you will transmit. The requirements differ significantly between transfers involving another VASP and transfers to or from unhosted wallets, as detailed below. For a full compliance gap assessment, see our AML/KYC compliance services.

Hosted wallet transfers (VASP-to-VASP)
When your customer sends to another VASP's customer
VASP-to-VASP
Data required
Originator data you must transmit: full name, account number (wallet address on your platform), physical address or national identity number or date and place of birth. This must be transmitted to the receiving VASP before or simultaneously with the transaction.
Beneficiary data you must transmit: full name and account number (beneficiary wallet address). The receiving VASP must also transmit beneficiary data back to you for incoming transfers — you are required to verify it against your records.
Counterparty VASP identification: you must verify that the receiving VASP is a legitimate, licensed VASP — not a shell or unlicensed entity. This requires VASP due diligence: licence verification, jurisdiction check, sanctions screening. Transmitting Travel Rule data to an unverified "VASP" does not satisfy the obligation.
Sunrise problem (counterparty non-compliance): if the counterparty VASP does not have Travel Rule capability, you must decide whether to proceed. Most regulators require a risk-based decision with a documented rationale — not an automatic block. The decision and its basis must be recorded.
Notabene Sygna Bridge VerifyVASP CipherTrace TRISA OpenVASP
Unhosted wallet transfers
When your customer sends to or from a self-custody wallet
Higher risk
Enhanced checks
!
EUR/USD 1,000 threshold triggers enhanced checks: under MiCA TFR and most FATF-aligned frameworks, transfers to or from unhosted wallets above the threshold require additional verification that the wallet belongs to your customer or a named third party. Self-declaration alone is insufficient above the threshold under MiCA.
!
Wallet ownership verification methods: micro-transaction test (customer sends a small amount from the wallet to confirm control), cryptographic signature (customer signs a message with the wallet's private key), or third-party on-chain attestation. The method must be documented and the evidence retained with the transaction record.
!
On-chain analysis required: before processing an unhosted wallet transfer, VASPs must assess the wallet's on-chain history using a blockchain analytics tool. Wallets with exposure to mixers, sanctioned addresses, or dark market transactions must be treated as high-risk and subject to enhanced review — regardless of the customer's KYC status.
!
Ongoing monitoring of unhosted wallet counterparties: a wallet cleared today may have subsequent exposure to high-risk activity. Periodic re-screening of known unhosted wallet addresses associated with customers is required — not just point-in-time checks at the time of the first transfer.
📌
The gap regulators find most often
Most crypto companies have a Travel Rule policy but no operational implementation. When regulators ask for evidence of Travel Rule compliance, they ask for logs of actual data transmitted to counterparty VASPs — transaction IDs, counterparty VASP identifiers, timestamps, and the originator/beneficiary data transmitted. If you cannot produce these logs, your Travel Rule policy is non-compliant regardless of how well it is written. Integration with a Travel Rule solution is a technical requirement, not a future-state aspiration.
🚨 Section 6

Common Failures That Cost Licences — and the Readiness Checklist

The four failures below account for the majority of VASP licence suspensions and enforcement actions in 2024–2025 across VARA, the FCA, and AIFC-supervised firms. They are not sophisticated edge cases — they are basic operational gaps that exist because compliance infrastructure was not built to match the written programme. The readiness checklist that follows lets you assess your position before an inspection does it for you. For a structured gap assessment, see our compliance framework services.

The four licence-threatening failures regulators find most often
2024–2025 enforcement
1
Alert fatigue with no documentation TMS failure

Transaction monitoring generates alerts — sometimes hundreds per day for active platforms. When the alert queue is too large and the review team too small, the practical response is bulk clearance: marking alerts as reviewed without actually reviewing them, or applying a single generic rationale across multiple unrelated alerts. This is the most common single finding in VASP inspections.

Why it is treated as a critical failure: regulators treat bulk alert clearance as equivalent to having no transaction monitoring at all. If you cannot demonstrate that a human reviewed the alert, understood the transaction pattern, and made a reasoned decision to clear or escalate — with that rationale recorded — the monitoring system is treated as non-functional for compliance purposes.

Fix: Reduce alert volume by improving rule calibration and thresholds. Each alert disposition must have a named reviewer, a review date, and a written rationale — even if that rationale is brief. Cleared alerts need documented reasons; escalated alerts need a decision trail to the MLRO and from the MLRO to a SAR filing decision.
2
EDD files that are not EDD KYC failure

A file labelled "Enhanced Due Diligence" that contains a passport, a utility bill, a bank statement, and a brief note saying "PEP reviewed — relationship approved" is not EDD. It is standard CDD with a label. Regulators have become increasingly explicit about this: EDD must contain substantive analysis, not just additional documents.

What a valid EDD file contains: a narrative account of who the client is and their business history; source of wealth analysis with supporting evidence (not just a declaration form); the specific risk factors that triggered EDD and how they were assessed; the senior compliance officer or MLRO approval record with date and basis for the decision; and an ongoing monitoring note confirming the EDD will be refreshed at defined intervals.

Fix: Create an EDD template that requires completion of each element — narrative, source of wealth evidence, risk factor assessment, approval record. An EDD file that cannot be completed against the template should not be approved to onboard. The MLRO's sign-off must be on the file, not in a separate email chain.
3
Travel Rule as policy, not practice TFR failure

A VASP has a Travel Rule policy document that describes how it will collect and transmit originator and beneficiary data. The policy is well-drafted and references FATF Recommendation 16 correctly. The VASP has never transmitted Travel Rule data to a counterparty VASP. No Travel Rule solution is integrated. When a regulator asks for transmission logs, there are none.

Why this is treated as a fundamental failure: the Travel Rule is a legal obligation, not a target. Having a policy that describes compliance but no operational implementation is — from the regulator's perspective — worse than having no policy, because it demonstrates that the firm is aware of the obligation and has chosen not to implement it. This is the framing that leads to formal enforcement rather than a remediation notice.

Fix: Select and integrate a Travel Rule solution before the next regulator engagement. The solution list is not long — Notabene, Sygna Bridge, VerifyVASP, and a handful of others. Integration typically takes 4–12 weeks depending on technical complexity. Until integration is complete, document each affected transaction with the manual Travel Rule data exchange or the documented sunrise-problem rationale for proceeding without it.
4
Compliance officer in title only Governance failure

The VASP has a designated MLRO or compliance officer. That person's name appears on the licence application and the AML policy document. In practice, they have no access to transaction data, have not reviewed any TMS alerts, have not signed off on any EDD files, and have not filed or reviewed any SAR decisions. They are a named individual with no documented compliance function.

The regulatory consequence: a compliance officer with no documented authority and no evidence of operational function is treated as a governance failure at the licence level — not a staffing oversight. VARA, the FCA, and AIFC all require the compliance officer to be genuinely empowered to perform the function. "Genuinely empowered" means access to systems, documented sign-off authority, evidence of regular reporting to the board or senior management, and records of decisions made.

Fix: The MLRO must have a documented terms of reference establishing their access rights, decision authority, and reporting line. Minutes of board or senior management meetings must reflect compliance officer reports. SAR decisions must be documented by the MLRO by name and date. If the current MLRO cannot perform these functions due to other role conflicts, the firm must appoint someone who can — a named MLRO in a shared service, an external compliance provider, or a dedicated hire.
🚨
These are not edge cases
These four failures appear most frequently in VASP licence suspensions and enforcement actions in 2024–2025. They are not found in outlier firms with obviously bad compliance cultures — they are found in companies that believed their written programmes were sufficient. The pattern is consistent: the policy exists; the operation does not match the policy; the regulator finds the gap before the firm does.
🗂️ AML/KYC Readiness Checklist — 12 questions before your next inspection
Self-assessment
📋
Can you produce the last 30 days of TMS alert dispositions, with reviewer names and rationale for each?
Regulators ask for this on the first day of inspection. If the answer is no, your transaction monitoring controls are not evidenced.
Required day 1
📋
Do your EDD files contain source of wealth analysis with supporting evidence — not just additional identity documents?
Pull 3 EDD files at random and check whether they contain a narrative, source of wealth evidence, and an approval record. If not, your EDD programme needs rebuilding.
Check now
📋
Can you produce Travel Rule data transmission logs for transactions above threshold in the last 90 days?
If you have no Travel Rule solution integrated, the answer is no. This is a critical gap that must be remediated before the next regulator contact.
Critical gap if no
📋
Does your MLRO have documented sign-off authority, system access, and a record of having reviewed TMS alerts and SAR decisions?
If the MLRO's name is on documents but not on reviewed alerts or SAR decisions, the governance function is not evidenced.
Check now
📋
Is your KYC programme refreshed periodically — not just collected once at onboarding?
Customer files must be updated when risk profiles change and on a periodic schedule. Static 2021 KYC files are a standard inspection finding in 2025–2026.
Operational check
📋
Do you have an on-chain analytics tool integrated into your TMS — not just available for ad hoc review?
Blockchain analytics must feed into alert generation, not just be used when something already looks suspicious. A subscription that is not integrated into monitoring does not satisfy the requirement.
Operational check
📋
Can you produce a SAR decision log showing all instances where suspicion was raised internally and the decision made to file or not file?
The no-file decision is as important to document as the SAR filing itself. Undocumented no-file decisions are an enforcement trigger.
Required
📋
Have all staff who handle transactions or customer accounts received AML training in the last 12 months — with records retained?
Training records must be kept and available. One-time onboarding training that was delivered 3 years ago and not refreshed does not satisfy the ongoing training obligation.
Annual requirement
Need a Gap Assessment Before Your Next Regulatory Inspection?

WCR Legal works with VASP and CASP licence holders on AML/KYC programme assessments — identifying operational gaps against current inspection standards before regulators do. We focus on what the evidence shows, not what the policy says.

🔒 AML/KYC Assessment Crypto Licensing Services →
Confidential · No commitment required · Response within 1 business day
Tag
Oleg Prosin

Oleg Prosin is the Managing Partner at WCR Legal, focusing on international business structuring, regulatory frameworks for FinTech companies, digital assets, and licensing regimes across various jurisdictions. Works with founders and investment firms on compliance, operating models, and cross-border expansion strategies.

view all posts

Related Posts