
KYC and AML Requirements for Crypto in the United States

An expert guide to KYC, AML, and BSA compliance for cryptocurrency businesses operating in the United States under FinCEN, SEC, and CFTC regulatory frameworks.

Introduction to Crypto KYC Compliance in the United States

The regulatory landscape for cryptocurrency and digital asset businesses in the United States is among the most complex in the world. Unlike jurisdictions that have adopted unified crypto-specific legislation, the US relies on a patchwork of federal and state regulations that impose overlapping — and sometimes conflicting — obligations on Virtual Asset Service Providers (VASPs).

At the federal level, the Bank Secrecy Act (BSA) and its implementing regulations, administered by the Financial Crimes Enforcement Network (FinCEN), form the backbone of KYC and AML obligations for crypto businesses. Layered on top are potential registration and compliance requirements from the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC), depending on the nature of the digital assets involved. For a foundational overview of identity verification principles, see our resource on what is KYC.

FinCEN and the Bank Secrecy Act (BSA)

Money Services Business (MSB) Classification

FinCEN has consistently held since its 2013 guidance (FIN-2013-G001) that exchangers and administrators of convertible virtual currencies are Money Services Businesses (MSBs). Specifically, most crypto exchanges, over-the-counter (OTC) desks, hosted wallet providers, and certain DeFi front-end operators fall within the definition of "money transmitter" under 31 CFR 1010.100(ff)(5).

MSB registration with FinCEN is mandatory and must be completed within 180 days of establishment. Failure to register is a federal crime under 18 U.S.C. 1960, carrying penalties of up to five years imprisonment.

Core BSA Compliance Obligations

Once registered, crypto MSBs must implement a comprehensive AML program that includes:

  1. Written AML policies and procedures: Tailored to the specific risks of the crypto business.
  2. Designation of a compliance officer: A qualified individual responsible for day-to-day AML program management.
  3. Ongoing employee training: All relevant staff must receive regular AML training.
  4. Independent testing: The AML program must be audited by an independent party on a periodic basis.

Customer Identification Program (CIP)

Under FinCEN's CIP rule, MSBs must collect and verify the identity of each customer at the time a relationship is established or a qualifying transaction is conducted. Required information includes:

  • Full legal name
  • Date of birth
  • Residential address
  • Government-issued identification number (SSN for US persons; passport number or equivalent for non-US persons)

Verification can be documentary (government-issued photo ID) or non-documentary (cross-referencing data against reliable databases). Many crypto companies leverage AI-powered verification platforms like Joinble to automate document authentication, biometric matching, and database cross-checks — reducing onboarding friction while satisfying FinCEN requirements.

Suspicious Activity Reports (SARs)

Crypto MSBs must file SARs with FinCEN for any transaction of USD 2,000 or more that the business knows, suspects, or has reason to suspect involves funds derived from illegal activity, is designed to evade BSA reporting requirements, or has no apparent lawful purpose. SARs must be filed within 30 calendar days of initial detection and retained for five years.

Currency Transaction Reports (CTRs)

Transactions in currency exceeding USD 10,000 must be reported via CTRs. While the applicability of CTRs to crypto-to-crypto transactions has been debated, FinCEN has proposed rules that would extend reporting to certain digital asset transactions. Firms should monitor regulatory developments closely.

The Travel Rule

FinCEN's Travel Rule (31 CFR 1010.410(f)) requires MSBs to collect, retain, and transmit certain information when funds transfers exceed USD 3,000. For crypto transactions, this means that when a customer sends digital assets to an external wallet through a VASP, the originating institution must collect and pass along the sender's and recipient's identifying information. Industry solutions such as the TRISA and Travel Rule Universal Solution Technology (TRUST) protocols are emerging to facilitate compliance.

State-by-State Licensing Requirements

The BitLicense and State Money Transmitter Licenses

Beyond federal registration, crypto businesses must navigate a labyrinth of state-level licensing. The best-known state framework is New York's BitLicense, administered by the New York Department of Financial Services (NYDFS). The BitLicense imposes its own capital requirements, cybersecurity standards, and consumer protection obligations, including detailed KYC and AML provisions.

Most other states require crypto businesses to obtain a money transmitter license (MTL). Requirements vary significantly:

  • Application fees range from a few hundred dollars to tens of thousands.
  • Surety bond requirements can reach USD 1 million or more in certain states.
  • Net worth minimums differ by jurisdiction.
  • AML program documentation must typically be submitted with the application.

A handful of states — including Montana and certain others — do not require money transmitter licenses, while states like Wyoming have adopted crypto-friendly legislation that provides alternative regulatory paths for Digital Asset Business entities.

Practical Implications for KYC

State licensing authorities frequently conduct their own examination of an applicant's KYC controls. A crypto firm licensed in 40 states may face 40 different examination cycles, each probing the adequacy of customer identification, transaction monitoring, and SAR filing. Maintaining a centralized, automated KYC infrastructure is essential. Joinble's identity verification platform helps crypto firms standardize their onboarding across jurisdictions, applying consistent document verification and biometric checks regardless of which state's requirements are being met.

SEC and CFTC Considerations

When Is a Token a Security?

The SEC applies the Howey Test to determine whether a digital asset constitutes an investment contract — and therefore a security. If a token is classified as a security, the issuer, exchange, or broker-dealer handling it becomes subject to SEC registration and compliance obligations, including Regulation AML under the Securities Exchange Act and FINRA's KYC rules.

SEC-registered broker-dealers and alternative trading systems (ATSs) must implement Customer Identification Programs under SEC Rule 17a-8 and FINRA Rule 3310, which incorporate the BSA's CIP requirements and add suitability and know-your-customer obligations.

CFTC Oversight

Digital assets classified as commodities — most notably Bitcoin and Ether — fall under the CFTC's jurisdiction when traded as derivatives (futures, options, swaps). Crypto derivatives platforms must register as Designated Contract Markets (DCMs) or Swap Execution Facilities (SEFs) and comply with the CFTC's customer identification and AML requirements.

Even in the spot market, the CFTC retains anti-fraud and anti-manipulation authority, and has brought enforcement actions against unregistered platforms facilitating leveraged retail commodity transactions in crypto.

Sanctions Compliance and OFAC

All US persons and businesses, including crypto firms, must comply with the sanctions programs administered by the Office of Foreign Assets Control (OFAC). This means screening customers and wallet addresses against the Specially Designated Nationals (SDN) list and blocking or rejecting transactions involving sanctioned persons, entities, or jurisdictions.

OFAC has added cryptocurrency wallet addresses to the SDN list and issued guidance clarifying that sanctions obligations apply equally to virtual currency transactions. Crypto firms should integrate wallet screening tools alongside traditional identity verification to ensure comprehensive compliance.

Building a Compliant Crypto KYC Program

An effective KYC program for a US crypto business should include:

  • Tiered verification: Risk-based thresholds that apply lighter verification for low-value transactions and full CIP for higher-risk or higher-value activity.
  • Document authentication: Automated validation of government-issued IDs using AI-driven optical character recognition and fraud detection.
  • Biometric verification: Liveness detection and facial matching to prevent identity spoofing.
  • Blockchain analytics: On-chain monitoring to identify transactions involving high-risk wallets, mixers, or darknet markets.
  • Ongoing monitoring: Continuous transaction surveillance and periodic re-verification of customer information.

Joinble's AI-powered identity verification integrates seamlessly into crypto onboarding flows, combining document verification, biometric matching, and sanctions screening in a single API call. This allows exchanges and wallet providers to deliver a frictionless user experience without compromising on regulatory compliance.

FinCEN, the SEC, the CFTC, and state regulators have all intensified enforcement against crypto businesses with inadequate KYC and AML controls. Notable actions include multimillion-dollar penalties against exchanges that failed to register as MSBs, operated without state licenses, or did not file SARs. The Department of Justice has also pursued criminal charges against individuals who facilitated money laundering through unregistered crypto platforms.

These enforcement trends underscore the importance of building compliance infrastructure from day one rather than retrofitting it after regulatory scrutiny begins.

FAQ

Does every crypto business in the US need to register with FinCEN?

Most crypto businesses that exchange, transmit, or custody virtual currencies on behalf of customers qualify as Money Services Businesses and must register with FinCEN. Certain exceptions may apply — for example, users who transact solely for their own account or software developers who create non-custodial protocols. However, FinCEN interprets the MSB definition broadly, and firms should seek legal counsel. For more on identity verification basics, see our what is KYC guide.

What is the difference between the BitLicense and a state money transmitter license?

The BitLicense is specific to New York and covers virtual currency business activity conducted with New York residents. It imposes additional requirements beyond a standard money transmitter license, including cybersecurity mandates and consumer protection disclosures. In most other states, crypto businesses apply for a general money transmitter license that covers fiat and virtual currency transmission.

How does the Travel Rule apply to cryptocurrency transactions?

FinCEN's Travel Rule requires that when a crypto MSB transmits funds worth USD 3,000 or more on behalf of a customer, it must collect and pass the sender's and recipient's identifying information to the next institution in the payment chain. Industry protocols like TRISA are being developed to facilitate this data exchange between VASPs in a privacy-preserving manner.

Can crypto companies use automated KYC solutions to satisfy FinCEN requirements?

Yes. FinCEN does not prescribe specific verification methods, allowing firms to use both documentary and non-documentary approaches. AI-powered identity verification platforms that perform document authentication, biometric matching, and database cross-referencing are widely used and accepted, provided they deliver reliable results and maintain proper audit trails.

What happens if a crypto firm operates without proper KYC and AML controls?

Consequences include FinCEN civil money penalties, state enforcement actions (including license revocation), SEC or CFTC charges if securities or derivatives are involved, and potential criminal prosecution under 18 U.S.C. 1960 for operating an unlicensed money transmitting business. Penalties have reached hundreds of millions of dollars in recent cases.
