MiCA and FATF: Global Crypto Compliance Standards Explained
Crypto and virtual asset businesses operate at the intersection of federal MSB rules, state money transmitter licensing, global FATF standards, and—when serving Europe—the EU’s Markets in Crypto-Assets (MiCA) framework. Understanding how these layers fit together is essential for any VASP building a sustainable compliance program.
This guide explains MiCA and FATF expectations, how US travel rule requirements apply, and what fintechs should implement regardless of where they are domiciled.
FATF: the global baseline for VASPs
The Financial Action Task Force (FATF) sets international AML standards adopted by more than 200 jurisdictions. For virtual assets, Recommendation 15 and updated guidance require Virtual Asset Service Providers (VASPs) to:
- Obtain licenses or registrations where required
- Conduct CDD/KYC on customers
- Maintain transaction records
- Implement sanctions screening
- File suspicious transaction reports with national FIUs (in the US, FinCEN SARs)
- Comply with the travel rule for transmittals of virtual assets
US regulators align examination expectations with FATF even when local rule text differs. See What Is AML Compliance? for the US statutory frame.
FinCEN and US MSB treatment of virtual currency
FinCEN classifies administrators and exchangers of convertible virtual currency (CVC) as money services businesses. That triggers:
- FinCEN Form 107 registration
- Written BSA/AML program with the five pillars
- SAR and recordkeeping obligations
- OFAC sanctions compliance
Dealers in CVC must also evaluate state MTL requirements. Banking partners apply FATF-plus standards during diligence.
The travel rule in the United States
The travel rule requires transmitting financial institutions—including certain VASPs—to collect and transmit originator and beneficiary information alongside virtual asset transfers above applicable thresholds.
FinCEN’s rules and the Travel Rule Working Group industry efforts mean US VASPs should not treat on-chain transfers as anonymous by default. Implement counterparty VASP discovery, secure data exchange, and policies for unhosted wallet transfers with heightened monitoring.
Transaction monitoring must cover blockchain typologies—structuring, peel chains, mixer exposure—described further in Ongoing Customer Monitoring.
What is MiCA?
MiCA is the EU’s comprehensive crypto-asset regulatory framework, phased in from 2024 to 2026. It harmonizes authorization, disclosure, governance, and AML interfaces for:
- Crypto-asset service providers (CASPs)
- Stablecoin issuers (asset-referenced and e-money tokens)
- Trading platforms and custodians
MiCA does not replace EU AML directives—it connects CASPs to AML/CFT supervisors and requires compliance with EU AML rules, including CDD, PEP screening, and suspicious transaction reporting to national FIUs.
US firms serving EU residents may need EU entities authorized under MiCA or partnerships with EU CASPs.
MiCA vs. US federal rules: practical comparison
| Topic | US (FinCEN/BSA) | EU (MiCA + AMLD) |
|---|---|---|
| Licensing | FinCEN MSB + state MTLs | CASP authorization in member state |
| AML program | BSA five pillars | EU AML policies per supervisor |
| Travel rule | FinCEN requirements | EU transfer of funds / TFR crypto rules |
| Stablecoins | Emerging federal/state focus | Strict MiCA categories for ARTs/EMTs |
| Marketing to retail | SEC/CFTC securities analysis | MiCA disclosure and white paper rules |
Operate globally with the strictest common denominator to avoid fragmented programs.
KYC, CDD, and blockchain analytics
Customer onboarding for VASPs should follow risk-based CDD per Customer Due Diligence (CDD):
- Verify identity for retail users
- KYB for institutional market makers
- Beneficial ownership for shell-prone entities
- PEP and sanctions screening at onboarding and ongoing
Blockchain analytics tools assess exposure to illicit addresses, complementing rather than replacing traditional AML controls.
PEPs, adverse media, and high-risk wallets
OTC desks and high-limit accounts attract PEPs and sanctions evasion typologies. Apply EDD per Politically Exposed Persons (PEPs) and adverse media per Adverse Media Screening.
Unhosted wallet transactions may warrant additional scrutiny under FinCEN advisories on ransomware and mixer usage.
SARs and law enforcement cooperation
VASP compliance teams must file FinCEN SARs when red flags appear—mixer routing, chain hopping after stolen funds news, or customer misrepresentation of jurisdiction.
See FinCEN SAR Filing. Maintain five-year records per AML Record Retention.
Payment processors and embedded crypto
Payment platforms adding crypto ramps inherit VASP and MSB complexity. Read AML/KYC Compliance for Payment Processors and PSPs.
Building a unified global program
- Map products to licensing triggers in each geography
- Publish a group-wide AML policy with regional annexes
- Centralize sanctions, PEP, and adverse media screening
- Implement travel rule messaging with counterparties
- Align monitoring rules across fiat and crypto rails
- Train engineers and support on typologies
- Test program effectiveness annually
Who must comply?
Any US VASP or fintech touching CVC likely has BSA obligations; confirm via Who Must Comply with BSA/AML?
Design onboarding flows that collect required data without excessive drop-off; see Compliant Client Onboarding.
Wallet custody models and compliance ownership
Custodial wallets place full CDD and monitoring duty on the VASP; non-custodial interfaces still face MSB analysis if you facilitate exchange or transmission. Map custody in architecture diagrams for examiners.
State licensing and securities overlays
Federal MSB registration does not preempt state money transmitter laws. A VASP serving US retail needs a state-by-state MTL map or a partner arrangement. Compliance budgets must include renewal fees and surety bonds.
The SEC and CFTC may classify certain tokens as securities or derivatives, triggering separate registration. AML teams should participate in token listing committees with legal.
Stablecoin issuers face intensifying scrutiny on reserve attestations and redemption rights. MiCA’s e-money token rules exceed the US patchwork today; global issuers should benchmark against both.
Incident response for blockchain exploits should include SAR evaluation when customer wallets receive stolen funds, even if your platform did not cause the hack.
Engage law enforcement liaison programs where available; proactive reporting builds credibility during examinations.
Global operations desk
Assign ownership for EU MiCA readiness, US MSB registration renewals, and FATF mutual evaluation updates affecting correspondent relationships. A single roadmap prevents product teams from shipping features banned in one jurisdiction while marketed globally.
Examiner questions for US VASPs
Expect questions on unhosted wallet policies, mixer exposure rules, customer geography segmentation, and how travel rule gaps are closed when counterparty VASPs are unidentified. Maintain a written decision tree for when you freeze, restrict, or offboard based on blockchain analytics alerts. Document how your compliance team participates in product roadmaps for new tokens, chains, and payout corridors before launch announcements reach marketing.
Stablecoin redemption and AML
Stablecoin issuers should link redemption requests to source-of-funds reviews when sizes exceed policy thresholds, even if on-chain transfers appear technically clean. Cross-functional war games for token listing pauses help compliance keep pace with volatile markets.
Practical next steps for your compliance program
Regulators expect documented policies, trained staff, and evidence that controls run in production—not slide decks. Map each obligation to an owner, a control, and a record type. Run tabletop exercises for SAR decisions, sanctions hits, and EDD escalations. When examiners or auditors arrive, they will ask for samples: show that your process is consistent, risk-based, and improving over time.
Technology should reduce manual error, not replace accountability. Automate identity verification, list screening, and case management, but keep human review for edge cases. Periodically validate vendor match quality and tune thresholds so you neither flood analysts with false positives nor miss material risk.
Frequently asked questions
What is FATF Recommendation 15?
It requires countries to regulate VASPs for AML/CFT, including CDD, recordkeeping, SAR filing, and travel rule compliance for virtual asset transfers.
Does FinCEN regulate US crypto companies?
Yes. Administrators and exchangers of convertible virtual currency are MSBs subject to BSA AML program requirements and FinCEN registration.
What is the travel rule?
The travel rule requires transmitting institutions to share originator and beneficiary information with counterparties for certain funds and virtual asset transfers.
What is MiCA?
MiCA is the EU’s Markets in Crypto-Assets regulation authorizing and supervising crypto-asset service providers and imposing conduct and disclosure rules.
Do US firms need MiCA authorization?
US-domiciled firms generally need MiCA authorization or an EU partner to serve EU customers compliantly once MiCA fully applies.
How does crypto monitoring differ from bank monitoring?
Crypto monitoring adds blockchain analytics, wallet attribution, and VASP counterparty discovery alongside traditional KYC and transaction rules.