Crypto Compliance FAQ
Direct answers to the questions risk, AML, and compliance teams ask about digital-asset regulation — grounded in Yirifi's coverage of 2,232+ regulations across 150+ jurisdictions.
Regulatory coverage & jurisdictions
What are the main crypto regulations to know in 2026?
The most referenced regimes are the EU's MiCA (Markets in Crypto-Assets) for issuers and service providers, the FATF Travel Rule adopted globally, the US BSA/FinCEN MSB rules, Singapore's PSA under MAS, the UAE VARA framework, Hong Kong's SFC licensing regime, and the UK's FCA crypto financial-promotions rules. Yirifi's Regulatory Database tracks 2,232+ regulations across 150+ jurisdictions and 1,200+ regulatory bodies.
What is the crypto Travel Rule?
The Travel Rule requires Virtual Asset Service Providers (VASPs) to share originator and beneficiary information for crypto transfers above a jurisdictional threshold (typically USD/EUR 1,000). It originated from FATF Recommendation 16 and has been adopted in the EU (via MiCA/TFR), Singapore, Switzerland, the US, and most major jurisdictions. Compliance teams must verify counterparty VASPs, transmit required data securely, and screen sanctions and PEP lists.
What is MiCA and who does it apply to?
MiCA (Markets in Crypto-Assets) is the EU's unified crypto regulation effective from December 2024, with full application through 2025. It covers issuers of asset-referenced tokens and e-money tokens, and Crypto-Asset Service Providers (CASPs) offering custody, trading, exchange, portfolio management, or advice. Obligations include authorisation, governance, prudential requirements, market-abuse rules, whitepaper disclosures, and consumer protection.
What is KYC vs KYB in crypto?
KYC (Know Your Customer) verifies individual users through identity documents, liveness checks, and sanctions/PEP screening. KYB (Know Your Business) verifies corporate entities by checking registry filings, ultimate beneficial owners, directors, and corporate structure against sanctions and adverse-media sources. Crypto platforms typically run both before allowing fiat on/off ramps or high-value trading.
What is a SAR and when must it be filed?
A Suspicious Activity Report (SAR) — called STR in some jurisdictions — is a confidential report filed with a Financial Intelligence Unit (FIU) when a regulated institution detects transactions that may indicate money laundering, terrorist financing, or other predicate offences. Filing is mandatory once a threshold of suspicion is reached, even without proof of a crime. Deadlines vary: FinCEN requires filing within 30 days of detection.
What is a VASP under FATF guidance?
A Virtual Asset Service Provider (VASP) is any business that conducts one or more of: exchange between virtual assets and fiat, exchange between different virtual assets, transfer of virtual assets, safekeeping or administration, and participation in the issuance or sale of virtual assets. FATF Recommendation 15 requires VASPs to be licensed or registered and to comply with AML/CFT obligations equivalent to traditional financial institutions.
How does MAS regulate crypto in Singapore?
The Monetary Authority of Singapore (MAS) regulates Digital Payment Token (DPT) service providers under the Payment Services Act. Licensed firms must maintain AML/CFT controls, segregate customer assets, restrict retail marketing, meet prudential requirements, and follow the Travel Rule. MAS has also issued guidance on stablecoin issuance and retail access, with additional investor-protection measures effective from 2024.
What is the FATF 'grey list' and why does it matter?
The FATF grey list ("jurisdictions under increased monitoring") includes countries with strategic AML/CFT deficiencies that have committed to reform. Institutions typically apply enhanced due diligence to customers and counterparties from grey-listed jurisdictions. Being grey-listed raises correspondent-banking costs, dampens foreign investment, and signals elevated compliance risk to global regulators.
What is enhanced due diligence (EDD) for crypto?
Enhanced due diligence is a deeper investigation applied to higher-risk customers, transactions, or jurisdictions. For crypto, triggers include politically exposed persons, high-risk countries, privacy-coin exposure, mixer usage, high-value transfers, and non-custodial wallet counterparties. EDD typically involves source-of-funds verification, ultimate beneficial owner checks, adverse-media scans, and ongoing monitoring with elevated thresholds.
What is the difference between KYT and KYC?
KYC (Know Your Customer) verifies who a customer is at onboarding and at periodic review. KYT (Know Your Transaction) monitors the behaviour of those customers' transactions continuously — including counterparties, volumes, velocities, geographic exposure, and on-chain risk indicators. Together they form the backbone of a modern AML programme for digital assets.
What is VARA and what does it regulate?
VARA is the Virtual Assets Regulatory Authority of Dubai, established under Law No. 4 of 2022. It licenses and supervises virtual-asset activities within the Emirate of Dubai (excluding the DIFC). Licensable activities include advisory, broker-dealer, custody, exchange, lending, payments, VA management, and investment. VARA's rulebook covers market conduct, compliance, technology risk, and consumer protection.
What is a PEP and how are PEPs handled in crypto?
A Politically Exposed Person (PEP) is an individual entrusted with a prominent public function — heads of state, senior politicians, senior judicial or military officials, and their close associates and family members. Crypto platforms must screen for PEPs at onboarding, apply enhanced due diligence, obtain senior-management approval, and monitor PEP accounts with elevated scrutiny throughout the customer lifecycle.
What is adverse media screening?
Adverse media screening checks customers against news, regulatory actions, court filings, and watchlists for negative information indicating involvement in financial crime, fraud, corruption, or sanctions. Modern screening uses NLP to reduce false positives and surface relevant hits from millions of sources in dozens of languages. It is mandatory under most AML regimes as part of ongoing due diligence.
What is the FinCEN crypto rule?
FinCEN treats most crypto activity as Money Services Business (MSB) activity under the US Bank Secrecy Act. Registered MSBs must implement AML programmes, file Currency Transaction Reports and Suspicious Activity Reports, maintain records, and — under proposed rules — collect counterparty information for transfers involving unhosted wallets above specific thresholds. State-level money-transmitter licensing applies on top of federal registration.
What is SupTech, and how does it differ from RegTech?
SupTech (Supervisory Technology) refers to technology used by regulators and supervisory authorities to monitor, analyse, and enforce compliance across the firms they oversee — automated data collection, risk surveillance, and reporting analytics are typical applications. RegTech, by contrast, is technology used by regulated firms to meet their own compliance obligations. Yirifi supports both sides: its Regulatory Database and risk analytics tools are used by regulated firms for RegTech purposes and by government bodies for SupTech applications.
What is regulatory risk for a new product launch, and how should firms assess it?
Regulatory risk for a new product launch is the risk that a product or service triggers licensing, disclosure, or conduct obligations the firm did not anticipate — or operates in a jurisdiction where the activity is restricted or prohibited. Assessment requires mapping the product's features to the regulatory frameworks of each target jurisdiction before launch, not after. Business managers can use Yirifi's Regulatory Database and Use Case Builder to identify applicable obligations early and resolve gaps before they become enforcement events.
What is DeFi compliance, and what obligations apply to decentralised protocols?
DeFi compliance refers to the application of AML/CFT, market integrity, and consumer protection obligations to decentralised finance protocols and the firms that interface with them. Obligations vary by jurisdiction but converge on whether a protocol has a sufficiently centralised party — developer, governance token holder, or front-end operator — that regulators can hold accountable. FATF guidance, MiCA's provisions for fully decentralised protocols, and FinCEN's 2019 guidance on anonymising services collectively frame the current international standard.
What is stablecoin regulation, and which regimes apply?
Stablecoin regulation covers the issuance, redemption, reserve management, and distribution of tokens designed to maintain a stable value relative to a fiat currency, commodity, or basket. Key regimes include MiCA Title III and IV (EU), the UK's Financial Services and Markets Act 2023 amendments, MAS's Payment Services Act stablecoin framework, and ongoing US federal legislation targeting dollar-pegged stablecoins. Obligations differ materially between e-money tokens and asset-referenced tokens under MiCA, and between payment stablecoins and commodity-backed tokens in other jurisdictions.
What is a CASP under MiCA?
A Crypto-Asset Service Provider (CASP) is any legal person or undertaking that provides one or more crypto-asset services to clients on a professional basis under the EU's Markets in Crypto-Assets Regulation (MiCA), which came into full effect in December 2024. Regulated services include custody, operation of a trading platform, exchange, transfer of crypto-assets, execution of orders, placement, reception and transmission of orders, portfolio management, and advice. CASPs must be authorised by a national competent authority in an EU member state and comply with organisational, conduct, and prudential requirements set out in MiCA Title V.
What is the difference between a VASP, an MSB, and a CASP?
A VASP (Virtual Asset Service Provider) is the FATF-standard term for any entity conducting virtual asset activities subject to AML/CFT obligations under the FATF Recommendations — it is a policy classification, not a licence. An MSB (Money Services Business) is a US regulatory category defined by FinCEN that includes certain virtual currency exchangers and administrators under the Bank Secrecy Act. A CASP is the EU's MiCA-specific licensed category for crypto-asset service providers — legally distinct from the VASP definition and carrying its own authorisation and conduct requirements. The same entity may qualify as a VASP under FATF standards, an MSB under FinCEN rules, and a CASP under MiCA simultaneously.
What are OFAC virtual currency sanctions compliance requirements?
OFAC requires all US persons — and in some programmes, non-US persons — to screen virtual currency transactions against its Specially Designated Nationals (SDN) list and applicable country-based sanctions programmes, regardless of whether the transaction occurs on a centralised or decentralised platform. OFAC guidance published in 2021 and 2022 clarifies that sanctions apply to crypto transactions in the same way they apply to fiat transactions, and that compliance programmes should include blockchain analytics capable of identifying sanctions exposure. Penalties for violations can include civil monetary fines and criminal referral regardless of whether the violation was wilful.
What is blockchain transaction monitoring, and how does it differ from KYT?
Blockchain transaction monitoring is the continuous, automated review of on-chain activity to detect patterns that indicate financial crime, sanctions exposure, or policy violations — it encompasses rule-based alerts, behavioural analytics, and clustering across wallets and counterparties. KYT (Know Your Transaction) is a narrower term, originally coined by Chainalysis, that refers specifically to real-time risk scoring of individual transactions at the point of processing. In practice, a full monitoring programme combines KYT-style transaction scoring with broader entity-level and network-level analysis that KYT alone does not provide.
What is NFT AML risk, and are NFTs subject to FATF guidance?
NFT AML risk refers to the potential for non-fungible tokens to be used as a vehicle for money laundering through wash trading, layering via high-value art and collectibles markets, or peer-to-peer transfers that obscure the origin of illicit funds. FATF's 2021 Updated Guidance on Virtual Assets notes that certain NFTs — particularly those used for payment or investment purposes — may fall within the VASP definition and trigger AML/CFT obligations for platforms facilitating their trade. Regulatory treatment varies by jurisdiction, but the trend across FATF member states is toward treating high-value NFT marketplaces as subject to at minimum enhanced due diligence requirements.
What is crypto custody regulation, and who supervises crypto custodians?
Crypto custody regulation governs the safekeeping of digital assets on behalf of clients, covering segregation of client assets, key management standards, insurance requirements, capital buffers, and operational resilience. Supervisory responsibility varies by jurisdiction: in the EU, MiCA places custody under CASP authorisation requirements with ESMA and national competent authorities as supervisors; in the US, oversight is fragmented across the OCC (for nationally chartered banks), state trust charters, and SEC guidance on qualified custodians; in the UK, FCA authorisation under the Financial Services and Markets Act applies. Most major jurisdictions now require custodians to hold client assets off-balance-sheet and demonstrate proof of reserves.
What legal questions arise when a business launches a new crypto product?
Launching a new crypto product typically triggers legal questions across three areas: characterisation (is the token a security, payment instrument, or commodity — and does that change across jurisdictions?), licensing (does the activity require a VASP, CASP, or equivalent licence in the target markets?), and consumer obligations (what disclosure, suitability, and complaints-handling rules apply?). The answers differ by product type and jurisdiction, and regulatory characterisation has shifted significantly as MiCA, FIT21, and national frameworks matured through 2024–2026. Legal advisors need current regulatory text, enforcement history, and cross-jurisdictional comparisons — exactly what Yirifi's Regulatory Database provides.
Yirifi platform capabilities
What is AML screening for crypto wallets?
AML screening for wallets combines on-chain analytics with off-chain intelligence to score a wallet address for exposure to sanctioned entities, darknet markets, mixers, ransomware, and fraud. A risk engine traces fund flows across hops, attributes clusters to known entities, and returns a risk score plus evidence. Institutions typically screen at onboarding, before outbound transfers, and continuously for held positions.
What is a wallet risk score?
A wallet risk score is a numerical assessment of how likely a blockchain address is to be linked to illicit activity. It is derived from on-chain heuristics (clustering, path tracing, counterparty exposure) and off-chain intelligence (sanctions lists, law-enforcement data, known exchange attributions). Scores typically map to tiers like Low, Medium, High, and Prohibited, driving decisions on onboarding, enhanced due diligence, or rejection.
How do institutions monitor crypto transactions for AML?
Institutions combine real-time wallet screening, transaction monitoring rules tuned for blockchain behaviour, and case-management workflows feeding suspicious-activity reporting. Typical signals include structuring, mixer usage, sanctioned counterparties, rapid in-out flows, and cross-chain obfuscation. Findings are escalated to compliance officers who investigate and, when warranted, file a SAR or STR with the relevant Financial Intelligence Unit.
What is sanctions screening for crypto?
Sanctions screening checks customer identities, wallet addresses, counterparty VASPs, and transaction paths against lists such as OFAC SDN, UN Consolidated, EU Consolidated, HMT, and national lists. Crypto screening must also catch exposure by tracing fund flows — a wallet is "tainted" if it received value from a sanctioned address within a defined number of hops. Yirifi continuously monitors 1,200+ regulatory bodies for list updates.
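The hop-based exposure rule above, together with the risk tiers described under "What is a wallet risk score?", as an added example that is not Yirifi's code. It goes slightly beyond the text by requiring each upstream transfer to precede the downstream one, since a wallet cannot inherit taint from a deposit its counterparty received later. The addresses, sequence numbers, `trace_exposure`, `tier_for`, `screen`, and the hop-to-tier mapping are all constructed assumptions.

```python
from collections import defaultdict
from math import inf

# Constructed sample data: (sender, receiver, sequence number of the transfer).
SANCTIONED = {"addr_listed"}
TRANSFERS = [
    ("addr_listed", "addr_a", 1),
    ("addr_a", "addr_b", 2),
    ("addr_b", "addr_c", 3),
    ("addr_c", "addr_d", 4),
    ("addr_e", "addr_f", 5),
    ("addr_listed", "addr_e", 6),  # arrives after addr_e already paid addr_f
    ("addr_b", "addr_a", 7),       # cycle back to an earlier address
]


def trace_exposure(transfers, sanctioned, wallet, max_hops):
    """Return (hops, path) to the nearest listed source, or (None, [])."""
    incoming = defaultdict(list)  # receiver -> [(sender, seq)]
    for sender, receiver, seq in transfers:
        incoming[receiver].append((sender, seq))

    # frontier: address -> seq of the outgoing transfer that links it toward
    # `wallet`; value must have reached the address before that transfer.
    frontier = {wallet: inf}
    parents = []  # parents[k][addr] = address one hop closer to `wallet`
    for hops in range(max_hops + 1):
        hits = sorted(a for a in frontier if a in sanctioned)
        if hits:
            path = [hits[0]]
            for level in reversed(parents):
                path.append(level[path[-1]])
            return hops, path  # path runs from listed source to wallet
        nxt, link = {}, {}
        for addr, bound in frontier.items():
            for sender, seq in incoming[addr]:
                # Keep only transfers that happened before value left `addr`,
                # and keep the latest such transfer per sender (it admits the
                # widest set of upstream transfers on the next hop).
                if seq < bound and seq > nxt.get(sender, -inf):
                    nxt[sender] = seq
                    link[sender] = addr
        if not nxt:
            break
        parents.append(link)
        frontier = nxt
    return None, []


def tier_for(hops):
    """Hypothetical policy mapping hop distance to the FAQ's tier names."""
    if hops is None:
        return "Low"         # no exposure inside the hop window
    if hops == 0:
        return "Prohibited"  # the address itself is on the list
    if hops == 1:
        return "High"        # direct counterparty of a listed address
    return "Medium"          # indirect exposure inside the hop window


def screen(wallet, max_hops=3):
    """Score one wallet and return the tier with the path as evidence."""
    hops, path = trace_exposure(TRANSFERS, SANCTIONED, wallet, max_hops)
    return {"wallet": wallet, "tier": tier_for(hops), "hops": hops,
            "evidence": path}


if __name__ == "__main__":
    for w in ("addr_listed", "addr_a", "addr_c", "addr_d", "addr_f"):
        print(screen(w))
```

The `addr_f` case is the one a naive graph search gets wrong: its counterparty received listed funds only after paying it, so no exposure is reported.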
How often should crypto compliance policies be updated?
Policies should be reviewed at least annually, and immediately on material regulatory change, corporate restructuring, or new product launch. In crypto specifically, update triggers include new MiCA technical standards, OFAC designations, Travel Rule threshold changes, and new high-risk jurisdiction listings. Yirifi customers typically use the Regulatory Database to auto-surface relevant updates per policy area.
What is on-chain analytics?
On-chain analytics is the practice of analysing public blockchain data — transactions, addresses, smart-contract events — to attribute entities, trace flows, and detect illicit activity. Core techniques include address clustering, heuristic grouping, graph analysis, and machine-learning classification. On-chain analytics underpins wallet risk scoring, investigations, market surveillance, and regulatory reporting.
How is AI used in crypto compliance?
AI accelerates regulatory interpretation, transaction monitoring, case investigation, and reporting. Large language models summarise new regulations, extract obligations, and draft policy updates. ML models classify transactions, reduce false positives, and surface subtle risk patterns. Yirifi runs 6 specialised AI agents across risk, regulation, governance, legal, business, and investment workflows, grounded in 500+ compliance use cases.
What is an AI agent for compliance, and how is it different from a general-purpose chatbot?
A compliance AI agent is purpose-built to reason over regulatory text, jurisdiction-specific obligations, and firm-specific policies — not general web content. Unlike a general chatbot, each agent is scoped to a defined task such as impact assessment, SAR drafting, or sanctions screening, and every answer is grounded in cited source material rather than probabilistic text generation. Yirifi deploys 6 specialised AI agents trained on 2,232+ regulations so compliance teams get answers they can trace back to the publishing authority.
What is governance in the context of crypto regulatory compliance?
Governance in crypto regulatory compliance refers to the frameworks, policies, and oversight structures that ensure a firm's compliance programme operates effectively and is accountable to senior management and regulators. It covers the three-lines-of-defence model (operational compliance, risk oversight, internal audit), board-level reporting on regulatory risk appetite, and the documentation that allows regulators and examiners to verify governance is functioning. For crypto firms, governance is increasingly scrutinised because regulators are moving from activity-based rules to accountability-based supervision — where firms must demonstrate not just what they did, but who was responsible.
What is institutional crypto due diligence?
Institutional crypto due diligence is the structured process by which institutional investors — hedge funds, asset managers, pension funds, family offices — assess the regulatory compliance, risk profile, and governance quality of crypto-related investments. It covers counterparty assessment (the exchange, protocol, or issuer involved), regulatory compliance (does the entity hold appropriate licences?), on-chain risk (transaction history and wallet exposure), and ongoing monitoring (flag if the regulatory or risk profile changes post-investment). As institutional allocations to digital assets have grown, so have LP and regulator expectations for documented, repeatable due diligence processes.
What is a compliance marketplace in the context of crypto?
A compliance marketplace is a curated catalogue of vetted compliance tools, data providers, and service vendors relevant to crypto and digital asset operations — covering areas like transaction monitoring, KYC/AML, sanctions screening, reporting platforms, and custody solutions. Rather than sourcing and evaluating vendors independently, compliance teams can discover, compare, and procure from a pre-assessed set of providers. Yirifi's Compliance Marketplace covers 1,845+ vendors categorised by function, jurisdiction, and regulatory use case, with standardised due diligence already completed so teams bypass the vendor assessment phase.
What is regulatory intelligence, and how is it different from legal research?
Regulatory intelligence is the ongoing, structured monitoring and analysis of regulatory change as it affects a firm's specific activities and jurisdictions — it is forward-looking and operational. Legal research retrieves and interprets existing law; regulatory intelligence tracks new rules, consultations, enforcement actions, and supervisory priorities in real time and surfaces their implications before they become compliance gaps. For crypto firms operating across multiple jurisdictions, regulatory intelligence is critical because the pace and volume of regulatory change exceeds what manual monitoring and quarterly legal reviews can keep up with. Yirifi's Regulatory Database is built for this operational cadence.
What is a people marketplace for compliance professionals?
A people marketplace for compliance connects firms with independent compliance experts, fractional CCOs, legal specialists, and regulatory advisors on demand — for project work, periodic reviews, or standing advisory arrangements. It differs from a recruitment agency in that engagements are scoped and time-limited (a regulatory impact assessment, a specific jurisdiction review, a board presentation) rather than employment relationships. For small teams or firms entering new markets, a people marketplace provides access to specialist expertise without the cost and commitment of a full-time hire. Yirifi's People Marketplace connects firms with vetted compliance professionals across 40+ specialisations.
What is a compliance knowledge base, and why does a crypto team need one?
A compliance knowledge base is a centralised, searchable repository of a firm's internal compliance documents — policies, SOPs, past regulatory opinions, training materials, and procedure guides — combined with the external regulatory content relevant to the firm's activities. For crypto teams, having a unified knowledge base matters because compliance work spans multiple jurisdictions, product lines, and regulatory frameworks simultaneously; without it, institutional knowledge lives in email threads and shared drives. Yirifi's Knowledge Base ingests both internal documents and external regulatory content, making everything queryable through the AI agents so teams get answers grounded in their own policies alongside the regulatory database.
What does it mean for a crypto business to take a solutions-first approach to compliance?
A solutions-first approach to compliance means building a programme around the specific business model, jurisdictions, and product types of the firm — rather than applying a generic framework and hoping it fits. For crypto businesses, this matters because the same activity (for example, facilitating token swaps) carries different regulatory obligations depending on whether it is classified as a payment service, a securities activity, or an exchange function in different markets. A solutions-first approach identifies those obligations upfront and builds workflows, monitoring, and reporting to exactly that scope — reducing compliance gaps and unnecessary overhead. Yirifi's solution pages and Use Case Builder are designed to support this approach from day one.
How does Yirifi help with multi-jurisdictional crypto compliance?
Yirifi tracks 2,232+ regulations across 150+ jurisdictions and 1,200+ regulatory bodies in a single knowledge graph. AI agents map obligations to a client's licensed activities, surface applicable rules, generate change alerts, and power chat-based research. Risk Analytics ties on-chain screening to the same regulatory taxonomy so compliance teams can move from regulation to evidence in minutes instead of weeks.
Security & compliance certifications
What is SOC 2 and does it apply to crypto platforms?
SOC 2 is an audit standard from the AICPA that evaluates a service organisation's controls around security, availability, processing integrity, confidentiality, and privacy. It is not a legal requirement but is widely expected by institutional buyers of crypto infrastructure. Many compliance platforms also pursue ISO 27001 — Yirifi is ISO 27001 certified — which covers information-security management systems more broadly.
Use cases & ROI
Is Yirifi suitable for a firm preparing for a crypto licence but not yet regulated?
Yes — and this is one of the most common entry points. Yirifi maps the exact obligations attached to each licence type across 150+ jurisdictions, so pre-licence teams can build a compliance programme to spec before the examiner arrives. You avoid both under-building (gaps that delay authorisation) and over-building (spend on obligations you will not carry). Most pre-licence teams start with the Regulatory Database and Use Case Builder, then activate the AI agents as the programme matures.
General
What is crypto compliance?
Crypto compliance is the practice of meeting anti-money-laundering (AML), counter-terrorist-financing (CFT), sanctions, and consumer-protection obligations when dealing with digital assets. It covers customer due diligence, wallet screening, transaction monitoring, sanctions checks, suspicious activity reporting, and jurisdiction-specific rules such as MiCA in the EU or the Travel Rule under FATF Recommendation 16.