AML/KYC Compliance Setup for Crypto Project
AML/KYC setup is not a one-time task but the building of an operational process. Documents without technical implementation are just paper. Technical implementation without documents is a compliance violation. You need both.
Components of Complete AML/KYC Program
1. Risk-Based Approach (RBA)
Regulators require a risk-based approach: compliance resources are concentrated where the risks are higher. This means a formal classification of customers and products by risk.
Customer Risk Score:
| Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Country | EU, US, AU | SE Asia, LatAm | FATF high-risk jurisdictions |
| Customer Type | Individual | Small business | Financial institution |
| Transaction Volume | < $1,000/month | $1,000-$10,000 | > $10,000 |
| Source of Funds | Known, documented | Partially known | Unknown |
| PEP Status | No | No (relative of PEP) | PEP |
The aggregate risk score determines the CDD level: Simplified CDD (Low), Standard CDD (Medium), Enhanced CDD (High).
2. Customer Due Diligence (CDD) Procedures
Simplified CDD: minimal verification, transaction monitoring, no ongoing review. Applies to Tier 0-1.
Standard CDD: identification and verification of identity (document + liveness), PEP/sanctions check, understanding of the purpose of the business relationship. Applies to Tier 2.
Enhanced Due Diligence (EDD): Source of Funds + Source of Wealth documents, detailed background check, regular reviews (annually), real-time transaction monitoring. Applies to Tier 3 and high-risk clients.
3. Policies and Procedures — Development
AML/CFT Policy: the master document describing the entire program.
KYC Procedure: step-by-step instructions for each tier — what to collect, how to verify, how to document.
Transaction Monitoring Procedure: rules for alert generation, the investigation procedure, SAR criteria.
SAR Procedure: when to submit a Suspicious Activity Report, to which authority, and within what timeline (usually 15-30 days from discovery).
Record Retention Policy: how long to retain KYC documents (usually 5-7 years), data security requirements.
4. Technical Systems
KYC provider: Sumsub / Onfido — webhook integration, tier management, applicant portal.
AML screening: Chainalysis KYT / Elliptic — wallet screening on deposits and withdrawals.
PEP/Sanctions screening: ComplyAdvantage, Refinitiv, or similar — screening on onboarding and periodically.
Transaction Monitoring: built into Chainalysis or custom — alert rules for structuring, velocity, geographic anomalies.
Compliance CRM: system for managing compliance cases, review tasks, SAR drafts. Can be custom or Hummingbird, ComplyAdvantage CRM.
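The three alert-rule types named under Transaction Monitoring above (structuring, velocity, geographic anomalies), as an added Python example that is not code from the page or from any of the vendors it lists: each rule is evaluated over a 24-hour sliding window per customer on constructed deposit rows. The thresholds, the window length, the "just under the reporting threshold" band and the row format are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the page or any regulator.
REPORTING_THRESHOLD = 10_000.0  # structuring = repeated amounts kept just under this
JUST_BELOW_FRACTION = 0.8       # "just under" means 80% .. 100% of the threshold
STRUCTURING_MIN_TXS = 3
VELOCITY_MAX_TXS = 5            # more than this many txs per window is abnormal
GEO_MIN_COUNTRIES = 3           # txs from this many countries per window is abnormal
WINDOW = timedelta(hours=24)

def parse_transactions(lines):
    """Parse constructed 'iso_timestamp,customer,usd_amount,country' rows, sorted by time."""
    txs = []
    for line in lines:
        ts, customer, amount, country = line.split(",")
        txs.append((datetime.fromisoformat(ts), customer, float(amount), country))
    return sorted(txs)

def detect_alerts(lines):
    """Return {customer: sorted rule names}; each tx opens a sliding window for its customer."""
    by_customer = defaultdict(list)
    for tx in parse_transactions(lines):
        by_customer[tx[1]].append(tx)
    alerts = defaultdict(set)
    for customer, txs in by_customer.items():
        for start, _, _, _ in txs:
            window = [t for t in txs if start <= t[0] <= start + WINDOW]
            just_below = [t[2] for t in window
                          if JUST_BELOW_FRACTION * REPORTING_THRESHOLD <= t[2] < REPORTING_THRESHOLD]
            # Structuring: several sub-threshold deposits that together exceed the threshold.
            if len(just_below) >= STRUCTURING_MIN_TXS and sum(just_below) >= REPORTING_THRESHOLD:
                alerts[customer].add("structuring")
            if len(window) > VELOCITY_MAX_TXS:            # velocity: too many txs, any size
                alerts[customer].add("velocity")
            if len({t[3] for t in window}) >= GEO_MIN_COUNTRIES:  # geographic spread
                alerts[customer].add("geographic")
    return {c: sorted(r) for c, r in alerts.items()}

# Constructed sample deposits (not real data): alice structures, bob churns, carol is normal.
SAMPLE_DEPOSITS = [
    "2024-03-01T09:00:00,alice,9500,DE",
    "2024-03-01T13:30:00,alice,9200,DE",
    "2024-03-01T20:10:00,alice,8900,DE",
    "2024-03-02T10:00:00,bob,120,US", "2024-03-02T10:05:00,bob,95,US",
    "2024-03-02T10:09:00,bob,130,US", "2024-03-02T10:15:00,bob,80,US",
    "2024-03-02T10:22:00,bob,110,US", "2024-03-02T10:30:00,bob,140,US",
    "2024-03-03T08:00:00,carol,2500,AU",
    "2024-03-05T08:00:00,carol,2500,AU",
]
```

Each alert would become a case in the compliance CRM for investigation; the rules are a starting point for the Transaction Monitoring Procedure, not a substitute for tuning thresholds against the project's own risk assessment.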
5. Staff Training
FATF and most regulators require a documented training program:
- Annual AML training for all employees
- Enhanced training for compliance team and customer-facing staff
- Training records (date, participants, content)
6. Compliance Officer Functions
The Compliance Officer (MLRO, Money Laundering Reporting Officer, in the UK) bears personal responsibility for the AML program. Functions:
- Oversight of KYC/AML processes
- SAR submissions
- Regulatory reporting
- Internal audit coordination
- Regulatory change management (FATF, MiCA updates)
Ongoing Compliance: What To Do After Launch
Periodic review: annual review of the AML policy for relevance, plus risk assessment updates.
Regulatory updates: FATF updates its recommendations and MiCA introduces new requirements; these must be tracked and implemented.
Internal audit: annual independent review of the AML program, by an internal or external auditor.
De-risking review: periodic re-assessment of high-risk clients to check whether their risk score is still current.
Setup Timeline
| Component | Timeline |
|---|---|
| Risk Assessment + Policy development | 2-3 weeks |
| KYC provider integration | 2-3 weeks |
| AML screening integration | 1-2 weeks |
| Transaction monitoring setup | 2-3 weeks |
| Compliance dashboard | 2-3 weeks |
| Staff training materials | 1 week |
Complete AML/KYC compliance system setup from scratch: 2-3 months.