AML Cryptocurrency Regulations Around the World

Today, there are approximately 18,000 different cryptocurrencies and 460 crypto-exchanges. As of December 2022, the global crypto market cap amounts to $857.16B. According to the World Economic Forum, $91 billion worth of cryptos are traded every 24 hours, most of which are Bitcoin or Ethereum.

So, the adoption of cryptocurrencies by both individuals and businesses has jumped in recent years—as has the amount of related illegal activity. Through July 2022, almost $2 billion was stolen in crypto through hacks, compared to just under $1.2 billion at the same point in 2021. Money laundering through crypto is another problem. Last year criminals laundered $8.6bn of cryptocurrency—up by 30% from 2020.

Therefore, most countries are either implementing or tightening existing regulations on crypto.Although country-specific regulations are usually built on FATF recommendations, each legislation has its own specifics—and companies providing services involving virtual assets must be aware of these specifics. 

Is cryptocurrency regulated globally?

At the moment, cryptocurrency regulations already exist in many jurisdictions and continue to expand around the world. 

At the international level, there is the Financial Action Task Force (FATF), a global money laundering and terrorist financing watchdog. The FATF issues global standards to prevent the misuse of virtual assets, which are then implemented in one form or another in national law. 

In 2019, the FATF added amendments to Recommendation 15, based on which Virtual Asset Service Providers (VASPs) should be regulated in the same manner as financial institutions.

The Recommendation includes registration or licensing for VASPs at least in the jurisdiction where they are established, and compliance with AML regulations, such as Customer Due Diligence, KYC, transaction monitoring, sanctions screening, and other requirements.

Therefore, when it comes to registration or licensing, there are no global regulators for VASPs. According to the FATF, a company is considered a VASP if it provides the following services:

• Exchange between virtual assets and fiat currencies
• Exchange between one or more forms of virtual assets 
• Transfer of virtual assets
• Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
• Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. Thus, each jurisdiction introduces their own definition of VASP and related regulatory measures.

KYC in crypto

Today KYC checks (as part of CDD) are mandatory for crypto operations in most jurisdictions. 

KYC checks aim to identify and verify clients before establishing business relations, permitting transactions and other activities specified by law. The minimum information required during the client onboarding process depends on a given country’s legislation, but usually includes:

• the client’s full name;
• residential address;
• date of birth.

The above information then gets compared to government-issued documents submitted by the applicant.

During the onboarding process, KYC checks usually consist of the following steps:

• identification—the process of acquiring the client’s personal data;
• liveness check—the process of determining whether the client is a real person;
• verification—the process of cross-comparing personal data to government-issued documents;
• address verification—the process of determining whether the client comes from the claimed region. 

To conduct KYC quickly and properly, crypto services often delegate this to specialized third-party solutions.

Crypto transaction monitoring

Another AML requirement for VASPs is transaction monitoring. More specifically, , VASPs have to monitor customer activities and transactions on an ongoing basis in order to determine and report to authorities the following:

• if transactions are complex or unusually large
• a transactions of an unusual nature
• transactions that have no obvious economic or legal purpose
• if there is any suspicion of money laundering or terrorist financing,

The FATF outlines the following red flags of money laundering when observing transactions:

• Anonymous transactions. Use of private coins, trading on unlicensed exchanges or through proxies, use of the same IP address to operate numerous cryptocurrency wallets anonymously.
• Transactional behavior. Suspicious cryptocurrency transaction patterns, such as high transaction frequency in a short period of time or quick deposits and withdrawals of funds into a newly formed account.
• Geographic risks. Cryptocurrency transactions that are carried out into or out of high-risk nations or jurisdictions, or that send currency to exchanges outside of the customer’s home country. 
• Structured transactions. Multiple cryptocurrency transactions that are deliberately structured in amounts that do not trigger reporting thresholds. 
• Inadequate CDD. Cryptocurrency transactions involving accounts that have refused or avoided inquiries for identifying information.
• Money-mules. Elderly or financially vulnerable clients exploited as mules to carry out transactions for money launderers.

The FATF Travel Rule

The updated FATF Recommendations now require Virtual Asset Service Providers (VASPs) and financial institutions engaged in virtual asset (VA) transfers to follow the Travel Rule. This means collecting and sharing personal data of senders and recipients in a transaction. The FATF’s proposed threshold amounts to 1000$/€ for virtual asset transfers. Whereas if a transaction amount is lower than the threshold, VASPs can enjoy less stringent requirements (e.g., less information may be transferred). However, it should be noted that countries can establish their own thresholds or forego them altogether. This is stated in Recommendation 16, commonly referred to as the Travel Rule.

Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. However, the implementation has spurred a number of problems. According to the FATF’s Targeted Update on Implementation of FATF Standards on Virtual Assets-VASPs, 29 out of 98 responding jurisdictions reported having passed Travel Rule legislation as of March 2022, while only 11 jurisdictions have begun implementing enforcement and supervisory measures. Most recently, Japan announced that it would bring crypto transactions under the Travel Rule by May 2023. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations comes into force on September 1, 2023. A similar law is expected in Lithuania in 2025.

Crypto regulations around the globe

We’ve broken down several popular crypto jurisdictions below:

• Estonia

  Main regulator: Estonian Financial Intelligence Unit

  Main regulation: the Estonian Money Laundering and Terrorist Financing Prevention Act

  Who’s affected:

  • virtual currency wallet services

  • virtual currency exchange services (virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency)

  • virtual currency transfer services

  • organizations, in the name or on behalf of an issuer of virtual currency, of a public or targeted offering or sale related to the issue of such currency, or the provision of any related financial services

  Travel Rule: implemented Read this article to learn why VASPs need to comply with local AML regulations: How the New Estonian AML Act Affects Virtual Currencies

• France

  Main regulator: Financial Markets Authority (AMF)

  Main regulation: Monetary and Financial Code, PACTE law

  Who’s affected: An actor may be considered a Digital Asset Service Provider (DASP) if it provides at least one of the following digital asset services, as mentioned in Article L. 54-10-2 of the Monetary and Financial Code: 1. The custody service on behalf of third parties of digital assets or access to digital assets, where applicable in the form of private cryptographic keys, with a view to holding, storing and transferring digital assets; 2. The service of buying or selling digital assets in legal tender; 3. The service of exchanging digital assets for other digital assets; 4. The operation of a digital asset trading platform; 5. The following services: a) the reception and transmission of orders for digital assets, meaning the act of receiving and transmitting buy or sell orders for digital assets on behalf of a client; b) the management of digital asset portfolios, meaning the act of managing, on a discretionary, client-by-client basis, portfolios that include one or more digital assets under a mandate given by a client; c) advice to investors in digital assets, which means giving personalized recommendations to a third party, either at their request or on the initiative of the service provider providing the advice, concerning one or more digital assets; d) digital asset underwriting, defined as the act of purchasing digital assets directly from a digital asset issuer, with a view to subsequently selling them; d) the guaranteed placement of digital assets, which consists in searching for buyers on behalf of a digital asset issuer and guaranteeing them a minimum amount of purchases by undertaking to buy the digital assets not placed; e) the non-guaranteed placement of digital assets, meaning the act of searching for buyers on behalf of a digital asset issuer without guaranteeing them an amount of purchases.” The registration requirement only refers to services listed in 1-4.

  Travel Rule: not implemented Read the whole article to understand how VASPs can comply with crypto regulations in France: France Tightens Cryptocurrency Regulations as of June 2021. Here’s Our Guide to Staying Compliant

• The Netherlands

  Main regulator: De Nederlandsche Bank

  Main regulation: The Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financieren van terrorisme—Wwft)

  Who’s affected:

  • natural persons or legal entities providing professional or commercial services for the exchange between virtual currency and fiat currency;

  • natural persons or legal entities that offer professional or commercial custodian wallets.

  At the moment the entities who offer crypto-to-crypto exchanges are still not regulated.

  Travel Rule: not implemented Read this article to understand regulations for VASPs in the Netherlands: Cryptocurrency Regulation in the Netherlands—How Companies Can Stay Compliant in 2022

• Switzerland

  Main regulator: Swiss Financial Market Authority (FINMA)

  Main regulation: Anti-Money Laundering Ordinance (AMLO-FINMA), Anti-Money Laundering Act (AMLA), AMLO-FINMA7

  Who’s affected: Financial intermediaries as specified in Articles 2 AMLA and 4 AMLO. As a rule, these include:

  • Virtual asset exchanges,

  • wallets

  • trading platforms, etc.

  Travel Rule: implemented Read further: Switzerland’s FINMA Pushes New AML Rules to Crypto Transactions

• Belgium

  Main regulator: Financial Services and Markets Authority—FSMA

  Main regulation: Law on the prevention of money laundering and terrorist financing and on the restriction of the use of cash

  Who’s affected:

  • exchange services between virtual and fiat currencies (VASPs);

  • custodian wallet providers

  Travel Rule: not implemented Check out this article to learn how to register a crypto business in Belgium: ​​Guide to Mandatory Registration as a Crypto Business in Belgium

• Singapore

  Main regulator: Monetary Authority of Singapore (MAS)

  Main regulation: the Payment Services Act (PSA)

  Who’s affected:

  • any service of facilitating the exchange of digital payment tokens, namely establishing or operating a Digital Payment Token (DPT) exchange, where the person that establishes or operates that DPT exchange comes into possession of any money or DPT;

  • any service that deals with digital payment tokens—namely buying or selling DPTs in exchange for money or any other DPT (either the same or a different type).

  However, the services defined as “dealing” in DPT do not include:

  • facilitating the exchange of DPTs;

  • accepting DPTs as a means of payment for the provision of goods or services;

  • using DPTs as a means of payment for the provision of goods or services.

  Singapore regulators are also planning to implement amendments to regulate crypto wallets.

  Travel Rule: implemented Read this article to get details on crypto regulations in Singapore: Singapore’s Digital Payment Token Regulations: Everything You Need to Know

• USA

  Main regulator: the Financial Crimes Enforcement Network (FinCEN), the Commodity Futures Trading Commission (CFTC), the United States Securities and Exchange Commission (SEC)

  Main regulation: United States Bank Secrecy Act (BSA) and amendments to it, provided by the Patriot Act, AMLA; FinCEN Implementing Act

  Who’s affected: AML/CFT obligations in the US apply to entities that the BSA defines as “financial institutions” such as futures commission merchants and introducing brokers obligated to register with the CFTC, money services businesses (MSBs) as defined by FinCEN, and broker-dealers and mutual funds obligated to register with the SEC. In 2019, FinCEN issued Guidance which clarified the application of the BSA to some business models operating in the virtual assets field. In 2021, AMLA also amended the BSA, expanding some definitions, in particular that “financial institutions” include “value that substitutes for currency”. Financial institutions now include, inter alia:

  • Businesses “engaged in the exchange of currency, funds, or value that substitutes for currency or funds”

  • A person who “engages as a business in the transmission of currency, funds, or value that substitutes for currency, including any person who engages as a business in an informal money transfer system or any network of people who engage as a business in facilitating the transfer of money domestically or internationally outside of the conventional financial institutions system”

  Travel Rule: implemented

• South Korea

  Main regulator: Financial Services Commission (FSC)

  Main regulation: Act on the Reporting and Use of Specific Financial Transaction Information

  Who’s affected: Services involved in the following business activities:

  • “Buying or selling virtual assets”

  • “The act of exchanging virtual assets with other virtual assets”

  • “Acts prescribed by Presidential Decree among acts of transferring virtual assets”

  • “The act of storing or managing virtual assets”

  • “Acts of brokering, arranging, or acting as an agent for the acts of 1) and 2)”

  • “Other acts prescribed by Presidential Decree that are highly likely to be used for money laundering and public intimidation financing in relation to virtual assets.”

  Travel Rule: implemented Read this article to get details on crypto regulations in South Korea: The New Crypto Regulations in South Korea: How to Prepare for the Changes

• Turkey

  Main regulator: Financial Crimes Investigation Board (MASAK), the Central Bank of the Republic of Turkey (CBRT)

  Main regulation: Regulation on the Disuse of Crypto Assets in Payments, Regulation on Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism

  Who’s affected: The AML law does not provide an explanation of the definition. According to the MASAK Guidance, crypto asset service providers mediate the buying and selling of crypto assets through electronic trading platforms.

  Travel rule: status unclear Read this article to get details on crypto regulations in Turkey: Turkey Enacts Its First Crypto Regulations: Here’s How Businesses Can Adapt

FAQ

• How are cryptocurrencies regulated in countries around the world?

  The FATF, a global anti-money laundering watchdog, issues standards and recommendations on cryptocurrency regulations, which are not legally binding. However, they are often reflected in local crypto legislation, sometimes with modifications. In general, in most jurisdictions, cryptocurrencies and companies providing such services (VASPs) are subject to AML regulation on par with financial institutions. Additionally, registration/licensing requirements are applicable to them.

• Who regulates crypto?

  VASPs are supervised on a national level. International organizations, like the FATF, issue standards and recommendations for VASP regulations, which each jurisdiction uses as the basis for developing their own legislation.

• Is crypto regulated by the government?

  Usually cryptocurrency is regulated by a government institution or agency, for example, a central bank or FIU.

• What regulations will be affecting crypto?

  On the EU level, Markets in Crypto-Assets (MiCA) project adoption is due. In addition, more jurisdictions are implementing the FATF Travel Rule (including Lithuania, the United Kingdom, Switzerland, etc.).