Regulatory compliance
Oct 08, 2024
10 min read

AML and Anti-Fraud in the Crypto Industry: Complete Guide (2024)

Everything you need to know about fighting fraud in crypto and staying compliant with AML.

Alyssa Abrams

Alyssa Abrams

Senior Content Manager

Governments and institutions are intensifying their focus on Anti-Money Laundering (AML) compliance in crypto. There are a number of reasons for this. This includes

  1. the anonymity and decentralized nature of crypto transactions, making them attractive to criminals and
  2. the substantial losses they’ve incurred for users and businesses in recent years.

According to an FBI report, losses to crypto investment scams in the US alone totaled $3.94 billion in 2023—an increase of 53% over 2022.

Penalties for non-compliance and insufficient transaction monitoring are another pain point for businesses. In 2023, crypto companies faced over $5.8 billion in fines over inadequate AML programs. To mitigate this growing risk, crypto businesses should build robust AML policies and implement necessary compliance measures.

Let’s dive into the specifics of crypto AML compliance and how to get it done right. 

Money laundering is an ongoing concern in crypto, as criminals seek to exploit its anonymity and decentralized nature for illicit purposes. Several key trends have emerged in the realm of crypto money laundering:

  • Mixing services and tumblers: These are increasingly used to obfuscate the origin of funds by mixing them with those of other users, making it difficult to trace transactions back to their source.
  • Privacy coins: Privacy-focused cryptocurrencies like Monero, Zcash, and Dash offer enhanced privacy features, making it more challenging for authorities to track transactions and identify the parties involved.
  • Decentralized exchanges (DEXs): These allow users to trade cryptocurrencies without the need for a centralized authority, making it easier for criminals to exchange illicit funds with reduced risk of detection and regulation.
  • Peer-to-Peer (P2P) platforms: These enable direct transactions between users, often bypassing traditional financial institutions. While P2P platforms offer convenience and privacy, they can also be exploited for money laundering purposes.
  • Layered transactions: Criminals may employ sophisticated techniques such as layering, where multiple transactions are conducted across various wallets and exchanges to obscure the trail of illicit funds.
  • Crypto ATMs: These provide a convenient way to convert cryptocurrencies into cash or vice versa. However, they can also be used to launder money with minimal KYC/AML requirements.
  • Complex wallet structures: This includes multi-signature wallets and wallet clustering techniques, which enable criminals to further obfuscate the flow of funds and conceal their activities.
  • Non-Fungible Tokens (NFTs): Criminals have started utilizing NFTs to launder money by transferring illicit funds through their purchase and sale.
  • Ransomware: Crypto is a mainstay in  ransomware attacks, with criminals demanding ransom payments in crypto to avoid detection. 
  • Anonymizing services: Criminals leverage anonymizing services such as VPNs, Tor networks, and encrypted messaging apps to obfuscate their identities and cover their tracks while laundering funds.

What are the red flags of crypto money laundering?

There are several common red flags that may indicate suspicious activity:

  • Unusually large transactions, particularly when they are inconsistent with a customer’s known financial profile or trading history. 
  • Unusual transaction patterns, such as round-number transactions, repetitive patterns, or transactions with no apparent economic purpose.
  • Multiple transactions in quick succession and/or rapid movement of funds through multiple wallets or exchanges in a short period, especially if coupled with attempts to obfuscate the transaction trail.
  • Use of privacy coins like Monero, Zcash, or Dash and/or tumblers 
  • Geographic anomalies involving jurisdictions known for weak crypto AML regulations or high levels of financial crime, especially if they involve counterparties or entities with a history of illicit activity.
  • Dealing with unregistered or unlicensed companies, particularly those operating in jurisdictions with lax regulatory oversight.
  • Inconsistent or false customer information provided during the KYC process
  • High-risk industries and sectors  prone to money laundering, such as gambling, adult entertainment, or darknet marketplaces, should be subject to enhanced scrutiny.
  • Transactions involving PEPs or their associates, especially if they appear unrelated to their legitimate business activities

Suggested read: Politically Exposed Person (PEP)—All You Need to Know

The presence of one or more of these red flags doesn’t necessarily imply illicit activity. However, they do require proper due diligence and ongoing monitoring, as well as timely submission of suspicious activity reports and cooperation with law enforcement.

As the crypto industry matures, the importance of robust Anti-Money Laundering compliance cannot be overstated. The anonymity and decentralized nature of crypto make it a target for illicit activities, but this also means that businesses in the space have a responsibility to implement strong AML measures. This involves not just meeting regulatory requirements but proactively adopting advanced fraud detection solutions. In 2024-2025, the trend will continue towards stricter global regulations and enhanced scrutiny. Companies that fail to keep up will face significant penalties, but more importantly, they risk losing the trust of their customers.

Piotr Antypiuk

Head of Crypto Product

What is crypto AML?

Anti-money laundering (AML) refers to the set of regulations, policies, and procedures designed to prevent and detect money laundering and other illicit activities. Crypto AML measures aim to ensure that cryptocurrency exchanges, wallet providers, and other virtual asset service providers (VASPs) comply with regulatory requirements. VASPs must therefore comply with applicable AML regulations and licensing requirements in the jurisdictions where they operate. This may include registering with regulatory authorities, obtaining licenses or approvals, and undergoing periodic audits or examinations to ensure compliance.

Suggested read: AML Cryptocurrency Regulations Around the World

What are the AML requirements for crypto?

  1. Risk assessment. Conducting a risk assessment is essential to identify and mitigate potential AML risks specific to the cryptocurrency business. Implementing risk-based AML measures allows companies to allocate resources effectively and address high-risk areas.
  2. Know Your Customer (KYC) and Customer Due Diligence (CDD). KYC procedures involve verifying the identities of customers and collecting relevant information to establish their legitimacy. This typically includes collecting personal information such as government-issued ID, proof of address, and, in some cases, conducting enhanced due diligence for high-risk customers. CDD involves assessing the risk associated with each customer and implementing appropriate measures to mitigate those risks. This may include ongoing monitoring of customer accounts and transactions, as well as periodic reviews of customer information.
  3. Cryptocurrency transaction monitoring. VASPs are required to monitor transactions on their platforms for suspicious activity, such as large or unusual transactions, transactions involving high-risk jurisdictions, or patterns indicative of money laundering or other illicit activities.
  4. Reporting suspicious activity. VASPs are obligated to report any suspicious transactions or activities to the relevant authorities, such as financial intelligence units (FIUs), to aid in the investigation and prevention of money laundering and other financial crimes.

Suggested read: Complete Guide to Suspicious Activity Reports

  1. Compliance programs. VASPs are required to establish and maintain comprehensive AML compliance programs that outline their policies, procedures, and controls for preventing money laundering and complying with regulatory requirements.

Suggested read: 6 Key Steps to a Successful Anti-Money Laundering (AML) Program in 2024

  1. Record-keeping. Cryptocurrency businesses are required to maintain accurate records of customer information, transactions, and AML compliance activities. These records may be subject to inspection by regulatory authorities.
  2. Employee training. Cryptocurrency businesses must provide AML training to their employees to ensure they understand their obligations and are equipped to identify and report suspicious activity effectively.

What is a crypto KYC/AML policy?

Know Your Customer (KYC) and Anti-Money Laundering (AML) policies outline the procedures and requirements crypto businesses must follow to verify the identities of their customers and prevent illicit activities such as money laundering and terrorism financing. While specific policies may vary depending on the jurisdiction and the nature of the cryptocurrency business, here is a general overview:

  • Customer identification. Cryptocurrency businesses are required to collect personal information from their customers, including government-issued identification documents (e.g., passport, driver’s license) and proof of address (e.g., utility bills, bank statements).
  • Identity verification. Cryptocurrency businesses must verify the authenticity of the information provided by customers through various verification methods, such as identity document scans, biometric verification, or third-party identity verification services.
  • Risk assessment. Cryptocurrency businesses must conduct risk assessments to determine the level of risk associated with each customer and transaction. This may involve assessing factors such as the customer’s location, transaction volume, and source of funds.
  • Enhanced Due Diligence (EDD). For high-risk customers or transactions, cryptocurrency businesses are required to conduct enhanced due diligence, which may include additional verification steps, ongoing monitoring, and increased scrutiny of transactions.
  • Crypto transaction monitoring and ongoing monitoring. Cryptocurrency businesses must monitor transactions on their platforms for suspicious activity, such as large or unusual transactions, transactions involving high-risk jurisdictions, or patterns indicative of money laundering or other illicit activities.

Crypto Travel Rule and AML

The Travel Rule was implemented by the Financial Action Task Force (FATF) to set international standards for combating money laundering, terrorist financing, and other illicit financial activities. The FATF introduced an extension of the Travel Rule for Virtual Asset Service Providers (VASPs) to enhance transparency and regulatory oversight within the cryptocurrency industry.

The Travel Rule mandates that financial institutions, including cryptocurrency exchanges and wallet providers, must share certain customer information when conducting transactions above a certain threshold. The purpose of the Travel Rule is to enhance anti-money laundering (AML) efforts and combat illicit financial activities by ensuring that relevant information about parties involved in transactions is shared between financial institutions. This helps to facilitate the tracing and monitoring of funds and enhances transparency in the financial system.

Key aspects of the Travel Rule in the context of crypto include:

  • Thresholds: The Travel Rule typically applies to cryptocurrency transactions above a certain threshold (e.g., $1,000 or €1,000).
  • Information sharing: When a covered transaction occurs, the originating financial institution (e.g., cryptocurrency exchange) is required to transmit certain information about the transaction, including sender and receiver details, to the receiving financial institution (e.g., another exchange or wallet provider).
  • Compliance obligations: Financial institutions subject to the Travel Rule must implement appropriate systems and procedures to comply with its requirements, including establishing secure channels for information transmission, verifying the identity of counterparties, and maintaining records of transactions and associated information.
  • Security and privacy: VASPs are required to exchange customer data securely in a standardized format to ensure data privacy and protection while complying with the Travel Rule requirements.
  • Regulatory oversight: Regulatory authorities enforce compliance with the Travel Rule and may impose penalties or sanctions on financial institutions that fail to comply with its requirements.
  • Global implementation: The Travel Rule is being adopted by regulatory authorities worldwide. However, implementation approaches and timelines may vary by jurisdiction.

Suggested read: What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)

Become a crypto compliance expert!

Join Sumsub’s free crypto Travel Rule course starting on October 3, 2024. Master compliance with practical insights from industry leaders.

Register now
Become a crypto compliance expert!

What is cryptocurrency fraud?

When it comes to crypto fraud, it can either be an isolated type of crime—such as stealing funds from a crypto wallet—or part of an elaborate scheme aimed at concealing the origins of ill-gotten proceeds.

The crypto industry is a target for a variety of fraudulent schemes. These schemes can be divided into two main categories:

  1. Obtaining a digital wallet. These schemes focus on gathering personal information to access a client’s digital wallet.
  2. Crypto transfers. These schemes focus on tricking a client into sending crypto to a fraudulent account.

Both types of schemes are becoming more advanced by the day, conditioning victims to believe they’re working with trustworthy individuals or companies.

Types of cryptocurrency fraud

The main types of fraud in crypto can be classified as follows:

1. Identity fraud and synthetic identity fraud occur when a fraudster opens an account for illegal activity using fake information, fabricated photos, deepfakes, pre-recorded videos, or masks to spoof identity verification systems.

2. Gaining access to a user’s accounts/funds relies on psychological manipulation and typically occurs on social platforms. Another tactic is creating fake apps, confusing clients about the app’s legitimacy. Scammers trick users into giving away their credentials through social engineering techniques, including phishing, pretexting, falsified human interaction, and other methods.

3. Chargeback fraud in crypto operates similarly to traditional finance. It occurs when scammers attempt to claim a refund using:

  • fake or stolen documents
  • compromised accounts
  • fake identities

As crypto-to-crypto transactions can’t be refunded, chargeback fraud can only occur when fiat is exchanged for crypto via debit/credit card.

4. Money muling occurs when criminals use others to transfer illicit funds. Money mules are typically users with a clean banking history and no criminal record, allowing them to move criminal money without being noticed. Money mules are recruited through online job offers, dating sites, or darknet forums. Recruiters lure individuals by promising easy money or deceiving vulnerable populations, such as the elderly.

5. Ransomware is malicious software that encrypts or blocks data and often demands payment (usually in crypto) to regain access.

6. Pump and dump is a quick act by the perpetrators, it can also happen on financial institutions that inflate artificially some currency through fake news and suddenly sells it before price crashes.

7. Fraudulent ICOs happen when there is a promotion of a new crypto (or token) via an ICO, that promoters disappear after contribution from the investors.

8. Ponzi schemes are an ordinary crime not only in the crypto industry but in general. The newcomers pay to become part of the “investment” and the earlier investors are paid with this money, in other words, there is no real gain, just a handover of money. This scheme ends when there is a lack of new investors.

Anti-fraud program for crypto companies

An effective anti-fraud program is crucial for preventing, detecting, and responding to fraudulent activities in the crypto space. Fraud detection requires a multi-layered approach that includes:

  1. Transaction monitoring: Continuous real-time monitoring of transactions is critical. Advanced algorithms can flag unusual activities such as large, rapid transactions, transfers to high-risk jurisdictions, or patterns that indicate “pump and dump” schemes. This approach helps detect fraud early.
  2. Know Your Customer (KYC) Verification: Fraudsters often use fabricated identities, deepfakes, and fake documents to create accounts. By integrating robust KYC verification tools, companies can verify user identities using biometric checks, document verification, and liveness detection. KYC procedures are not just for compliance but act as a barrier to fraudulent account creation.
  3. Behavioral analytics: By analyzing user behavior and identifying deviations from normal patterns (e.g., location changes, unusual login times, or access from multiple IP addresses), businesses can detect potential fraud early on. This step also helps in identifying money mules or compromised accounts.
  4. Fraud detection software and AI-driven tools: Machine learning algorithms can be trained to detect fraud patterns that would be missed by traditional methods. For example, AI can predict fraudulent activities by recognizing patterns in transaction data that correlate with previous fraud cases.
  5. Crypto mixing detection: Companies need to monitor for suspicious transactions involving crypto mixers and tumblers, which are often used to obscure the origins of illicit funds. Anti-fraud tools can identify transaction patterns involving these privacy techniques, allowing companies to flag or block them.

Suggested read: Crypto Hygiene: Tips and Best Practices for Clean Crypto

Several global and local regulations mandate that companies adopt anti-fraud mechanisms to protect the integrity of the financial system and protect consumers:

  • FATF (Financial Action Task Force) Recommendations: These guidelines urge businesses to adopt a risk-based approach to identify and mitigate fraud. The FATF specifically calls for the continuous monitoring of transactions and customer activity to detect red flags.
  • European Union’s 5th and 6th AML Directives (5AMLD & 6AMLD): These directives not only impose stricter AML requirements but also address the importance of identifying fraud patterns. The directives mandate that businesses strengthen fraud detection efforts in areas like identity theft, money laundering, and tax evasion.
  • MiCA Regulations: The MiCA (Markets in Crypto-Assets) Regulations in the EU emphasize the need for fraud prevention mechanisms, particularly for crypto platforms, exchanges, and wallet providers. These rules ensure that fraud, such as the misuse of privacy wallets and ICO fraud, is mitigated through compliance measures and robust anti-fraud programs.
  • TFR (Regulation (EU) 2023/1113): The EU Transfer of Funds Regulation, as defined in the MiCA Regulations, provides the Travel Rule, mandating the sharing of specific information about the originator and beneficiary during fund transfers. The TFR requires CASPs to collect data about the originator and beneficiary of transfers, verify this information, and share it with counterparties to manage risks in crypto-asset transfers. It also mandates the implementation of Enhanced Due Diligence (EDD) measures for third-country counterparty CASPs, verification of control or ownership of unhosted wallets, and compliance with AML/CFT measures, among other requirements.

To effectively combat fraud and ensure compliance, companies need specialized tools and strategies. This is where Sumsub can play a key role in supporting fraud prevention and compliance. With our suite of KYC, KYB, and transaction monitoring solutions, we can help crypto platforms detect fraudulent activities, verify identities, and meet regulatory requirements. Here’s how:

Conclusion

While AML compliance is critical for crypto businesses, an effective anti-fraud strategy is equally important for protecting against the increasing threat of fraud. Through a robust anti-fraud program—encompassing transaction monitoring, KYC verification, and advanced behavioral analytics—companies can reduce fraud risk, stay compliant, and ensure trust within the crypto ecosystem. 

Leveraging tools like those offered by Sumsub can help businesses stay ahead of both regulatory demands and fraudulent schemes. By being proactive, crypto platforms can build a more secure environment, protecting both themselves and their customers from the diverse and evolving threats in the crypto world.

AMLCryptoFinancial InstitutionsKYCPenaltiesReportingRisk-Based ApproachSumsub Multiverse Future of FinanceTransaction MonitoringTravel Rule

Explore more

Anti-Money Laundering (AML) Policy: Step-by-Step Guide (with Template)
Anti-Money Laundering (AML) Policy: Step-by-Step Guide (with Template)
Alyssa Abrams

Alyssa Abrams

Senior Content Manager

AML/KYC Guide to The UAE—New Laws and Regulations for 2024
AML/KYC Guide to The UAE—New Laws and Regulations for 2024
Oraz Kereibayev

Oraz Kereibayev

Content Manager

AML Investigation and Case Management: Learn How to Effectively Spot and Report Money Laundering
AML Investigation and Case Management: Learn How to Effectively Spot and Report Money Laundering
Alyssa Abrams

Alyssa Abrams

Senior Content Manager