• Jul 03, 2026
  • 17 min read

US Crypto Regulations: Federal and State Rules (2026)

A practical guide to how US crypto regulation works today—federal agencies, state licensing, and the laws now reshaping the landscape.

The US cryptocurrency regulatory landscape has changed quite a bit lately. Since President Donald Trump returned to the White House in 2025, his administration has adopted a pro-crypto stance, pushing for aggressive federal deregulation while also supporting legislation that has the potential to boost American dominance of crypto markets.

Two of the most headline-grabbing moves so far are the introduction of the GENIUS Act (the country’s first major federal crypto legislation) and the establishment of the Strategic Bitcoin Reserve and the United States Digital Asset Stockpile (signaling an intent to treat digital assets as a national strategic priority).

Meanwhile, key regulatory bodies—such as the Department of Justice's National Cryptocurrency Enforcement Team—have been disbanded, and the Securities and Exchange Commission (SEC) appears to be loosening its grip, even dropping major lawsuits against well-known crypto companies such as Gemini and Coinbase.

However, legislators have been pushing back, with the Digital Asset Market Clarity Act (‘the CLARITY Act’) being the most heavyweight current proposal. If it becomes law, the CLARITY Act would create new oversight for digital assets while imposing disclosure and consumer protection requirements.

This uncertain regulatory landscape leaves room for both opportunities and challenges.  A deregulatory approach could spark innovation and growth in the crypto sector. On the flip side, it raises serious concerns about consumer protection, financial stability, and the risk of increased criminal activity due to weakened regulatory oversight. However, if the CLARITY Act or other similar legislation becomes law, this could protect consumers and the financial system, but also create new compliance requirements for crypto businesses.

In this guide, we’ll take a closer look at the federal licensing requirements, review the current state of US crypto regulations, and explore how recent legal changes and the administration's policies are affecting the industry and what it all means for the future.

US federal crypto regulation overview

US crypto regulation continues to evolve through a combination of federal statutes, agency rules, enforcement actions, interpretive guidance, and state licensing regimes. Depending on the business model and the type of digital asset involved, a business may be subject to the Bank Secrecy Act, Financial Crimes Enforcement Network (FinCEN) regulations, securities laws, commodities laws, sanctions regulations, tax rules, and state digital asset or money transmission laws.

Until recently, federal regulation of crypto activity was grounded almost entirely in applying existing financial laws to digital assets, which produced inconsistencies given the distinctive nature of those assets. That foundation still does most of the work today, but it is no longer the whole picture, as Congress has begun enacting crypto-specific legislation, and more is under debate.

Entities engaged in the exchange, transfer, or custody of cryptocurrencies are typically classified as Money Services Businesses (MSBs) and must register with FinCEN. Such entities must implement comprehensive Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) programs, conduct customer identification procedures (KYC), submit Suspicious Activity Reports (SARs), and comply with the Travel Rule, which mandates the transmission of specific information during virtual asset transactions.

Beyond FinCEN, several federal agencies exert authority over different aspects of the sector. The Securities and Exchange Commission (SEC) treats digital assets it considers securities as subject to the securities laws and enforces accordingly. The Commodity Futures Trading Commission (CFTC) classifies certain cryptocurrencies, such as Bitcoin, as commodities and oversees the derivative markets based on them. The Office of Foreign Assets Control (OFAC) requires compliance with US sanctions programs, including screening clients and counterparties against designated lists.

The most significant recent change to this framework is the GENIUS Act, the first major federal statute written specifically for crypto. Signed into law in 2025, it requires payment stablecoins to be issued only by approved issuers, backed one-to-one by cash or short-term US Treasurys, with monthly public disclosure of reserves, protections for holders in the event of issuer insolvency, and full AML and sanctions obligations. The GENIUS Act does not displace the rest of the framework, so it is best understood as an important new component of federal crypto regulation rather than the sole federal law that crypto businesses in the US must follow.

A second measure, the CLARITY Act, is intended to go considerably further by creating a comprehensive regulatory framework for digital assets generally. Its key provisions would allocate jurisdiction between the SEC (for digital assets that are securities) and the CFTC (for digital commodities and their spot markets), establish registration categories for digital commodity exchanges, brokers, and dealers, and add disclosure and consumer protection requirements. As of 2026, it has passed the House and is under Senate consideration, but it is not yet law, and its enactment is not assured.

Taken together, federal policy has historically folded crypto into the existing financial framework, but the GENIUS Act and proposals such as CLARITY mark a clear move toward dedicated, crypto-specific legislation. The sections below examine these federal requirements in more detail. Note that requirements also vary by state, so state-level obligations should be reviewed separately.

US Federal agencies that regulate crypto: A closer look

The US has a variety of federal institutions regulating digital assets. The exact institution in charge will depend on whether the activity is money transmission, or whether the asset is a security or a commodity/derivative. The main ones include:

Several government agencies, while not directly regulating digital assets, contribute through related guidelines and initiatives:

  • Department of Justice (DOJ) now concentrates on major criminal activities involving cryptocurrencies, such as terrorism and drug trafficking, rather than regulatory infractions
  • The President’s Working Group (PWG) on Digital Asset Markets is responsible for developing a federal regulatory framework for digital assets, including stablecoins, and evaluating the creation of a strategic national digital assets stockpile.​ It was established in January 2025 and includes heads of key federal agencies like the SEC and CFTC. The PWG on Digital Asset Markets does not have a dedicated public website. However, information about its activities and related reports can be found through various official channels, including the ​US Department of the Treasury, the White House, and the SEC.

Note: Other Federal authorities can also regulate specific issues related to digital assets. For example, the Office of the Comptroller of the Currency (OCC) issues guidance allowing banks to custody digital assets and use stablecoins for payments under certain conditions, etc.

State-by-state crypto regulation

State law remains one of the most important variables for crypto businesses operating in the United States. A company may be compliant from a federal AML perspective and still require one or more state licenses to operate lawfully in a given jurisdiction.

While some states foster crypto innovation, others have implemented rigorous regulatory frameworks that pose challenges for virtual currency and other digital asset businesses.​

  • New York. The New York State Department of Financial Services (NYDFS) requires crypto businesses to obtain a BitLicense. It mandates comprehensive compliance measures, including Know Your Customer (KYC) protocols, capital requirements, and regular reporting.
  • California. Effective July 1, 2026, California's Digital Financial Assets Law (DFAL) will require crypto companies to get a license from the Department of Financial Protection and Innovation (DFPI). The law imposes strict requirements on digital asset businesses, including stablecoin issuers, and introduces big penalties for non-compliance, such as $100,000 per day for unlicensed activity (e.g., operating a crypto exchange without a DFPI license). ​​
  • Connecticut. Connecticut treats virtual currency similarly to fiat currency under its money transmitter licensing laws. Businesses that engage in virtual currency activities must obtain a money transmitter license and adhere to the same regulatory standards as traditional financial institutions.
  • Colorado. Some crypto exchanges require licensing as money transmitters under the Colorado Money Transmitters Act. However, the Colorado Digital Token Act of 2019 exempts certain crypto-related activity from Colorado's securities registration, broker-dealer, and salesperson licensing requirements.
  • Louisiana. Entities carrying out virtual currency business activities in Louisiana must be licensed, as set out in the 2020 Virtual Currency Business Act (unless certain exemptions apply).
  • Michigan. Individuals and entities providing money transmission services must be licensed under the terms of Michigan’s Money Transmission Services Act of 2006. The state’s Department of Insurance and Financial Services has clarified that “an administrator or exchanger is a money transmitter under federal regulations and should be registered as a money services business”.

Who is affected by US crypto rules?

At the federal level, several US agencies oversee different aspects of cryptocurrency activities. Each agency’s jurisdiction depends on the nature of the business and the classification of the digital assets. Below is a breakdown by regulatory authority, indicating which businesses are affected, under what circumstances, and what type of registration, license, or compliance is required.

1. FinCEN and money service business

FinCEN regulates businesses involved in the transmission of money, including cryptocurrencies, under the Bank Secrecy Act (BSA), including:

  • Centralized crypto exchanges (e.g., platforms facilitating crypto-fiat or crypto-crypto trades)
  • Crypto custodians holding user funds
  • Crypto payment processors
  • Custodial wallet providers

When? When a business accepts and transmits value that substitutes for currency or provides money transmission services.

Required authorization: Registration as a Money Services Business (MSB).

No formal license issued. Instead, registration and adherence to ongoing AML/CFT compliance obligations are mandatory.

2. SEC and security token rules

Regulates businesses dealing with financial instruments classified as securities under US law, including certain digital assets:

  • Platforms trading digital assets deemed securities
  • Issuers of tokens that qualify as securities (e.g., security token offerings, some ICOs)
  • Crypto investment advisors and custodians handling security tokens

When? When digital assets meet the Howey Test criteria and are considered "investment contracts" or otherwise qualify as securities.

Required authorization: 

  • Registration of securities offerings (unless qualifying for an exemption such as Regulation D, Regulation S, or Regulation A+).
  • Alternative Trading System (ATS) license for platforms facilitating secondary trading of securities
  • National Securities Exchange license for larger trading venues
  • Investment Adviser registration for firms managing security tokens on behalf of clients
  • Qualified Custodian status for custodians holding securities.

3. CFTC and crypto derivatives

The CFTC regulates businesses involved with commodities and derivatives related to digital assets under the Commodity Exchange Act (CEA):

  • Platforms offering futures, swaps, or options contracts on cryptocurrencies
  • Entities providing leveraged or margined crypto trading to retail clients

When? 

  • When offering derivatives based on cryptocurrencies (e.g., Bitcoin futures)
  • When retail commodity transactions involve leverage or margin

Required authorization:

  • Registration as a Futures Commission Merchant (FCM) (for platforms facilitating customer futures trading)
  • Registration as a Commodity Pool Operator (CPO) or Commodity Trading Advisor (CTA) if managing pooled crypto investment products
  • Registration as a Swap Dealer if facilitating crypto swaps

Crypto licensing and compliance steps

Navigating the US crypto regulatory landscape remains complex, with a mix of federal rules and diverse state-level laws. Individual states continue to enforce their own distinct requirements, which impact how crypto businesses approach licensing and compliance. This means that what’s true for crypto compliance in one state may not be true in another, which makes it essential for crypto companies to stay informed about the different rules.

Companies should map their activities before deciding what registrations or licenses are needed. The analysis should begin with whether the business is handling customer funds, transmitting value, dealing in fiat on-ramps or off-ramps, issuing stablecoins, offering custody, operating a trading venue, or listing instruments that may be securities or derivatives. 

If the business falls within FinCEN’s MSB framework, it may need to register using FinCEN Form 107 and implement a risk-based AML/CFT program. If securities laws apply, additional SEC, Financial Industry Regulatory Authority (FINRA), or adviser-related obligations may arise. If derivatives laws apply, CFTC and NFA obligations may also follow.

How to register with FinCEN

  1. Determine the Money Service Business (MSB) status. Confirm that your business qualifies as an MSB under the Bank Secrecy Act (BSA). If your business transmits funds (e.g., crypto exchanges, custodial wallets, or payment processors), it is likely considered an MSB.
  2. Register with FinCEN:
    1. Complete and file FinCEN Form 107 through the BSA E-Filing System.
    2. Registration must be completed within 180 days of starting MSB activities.
  3. Develop and implement an AML program:
    1. Include written policies, customer due diligence procedures, and independent review protocols.
    2. Appoint a compliance officer.

How to register with the SEC

  1. For token issuers (securities offerings):
    1. Assess token classification. Apply the Howey Test to determine if your digital asset is a security (e.g., security tokens).
    2. Choose a path. Register with the SEC via Form S-1 (public offering), or use an exemption.
  2. For trading platforms (ATS or exchange):
    1. Apply to register as an ATS:
      1. File Form ATS with the SEC.
      2. Register as a broker-dealer with FINRA (via Form BD).
    2. For a full national securities exchange license. Submit a Form 1 application and follow the SEC rulemaking and approval process.
  3. For investment advisers:
    1. Register via the SEC's Investment Adviser Registration Depository (IARD).
    2. File Form ADV and establish a compliant business structure.
    3. Maintain ongoing disclosure, recordkeeping, and fiduciary duties.
  4. For custodians:
    1. Apply for Qualified Custodian status if holding digital securities.
    2. Must meet certain standards (e.g., bank or trust company, broker-dealer, or futures commission merchant).

How to register with the CFTC

  1. For FCMs (e.g., futures platforms):
    1. Register with the National Futures Association (NFA):
      1. Submit Form 7-R via the NFA's ORS portal.
      2. Designate a compliance officer.
      3. Provide proof of capital and operational readiness.
    2. Undergo background checks.
  2. For CPOs and CTAs:
    1. Register through the NFA, using Form 7-R (filed by both CPO and CTAs) or Form 8-R for each principal and associated person.
    2. Submit a Disclosure Document for approval.
    3. Provide regular financial and investor reports.
  3. For swap dealers:
    1. Determine if swap dealing activity exceeds CFTC thresholds.
    2. Register with the CFTC and NFA.
    3. Establish robust compliance, documentation, and margin procedures.

While federal crypto regulation in the US is complex and evolving, a methodical approach to identifying applicable business activities and following the right registration path will ensure a strong legal foundation. In many cases, registration involves not just filing forms, but also building an internal compliance infrastructure that satisfies ongoing regulatory obligations.

Please note that in each case, you should check your state regulations and requirements. 

Stablecoin regulation in the US

Stablecoins are a type of digital asset backed by specific real-world assets or collections of assets, such as a country’s currency. They are seen as less volatile than unbacked cryptocurrencies (such as Bitcoin), and their usage has surged in recent years, with total supply reaching USD 208 billion in 2025—a 28% increase on the previous year. 

Last year, the US introduced groundbreaking stablecoin regulation in the form of the Guiding and Establishing National Innovation for U.S. Stablecoins Act (GENIUS Act). The GENIUS Act creates a regulatory framework for payment stablecoins, providing regulatory clarity that could boost adoption.

Key provisions of the GENIUS Act include limiting who can issue stablecoins, requiring issuers to back stablecoins with 1:1 cash reserves or short-term Treasurys, and imposing a duty to disclose their reserves each month. Stablecoin holders also benefit from legal protections against issuer insolvency.

Crucially for compliance purposes, stablecoin issuers must meet the same AML (including KYC) and sanctions requirements that apply to financial institutions.

The GENIUS Act will take effect 18 months after its date of enactment (i.e., on January 18, 2027) or 120 days after regulators issue any final regulations implementing the Act (whichever comes first).

DeFi regulation in the US

Decentralized finance (DeFi) refers to financial services such as lending, borrowing, and trading that run on public blockchains through smart contracts, without the banks, brokers, or exchanges that intermediate traditional finance. The sector is large but highly volatile: total value locked (TVL) across DeFi protocols stood at roughly $72 billion in mid-June 2026, down from about $114 billion at the start of the year.

DeFi sits awkwardly within a regulatory system built around intermediaries. US rules generally attach obligations to an identifiable entity that controls customer funds or facilitates transactions, so the core unresolved question is who, if anyone, plays that role in a genuinely decentralized protocol. FinCEN's long-standing position is that the analysis turns on control: a person who accepts and transmits, or otherwise has control over, customer value functions as a money transmitter and is therefore an MSB under the Bank Secrecy Act, with the associated AML/CFT obligations. A person who only publishes software or provides a non-custodial interface generally is not. In practice, the centralized access points to DeFi, such as hosted front-ends and fiat on- and off-ramps, are far more likely to trigger BSA obligations than the underlying protocol.

The most concrete recent federal action specific to DeFi moved in a deregulatory direction. In April 2025, Congress used the Congressional Review Act (CRA) to repeal the IRS "DeFi broker" rule, which would have required front-end DeFi service providers to collect customer information and report transactions on Form 1099-DA. As a result, non-custodial DeFi providers are not subject to those reporting and KYC-collection requirements, while custodial exchanges that move customers between fiat and crypto remain subject to broker reporting under separate, surviving regulations. Because the repeal was enacted through the CRA, Treasury and the IRS cannot issue a substantially similar rule without new legislation.

Pending legislation may change the picture again, but in a targeted way. The CLARITY Act, as it has developed in the Senate during 2026, leans toward regulating the centralized intermediaries that interact with DeFi protocols, for example, by requiring them to implement risk-management standards, while expressly protecting software developers and the right to self-custody. It does not impose the full intermediary regime on truly decentralized protocols themselves. The bill is not yet law, however, and its enactment is not assured, so DeFi-specific federal rules remain limited for now. Importantly, the absence of third-party reporting does not eliminate tax or enforcement exposure: taxpayers remain responsible for reporting their own gains, and the IRS continues to use tools such as John Doe summonses and blockchain analytics to pursue unreported activity.

The future of US crypto regulation

US crypto regulations are significantly changing. The Trump administration is taking a hands-off approach, trying to encourage innovation in the crypto space, though this has sparked some worries about how things will be monitored and enforced. At the same time, Congress is looking into new laws to bring oversight to the world of digital assets, which could increase crypto compliance obligations.

Upcoming federal crypto proposals

Several key federal initiatives and proposals are shaping the future of crypto regulation:

  • Digital Asset Market Clarity Act (‘the CLARITY Act’). Currently still making its way through Congress, the CLARITY Act would create a regulatory framework for cryptocurrency if it becomes law. The Act sets rules for how digital assets are issued, traded, and regulated, while distinguishing between digital asset securities and digital commodities, with the SEC overseeing the first and the CFTC overseeing the second.
  • The SEC’s Draft Strategic Plan for fiscal years 2026-2030. Objectives of this plan include providing “a firm regulatory foundation for digital assets and distributed ledger technologies through a rational, coherent, and principled approach” and ensuring “crypto markets have clear and principled rules of the road, anchored in statute, that promote innovation while maintaining the highest degree of investor protection”.
  • Office of the Comptroller of the Currency (OCC) notice of proposed rulemaking on implementing the GENIUS Act. This notice proposes comprehensive rules for stablecoin issuance, reserves, redemption rights, custody arrangements, and supervisory authority, including a prohibition on issuers paying interest or yield to holders of stablecoins.

Trends shaping crypto compliance in the US

Several emerging trends are influencing the trajectory of crypto compliance:​

  • Stablecoin regulation. With the increasing adoption of stablecoins for payments and remittances, regulators are increasingly focused on ensuring their stability, transparency, and compliance with financial laws.
  • Privacy coins scrutiny. Privacy-focused cryptocurrencies are under more scrutiny due to concerns about their potential use in illicit activities, which prompts discussions on implementing stricter AML/KYC measures.
  • Regulating decentralized finance. The balance between innovation in decentralized platforms and ensuring adequate oversight remains a central debate, which affects policy decisions and regulatory frameworks. 
  • Regulatory sandboxes. There is growing interest in establishing regulatory sandboxes that enable controlled experimentation with new technologies and business models while managing risks.
  • Global regulatory coordination. As digital assets transcend borders, international cooperation among regulators is becoming crucial to address cross-border transactions and enforcement challenges.

Suggested read: Regulatory Sandboxes—a Bridge Between Regulators and Business Innovation

AML and KYC rules for a crypto firm

Anti-money laundering (AML) and countering the financing of terrorism (CFT) requirements, including Know Your Customer (KYC) obligations, remain core elements of the regulatory framework for cryptocurrency businesses operating in the United States. A crypto firm is subject to these obligations when it falls within one of the financial institution categories defined under the Bank Secrecy Act (BSA), which is administered by FinCEN. In practice, most crypto firms qualify as Money Services Businesses (MSBs), though that is not the only way the BSA can apply.

AML/CFT obligations are not limited to firms registered as MSBs. Certain entities that are also regulated by the SEC or CFTC separately fall within the BSA's definition of a financial institution and must maintain AML programs on that basis, for example, broker-dealers in securities (including those operating alternative trading systems that handle security tokens) and futures commission merchants (FCMs).

The source and scope of these duties matter. Only certain enumerated categories of financial institutions within the SEC and CFTC frameworks are subject to BSA AML program requirements. Registration with the SEC or CFTC does not by itself create an AML program obligation, and not all registrants are covered. Where these obligations do apply, they arise under the BSA and FinCEN's implementing regulations and are distinct from the market-regulation requirements imposed under the Securities Exchange Act of 1934 and the Commodity Exchange Act (CEA). For these entities, BSA compliance is typically examined through their functional regulator or self-regulatory organization, but the underlying obligation stems from the BSA, not from securities or commodities law.

Why identity verification matters for crypto firms in the US

Identity verification continues to be a cornerstone of AML/KYC compliance for crypto businesses.

  • Risk mitigation. Robust identity verification helps prevent fraud, money laundering, and terrorist financing by ensuring that users are who they claim to be. ​
  • Onboarding integrity. Effective KYC procedures ensure that only legitimate users access crypto platforms, maintaining the integrity of the user base.
  • Regulatory compliance. Adherence to identity verification protocols is essential to meet legal obligations and avoid penalties.

Suggested read: KYC and AML—Key Differences and Best Practices

US crypto Travel Rule compliance

In the US, Travel Rule compliance for cryptocurrency transactions is grounded in the Bank Secrecy Act (BSA) and enforced by FinCEN. The international standard refers to obligated firms as Virtual Asset Service Providers (VASPs), but the US has no separate VASP category. Instead, the obligation falls on any business that qualifies as a money transmitter, and therefore a Money Services Business (MSB), under the BSA, because it accepts and transmits, or otherwise controls, convertible virtual currency on a customer's behalf. In practice, this covers crypto exchanges, custodians, and custodial wallet providers, but generally not providers of purely non-custodial software that never take control of customer funds.

For any transmission of $3,000 or more, these entities must obtain, retain, and transmit specified originator and beneficiary information, passing it to the next financial institution in the transfer chain, such as the counterparty VASP. FinCEN proposed lowering this threshold to $250 for cross-border crypto transfers back in 2020, but that change has not been finalized, so $3,000 remains the applicable threshold.

VASP data collection rules

Data that VASPs must collect under the Travel Rule includes:

  • The name and address of the originator and beneficiary
  • Name and address or numerical identifier of the originator's financial institution
  • The amount and date of the transaction
  • And other relevant identifiers (like wallet addresses or transaction hashes).

You can read more about Travel Rule compliance requirements in the US in our country-specific guidance.

Non-compliance can lead to enforcement actions or penalties, especially as regulators ramp up scrutiny.

Suggested read: Explore Travel Rule Implementation

Crypto compliance checklist

Depending on the firm’s business model and regulatory perimeter, the following controls are commonly relevant to US crypto compliance:

  1. Customer Due Diligence (CDD). Implement procedures to identify and verify the customers, using a risk-based approach. 
  2. Beneficial ownership identification. Determine and document the natural persons who own or control legal entity customers, as required under FinCEN’s CDD Rule (31 CFR 1010.230). ​
  3. Ongoing monitoring. Continuously monitor customer transactions and update risk profiles; detect unusual or suspicious activity. ​
  4. Reporting obligations. File Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) as mandated by FinCEN and other required filings in a timely and accurate manner. ​
  5. Transaction monitoring. Establish automated systems to monitor and analyze customer transactions in real time, flagging suspicious behavior or patterns that may indicate money laundering or terrorist financing activities.
  6. Development of internal AML/CFT rules and policies. Create and regularly update a comprehensive set of internal policies, procedures, and controls tailored to your company’s risk exposure, ensuring alignment with AML/CFT legal requirements.
  7. Employee training. Conduct ongoing AML/CFT training programs for all relevant staff to ensure they understand regulatory obligations, recognize suspicious activity, and know how to escalate issues appropriately.
  8. Independent audits. Schedule regular independent reviews of your AML/CFT program to evaluate its effectiveness, identify gaps, and implement recommended improvements, ensuring your compliance framework remains robust and up to date.
  9. Sanctions compliance. Companies must screen customers and transactions against lists maintained by the OFAC and block prohibited transactions involving sanctioned individuals or jurisdictions. Depending on where a company operates and with whom it does business (including its offices, clients, subsidiaries, and payment flows), it may also be subject to other sanctions regimes, including those of the UN, the EU, the UK (OFSI), and other national authorities, as well as the extraterritorial reach of certain US secondary sanctions.
  10. Appointment of key officers. Designate a qualified compliance officer (e.g., BSA/AML Officer) responsible for implementing and overseeing the AML/CFT program, maintaining communication with regulators, and ensuring accountability at the management level.
  11. Travel Rule compliance. Ensure that the required information about the originator and beneficiary of digital asset transfers is collected, verified, and transmitted.
  12. Recordkeeping. Detailed transaction and customer records must be maintained for at least five years and made available to regulators upon request.

By adhering to these practices, crypto companies can navigate the regulatory environment effectively and safeguard their operations.​

Suggested read: Customer Due Diligence (CDD): The Process and Its Types

Sanctions screening and OFAC checks

The Office of Foreign Assets Control (OFAC) is the government body that administers and enforces economic sanctions against countries, regions, entities, and individuals for the US. OFAC has previously confirmed that sanctions compliance obligations apply to virtual currency transactions in exactly the same way as they do to traditional fiat currency. All individuals and entities in the US must meet these obligations, which include checking OFAC sanctions lists and blocking any transactions involving sanctioned countries, regions, entities, and individuals.

OFAC can impose civil penalties for sanctions violations. For example, in September 2025, digital asset exchange ShapeShift AG agreed to pay a $750,000 settlement to resolve its potential civil liability for transactions apparently in breach of multiple sanctions programs.

Compliance solutions for crypto firms

As regulatory scrutiny intensifies at both the federal and state levels, businesses that exchange, transfer, or custody virtual assets face growing pressure to detect suspicious activity and prevent financial crime. Two areas matter most: transaction monitoring and compliance with the Travel Rule requirements. Both are central to meeting anti-money laundering (AML) obligations and protecting the integrity of your operations.

Sumsub's Crypto Monitoring solution screens cryptocurrency transactions and the counterparty wallets behind them, so you can assess risk and automatically act on suspicious activity, whether a transfer is still pending or already confirmed on-chain.

You can also screen individual wallets directly, for example, at onboarding or as part of ongoing client due diligence. The solution combines blockchain analytics, entity attribution, and sanctions data from leading providers, and surfaces the results through ready-made rule bundles, the Dashboard, and the API.

Crypto Monitoring suits any business that handles virtual assets, including VASPs, exchanges, custodians, fintechs, banks, payment processors, OTC desks, and crypto-native platforms. It helps you protect users from exposure to illicit funds, meet AML, sanctions, and Travel Rule obligations, and reduce manual compliance workload.

Sumsub's Travel Rule solution is a complete compliance platform for virtual asset transfers, both within the US and internationally. It enables the secure, real-time exchange of the originator and beneficiary information regulators require, and the Travel Rule SDK brings that compliance directly into deposit and withdrawal workflows. Flexible integration options, including API, SDK, and integrated protocols, let it fit any tech stack.

The harder problem in Travel Rule compliance is not domestic versus international reach; it is protocol fragmentation. Different VASPs adopt different Travel Rule protocols, and those protocols do not natively communicate, so whether you can exchange the required data with a given counterparty depends on cross-protocol interoperability. Sumsub addresses this by supporting multiple protocols, including its own and four of the leading global systems, so you can transmit originator and beneficiary information to a counterparty VASP regardless of which protocol it uses or where it operates. That coverage closes the interoperability gaps that would otherwise block outbound transfers, letting you scale across borders without compromising compliance.

Crypto Industry Report 2026

Crypto is entering its regulated maturity era. Learn about the state of the crypto industry in the 2026 report Sumsub’s experts have made for you.

Get the report
Crypto Industry Report 2026

FAQ: US crypto regulations

  • Is crypto legal in the US?

    Yes, cryptocurrency is legal in the US, but the activities involving crypto are subject to both federal and state regulations that vary by activity, asset type, and jurisdiction.

  • Who regulates cryptocurrency in the US?

    Multiple agencies share oversight, including the SEC, CFTC, FinCEN, IRS, and relevant state regulators. Each focuses on different aspects, such as securities, commodities, AML compliance, and taxation.

  • Do crypto exchanges need a license in the US?

    Often yes, but it depends on the services offered and where the business operates, and the requirements sit at two levels. At the federal level, a crypto exchange that transmits virtual assets is typically a Money Services Business and must register with FinCEN, which is a registration requirement rather than a license. At the state level, the business generally also needs money transmitter licenses in each state where it operates, obtained state by state. Depending on the activity, further requirements may apply, such as SEC registration or oversight for dealing in securities, CFTC-regulated approvals for derivatives, state or federal requirements for custody, and obligations under the GENIUS Act for stablecoin issuance.

  • How do state crypto laws differ?

    States vary widely—some, like Wyoming, are crypto-friendly states with tailored frameworks, while others, like New York, impose strict licensing through regulations like the BitLicense or money transmission requirements for covered digital asset activity.

  • What are the AML rules?

    As part of their AML compliance obligations, crypto businesses must implement customer due diligence, transaction monitoring, and reporting systems in line with FinCEN and BSA guidelines. Know Your Customer rules require robust customer identity verification and risk assessment as part of an overall AML framework.

  • Is a license required to operate a cryptocurrency business?

    It depends on the activity and the level of regulation involved. At the federal level, a business that transmits virtual assets is generally a Money Services Business and must register with FinCEN, which is a registration requirement rather than a license. At the state level, a license, typically a money transmitter license, is often required for activities such as handling fiat transactions, custodial services, stablecoin issuance, or money transmission, and this varies from state to state. A state license may not be required if the business only facilitates crypto-to-crypto trades or personal transactions and the relevant state does not mandate one. Because obligations differ across both levels, review federal and state requirements together before concluding that no license or registration applies.