The FCA's Position on Crypto AML in 2026

The FCA has been unambiguous about its expectations for AML/KYC in digital asset businesses. Its supervisory assessments have consistently found the same gaps: business-wide risk assessments that are generic rather than specific to the firm's actual business model; transaction monitoring that relies on default vendor rules without calibration; and MLRO functions that exist on paper but lack genuine authority and resource.

The FCA's repeated findings in supervisory reviews and section 166 skilled person reports are not random; they reflect a structural problem. Many digital asset businesses built their AML frameworks rapidly, often from templates, and have not revisited them as the business evolved. The result is a compliance infrastructure that describes what the firm intends to do rather than what it actually does, and that satisfies the letter of the requirements rather than their substance.

What the FCA is looking for

The FCA does not assess AML compliance by reading your policy documents. It assesses whether the controls described in those documents are actually implemented, calibrated to your specific risk profile, and operated by people with the authority and resource to make them work. A forty-page AML policy that does not reflect the firm's actual customer base, transaction volumes, or product risk will not pass scrutiny, and increasingly, the FCA can tell.

The Business-Wide Risk Assessment, The Foundation Everything Else Depends On

The business-wide risk assessment (BWRA) is mandatory under MLRs 2017 Regulation 18, which requires it to be documented, kept up to date and made available to the FCA on request. In practice that means a full review at least annually and an update whenever there is a material change to the business model, product range, customer base or geographic exposure. It is also the document that drives the calibration of every other AML control: CDD thresholds, transaction monitoring rules, enhanced due diligence triggers and training content should all be derived from it.

For digital asset businesses, the BWRA must address the specific risk vectors that are material to crypto operations, not just the standard headings from a bank's risk assessment template. These include: on-chain transaction risk (mixer usage, chain-hopping, darknet marketplace exposure); off-ramp and on-ramp risk (fiat entry and exit points as high-risk transaction types); custody risk (customer assets held in hot wallets versus cold storage); and geographic risk that accounts for the borderless nature of crypto transactions, not just the domicile of the customer.

Common failures in BWRA design

  • Generic risk rating without business-specific evidence: rating customer risk as "medium" without documenting why, what evidence supports that rating, and how it maps to the firm's actual customer profile
  • Product risk that does not reflect the product: a staking product that allows third-party delegation has different risk characteristics from a simple custody product; the two cannot be rated identically
  • Geographic risk that ignores on-chain geography: customers in low-risk jurisdictions can transact on-chain with counterparties in high-risk jurisdictions, and the BWRA must address this
  • An annual review that is not actually a review: updating the date on an unchanged document is not a review, and the fiction will be identified in supervisory review

CDD, EDD and KYC, The Proportionality Trap

Customer due diligence under MLRs 2017 Regulations 27–38 operates on a risk-based model: standard CDD for most customers, simplified CDD (SDD) where the risk is demonstrably lower, and enhanced due diligence (EDD) for higher-risk customers, relationships, and transactions. The calibration of these thresholds against the firm's actual risk profile is where most digital asset businesses fall short.

What the FCA expects to find in a KYC process

  • CDD procedures specific to the customer types the firm actually onboards: the procedure for onboarding a retail customer, an institutional VASP counterparty and a DAO treasury account are not the same and should not read as if they are
  • Beneficial ownership verification that goes beyond Companies House checks: for corporate customers with layered ownership structures, identification of each beneficial owner at the 25% threshold must be documented with supporting evidence, not assumed from the PSC register
  • EDD triggers that are genuinely risk-based: not just PEPs, high-risk third countries and transactions above a threshold, but triggers that reflect the specific elevated-risk scenarios in the firm's business model
  • Ongoing monitoring that is real: re-verification of customer information at meaningful intervals, triggered by specific events as well as by elapsed time, and documented in the customer file

The PEP proportionality point

The Economic Crime and Corporate Transparency Act 2023 required the MLRs to be amended so that a UK domestic PEP (and their family members and known close associates) is treated as inherently lower risk than a non-domestic PEP; the amendment to Regulation 35 has been in force since January 2024. Enhanced due diligence still applies to every PEP, but its extent must be proportionate to the assessed risk of the individual. A firm that applies the same blanket level of enhanced measures to every PEP without an individual assessment is out of step with the amended regulations and with the FCA's updated PEP guidance (FG17/6), and the FCA now treats that as a deficiency rather than as excess caution.

The MLRO Function, What the FCA Actually Expects

Every regulated digital asset business must have a named individual responsible for money laundering reporting. For FCA-authorised firms this is the Money Laundering Reporting Officer, an SMF17 function under the Senior Managers and Certification Regime: the individual must be approved by the FCA, carries personal regulatory accountability for the discharge of that function, and must have appropriate seniority, authority and resource to do so. For cryptoasset businesses that are registered with the FCA under the MLRs rather than authorised under FSMA, the equivalent obligation is the nominated officer under Regulation 21, and the FCA applies the same expectations of seniority, independence and resource to that role.

The FCA has repeatedly found, in both supervisory reviews and enforcement actions, that MLRO functions in smaller regulated firms are token appointments. An individual who is simultaneously the MLRO, the Compliance Officer and a revenue-generating employee of the business does not have the independence the role requires. An MLRO who does not have direct access to the board, who cannot escalate concerns without going through the business, and who has no budget to act on identified gaps is not genuinely fulfilling the function.

What the MLRO must be able to demonstrate

  • Direct access to the board and senior management without routing through commercial management
  • Authority to refuse to process a transaction or to terminate a customer relationship without requiring approval from a revenue line
  • An annual MLRO report submitted to and reviewed by the board, covering SAR volumes, identified trends, training completion and control gaps
  • A documented SAR review and decision process: every case considered should have a file note explaining the decision, whether or not a report was made to the NCA
  • CPD and ongoing development relevant to financial crime in digital assets: the FCA expects the MLRO to be current on the specific typologies affecting the firm's business model

Transaction Monitoring, Calibration Is Everything

Transaction monitoring systems are a mandatory AML control for regulated digital asset businesses. The FCA does not require a specific type of system, rules-based, machine learning, or hybrid are all acceptable, but it does require that whatever system is used is calibrated to the firm's specific risk profile, and that the calibration is documented and reviewed regularly.

The most common failure the FCA finds in transaction monitoring is the use of default vendor rules without customisation. A system installed with the vendor's out-of-the-box rules and never tuned to the firm's actual customer base, transaction patterns, and product risk generates alerts that are not meaningful for that firm. High false-positive rates that are not addressed suggest the monitoring is not genuinely operational. Low alert volumes that do not reflect the firm's risk profile suggest the rules are not set correctly. Both are red flags in supervisory review.

What calibration actually means

  • Rule thresholds set against the firm's actual customer transaction patterns: a threshold calibrated for a retail FX business is not appropriate for a crypto exchange processing institutional volumes
  • Alert volumes that are manageable and actually reviewed: an alert backlog that is not cleared is worse than a poorly calibrated system, because it shows the compliance resource is insufficient for the transaction volume
  • A documented methodology for tuning: why specific thresholds were set, what data they were set against, and when they were last reviewed
  • A documented escalation process: what happens when an alert is raised, who reviews it, what the decision options are, and how decisions are recorded
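
The calibration point in the list above is easier to see in code. The following is an added example written for this page, not vendor code and not the page's own material: it derives per-segment amount thresholds from a constructed twelve-month history using a nearest-rank percentile, keeps the methodology record a reviewer will ask for beside each threshold, and runs a constructed live batch through both a vendor-default fixed threshold and the calibrated one. The segments, the amounts, the 95th-percentile choice and the six-month review cycle are all assumptions; a real programme layers typology-specific rules (structuring, velocity, round-tripping) on top of an amount rule like this one.

```python
"""Calibrating a transaction monitoring amount rule to the firm's own data.

Added example, not from the page or any monitoring vendor. It contrasts a
fixed vendor-default threshold with per-segment thresholds derived from
the firm's own transaction history, and records the methodology (data
window, percentile, sample size, review date) that should sit behind
every threshold. All transactions, segments and thresholds are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    txn_id: str
    customer: str
    segment: str        # "retail" or "institutional": assumed segmentation
    amount_gbp: int


@dataclass(frozen=True)
class ThresholdRecord:
    """The tuning evidence a reviewer will ask for, kept beside the number."""
    segment: str
    threshold: int
    percentile: int
    sample_size: int
    data_window: str
    set_on: date
    review_due: date


# Constructed twelve-month history. Retail customers move hundreds to a few
# thousand pounds; institutional customers routinely move six figures.
_RETAIL = [120, 250, 300, 450, 500, 600, 800, 950, 1_200, 1_500,
           2_000, 2_500, 3_000, 4_000, 6_000, 9_000, 15_000, 25_000, 40_000, 80_000]
_INSTITUTIONAL = [50_000, 75_000, 100_000, 120_000, 150_000, 200_000, 250_000,
                  300_000, 400_000, 500_000, 600_000, 750_000, 900_000, 1_000_000,
                  1_200_000, 1_500_000, 2_000_000, 2_500_000, 3_000_000, 5_000_000]
HISTORY = [Txn(f"r{i}", f"R{i % 5}", "retail", a) for i, a in enumerate(_RETAIL)]
HISTORY += [Txn(f"i{i}", f"I{i % 3}", "institutional", a) for i, a in enumerate(_INSTITUTIONAL)]

# Constructed live batch that both versions of the rule are run over.
LIVE = [
    Txn("t1", "R1", "retail", 900),
    Txn("t2", "R2", "retail", 12_000),            # trips a vendor default, normal here
    Txn("t3", "R3", "retail", 55_000),            # genuinely outside retail norms
    Txn("t4", "I1", "institutional", 250_000),    # routine institutional volume
    Txn("t5", "I2", "institutional", 4_000_000),  # outside institutional norms
]


def nearest_rank_percentile(values: list[int], p: int) -> int:
    """Nearest-rank percentile: smallest value with at least p% of the sample at or below it."""
    ordered = sorted(values)
    rank = -(-p * len(ordered) // 100)   # ceil(p * n / 100) without floating point
    return ordered[max(rank, 1) - 1]


def calibrate(history: list[Txn], percentile: int = 95,
              data_window: str = "2025-01..2025-12",
              set_on: date = date(2026, 1, 15)) -> dict[str, ThresholdRecord]:
    """Derive one amount threshold per customer segment from that segment's own history."""
    by_segment: dict[str, list[int]] = defaultdict(list)
    for t in history:
        by_segment[t.segment].append(t.amount_gbp)
    return {
        seg: ThresholdRecord(seg, nearest_rank_percentile(amts, percentile), percentile,
                             len(amts), data_window, set_on, set_on + timedelta(days=182))
        for seg, amts in by_segment.items()
    }


def default_rule(txns: list[Txn], threshold: int = 10_000) -> list[str]:
    """The out-of-the-box rule: one fixed amount for every customer."""
    return [t.txn_id for t in txns if t.amount_gbp > threshold]


def calibrated_rule(txns: list[Txn], records: dict[str, ThresholdRecord]) -> list[str]:
    """The same rule with the threshold looked up per segment; unknown segments alert by design."""
    return [t.txn_id for t in txns
            if t.segment not in records or t.amount_gbp > records[t.segment].threshold]


if __name__ == "__main__":
    records = calibrate(HISTORY)
    for rec in records.values():
        print(rec)
    print("vendor default alerts:", default_rule(LIVE))
    print("calibrated alerts:   ", calibrated_rule(LIVE, records))
```

Run as a script it prints the threshold records and the two alert lists: the fixed £10,000 rule alerts on every institutional transfer and on a £12,000 retail transfer that is within that segment's normal range, while the calibrated rule alerts only on the two transfers that are genuinely outside their segment's history. A percentile threshold inherits any bias in the history it is drawn from: if that history already contains unreviewed suspicious activity the threshold will be set too high, which is why the data window and its provenance belong in the record and why the review date is not optional.
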

On-Chain Analytics, Now a Baseline Expectation

For digital asset businesses processing on-chain transactions, on-chain analytics tools are no longer optional. The FCA treats them as a baseline expectation, not an enhancement. Without on-chain analytics, a firm cannot demonstrate adequate transaction monitoring of crypto-asset activity, which is a fundamental AML obligation.

Tools such as Chainalysis, Elliptic, TRM Labs, and Crystal are the most widely used. The choice of tool matters less than how it is used. An on-chain analytics tool that is run on customer wallet addresses at onboarding but not on an ongoing basis during the relationship provides limited protection. The risk associated with a wallet address can change over time as the blockchain history of that address evolves.

What an effective on-chain analytics programme looks like

  • Screening at onboarding: every customer wallet address screened against risk indicators before the relationship commences
  • Ongoing monitoring: periodic re-screening of known customer addresses, plus event-triggered screening when unusual transaction patterns are identified
  • Counterparty screening: for exchanges and custodians, screening of counterparty addresses on inbound and outbound transactions above defined thresholds
  • Risk indicator policy: a documented policy on which risk indicators trigger which level of response (enhanced review, EDD, potential SAR, transaction refusal)
  • Staff training on blockchain analysis: the compliance team must be able to interpret analytics outputs, not just run the tool
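
The ongoing-monitoring and risk-indicator-policy points above can be illustrated with a small model of what an analytics tool computes. This is an added example written for this page, not output from Chainalysis, Elliptic, TRM Labs or Crystal, and the ledger, address labels and policy thresholds are all constructed. It traces a customer address's inbound value back through intermediaries up to a hop limit, attributes value proportionally to labelled source categories, distinguishes direct (one-hop) from total exposure, and maps the result to a response. The same address is scored at onboarding and again after a later inbound transfer from a mixer, which is the re-screening point.

```python
"""Proportional exposure tracing over a transfer graph, with a response policy.

Added example, not from the page and not the output of any commercial
analytics tool. It approximates what such tools report: the share of an
address's inbound funds attributable to labelled categories, directly
(one hop) and indirectly (through intermediaries), and maps that exposure
to a documented response. Ledger, labels and thresholds are all constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    receiver: str
    amount: int  # smallest unit of the asset; constructed values


# Constructed attribution labels, standing in for a vendor's address intelligence.
LABELS = {
    "0xcex": "exchange",
    "0xmixer": "mixer",
    "0xsanc": "sanctioned",
    "0xdnm": "darknet_market",
}

# Constructed ledger at onboarding: 0xcust is funded mostly by an exchange and
# partly by 0xpeer, which in turn was funded half by a mixer.
LEDGER_T0 = [
    Transfer("t1", "0xcex", "0xcust", 1000),
    Transfer("t2", "0xmixer", "0xpeer", 100),
    Transfer("t3", "0xcex", "0xpeer", 100),
    Transfer("t4", "0xpeer", "0xcust", 200),
    Transfer("t5", "0xsanc", "0xcust2", 10),
    Transfer("t6", "0xcex", "0xcust2", 990),
]
# Constructed later activity that changes 0xcust's risk after onboarding.
NEW_ACTIVITY = [Transfer("t7", "0xmixer", "0xcust", 300)]

Mix = dict[str, Fraction]


def source_mix(addr: str, ledger: list[Transfer], labels: dict[str, str], hops: int) -> Mix:
    """Share of addr's inbound value by source category, traced back up to `hops` transfers.

    Value is attributed proportionally: each inbound transfer carries its sender's
    own mix, weighted by its share of the receiver's total inbound value.
    Labelled addresses terminate the trace; unlabelled leaves count as 'unknown'.
    """
    if addr in labels:
        return {labels[addr]: Fraction(1)}
    inbound = [t for t in ledger if t.receiver == addr]
    if hops == 0 or not inbound:
        return {"unknown": Fraction(1)}
    total = sum(t.amount for t in inbound)
    mix: Mix = defaultdict(Fraction)
    for t in inbound:
        weight = Fraction(t.amount, total)
        for category, share in source_mix(t.sender, ledger, labels, hops - 1).items():
            mix[category] += weight * share
    return dict(mix)


def exposure(addr: str, ledger: list[Transfer], labels: dict[str, str],
             max_hops: int = 3) -> dict[str, Mix]:
    """Direct exposure (labelled senders one hop away) and total exposure (all hops)."""
    inbound = [t for t in ledger if t.receiver == addr]
    total = sum(t.amount for t in inbound)
    direct: Mix = defaultdict(Fraction)
    for t in inbound:
        if t.sender in labels:
            direct[labels[t.sender]] += Fraction(t.amount, total)
    return {"direct": dict(direct), "total": source_mix(addr, ledger, labels, max_hops)}


def response(exp: dict[str, Mix]) -> str:
    """Constructed risk indicator policy: which exposure triggers which response."""
    direct, total = exp["direct"], exp["total"]
    if total.get("sanctioned", 0) > 0:
        return "refuse_and_escalate"            # any sanctioned exposure: no tolerance
    if direct.get("mixer", 0) >= Fraction(1, 10) or total.get("mixer", 0) >= Fraction(1, 4):
        return "edd_and_sar_consideration"      # material mixer exposure
    if total.get("mixer", 0) > 0 or total.get("darknet_market", 0) > 0:
        return "enhanced_review"                # low, indirect exposure: an analyst looks
    return "clear"


if __name__ == "__main__":
    at_onboarding = exposure("0xcust", LEDGER_T0, LABELS)
    rescreened = exposure("0xcust", LEDGER_T0 + NEW_ACTIVITY, LABELS)
    print("onboarding:", at_onboarding, response(at_onboarding))
    print("re-screen: ", rescreened, response(rescreened))
```

At onboarding 0xcust shows no direct mixer exposure and one twelfth indirect exposure through 0xpeer, which the constructed policy routes to enhanced review; after the later transfer its direct mixer exposure is one fifth and the same policy escalates to EDD and SAR consideration. A real tool will differ in attribution method (FIFO, LIFO or proportional), hop depth and label coverage, and the policy thresholds should come from the BWRA, not from this example.
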

The mixer exposure question

Transactions with exposure to mixing services (Tornado Cash, Wasabi and similar) remain a significant risk indicator, and the sanctions position should be stated accurately. OFAC designated Tornado Cash in August 2022; after the US Fifth Circuit held in Van Loon v. Department of the Treasury that its immutable smart contracts were not sanctionable property, OFAC removed the designation in March 2025. Delisting does not make mixer exposure low-risk: mixers are used to launder the proceeds of thefts and ransomware, including by DPRK-linked actors who are subject to sanctions in both the UK and the US. A UK-regulated firm that processes transactions with significant mixer exposure without a documented risk assessment and escalation decision cannot show that its monitoring is risk-based and is exposed to both regulatory and sanctions risk.

Travel Rule Compliance, More Than Two Years In, the FCA Is Now Checking

The UK Cryptoasset Travel Rule came into force on 1 September 2023 under amendments to MLRs 2017. The FCA has been monitoring industry implementation since then and has begun active compliance review. The gaps we are seeing across supervised firms in 2026 are consistent and largely avoidable.

What the UK Travel Rule requires

  • Information must travel with every inter-CASP transfer regardless of value: at a minimum the originator's and beneficiary's names and account identifiers (wallet addresses or unique transaction identifiers)
  • For transfers of €1,000 or more (the regulations set the threshold in euros, not pounds), the originator's address and an official identifier (document number, customer identification number, or date and place of birth) must also be transmitted; the receiving firm must have effective procedures to detect missing or incomplete information and decide, on a risk basis, whether to hold, reject or request the missing data
  • Counterparty assessment: before transmitting Travel Rule information, the sending firm must satisfy itself, on a risk-sensitive basis, that the counterparty VASP is subject to AML/CTF obligations and is able to protect the personal data it will receive
  • Unhosted wallet due diligence: where a transfer involves a self-hosted wallet, the firm must collect the originator and beneficiary information from its own customer and, for transfers of €1,000 or more, must on a risk-sensitive basis take reasonable steps to verify that the wallet is controlled by the customer, which in practice means documenting the relationship between the customer and the wallet

The most common Travel Rule gaps

  • Counterparty VASP verification based on the counterparty's registration in a favourable jurisdiction rather than an assessment of its actual AML standards
  • Vague sunrise-issue policies: firms must have a documented policy for handling transfers to or from jurisdictions where the Travel Rule is not yet implemented, including a risk-based decision on whether to process or hold
  • No process for handling incomplete or missing data: what happens when a transfer arrives without the required originator information, and who is authorised to make the processing decision
  • Travel Rule obligations not reflected in customer onboarding: customers should be told at onboarding that Travel Rule information will be collected and transmitted, and that transfers cannot proceed without it

Fraud Typologies, The AML Gap Most Digital Asset Businesses Have

AML/KYC programmes for digital asset businesses frequently cover money laundering risk in detail and address fraud risk only superficially or not at all. This is a material gap. Fraud and money laundering are related but distinct, a firm can have a strong AML programme and still be a conduit for fraud proceeds because the fraud controls are inadequate.

The fraud typologies most relevant to digital asset businesses include: authorised push payment (APP) fraud, where victims are manipulated into sending crypto to fraudster-controlled addresses; account takeover, where legitimate customer accounts are compromised and used to extract assets; mule activity, where customer accounts are used to receive and forward fraud proceeds; and romance scams and investment fraud, where victims are led to deposit funds they believe are going to legitimate platforms.

What fraud controls a digital asset business needs

  • A fraud risk assessment specific to the firm's products and customer base, not a general fraud policy borrowed from a bank's template
  • Transaction monitoring rules calibrated for fraud patterns, not just AML patterns; the two are different
  • Account takeover detection: behavioural analytics or heuristic rules that identify unusual login patterns, withdrawal requests to new addresses, and large or rapid outflows
  • Customer communication about fraud: active warnings to customers about scam risks, particularly for retail customers in high-value products
  • A victim restitution process: a clear policy on what happens when a customer reports having been a fraud victim, including the decision process for freezing assets and engaging with law enforcement
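
The account takeover bullet above describes a detection, so here is one, as an added example written for this page rather than anything from the original: heuristic rules over a constructed customer event log. A per-customer baseline of known devices, known withdrawal addresses and the largest prior withdrawal is built from historical events, and each live withdrawal is scored for a recent login from an unknown device, a first-seen payout address, an amount far above the customer's norm, and rapid repeated outflows. The event shape, the window sizes, the 3x amount multiple and the hold action are all assumptions.

```python
"""Heuristic account-takeover signals over a constructed customer event log.

Added example, not from the page. It builds a per-customer baseline from
historical events, then scores each live withdrawal on the signals the
text names. Events, thresholds and the hold action are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    customer: str
    kind: str                      # "login" or "withdrawal"
    device: str | None = None      # login: device fingerprint
    address: str | None = None     # withdrawal: destination address
    amount: float = 0.0            # withdrawal: amount in the firm's unit


@dataclass
class Baseline:
    devices: set[str] = field(default_factory=set)
    addresses: set[str] = field(default_factory=set)
    max_withdrawal: float = 0.0


@dataclass(frozen=True)
class Alert:
    customer: str
    ts: datetime
    signals: tuple[str, ...]
    action: str


T = datetime(2026, 3, 2, 9, 0)
# Constructed history of previously cleared activity.
HISTORY = [
    Event(T - timedelta(days=30), "alice", "login", device="dev-a1"),
    Event(T - timedelta(days=30), "alice", "withdrawal", address="bc1q-alice-cold", amount=500),
    Event(T - timedelta(days=10), "alice", "login", device="dev-a1"),
    Event(T - timedelta(days=10), "alice", "withdrawal", address="bc1q-alice-cold", amount=650),
    Event(T - timedelta(days=7), "bob", "login", device="dev-b1"),
    Event(T - timedelta(days=7), "bob", "withdrawal", address="bc1q-bob", amount=2_000),
]
# Constructed live events: an unknown device drains Alice; Bob behaves normally.
LIVE = [
    Event(T, "alice", "login", device="dev-x9"),
    Event(T + timedelta(minutes=6), "alice", "withdrawal", address="bc1q-unknown", amount=4_900),
    Event(T + timedelta(minutes=9), "alice", "withdrawal", address="bc1q-unknown", amount=200),
    Event(T + timedelta(minutes=11), "alice", "withdrawal", address="bc1q-unknown", amount=200),
    Event(T + timedelta(minutes=20), "bob", "login", device="dev-b1"),
    Event(T + timedelta(minutes=25), "bob", "withdrawal", address="bc1q-bob", amount=1_800),
    Event(T + timedelta(hours=5), "bob", "withdrawal", address="bc1q-bob-new", amount=300),
]


def build_baselines(history: list[Event]) -> dict[str, Baseline]:
    """What 'normal' looks like per customer, from events already cleared."""
    baselines: dict[str, Baseline] = {}
    for e in history:
        b = baselines.setdefault(e.customer, Baseline())
        if e.kind == "login" and e.device:
            b.devices.add(e.device)
        elif e.kind == "withdrawal" and e.address:
            b.addresses.add(e.address)
            b.max_withdrawal = max(b.max_withdrawal, e.amount)
    return baselines


def detect(live: list[Event], baselines: dict[str, Baseline],
           login_window: timedelta = timedelta(minutes=30),
           outflow_window: timedelta = timedelta(hours=1),
           amount_multiple: float = 3.0, outflow_count: int = 3) -> list[Alert]:
    """Score each withdrawal; hold it for step-up verification when the pattern looks like ATO."""
    alerts: list[Alert] = []
    last_new_device_login: dict[str, datetime] = {}
    recent_withdrawals: dict[str, list[datetime]] = {}
    for e in sorted(live, key=lambda x: x.ts):
        b = baselines.setdefault(e.customer, Baseline())
        if e.kind == "login":
            if e.device not in b.devices:          # unverified device: remember, do not trust
                last_new_device_login[e.customer] = e.ts
            continue
        if e.kind != "withdrawal":
            continue
        signals = []
        seen = last_new_device_login.get(e.customer)
        if seen is not None and e.ts - seen <= login_window:
            signals.append("new_device_login")
        if e.address not in b.addresses:
            signals.append("new_address")
        if b.max_withdrawal and e.amount > amount_multiple * b.max_withdrawal:
            signals.append("large_amount")
        window = [t for t in recent_withdrawals.get(e.customer, []) if e.ts - t <= outflow_window]
        window.append(e.ts)
        recent_withdrawals[e.customer] = window
        if len(window) >= outflow_count:
            signals.append("rapid_outflow")
        # New device plus new payout address is the classic takeover shape and is
        # held on its own; otherwise any two signals together are enough.
        if {"new_device_login", "new_address"} <= set(signals) or len(signals) >= 2:
            alerts.append(Alert(e.customer, e.ts, tuple(signals), "hold_and_step_up"))
        else:
            # Only cleared withdrawals extend the baseline; held ones never do.
            b.addresses.add(e.address)
            b.max_withdrawal = max(b.max_withdrawal, e.amount)
    return alerts


if __name__ == "__main__":
    for alert in detect(LIVE, build_baselines(HISTORY)):
        print(alert)
```

In the constructed log Alice's three withdrawals after an unknown-device login are all held for step-up verification, with the third also tripping the rapid-outflow signal; Bob's routine withdrawal clears, and his later withdrawal to a new address raises one signal but not enough to hold it, so the address joins his baseline. The rule that a held withdrawal does not extend the baseline is deliberate: otherwise a fraudster's first attempt would allow-list the destination for the second.
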

SAR Reporting, The Process That Has to Work Under Pressure

The SAR submission process must work in practice, not just in the policy document. The most important test of any SAR process is whether it functions when the MLRO is unavailable, when the case is complex and uncertain, and when commercial pressure to complete a transaction is high.

Under sections 327 to 329 of POCA 2002, dealing with property that a person knows or suspects to be criminal property is a money laundering offence unless an authorised disclosure under section 338 has been made. Where the disclosure is made before the act, the firm must also obtain appropriate consent, which is what a Defence Against Money Laundering (DAML) request to the NCA seeks and which is deemed given if the NCA does not refuse within seven working days; a disclosure made during or after the act is a defence only in the narrower circumstances the section sets out. Separately, section 330 makes failure to disclose knowledge or suspicion an offence for the regulated sector, and the tipping-off prohibition in section 333A means the customer must not be told that a SAR has been made or is being considered.

The decision log requirement

Every transaction that is reviewed for SAR consideration, whether or not a report is ultimately made, should have a documented decision. If the MLRO reviews a suspicious alert and decides not to submit a SAR, that decision should be recorded: what was considered, why the suspicion did not meet the threshold, and who made the decision. The absence of decision logs is consistently cited by the FCA as a weakness in supervisory reviews.

AML Training, Role-Specific, Not Annual E-Learning

MLRs 2017 Regulation 24 requires regulated firms to provide appropriate training to their employees in AML/KYC. The FCA treats generic annual e-learning modules as inadequate for all but the most peripheral employees. For operational and compliance staff in a digital asset business, training must be role-specific, current, and reflective of the firm's actual risk profile and the typologies it faces.

This means different training content for: the MLRO and compliance team (deep AML/KYC content, blockchain analysis, typology awareness); operations and customer-facing staff (red flags in customer onboarding, escalation procedures, fraud indicators); and the board (regulatory accountability, SMCR obligations, MLRO report interpretation). Completion records must be maintained, and the training content must be updated when the regulatory environment or the firm's risk profile changes materially.

How Arca Compliance Can Help

Arca Compliance advises digital asset and fintech businesses on AML/KYC programme design, gap analysis, MLRO advisory and independent audit. We build programmes that are specific to the firm's business model and risk profile, not adapted from templates, and that are designed to satisfy FCA supervisory review, not just tick a policy box.

We also provide on-call MLRO advisory for complex cases and board-ready gap analysis reports for firms preparing for FCA review. Engagements are taken by introduction only. If you have a specific matter to discuss, the right next step is a direct introduction through Galore.club.
