AML regulations for US crypto firms: A 2025 guide

Cryptocurrencies and virtual assets (VAs) continue to go from strength to strength in the US. Fuelled in part by the announcement of a US strategic crypto reserve, activity and innovation are strong in the sector, building on a longer-term trend of increasing popularity. 

At the same time, while the anonymity of crypto and VA transactions has attracted a wide range of customers to these technologies, it has left them open to exploitation by criminals who use them to launder money and evade detection. In 2024, an estimated $51 billion in value was received by illicit crypto addresses, with crypto receiving the second-heaviest regulatory fines out of all sectors. 

US regulators face the task of keeping crypto secure while encouraging continued dynamism. As the US financial landscape experiences a period of widespread innovation, crypto firms looking to position themselves at the forefront of the industry should make sure they are well-prepared to demonstrate AML regulatory compliance and adapt to future changes. 

Crypto regulations in the US 

The Bank Secrecy Act (BSA) is the most important piece of AML/CFT legislation in the US. Crypto firms, alongside all other FIs and certain other businesses, must comply with it. The BSA sets out requirements around AML oversight, customer due diligence (CDD), ongoing monitoring, record-keeping, and reporting. 

First introduced in 1970, it has been amended on several occasions. In 2001, the US introduced the Patriot Act, extending the BSA to prevent terrorist financing alongside money laundering. In 2020, the Anti-Money Laundering Act was introduced: among other measures, it explicitly brought crypto and virtual asset service providers (VASPs) under the scope of the BSA. 

Under BSA rules, crypto firms must: 

• Create AML compliance programs: You must implement and maintain a risk-based AML compliance program consisting of written policies and procedures to help employees detect and prevent financial crime. The program should be overseen by a compliance officer, include compliance training for all employees, and be tested through a regular schedule of independent audits. 
• Conduct CDD: Your organization must have customer identification programs to establish and verify all customer identities and the nature of their relationship with them. The ‘CDD Final Rule’ is an amendment to the BSA that obliges you to establish all accounts’ ultimate beneficial owners (UBOs). It was created to prevent the misuse of corporate ownership structures. 
• Carry out ongoing monitoring: Firms must monitor customer profiles and transactions on an ongoing basis to detect suspicious transactions and update customer information for continued accuracy. 
• Keep records: Your firm must keep records of your compliance policies, customer accounts, and transaction reports for five years. 
• Report suspicious activity: You must report all transactions you believe may be linked to the proceeds of a crime to the Financial Crimes Enforcement Network (FinCEN) using suspicious activity reports (SARs). 

The Travel Rule 

The BSA has included a section known as the “Travel” rule since 1996, which requires you to include identifying information with all transfers over the value of $3000. This includes: 

• The name, address, FI, and account or virtual wallet number of the sender. 
• The value and date of the transaction. 
• The name, address, FI, and account or virtual wallet number used by the recipient. 

Although the rule predates virtual assets, it has become closely associated with AML regulation for VASPs. The Financial Action Task Force (FATF) has recommended that all countries implement a version of the Travel Rule because of the specific AML risks the virtual asset sector faces. In 2019, FinCEN issued a notice confirming this applied to all VASPs. 

The State of Financial Crime 2025

Uncover the compliance trends you need to know in our report, based on a survey of 600 industry professionals and packed with expert analysis.

Download your copy

The regulatory outlook for crypto in the US  

In January 2025, the White House issued an executive order on “strengthening American leadership in digital financial technology.” This established a working group to create a new regulatory framework for digital assets, with the explicit purpose of supporting the sector’s growth. It also prohibited the development of a US central bank digital currency (CBDC), with the government instead favoring a reserve of existing cryptocurrencies. The working group will recommend maintaining or repealing current crypto regulations later this year, followed by a potential wider reconsideration of the sector’s regulatory structure. 

This aligns with an anticipated lighter-touch approach to financial regulation from the second President Trump administration. However, the extent to which enforcement actions reflect this remains to be seen. In 2024, regulators focused strongly on non-compliance in the crypto sector, issuing several severe penalties. One VASP was fined tens of millions of dollars for transaction monitoring failings, which had caused $9 billion in suspicious payments to be missed. 

Whether regulators change their approach or not, the rising popularity of VAs – one report states that 40 percent of adults worldwide own crypto – means your risk exposure is likely to grow along with your customer base. 

How to prepare your firm for compliance 

Adopting advanced AML technology can help you balance regulatory requirements with business goals. Software solutions using artificial intelligence (AI) and machine learning (ML) allow you to automate repetitive, lower-risk compliance tasks, keeping your compliance spend in check while retaining expert oversight over high-risk cases. If your organization specializes in virtual assets, or has expanded to offer crypto services, then you should make the most of your ability to innovate and tech-first approach by: 

• Conducting risk-based due diligence: To reduce unnecessary delays in onboarding new customers, calibrate your CDD checks to their risk levels. Higher-risk customers require enhanced due diligence (EDD), such as extra identification checks or source of funds (SOF) and source of wealth (SOW) checks. 
• Screening payments in real-time: With customers expecting instant payments and regulators demanding security, you should implement a payment screening solution that is fed with real-time sanctions and watchlist data and is capable of processing transactions quickly and at scale. 
• Adopting tailored transaction monitoring: Rather than using legacy solutions that struggle to adapt to the demands of virtual assets, prioritize a data-agnostic solution that can incorporate crypto data, such as wallet addresses, allowing you to recognize suspicious patterns of value transfers or conversions into fiat. 
• Using an API-based solution: An Application Programming Interface (API) allows different software components to communicate and transfer information with a set of tools and protocols. In its guidance on implementing the Travel Rule, the FATF advises firms to use API technology, allowing AML workflows to be integrated with customer and risk information.

Reporting suspicious transactions: If any information attached to payments may indicate a customer’s involvement in money laundering, terrorist financing, or other financial crimes, your staff must escalate cases to your compliance team further and report any suspicious activity to the appropriate financial intelligence unit (FIU) where true positives are identified. 

Automated compliance solutions for crypto firms

For crypto firms, success depends on demonstrating AML regulatory compliance and strong protections against financial crime. ComplyAdvantage uses cutting-edge AI and ML technology to support business growth by streamlining compliance and allowing firms to grow their customer base securely. If your organization works with crypto, you can benefit from a compliance solution with: 

• Payment screening that doesn’t compromise on speed: Process 99 percent of transactions in under half a second with significant reductions in false positive rates. Make sure your financial crime controls support instant payments rather than delaying them. 
• Real-time updates to risk data: Our proprietary data helps you screen customers and payments against sanctions lists, watchlists, politically exposed person (PEP) data, and adverse media. We use automated systems for 24/7 monitoring, meaning you receive updates without delay. 
• Data security safeguards: Balance your compliance requirements with the ability to keep your customers’ personal information safe and private. ComplyAdvantage’s solutions meet all data protection requirements, including the gold standards of GDPR compliance and ISO27001 certification. 
• Fully integrated data and platforms: Boost efficiency and reduce compliance workflows by removing siloed data split across multiple systems. With ComplyAdvantage, compliance analysts can access all the details they need to make swift case decisions on a single screen. 

This article is part of a series on the state of global crypto regulations in 2025. Find out more by reading the other articles in the series: 

• AML regulations for UK crypto firms: Top compliance tips 
• AML regulations for Australian crypto firms: How to comply