Building a Crypto Compliance Program
Learning Objectives
Describe essential compliance program elements as defined by regulators
Explain governance and oversight requirements including board responsibilities and compliance officer roles
Evaluate staffing and expertise needs for different sizes of crypto operations
Assess technology infrastructure requirements for KYC, monitoring, screening, and analytics
Understand testing, audit, and examination expectations for maintaining compliance
Both US and international regulators expect specific program elements:
FINCEN BSA COMPLIANCE PROGRAM PILLARS
1. Internal Controls
1. Independent Testing
1. Designated Compliance Officer
1. Training
1. Customer Due Diligence Procedures
OFAC'S FIVE ESSENTIAL COMPONENTS
- Management Commitment
- Risk Assessment
- Internal Controls
- Testing and Auditing
- Training
GOVERNANCE STRUCTURE
- Approve compliance policy
- Oversee compliance program
- Receive regular compliance reports
- Ensure adequate resources
- Understand compliance risks
- Implement board directives
- Allocate resources
- Support compliance function
- Address deficiencies
- Maintain compliance culture
- Regular meetings
- Cross-functional membership
- Review issues and trends
- Recommend policy changes
- Escalation point
COMPLIANCE OFFICER REQUIREMENTS
- AML expertise and experience
- Understanding of crypto/blockchain
- Regulatory knowledge
- Leadership capability
- Industry certifications (CAMS, etc.) beneficial
- Day-to-day program management
- Policy development and maintenance
- Monitoring and testing oversight
- SAR filing decisions
- Regulatory communication
- Training program oversight
- Board/management reporting
- Direct board access
- Independence from business lines
- Authority to reject customers/transactions
- Budget and staffing input
- Veto power on high-risk decisions
- Part-time or unqualified officer
- Reports to business line, not senior management
- Lacks authority to refuse transactions
- No direct board communication
- Inadequate resources
ESSENTIAL COMPLIANCE POLICIES
- Customer identification requirements
- Verification procedures
- Risk rating methodology
- Enhanced due diligence triggers
- Beneficial ownership requirements
- Ongoing monitoring
- Monitoring methodology
- Alert handling procedures
- Investigation requirements
- SAR determination criteria
- Documentation standards
- Lists screened
- Screening frequency
- Hit resolution procedures
- Blocking procedures
- Reporting requirements
- Data collection requirements
- Counterparty identification
- Protocol usage
- Unhosted wallet handling
- Record retention
- SAR triggers
- Investigation requirements
- Filing procedures
- Tipping off prohibition
- Record retention
PROCEDURE REQUIREMENTS
- Step-by-step instructions
- Role/responsibility clarity
- System references
- Exception handling
- Escalation paths
- Regular review schedule
- Update for regulatory changes
- Version control
- Approval documentation
- Available to relevant staff
- Searchable/organized
- Training reference
- Audit evidence
COMPLIANCE STAFFING BENCHMARKS
- 1 Compliance Officer
- 1-3 AML analysts
- Outsourced functions possible
- ~$300K-500K annually
- Chief Compliance Officer + Deputy
- 5-15 AML analysts
- Dedicated sanctions specialist
- Quality assurance
- ~$1M-5M annually
- Full compliance department
- 20-100+ staff
- Specialized teams
- Multiple compliance functions
- ~$10M-50M+ annually
- Alert volume drives analyst needs
- 24/7 coverage for global operations
- Language capabilities
- Technical expertise for crypto
COMPLIANCE TEAM CAPABILITIES
- AML/BSA knowledge
- Sanctions expertise
- Blockchain understanding
- Transaction analysis
- Investigation skills
- Blockchain technology
- Wallet types and behavior
- Exchange operations
- DeFi basics
- Blockchain analytics tools
- ACAMS certification
- Crypto compliance certifications
- Ongoing training
- Conference attendance
- Regulatory update awareness
COMPLIANCE TECHNOLOGY REQUIREMENTS
- Document verification
- Biometric verification
- Database checks
- Risk scoring
- Vendors: Jumio, Onfido, Veriff
- Rule engine
- Behavioral analytics
- Alert management
- Case management
- Vendors: Actimize, Chainalysis KYT
- Name screening
- Address screening
- List management
- Hit resolution
- Vendors: Dow Jones, World-Check, native exchange tools
- Transaction screening
- Risk scoring
- Investigation tools
- Attribution database
- Vendors: Chainalysis, Elliptic, TRM
- Protocol integration
- Data management
- VASP identification
- Vendors: Notabene, Sygna, TRUST membership
- Alert tracking
- Investigation workflow
- Documentation
- Reporting
- Vendors: Various, often custom
TECHNOLOGY COST ESTIMATES
- KYC: $50K-150K/year
- Blockchain analytics: $50K-200K/year
- Monitoring: Often bundled or custom
- Total: $150K-500K/year
- KYC: $200K-500K/year
- Blockchain analytics: $200K-1M/year
- Monitoring: $200K-500K/year
- Travel Rule: $100K-300K/year
- Total: $700K-2.5M/year
- Full enterprise solutions
- Custom integrations
- Multiple vendor relationships
- Total: $5M-20M+/year
- Most buy for core functions
- Custom for differentiation
- Integration costs significant
- Ongoing maintenance required
TESTING PROGRAM REQUIREMENTS
- Annual at minimum
- Risk-based additional testing
- Continuous monitoring elements
- All BSA/AML requirements
- Sanctions program
- Policies and procedures
- Training effectiveness
- Technology effectiveness
- Sample transaction testing
- Not performed by compliance function
- Internal audit or external firm
- Objectivity required
- Direct board reporting
- Testing methodology
- Sample selection
- Findings detail
- Recommendations
- Management response
- Remediation tracking
EXAM PREPARATION BEST PRACTICES
- Policies readily accessible
- Procedure documentation complete
- Training records organized
- SAR filing records
- Testing reports available
- Board reporting documented
- Compliance program documentation
- Risk assessment
- Policy and procedure manuals
- Training materials and records
- Sample transaction testing
- SAR filing examples
- Alert disposition samples
- Compliance committee minutes
- Outdated policies
- Incomplete documentation
- High false positive closure rates
- Inadequate staffing
- Training gaps
- Unresolved audit findings
- Board unawareness
- Assign examination coordinator
- Prepare document packages in advance
- Brief relevant staff
- Respond promptly to requests
- Document all discussions
- Address findings promptly
For investors assessing exchange compliance quality:
COMPLIANCE QUALITY INDICATORS
Strong compliance indicators:
✓ Licensed in major jurisdictions (US, EU, Japan)
✓ Published compliance leadership team
✓ Transparent compliance policies
✓ Regular transparency reports
✓ Blockchain analytics partnership disclosed
✓ No history of major regulatory action
✓ Strong banking relationships
✓ Timely response to compliance inquiries
Weak compliance indicators:
✗ Licensed only in permissive jurisdictions
✗ Anonymous or unknown compliance team
✗ No published policies
✗ History of regulatory enforcement
✗ Banking relationship difficulties
✗ Minimal KYC requirements
✗ No apparent transaction monitoring
✗ Serves sanctioned jurisdictions
1. Check licensing (regulatory databases)
2. Research compliance leadership
3. Review published policies
4. Search for enforcement history
5. Assess KYC requirements (your experience)
6. Evaluate banking options
7. Consider industry reputation
For evaluating ODL corridor compliance:
ODL PARTNER COMPLIANCE ASSESSMENT
- VASP licensing in jurisdiction
- Full AML program
- Travel Rule capability
- Sanctions screening
- Ongoing monitoring
- Regulatory good standing
- What licenses does partner hold?
- What is their regulatory history?
- Do they have adequate compliance staffing?
- What technology infrastructure exists?
- How do they handle Travel Rule?
- What is their sanctions screening approach?
- Have they passed regulatory examinations?
- Unlicensed or minimally licensed
- Regulatory enforcement history
- Inadequate compliance infrastructure
- Banking relationship issues
- Unable to demonstrate Travel Rule compliance
- Sanctions screening gaps
---
✅ Regulators expect specific program elements. BSA pillars, OFAC framework are documented expectations. Programs lacking elements face enforcement.
✅ Compliance requires significant investment. Staff, technology, testing all cost money. Compliance is not free.
✅ Program quality varies significantly across exchanges. Some invest heavily; others cut corners. Quality is assessable.
✅ Examination preparation matters. Well-prepared institutions fare better in regulatory examinations.
⚠️ Optimal compliance investment level. How much is enough? Balance between cost and effectiveness debated.
⚠️ Technology evolution. Best-in-class solutions change. Today's leaders may not be tomorrow's.
⚠️ Regulatory expectation evolution. Requirements increase over time. Future requirements uncertain.
🔴 "All licensed exchanges have good compliance." Licensing is minimum threshold. Quality varies significantly above that floor.
🔴 "Small exchanges can't have good compliance." Size limits capacity but doesn't prevent quality. Proportionate programs can be effective.
🔴 "Technology solves compliance." Technology enables, humans decide. Understaffing defeats good technology.
🔴 "Compliance is one-time setup." Ongoing effort required. Maintenance, updates, testing continuous.
Assignment: Create a checklist that an investor could use to evaluate whether an exchange has adequate AML/KYC infrastructure. Include 20+ specific items across key program elements.
- Cover all program elements (governance, policies, staffing, technology, testing)
- Include specific, assessable items
- Indicate what public information reveals
- Note red flags and positive indicators
- Make it usable for practical assessment
Time investment: 2-3 hours
1. What are the four (or five) pillars of a BSA compliance program?
Answer: C - Internal controls, independent testing, designated compliance officer, training (and CDD for larger institutions)
2. What authority should a compliance officer have?
Answer: B - Direct board access, independence from business lines, authority to reject transactions
3. What is independent testing?
Answer: C - Regular audits by parties independent from compliance function, covering all requirements
4. What is a strong indicator of exchange compliance quality?
Answer: B - Licensed in major jurisdictions with no enforcement history and transparent compliance leadership
5. Why is compliance technology expensive for crypto exchanges?
Answer: C - Multiple systems needed (KYC, monitoring, screening, analytics) plus integration and maintenance
- Travel Rule implementation details
- Blockchain analytics capabilities and limits
- DeFi compliance challenges
- Privacy technology implications
- Complete compliance program structure
- Evaluating exchange compliance quality
- Personal compliance obligations
- ODL corridor assessment
- Future compliance trends
- Investment thesis integration
End of Lesson 10
Total words: ~4,800
Estimated completion time: 55 minutes reading + 2-3 hours for deliverable
Key Takeaways
Compliance programs require specific elements.
Internal controls, independent testing, designated officer, training. All are required, not optional.
Governance and oversight are essential.
Board involvement, qualified compliance officer, clear reporting lines. Culture starts at top.
Staffing and expertise must match risk.
Larger exchanges need more staff. Crypto expertise is essential. Underinvestment creates risk.
Technology infrastructure is complex and expensive.
KYC, monitoring, screening, analytics all needed. Build vs. buy decisions significant.
Testing and audit validate effectiveness.
Independent testing, examination preparation, continuous improvement. Programs degrade without maintenance. ---