AML/KYC in Custody: Travel Rule and Transaction Monitoring
Learning Objectives
Explain AML/BSA requirements applicable to crypto custody
Evaluate custodian AML programs and Travel Rule compliance
Assess transaction monitoring capabilities
Identify AML red flags in custody operations
Design institutional AML oversight for custody relationships
Custodians don't just hold assets—they're financial institutions with regulatory obligations. AML compliance is mandatory, not optional. Understanding custodian AML programs is essential for institutional due diligence and for ensuring your institution doesn't inadvertently engage with non-compliant providers.
AML/BSA FRAMEWORK:
- Banks
- Money services businesses (MSBs)
- Broker-dealers
- Trust companies
- AML program
- Customer identification (CIP)
- Record keeping
- Suspicious activity reporting (SAR)
- Currency transaction reporting (CTR)
FINANCIAL CRIMES ENFORCEMENT NETWORK (FINCEN):
Interprets BSA
Issues guidance
Enforcement authority
International coordination
2013: Virtual currency exchangers are MSBs
2019: Clarified custodian obligations
2020: Travel Rule application
2024-2025: Enhanced requirements
TRUST COMPANY REQUIREMENTS:
State BSA/AML requirements
May be state or federally examined
Often FinCEN registration
Similar to bank requirements
OCC examination
BSA compliance required
Federal oversight
Bank-level standards
AML PROGRAM ELEMENTS:
- Written AML policy
- Procedures for compliance
- Risk assessment methodology
- Escalation procedures
- Customer acceptance criteria
- Transaction monitoring rules
- High-risk customer procedures
- Asset-specific considerations
- Designated BSA/AML officer
- Sufficient authority
- Board reporting
- Independence
- Officer qualifications
- Reporting lines
- Resources allocated
- Authority demonstrated
- Employee training
- Role-appropriate training
- Annual minimum
- Documentation
- Training curriculum
- Completion tracking
- Effectiveness testing
- Crypto-specific content
- Regular independent audit
- Testing of controls
- Risk-based scope
- Findings remediation
- Audit frequency
- Auditor qualifications
- Findings history
- Remediation status
CUSTOMER IDENTIFICATION:
CIP REQUIREMENTS:
Name
Date of birth
Address
Identification number (SSN or equivalent)
Documentary verification
Legal name
Formation documents
Principal place of business
Identification number (EIN)
Beneficial ownership
BENEFICIAL OWNERSHIP (CDD RULE):
Identify 25%+ owners
Identify one control person
Verify identities
Update for changes
Institution identification
Authorized persons
Beneficial ownership
Investment manager (if applicable)
ENHANCED DUE DILIGENCE (EDD):
High-risk jurisdictions
PEPs (Politically Exposed Persons)
Complex structures
High-value transactions
Unusual activity
Senior management approval
Source of funds documentation
Enhanced monitoring
More frequent reviews
TRAVEL RULE:
TRADITIONAL TRAVEL RULE (31 CFR 103.33):
Requirement:
Wire transfers of $3,000+ must include
originator and beneficiary information
- Name of originator
- Account number
- Address or ID
- Name of beneficiary
- Account number
CRYPTO TRAVEL RULE:
FinCEN Position:
Travel Rule applies to virtual asset transfers
between VASPs/financial institutions
FATF Recommendation 16:
Global standard for virtual asset Travel Rule
$1,000/€1,000 threshold
Name
Account identifier (address)
Physical address, national ID, or customer ID
Place/date of birth (if address unavailable)
Name
Account identifier (address)
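A pre-release gate for the Travel Rule data listed above, written as an added example (not code from this lesson or from any Travel Rule vendor). The `Party`, `Transfer`, `missing_fields` and `evaluate` names and the decision strings are hypothetical; treating an amount equal to the threshold as in scope and routing self-hosted destinations to a separate review are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as quoted on this page (same currency as the transfer amount).
THRESHOLDS = {"fincen": Decimal("3000"), "fatf": Decimal("1000")}

@dataclass
class Party:
    name: str = ""
    account_id: str = ""        # account number or wallet address
    address: str = ""
    national_id: str = ""
    customer_id: str = ""
    birth_place_date: str = ""

@dataclass
class Transfer:
    amount: Decimal
    originator: Party
    beneficiary: Party
    counterparty_is_vasp: bool = True   # False = self-hosted wallet

def missing_fields(t):
    """List the required Travel Rule fields that are blank."""
    o, b = t.originator, t.beneficiary
    checks = {
        "originator.name": o.name,
        "originator.account_id": o.account_id,
        # Any one of these identifies the originator.
        "originator.address_or_id": o.address or o.national_id
                                    or o.customer_id or o.birth_place_date,
        "beneficiary.name": b.name,
        "beneficiary.account_id": b.account_id,
    }
    return [k for k, v in checks.items() if not v.strip()]

def evaluate(t, regime="fatf"):
    """Decide what to do with an outbound transfer before it is signed."""
    if t.amount < THRESHOLDS[regime]:
        return "release", []
    if not t.counterparty_is_vasp:
        # No VASP to receive the data: route to the custodian's own procedure.
        return "unhosted_review", []
    gaps = missing_fields(t)
    return ("hold", gaps) if gaps else ("transmit_and_release", [])
```
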
IMPLEMENTATION CHALLENGES:
No standardized protocol (multiple solutions)
Address ownership verification
Privacy considerations
Counterparty identification
Self-hosted wallet handling
Cross-jurisdictional differences
Threshold variations
Real-time requirements
TRAVEL RULE COMPLIANCE SOLUTIONS:
PROTOCOL OPTIONS:
Open standard
Certificate-based identity
Decentralized approach
Growing adoption
Standardized protocol
Multiple vendors
Interoperability focus
Commercial solution
Wide custodian adoption
Compliance automation
Network effects
Integration with analytics
Compliance workflow
Counterparty verification
CUSTODIAN EVALUATION:
- What Travel Rule solution is used?
- Which protocol(s) supported?
- How are counterparties verified?
- What's the coverage/network?
- How are unhosted wallets handled?
Good Indicators:
✅ Multiple protocol support
✅ Wide network participation
✅ Automated compliance
✅ Clear procedures for gaps
Concerns:
⚠️ No Travel Rule solution
⚠️ Manual processes only
⚠️ Limited network
⚠️ Unclear procedures
SELF-HOSTED (UNHOSTED) WALLET HANDLING:
REGULATORY POSITION:
Enhanced recordkeeping
Counterparty identification
Transaction limits considered
Final rule pending
Varies by jurisdiction
Enhanced due diligence typical
Transaction monitoring
Documentation requirements
CUSTODIAN APPROACHES:
No transfers to unhosted wallets
Only VASP-to-VASP transfers
Simplified compliance
Unhosted transfers allowed
Enhanced verification
Self-attestation
Monitoring
INSTITUTIONAL CONSIDERATIONS:
Custodian must accept unhosted
Documentation for compliance
Verification procedures
Travel Rule implications
Less concern
But withdrawal rights matter
Exit strategy implications
TRANSACTION MONITORING:
PURPOSE:
Detect suspicious activity for SAR filing
MONITORING ELEMENTS:
Threshold triggers
Pattern detection
Velocity monitoring
Geographic flags
Deviation from profile
Unusual patterns
Peer comparison
Historical analysis
Transaction tracing
Cluster analysis
Risk scoring
Attribution
CRYPTO-SPECIFIC MONITORING:
Rapid movements
Round-trip transactions
Layering patterns
Structuring below thresholds
Sanctioned addresses
Darknet markets
Mixing services
High-risk entities
Transaction flow
Counterparty identification
Risk scoring
OFAC screening
BLOCKCHAIN ANALYTICS PROVIDERS:
MAJOR PROVIDERS:
Market leader
KYT (Know Your Transaction)
Reactor investigation
Government clients
Enterprise focus
Navigator platform
Risk scoring
UK origin
Compliance focus
Risk management
Institutional clients
Growing presence
CAPABILITIES:
Real-time screening
OFAC/sanctions check
Risk scoring
Alert generation
Entity identification
Exchange identification
Service identification
Risk categorization
Transaction tracing
Source/destination analysis
Mixing detection
Pattern recognition
CUSTODIAN EVALUATION:
- What analytics provider is used?
- What coverage (XRP included)?
- Real-time or batch screening?
- What risk thresholds trigger review?
- How are alerts investigated?
SUSPICIOUS ACTIVITY REPORTING (SAR):
SAR REQUIREMENTS:
Transactions $5,000+ involving suspected crime
Any insider abuse
Patterns suggesting laundering
Other suspicious circumstances
Within 30 days of detection
60 days if no suspect identified
Maintain for 5 years
Confidential (no disclosure)
CRYPTO-SPECIFIC CONSIDERATIONS:
Structured transactions
Mixing service use
Darknet market connections
Rapid movement patterns
Jurisdictional arbitrage
Unusual counterparty patterns
No SAR notification to client
But may affect services
Account closure possible
No disclosure of SAR
CUSTODIAN EXPECTATIONS:
- Clear escalation procedures
- Adequate staffing
- Investigation capability
- Timely filing
- Quality filings
OFAC SANCTIONS:
OFFICE OF FOREIGN ASSETS CONTROL:
Administers US sanctions
SDN (Specially Designated Nationals) list
Country sanctions
Sectoral sanctions
Sanctions apply to crypto
SDN addresses published
Strict liability
No de minimis exception
SDN LIST AND CRYPTO:
OFAC publishes crypto addresses
Associated with sanctioned entities
Must be screened
Any transaction prohibited
North Korean addresses
Ransomware addresses
Sanctioned exchange addresses
Individual SDN addresses
SCREENING REQUIREMENTS:
All transactions
All counterparties
All addresses
Before execution
List updates
Rescreening
Alert investigation
Documentation
CUSTODIAN SANCTIONS EVALUATION:
SCREENING PROGRAM:
- How is OFAC screening performed?
- What screening vendor/tools?
- Real-time or batch?
- How often are lists updated?
- What's the alert process?
Good Indicators:
✅ Real-time screening
✅ Multiple list coverage
✅ Automated blocking
✅ Clear escalation
✅ Regular list updates
Concerns:
⚠️ Batch-only screening
⚠️ Manual processes
⚠️ Delayed list updates
⚠️ Unclear escalation
BLOCKCHAIN SANCTIONS SCREENING:
Screen deposit addresses
Screen withdrawal addresses
Screen incoming transactions
Secondary hop analysis
Multi-hop analysis
Risk scoring integration
Blockchain analytics tool
Investigation capability
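The direct and multi-hop screening described above, plus rescreening after a list update, as an added example (not code from this lesson or from any analytics provider). The function names and decision strings are hypothetical, and two choices are assumptions: the counterparty graph is treated as undirected, and indirect exposure within `max_hops` goes to review rather than being blocked.

```python
from collections import deque

def build_graph(transfers):
    """Undirected counterparty graph from (sender, receiver) pairs."""
    graph = {}
    for src, dst in transfers:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set()).add(src)
    return graph

def hops_to_listed(address, graph, listed, max_hops):
    """Breadth-first search: fewest hops from address to a listed address."""
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in listed:
            return dist
        if dist == max_hops:
            continue                      # do not expand past the hop limit
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def screen(address, graph, listed, max_hops=3):
    """Run before execution: direct hit blocks, indirect exposure is reviewed."""
    hops = hops_to_listed(address, graph, listed, max_hops)
    if hops == 0:
        return "block"
    if hops is not None:
        return "review"
    return "allow"

def rescreen(addresses, graph, old_listed, new_listed, max_hops=3):
    """After a list update, return addresses whose decision changed."""
    changed = {}
    for a in addresses:
        before = screen(a, graph, old_listed, max_hops)
        after = screen(a, graph, new_listed, max_hops)
        if before != after:
            changed[a] = (before, after)
    return changed
```
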
AML DUE DILIGENCE CHECKLIST:
PROGRAM STRUCTURE:
□ Written AML policy
□ BSA officer identified
□ Training program
□ Independent testing
□ Board oversight
CUSTOMER IDENTIFICATION:
□ CIP procedures
□ Beneficial ownership
□ EDD triggers defined
□ Documentation standards
TRANSACTION MONITORING:
□ Monitoring system
□ Blockchain analytics
□ Alert investigation
□ SAR capability
TRAVEL RULE:
□ Solution implemented
□ Protocol coverage
□ Counterparty verification
□ Gap handling
SANCTIONS:
□ OFAC screening
□ Real-time capability
□ List update frequency
□ Blocking procedures
DOCUMENTATION REQUEST:
□ AML policy summary
□ Recent audit results
□ Training overview
□ Technology stack
ONGOING AML OVERSIGHT:
ANNUAL REVIEW:
□ AML audit results
□ Program changes
□ Enforcement actions (industry)
□ Regulatory developments
QUARTERLY:
□ Significant incidents
□ Staff changes (BSA officer)
□ System changes
□ Material findings
EVENT-DRIVEN:
□ Regulatory action against custodian
□ Material breach
□ Program deficiency reported
□ Industry enforcement trends
RED FLAGS:
Immediate Concern:
🚩 Regulatory enforcement action
🚩 SAR filing about custodian
🚩 Sanctions violation
🚩 Material audit findings
Elevated Concern:
⚠️ BSA officer departure (unreplaced)
⚠️ Audit exceptions
⚠️ System failures
⚠️ Staff reductions in compliance
---
✅ AML requirements apply to crypto custody - Regulatory framework clear
✅ Travel Rule is being implemented - Solutions exist, adoption growing
✅ Blockchain analytics enable compliance - Tools mature and effective
✅ Sanctions screening is mandatory - OFAC applies to crypto
⚠️ Travel Rule standardization - Multiple protocols, fragmented
⚠️ Self-hosted wallet treatment - Regulatory approach evolving
⚠️ Enforcement priorities - Selective enforcement patterns
⚠️ International coordination - Jurisdiction differences
📌 Assuming custodian compliance is sufficient - Institution has own obligations
📌 Ignoring AML in due diligence - Material risk if custodian deficient
📌 Underestimating sanctions risk - Strict liability, severe penalties
📌 Not monitoring ongoing compliance - Programs can deteriorate
AML compliance is table stakes for institutional custody. Custodians must have robust programs, and institutions must verify this through due diligence. AML deficiencies at a custodian create regulatory, reputational, and operational risk for clients.
Assignment: Conduct an AML compliance assessment of a custody provider.
- Part 1: AML Program Evaluation (1.5 pages)
- Part 2: Travel Rule Assessment (1 page)
- Part 3: Transaction Monitoring Review (1 page)
- Part 4: Sanctions Compliance Evaluation (1 page)
- Part 5: Recommendations (0.5 pages)
Format: Professional assessment, 5 pages maximum
Time Investment: 3-4 hours
1. What are the four required elements of a BSA/AML program?
Answer: B - Internal policies, compliance officer, training, independent testing
2. What information must be transmitted under the Travel Rule?
Answer: C - Originator and beneficiary name, account identifiers, and address/ID
3. What is the primary purpose of blockchain analytics in custody?
Answer: A - Transaction monitoring and sanctions screening
4. How should OFAC sanctions screening be performed?
Answer: D - Real-time screening of all transactions and addresses
5. Why is AML due diligence important when selecting a custodian?
Answer: B - Custodian AML deficiencies create regulatory and reputational risk
End of Lesson 11
Total Words: ~4,100
Estimated Completion Time: 55 minutes reading + 3-4 hours for deliverable
Key Takeaways
AML/BSA requirements fully apply to crypto custody
- No exemption for digital assets
Travel Rule implementation is advancing
- Solutions exist, evaluate custodian compliance
Transaction monitoring requires blockchain analytics
- Standard tools expected
Sanctions screening must be real-time
- OFAC compliance mandatory
Institutions must conduct AML due diligence on custodians
- Part of overall evaluation