AML/CFT Crypto: Practical Guide for Professionals
Introduction
Mastering AML/CFT means securing your license and building trust.
Anti-money laundering and combating the financing of terrorism (AML/CFT) is at the heart of crypto-asset regulation. For PSANs and future CASPs, mastering these obligations is essential to obtain and maintain their license. This practical guide details the requirements, best practices, and compliance tools.
What you will learn:
- The AML/CFT regulatory framework applicable to crypto-assets
- Customer due diligence obligations (KYC)
- Detection and reporting of suspicious transactions
- Compliance tools and methodologies
- Sanctions for non-compliance
Table of Contents
- AML/CFT Regulatory Framework
- Customer Due Diligence (KYC)
- Risk-Based Approach
- Transaction Monitoring
- Suspicious Activity Report (SAR/TRACFIN)
- Asset Freezing
- Internal Organization
- Tools and Technologies
- Crypto Money Laundering Typologies
- Sanctions and Controls
- FAQ
1. AML/CFT Regulatory Framework
From FATF to French law, discover the anti-money laundering legal arsenal.
Applicable Texts
Hierarchy of Standards:
| Level | Text | Content |
|---|---|---|
| International | FATF Recommendations | Global standards |
| European | 6th AML Directive (AMLD6) | Transposed into national law |
| European | AMLR Regulation (2024) | Direct application |
| European | TFR (Travel Rule) | Fund transfers |
| French | CMF L. 561-1 et seq. | Detailed obligations |
| French | AMF/ACPR Guidelines | Practical interpretation |
Recent Developments
European AML Package (2024):
- AMLR Regulation: directly applicable obligations
- Creation of AMLA: European anti-money laundering authority
- Harmonization of thresholds and procedures
- Reinforcement for crypto-assets
Competent Authorities in France
| Authority | Role |
|---|---|
| AMF | PSAN registration, control |
| ACPR | AML/CFT opinion, institution control |
| TRACFIN | Receipt of suspicious activity reports |
| DG Trésor | Asset freezing, sanctions |
| Prosecutor | Criminal prosecutions |
2. Customer Due Diligence (KYC)
Knowing your customers is the cornerstone of your AML/CFT framework.
Identification and Verification
Natural Persons:
| Information | Document | Verification |
|---|---|---|
| Name, first names | ID card, passport | Visual check + database |
| Date/place of birth | ID card, passport | Consistency |
| Nationality | ID card, passport | - |
| Address | Proof < 3 months | Consistency check |
Legal Entities:
| Information | Document | Verification |
|---|---|---|
| Company name | Kbis < 3 months | Official register |
| Legal form | Bylaws | - |
| Registered office | Kbis | - |
| Legal representative | Kbis + ID | Identity verification |
| Beneficial owners (UBO) | UBO register, declaration | Threshold check (25%) |
Beneficial Owners (UBO)
Definition: Natural person who owns or controls (directly or indirectly) more than 25% of capital or voting rights.
Identification Cascade:
1. Identify holders > 25%
   ├──▶ Found → UBO identified
   └──▶ Not found → go to step 2
2. Identify persons exercising control through other means
   ├──▶ Found → UBO identified
   └──▶ Not found → go to step 3
3. Effective director = UBO by default
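The cascade above, including the "directly or indirectly" part of the definition, can be sketched as follows. This is an added example, not part of the original guide: the ownership structure is constructed, and multiplying fractions along each holding chain is one common convention, assumed here rather than taken from the text.

```python
UBO_THRESHOLD = 0.25  # "more than 25%" per the definition above

# Constructed structure: owner -> {entity: fraction of capital held}.
HOLDINGS = {
    "Alice": {"HoldCo": 0.60, "Target": 0.10},
    "Bob": {"HoldCo": 0.40},
    "HoldCo": {"Target": 0.50},
    "Carol": {"Target": 0.40},
}
PERSONS = {"Alice", "Bob", "Carol"}  # natural persons in the structure

def effective_stake(owner, target, holdings, path=()):
    """Direct plus indirect stake of owner in target (assumed convention:
    fractions are multiplied along each chain and summed over chains)."""
    if owner in path:  # circular holding: stop instead of recursing forever
        return 0.0
    total = 0.0
    for entity, share in holdings.get(owner, {}).items():
        if entity == target:
            total += share
        else:
            total += share * effective_stake(entity, target, holdings,
                                             path + (owner,))
    return total

def identify_ubo(target, holdings, persons, controllers=(), director=None):
    """Apply the three-step cascade; return (basis, list of UBOs)."""
    stakes = {p: effective_stake(p, target, holdings) for p in persons}
    owners = sorted(p for p, s in stakes.items() if s > UBO_THRESHOLD)
    if owners:                       # step 1: holders above 25%
        return "ownership", owners
    if controllers:                  # step 2: control through other means
        return "control", sorted(controllers)
    return "director_by_default", [director]  # step 3

if __name__ == "__main__":
    print(identify_ubo("Target", HOLDINGS, PERSONS, director="Dave"))
```

Bob holds 40% of HoldCo but only 20% of the target once the chain is multiplied through, so he falls below the threshold while Alice's direct and indirect stakes add up to 40%.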
Onboarding Process
Standard Process:
- Information collection: form, documents
- Verification: consistency check, databases
- Screening: PEP, sanctions, adverse media
- Risk classification: customer scoring
- Decision: acceptance, refusal, enhanced due diligence
- Documentation: evidence retention
Information Updates
Update Frequency:
| Risk Level | Frequency |
|---|---|
| Low | Every 5 years |
| Standard | Every 3 years |
| High | Annual |
| Very high | Semi-annual + continuous monitoring |
3. Risk-Based Approach
Adapt your controls to each profile for effective and proportionate compliance.
Fundamental Principle
"Obliged entities shall apply customer due diligence measures based on money laundering and terrorist financing risks." — Article L. 561-4-1 CMF
Risk Mapping
Risk Factors to Evaluate:
OVERALL RISK = f(Customer, Product, Channel, Geography)
┌─────────────────────────────────────────────────────────────┐
│ CUSTOMER FACTORS │
│ • Nature (individual, company, association, trust) │
│ • PEP (Politically Exposed Person) │
│ • Business sector (gaming, art, construction...) │
│ • Reputation, adverse media │
│ • Transactional behavior │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ PRODUCT FACTORS │
│ • Potential anonymity (privacy coins) │
│ • Transaction complexity │
│ • Volume and frequency │
│ • Mixers, bridges, DeFi │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ CHANNEL FACTORS │
│ • Remote vs in-person relationship │
│ • Identity verification used │
│ • Payment methods │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ GEOGRAPHY FACTORS │
│ • Customer country of residence │
│ • Fund origin/destination │
│ • High-risk countries (FATF, EU) │
└─────────────────────────────────────────────────────────────┘
Customer Classification
Typical Scoring Grid:
| Score | Level | Measures |
|---|---|---|
| 0-25 | Low | Standard due diligence |
| 26-50 | Medium | Standard due diligence + |
| 51-75 | High | Enhanced due diligence |
| 76-100 | Very high | Enhanced due diligence + management approval |
Enhanced Due Diligence Measures
Mandatory Triggers:
- PEP (Politically Exposed Person)
- High-risk third country (EU list)
- Atypical or suspicious transactions
- Remote customer not verified in person
Additional Measures:
- Supplementary documents
- In-depth source of funds
- Hierarchical approval
- Enhanced transaction monitoring
- More frequent updates
4. Transaction Monitoring
Detect suspicious behavior in real-time to protect your platform.
Monitoring Objectives
Purposes:
- Detect atypical transactions
- Identify suspicious behavior
- Feed suspicious activity reports
- Keep risk profile up to date
Detection Scenarios (Red Flags)
Behavioral Alerts:
| Scenario | Description | Risk |
|---|---|---|
| Structuring | Splitting to avoid thresholds | High |
| Velocity | Suddenly high volume | Medium |
| Dormancy | Inactive account then intense activity | High |
| Mismatch | Profile/transaction inconsistency | Medium |
| Rapid in-out | Quick deposit and withdrawal | High |
| Round tripping | Funds returning to starting point | High |
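Three of the behavioral scenarios above (structuring, rapid in-out, dormancy) expressed as detection rules over a small ledger. This is an added example, not part of the original guide: the ledger is constructed and every threshold and window is a hypothetical value to be replaced by your own risk assessment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical parameters, not taken from any regulation.
THRESHOLD = 1000                      # per-transaction threshold (EUR)
STRUCT_WINDOW = timedelta(hours=24)   # window for summing small deposits
RAPID_WINDOW = timedelta(hours=2)     # deposit-to-withdrawal delay
DORMANT_GAP = timedelta(days=180)     # silence that counts as dormancy

# Constructed ledger: (account, ISO timestamp, direction, amount in EUR).
SAMPLE = [
    ("acc-1", "2025-03-01T09:00", "in", 950),
    ("acc-1", "2025-03-01T11:30", "in", 900),
    ("acc-1", "2025-03-01T15:10", "in", 980),
    ("acc-2", "2025-03-02T10:00", "in", 5000),
    ("acc-2", "2025-03-02T10:40", "out", 4950),
    ("acc-3", "2024-06-01T08:00", "in", 200),
    ("acc-3", "2025-03-03T08:00", "in", 7000),
    ("acc-4", "2025-03-04T12:00", "in", 300),
    ("acc-4", "2025-03-20T12:00", "out", 100),
]

def detect(ledger):
    """Return a sorted list of (account, scenario) alerts."""
    by_acc = defaultdict(list)
    for acc, ts, direction, amount in ledger:
        by_acc[acc].append((datetime.fromisoformat(ts), direction, amount))
    alerts = set()
    for acc, txs in by_acc.items():
        txs.sort()
        deposits = [(t, a) for t, d, a in txs if d == "in"]
        # Structuring: several sub-threshold deposits that together
        # reach the threshold inside one window.
        small = [(t, a) for t, a in deposits if a < THRESHOLD]
        for i, (start, _) in enumerate(small):
            window = [a for t, a in small[i:] if t - start <= STRUCT_WINDOW]
            if len(window) >= 2 and sum(window) >= THRESHOLD:
                alerts.add((acc, "structuring"))
                break
        # Rapid in-out: at least 90% of a deposit leaves within the window.
        for t_in, a_in in deposits:
            out = sum(a for t, d, a in txs if d == "out"
                      and timedelta(0) <= t - t_in <= RAPID_WINDOW)
            if a_in > 0 and out >= 0.9 * a_in:
                alerts.add((acc, "rapid_in_out"))
        # Dormancy: long silence, then a transaction at or above the threshold.
        for (prev, _, _), (cur, _, amt) in zip(txs, txs[1:]):
            if cur - prev >= DORMANT_GAP and amt >= THRESHOLD:
                alerts.add((acc, "dormancy"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE))
```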
Crypto-Specific Alerts:
| Scenario | Description | Risk |
|---|---|---|
| Mixer/Tumbler | Interaction with mixing services | Very high |
| Privacy coins | Transactions in Monero, Zcash... | High |
| Darknet | Addresses linked to black markets | Very high |
| Ransomware | Addresses associated with ransoms | Very high |
| Scam | Fraudulent project addresses | High |
| High-risk exchange | Transfers to unregulated platforms | Medium |
Blockchain Analysis
Elements to Analyze:
Incoming transaction
│
▼
┌─────────────────────────────┐
│ SOURCE ADDRESS │
│ ANALYSIS │
│ │
│ • History │
│ • Clustering │
│ • Known labels │
│ • Risk score │
│ • Hops from suspicious │
│ source │
└─────────────────────────────┘
│
▼
┌─────────────────────────────┐
│ PATTERN ANALYSIS │
│ │
│ • Amount │
│ • Frequency │
│ • Profile consistency │
│ • Transaction chain │
└─────────────────────────────┘
│
▼
Decision: OK / Alert / Block
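The "hops from suspicious source" step and the final decision can be illustrated with a breadth-first search upstream from the source address. This is an added example, not part of the original guide: the transfer graph and labels are constructed stand-ins for an analytics provider's data, and the hop limits are hypothetical.

```python
from collections import deque

# Constructed graph: address -> addresses that funded it.
FUNDED_BY = {
    "addr_customer_src": ["addr_a", "addr_b"],
    "addr_a": ["addr_exchange"],
    "addr_b": ["addr_c"],
    "addr_c": ["addr_mixer"],
    "addr_clean_src": ["addr_exchange"],
    "addr_loop": ["addr_loop2"],
    "addr_loop2": ["addr_loop"],
}
# Constructed "known labels" for some addresses.
LABELS = {"addr_mixer": "mixer", "addr_exchange": "exchange"}
HIGH_RISK = {"mixer", "darknet", "ransomware", "scam"}

MAX_HOPS = 4      # hypothetical search depth
ALERT_WITHIN = 3  # hypothetical: alert if a high-risk label is this close

def hops_to_high_risk(source, funded_by=FUNDED_BY, labels=LABELS):
    """Return (hops, label) for the nearest high-risk upstream address,
    or None if there is none within MAX_HOPS."""
    seen = {source}
    queue = deque([(source, 0)])
    while queue:
        addr, hops = queue.popleft()
        if labels.get(addr) in HIGH_RISK:
            return hops, labels[addr]
        if hops < MAX_HOPS:
            for parent in funded_by.get(addr, []):
                if parent not in seen:  # guards against circular flows
                    seen.add(parent)
                    queue.append((parent, hops + 1))
    return None

def decide(source):
    """Map the hop distance onto the diagram's OK / Alert / Block outcome."""
    hit = hops_to_high_risk(source)
    if hit is None:
        return "OK"
    hops, _label = hit
    if hops == 0:          # the source address itself is labelled high-risk
        return "Block"
    return "Alert" if hops <= ALERT_WITHIN else "OK"

if __name__ == "__main__":
    for src in ("addr_customer_src", "addr_mixer", "addr_clean_src"):
        print(src, hops_to_high_risk(src), decide(src))
```

Breadth-first order guarantees the first high-risk label found is the closest one, which is what a hop-based score needs.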
5. Suspicious Activity Report (TRACFIN)
Report your suspicions to TRACFIN: a legal obligation subject to strict confidentiality.
Reporting Obligation
Triggering Event:
"Obliged entities shall report to TRACFIN sums recorded in their books or transactions involving sums which they know, suspect or have good reason to suspect originate from an offense..." — Article L. 561-15 CMF
Reporting Criteria
Triggering Elements:
| Situation | Report |
|---|---|
| Suspicion of money laundering | Mandatory |
| Suspicion of terrorist financing | Mandatory |
| Doubt about customer identity | To consider |
| Unexplained atypical transaction | To consider |
| Refusal of justifications | Mandatory |
| Link to sanctioned country | Mandatory |
Reporting Procedure
Steps:
- Detection: automatic or manual alert
- Analysis: internal investigation
- Decision: report or close
- Writing: description of facts
- Transmission: via ERMES (TRACFIN platform)
- Follow-up: possible TRACFIN response
- Archiving: retention 5 years
Report Content
Elements to Include:
SUSPICIOUS ACTIVITY REPORT
│
├── Declarant identification (PSAN)
│
├── Identification of persons concerned
│ ├── Customer
│ ├── Counterparties
│ └── Beneficial owners
│
├── Transaction description
│ ├── Dates
│ ├── Amounts
│ ├── Crypto-assets involved
│ ├── Blockchain addresses
│ └── Transaction hashes
│
├── Suspicion grounds
│ ├── Observed indicators
│ ├── Risk analysis
│ └── Context
│
└── Attachments
├── KYC documents
├── Transaction records
└── Blockchain analysis
Confidentiality
⚠️ Absolute secrecy: Having filed a suspicious activity report must NEVER be disclosed to the customer concerned. This disclosure ("tipping-off") is criminally punishable.
6. Asset Freezing
Immediately block assets of sanctioned persons, an absolute obligation.
Freezing Obligation
Legal Framework: PSANs must freeze assets of persons and entities on sanctions lists.
Lists to Consult:
| List | Issuer | Update |
|---|---|---|
| EU Consolidated List | EU Council | Almost daily |
| French National List | DG Trésor | Variable |
| UN List | Security Council | Variable |
| OFAC List (US) | Treasury | Regular |
Freezing Procedure
Steps:
- Continuous screening: customer verification vs lists
- Match detected: immediate blocking
- Verification: match confirmation (homonym?)
- Effective freeze: prohibition of any movement
- Declaration: notification to DG Trésor
- Monitoring: until measure lifted
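The screening, blocking and homonym-verification steps above can be sketched like this. This is an added example, not part of the original guide: the list entries are constructed (not real listings), the similarity cut-off is hypothetical, and date of birth is assumed as the secondary identifier used to tell a true match from a homonym.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sanctions entries, not real listings.
SANCTIONS = [
    {"name": "Ivan Petrović Example", "dob": "1970-01-15", "list": "EU"},
    {"name": "ACME Shell Trading", "dob": None, "list": "OFAC"},
]
NAME_THRESHOLD = 0.85  # hypothetical similarity cut-off

def normalize(name):
    """Remove diacritics, case, commas and token order so that
    'PETROVIC, Ivan' and 'Ivan Petrović' compare equal."""
    ascii_name = (unicodedata.normalize("NFKD", name)
                  .encode("ascii", "ignore").decode())
    tokens = ascii_name.casefold().replace(",", " ").split()
    return " ".join(sorted(tokens))

def screen(customer, entries=SANCTIONS):
    """Return (status, list name). Any name match blocks immediately;
    the secondary identifier then drives the verification outcome."""
    cname = normalize(customer["name"])
    for entry in entries:
        score = SequenceMatcher(None, cname, normalize(entry["name"])).ratio()
        if score < NAME_THRESHOLD:
            continue
        cust_dob = customer.get("dob")
        if entry["dob"] and cust_dob and entry["dob"] != cust_dob:
            # Name matches but identifier differs: stays blocked until
            # an analyst confirms it is a homonym.
            return "blocked_likely_homonym_review", entry["list"]
        if entry["dob"] and entry["dob"] == cust_dob:
            # Confirmed match: effective freeze and declaration.
            return "freeze_and_declare", entry["list"]
        # No identifier to compare: keep blocked, verify manually.
        return "blocked_pending_verification", entry["list"]
    return "clear", None

if __name__ == "__main__":
    print(screen({"name": "PETROVIC, Ivan Example", "dob": "1970-01-15"}))
```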
Freezing Scope
What is Frozen:
- All customer crypto-assets
- Any transfer attempt
- Any service benefiting the customer
- Including indirect assets
7. Internal Organization
Structure your teams and procedures for an operational AML/CFT framework.
Mandatory Functions
Typical AML/CFT Organization:
General Management
│
├──▶ AML/CFT Compliance Officer
│ │
│ ├── KYC/Onboarding Team
│ │
│ ├── Transaction Monitoring Team
│ │
│ └── TRACFIN Correspondent
│
└──▶ TRACFIN Declarant (can be the same)
AML/CFT Compliance Officer
Missions:
- Develop procedures
- Supervise their application
- Train staff
- Ensure regulatory watch
- Interface with authorities
- Reporting to management
Required Profile:
- Compliance experience
- Knowledge of crypto sector
- Integrity and independence
- Access to management
Staff Training
Training Program:
| Audience | Content | Frequency |
|---|---|---|
| All staff | General awareness | At hiring + annual |
| KYC Team | Identification procedures | Initial + quarterly |
| Monitoring Team | Alert detection | Initial + monthly |
| Management | Stakes and responsibilities | Annual |
Data Retention
Retention Periods:
| Data Type | Duration | Legal Basis |
|---|---|---|
| KYC Documents | 5 years after end of relationship | L. 561-12 CMF |
| Transactions | 5 years after execution | L. 561-12 CMF |
| Alerts and analyses | 5 years | L. 561-12 CMF |
| TRACFIN Reports | 5 years | Internal |
| Training | 5 years | Compliance evidence |
8. Tools and Technologies
Equip yourself with the best KYC and analytics solutions to automate compliance.
KYC Solutions
Onboarding Tools:
| Solution | Features | Blockchain-native |
|---|---|---|
| Onfido | ID verification, biometrics | No |
| Jumio | ID, liveness, AML screening | No |
| Sumsub | Full KYC suite | Yes |
| Synaps | Crypto-focused KYC | Yes |
| Persona | Flexible, API-first | No |
Blockchain Analytics Solutions
Investigation Tools:
| Solution | Blockchains | Strength |
|---|---|---|
| Chainalysis | 30+ | Leader, compliance |
| TRM Labs | 20+ | Institutions |
| Elliptic | 20+ | Historical |
| Crystal Blockchain | 15+ | EU-based |
| Scorechain | 10+ | Luxembourg |
Typical Features:
- Address risk scoring
- Flow tracing
- Wallet identification (exchange, darknet, mixer...)
- Automatic alerts
- Reports for regulators
Monitoring Solutions
Monitoring Platforms:
| Solution | Type | Specificity |
|---|---|---|
| Chainalysis KYT | Real-time | Transactions + addresses |
| Elliptic Lens | Real-time | Continuous screening |
| ComplyAdvantage | AML screening | Persons + entities |
| Refinitiv World-Check | PEP/Sanctions | Reference database |
Technical Architecture
Typical AML/CFT Stack:
┌─────────────────────────────────────────────────────────────┐
│ CLIENT LAYER │
│ │
│ ┌──────────────┐ ┌──────────────┐ │
│ │ Onboarding │ │ Compliance │ │
│ │ (KYC) │ │ Dashboard │ │
│ └──────────────┘ └──────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ BUSINESS LAYER │
│ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ KYC │ │ Risk │ │ List │ │ Alert │ │
│ │ Engine │ │ Scoring │ │Screening│ │ Engine │ │
│ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ DATA LAYER │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Blockchain │ │ Sanctions │ │ Customer │ │
│ │ Analytics │ │ Lists │ │ Data │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
└─────────────────────────────────────────────────────────────┘
9. Crypto Money Laundering Typologies
Identify money laundering patterns specific to crypto-assets to better detect them.
Classic Schemes Adapted
1. Structuring (smurfing):
Criminals → Multiple small deposits → Exchange → Consolidation → Cash out
2. Layering via exchanges:
BTC sale → Buy XMR → Exchange XMR→ETH → Exchange ETH→USDT → Withdrawal
3. Trade-based laundering:
Fictitious NFT purchase at inflated price = laundering via "art sale"
Crypto-Specific Schemes
4. Mixing services:
BTC → Mixer/Tumbler → "Clean" BTC (multiple addresses)
5. Chain hopping:
ETH (Ethereum) → Bridge → AVAX (Avalanche) → Bridge → Arbitrum
6. DeFi obfuscation:
Funds → Liquidity pool → Farming → Harvest → Swap → Cash out
7. Privacy coins:
BTC → Swap XMR → Untraceable transactions → Swap BTC → Clean wallet
High-Risk Indicators
Priority Red Flags:
| Indicator | Risk Score | Action |
|---|---|---|
| Mixer interaction | 🔴 Very high | Freeze + in-depth analysis |
| Darknet exposure | 🔴 Very high | Freeze + TRACFIN |
| Ransomware linked | 🔴 Very high | Freeze + TRACFIN |
| High-risk exchange | 🟠 High | Enhanced due diligence |
| Privacy coin conversion | 🟠 High | Justification required |
| Unusual pattern | 🟡 Medium | Analysis |
10. Sanctions and Controls
Fines of up to €5 million: the authorities take AML/CFT seriously.
Sanctions Regime
Administrative Sanctions (AMF/ACPR):
| Violation | Maximum Sanction |
|---|---|
| Lack of procedures | Up to €5M |
| Failure to report to TRACFIN | Up to €5M |
| Lack of due diligence | Up to €5M |
| Non-compliance with freezing | Up to €5M |
| Repeat offense | License withdrawal |
Criminal Sanctions:
| Violation | Sanction |
|---|---|
| Money laundering | 5 years + €375,000 |
| Aggravated money laundering | 10 years + €750,000 |
| Failure to report to TRACFIN | €22,500 |
| Tipping-off | €22,500 |
| Freezing violation | 7 years + €750,000 |
Authority Controls
Types of Controls:
| Type | Method | Frequency |
|---|---|---|
| Document-based | Document request | Variable |
| On-site | In-situ inspection | Every 2-4 years |
| Thematic | Focus on one topic | Ad hoc |
| Post-incident | After problem | Reactive |
On-Site Control Process:
- Notification (few weeks before)
- Preparatory document submission
- Inspector arrival (several days)
- Staff interviews
- Customer file review
- Procedure testing
- Preliminary report
- Entity observations
- Final report
- Possible sanctions
11. FAQ
Practical Questions
Q: What AML/CFT team size for a PSAN?
A: It depends on business volume. As a guide:
- < 10,000 customers: 1-2 dedicated persons
- 10,000 - 100,000 customers: 3-5 persons
- > 100,000 customers: structured team (5-15+)
The more automation, the fewer human resources needed for processing, but analysis remains human.
Q: Can I outsource AML/CFT?
A: Partially. Operational tasks (KYC, screening) can be outsourced, but responsibility remains with the PSAN. The compliance officer and decisions must stay internal.
Q: What budget for AML/CFT compliance?
A: Annual estimates:
- Tools (KYC, analytics, screening): €50-200k
- Staff: €100-500k
- Training: €10-30k
- External audit: €20-50k
- Total: €200-800k depending on size
Regulatory Questions
Q: What to do when in doubt about a transaction?
A: In case of serious doubt, report to TRACFIN. It's better to report a false positive than miss a real case. TRACFIN doesn't sanction good faith reports.
Q: Should I refuse a PEP customer?
A: No, being a PEP is not grounds for automatic refusal. Enhanced due diligence applies: source of funds, management approval, increased monitoring. Refusal is only justified if risks are unacceptable.
Q: Should my customers' wallets be monitored continuously?
A: Yes, monitoring must be continuous, not just at onboarding. Blockchain analytics tools enable real-time monitoring of your customers' addresses.
Conclusion
AML/CFT compliance is an essential pillar for any PSAN. It represents a significant but indispensable investment for the company's sustainability and reputation.
Key Points to Remember:
- Risk-based approach: adapt measures to risk level
- Rigorous KYC: foundation of the entire framework
- Continuous monitoring: transactions and behavior
- TRACFIN reporting: legal obligation when suspicious
- Documentation: everything must be traced and retained
- Training: continuous staff awareness
Recommendations for PSANs:
✅ Invest in performant tools (analytics, KYC)
✅ Recruit experienced compliance profiles
✅ Exhaustively document all procedures
✅ Regularly train all staff
✅ Anticipate regulatory developments (AMLR, AMLA)
✅ Consider compliance as a competitive advantage
AML/CFT is not just a constraint: it contributes to crypto sector legitimization and protects the company from reputational and legal risks.
Article updated December 2025. Information presented is educational and does not constitute legal advice. Consult a qualified professional for your specific situation.