🛂

KYC / AML for Crypto Startups

The AML compliance stack every licensed crypto startup must build: CIP, tiered KYC, sanctions screening, SAR workflow, and the vendor landscape.

intermediate · 10 min read · 🇪🇺 European Union · 🇺🇸 USA · 🇸🇬 Singapore · 🇬🇧 United Kingdom

Why KYC / AML is the non-negotiable

Of everything a regulated crypto startup must do, KYC/AML is the single most enforced obligation globally. Licence revocations, criminal referrals, and the biggest crypto fines in history (Binance $4.3B, BitMEX $100M) were driven by AML failures, not token classification mistakes or custody gaps. The regulator doesn't usually care if your token is perfectly classified; they care whether your AML stack catches bad actors.

The good news for founders: unlike token-classification grey zones, KYC/AML is a solved problem. The compliance playbook is mature, the vendors are battle-tested, and the regulatory expectations are documented. What startups underestimate is the operational cost: running an AML programme is closer to running an engineering team than a legal process.

🎯
Why it matters for your startup

Day 1 of operations, your AML programme must be live. No exceptions. Regulators will test it in audits. A single missed SAR filing or OFAC match can trigger licence revocation. Budget: $150K–400K/year for a real compliance stack + a qualified Chief Compliance Officer.

The 5 components of an AML stack

A compliant AML programme has 5 operational layers. Each corresponds to a regulator expectation, and each usually maps to a vendor relationship.

1. Customer Identification Programme (CIP)

Also called KYC. At onboarding, you identify who the customer is. For individuals: full legal name, date of birth, residential address, national ID document, selfie / liveness check. For businesses (KYB): legal entity, registered address, ultimate beneficial owners, incorporation documents.

2. Customer Due Diligence (CDD) + Enhanced Due Diligence (EDD)

After identification, you assess risk. Standard due diligence: sanctions + PEP lists + adverse media. Enhanced due diligence for high-risk cases (PEP, high-value, high-risk jurisdiction origin): deeper source-of-funds evidence, beneficial ownership tracing.

3. Transaction monitoring

Every transaction is screened for patterns: structuring (multiple small transactions below reporting thresholds), layering (rapid transfers across wallets/chains), unusual velocity, mixer/tumbler exposure, counterparty sanctions. Machine-learning-based systems flag suspicious activity in real time.

4. Sanctions screening

At onboarding AND at every transaction, customers and counterparties are screened against OFAC SDN (US), EU Consolidated List, UK OFSI, UN Sanctions. Crypto-specific: wallet-address screening against OFAC's SDN-linked addresses. False positives (name similarities) are the main operational pain.

5. Suspicious Activity Reporting (SAR)

When something is flagged, a SAR / STR must be filed with the Financial Intelligence Unit (FinCEN in US, Tracfin in France, NCA in UK, MAS STRO in Singapore). Deadlines are strict (typically within 30 days of detection). Missed or wrong SARs are audit-critical.

ℹ️
Travel Rule is a 6th layer

If you're sending crypto above the jurisdiction threshold, you also transmit sender + receiver data (FATF R.16). See the FATF Travel Rule guide for the full breakdown; the IVMS 101 format and vendors (Notabene, Sumsub) overlap with the sanctions-screening stack you build for the other 5 layers.

Tiered KYC: the pragmatic pattern

Full KYC on every user is expensive (time, drop-off, vendor cost). Tiered KYC applies minimum verification at signup and escalates as the user transacts more. This is the norm in regulated crypto onboarding.

| Tier | Threshold | Verification | Typical drop-off |
|---|---|---|---|
| Tier 0 (unverified) | €0 transacting | Email + phone only | 5-10% |
| Tier 1 (light KYC) | < €1,000 / month | ID document + selfie / liveness | 15-25% |
| Tier 2 (full KYC) | €1,000–10,000 / month | Full CIP + address proof | 10-20% |
| Tier 3 (EDD) | > €10,000 / month, high-risk jurisdiction, or PEP | Source of funds, beneficial ownership, interview | 30-50% |

Thresholds above align roughly with MiCA Art. 73 + AMLD6 guidance. US MSB / BitLicense thresholds are stricter; many US platforms require full KYC from $1. The FATF Travel Rule threshold (€1K in EU, $3K in US) is usually the 'tier escalation' trigger.
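An added example, not code from the original page, that ties the transaction-monitoring layer (structuring detection, layer 3 above) to the tier thresholds in the table: it computes a customer's trailing-30-day volume, derives the tier that volume requires, and flags repeated transfers parked just under the €1,000 Travel Rule line. Assumptions: a trailing 30-day window stands in for "per month", and the 24-hour window, three-transfer minimum and 90% band are tuning values chosen for the example; customer and transaction records are constructed.

```python
from datetime import datetime, timedelta

TRAVEL_RULE_EUR = 1_000.0  # EU Travel Rule threshold quoted on this page

def required_tier(volume_30d_eur, is_pep=False, high_risk_jurisdiction=False):
    """Lowest tier from the table above that permits this trailing-30-day volume."""
    if is_pep or high_risk_jurisdiction or volume_30d_eur > 10_000:
        return 3  # EDD: source of funds, beneficial ownership, interview
    if volume_30d_eur >= 1_000:
        return 2  # full CIP + address proof
    if volume_30d_eur > 0:
        return 1  # ID document + selfie / liveness
    return 0      # email + phone only

def trailing_volume(txs, now, days=30):
    """Sum of EUR amounts inside the trailing window; stands in for 'per month'."""
    cutoff = now - timedelta(days=days)
    return sum(t["amount_eur"] for t in txs if cutoff < t["ts"] <= now)

def structuring_alert(txs, threshold=TRAVEL_RULE_EUR, window_hours=24, min_count=3, band=0.9):
    """Flag min_count or more transfers each just under the threshold (within band)
    inside any window_hours span: classic structuring below a reporting line."""
    near = sorted(t["ts"] for t in txs if band * threshold <= t["amount_eur"] < threshold)
    for i in range(len(near)):
        j = i
        while j < len(near) and near[j] - near[i] <= timedelta(hours=window_hours):
            j += 1
        if j - i >= min_count:
            return True
    return False

def review_customer(customer, txs, now):
    """One monitoring pass: is tier escalation needed, and is a structuring pattern present?"""
    vol = trailing_volume(txs, now)
    need = required_tier(vol, customer["is_pep"], customer["high_risk_jurisdiction"])
    return {"volume_30d_eur": vol, "required_tier": need,
            "tier_escalation": need > customer["kyc_tier"],
            "structuring_alert": structuring_alert(txs)}

# Constructed sample: a Tier 1 user sends four EUR 950 transfers in one evening,
# plus one older transfer that falls outside the 30-day window
NOW = datetime(2025, 3, 1, 23, 0)
SAMPLE_CUSTOMER = {"id": "cust-001", "kyc_tier": 1, "is_pep": False, "high_risk_jurisdiction": False}
SAMPLE_TXS = [{"ts": NOW - timedelta(hours=h), "amount_eur": 950.0} for h in (1, 3, 5, 7)]
SAMPLE_TXS.append({"ts": NOW - timedelta(days=45), "amount_eur": 5_000.0})

if __name__ == "__main__":
    print(review_customer(SAMPLE_CUSTOMER, SAMPLE_TXS, NOW))
```

The sample customer ends up with €3,800 of 30-day volume (tier 2 required, escalation from tier 1) and a structuring alert from the four sub-threshold transfers.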

⚠️
Simplified Due Diligence (SDD) is shrinking

AMLD6 (effective July 2027 in the EU) narrows the cases where simplified KYC is allowed. In crypto, SDD is essentially being phased out; assume full CIP for everyone by 2028.

The vendor landscape: who does what

Nobody builds a modern KYC/AML stack from scratch. The ecosystem is specialised and the vendors are mature.

KYC / identity (onboarding)

  • Sumsub: all-in-one (ID, liveness, sanctions, Travel Rule). Dominant in EU crypto. ~€1-2 per full KYC.
  • Onfido: UK-founded, strong document coverage (>1,200 ID types). Used by Revolut, Coinbase UK.
  • Veriff: Estonian, strong in Baltics / EE / EU. Good pricing for early-stage startups.
  • Persona: US-based, developer-friendly API, flexible flows. Popular with Web3 startups.

Sanctions + PEP + adverse media

  • Refinitiv World-Check: the gold standard, used by banks. Expensive ($50-200K/year minimum).
  • Dow Jones Risk & Compliance: competitor to Refinitiv.
  • ComplyAdvantage: modern API-first alternative, more affordable, strong adverse media. Popular with fintechs.
  • Sumsub sanctions: integrated in their KYC stack.

On-chain analytics (transaction monitoring + wallet screening)

  • Chainalysis KYT + Reactor: the dominant on-chain analytics + investigations platform. Used by exchanges, FinCEN, Europol.
  • Elliptic Navigator + Lens: strong competitor, especially in EU.
  • TRM Labs: fast-growing, stronger coverage of newer chains. XRPL support.
  • Merkle Science: APAC-focused, good for Asian exchanges.

SAR / STR filing software

  • Most regulators offer a direct filing portal (FinCEN E-File, Tracfin ERMES, UK NCA SAR Online).
  • Compliance OSes (Sumsub, Unit21, Hawk:AI) aggregate SAR generation + filing in one workflow.

ℹ️
Stack budget reality check

A realistic year-1 AML vendor stack for a regulated EU CASP startup: Sumsub (KYC + Travel Rule) €30-60K + ComplyAdvantage (sanctions) €20-40K + Chainalysis KYT €40-100K + compliance ops software (Unit21 / Hawk:AI) €30-60K. Total: €120-260K/year in vendor fees. Plus the CCO's €150-250K salary.

The Chief Compliance Officer (CCO) role

In every licensed jurisdiction, you must name a senior individual accountable for the AML programme. Different regulators use different titles (MLRO in UK, Compliance Officer + MLRO in EU, BSA Officer + CCO in US), but the role is the same: they sign off on policies, review SARs, interface with regulators, and carry personal liability if things go wrong.

Requirements

  • Fit-and-proper test from the regulator (clean criminal record, relevant experience, usually AML certification like CAMS or ICA).
  • Local residency in the licensing jurisdiction (strict in UAE VARA, Singapore MAS, Switzerland FINMA).
  • Sufficient seniority: cannot be junior or delegated. Typically reports directly to the board.
  • Personal liability: in some jurisdictions (UK FCA, UAE VARA), the CCO can be personally fined or barred if the AML programme fails.

⚠️
Hiring reality

A qualified crypto CCO with fit-and-proper approval is one of the hardest hires in crypto. Expect 3-6 months, $150-300K all-in, and often relocating the person to your licensing jurisdiction. After the 2023 enforcement wave, demand is very high.

XRPL-specific considerations

If your startup uses XRPL, the core AML stack is the same but there are a few XRPL-specific angles:

Destination Tag resolution

Centralised XRPL wallets pool many users under one address with distinct Destination Tags. Your transaction monitoring must resolve address + tag to customer identity; this isn't something Chainalysis / TRM do automatically for your pool. Custom logic is required.

IOU / Trust Line counterparty screening

When a user opens a Trust Line to a gateway (issuer), that's a counterparty relationship. You should sanctions-screen the gateway before allowing the trust line. Most chain-analytics vendors don't cover this XRPL primitive, so you may need custom code on top of rippled.
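An added example (not the page's or any vendor's code) covering both XRPL-specific checks above: it attributes inbound Payments to a pooled address by DestinationTag, and screens the issuer named in a TrustSet's LimitAmount before the trust line is allowed. The pool address, tag map, deny list and transactions are constructed placeholders in rippled's JSON field layout; the deny list stands in for whatever sanctions feed you actually license.

```python
# Constructed fixtures (placeholder XRPL-style addresses, not real accounts or OFAC data)
POOL_ADDRESS = "rPOOLEDCUSTODYADDRESSxxxxxxxxxxxxx"            # our omnibus hot wallet
TAG_TO_CUSTOMER = {1001: "cust-001", 1002: "cust-002"}       # DestinationTag -> customer id
SANCTIONED_ADDRESSES = {"rSANCTIONEDGATEWAYxxxxxxxxxxxxxxx"}   # stand-in for an SDN-linked list

def resolve_customer(tx):
    """Attribute an inbound Payment to our pooled address via its DestinationTag."""
    if tx.get("TransactionType") != "Payment" or tx.get("Destination") != POOL_ADDRESS:
        return None
    tag = tx.get("DestinationTag")
    if tag is None:
        return "UNATTRIBUTED"             # no tag: funds cannot be tied to a customer
    return TAG_TO_CUSTOMER.get(tag, "UNKNOWN_TAG")

def trustline_counterparty(tx):
    """For a TrustSet, the gateway the user is trusting is LimitAmount.issuer."""
    if tx.get("TransactionType") != "TrustSet":
        return None
    return tx["LimitAmount"]["issuer"]

def screen(tx):
    """Return a list of findings; an empty list means the transaction may proceed."""
    findings = []
    ttype = tx.get("TransactionType")
    if ttype == "Payment":
        cust = resolve_customer(tx)
        if cust in ("UNATTRIBUTED", "UNKNOWN_TAG"):
            findings.append("hold:" + cust)         # park funds until attributed
        if tx.get("Account") in SANCTIONED_ADDRESSES:
            findings.append("sanctioned_sender")
        amt = tx.get("Amount")                       # XRP is a drops string; IOUs are dicts
        if isinstance(amt, dict) and amt.get("issuer") in SANCTIONED_ADDRESSES:
            findings.append("sanctioned_issuer")
    elif ttype == "TrustSet":
        if trustline_counterparty(tx) in SANCTIONED_ADDRESSES:
            findings.append("sanctioned_gateway")    # block before the line is created
    return findings

# Constructed sample transactions in rippled's JSON shape
PAYMENT_TAGGED = {"TransactionType": "Payment", "Account": "rCUSTOMERWALLETxxxxxxxxxxxxxxxxxx",
                  "Destination": POOL_ADDRESS, "DestinationTag": 1001, "Amount": "1000000"}
PAYMENT_UNTAGGED = {"TransactionType": "Payment", "Account": "rCUSTOMERWALLETxxxxxxxxxxxxxxxxxx",
                    "Destination": POOL_ADDRESS, "Amount": "2500000"}
TRUSTSET_BAD = {"TransactionType": "TrustSet", "Account": "rCUSTOMERWALLETxxxxxxxxxxxxxxxxxx",
                "LimitAmount": {"currency": "USD", "issuer": "rSANCTIONEDGATEWAYxxxxxxxxxxxxxxx",
                                "value": "1000"}}

if __name__ == "__main__":
    for tx in (PAYMENT_TAGGED, PAYMENT_UNTAGGED, TRUSTSET_BAD):
        print(tx["TransactionType"], resolve_customer(tx), screen(tx))
```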

freeze / globalFreeze for AML holds

XRPL protocol supports freezing individual trust lines (freeze flag) or all of them at once (globalFreeze). Use this for OFAC holds without moving the funds. Regulators generally accept this as a valid compliance primitive; it beats the admin-function approach on ERC-20.

rippling behaviour

When rippling is enabled on an account's trust lines, payments can route through without explicit consent, which could obscure transaction monitoring. Most compliant gateways disable rippling (NoRipple flag) on issuer accounts.
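An added example, not from the page, for the two sections above (freeze/globalFreeze holds and rippling): it decodes the freeze and NoRipple bits of an issuer's AccountRoot and of a RippleState (trust line) ledger entry so monitoring can tell whether an AML hold is actually in force and whether a line can still ripple. Assumption: the lsf* bit values in the comments are the rippled ledger-format constants as I know them, so verify them against your rippled version; addresses and ledger entries are constructed placeholders.

```python
# XRPL ledger-object flag bits (lsf* constants from the rippled ledger format; assumed current)
LSF_GLOBAL_FREEZE  = 0x00400000   # AccountRoot: issuer froze every trust line at once
LSF_NO_FREEZE      = 0x00200000   # AccountRoot: issuer permanently renounced freezing
LSF_DEFAULT_RIPPLE = 0x00800000   # AccountRoot: new trust lines ripple unless NoRipple is set
LSF_LOW_NO_RIPPLE  = 0x00100000   # RippleState: low-address side set NoRipple
LSF_HIGH_NO_RIPPLE = 0x00200000   # RippleState: high-address side set NoRipple
LSF_LOW_FREEZE     = 0x00400000   # RippleState: low-address side froze the line
LSF_HIGH_FREEZE    = 0x00800000   # RippleState: high-address side froze the line

def issuer_posture(account_root):
    """Decode the compliance-relevant bits of an issuer's AccountRoot entry."""
    flags = account_root.get("Flags", 0)
    return {"global_freeze": bool(flags & LSF_GLOBAL_FREEZE),
            "no_freeze": bool(flags & LSF_NO_FREEZE),
            "default_ripple": bool(flags & LSF_DEFAULT_RIPPLE)}

def trustline_posture(ripple_state, issuer):
    """Read a RippleState entry from the issuer's side. Which party is 'low' or 'high'
    is fixed by address order, so locate the issuer via LowLimit/HighLimit.issuer."""
    if ripple_state["LowLimit"]["issuer"] == issuer:
        freeze_bit, no_ripple_bit = LSF_LOW_FREEZE, LSF_LOW_NO_RIPPLE
    elif ripple_state["HighLimit"]["issuer"] == issuer:
        freeze_bit, no_ripple_bit = LSF_HIGH_FREEZE, LSF_HIGH_NO_RIPPLE
    else:
        raise ValueError("issuer is not a party to this trust line")
    flags = ripple_state.get("Flags", 0)
    return {"frozen_by_issuer": bool(flags & freeze_bit),
            "issuer_no_ripple": bool(flags & no_ripple_bit)}

def aml_hold_effective(account_root, ripple_state, issuer):
    """A hold is in force if the issuer froze this line individually or globally."""
    return (issuer_posture(account_root)["global_freeze"]
            or trustline_posture(ripple_state, issuer)["frozen_by_issuer"])

# Constructed fixtures with placeholder addresses; the issuer is the low side here
ISSUER = "rGATEWAYISSUERxxxxxxxxxxxxxxxxxxx"
HOLDER = "rTOKENHOLDERxxxxxxxxxxxxxxxxxxxxxx"
ROOT_PLAIN = {"LedgerEntryType": "AccountRoot", "Account": ISSUER, "Flags": 0}
ROOT_GLOBAL = {"LedgerEntryType": "AccountRoot", "Account": ISSUER, "Flags": LSF_GLOBAL_FREEZE}
LINE_FROZEN = {"LedgerEntryType": "RippleState", "Flags": LSF_LOW_FREEZE | LSF_HIGH_NO_RIPPLE,
               "LowLimit": {"currency": "USD", "issuer": ISSUER, "value": "0"},
               "HighLimit": {"currency": "USD", "issuer": HOLDER, "value": "1000"}}
LINE_OPEN = dict(LINE_FROZEN, Flags=0)

if __name__ == "__main__":
    print(trustline_posture(LINE_FROZEN, ISSUER), aml_hold_effective(ROOT_PLAIN, LINE_OPEN, ISSUER))
```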

🎯
Next step

If you're building on XRPL, run the 'Is my XRPL custody custodial?' diagnostic first: custody classification determines which AML obligations kick in.


General information only. Not legal advice. For your specific situation, consult a qualified lawyer.