AML Compliance for Crypto Exchanges: A 2026 Regulatory Map

The cryptocurrency exchanges are currently operating within well-defined regulatory frameworks in major jurisdictions. Travel Rule legislation has been passed in 85 jurisdictions of 117 (73%), and the Markets in Crypto-Assets Regulation (MiCA) issued by the EU is now fully implemented. The European and Middle Eastern regulators are withdrawing licenses and limiting access to platforms that do not comply. France issued 14 enforcement notices in Q4 2025 alone. BaFin in Germany prevented access to six offshore exchange domains that targeted German users without CASP authorization.

At crypto exchanges, compliance officers must determine whether the AML programs in place can withstand regulatory scrutiny in 2026. The guide navigates the regulatory requirements that all exchanges must now comply with, jurisdiction by jurisdiction, and identifies the areas of operation that remain weakest.

VASP Compliance Requirements: What the Global Framework Now Demands

A Virtual Asset Service Provider (VASP) is a designation developed by the Financial Action Task Force (FATF) in 2019. These subjects relate to anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. These businesses are now obliged to comply with a complete set of requirements. They should perform Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) for riskier customers. They also need to screen against sanctions, report suspicious activities, and continuously monitor transactions. Such regulations resemble those that conventional financial institutions have to observe.

More than 60 jurisdictions will have either VASP registration or licensing by 2026. The FATF’s June 2025 Targeted Update assessed progress and identified notable gaps. About 59% of areas with Travel Rule laws have not yet made any supervisory findings or taken enforcement actions. However, this gap in enforcement is closing quickly.

FATF also specifically requested that greater cooperation and direct action be taken across borders and that target anonymity-enhancing technologies be targeted. Various jurisdictions have minor variations in regulatory expectations, yet overall AML core requirements are consistent across jurisdictions.

The pattern is consistent: registration is only the initial requirement. Operational AML controls are what regulators are now auditing.

MiCA Compliance for Crypto Exchanges: The EU’s Hard Deadline

MiCA entered into full force and effect on December 30, 2024. The regulation introduced a single EU-wide licensing system, the Crypto-Asset Service Provider (CASP) authorization, in place of the patchwork of national VASP registrations. Firms with pre-MiCA national law can temporarily transition under the grandfathering clause (Article 143(3)), and the transition period must end on July 1, 2026. After that date, unregistered CASPs will have to stop EU activities or face enforcement action.

The fragmentation challenge is real. Member States may apply transitional regimes of different lengths, and some national authorities may set earlier compliance expectations within that broader MiCA framework. For exchanges operating across multiple EU jurisdictions simultaneously, the shortest applicable transitional window governs. A CASP authorized in one member state may still face restrictions when serving clients in another member state whose transitional period has expired. Authorization cannot be relied upon until passporting is formally approved.

ESMA and national authorities have increased supervisory activities under MiCA, revealing inconsistency in approaches across jurisdictions as the regime is operationalised. Key MiCA AML requirements exchanges must meet before their transitional period closes:

• Fully implemented CDD and EDD processes, including for self-hosted wallet verification above €1,000
• Transfer of Funds Regulation (TFR) Travel Rule compliance on all CASP-to-CASP transfers, with no minimum threshold
• Transaction monitoring aligned with MiCA’s conduct-of-business rules
• MiCA’s prudential requirements vary by CASP activity type and may include differentiated capital thresholds and operational safeguards.
• Under the EU Transfer of Funds Regulation (TFR), CASPs must verify control of unhosted wallets for transactions above €1,000. (This is verification, not general transaction reporting.)

Non-compliance under MiCA is punishable by administrative fines of up to €5 million or 3–12.5% of annual turnover, as well as personal liability and loss of license for individual executives. Moreover, non-compliant operators are likely to face increasing market and regulatory pressure.

Blockchain AML Monitoring: From Policy to Operational Reality

On-chain transaction monitoring is where many crypto exchange compliance programs fail in practice. The pseudonymous nature of blockchain transactions creates risks that cannot be managed solely through policy. Regulators in 2026 assess whether monitoring controls are actively functioning in practice, not just documented.

Effective blockchain AML monitoring at a crypto exchange requires three integrated capabilities.

Transaction monitoring that applies behavioral typologies specific to virtual assets: layering transaction schemes involving multiple wallet hops, rapid chain-hopping schemes involving multiple blockchains, use of mixing services, and high-velocity micro-transactions that split large amounts below reporting thresholds. These are different patterns from the traditional wire fraud, and monitoring rules need to reflect that.

Counterparty screening at the point of transaction processing. Every outbound payment to an external wallet address should be screened against sanctions lists, darknet market wallet clusters, and known ransomware addresses before the transfer is executed, not after. Post-transaction discovery creates regulatory exposure that a SAR filing cannot fully remediate.

Continuous monitoring of customer accounts beyond onboarding checks. Customer risk profiles evolve over time, which means periodic and event-driven re-screening is required to identify new sanctions exposure, adverse media, or law enforcement links that static onboarding controls cannot capture.

Digital Assets AML: The Wallet Screening and Travel Rule Imperative

Two operational requirements define the frontier of digital assets AML for exchanges in 2026: crypto wallet screening and Travel Rule implementation.

Wallet Screening

Every crypto address an exchange interacts with has a traceable on-chain history. That history may include direct exposure to darknet markets, ransomware payments, sanctions-designated wallets, mixing services, or illicit gambling platforms. Wallet screening identifies this exposure at onboarding and during transactions. Without it, exchanges conduct CDD on the customer but ignore the counterparty.

Travel Rule

FATF Recommendation 16 requires VASPs to share originator and beneficiary information of crypto transfers. This requirement is enforced by regulations; the EU’s Transfer of Funds framework is one, along with regulations in other jurisdictions. Under the EU Transfer of Funds Regulation (TFR), there is no minimum threshold for Travel Rule data requirements for CASP‑to‑CASP transactions. For transfers to or from self-hosted (unhosted) wallets above €1,000, exchanges must verify whether the customer controls that wallet before processing.

Travel Rule interoperability, the ability of the sending VASP’s system to exchange structured data with the receiving VASP’s system, has largely been resolved through messaging protocols, including TRISA and Notabene’s commercial solution. But the “sunrise issue” persists: when a compliant VASP in a regulated jurisdiction sends to a counterpart in a jurisdiction where the rule has not yet been legislated, the receiving VASP cannot return the required data. Exchanges must maintain documented procedures to manage such scenarios and avoid regulatory gaps.

How AML Watcher Supports Crypto Exchange Compliance

AML Watcher addresses these gaps through real-time Crypto exchanges that are still struggling to detect real risk signals in high transaction volumes and, as a result, often go unnoticed and do not receive timely regulatory response.

Crypto wallet screening, Travel Rule counterparty due diligence, and transaction monitoring aligned with virtual asset risk patterns, enabling compliance teams to focus on actionable alerts and strengthen regulatory readiness.