Crypto compliance in 2026: AML, sanctions and what’s ahead

The regulatory landscape 

United States

The Financial Action Task Force (FATF) continues to set the global standard for AML and CFT measures in the crypto space. In its June 2025 update, FATF highlighted persistent gaps in the implementation of its recommendations for virtual assets and virtual asset service providers (VASPs), particularly around the travel rule, which requires originator and beneficiary information to accompany transactions.

FATF urged jurisdictions to strengthen enforcement, improve cross-border cooperation and address anonymity-enhancing technologies that increase money laundering and terrorist financing risks. This global push underscores the expectation that crypto firms adopt robust compliance frameworks aligned with FATF standards, regardless of local regulatory maturity.

The U.S. has historically lagged in creating a unified federal framework for crypto regulation. That changed in July 2025, with the passage of the GENIUS Act, a landmark law that brought payment stablecoins under the Bank Secrecy Act (BSA). The GENIUS Act mandates comprehensive AML and sanctions compliance, including customer due diligence, transaction monitoring, suspicious activity reporting and Office of Foreign Assets Control (OFAC) screening.

GENIUS Act enforcement authority spans multiple agencies, including the U.S. Treasury, Federal Reserve and Office of the Comptroller of the Currency (OCC), with the Financial Crimes Enforcement Network (FinCEN) and OFAC playing central roles in oversight and penalties.

Most crypto firms in the U.S. remain classified as Money Services Businesses (MSBs) under FinCEN regulations, requiring registration and adherence to BSA and related regulations. However, the absence of a dedicated federal regulator with continuous supervisory powers has left gaps in AML and sanctions oversight. State-level regimes, such as New York’s BitLicense, add complexity but do not provide uniform standards.

A significant development came in December 2025, when the OCC granted conditional trust charters to five crypto firms, an expansion that builds on the 2021 precedent in which four firms were granted conditional charters. Of that earlier cohort, only Anchorage Digital Bank successfully met all OCC requirements and converted its conditional charter into an operational national trust bank. The other firms, Protego Trust Bank, Paxos Trust Company and BitGo Trust Company ultimately did not convert.

“FATF has set the global baseline: crypto firms must meet AML and sanctions standards regardless of jurisdiction,” said Kyle Daddio, Grant Thornton Risk Advisory Services Partner and AML & Sanctions Practice Leader. “As federal oversight expands, crypto’s integration into the financial system now comes with full AML and sanctions accountability.”

These charters mark a shift toward deeper integration into the federal banking system, subjecting firms to rigorous AML and sanctions compliance requirements, comparable to traditional banks. This move signals that federal oversight, and the expectations that come with it, are here to stay.

Other jurisdictions

In the United Arab Emirates (UAE), the AML framework for the crypto industry was established by Federal Decree-Law No. (20) of 2018 on AML and CFT. This framework was further strengthened in October 2025 with Federal Decree-Law No. (10) of 2025, which introduced provisions for Combatting Proliferation Financing (CPF) and ensured alignment with FATF standards.

The UAE Central Bank leads enforcement, supported by free-zone regulators such as the Financial Services Regulatory Authority (FSRA) in the Abu Dhabi Global Market (ADGM), which adopted the FATF Travel Rule in 2023 and issued guidance in 2025 requiring firms to avoid anonymous counterparties.

The UAE’s trajectory reflects its ambition to position itself as a global leader in crypto compliance.

Across the European Union (EU), the Markets in Cryptoassets Regulation (MiCA) of 2023 introduces sweeping compliance obligations for cryptoasset service providers (CASPs), aimed at strengthening AML and CFT controls. These obligations include expanded Know Your Customer (KYC) and due diligence, enhanced transaction monitoring and suspicious transaction reporting obligations.

CASPs must obtain a valid license to operate legally within the EU, ensuring only compliant and well-regulated entities participate in the market.

Additionally, the creation of the EU Single Rulebook for AML and CFT is set to harmonize AML regulation and enhance cooperation among financial intelligence units (FIUs). With the launch of its powers and responsibilities in July 2025, the new Anti-Money Laundering Authority (AMLA) made it clear that firms engaging in cryptoasset activities in the EU need to have strong protections against money laundering and terrorist financing.

In the United Kingdom (UK), crypto businesses have been required to register with the Financial Conduct Authority (FCA) since January 2020, under the Money Laundering Regulations 2017 (MLR). This framework is now set to change significantly with the introduction of the FCA’s new cryptoasset authorization gateway.

The application period for firms wishing to undertake newly defined cryptoasset-regulated activities will run from Sept. 30, 2026 to Feb. 28, 2027. Firms undertaking these activities will need to be authorized by the FCA under the Financial Services and Markets Act 2000 (FSMA), with the appropriate permissions in place when the new regime commences in October 2027.

The Office of Financial Sanctions Implementation HM Treasury (OFSI) cryptoassets threat assessment (PDF - 3.06MB), published in July 2025, highlights that UK cryptoasset firms have under-reported suspected breaches of financial sanctions to OFSI since they were added to the list of relevant firms in sanctions regulations in August 2022.

Recent enforcement trends

The crypto industry’s compliance journey since 2023 is a cautionary tale of mounting regulatory pressure, record-breaking penalties and evolving enforcement strategies. As AML and sanctions rules have tightened globally, regulators have made clear that compliance is nonnegotiable.

2023: The wake-up call

November 2023 marked a turning point when the U.S. Treasury announced its largest-ever settlement. Binance, the world’s biggest crypto exchange, was subject to $4.3 billion penalty stemming from ineffective AML controls, transactions with sanctioned entities and failures in suspicious activity reporting. Beyond the financial hit, the case included criminal charges, a compliance monitor, and the CEO’s resignation, an unmistakable signal that regulators were ready to act decisively.

Earlier in 2023, Bitzlato, a lesser-known crypto exchange, was the target of a joint enforcement action by U.S. and international authorities. The exchange was accused of laundering funds linked to ransomware operations and darknet markets. Law enforcement agencies seized Bitzlato’s assets, arrested its founder and shut down the platform in a coordinated global operation.

This event is widely cited as a significant example of global cooperation in crypto enforcement and highlights the increasing scrutiny on exchanges facilitating illicit activity.

2025: Mixed signals

In January 2025, the SEC dismissed its civil case against Coinbase, citing its new Crypto Task Force’s focus on rulemaking over punitive measures. This marked a moment of regulatory recalibration with a suite of other proceedings dropped, including the civil enforcement case against crypto exchange Kraken and the criminal proceedings against Binance.

While the SEC signaled a regulatory reset in 2025 by pausing or dismissing several high-profile crypto cases, AML and sanctions related enforcement actions continued. Other U.S. regulators, including the Department of Justice (DOJ) and FinCEN advanced enforcement actions against the crypto industry.

In late 2025, the DOJ fined OKX over $500 million for AML failures, including weak KYC checks and billions in suspicious transactions. FinCEN also hit Paxful with a $3.5 million penalty for willful BSA violations after facilitating $500 million in illicit activity.

Meanwhile, while Coinbase may have avoided penalties in the U.S., across the Atlantic the Central Bank of Ireland issued its first-ever enforcement action in the crypto sector. In November 2025, the regulator fined Coinbase Europe Limited 21.5 million euros (about $25 million) for breaching AML and CFT transaction monitoring obligations between 2021 and 2025.

In its publication of the action, the Central Bank emphasized that the unique technological features of crypto, combined with its anonymity-enhancing capabilities and cross-border nature make it particularly attractive to criminals seeking to move illicit funds.

This underscores why firms offering crypto services must implement robust controls to detect and report suspicious transactions promptly.

Opportunities and challenges ahead: 2026 and beyond

Expanded implementation of the FATF Travel Rule, enhanced sanctions screening and new obligations under U.S. and EU laws will raise the bar for compliance programs worldwide. Divergent rules across jurisdictions add complexity, requiring significant investment in governance, technology and expertise to manage cross-border obligations effectively.

To remain resilient and competitive in this heightened environment, crypto firms must focus on building and enhancing their AML and sanctions programs.

Key focus areas for building and strengthening compliance

1. Robust governance and oversight: Senior leadership should be actively engaged in the AML and sanctions program, providing meaningful challenges, oversight and strategic direction. This involvement must set the tone from the top by demonstrating an unwavering commitment to a strong culture of compliance. Firms must ensure adequate resourcing and support for compliance functions and maintain strong oversight of third-party service providers to demonstrate accountability.
2. Dynamic and tailored risk assessments: Risk assessments should be tailored to the individual risks facing the firm, reflecting the unique mix of products, services customer base and geographic exposure. Inherent risks, an evaluation of the effectiveness of control environments, and an overall residual risk rating should be clearly documented. Action plans should be tracked to completion to address identified gaps promptly.
3. Advanced transaction and blockchain monitoring: Firms should leverage advanced blockchain analytics to gain real‑time visibility into on‑chain transactions, identify high‑risk wallet exposures, trace complex fund flows and enrich alerts with actionable intelligence, supporting faster, more accurate investigations and suspicious activity reporting. When paired with traditional AML monitoring, these tools enable scalable, technology-driven compliance capability.
4. Technology: Firms should implement controls to detect and prevent prohibited access, including screening of U.S. users attempting to open accounts or engaging in trading activity while masking their location using VPNs or other obfuscation tools. Firms with global operations should also establish separate, fully licensed U.S. subsidiaries to support regulated U.S. trading activity.