Virtual Currency / Crypto AML

There's a persistent myth that crypto sits outside the rules. It doesn't. FinCEN made its position clear years ago: convertible virtual currency, C-V-C, value that substitutes for or acts like real currency, is within the Bank Secrecy Act framework, and many businesses dealing in it are money services businesses.

The anchoring document is FinCEN's twenty-nineteen guidance, F-I-N two-thousand-nineteen dash G-zero-zero-one, issued May ninth, twenty-nineteen, which consolidated how the existing MSB rules apply to convertible-virtual-currency activities. So the question for a crypto fintech isn't whether the BSA applies, it's whether your specific activity makes you a money transmitter. This lecture is about answering that, and about how AML actually works when the ledger is a public blockchain.

The test is the same functional one we met in lecture two: does the business accept value, here convertible virtual currency, from one person and transmit it to another. Apply that, and most crypto exchanges, many custodial wallet providers, and many transfer and on-ramp or off-ramp services are money transmitters under thirty-one C-F-R ten-ten point one-hundred f-f, with obligations under Part ten-twenty-two. The twenty-nineteen guidance walks through a long list of business models, hosted wallets, decentralized applications, peer-to-peer exchangers, mixing services, and explains how the money-transmission analysis applies to each.

Some models, like a pure provider of software with no custody and no acceptance-and-transmission of value, may fall outside, but that is fact-specific and narrowly read. The fintech lesson: don't assume 'we're just crypto' exempts you. Run the functional test, and if value moves through your hands, assume MSB status until counsel tells you otherwise.

If you're a money transmitter, the consequences are everything we've already covered. You register with FinCEN under ten-twenty-two point three-eighty, you build the program pillars, you run a Customer Identification Program and customer due diligence on your users, you monitor activity for suspicious patterns, you file suspicious activity and currency transaction reports, you comply with the Travel Rule for crypto transmittals, and you screen against OFAC sanctions. In other words, a crypto fintech that's an MSB has the same obligations as any other MSB; the asset is just different.

The practical wrinkle is that crypto compresses time and geography, value moves globally in seconds, so the same controls have to operate faster and across a borderless network. None of that reduces the obligations; it raises the bar on execution.

Here's what's genuinely different and, in some ways, an advantage. Public blockchains are transparent: every transaction is permanently recorded. They're pseudonymous, not anonymous, addresses, not names.

Blockchain-analytics tools exploit that by clustering addresses that belong to the same actor and tracing the flow of funds across the chain, so you can see where a customer's crypto came from and where it's going. A crypto fintech uses this to screen wallets and transactions for exposure to illicit sources, funds touching darknet markets, mixers and tumblers, sanctioned addresses, ransomware payments, or known theft. So your monitoring expands: you risk-score not just the account holder, as in traditional AML, but the on-chain counterparties and the provenance of the assets themselves.

A deposit from a freshly mixed source is a red flag a bank never had to consider; a crypto fintech absolutely does.

Globally, the frame is set by the Financial Action Task Force. F-A-T-F Recommendation fifteen addresses new technologies and brought virtual-asset service providers, VASPs, squarely into the standards: countries should require VASPs to be licensed or registered and to apply the full set of AML and sanctions obligations, including customer due diligence and reporting. And Recommendation sixteen, the Travel Rule, was extended to virtual-asset transfers, which is the source of the crypto Travel Rule challenge we discussed.

The reality on the ground is uneven: jurisdictions implement these standards at different speeds, creating arbitrage gaps that illicit actors exploit by routing through weaker regimes. A serious crypto fintech designs for the strictest applicable standard and assumes convergence is coming, rather than chasing the most permissive jurisdiction and getting caught flat when the rules tighten.

Let's lock it in. FinCEN's twenty-nineteen guidance confirms convertible virtual currency is within the BSA, and the functional money-transmitter test sweeps in most exchangers and custodial crypto businesses, with the full program obligations that follow. The crypto-specific tools are blockchain analytics, which let you trace fund provenance and risk-score on-chain counterparties, an advantage banks never had.

Globally, F-A-T-F Recommendation fifteen brings VASPs into scope and Recommendation sixteen extends the Travel Rule to virtual assets. Self-check: does your crypto activity pass the functional money-transmitter test, and if so, can you point to a full program plus on-chain screening? Next, we turn to a state-level obligation that federal registration does not satisfy: money transmitter licensing across the states.