Skip to content
GammaFlowwGammaFloww
Regulation & Compliance

KYC/AML for Crypto Exchanges: Building the Compliance Stack

Every regulated exchange needs a KYC/AML program — identity verification, sanctions screening, transaction monitoring, and the FATF Travel Rule. Here's the stack, sourced to FATF.

GammaFloww TeamJune 20, 20262 min read

Whatever jurisdiction you license in, one requirement is universal: a working KYC/AML program. It's not a checkbox — it's an operational system that touches onboarding, every transaction, and your banking relationships. Get it wrong and you lose your licence (and your bank). Here's what the stack looks like.

The four pillars

1. KYC — Know Your Customer

Verify who your users are at onboarding: identity documents, proof of address, and liveness/biometric checks, with enhanced due diligence (EDD) for higher-risk customers. Risk-rate each customer so monitoring can be proportionate.

2. Sanctions & PEP screening

Screen customers (and often counterparties) against sanctions lists (OFAC, UN, EU) and politically-exposed-person lists — at onboarding and continuously, since lists change.

3. Transaction monitoring

Monitor activity for suspicious patterns — structuring, rapid in-out flows, links to illicit addresses — and file Suspicious Activity Reports (SARs) with the relevant financial-intelligence unit when thresholds are met. On-chain analytics tie wallet activity to risk scores.

4. The FATF Travel Rule

This is the crypto-specific one. FATF's Recommendation 16 — the "Travel Rule" — requires that for virtual-asset transfers at or above the USD/EUR 1,000 threshold, the originating VASP collects and transmits identifying information about both sender and recipient to the receiving VASP (FATF). FATF updated Recommendation 16 at its June 2025 plenary, with changes phasing in as jurisdictions adopt them (FATF: Travel Rule best practices).

How it fits together

LayerWhat it doesWhen it runs
KYC / identityVerify who the user isOnboarding + periodic refresh
Sanctions / PEPScreen against watchlistsOnboarding + continuous
Transaction monitoringDetect suspicious activityEvery transaction
Travel RuleShare originator/beneficiary dataTransfers ≥ ~$1,000
ReportingFile SARs / regulatory reportsOn trigger

What this means for an operator

Compliance is an ongoing operating cost and a licence condition — not a one-time setup. Most exchanges assemble it from specialist vendors (identity verification, chain analytics, Travel Rule networks) wired into the platform. It also intersects with your licence: the jurisdiction you choose sets the specific thresholds, reporting bodies, and record-keeping rules.

The takeaway

A crypto exchange's compliance stack is four layers — KYC, sanctions screening, transaction monitoring, and the FATF Travel Rule — running continuously, not once. Budget for it as core infrastructure, because regulators and banks treat it as the price of admission.

Sources
  1. Best practices on Travel Rule supervision (June 2025)FATF
  2. Financial Action Task Force (Recommendation 16 / Travel Rule)FATF

General information, not legal or compliance advice. AML obligations vary by jurisdiction and change over time — confirm current rules with your regulator, FATF guidance, and qualified counsel. As of 2026.

Thinking about launching your own venue?

GammaFloww is the white-label engine behind modern derivatives exchanges. See how fast you could go live.