A robust compliance system is not just about manually checking passports; it involves a comprehensive process with three layers: decision-making procedures, AML transaction monitoring, and effective data collection (KYC/SOF).

Let’s explore the inner workings of a compliance mechanism based on current FATF standards and the real practices of AML officers.

Procedural Layer: Decision-Making Algorithm

The foundation of any VASP is a formalized data flow. Decisions regarding the blocking or successful processing of transactions cannot be based on an individual's mood. They are made within a cascading risk assessment model for each specific case. This mechanism remains universal for all.

Source: AMLOfficer.

Stage I. Automatic Preliminary Assessment (DP-1, Automatic)

The first stage of risk determination is the AML check of the transaction. Once a transaction enters the service's wallet, it is run through an AML service that verifies the source of funds.

Task. Automatic identification and filtering of transactions containing critical risk indicators (Severe Risk) without operator involvement.

Logic. The AML service checks the transaction for high-risk assets in the sender's wallet (e.g., sanctions, terrorism financing, ransomware, dark web, scams).

Outcome. Either "Automatic Confirmation" or "Red Flag" (alert).

Stage II. Risk Qualification (DP-2, Manual)

The alert is forwarded to a first-line specialist. Here, a manual analysis is conducted to check for false positives.

Case. A client transferred funds from a mixer, but the amount is insignificant, and the wallet history is clean.

Decision. The specialist assesses the company's risk appetite. If the transaction falls into the "Critical Risk" category (sanctions, terrorism, ransomware, scams), a full incident (case) is created.

Stage III. In-Depth Investigation (Investigation Team)

This is a key stage of internal compliance. A senior officer gets involved here.

Case Study. An in-depth OSINT investigation is conducted, documents (KYC/SOF) are requested, and a relationship graph is constructed.

DP-3 (Manual). Final assessment within the company.

Decision. If the client cannot explain the source of funds or if a connection to illegal activity is evident (critical risk), the VASP must prepare a Suspicious Activity Report (SAR) and submit it to the regulator.

Stage IV. Regulatory Oversight

After submitting the SAR, the initiative shifts to the financial intelligence unit (FIU).

Response Analysis. The regulator analyzes the received data.

DP-4 (Semi-Automatic). Assessment of the validity of suspicions at the state level.

Decision. If the regulator identifies a crime, an investigation report is generated, and the case is forwarded to law enforcement.

Stage V. Law Enforcement (Law Enforcement Agencies)

The final stage: the exchange acts as a witness, executor, or data source. This leads to a criminal investigation and court proceedings, resulting in a court decision (DP-5, Manual):

  • Not Guilty. The transaction is deemed legitimate (legal transaction), and the funds are unfrozen;
  • Guilty. The assets are classified as illegal (illegal transaction), leading to fines or confiscation.

Important for VASP: After the third stage (submission of the SAR), the provider loses control over the process. Attempting to return funds to the user at stages IV and V without the authorization of competent authorities may be classified as a legal violation.

OSINT as a Necessary Tool for Security

The OSINT process within a VASP must be formalized just like KYC and on-chain analysis. This requires a standardized methodology: which sources are checked first, how screenshots and links are recorded, how the reliability of sources is assessed, and how OSINT results are integrated into the final risk scoring of the case.

OSINT should not depend on the analyst's subjective approach. Conclusions must be reproducible, verifiable, and understandable for external auditors or the FIU.

The combination of on-chain analytics and OSINT significantly enhances decision-making quality at the DP-3 level. If the AML service signals high risks but OSINT does not confirm a connection to actual illegal activity, the case may remain in "increased risk without SAR" status under enhanced monitoring.

However, if OSINT reveals signs of a fraudulent project, activity on dark web platforms, or sanctions evasion—even with a partially "clean" on-chain trace—this becomes grounds for escalation, blocking, and filing a SAR/STR.

The table below is designed for the systematic assessment of risks identified through OSINT at the DP-2/DP-3 levels and for linking them directly to specific decisions, from conducting EDD and setting limits to blocking and filing SARs.

Red flags in OSINT for crypto investigations. Source: AMLOfficer.

Note: The specified categories of "red flags" are used solely for internal risk assessment and should not be directly communicated to the client to avoid information disclosure (tipping off) and violations of AML legislation.

Now, let’s move on to the next logical level: AML triggers, the on-chain and behavioral indicators that put an address or transaction in the high-risk zone, where it may be blocked.

AML Triggers: What Specifically Gets Blocked?

All assets are categorized by risk. The "cleanliness" of a transaction depends on the source of the funds.

Source: AMLOfficer.

According to risk classification, blocking is almost inevitable when interacting with high and critical risk categories. These include:

  • Direct or indirect links to dark web marketplaces;
  • Funds associated with fraudulent stores or scam projects;
  • Tools for obfuscating transaction trails;
  • Funds obtained through hacker extortion;
  • Stolen assets;
  • Addresses under sanctions.

If on-chain and OSINT analysis shows a connection to these categories, the exchange is not being overly cautious—it is fulfilling a security requirement.

Instrumental Layer: What Tools Are Used for Analysis?

Modern crypto compliance is impossible without AML services for transaction analysis: VASPs must check each transaction.

An effective AML service includes:

  • Clustering. Understanding that the address bc1q… belongs to a specific exchange or dark web platform;
  • Graph Visualization. Tracking the chain of fund movement (peeling chains, mixing);
  • Risk Assessment. Assigning a risk level to the transaction.

Within a risk-oriented approach, companies use several independent AML sources to validate risk assessments. For example, AMLOfficer acts as an aggregator, allowing transactions and wallets to be checked simultaneously through four AML providers.
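The automatic Stage I (DP-1) screening and the multi-provider validation described above can be combined in one routine. The following is an added example, not AMLOfficer's code or any provider's API: the report format, provider names, category keys and the fail-closed handling of a missing provider result are all assumptions.

```python
from dataclasses import dataclass, field

# Severe-risk categories listed for Stage I; the key spellings are assumptions.
SEVERE = frozenset({"sanctions", "terrorism_financing", "ransomware", "dark_web", "scam"})

@dataclass
class Dp1Result:
    tx_id: str
    outcome: str = "AUTO_CONFIRM"      # or "RED_FLAG"
    reasons: list = field(default_factory=list)
    providers_disagree: bool = False   # input for the DP-2 false-positive check

def dp1_screen(tx_id, reports):
    """reports maps provider name -> {category: share of funds}, or None if the
    provider returned nothing. Any severe exposure from any provider is an alert."""
    result = Dp1Result(tx_id)
    flagged, clean, failed = [], [], []
    for provider, exposure in sorted(reports.items()):
        if exposure is None:
            # Assumption: fail closed. A missing verdict is not a clean verdict.
            failed.append(provider)
            result.reasons.append(f"{provider}: no result")
            continue
        hits = sorted((c, s) for c, s in exposure.items() if c in SEVERE and s > 0)
        (flagged if hits else clean).append(provider)
        result.reasons += [f"{provider}: {cat} {share:.0%}" for cat, share in hits]
    if not reports:
        result.reasons.append("no provider consulted")
    if flagged or failed or not reports:
        result.outcome = "RED_FLAG"
    result.providers_disagree = bool(flagged and clean)
    return result

# Constructed sample reports from two hypothetical providers.
SAMPLE = {
    "tx-001": {"prov_a": {"exchange": 1.0}, "prov_b": {"exchange": 0.97, "gambling": 0.03}},
    "tx-002": {"prov_a": {"exchange": 0.9, "ransomware": 0.1}, "prov_b": {"exchange": 1.0}},
    "tx-003": {"prov_a": {"exchange": 1.0}, "prov_b": None},
}

if __name__ == "__main__":
    for tx_id, reports in SAMPLE.items():
        print(dp1_screen(tx_id, reports))
```

The `providers_disagree` flag and the per-provider reasons give the first-line specialist at DP-2 a starting point for the false-positive check.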

Data Layer: KYC/SOF Guide

The most challenging question for VASPs is: what documents should be requested? Here, the RBA (Risk-Based Approach) principle applies. Requirements must be adaptive.

We have created a decision matrix based on jurisdictional risks. Use the table below as a cheat sheet when setting internal policies.

Document request matrix for VASPs. Source: AMLOfficer.

KYC as an Indicator for Compliance Decisions

For VASPs and crypto exchanges, KYC is not just an "entry filter"; it is a formalized framework through which almost all compliance logic regarding the client and their transactions passes. The KYC profile sets the initial risk level, depth of monitoring, and threshold after which a case goes for manual review or escalation to SAR/STR. Each DP stage—from automatic scoring to final escalation—essentially answers one question: "Who exactly are we serving?".

A risk-oriented approach in KYC means that the crypto service pre-defines in its policy the types of clients, products, and jurisdictions, and then determines a set of mandatory compliance controls for each risk profile.

For clients from fully regulated jurisdictions (USA, EU/MiCA, UAE, Singapore, etc.), this typically involves standard CDD: identification, document verification, sanctions and PEP checks, and establishing the purpose of the business relationship.

For high-risk clients or complex structures, EDD is applied—with an expanded package, UBO verification, and enhanced monitoring. The procedure matrix also incorporates triggers: which events—volume increases, entering new countries, connections to mixers, negative media—require updating the KYC profile and revising limits.

The KYC policy should clearly distinguish between "basic KYC" and enhanced user verification. The Source of Funds (SOF) explains where the money for a specific operation comes from—e.g., salary, asset sale, or OTC transaction. The Source of Wealth (SOW) describes how the client's overall wealth was formed and whether it aligns with their declared profile.

For most users, a spot SOF check for individual operations is usually sufficient. A complete SOW package is applied for large transactions, dealings with PEPs, offshore structures, and other high-risk profiles. Without satisfactory SOF/SOW for a high-risk client, the case cannot be "closed in green" and must either remain under enhanced monitoring or be escalated.

KYC Document Checklist for Crypto Services

Basic KYC (Individuals, CDD). The minimum requirement for account opening and low/medium limits:

  • Personal information: Full name, date of birth, citizenship, residential address, contact phone number, email;
  • Identification document: Passport, ID card, international passport, driver's license (if permitted by local law);
  • Proof of address: Utility bill, bank statement, tax notification, official letter from a government agency, rental agreement/extract from the registry—usually no older than three months;
  • Selfie/liveness check: Photo/video with the document in hand or biometric verification via an app;
  • Confirmation of service usage purpose: Brief description (trading, P2P, investments, payments).

Basic KYC (Legal Entities, CDD). For corporate clients and structures:

  • Founding documents: Certificate of Incorporation, Articles of Association, extract from the commercial register;
  • Company details: Full name, legal address, registration number, tax number;
  • Ownership and management structure: Ownership chart, list of directors and authorized signatories;
  • UBO documents: IDs and Proof-of-Address of each beneficiary with a share above the established threshold, usually 25%;
  • Business description: Type of activity, main counterparties/markets, expected volumes, and purpose of operations in the crypto service.

Additional Documents for EDD (Enhanced Due Diligence). Applied to high-risk clients/jurisdictions, PEPs, complex structures, and abnormal behavior:

  • Income verification (for individuals): Salary certificate, employment contract, tax returns, bank account statements, asset sale agreements, inheritance, dividends;
  • Business legality confirmation (for legal entities): Financial statements (audited if necessary), key contracts/invoices for main flows, licenses and permits from regulators if the business is regulated;
  • Additional risk questionnaires: PEP declaration, information on position, public status, countries of presence, sources of capital;
  • Enhanced media and sanctions checks (adverse media, expanded sanctions/PEP lists) with results documented in the client file.

Documents for Source of Funds (SOF). Requested for specific operations/flows if the amount, frequency, or on-chain risks exceed the threshold:

  • Bank statement confirming the receipt of funds entering the crypto service;
  • Invoices, contracts, acts for transactions that formed the deposit (e.g., sale of goods/services);
  • Proof of asset sale: Contracts and payments for the sale of real estate, vehicles, business shares, securities;
  • Documents for crypto sources: Statements from other exchanges, reports from wallets, on-chain tracing when migrating assets between services.

Documents for Source of Wealth (SOW). Used for large volumes, VIP clients, complex offshore structures, PEPs, and other high-risk categories:

  • Consolidated description of wealth history: A brief summary from the client on how their capital was formed (business, investments, inheritance, asset sales);
  • Supporting documents for key sources of wealth: Share in a business (founding documents, financial statements, dividend decisions), investments (brokerage reports, documents for the sale of shares), inheritance/gifts (wills, gift agreements, court decisions), income from professional activities (contracts, fees, IP licenses).

Internal Checklist for KYC File. To ensure compliance decisions are defensible, the KYC file must contain not only documents but also metadata:

  • Log of all versions of the client questionnaire and data updates;
  • Date and result of document verification (ID, address, UBO), provider/method used;
  • Screenshots/reports on sanctions, PEP, and adverse media with the date of verification;
  • Decision on risk level, limits, and need for EDD/SOF/SOW indicating the officer and date;
  • Links to related cases (alerts, investigations, SAR/STR) if applicable.

KYC Risks and Action Algorithms When They Arise

Source: AMLOfficer.

Red Lines: Abuse and Excessive Document Requests

It is important to remember: a VASP is a private company, not a prosecutor's office. In compliance practice, there is a concept of "excessive and unlawful information requests" (Abusive Information Requests): demands that violate the data minimization principle.

This approach stems from the risk-based approach in AML (AML-RBA), GDPR requirements, and the practices of financial intelligence units (FIUs): the volume and depth of requested information must be proportional to the identified risk level and justified in the client file.

According to recommendations and common sense, a compliance officer should not request from the client:

  • Bank statements from third parties (the client's counterparties);
  • Internal accounting reports and tax returns (unless this is the only way to confirm SoW for high-risk clients);
  • Notarized affidavits;
  • Audit reports.

Requesting these documents is legitimate only with an official request from competent authorities (court, law enforcement). Including them in the exchange's standard checklist is a sign of unprofessionalism and a risk of legal claims from users.

Effective compliance is a balance between business security and achieving business goals (conversion). To maintain this balance:

  • Implement automatic monitoring at the entry point;
  • Use a risk matrix (see the table above) to avoid burdening "clean" clients with excessive checks.

To reduce the risk of dealing with high-risk crypto assets, use data from multiple AML providers. This approach is already implemented in AMLOfficer.

If the situation requires more detailed analysis, service specialists can provide consultations and recommendations.

Text: AMLOfficer Team