Crypto Compliance Guide for Businesses


The era of optional crypto compliance is over

Murphy’s Law: The Crypto Law Firm

In late 2025, the DOJ fined OKX over $500 million for anti-money laundering failures that included weak KYC checks and billions in suspicious transactions moving across the platform. FinCEN hit Paxful with a $3.5 million penalty after the platform willfully violated the Bank Secrecy Act and facilitated roughly $500 million in illicit activity. The Central Bank of Ireland fined Coinbase Europe 21.5 million euros (about $25 million) in November 2025 for failing to monitor transactions between 2021 and 2025. Binance’s 2023 settlement with the DOJ and Treasury totaled $4.3 billion, and its founder served four months in federal prison.

These are the new baseline for enforcement, not the ceiling.

If you run a crypto exchange, a stablecoin issuer, a token project, a wallet provider, a payments platform, or a DeFi protocol with U.S. exposure, crypto compliance is the difference between operating legally and shutting down. This guide covers what U.S. law actually requires, how 2025 and 2026 reshaped the picture, and what an effective program looks like in practice.

Which crypto businesses need a compliance program

Almost all of them. The specific obligations differ, but the question is rarely whether you have compliance obligations. It is which ones.

  • Crypto exchanges and trading platforms. If you facilitate buying, selling, or trading crypto assets for U.S. customers, FinCEN classifies you as a money services business (MSB). You must register with FinCEN, implement a written AML program, file suspicious activity reports, and comply with the Travel Rule for transfers above $3,000.
  • Stablecoin issuers. The GENIUS Act, signed into law on July 18, 2025, brought payment stablecoin issuers under the Bank Secrecy Act. FinCEN and OFAC issued a joint proposed rule on April 8, 2026, that treats permitted payment stablecoin issuers (PPSIs) as financial institutions with mandatory AML and sanctions compliance programs. Comments close June 9, 2026, and the final rule takes effect 12 months after issuance.
  • Custodians and wallet providers. If you hold crypto for U.S. customers or manage private keys on their behalf, you likely qualify as an MSB and face similar BSA obligations.
  • Token issuers. Whether your token is a security, a digital commodity, a stablecoin, or a collectible affects which federal regulator has jurisdiction. That classification question needs to be answered before the token is launched, not after.
  • DeFi protocols. Fully autonomous, immutable protocols occupy a gray zone, but developers, governance participants, and infrastructure providers with U.S. connections may have real OFAC and BSA exposure. The pending Senate Banking Committee amendment to the Responsible Financial Innovation Act would require DeFi trading protocols to implement risk management standards, and intermediaries using those protocols would have to comply with AML and sanctions laws.
  • Crypto ATM operators. Digital asset kiosk operators face registration requirements and operational rules under both the Bank Secrecy Act and the pending Senate market structure legislation, including customer identification, transaction limits, holding periods, and disclosure obligations.
  • Crypto payment processors, NFT marketplaces, and staking platforms. Depending on structure, these businesses may trigger BSA, SEC, CFTC, or state money transmitter obligations, sometimes all four.

If you are not sure which category you fall into, that uncertainty is itself a compliance issue. The first step for any crypto business is a clear-eyed assessment of what you do, who regulates it, and what obligations attach.

The four regimes every crypto business needs to understand

U.S. crypto compliance does not live in one statute. It lives in an overlapping stack of federal and state frameworks, each with its own regulators, rules, and penalties. Four regimes cover the majority of compliance risk for most businesses.

1. The Bank Secrecy Act and FinCEN

The BSA is the foundation of U.S. AML law. FinCEN enforces it, and for crypto businesses classified as MSBs or as permitted payment stablecoin issuers under the GENIUS Act, BSA compliance is non-negotiable.

A traditional MSB AML program has four pillars: written policies and procedures, a designated compliance officer, employee training, and independent testing. The reform framework FinCEN proposed in April 2026 would add a mandatory risk assessment and shift examiners toward evaluating whether programs are actually effective rather than whether they technically exist on paper. Minor deficiencies would not trigger significant enforcement. Systemic or material failures would.

Core BSA obligations include:

  • Know-your-customer and customer identification program procedures
  • Ongoing transaction monitoring for suspicious activity
  • Suspicious Activity Report (SAR) filings
  • Currency Transaction Reports (CTRs) where applicable
  • Travel Rule compliance for transfers above $3,000, including collection and transmission of sender and beneficiary information
  • Recordkeeping

2. OFAC sanctions

Every U.S. person, including every U.S. crypto business, must comply with OFAC sanctions. That means blocking, freezing, or rejecting transactions involving sanctioned individuals, entities, or jurisdictions, and reporting the blocked activity to OFAC. For crypto businesses, this obligation extends to blockchain addresses.

OFAC publishes a list of designated cryptocurrency wallet addresses on its Specially Designated Nationals list. Crypto businesses are expected to screen wallet addresses against this list before processing transactions, which is technically distinct from traditional payment screening because blockchain transactions are irreversible once broadcast. Your controls have to operate before confirmation, not after.

The GENIUS Act’s sanctions compliance program requirement, implemented in the April 2026 FinCEN/OFAC proposal, was the first time federal law explicitly mandated that a specific category of U.S. persons maintain an effective sanctions compliance program. OFAC’s five pillars track closely with AML program requirements: senior management commitment, risk assessment, internal controls, testing and auditing, and training.

Enforcement is accelerating. In September 2025, the DOJ filed a civil forfeiture action to recover approximately $584,741 in stablecoins tied to a defendant charged with exporting electronic components to Iran in violation of U.S. sanctions. In January 2026, OFAC designated two UK-based exchanges connected to Iranian financier Babak Zanjani for processing approximately $1 billion in funds linked to the IRGC.

3. Securities laws and the SEC

If your token, staking service, or investment product is a security, the SEC has jurisdiction. The March 2026 joint SEC/CFTC interpretation provided significant clarity: Bitcoin, Ethereum, Solana, XRP, and 12 other major crypto assets are now classified as digital commodities rather than securities. The Howey test still applies, but the framework now recognizes that investment contracts can end once a project is functional and sufficiently decentralized.

For crypto businesses, this creates a narrower set of securities obligations than existed under the prior administration, but meaningful obligations remain. Tokenized securities, investment contracts tied to crypto assets, certain staking arrangements, and platforms that facilitate trading of digital securities all face SEC requirements. For a fuller breakdown of the current framework, see our SEC crypto regulations guide.

4. Commodities laws and the CFTC

The CFTC has authority over digital commodity spot markets and derivatives. If your business lists futures, options, or swaps on digital commodities, or operates as a futures commission merchant accepting crypto as collateral, CFTC rules apply. The House-passed CLARITY Act and the pending Senate market structure bill would significantly expand CFTC jurisdiction over digital commodity exchanges, brokers, and dealers. If those bills pass in anything close to their current form, many businesses currently operating in regulatory ambiguity will need to register and file.

State-level compliance: the money transmitter licensing maze

Federal compliance is the floor. Depending on your business and the states where you operate, you may also need money transmitter licenses (MTLs) at the state level. State MTL requirements vary wildly. Some states require full MTL registration for any business that transmits crypto for third parties. Others have issued no-action relief or passed crypto-specific statutes that carve out certain activities.

Getting state licensing wrong is one of the most common and most expensive compliance failures for crypto startups. Operating without a required MTL can trigger state enforcement actions, consent orders, refund obligations, and personal liability for officers. Getting the license itself is slow and resource-intensive, often involving surety bonds, capital minimums, and ongoing reporting.

What an effective crypto compliance program actually includes

Every effective program shares the same basic architecture.

A written program that matches your actual business

Compliance documents that do not describe what the business actually does are worse than useless. They tell examiners the program is performative. Your policies, procedures, and risk assessment should accurately describe your products, your customers, your geographic footprint, and the specific risks your business creates. If you offer staking but your program does not mention it, that is a problem.

A qualified compliance officer with real authority

The BSA requires a designated compliance officer. That person has to have the expertise, seniority, and independence to actually run the program. Compliance officers who report into product or engineering, who cannot say no to business initiatives, or who lack the resources to do the job are a recurring finding in enforcement actions.

Transaction monitoring that operates pre-broadcast

This is the area where crypto compliance diverges most sharply from traditional finance. Blockchain transactions are irreversible once confirmed, so your screening has to happen before the transaction is broadcast to the network. Effective programs use blockchain analytics tools like Chainalysis, Elliptic, or TRM Labs to screen wallet addresses for connections to sanctioned parties, known fraud operations, darknet markets, and high-risk jurisdictions.

Automated screening is necessary but not sufficient. Effective programs also include thresholds for manual review, clear escalation procedures, and documented decisions. If a regulator reviews a suspicious transaction a year from now, you need to show who made the decision to process or block it, what information they considered, and why.
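As an added illustration of the pre-broadcast gate described above (example code written for this guide, not the firm's or any analytics vendor's), the sketch below screens both counterparty addresses against a constructed placeholder set standing in for SDN-listed wallets, holds transfers above $3,000 that lack Travel Rule data, escalates large transfers to a human reviewer, and records every decision with who made it, what it considered, and why, before anything is broadcast. The $25,000 manual-review threshold and the two required Travel Rule fields are assumptions, not requirements stated on this page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed placeholder values standing in for OFAC SDN-listed wallet addresses.
# A real deployment loads the current SDN data (or a vendor feed) instead.
SDN_ADDRESSES = {
    "0xsanctionedplaceholder00000000000000000000",
    "bc1qsanctionedplaceholder0000000000000000000",
}
TRAVEL_RULE_USD = 3_000.0                 # threshold stated on the page
MANUAL_REVIEW_USD = 25_000.0              # assumed internal escalation threshold
REQUIRED_TR_FIELDS = ("name", "account")  # assumed minimum Travel Rule fields


@dataclass
class Transfer:
    tx_id: str
    sender: str
    beneficiary: str
    amount_usd: float
    originator: dict = field(default_factory=dict)        # Travel Rule data
    beneficiary_info: dict = field(default_factory=dict)  # Travel Rule data


@dataclass
class Decision:
    tx_id: str
    outcome: str        # "block", "hold", or "approve"
    reasons: list       # what the decision considered and why
    decided_by: str     # who (or which system) made it
    decided_at: str     # UTC timestamp, for the examiner a year from now


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def screen(tx: Transfer, sdn=SDN_ADDRESSES, decided_by="auto-screen") -> Decision:
    """Evaluate a transfer BEFORE broadcast and return a documented decision."""
    reasons = []
    # 1. Sanctions: a listed address on either side blocks the transfer outright.
    for role, addr in (("sender", tx.sender), ("beneficiary", tx.beneficiary)):
        if addr.strip().lower() in sdn:
            reasons.append(f"{role} address matches SDN list")
    if reasons:
        return Decision(tx.tx_id, "block", reasons, decided_by, _now())
    # 2. Travel Rule: above $3,000 both parties' identifying data must be present.
    if tx.amount_usd > TRAVEL_RULE_USD:
        for label, info in (("originator", tx.originator), ("beneficiary", tx.beneficiary_info)):
            missing = [f for f in REQUIRED_TR_FIELDS if not info.get(f)]
            if missing:
                reasons.append(f"Travel Rule data missing for {label}: {missing}")
    # 3. Internal threshold: large transfers wait for a human reviewer.
    if tx.amount_usd > MANUAL_REVIEW_USD:
        reasons.append(f"amount {tx.amount_usd:.2f} exceeds manual review threshold")
    outcome = "hold" if reasons else "approve"
    return Decision(tx.tx_id, outcome, reasons or ["no screening hits"], decided_by, _now())


def process(tx: Transfer, broadcast, audit_log: list) -> Decision:
    """The gate: write the decision to the audit log first, broadcast only on approval."""
    decision = screen(tx)
    audit_log.append(decision)
    if decision.outcome == "approve":
        broadcast(tx)
    return decision
```

A held transfer stays in the queue until a reviewer appends a second Decision under their own name, so the log shows both the automated and the human step.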

SAR filings that actually describe what happened

FinCEN wants useful SARs. Narratives copy-pasted from a template, missing transaction hashes, or lacking enough context to understand the red flags do not help law enforcement and do not protect the filer. Train your compliance team to write a SAR that a criminal investigator can use.

Independent testing

Your compliance program has to be tested by someone independent of the people who run it. For smaller businesses, that usually means hiring outside auditors. For larger ones, internal audit may work if internal audit is genuinely independent. FinCEN and OFAC have both flagged that in-house audits often lack the independence and expertise to meaningfully evaluate a compliance program.

Training that is not a check-the-box video

Employees at every level of a crypto business need training tailored to their roles. Customer service teams need to identify and escalate red flags. Engineers need to understand what OFAC screening actually does. Executives need to understand what personal liability looks like when it arrives.

Where crypto businesses usually fail

Years of enforcement actions reveal the same pattern of failures. The most common ones are also the most preventable.

  • Inconsistent KYC. Onboarding customers without meaningful identity verification, or applying verification inconsistently across geographies, has been a recurring theme in major enforcement actions.
  • Alerts nobody reviews. A transaction monitoring system that generates alerts without follow-through is worse than no system at all, because it shows the business knew something was off and did nothing.
  • No sanctions screening of wallet addresses. Screening customer identities against OFAC lists without also screening counterparty wallet addresses leaves a significant exposure gap.
  • Compliance officers without authority. A compliance officer who cannot stop a product launch, cannot hire staff, and cannot escalate directly to the board is a compliance officer in name only.
  • Ignoring state licensing requirements. Many crypto startups operate nationally without analyzing MTL obligations state by state. Remediation costs are substantial when a state regulator catches up.
  • Static risk assessments. A risk assessment written at company formation and never updated does not reflect the actual risk profile of a growing business. Regulators expect ongoing reassessment as products, customers, and geographies change.

How Murphy’s Law helps crypto businesses build and defend compliance programs

Murphy’s Law is a crypto law firm founded by Liam Murphy, Esq., a University of Pennsylvania Law School graduate whose career includes building OFAC, BSA, and AML compliance programs, interpreting SEC securities law for crypto clients, structuring DeFi products to comply with CFTC rules, and defending executives and companies against government enforcement actions.

At Paul Hastings, Liam defended DeFi and NFT companies facing government scrutiny. At Selendy Gay, he drafted complaints against crypto fraudsters, including Terraform Labs. At McKool Smith, he represented the Celsius trust in post-bankruptcy litigation.

Murphy’s Law advises crypto businesses on the full range of crypto compliance consulting work, including:

  • Initial classification analysis for tokens, products, and business models
  • BSA and AML program design, including written policies, risk assessment, and procedures
  • OFAC sanctions compliance program development
  • Travel Rule implementation
  • Blockchain analytics vendor selection and integration
  • Compliance officer training and program testing
  • Response to FinCEN, OFAC, SEC, CFTC, and state regulator inquiries
  • GENIUS Act readiness for stablecoin issuers
  • Money transmitter licensing strategy and state filings

Liam prefers advising clients to resolve regulatory matters quietly when possible. Murphy’s Law is equipped to litigate when the situation calls for it.

Frequently asked questions about crypto compliance

Is my crypto business required to register with FinCEN?

If your business transmits crypto on behalf of customers, exchanges crypto for fiat or other crypto, or acts as a payment processor, it likely qualifies as a money services business under FinCEN regulations and must register. Stablecoin issuers will face separate registration and program requirements under the GENIUS Act once the FinCEN and OFAC rule takes effect.

What is the Travel Rule and who does it apply to?

The Travel Rule requires financial institutions, including crypto MSBs, to collect and transmit sender and beneficiary identifying information for transfers above $3,000. Implementation is technically challenging for on-chain transfers, and FinCEN has indicated that good-faith efforts and documented compliance frameworks satisfy current expectations. The technology is still catching up to the legal requirement.

Do DeFi protocols have compliance obligations?

It depends on the level of decentralization and the structure of the protocol. Fully autonomous, immutable protocols with no U.S. developers or governance participants face fewer direct obligations. Protocols with U.S. developers, centralized governance, or custodial user interfaces may face meaningful OFAC and BSA exposure. The pending Senate market structure legislation would formalize risk management requirements for DeFi trading protocols.

What happens if my crypto business receives a subpoena or regulatory inquiry?

Engage experienced crypto counsel immediately. How your business responds in the first days of an inquiry often determines whether the matter becomes a small correction, a consent order, or a full enforcement action. Do not produce documents, make statements, or engage directly with regulators without counsel reviewing your approach first.

How much does a crypto compliance program cost to build?

Costs vary with business complexity, geographic footprint, product mix, and whether you are building from scratch or remediating an existing program. For a growing crypto startup, a full initial build that covers policies, procedures, risk assessment, training materials, vendor selection, and independent testing typically runs in the tens to low hundreds of thousands of dollars. Ongoing annual maintenance is a smaller but recurring cost. The alternative, an enforcement action with multi-million dollar penalties, is much more expensive.

Does Murphy’s Law offer consultations for crypto businesses?

Yes. Murphy’s Law offers free initial consultations. Contact Liam Murphy through murphyslawcrypto.com or call 913-575-0540 to discuss your compliance needs.

Build the program before you need it

The crypto businesses that survive the next several years will be the ones that treat compliance as infrastructure, not paperwork. Regulators are no longer grading on a curve. The enforcement actions of late 2025 and early 2026 make clear that “we are a crypto company, the rules are unclear” is not a defense that works anymore.

Contact Liam Murphy today for a free consultation