The regulatory landscape for cryptocurrency exchanges has transformed dramatically over the past two years. What was once a fragmented patchwork of guidance and enforcement actions has coalesced into a structured compliance framework that exchanges ignore at their peril. This article maps the current obligations and emerging requirements that define exchange compliance in 2026.
The AML/KYC Foundation
Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements form the bedrock of exchange compliance. In the United States, cryptocurrency exchanges are classified as Money Services Businesses (MSBs) under FinCEN regulations, subjecting them to the Bank Secrecy Act (BSA) and its implementing regulations. This means exchanges must:
Register with FinCEN and maintain that registration. Operating without registration is a federal crime, as several early exchange operators discovered through enforcement actions.
Implement a written AML program that includes internal policies and procedures, designation of a compliance officer, ongoing employee training, and independent review. The program must be risk-based, meaning it should be calibrated to the specific risks posed by the exchange's customer base, product offerings, and geographic exposure.
Conduct Customer Due Diligence (CDD) at onboarding and on an ongoing basis. This includes verifying customer identity, understanding the nature and purpose of the customer relationship, and conducting ongoing monitoring to identify suspicious activity. Enhanced Due Diligence (EDD) is required for higher-risk customers, including politically exposed persons (PEPs) and customers from high-risk jurisdictions.
File Suspicious Activity Reports (SARs) when the exchange knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity, is designed to evade BSA requirements, or has no apparent lawful purpose. The SAR filing threshold for MSBs is $2,000, significantly lower than the $5,000 threshold for banks.
The Travel Rule: Implementation Reality
The Financial Action Task Force (FATF) Travel Rule — requiring Virtual Asset Service Providers (VASPs) to exchange originator and beneficiary information for transfers above a threshold — has moved from theoretical requirement to operational reality. In the United States, FinCEN's Travel Rule applies to transfers of $3,000 or more. The EU's Transfer of Funds Regulation, implemented alongside MiCA, applies to all crypto-asset transfers regardless of amount.
The practical challenge of Travel Rule compliance is interoperability. Multiple messaging protocols have emerged — including TRISA, OpenVASP, and Sygna Bridge — but no single standard has achieved universal adoption. Exchanges must either support multiple protocols or risk being unable to transact with counterparties using different systems.
For transfers involving self-hosted wallets (where there is no counterparty VASP to exchange information with), exchanges face additional obligations. The EU requires exchanges to verify the ownership of self-hosted wallets for transfers above €1,000. In practice, this means exchanges must implement wallet verification procedures — typically requiring the customer to sign a message with the wallet's private key or complete a micro-transaction.
MiCA: The European Framework
The Markets in Crypto-Assets Regulation (MiCA), which became fully applicable in December 2024, represents the most comprehensive regulatory framework for crypto-assets globally. For exchanges operating in or serving EU customers, MiCA introduces several significant obligations:
Authorization requirements. Crypto-Asset Service Providers (CASPs) must obtain authorization from their home member state's competent authority. The authorization process requires demonstrating adequate governance, capital, and operational capabilities.
Prudential requirements. CASPs must maintain minimum capital (either €50,000, €125,000, or €150,000 depending on the services provided) and must hold client assets in segregated accounts.
Market abuse provisions. MiCA extends market abuse prohibitions — including insider dealing, market manipulation, and unlawful disclosure of inside information — to crypto-asset markets. Exchanges must implement surveillance systems to detect and report potential market abuse.
Disclosure requirements. Issuers of crypto-assets must publish a white paper meeting specific content requirements, and exchanges must ensure that listed assets comply with these requirements.
Blockchain Analytics as a Compliance Tool
Regulators increasingly expect exchanges to use blockchain analytics as part of their AML programs. Transaction monitoring that relies solely on traditional financial indicators — transaction size, frequency, and counterparty — is no longer sufficient. Exchanges must also monitor the on-chain provenance of funds.
This means screening incoming transactions against known risk indicators: sanctioned addresses (OFAC's SDN list now includes numerous cryptocurrency addresses); addresses associated with darknet markets, ransomware, or fraud; and addresses linked to mixing services or privacy protocols. The depth of screening expected varies by jurisdiction and risk profile, but the direction is clear: exchanges that cannot demonstrate on-chain transaction monitoring are falling below the regulatory standard.
Intelligence APIs play a critical role in this process by providing real-time risk scoring for transactions and counterparties. The key requirement is that the API's risk assessments are explainable — regulators and auditors need to understand why a transaction was flagged, not just that it was. APIs that provide detailed attribution data, confidence scores, and verifiable evidence trails are essential for defensible compliance programs.
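What an explainable screening result can look like, as an added example that is not taken from the article or from any vendor's API: a deposit's funding sources are traced backwards through a transfer graph, and every hit is returned with its category, confidence, label source and the transaction path that links it to the deposit. The addresses, labels, graph, weights and thresholds are all constructed for illustration.

```python
from collections import deque

# Constructed attribution data: address -> (category, confidence, where the label came from)
LABELS = {
    "addr_sdn_1":   ("sanctioned", 1.0,  "sanctions list entry (placeholder)"),
    "addr_mixer_1": ("mixer",      0.75, "clustering heuristic (constructed)"),
}
WEIGHT = {"sanctioned": 100, "darknet_market": 80, "mixer": 60}  # assumed policy weights
REVIEW_AT, BLOCK_AT = 20, 60                                     # assumed thresholds

# Constructed transfer graph: address -> [(funding address, txid)]
INFLOWS = {
    "sender_A": [("hop_x", "tx3"), ("clean_1", "tx4")],
    "hop_x":    [("addr_sdn_1", "tx1")],
    "sender_B": [("addr_mixer_1", "tx7")],
    "sender_C": [("clean_1", "tx9")],
}

def screen(sender, max_hops=3):
    """Trace a deposit's funding sources backwards and explain every hit."""
    findings, seen = [], {sender}
    queue = deque([(sender, 0, [])])
    while queue:
        addr, hops, path = queue.popleft()
        if addr in LABELS:
            category, confidence, source = LABELS[addr]
            findings.append({
                "address": addr, "category": category, "hops": hops,
                "confidence": confidence, "source": source, "tx_path": path,
                # exposure halves with each hop between the label and the deposit
                "points": WEIGHT[category] * confidence * 0.5 ** hops,
            })
            continue  # do not trace past a labelled entity
        if hops < max_hops:
            for src, txid in INFLOWS.get(addr, []):
                if src not in seen:
                    seen.add(src)
                    queue.append((src, hops + 1, path + [txid]))
    findings.sort(key=lambda f: f["points"], reverse=True)
    score = findings[0]["points"] if findings else 0.0
    decision = "block" if score >= BLOCK_AT else "review" if score >= REVIEW_AT else "allow"
    return {"sender": sender, "score": score, "decision": decision, "findings": findings}
```

The `max_hops` limit is itself a compliance decision that should be documented: with `max_hops=1` the indirect sanctions exposure behind `sender_A` is never reached and the transfer is allowed.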
Enforcement Trends
Enforcement actions in 2025 and early 2026 signal the priorities of regulators worldwide. Several trends are notable:
Increasing penalties. Fines for AML failures have escalated significantly. FinCEN, the SEC, and the CFTC have all imposed penalties in the hundreds of millions for compliance failures at major exchanges. The message is clear: compliance is cheaper than non-compliance.
Personal liability. Regulators are increasingly pursuing individual compliance officers and executives, not just the corporate entity. This trend raises the stakes for compliance professionals and underscores the importance of documented, defensible compliance programs.
Cross-border coordination. Enforcement actions increasingly involve coordination between multiple jurisdictions. The days of regulatory arbitrage — operating from a permissive jurisdiction to serve customers in stricter ones — are ending as regulators share information and coordinate enforcement.
Building a Defensible Program
For exchanges navigating this landscape, the path forward requires investment in three areas: technology (blockchain analytics, transaction monitoring, Travel Rule messaging), people (qualified compliance officers with cryptocurrency expertise), and process (documented policies, regular risk assessments, independent audits). The exchanges that treat compliance as a competitive advantage — rather than a cost center — will be best positioned as the regulatory framework continues to mature.