AML Framework for Tokenization Platforms: Global Compliance Requirements

AML Compliance in the Tokenization Context

Anti-money laundering compliance for tokenization platforms is more demanding than for conventional financial services businesses in one critical respect: the pseudonymous nature of blockchain transactions creates a unique due diligence challenge. A compliance officer at a traditional bank can screen wire transfers for sanctions exposure through correspondent banking relationships. A compliance officer at a tokenization platform must assess the provenance of cryptocurrency inflows, the risk profile of on-chain counterparties, and the movement of assets through blockchain addresses — none of which map cleanly onto conventional AML frameworks.

Regulators globally have responded to this challenge through two mechanisms: extending existing AML frameworks to cover virtual asset service providers (VASPs), and adding VASP-specific requirements — particularly the FATF Travel Rule and blockchain analytics expectations — on top of the conventional AML baseline.

This guide addresses the full AML compliance framework for tokenization platforms, organized by the three functional pillars: Know Your Customer (KYC/CDD/EDD), Transaction Monitoring (including blockchain analytics), and Transfer of Funds (Travel Rule).

FATF Recommendation 16: The Travel Rule

FATF Recommendation 16, as amended by the FATF’s 2019 Guidance on Virtual Assets and VASPs, requires VASPs to collect, hold, and transmit originator and beneficiary information for virtual asset transfers above the applicable threshold ($1,000 / €1,000 / equivalent).

The Travel Rule is modeled on the wire transfer rule (FATF R.16 for conventional banks), but its implementation in the virtual asset context presents unique challenges that the conventional banking Travel Rule did not encounter.

Required Data Fields

Originator information (from the sending VASP):

• Originator’s name
• Originator’s account number (crypto wallet address or platform account ID)
• Originator’s physical address; OR national identity number; OR customer identification number; OR date and place of birth

Beneficiary information (to the receiving VASP):

• Beneficiary’s name
• Beneficiary’s account number (crypto wallet address or platform account ID)

Both fields must be transmitted with the transfer in a form that allows the receiving VASP to verify the information against its own KYC data for the beneficiary. The information must be available to relevant authorities upon request; it need not be included in the blockchain transaction itself (and technically cannot be for pseudonymous blockchains).

Jurisdictional Implementation Status (Q1 2026)

The Travel Rule has been implemented by most major VASP jurisdictions:

• EU: Implemented through the Transfer of Funds Regulation (TFR), as amended. Effective June 2023. Threshold: €1,000 (with no minimum for transfers between VASPs — all such transfers require Travel Rule data).
• UK: Implemented through amended MLRs. Effective September 2023. Threshold: £1,000.
• Singapore: Implemented through MAS Notice PSN01 amendment. Effective January 2024. Threshold: S$1,500.
• Hong Kong: Implemented through SFC licensing conditions for VATPs. Effective January 2024. Threshold: HKD 8,000.
• UAE: Implemented through CBUAE guidance and VARA requirements. Effective 2024. Threshold: AED 3,500.
• Switzerland: Implemented through revised AMLA and FINMA circular. Effective 2021. Threshold: CHF 1,000.
• US: Not yet formally implemented through binding regulation (FinCEN’s proposed Travel Rule for VASPs remains in rulemaking as of Q1 2026). US VASPs operating internationally must comply with counterpart VASP requirements.
• Bermuda: Not yet formally implemented, but BMA expects VASPs to apply FATF standards as best practice.

The Sunrise Problem

The “sunrise problem” refers to the period during which some jurisdictions have implemented the Travel Rule and others have not. A VASP in a compliant jurisdiction (e.g., Singapore) cannot transmit Travel Rule data to a VASP in a non-compliant jurisdiction (e.g., a VASP in a country with no Travel Rule implementation) because the receiving VASP has no systems to receive or process the data.

The FATF’s guidance addresses this through a risk-based approach: VASPs in compliant jurisdictions should treat transactions with VASPs in non-compliant jurisdictions with heightened scrutiny, and may need to apply additional controls (including enhanced due diligence and transaction monitoring) to mitigate the elevated risk.

In practice, VASPs assess counterpart VASPs’ compliance posture before sending transfers. This has driven the development of VASP directories and compliance attestation databases (including OpenVASP, Notabene’s network, and Sygna’s network) that allow VASPs to verify counterpart compliance status before initiating transfers.

Technical Solutions for Travel Rule Compliance

The Travel Rule requires technical infrastructure to transmit beneficiary and originator data securely between VASPs. Several competing protocols and platforms have emerged:

TRISA (Travel Rule Information Sharing Architecture): An open-source, decentralized protocol for VASP-to-VASP Travel Rule data exchange. TRISA uses public key cryptography to encrypt data during transmission. VASPs register with the TRISA directory service and exchange data through peer-to-peer connections without a central intermediary.

Notabene: A commercial Travel Rule compliance platform. Notabene provides a VASP network directory, data transmission infrastructure, and compliance workflow tools. It supports multiple data standards (IVMS101, TRISA, OpenVASP) and integrates with most major custody and exchange platforms.

Sygna Bridge: A commercial platform operated by CoolBitX. Sygna Bridge provides Travel Rule data exchange between participating VASPs and has significant adoption in the Asian market, particularly among Singapore and Hong Kong-licensed VASPs.

OpenVASP: An open standard developed by Bitcoin Suisse. OpenVASP provides a protocol specification for VASP identification and Travel Rule data exchange. It has been implemented by several European VASPs.

Shyft Network / Veriscope: A blockchain-based Travel Rule protocol. Veriscope uses on-chain attestations for VASP identity verification and off-chain channels for data transmission.

Compliance officers should evaluate Travel Rule solutions based on: geographic coverage (which counterpart VASPs are on the same network), data standard compatibility (IVMS101 is the emerging global standard), integration effort with existing custody and transaction systems, and cost.

KYC: CDD and EDD Requirements

Customer due diligence (CDD) for tokenization platforms follows the standard FATF risk-based framework, with VASP-specific additions for blockchain-native risk indicators.

Standard CDD (All Customers)

Individual customers:

• Full legal name (matching government-issued ID)
• Date of birth
• Nationality
• Residential address
• Government-issued identity document (passport, national ID card)
• Proof of address (utility bill, bank statement — within 3 months)

Corporate customers:

• Full legal name and registration details
• Country of incorporation and legal form
• Registered address and principal place of business
• Directors and senior managers (identity verification)
• Beneficial owners (to the 25% threshold, or lower for higher-risk customers)
• Source of funds (business revenues, investment proceeds, etc.)

Refresh frequency: CDD information should be refreshed at minimum every 3 years for standard-risk customers, annually for higher-risk customers.

Enhanced Due Diligence (EDD) Triggers

EDD is required when standard CDD reveals elevated risk indicators. Common EDD triggers for tokenization platforms:

• Customer is from an FATF grey-listed or blacklisted jurisdiction
• Customer is a politically exposed person (PEP) or associated with a PEP
• Customer’s source of funds is inconsistent with their stated profile
• Transaction patterns that are inconsistent with stated purpose of account
• Blockchain analytics alert indicating association with high-risk addresses
• Structuring patterns suggesting attempt to avoid reporting thresholds
• Customer requesting unusual anonymity or refusing to provide standard documentation

EDD measures include:

• Senior management approval for the relationship
• Source of wealth documentation (bank statements, tax returns, business accounts)
• Enhanced ongoing monitoring with lower alert thresholds
• Periodic manual review of transaction patterns
• Additional identity verification through alternative channels

Beneficial Ownership: The 25% Threshold

FATF guidance and most national implementations require disclosure of beneficial owners down to the natural person level, with a 25% ownership or control threshold as the standard trigger. Some jurisdictions apply a lower threshold:

• VARA applies a 10% threshold for UBO disclosure
• MAS applies 25% but requires disclosure of any person who exercises effective control regardless of percentage ownership
• FCA applies 25% but expects assessment of whether anyone below 25% exercises effective control

For tokenization platforms with complex corporate structures — holding companies, trusts, investment vehicles — the beneficial ownership analysis requires a full ownership chain analysis. Nominee shareholders do not break the chain; the ultimate natural person behind any nominee arrangement must be identified.

Blockchain Analytics: The On-Chain Monitoring Requirement

Blockchain analytics is not explicitly required by most regulatory frameworks, but it is functionally mandatory. Regulators in Singapore, Hong Kong, the UK, and the EU have all published guidance or supervisory expectations that VASPs should use blockchain analytics tools to assess the risk of incoming and outgoing cryptocurrency transfers.

The three market-leading blockchain analytics providers are:

Chainalysis: The largest blockchain analytics firm globally by VASP customer count. Chainalysis Reactor provides investigation and visualization tools; Chainalysis KYT (Know Your Transaction) provides real-time transaction screening APIs. Chainalysis data covers Bitcoin, Ethereum, and most major blockchains. Pricing scales with transaction volume; annual contracts for MPI/CASP-scale operations typically range from $60,000 to $250,000.

Elliptic Navigator: Elliptic’s analytics platform covers transaction and wallet screening across 100+ blockchains. Elliptic’s particular strength is in DeFi protocol coverage — its analytics extend to smart contract interactions, which is particularly relevant for tokenization platforms that use DeFi infrastructure. Annual contracts: $50,000–$200,000.

TRM Labs: TRM Labs provides transaction monitoring APIs and compliance workflow tools. TRM has strong coverage of emerging blockchains and is particularly noted for its regulatory-grade audit trails. Annual contracts: $40,000–$180,000.

All three platforms provide:

• Real-time wallet screening against OFAC SDN and other sanctions lists
• Risk scoring for wallet addresses based on exposure to known illicit services (darknet markets, ransomware, mixers, scam addresses)
• Transaction path analysis showing funds flow through blockchain hops
• Alerts when screened wallets have indirect (2nd or 3rd-hop) exposure to high-risk counterparties

Alert disposition: The compliance value of blockchain analytics depends entirely on what happens when an alert is generated. Every platform must have documented alert review procedures: who reviews alerts, within what timeframe, what escalation steps apply, and when a suspicious activity report is filed. Regulators examining blockchain analytics programs look first at the alert disposition process, not the technology itself.

US BSA Requirements and SAR Filing

For tokenization platforms with US operations or US person exposure, the Bank Secrecy Act (BSA) imposes AML program requirements enforced by FinCEN. Virtual asset businesses that qualify as money services businesses (MSBs) — including cryptocurrency exchanges and cryptocurrency dealers — must:

• Register with FinCEN as a MSB
• Implement a written AML program with internal controls, independent testing, designated AML Officer, and training
• File Currency Transaction Reports (CTRs) for cash transactions exceeding $10,000
• File Suspicious Activity Reports (SARs) for transactions of $2,000 or more that involve suspicious activity — with an upper threshold of $5,000 for MSB SARs
• Maintain records of transactions above $3,000 and transmit originator/beneficiary information for wire transfers above $3,000 (pending finalization of the Travel Rule for VASPs)

SAR filing practice: SAR filings are confidential — no tipping off the customer. The SAR must describe the suspicious activity in sufficient detail for law enforcement to pursue if warranted. Common grounds for SAR filing in tokenization contexts: customer provides inconsistent source of funds information, blockchain analytics reveals high-risk wallet exposure, customer structures transactions below reporting thresholds, customer refuses to provide EDD documentation when requested.

FinCEN has signaled that it expects VASPs to file SARs for all transactions involving OFAC-sanctioned wallets, regardless of whether the platform was aware of the sanctions exposure at the time of transaction. This imposes a retroactive monitoring obligation — platforms must screen historical transactions when new sanctions designations are published.

Further information: FATF Guidance on Virtual Assets (2021)

Related Resources

• Travel Rule Compliance Guide
• How to Get a MiCA CASP License: AML Requirements
• FCA Crypto Registration: AML Standards
• Jurisdiction Comparison Tool
• Regulatory Encyclopedia