AML_CFT_CHECKLIST_v2026 - Web3 Compliance
FATF · Global · Updated: Jan 2026 · Live document

Web3 AML/CFT Compliance Checklist

The definitive web3 legal services compliance checklist - 60+ actionable requirements mapped to FATF standards, jurisdiction-specific obligations, and operational best practice for VASPs, exchanges, DeFi protocols, and digital asset businesses.

60+ Checklist items
FATF aligned
40+ Jurisdictions
Clickable & trackable
Overall Compliance Score (ID: AML-CFT-2025-01)
KYC / CDD: 12 items
AML Programme: 10 items
Transaction Monitoring: 10 items
Sanctions Screening: 8 items
Travel Rule: 8 items
Governance & Records: 12 items
Why This Checklist Exists

AML/CFT is Not Optional for Web3 Businesses

FATF Recommendation 15 and its Interpretive Note extended the global AML/CFT standards to virtual assets and VASPs in 2019. The 200+ jurisdictions of the FATF global network have committed to implementing them, and every major financial centre has since enacted domestic law that makes AML/CFT compliance a legal obligation - not a best practice - for any entity operating in the digital asset space. Implementation across the rest of the network is still uneven, which is why each item below is also mapped to specific national rulebooks.

Failure to maintain a compliant AML/CFT programme exposes your business to regulatory fines that have reached into the billions of dollars for the largest exchanges, criminal prosecution of individual officers, suspension or revocation of licences, banking partner termination, and reputational damage that can be fatal to a growing business.

This checklist is structured around the core FATF requirements for VASPs - aligned with the most stringent global frameworks (UAE VARA, MAS PSA, HK SFC, and the EU AML regime that applies to MiCA-licensed CASPs) and translated into practical, implementable actions for web3 legal consulting clients.

Primary Framework Alignment
FATF Recommendations 10, 12, 15, 16, 20 · FATF Interpretive Note for R.15 · FATF Guidance on Digital Identity 2020 · FATF Updated Guidance for VAs and VASPs 2021
$4.3B - Crypto AML fines issued globally in 2023
200+ - Jurisdictions in the FATF global network committed to the VASP standard
48h - Typical regulator response window for STR acknowledgement
5 yr - Minimum record retention required across all major jurisdictions
Checklist Item Severity Key
CRITICAL Failure constitutes a criminal or regulatory offence. Must be resolved immediately.
HIGH Directly triggers regulator scrutiny. Resolve before licence application or audit.
MEDIUM Required for full compliance. May be phased in over a structured roadmap.
BEST PRACTICE Exceeds minimum requirements. Demonstrates mature compliance culture to regulators.

Interactive AML/CFT Checklist

Click each item to mark complete. Your progress is tracked in real time. For web3 legal services advisory on any item, consult our team.

01 · Know Your Customer (KYC) / Customer Due Diligence (CDD)

Identity verification, risk classification, and ongoing monitoring of all customers - individual and corporate.
KYC-01 CRITICAL
Written Customer Onboarding Policy
A documented policy covering KYC requirements for all customer types (retail, professional, corporate, PEP, high-risk), tiering methodology, and approval procedures.
FATF R.10 · VARA AML-CFT Standards Sec. 3
KYC-02 CRITICAL
Identity Verification for All Retail Customers
Government-issued ID verification (passport, national ID, driving licence) for all retail customers prior to transacting. Must include name, DOB, nationality, and ID number.
FATF R.10 · EU 5AMLD Art. 13 · MAS PSN 02
KYC-03 HIGH
Proof of Address Verification
Utility bill, bank statement, or official correspondence (max 3 months old) confirming residential address for all retail customers. Digital delivery accepted in most jurisdictions.
FATF R.10 · FCA SYSC 6.3
KYC-04 CRITICAL
Corporate Customer Beneficial Ownership Verification
For all corporate customers: verify the legal identity of the entity, identify all beneficial owners holding 25% or more (or the lower threshold, typically 10%, that some regulators apply to high-risk customers), and verify each UBO's identity to the same standard as an individual customer. Where no natural person meets the threshold, identify the senior managing official and record why.
FATF R.10 · EU 5AMLD Art. 13
KYC-05 CRITICAL
PEP Identification & Enhanced Due Diligence
Screen all customers against PEP databases at onboarding and on an ongoing basis. Apply EDD to all PEPs: senior management approval required, source of wealth and source of funds verification mandatory.
FATF R.12 · EU 5AMLD Art. 20 · VARA AML Sec. 5
KYC-06 CRITICAL
Risk-Based Customer Risk Rating System
Documented, rules-based methodology for classifying customers as Low, Medium, or High risk at onboarding. Risk factors must include: geography, business type, transaction volume, product type, source of funds.
FATF R.10 · FATF RBA Guidance for VAs 2021
KYC-07 HIGH
Source of Funds & Source of Wealth Verification (EDD)
For high-risk customers, PEPs, and those transacting above defined thresholds: documentary verification of source of funds (payslips, tax returns, company accounts) and source of wealth (salary history, investment history, inheritance).
FATF R.10 · FCA SYSC 6.3.7
KYC-08 CRITICAL
Ongoing Due Diligence & Periodic Review
Systematic periodic review of customer profiles: High-risk customers reviewed at least annually, Medium-risk every 2–3 years, Low-risk every 3–5 years. Trigger-based reviews for material changes in customer behaviour.
FATF R.10 · VARA AML Sec. 3.4
KYC-09 HIGH
eKYC / Digital Identity Verification Solution
Automated document verification, liveness detection, and biometric matching solution for remote KYC. Must comply with local digital identity standards (UK DIATF, EU eIDAS, Singapore MyInfo, UAE Pass or equivalent). Test the liveness and document checks against presentation attacks (printed or screen-replayed IDs, injected video) before relying on them for onboarding.
FATF Digital ID Guidance 2020
KYC-10 HIGH
Customer Refusal & Exit Policy
Documented policy for refusing onboarding or terminating existing customer relationships where KYC cannot be completed satisfactorily. Includes STR filing obligation when refusal is ML/TF-related.
FATF R.10 · FCA SYSC 6.3
KYC-11 HIGH
High-Risk Country / Jurisdiction Restrictions
Documented policy applying EDD or prohibition to customers and transactions from jurisdictions on the FATF "increased monitoring" (grey) list and "call for action" (black) list, plus any additional jurisdictions your regulator designates. Updated each time FATF publishes its lists after a plenary (typically February, June, October).
FATF R.19 · VARA · CBUAE notices
KYC-12 MEDIUM
Third-Party KYC Reliance & Outsourcing Controls
Where KYC is performed by or relied upon from a third party, a documented reliance agreement must exist. The VASP remains ultimately responsible. Third parties must themselves be regulated for AML/CFT purposes.
FATF R.17
02 · AML/CFT Programme Structure

The foundational governance, policy, and organisational elements of a compliant AML/CFT programme.
AML-01 CRITICAL
ML/TF Business-Wide Risk Assessment
Documented assessment of the money laundering and terrorist financing risks inherent to your specific business: products, services, customers, geographies, and delivery channels. Updated at least annually and upon material business changes.
FATF R.1 · VARA AML Sec. 2 · EU 5AMLD Art. 8
AML-02 CRITICAL
Appointed Money Laundering Reporting Officer (MLRO)
A named, senior individual appointed as MLRO with responsibility for AML/CFT compliance, STR filing, regulator liaison, and programme oversight. MLRO must be pre-approved by regulators in most jurisdictions (VARA, SFC, FCA, MAS).
FATF R.18 · FCA SYSC 6.3.9 · VARA AML Sec. 7
AML-03 CRITICAL
Written AML/CFT Policies & Procedures Manual
Comprehensive written policies covering KYC, transaction monitoring, STR reporting, sanctions screening, record-keeping, Travel Rule, and staff training - reviewed and approved by senior management annually.
FATF R.18 · VARA AML Sec. 3
AML-04 HIGH
Board-Level AML/CFT Oversight
The board receives regular AML compliance reporting (minimum quarterly). At least one board member is designated with AML oversight responsibility. Board minutes should reflect AML discussions and any remediation actions.
FATF R.18
AML-05 CRITICAL
AML/CFT Staff Training Programme
All staff who handle customer relationships or transactions must receive AML/CFT training at induction and at least annually thereafter. Training must cover red flag recognition, STR reporting obligations, and specific crypto AML typologies. Records maintained.
FATF R.18 · VARA AML Sec. 9
AML-06 HIGH
Independent AML/CFT Programme Audit
Annual independent assessment of the AML/CFT programme by an appropriately qualified and independent party (internal audit or external specialist). Findings reported to board. Remediation tracked and evidenced.
FATF R.18 · FCA SYSC 6.1.2
AML-07 CRITICAL
Internal Suspicious Activity Reporting Mechanism
Formal channel for staff to report suspicions of ML/TF activity to the MLRO without alerting the customer (tipping-off prohibition). MLRO must assess each internal report and decide whether to file an external STR with the FIU.
FATF R.20 · UAE AML Law Art. 15
AML-08 CRITICAL
STR Filing Capability with the Relevant FIU
Registered with, and able to file Suspicious Transaction Reports to, the relevant Financial Intelligence Unit (UAE: goAML; UK: UKFIU SAR portal; Singapore: STRO; EU: the national FIU). The MLRO must file within the timeframe set by local law, which ranges from "as soon as practicable" after a suspicion is formed to a fixed number of days; confirm the figure for each jurisdiction you operate in rather than relying on a single global window.
FATF R.20
AML-09 HIGH
Tipping-Off Prohibition Controls
Staff training and operational procedures ensuring that customers are never informed that they are the subject of an STR or AML investigation. Includes procedures for handling customer queries about account restrictions without tipping off.
FATF R.21
AML-10 MEDIUM
Whistleblower / Protected Disclosure Channel
Secure, confidential channel for staff to report AML/CFT concerns without fear of retaliation. Protection from dismissal, demotion, or discrimination for good-faith AML reporters required in most jurisdictions.
FATF R.18 · EU Whistleblower Dir. 2019/1937
03 · Transaction Monitoring

Automated and manual monitoring of customer transactions and on-chain activity for suspicious patterns.
TXN-01 CRITICAL
Automated Transaction Monitoring System (TMS)
Deployed automated TMS that monitors all customer transactions in real-time or near real-time against documented scenario rules. System must generate alerts for review, log all alerts and dispositions, and retain data for the required period.
FATF R.10 · VARA AML Sec. 6
TXN-02 CRITICAL
Blockchain Analytics Tool Integration
On-chain analytics solution (Chainalysis, Elliptic, TRM Labs, Crystal, or equivalent) integrated into transaction workflows for wallet address risk scoring, counterparty identification, and transaction tracing. Alerts reviewed by trained AML analysts.
FATF VASP Guidance 2021 · VARA AML Sec. 6.2
TXN-03 HIGH
Cash Transaction / CTR Threshold Monitoring
Monitoring and reporting of large cash or fiat transactions above regulatory thresholds. Includes structuring (smurfing) detection - identifying patterns of transactions designed to stay below reporting thresholds.
FATF R.10
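A worked example of the structuring detection described above, added here for illustration; it is not part of the original checklist and not any vendor's TMS rule. The threshold (10,000), the 72-hour look-back window, the three-deposit minimum, the floor below which small deposits are ignored, and the deposit records are all constructed assumptions; real scenario parameters are set per jurisdiction and tuned against your own data.

```python
"""Structuring (smurfing) detection over fiat deposit records.

Added example, not part of the original checklist. Rule, threshold, window
and sample data are assumptions: a reporting threshold of 10,000, a 72-hour
look-back, and a rule that fires when a customer makes three or more
sub-threshold deposits whose total crosses the threshold inside the window.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000.0          # single-transaction reporting threshold (assumed)
WINDOW = timedelta(hours=72)      # look-back window for aggregation (assumed)
MIN_COUNT = 3                     # minimum number of sub-threshold deposits (assumed)
NEAR_FLOOR = 0.5 * CTR_THRESHOLD  # ignore small deposits unlikely to be structuring (assumed)


@dataclass(frozen=True)
class Deposit:
    tx_id: str
    customer_id: str
    amount: float
    ts: datetime


@dataclass(frozen=True)
class Alert:
    customer_id: str
    tx_ids: tuple[str, ...]
    total: float
    window_start: datetime
    window_end: datetime


def detect_structuring(deposits: list[Deposit]) -> list[Alert]:
    """Return one alert per customer window in which the rule fires.

    Only deposits individually below CTR_THRESHOLD (and at or above NEAR_FLOOR)
    are aggregated: a deposit at or above the threshold is reportable on its
    own under the CTR rule and is deliberately not counted here.
    """
    by_customer: dict[str, list[Deposit]] = defaultdict(list)
    for d in deposits:
        if NEAR_FLOOR <= d.amount < CTR_THRESHOLD:
            by_customer[d.customer_id].append(d)

    alerts: list[Alert] = []
    for cid, txs in by_customer.items():
        txs.sort(key=lambda d: d.ts)
        start = 0
        for end in range(len(txs)):
            # shrink the window from the left until it fits inside WINDOW
            while txs[end].ts - txs[start].ts > WINDOW:
                start += 1
            window = txs[start:end + 1]
            total = sum(d.amount for d in window)
            if len(window) >= MIN_COUNT and total >= CTR_THRESHOLD:
                alerts.append(Alert(cid, tuple(d.tx_id for d in window), total,
                                    window[0].ts, window[-1].ts))
                # advance past this window so the same deposits are not re-alerted
                start = end + 1
    return alerts


# Constructed sample data, not real customer records.
SAMPLE_DEPOSITS = [
    Deposit("t1", "C-100", 9_500.0, datetime(2025, 3, 1, 9, 0)),
    Deposit("t2", "C-100", 9_800.0, datetime(2025, 3, 1, 17, 30)),
    Deposit("t3", "C-100", 9_700.0, datetime(2025, 3, 2, 10, 15)),   # 3 deposits, 29,000 in ~25h: alert
    Deposit("t4", "C-100", 200.0, datetime(2025, 3, 2, 11, 0)),      # below NEAR_FLOOR: ignored
    Deposit("t5", "C-200", 9_900.0, datetime(2025, 3, 1, 9, 0)),
    Deposit("t6", "C-200", 9_900.0, datetime(2025, 3, 10, 9, 0)),    # nine days apart: no alert
    Deposit("t7", "C-300", 12_000.0, datetime(2025, 3, 1, 9, 0)),    # over threshold: CTR rule, not this one
    Deposit("t8", "C-300", 6_000.0, datetime(2025, 3, 1, 10, 0)),
    Deposit("t9", "C-300", 5_000.0, datetime(2025, 3, 1, 11, 0)),    # only two sub-threshold deposits: no alert
]

if __name__ == "__main__":
    for a in detect_structuring(SAMPLE_DEPOSITS):
        print(f"{a.customer_id}: {len(a.tx_ids)} deposits totalling {a.total:,.2f} "
              f"between {a.window_start} and {a.window_end} -> {a.tx_ids}")
```

The rule fires for C-100 only. Note the two design choices a reviewer will ask about: deposits above the threshold are excluded so the same transaction is not double-alerted by the CTR and structuring rules, and the window advances past an alerted group so one run produces one alert per pattern rather than one per additional deposit. Both choices should be documented in the tuning log required under TXN-06.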
TXN-04 HIGH
Crypto ML/TF Typology-Based Monitoring Scenarios
TMS rules and scenarios designed specifically for crypto AML typologies: mixer/tumbler usage, chain-hopping, layering via DeFi protocols, NFT wash trading, P2P exchange usage, and high-frequency micro-transactions.
FATF Virtual Assets Red Flag Indicators (2020) · FATF VASP Guidance 2021
TXN-05 HIGH
Alert Management & Disposition Procedures
Documented SLAs and procedures for analyst review of TMS alerts: triage, investigation, documentation of rationale for disposition (close/escalate/STR), supervisor sign-off for critical alerts, and escalation path to MLRO.
FATF R.10 · VARA AML Sec. 6
TXN-06 MEDIUM
TMS Model Validation & Tuning
Annual validation of TMS rules and thresholds: false positive rate analysis, detection rate assessment against known typologies, scenario effectiveness review, and documented tuning log. Results reported to compliance and board.
FATF R.10
TXN-07 HIGH
Unhosted (Self-Hosted) Wallet Risk Management
Policy and controls for transactions involving unhosted (self-hosted) wallets: risk-based thresholds, blockchain analytics screening of the counterparty address, enhanced monitoring, and where required (EU TFR) verification that a self-hosted address involved in a transfer above EUR 1,000 is owned or controlled by your customer. Note that the TFR applies no de minimis threshold to the collection of originator and beneficiary data itself.
EU TFR (Reg. 2023/1113) Art. 14 · FATF VASP Guidance 2021
TXN-08 MEDIUM
DeFi Protocol & Smart Contract Interaction Monitoring
For customers interacting with DeFi protocols, bridges, or DEXs: risk assessment of protocol counterparties, flagging of interactions with high-risk contracts (mixers, unregulated bridges), and enhanced review triggers for DeFi-derived funds.
FATF VASP Guidance 2021
TXN-09 MEDIUM
Negative News & Adverse Media Screening
Systematic adverse media screening for all high-risk customers and all new institutional onboardings: at onboarding and on an ongoing basis. Automated screening tools integrated with human review for material hits.
FATF R.10 · FCA SYSC 6.3
TXN-10 BEST PRACTICE
Correspondent VASP Due Diligence
For VASPs receiving funds from, or sending funds to, other VASPs: conduct and document AML/CFT due diligence on counterparty VASPs. Verify VASP is registered/licensed, assess quality of their AML programme, and apply enhanced scrutiny to high-risk VASP counterparties.
FATF VASP Guidance 2021
04 · Sanctions Screening

Screening customers, transactions, and wallet addresses against global sanctions lists - OFAC, EU, UN, and local regimes.
SAN-01 CRITICAL
Real-Time OFAC, EU & UN Sanctions Screening
All customers screened against OFAC SDN, EU Consolidated Sanctions List, UN Consolidated List, and applicable local lists at onboarding and in real-time as list updates occur. No transaction may proceed for a sanctioned person or entity.
OFAC · EU Reg. 269/2014 · FATF R.6
SAN-02 CRITICAL
On-Chain Wallet Address Sanctions Screening
All incoming and outgoing wallet addresses screened against the digital currency addresses published on OFAC's SDN list (and equivalent EU and UK designations) and against blockchain analytics risk scores. Screen against the live list, not a static copy: designations are added and removed over time (the Tornado Cash smart contract addresses designated in 2022 were removed from the SDN list in March 2025), so a hard-coded address set will both miss new designations and block delisted ones. Transactions to or from a currently designated address must be blocked and reported.
OFAC · 31 CFR Part 578
SAN-03 CRITICAL
Sanctions Hit Management & Blocking Procedure
Documented procedure for handling sanctions matches: true-hit assessment, blocking and freezing of funds, mandatory reporting to the relevant authority (OFAC, UK OFSI, CBUAE), and record-keeping. Escalation to legal counsel and the board.
OFAC · UK OFSI · CBUAE
SAN-04 HIGH
Sanctions List Update Frequency & Monitoring
Sanctions lists updated daily (or more frequently where the sanctions provider pushes real-time updates). Process in place to re-screen existing customer base when new designations are added.
FATF R.6
SAN-05 HIGH
Name Matching Threshold & Fuzzy Logic Controls
Sanctions screening system configured with appropriate fuzzy matching settings to catch name variants, transliterations, and aliases. Documented matching threshold policy balancing false positive management against miss risk.
OFAC · FATF R.6
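A worked example covering both SAN-02 (wallet address screening) and SAN-05 (fuzzy name matching), added here for illustration; it is not part of the original checklist and not the code of any screening vendor. The list entries, aliases and addresses are constructed test data rather than real designations, and the two score thresholds (0.85 for a potential hit, 0.75 for review-only) are policy assumptions. It uses only the Python standard library, so it runs offline.

```python
"""Sanctions screening helpers: fuzzy name matching and wallet-address matching.

Added example, not part of the original checklist and not any vendor's code.
List entries and addresses below are constructed test data, not real
designations. Thresholds are assumptions to be set by policy and recorded
in the matching-threshold document that SAN-05 requires.
"""
from __future__ import annotations

import re
import unicodedata
from difflib import SequenceMatcher

NAME_MATCH_THRESHOLD = 0.85   # assumed: at or above this is a potential hit (block pending review)
REVIEW_THRESHOLD = 0.75       # assumed: between the two thresholds gets human review only

# Constructed list: (list_id, primary name, aliases). Not real SDN entries.
SANCTIONS_LIST = [
    ("SDN-0001", "Ivan Petrovich Sidorov", ["Sidorov, Ivan", "Iván Sídorov"]),
    ("SDN-0002", "Bright Star Trading LLC", ["Brightstar Trading"]),
]

# Constructed designated addresses. Not real designations.
DESIGNATED_ADDRESSES = {
    "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01",   # EVM address in mixed-case (checksum) form
    "bc1qexampleaddressnotrealxxxxxxxxxxxxxxxxxx",   # bech32-style string
}

_EVM_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
_LEGAL_SUFFIXES = {"llc", "ltd", "inc", "corp", "co", "limited", "plc", "gmbh", "sa"}


def normalise_name(name: str) -> str:
    """Fold case, strip diacritics and punctuation, drop legal-form suffixes, sort tokens.

    Token sorting makes 'Sidorov, Ivan' and 'Ivan Sidorov' compare equal; diacritic
    stripping handles transliteration variants such as 'Iván Sídorov'.
    """
    text = unicodedata.normalize("NFKD", name)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    tokens = [t for t in text.split() if t not in _LEGAL_SUFFIXES]
    return " ".join(sorted(tokens))


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, normalise_name(a), normalise_name(b)).ratio()


def screen_name(candidate: str) -> list[tuple[str, str, float]]:
    """Return (list_id, matched_name, score) for every entry scoring at or above
    REVIEW_THRESHOLD, best score first. Scores >= NAME_MATCH_THRESHOLD are
    potential hits for blocking pending true-hit assessment (SAN-03)."""
    hits = []
    for list_id, primary, aliases in SANCTIONS_LIST:
        best_name, best = primary, 0.0
        for n in [primary, *aliases]:
            s = name_similarity(candidate, n)
            if s > best:
                best_name, best = n, s
        if best >= REVIEW_THRESHOLD:
            hits.append((list_id, best_name, round(best, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def normalise_address(addr: str) -> str:
    """EVM addresses are case-insensitive hex (the mixed-case form only encodes a
    checksum), so fold them to lower case; bech32 strings are also defined
    case-insensitively. Base58 (legacy Bitcoin) addresses are case-sensitive
    and are left untouched."""
    a = addr.strip()
    if _EVM_RE.match(a):
        return a.lower()
    if a.lower().startswith(("bc1", "tb1", "ltc1")):
        return a.lower()
    return a


_DESIGNATED_NORMALISED = {normalise_address(a) for a in DESIGNATED_ADDRESSES}


def is_designated_address(addr: str) -> bool:
    """True if the address matches a designated address after normalisation."""
    return normalise_address(addr) in _DESIGNATED_NORMALISED
```

Two points the example makes that a screening configuration review should check: an address comparison that does not normalise case will miss an EVM address supplied in lower case when the list holds the checksummed form (and vice versa), and a name matcher that compares raw strings will miss a "surname, forename" alias that the token-sorted comparison scores as an exact match. The review band between the two thresholds is where your false-positive tuning lives; keep the decision log.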
SAN-06 HIGH
Sanctions Compliance Training
Dedicated sanctions compliance training for all relevant staff - including the unique sanctions risks in the crypto context (designated addresses, jurisdiction restrictions, beneficial ownership controls). Annual refresh with records kept.
FATF R.6 · OFAC
SAN-07 MEDIUM
Geographic IP / Location Restrictions
Technical controls blocking access from comprehensively sanctioned jurisdictions and regions at the platform level (e.g. Iran, North Korea, Cuba, and the Crimea, Donetsk and Luhansk regions of Ukraine), supplemented by VPN and proxy detection. Maintain the list from the current OFAC, EU and UK programmes rather than hard-coding it: the set changes (the US Syria sanctions programme, for example, was lifted in 2025). Not a substitute for name-based sanctions screening.
OFAC
SAN-08 BEST PRACTICE
Sanctions Evasion Detection Controls
Specific monitoring for sanctions evasion typologies: use of shell company structures to obscure sanctioned UBOs, chain-hopping to move funds away from sanctioned addresses, front company arrangements, and use of privacy coins by sanctioned persons.
OFAC · FATF Virtual Assets Red Flag Indicators (2020)
05 · FATF Travel Rule

Collection and transmission of originator and beneficiary information for virtual asset transfers - the most operationally complex VASP obligation.
TRV-01 CRITICAL
Travel Rule Technical Solution Deployed
A Travel Rule messaging solution (Notabene, Sygna, VerifyVASP, TRP, TRUST, or equivalent) deployed and integrated into transaction flows for virtual asset transfers above the local threshold (USD/EUR 1,000 in most jurisdictions; USD/EUR 0 in some).
FATF R.16 · EU TFR · MAS PSA Sch 3
TRV-02 CRITICAL
Outgoing Transfer - Originator Data Collection & Transmission
For all outgoing transfers above threshold: collect, and transmit to the beneficiary VASP, the originator's name and account number (wallet address) plus at least one of physical address, national identity number, customer identification number, or date and place of birth; and the beneficiary's name and account number. Data is transmitted securely, through the Travel Rule solution rather than on-chain, before or simultaneously with the transfer.
FATF R.16
TRV-03 CRITICAL
Incoming Transfer - Beneficiary Verification
For all incoming transfers above threshold: verify the beneficiary is a customer of the VASP, that the wallet address belongs to that customer, and that the received originator data is complete and plausible. Flag and hold transfers where data is missing or implausible.
FATF R.16
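A worked example of the beneficiary-side checks in TRV-03 (and of the completeness rule that TRV-02 imposes on the originating side), added here for illustration; it is not part of the original checklist and not the data model of any Travel Rule protocol. The real interchange format is IVMS101; the flat dictionaries used here, the field names, the USD 1,000 threshold and the sample transfers are all constructed assumptions.

```python
"""Incoming Travel Rule transfer checks on the beneficiary VASP side.

Added example, not part of the original checklist and not the code or data
model of any Travel Rule protocol (the real interchange format is IVMS101;
the flat dictionaries here are a simplified stand-in). Threshold, field
names and sample data are assumptions for illustration.
"""
from __future__ import annotations

from datetime import date
from typing import Any

TRAVEL_RULE_THRESHOLD_USD = 1_000.0  # assumed FATF-style threshold; the EU TFR applies none

# FATF R.16 for virtual assets: originator name, account number, and at least ONE of these.
ORIGINATOR_ONE_OF = ("physical_address", "national_id", "customer_id", "date_place_of_birth")


def originator_gaps(originator: dict[str, Any]) -> list[str]:
    """Return missing or implausible originator fields; an empty list means complete."""
    gaps: list[str] = []
    if not str(originator.get("name", "")).strip():
        gaps.append("name")
    if not str(originator.get("account", "")).strip():
        gaps.append("account")
    if not any(originator.get(k) for k in ORIGINATOR_ONE_OF):
        gaps.append("one_of:" + "|".join(ORIGINATOR_ONE_OF))
    dpob = originator.get("date_place_of_birth")
    if dpob:
        try:
            dob = date.fromisoformat(str(dpob.get("date", "")))
        except (ValueError, AttributeError):
            gaps.append("date_place_of_birth:malformed")
        else:
            # a date of birth in the future or before 1900 is a data-quality red flag
            if not date(1900, 1, 1) <= dob < date.today():
                gaps.append("date_place_of_birth:implausible")
            if not str(dpob.get("place", "")).strip():
                gaps.append("date_place_of_birth:place")
    return gaps


def assess_incoming(transfer: dict[str, Any],
                    customer_wallets: dict[str, tuple[str, str]]) -> tuple[str, list[str]]:
    """Decide what to do with an incoming VASP-to-VASP transfer.

    customer_wallets maps a deposit address (already normalised) to the
    (customer_id, legal_name) that owns it. Returns (decision, reasons):
    'reject'  - the beneficiary address is not one of ours: do not credit;
    'hold'    - data missing, implausible or inconsistent: park the funds and
                request the data from the originating VASP before crediting;
    'release' - checks passed (sanctions and AML screening of the originator
                still apply separately).
    """
    beneficiary = transfer.get("beneficiary") or {}
    owner = customer_wallets.get(str(beneficiary.get("account", "")))
    if owner is None:
        return "reject", ["beneficiary_account_unknown"]

    reasons: list[str] = []
    customer_id, legal_name = owner
    stated = str(beneficiary.get("name", "")).strip()
    if not stated:
        reasons.append("beneficiary_name_missing")
    elif stated.casefold() != legal_name.casefold():
        reasons.append(f"beneficiary_name_mismatch:{customer_id}")

    if float(transfer.get("amount_usd", 0)) >= TRAVEL_RULE_THRESHOLD_USD:
        for gap in originator_gaps(transfer.get("originator") or {}):
            reasons.append("originator_" + gap)

    return ("hold", reasons) if reasons else ("release", [])


# Constructed sample data, not real customers or transfers.
CUSTOMER_WALLETS = {
    "0x1111111111111111111111111111111111111111": ("C-100", "Alice Example"),
}
_ALICE = {"name": "Alice Example", "account": "0x1111111111111111111111111111111111111111"}

SAMPLE_COMPLETE = {"amount_usd": 2_500.0, "beneficiary": _ALICE,
                   "originator": {"name": "Bob Example",
                                  "account": "0x2222222222222222222222222222222222222222",
                                  "national_id": "P1234567"}}
SAMPLE_INCOMPLETE = {"amount_usd": 2_500.0, "beneficiary": _ALICE,   # no account; DOB in the future
                     "originator": {"name": "Bob Example",
                                    "date_place_of_birth": {"date": "2999-01-01", "place": "Lisbon"}}}
SAMPLE_UNKNOWN = {"amount_usd": 2_500.0, "originator": SAMPLE_COMPLETE["originator"],
                  "beneficiary": {"name": "Mallory", "account": "0x9999999999999999999999999999999999999999"}}
SAMPLE_BELOW_THRESHOLD = {"amount_usd": 400.0, "beneficiary": _ALICE, "originator": {}}
```

The hold path is the one that matters operationally: FATF guidance expects the beneficiary VASP to have a documented process for transfers that arrive with missing or implausible data (request it, hold, return, or reject on a risk basis), and the reason codes returned here are what that process and the TRV-08 exception-handling review consume. Under the EU TFR the threshold branch disappears, since originator data must accompany every transfer.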
TRV-04 HIGH
Unregistered VASP & Sunrise Problem Policy
Policy for handling transfers to/from VASPs that are not Travel Rule compliant (unregistered VASPs, jurisdictions not yet implemented). Risk-based approach: enhanced monitoring, threshold restrictions, or prohibition for high-risk non-compliant VASP counterparties.
FATF VASP Guidance 2021
TRV-05 HIGH
VASP Counterparty Identification & Verification
Process for identifying whether a receiving or sending address belongs to a regulated VASP counterparty (VASP directory tools, Travel Rule protocol discovery, or direct VASP outreach). Maintained registry of known VASP counterparties and their Travel Rule capabilities.
FATF R.16
TRV-06 MEDIUM
Travel Rule Data Security & Privacy Controls
Personal data transmitted under the Travel Rule protected with appropriate encryption and access controls. GDPR and local data privacy law considerations addressed in Travel Rule data-sharing arrangements, including data minimisation and cross-border transfer safeguards.
FATF R.16 · GDPR Art. 46
TRV-07 HIGH
Travel Rule Data Record Retention
All Travel Rule originator and beneficiary data retained for the period required by local law (minimum 5 years in most jurisdictions). Data retrievable for regulator inspection. Retention schedule aligned with your overall data governance policy.
FATF R.11
TRV-08 BEST PRACTICE
Travel Rule Compliance Testing & Assurance
Periodic testing of Travel Rule implementation: sample-based review of transmitted data quality, review of missing data exception handling, counterparty response rate analysis, and reconciliation of Travel Rule data against transaction records.
FATF R.16
06 · Governance, Record-Keeping & Data

The operational infrastructure for AML/CFT data retention, regulatory reporting, and compliance governance.
GOV-01 CRITICAL
5-Year Transaction Record Retention
All transaction records (including on-chain and off-chain) retained for a minimum of 5 years from the date of the transaction (or customer relationship end date, whichever is later). Records must be retrievable in response to a regulator request within 5 business days.
FATF R.11
GOV-02 CRITICAL
5-Year CDD & KYC Record Retention
All customer due diligence records (identity documents, risk assessments, source of funds evidence, EDD files) retained for 5 years after the end of the customer relationship. Where required by local law (e.g. UAE), extended to 8 years.
FATF R.11 · UAE AML Law Art. 16
GOV-03 HIGH
Annual MLRO Compliance Report to Board
Annual report from the MLRO to the board covering: AML programme effectiveness assessment, STR statistics, training completion rates, audit findings and remediation status, and planned programme enhancements. Board minutes to reflect review and discussion.
FATF R.18 · FCA SYSC 6.3.11
GOV-04 HIGH
Regulatory Reporting Capability
Systems and processes to produce AML regulatory reports required by the relevant regulator within prescribed timeframes. Includes periodic AML returns (where required), annual regulatory filings, and ad hoc requests. Regulator portal access established and tested.
VARA · MAS · FCA
GOV-05 HIGH
AML Data Governance & Privacy Law Compliance
AML data retention obligations reconciled with data privacy law (GDPR, DIFC Data Protection Law, Singapore PDPA). Legal basis for processing KYC and transaction data established and documented. Data subject rights procedures account for AML retention overrides.
GDPR Art. 17 vs. FATF R.11
GOV-06 MEDIUM
Compliance Calendar & Regulatory Change Management
Maintained compliance calendar tracking all regulatory reporting deadlines, policy review dates, audit schedules, and training due dates. Process for monitoring regulatory changes (FATF updates, new local laws) and incorporating them into the AML programme in a timely manner.
FATF R.18
GOV-07 HIGH
New Product & Service AML Risk Assessment
Mandatory AML/CFT risk assessment before launching any new product, service, or market. Compliance sign-off required before go-live. New products with novel ML/TF risks require enhanced controls designed prior to launch - not patched in afterwards.
FATF R.1 · VARA AML Sec. 2
GOV-08 MEDIUM
AML Technology Systems Documentation
Comprehensive documentation of all AML technology systems: data flows, integration architecture, vendor details and SLAs, system access controls, change management procedures, and business continuity arrangements for critical AML systems.
FATF R.18
GOV-09 MEDIUM
AML Incident Response & Breach Procedure
Documented procedure for responding to AML/CFT compliance failures, regulatory notices, and enforcement contacts. Includes escalation path, legal privilege preservation, voluntary disclosure decision-making, and remediation evidence gathering protocols.
VARA · FATF R.18
GOV-10 BEST PRACTICE
AML Programme Effectiveness Metrics & KPIs
Defined KPIs for the AML programme: STR filing rate, alert-to-STR conversion rate, average alert closure time, training completion rate, audit finding closure rate, and periodic comparison against industry benchmarks. Reported quarterly to the board.
FATF R.33 · Effectiveness Methodology
GOV-11 MEDIUM
Correspondent Banking & Fiat Rail AML Controls
AML controls specifically for fiat on/off ramp activity: SWIFT/SEPA transaction screening, correspondent bank due diligence, and reconciliation of fiat transaction records with on-chain activity to detect conversion-based layering.
FATF R.10 · R.13
GOV-12 BEST PRACTICE
AML/CFT Gap Analysis Against Local Regulator Rulebook
Formal gap analysis of your AML/CFT programme against the specific requirements of your primary regulator's AML rulebook (VARA AML-CFT Standards, MAS PSN 02, FCA SYSC 6.3 and the UK MLRs 2017, the EU AMLD/AMLR regime for MiCA-licensed CASPs). Gaps documented and tracked to remediation. Refreshed annually.
VARA · MAS · FCA · EU AMLD/AMLR
AML/CFT Advisory - Web3 Legal Consulting

Gaps in Your Checklist? We Fix Them.

Our specialist web3 legal services team has designed and implemented AML/CFT programmes for 300+ exchanges, VASPs, DeFi protocols, and digital asset businesses across 40+ jurisdictions. From a quick gap analysis to a full programme build - we have you covered.

AML gap analysis against your specific regulator's rulebook
Full AML/CFT programme design and implementation
MLRO-as-a-Service and ongoing compliance retainer
48-hour emergency response for regulator actions

Email Us for AML Review

Contact our AML specialists to review your compliance checklist and identify priority regulatory gaps.

Email Us

Emergency Consultation

Regulatory action, enforcement notice, or urgent AML issue? Our team responds within 48 hours.

+91-884-763-3244