What is AML (Anti-Money Laundering)?
The legal framework requiring financial institutions to detect and report transactions tied to criminal activity. Drives KYC requirements, suspicious-activity reports, and many of crypto's regulatory frictions.
Last updated April 30, 2026
How it works
AML in the US is governed primarily by the Bank Secrecy Act (1970) and its post-9/11 expansions in the USA PATRIOT Act. Regulated entities — banks, securities firms, crypto exchanges classified as Money Services Businesses (MSBs) — must:
- Verify customer identities at onboarding (the KYC requirement)
- Monitor transactions for unusual patterns
- File Suspicious Activity Reports (SARs) with FinCEN when red flags appear
- File Currency Transaction Reports (CTRs) for cash transactions over $10,000
- Maintain records for 5+ years
- Train employees on detection
- Designate a compliance officer
Failure to comply can result in massive fines. Binance paid $4.3B in 2023 to settle US AML violations. HSBC paid $1.9B in 2012 for laundering Mexican drug cartel money.
What constitutes a "red flag" is broadly interpretive but includes:
- Large cash deposits or withdrawals just under reporting thresholds (structuring)
- Funds from high-risk jurisdictions (sanctioned countries, FATF blacklist)
- Rapid movement of funds through many accounts
- Customer behavior inconsistent with declared business or income
- Connection to known illicit-activity addresses (in crypto)
Example
A typical AML flow at a US crypto exchange:
- New user signs up, completes KYC (driver's license, selfie, SSN)
- Compliance system runs name through OFAC sanctions list, checks PEP databases
- User's deposits and trading activity feed into transaction-monitoring software
- System flags: user is wiring in $50k weekly from an account that's never funded the exchange before, then immediately moving USDC out to a wallet associated with a sanctioned mixer
- Compliance officer reviews; if confirmed suspicious, files a SAR with FinCEN
- FinCEN may share with FBI/IRS-CI; user is generally not notified
The whole system runs in the background and generates millions of SARs annually. Most are filed but never investigated; the ones that lead anywhere often inform multi-month money-laundering or sanctions cases.
Why it matters
AML compliance shapes much of how US crypto users interact with the system:
- Why exchanges KYC. Required by law. Skipping KYC on a regulated US exchange isn't an option.
- Why exchanges restrict deposits/withdrawals to certain addresses. Tornado Cash sanctions made specific Ethereum addresses untouchable for US-regulated entities. Exchanges screen incoming and outgoing addresses against OFAC lists.
- Why "international" platforms gate US users. Operating in the US with US customers triggers FinCEN registration and full AML obligations. Many platforms geofence the US to avoid the cost.
- Why peer-to-peer crypto activity isn't AML-regulated the same way. Transfers from one self-custody wallet to another don't pass through a Money Services Business, so FinCEN doesn't get a transaction-monitoring view of them. The IRS still wants to know about taxable events.
- Travel Rule extension to crypto. The 2022 update of FATF's Travel Rule requires VASPs (virtual asset service providers) to share originator/beneficiary info on transfers above $1,000–3,000. Implementation is still patchy globally.
For everyday users: AML obligations are mostly invisible — KYC at signup, occasional account questions about source of funds for large deposits, reports to the IRS at year-end. Behavior that triggers heightened review: large unexplained deposits, withdrawals to addresses with sanctions associations, rapid in-out activity that looks like layering. None of this is hostile to legitimate users; it's just the regulated environment exchanges operate in.