Your Crypto Exchange Is Not AML-Compliant Just Because It Has a KYC Form
The regulated crypto industry has a dangerous blind spot: treating customer onboarding as the finish line. KYC is the starting gun, and regulators in the UAE, the UK, and internationally are running out of patience for exchanges that mistake a checkbox for a compliance programme.
The Compliance Myth That Keeps Regulators Up at Night
Walk into the compliance department of a mid-tier crypto exchange and ask how they manage AML risk. Odds are they will reach for a brochure about their customer onboarding flow: the ID document checks, the selfie verification, the politically-exposed-person screening. It looks thorough. It is not enough.
Know Your Customer (KYC) identity verification at the point of onboarding is one layer of anti-money laundering (AML) compliance. But it is a single layer in a system that regulators, from the UAE’s Virtual Asset Regulatory Authority (VARA) to the UK’s Financial Conduct Authority (FCA), explicitly require to have many more. The gap between “we have KYC” and “we have a compliant AML programme” is precisely where financial crime happens, and precisely where enforcement actions land.
Under VARA Rulebook 2023 Art. 3.2, UK MLRs 2017 Reg. 28, and FATF Recommendation 10, ongoing monitoring of the business relationship is a mandatory, distinct obligation, separate from and in addition to customer identification at onboarding. A KYC form alone does not satisfy any of these obligations.
What KYC Does, and What It Categorically Does Not Do
KYC is a customer identification and verification process. It answers the question: Who is this person, and do we know enough about them to open a relationship? At onboarding, that typically means collecting identity documents, verifying liveness, screening against sanctions lists and PEP databases, and, for business customers, understanding beneficial ownership.
What KYC does not do is watch what the customer does after they walk through the door. It does not detect when a previously low-risk customer suddenly starts receiving funds from high-risk counterparties. It does not flag structuring patterns designed to avoid reporting thresholds. It does not identify blockchain addresses associated with darknet markets, ransomware wallets, or sanctioned entities. And it does not prompt a Suspicious Activity Report (SAR) or Suspicious Transaction Report (STR) when one is warranted.
“Transaction monitoring is not a feature of a compliance programme. Under FATF, UAE, and UK law, it is a fundamental, ongoing legal obligation, and the absence of effective monitoring is itself a predicate for regulatory action, regardless of how thorough the onboarding process was.”
Synthesis of VARA Examination Framework, FCA FCG 3.2 and FATF R.10 requirements
The Five Dimensions of a Complete AML Programme
A compliant crypto exchange AML framework must cover all five of the following dimensions. KYC is only one of them.
1. Customer Identification & Verification (KYC/CDD): Identity proofing, document verification, liveness detection, sanctions and PEP screening at onboarding. This is what most exchanges do reasonably well. It is necessary but insufficient.
2. Ongoing Transaction Monitoring (TM): Automated, rule-based and/or machine-learning-driven surveillance of transaction flows to detect suspicious patterns in real time or near-real time throughout the entire lifecycle of the customer relationship. Required under VARA Art. 3.2, MLRs 2017 Reg. 28, and FATF R.10.
3. Blockchain Analytics & On-Chain Intelligence: A VASP-specific requirement. Tracing the provenance and destination of crypto assets using tools such as Chainalysis, Elliptic, or TRM Labs. On-chain analytics identify whether funds have passed through sanctioned addresses, mixing services, or high-risk exchanges, intelligence entirely invisible to KYC systems.
4. Periodic Customer Due Diligence Review (Enhanced CDD): Scheduled re-verification of customer risk profiles, updated source-of-wealth assessment, and review of whether the actual transaction behaviour aligns with the declared business purpose. Required under Cabinet Decision 10/2019 Art. 7 (UAE) and JMLSG Part I Ch. 5 (UK).
5. SAR/STR Filing & Alert Governance: A documented process for escalating, investigating, and filing suspicious activity reports, including clear alert governance, case management, and audit trails that demonstrate the monitoring system is calibrated to risk. VARA inspectors specifically test STR ratios; low STR rates in high-risk environments are themselves a red flag.
UAE vs UK: Comparing AML Obligations for Crypto Exchanges
Both the UAE and UK have established clear, enforceable frameworks that treat transaction monitoring as a mandatory component of AML compliance, not an optional enhancement. The following table maps the key obligations side by side.
| Obligation | 🇦🇪 UAE Framework | 🇬🇧 UK Framework |
|---|---|---|
| KYC / CDD at Onboarding | VARA Rulebook Art. 3.2 + Cabinet Decision 10/2019 Art. 7 | MLRs 2017 Reg. 28 + JMLSG Guidance Part I, Ch. 5 |
| Ongoing Transaction Monitoring | Explicitly mandated; CBUAE/VARA inspections test TM calibration, alert governance, and STR ratios | Explicitly mandated; FCA FCG 3.2 sets minimum expectations; TM failure = enforcement action |
| Periodic CDD Review | Cabinet Decision 10/2019 Art. 7: continuous CDD proportionate to risk profile | JMLSG Part I Ch. 5: proportionate ongoing monitoring aligned with risk profile |
| Failure-to-Monitor Offence | UAE AML/CFT Law Art. 14: financial institutions must monitor transactions on an ongoing basis | POCA 2002 s.330: inadequate monitoring can constitute a criminal failure-to-disclose offence |
| Enforcement Posture | VARA can suspend or revoke licence for inadequate transaction monitoring; CBUAE Notice 2023/8 sanctions “tick-box” KYC | FCA can impose unlimited fines (e.g. Santander £108M for TM failures); thematic reviews TR14/16, TR18/2 |
| Regulatory Style | Prescriptive; VARA Rulebook is explicit on VASP-specific TM requirements | Principles-based; FCA FCG + case law; firms must demonstrate reasonable systems |

Sources: VARA Rulebook 2023; Cabinet Decision 10/2019; UAE AML/CFT Law; CBUAE Notice 2023/8; MLRs 2017; FCA FCG 3.2; JMLSG 2023; POCA 2002; FCA Enforcement Decisions 2023.
The UAE Regulatory Framework: Prescriptive, Enforceable, and VASP-Specific
The UAE has constructed one of the world’s most explicit crypto AML frameworks, and enforcement is active. VARA, established under Dubai Law 4/2022, is not a passive licensing body. Its inspection teams assess transaction monitoring systems with the same rigour as prudential regulators assess capital adequacy.
🇦🇪 UAE: Key Legal Provisions
- VARA Art. 3.2: Full AML programme mandatory, not merely onboarding KYC. Covers ongoing monitoring, transaction surveillance, and periodic review.
- CBUAE 2023/8: Explicitly sanctions VASPs demonstrating “tick-box” KYC without proportionate ongoing monitoring.
- Cab. Dec. Art. 7: Requires continuous customer due diligence and transaction monitoring proportionate to risk profile throughout the relationship.
- AML/CFT Art. 14: Specifically requires financial institutions to monitor transactions on an ongoing basis, not merely at point of onboarding.
- VARA Exam: VARA inspectors assess TM calibration, alert governance, and STR ratios, not merely KYC form completeness.
🇬🇧 UK: Key Legal Provisions
- MLRs Reg. 28: Mandates ongoing monitoring of the business relationship, not merely customer verification at onboarding.
- FCA FCG 3.2: Explicitly warns that KYC without transaction monitoring is “not adequate.” Firms must have effective, risk-based monitoring systems.
- JMLSG Ch. 5: Requires proportionate ongoing monitoring aligned with risk profile; an onboarding check alone is insufficient.
- FCA TR14/16: Thematic reviews found firms with strong KYC but deficient ongoing monitoring, which led directly to enforcement action.
- POCA s.330: Inadequate monitoring can constitute a criminal failure-to-disclose offence under the proceeds-of-crime framework.
CBUAE Notice 2023/8 introduced a critical precedent for UAE-licensed VASPs: demonstrating “tick-box” KYC compliance without a proportionate ongoing monitoring system is itself grounds for regulatory sanction. The UAE regulator has explicitly rejected the argument that robust onboarding compensates for weak post-onboarding surveillance.
What VARA Inspectors Actually Test
Understanding the VARA Examination Framework is essential for any VASP operating or seeking to operate in Dubai or under UAE federal licensing. VARA inspection teams do not simply review onboarding documentation. They assess:
- Transaction Monitoring Calibration: Is the TM system tuned to the firm’s actual risk profile? Are thresholds set at plausible risk-based levels, or are they set so high that virtually no alerts fire?
- Alert Governance: Is there a documented, staffed process for investigating alerts? Are investigations time-bound? Is there a second-line review of first-line decisions?
- STR Ratio Analysis: VARA inspectors compare a firm’s STR filing rate against peer benchmarks and the firm’s own transaction volumes. Anomalously low STR rates in high-volume or high-risk segments are treated as evidence of inadequate monitoring, not clean business.
- Blockchain Analytics Integration: For VASPs, VARA expects on-chain analytics to be embedded into the transaction monitoring workflow, not used as an ad hoc investigation tool after the fact.
The UK Regulatory Framework: Principles-Based, Case-Law Driven, and Financially Severe
The UK’s approach to crypto AML operates on a principles-based model anchored in the Money Laundering Regulations 2017 and the FCA’s Financial Crime Guide, but “principles-based” does not mean lenient. The FCA has demonstrated a clear willingness to impose landmark fines where transaction monitoring failures are identified, irrespective of how well-designed the firm’s KYC process was.
In 2023, the FCA fined Santander UK £108 million specifically for failures in transaction monitoring, not for KYC deficiencies. The firm’s onboarding controls were not at issue. The enforcement action targeted the firm’s failure to adequately monitor transactions after the relationship began. This precedent is directly applicable to crypto exchanges operating under UK registration.
The FCA’s Financial Crime Guide: Reading the Plain Language
FCA FCG 3.2 does not leave room for interpretation. It states explicitly that KYC without transaction monitoring is “not adequate.” The Guide sets out minimum expectations for what a transaction monitoring system should do: it must be risk-based, calibrated to the firm’s customer base, reviewed periodically, and capable of generating actionable intelligence that leads to SAR filings where appropriate.
The JMLSG Guidance reinforces this in Part I, Chapter 5, requiring that ongoing monitoring be proportionate to the assessed risk of the customer relationship. A customer assessed as low-risk at onboarding who subsequently exhibits high-risk transaction patterns must be detected, and the firm must be able to demonstrate that its systems were capable of making that detection.
Beyond civil penalties, firms and individuals should note that inadequate transaction monitoring can engage criminal liability under POCA 2002 s.330. Where a relevant person knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering, and that suspicion arises in the course of business, failure to disclose is a criminal offence. Inadequate monitoring systems that suppress the generation of that suspicion do not create a defence; they amplify the firm’s exposure.
FATF & International Standards: The Global Floor for Crypto AML
The Financial Action Task Force sets the international baseline that both UAE and UK domestic law implement. FATF’s position is unambiguous: customer due diligence is a continuous process, not a one-time event. For virtual asset service providers specifically, the 2021 FATF Guidance on Virtual Assets elevates these obligations further.
- Customer Due Diligence: Ongoing monitoring is a core CDD requirement globally. An onboarding check alone is non-compliant with international standards in any jurisdiction that has adopted the FATF Recommendations.
- VASPs & New Technologies: Specifically applies ongoing monitoring obligations to VASP relationships, proportional to ML/TF risk. On-chain analytics are implicitly required for effective monitoring of virtual asset flows.
- AML Principles: Stress that monitoring of transactions is a distinct and mandatory obligation separate from customer identification. The two are legally and operationally separate requirements.
- AML Guidelines: Emphasise that KYC is a continuous process, not a one-time event, covering the full lifecycle of the customer relationship, from onboarding to termination.
The Travel Rule: A VASP-Specific Layer KYC Alone Cannot Satisfy
FATF Recommendation 16, the Travel Rule, requires VASPs to collect, hold, and transmit originator and beneficiary information for virtual asset transfers above the de minimis threshold. This is a distinct obligation from KYC that requires bilateral information sharing between the sending and receiving VASP at the point of each qualifying transaction. No KYC form, however thorough, satisfies Travel Rule compliance, because Travel Rule obligations attach to each individual transaction, not to the customer relationship at inception.
FATF’s 2021 Virtual Asset Guidance explicitly expects VASPs to use blockchain analytics tools as part of their risk-based approach to ongoing CDD. Screening counterparty addresses before and after transactions, not just at onboarding, is increasingly treated as a baseline expectation by both VARA and the FCA. Firms that cannot demonstrate on-chain screening of transaction counterparties face heightened regulatory scrutiny.
What a Compliant Transaction Monitoring Programme Actually Requires
For crypto exchanges specifically, an adequate transaction monitoring programme has both technical and governance components. The following represents the baseline that UAE VARA inspectors and UK FCA reviewers expect to find.
| Component | Minimum Requirement | Best Practice |
|---|---|---|
| TM System | Rule-based alerts calibrated to risk profile | ML-augmented behavioural analytics + rules |
| Blockchain Analytics | Pre-transaction address screening | Real-time + post-transaction on-chain monitoring |
| Alert Governance | Documented investigation workflow with time limits | Second-line review + escalation matrix + case management system |
| STR/SAR Filing | Documented process; filings proportionate to volumes | STR rate benchmarking vs. peer cohort; quality review of filings |
| Threshold Review | Annual review of TM calibration | Quarterly or event-driven recalibration + back-testing |
| Periodic CDD | Risk-based review cycle (e.g. high-risk: annual) | Trigger-based refresh when transaction behaviour diverges from stated profile |
| Travel Rule | VASP-to-VASP information sharing for qualifying transactions | Automated Travel Rule solution integrated with TM workflow |
| Audit Trail | Records of all alerts, decisions, and filings | Immutable logs accessible to regulators; retention per jurisdiction requirements |
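The table above lists the minimum components in prose. As an added example, not code from this article or from any of the regulators or analytics vendors it names, the following Python sketch implements the minimum-requirement column end to end: risk-tier-calibrated thresholds (lower thresholds for higher-risk customers), pre-transaction counterparty address screening, a structuring rule, alert records that double as the audit trail, and a back-test of the resulting alert rate so that a calibration that fires no alerts on a busy book is visible as the red flag the text describes. Every customer id, address, amount, rule id and threshold below is a constructed placeholder.

```python
"""Minimal rule-based transaction monitoring (TM) engine. Added example;
all data, rule ids and thresholds are constructed placeholders."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed placeholder list. A real programme sources this from a
# blockchain-analytics provider feed, refreshed continuously.
HIGH_RISK_ADDRESSES = {"addr_sanctioned_placeholder", "addr_mixer_placeholder"}

# Hypothetical reporting threshold and per-tier multipliers: higher-risk
# customers get lower thresholds, i.e. the calibration the text calls for.
REPORTING_THRESHOLD = 10_000.0
TIER_MULTIPLIER = {"low": 1.0, "medium": 0.5, "high": 0.25}
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3


@dataclass
class Tx:
    customer: str
    ts: datetime
    amount: float        # fiat-equivalent value
    direction: str       # "in" or "out"
    counterparty: str    # on-chain address


@dataclass
class Alert:
    """One audit-trail record: which rule fired, for whom, when, and why."""
    rule: str
    customer: str
    ts: datetime
    evidence: dict = field(default_factory=dict)


def screen_counterparty(tx: Tx) -> Optional[Alert]:
    """Rule TM-01: pre-transaction screening of the counterparty address."""
    if tx.counterparty in HIGH_RISK_ADDRESSES:
        return Alert("TM-01-high-risk-counterparty", tx.customer, tx.ts,
                     {"address": tx.counterparty, "amount": tx.amount})
    return None


def detect_structuring(txs: list[Tx], tier: str,
                       reporting_threshold: float = REPORTING_THRESHOLD) -> Optional[Alert]:
    """Rule TM-02: several sub-threshold inbound transfers inside the window
    whose total crosses the risk-adjusted threshold. `txs` is one customer's
    transactions."""
    threshold = reporting_threshold * TIER_MULTIPLIER[tier]
    inbound = sorted((t for t in txs if t.direction == "in"), key=lambda t: t.ts)
    for i, first in enumerate(inbound):
        window = [t for t in inbound[i:]
                  if t.ts - first.ts <= STRUCTURING_WINDOW and t.amount < threshold]
        total = sum(t.amount for t in window)
        if len(window) >= STRUCTURING_MIN_COUNT and total >= threshold:
            return Alert("TM-02-structuring", first.customer, window[-1].ts,
                         {"count": len(window), "total": total, "threshold": threshold})
    return None


def run_monitoring(txs: Iterable[Tx], risk_tier: dict[str, str],
                   reporting_threshold: float = REPORTING_THRESHOLD) -> list[Alert]:
    """Apply every rule to a batch; the returned list is the alert log."""
    txs = list(txs)
    alerts = [a for a in (screen_counterparty(t) for t in txs) if a is not None]
    by_customer: dict[str, list[Tx]] = {}
    for t in txs:
        by_customer.setdefault(t.customer, []).append(t)
    for cust, ctx in by_customer.items():
        a = detect_structuring(ctx, risk_tier.get(cust, "low"), reporting_threshold)
        if a is not None:
            alerts.append(a)
    return alerts


def backtest_alert_rate(txs: Iterable[Tx], risk_tier: dict[str, str],
                        reporting_threshold: float = REPORTING_THRESHOLD,
                        floor: float = 0.001) -> tuple[float, bool]:
    """Alert rate over a sample and whether it clears a plausibility floor.
    A high-volume sample that yields (almost) no alerts fails the check."""
    txs = list(txs)
    rate = len(run_monitoring(txs, risk_tier, reporting_threshold)) / max(len(txs), 1)
    return rate, rate >= floor


# Constructed sample: one structuring pattern, one high-risk counterparty, one clean customer.
_T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_TXS = [
    Tx("C-1001", _T0, 4000.0, "in", "addr_clean_a"),
    Tx("C-1001", _T0 + timedelta(hours=3), 4000.0, "in", "addr_clean_b"),
    Tx("C-1001", _T0 + timedelta(hours=8), 4000.0, "in", "addr_clean_c"),
    Tx("C-2002", _T0 + timedelta(hours=1), 900.0, "out", "addr_mixer_placeholder"),
    Tx("C-3003", _T0 + timedelta(hours=2), 500.0, "in", "addr_clean_d"),
]
SAMPLE_TIERS = {"C-1001": "low", "C-2002": "high", "C-3003": "low"}

if __name__ == "__main__":
    for alert in run_monitoring(SAMPLE_TXS, SAMPLE_TIERS):
        print(alert.rule, alert.customer, alert.ts.isoformat(), alert.evidence)
    print("alert rate, calibration plausible:", backtest_alert_rate(SAMPLE_TXS, SAMPLE_TIERS))
```

Running the sample yields two alerts (a TM-02 structuring alert for C-1001 and a TM-01 counterparty alert for C-2002) and an alert rate of 0.4. Re-running the back-test with `reporting_threshold=1_000_000` makes the structuring alert disappear, which is the kind of calibration drift the quarterly or event-driven review in the table is meant to catch; in production the rule parameters, the high-risk list and the alert log would live in versioned, access-controlled storage so that inspectors can reconstruct every decision.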
AML Compliance for Crypto Exchanges: Key Questions Answered
Does a strong KYC process reduce our transaction monitoring obligations?
No. Under every applicable regulatory framework (UAE VARA, UK MLRs 2017, and FATF Recommendation 10), transaction monitoring is a legally distinct and separate obligation from customer identification. A robust KYC process may allow you to calibrate your monitoring approach (for example, applying lower alert thresholds to higher-risk customers), but it cannot substitute for monitoring itself.
CBUAE Notice 2023/8 explicitly rejects the argument that strong onboarding controls compensate for weak post-onboarding surveillance. FCA FCG 3.2 reaches the same conclusion for UK-registered firms.
What does VARA actually look for during an inspection of a UAE VASP?
VARA’s examination framework goes well beyond reviewing onboarding documentation. Inspectors specifically assess: (1) transaction monitoring system calibration: are thresholds set at risk-plausible levels?; (2) alert governance: is there a staffed, documented, time-bound process for investigating and closing alerts?; (3) STR ratio analysis: does the firm’s suspicious transaction report filing rate reflect the risk level of its customer base and transaction volumes?; and (4) blockchain analytics integration: are on-chain screening tools embedded in the TM workflow?
A firm that presents a well-designed KYC programme but cannot demonstrate an equivalent level of sophistication in its ongoing monitoring will face regulatory concern, regardless of how thorough the onboarding process appears.
Is blockchain analytics mandatory for crypto exchanges, or just best practice?
The regulatory language is increasingly clear that on-chain analytics are an expected component of a risk-based AML programme for VASPs. FATF’s 2021 Guidance on Virtual Assets explicitly contemplates on-chain analytics as part of the risk-based approach to ongoing CDD. VARA’s examination framework treats blockchain analytics integration as an expected capability, not a voluntary enhancement.
In practical terms: a crypto exchange that cannot demonstrate on-chain screening of transaction counterparties, both incoming and outgoing, cannot credibly claim to have an adequate ongoing monitoring system under any of the applicable frameworks.
How does the UK’s POCA 2002 s.330 create exposure for TM failures?
POCA 2002 s.330 creates a criminal offence of failure to disclose where a person knows or suspects, or has reasonable grounds for knowing or suspecting, that another person is engaged in money laundering. For compliance purposes, the critical point is that the “reasonable grounds” standard is an objective one.
A firm whose transaction monitoring system is so poorly calibrated that it suppresses the generation of suspicion cannot use the absence of alerts as a defence. Where a court finds that an adequate monitoring system would have generated reasonable grounds for suspicion, the failure to have such a system is not a neutral fact; it is part of the firm’s exposure.
What is the Travel Rule and why does KYC not satisfy it?
The Travel Rule (FATF Recommendation 16, implemented in the UAE under VARA’s Rulebook and in the UK under the Money Laundering and Terrorist Financing (Amendment) Regulations 2022) requires VASPs to collect and transmit originator and beneficiary information for virtual asset transfers above the applicable threshold.
KYC processes establish the identity of your own customers at onboarding. The Travel Rule requires you to also obtain information about counterparty customers at other VASPs for each qualifying transaction: information that simply does not exist in your KYC database. Compliance requires bilateral VASP-to-VASP information exchange at the transaction level, typically via a Travel Rule protocol solution (e.g. TRISA, OpenVASP, or a commercial provider).
How often must we review and update our transaction monitoring thresholds?
There is no universal prescribed frequency in any of the applicable frameworks, because all three regulatory regimes (UAE VARA, UK FCA, and FATF) take a risk-based approach. That said, the baseline expectation is that TM calibration is reviewed at least annually, and that reviews are triggered by: (1) significant changes to the customer base or product mix; (2) regulatory guidance updates; (3) back-testing results that reveal systematic under-detection or over-detection; and (4) changes in the firm’s risk appetite or risk assessment.
VARA’s examination framework specifically tests whether TM thresholds are set at plausible risk-based levels. A threshold so high that it generates no alerts in a high-volume environment is a regulatory red flag, not evidence of a clean book.
The Regulatory Verdict Is Unanimous
Whether your exchange operates under UAE VARA, UK FCA oversight, or any jurisdiction that has adopted the FATF Recommendations, the legal position is the same: a KYC form at onboarding is a necessary but deeply insufficient component of AML compliance.
Ongoing transaction monitoring, risk-based periodic CDD, blockchain analytics, and a robust STR governance framework are not enhancements to consider; they are mandatory obligations under black-letter law. Regulators in both the UAE and UK have demonstrated an active willingness to enforce against firms that conflate the two.
Key Takeaways for Crypto Exchange Compliance Officers
If there is a single message to take from this analysis, it is this: compliance begins at onboarding, but it does not end there. The regulatory frameworks examined (VARA Rulebook 2023, UAE AML/CFT Law, MLRs 2017, FCA FCG, JMLSG Guidance, FATF Recommendations 10 and 15, Wolfsberg Principles, and Basel Committee Guidelines) all converge on the same point.
- KYC is the beginning of the relationship, not the completion of your AML obligations. The moment a customer is onboarded, the ongoing monitoring obligation activates.
- Transaction monitoring must be calibrated to your actual risk profile, not set at thresholds designed to minimise alert volumes.
- For VASPs specifically, blockchain analytics are an expected component of an effective monitoring programme, not an optional add-on.
- STR/SAR filing rates are a compliance signal. VARA inspectors and FCA reviewers both benchmark filing rates against transaction volumes and peer cohorts.
- Periodic CDD review is a legal obligation: the risk profile established at onboarding must be updated as the customer relationship develops and transaction behaviour evolves.
- Enforcement is real and financially severe. The Santander £108M fine is the most visible recent example, but it is not an outlier; it is an illustration of the regulatory direction of travel.
The crypto industry has made genuine progress on KYC infrastructure. The compliance gap that remains, and the gap that regulators are actively targeting, lies in the space between onboarding a customer and monitoring what they actually do. Closing that gap is not optional.