They should evaluate whether the exchange can prove ownership, approval, and transaction lineage, not just whether it is formally licensed. The key test is whether compliance can reconstruct who controlled the account, who approved transfers, and how funds moved across the ecosystem. If those links are weak, the exchange may be usable for sanctions evasion even when it appears legitimate.
Why This Matters for Security Teams
State-linked cryptocurrency exchanges create a compliance problem that is partly legal, partly investigative, and partly technical. A licence, registration, or public website can look legitimate while the underlying account control, approval chain, and fund flow remain opaque. For compliance teams, the question is not whether the exchange exists, but whether it can support sanctions screening, ownership verification, and transaction reconstruction under scrutiny.
This is where governance and evidence matter more than branding. Current guidance from FATF Recommendations — AML and KYC Framework and the control discipline in NIST Cybersecurity Framework 2.0 both point toward traceability, accountability, and documented controls. That same mindset appears in NHIMG research on Ultimate Guide to NHIs — Regulatory and Audit Perspectives, where control ownership and auditability are treated as first-class security requirements. In practice, many compliance teams encounter weak provenance only after funds have moved through layered wallets and delegated approvals have already obscured who actually controlled the transaction.
How It Works in Practice
Evaluation should start with three evidence questions: who controlled the exchange account, who authorised transfers, and whether the transaction lineage can be reconstructed end to end. If any of those cannot be answered with logs, attestations, and independent records, the exchange may be operationally useful for evasion even if it is formally licensed. That is especially important where the exchange is state-linked, because control may sit with ministries, proxies, or affiliated entities rather than the named corporate operator.
A practical review usually combines compliance, intelligence, and technical verification. Teams should test whether the exchange can produce customer due diligence records, beneficial ownership disclosures, sanctions-screening evidence, transaction histories, and wallet attribution support. Where possible, request machine-readable audit trails, immutable logs, and evidence of segregation between user accounts and administrative privileges. NHIMG’s Top 10 NHI Issues is useful here because many of the same failure modes appear in exchange operations: over-privileged administrative access, weak lifecycle control, and poor visibility into who can act on behalf of the platform.
- Verify beneficial ownership and any government or quasi-government control structure.
- Confirm sanctions screening covers customers, counterparties, and wallet addresses.
- Require transaction lineage that links deposits, transfers, custodial changes, and withdrawals.
- Check whether admin actions are logged, reviewed, and retained for investigations.
- Assess whether the exchange can separate routine operations from privileged approvals.
From a control perspective, NIST SP 800-53 Rev 5 Security and Privacy Controls supports this kind of evidence-driven assessment, especially around access control, audit logging, and accountability. These controls tend to break down when the exchange operates through layered custodians, offshore affiliates, or opaque wallet infrastructure because the approval chain becomes fragmented across entities that do not share a single reliable record system.
Common Variations and Edge Cases
Tighter screening often increases onboarding friction and investigative cost, requiring organisations to balance transaction access against evidentiary confidence. That tradeoff is sharper with state-linked exchanges because not every legitimate platform will provide the same level of transparency, and current guidance suggests there is no universal standard for proving sovereign influence or indirect state control.
One edge case is partial transparency. An exchange may provide strong KYC artefacts but still fail on wallet attribution or internal approval evidence. Another is delegated operation, where a third party runs the exchange while a state actor retains effective control. In those situations, the issue is not just regulatory licensing but whether compliance can demonstrate who had the authority to move value at each step. For maturity benchmarking, Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is a useful analogue: if identities and privileges are not governed across their full lifecycle, the resulting gaps show up later as audit failures or abuse paths.
Best practice is to treat unresolved provenance gaps as risk indicators, not paperwork issues. Where evidence is incomplete, organisations should escalate enhanced due diligence, reduce exposure, and document the rationale for any continued relationship. This becomes especially important when the exchange sits in a sanctions-sensitive jurisdiction or uses cross-chain transfers that obscure source-of-funds continuity.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
FATF, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| FATF | Recommendation 10 | Customer due diligence is central to testing exchange ownership and provenance. |
| NIST CSF 2.0 | GV.RM-01 | Risk management governance fits compliance review of opaque exchange relationships. |
| NIST SP 800-53 Rev 5 | AU-2 | Audit events are needed to reconstruct who approved transfers and when. |
Confirm identity, beneficial ownership, and source-of-funds evidence before accepting exposure.
Related resources from NHI Mgmt Group
- How should financial services teams evaluate AI compliance platforms for examiner readiness?
- How do compliance teams evaluate whether cloud-stored credentials are adequately protected?
- Who should evaluate IAM platforms for fit: security, IAM, or compliance teams?
- How should security teams evaluate SaaS compliance claims before buying?