TL;DR: NFT marketplaces reached $2 billion in sales in 2021, yet even large platforms often fall short of AML requirements, according to Sumsub’s guide on compliance for NFT businesses. The operational gap is no longer theoretical: marketplaces need controls that can withstand regulatory scrutiny before legislation catches up.
At a glance
What this is: A Sumsub guide argues that NFT marketplaces need AML controls now, not after regulation tightens.
Why it matters: It matters to IAM practitioners because marketplace onboarding, user verification, and identity governance often determine whether fraud, compliance, and access controls can scale together.
By the numbers:
- The NFT market is booming; 2021 has already seen $2 billion in sales.
👉 Read Sumsub's guide on how NFT marketplaces can become AML compliant
Context
NFT marketplaces sit at the intersection of user identity, transaction monitoring, and regulatory compliance. As volumes grow, the core question is not whether the sector is expanding, but whether identity and AML controls are mature enough to keep pace with that growth.
For IAM and compliance teams, the issue is familiar: onboarding controls, verification depth, and audit readiness often lag the business model. In marketplaces handling digital assets, weak identity governance can quickly become a fraud and regulatory exposure problem.
Key questions
Q: How should NFT marketplaces approach AML compliance as they scale?
A: Start with risk-based onboarding, then extend controls into transaction monitoring, escalation, and record retention. NFT marketplaces scale safely when identity verification is tied to business risk, not applied as a one-time gate. Compliance teams should design evidence trails that support both operational fraud review and regulatory audit needs.
Q: Why do NFT marketplaces struggle to stay compliant across regions?
A: Because AML requirements, identity proofing expectations, and reporting duties vary by jurisdiction. A control model that works in one market can fail in another if it cannot adapt to local rules. Teams need a compliance architecture that supports policy variation without breaking the user experience or audit trail.
Q: What breaks when identity verification is too shallow in NFT platforms?
A: Shallow verification makes it easier for bad actors to register, transact, and re-enter after enforcement actions. It also weakens the evidence needed to prove due diligence during reviews or investigations. In practice, the platform can grow quickly while its ability to explain user risk falls behind.
Q: Who should own AML compliance in an NFT marketplace?
A: Ownership should be shared across compliance, IAM, fraud, and legal, with one accountable programme lead. That structure prevents gaps between who approves identity, who detects suspicious activity, and who responds to regulatory questions. In regulated marketplaces, fragmented ownership is usually where control failure begins.
Technical breakdown
AML controls for NFT marketplace onboarding
NFT marketplaces rely on customer due diligence, identity verification, and transaction monitoring to reduce illicit activity. In practice, AML compliance means being able to identify users, assess risk, and trace activity across accounts and wallets when required by regulators. The challenge is that marketplace growth often outpaces control design, so identity checks become fragmented across registration, payments, and secondary market activity. Where verification is shallow, bad actors can move through the platform with limited friction.
Practical implication: align onboarding, verification, and monitoring so the compliance model follows the full user lifecycle, not just account creation.
Why future legislation changes the operating model
The guide frames AML readiness as a forward-looking requirement because NFT regulation is still developing across jurisdictions. That means marketplaces cannot rely on a single static compliance posture. They need evidence that policies, identity checks, and records can adapt to different legal expectations without reworking the entire platform each time the regulatory environment changes. In identity terms, this is a governance problem as much as a fraud problem.
Practical implication: design controls that can be adjusted by jurisdiction, product line, and risk tier without rebuilding the identity stack.
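One way to express the risk-tiered, jurisdiction-aware verification model described above in code. This is an added example written for this post; it is not Sumsub's product logic or any marketplace's real policy. The verification levels, the volume thresholds, the "XX" jurisdiction override and the high-risk asset labels are all constructed for illustration and do not reflect any real regulatory limit. The point it shows is that the policy (tiers, overrides, asset floors) is data that can change per market, while the evaluation path, and the evidence record it produces, stays the same.

```python
from dataclasses import dataclass
from enum import IntEnum


class VerificationLevel(IntEnum):
    """Verification depth a user has completed (constructed ladder)."""
    NONE = 0
    BASIC = 1      # e.g. email and phone confirmed
    STANDARD = 2   # government ID verified
    ENHANCED = 3   # ID plus enhanced due diligence (e.g. source of funds)


# Global baseline: required depth rises with 30-day transaction exposure.
# Thresholds are constructed for illustration, not any jurisdiction's real limits.
GLOBAL_TIERS = [
    (0, VerificationLevel.BASIC),
    (1_000, VerificationLevel.STANDARD),
    (10_000, VerificationLevel.ENHANCED),
]

# Per-jurisdiction overrides replace the global ladder for that market.
# "XX" is a constructed placeholder for a stricter regime.
JURISDICTION_TIERS = {
    "XX": [(0, VerificationLevel.STANDARD), (5_000, VerificationLevel.ENHANCED)],
}

# Asset classes that raise the verification floor regardless of amount (constructed labels).
HIGH_RISK_ASSETS = {"fractionalised", "bridged"}


@dataclass
class User:
    user_id: str
    jurisdiction: str
    level: VerificationLevel
    rolling_30d_volume: float = 0.0


@dataclass
class Transaction:
    amount: float
    asset_type: str


def required_level(jurisdiction: str, exposure: float, asset_type: str) -> VerificationLevel:
    """Resolve the verification depth the policy demands for this exposure."""
    tiers = JURISDICTION_TIERS.get(jurisdiction, GLOBAL_TIERS)
    level = VerificationLevel.NONE
    for threshold, tier_level in tiers:
        if exposure >= threshold:
            level = max(level, tier_level)
    if asset_type in HIGH_RISK_ASSETS:
        level = max(level, VerificationLevel.STANDARD)
    return level


def evaluate(user: User, tx: Transaction) -> dict:
    """Decide allow vs step-up and return the evidence record to log with the decision."""
    exposure = user.rolling_30d_volume + tx.amount
    need = required_level(user.jurisdiction, exposure, tx.asset_type)
    allowed = user.level >= need
    return {
        "user_id": user.user_id,
        "jurisdiction": user.jurisdiction,
        "asset_type": tx.asset_type,
        "exposure": exposure,
        "required_level": need.name,
        "current_level": user.level.name,
        "decision": "allow" if allowed else "step_up",
    }


if __name__ == "__main__":
    alice = User("u-1", "US", VerificationLevel.BASIC, rolling_30d_volume=500)
    print(evaluate(alice, Transaction(300, "standard")))   # allow: exposure 800 needs BASIC
    print(evaluate(alice, Transaction(600, "standard")))   # step_up: exposure 1100 needs STANDARD
    bob = User("u-2", "XX", VerificationLevel.BASIC)
    print(evaluate(bob, Transaction(10, "standard")))      # step_up: XX ladder starts at STANDARD
```

The evidence record returned by `evaluate` is the part worth keeping: it captures which ladder was applied, what exposure was computed and what level the user held at decision time, which is exactly what a reviewer needs later when a jurisdiction's thresholds have since changed.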
Compliance, fraud prevention, and user access governance
NFT compliance programs work only when fraud prevention and access governance are treated as one operating model. If identity proofing is weak, account abuse becomes easier. If access and transaction controls are inconsistent, suspicious behaviour is harder to detect and prove. The result is a governance gap between who can join the platform and what they can do once inside it. For regulated marketplaces, that gap is where most operational risk accumulates.
Practical implication: connect verification, fraud detection, and audit logging so compliance evidence is available before an investigation starts.
NHI Mgmt Group analysis
AML readiness is fundamentally an identity governance problem, not just a legal one. NFT marketplaces cannot separate user verification from access control and transaction oversight without creating blind spots. The article’s core message is that compliance becomes operational only when identity proofing, monitoring, and lifecycle controls are designed together. Practitioners should treat the marketplace account as a governed identity, not a sign-up form.
Fast-growing digital asset platforms amplify the cost of weak onboarding. When a marketplace scales faster than its verification model, fraudulent actors inherit the same access path as legitimate users. That is not a niche compliance issue; it is a governance failure that affects auditability, trust, and escalation response. Practitioners should view onboarding as the first control point in the compliance chain.
Jurisdictional change is the real stress test for NFT compliance. A control set that works in one market can collapse when applied across multiple regulatory regimes. The practical lesson is that compliance architecture must support evidence, policy variation, and reviewability at scale. Practitioners should build for change rather than assume a fixed ruleset.
Marketplace identity risk spans human identity, fraud controls, and lifecycle governance. NFT operations require the same discipline IAM teams use for regulated customer journeys: proofing, risk scoring, logging, and exception handling. The difference is that asset transfer and identity misuse can happen at platform speed. Practitioners should align compliance ownership across IAM, fraud, and legal teams instead of treating them as separate workstreams.
From our research:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly identity blind spots become governance blind spots.
- For the lifecycle side of this problem, read the NHI Lifecycle Management Guide for the operational controls that make access review and offboarding usable at scale.
What this signals
NFT marketplaces are a reminder that compliance architecture fails when identity governance is treated as a front-door check only. Once a platform starts processing value, verification, logging, and exception handling need to move together. The practical signal for programme owners is that onboarding controls must be reviewed alongside fraud monitoring and audit evidence, not separately.
The next maturity step is control consistency across regions and product flows. Teams that can vary policy by jurisdiction without breaking evidence collection will be better positioned when regulation tightens, while those that cannot will keep reacting after the fact.
For practitioners
- Strengthen onboarding verification: Require risk-based identity verification before users can transact, not just before they create accounts. Tie verification depth to transaction limits, geography, and asset type so compliance checks scale with exposure.
- Map AML controls to the full user lifecycle: Review how access, wallet linkage, and transaction permissions change after registration, escalation, and account recovery. The goal is to keep compliance evidence intact across the entire user lifecycle, not only at entry.
- Prepare for jurisdiction-specific control changes: Document which AML controls vary by market and which remain global. Use that mapping to speed policy updates when new local rules affect KYC, recordkeeping, or escalation thresholds.
- Unify fraud and compliance evidence: Make sure suspicious activity alerts, verification results, and audit logs can be reviewed together. This reduces the chance that a compliant-looking account still carries unresolved fraud risk.
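The last two practitioner items (lifecycle-aware evidence and unified fraud/compliance review), as an added example rather than code from Sumsub or this post's authors. It joins three constructed event feeds (KYC verification results, fraud alerts, and the platform audit log) into one timeline per account and flags the situations the text describes: a transaction made without valid verification, a transaction made while an alert is still open, and a "compliant-looking" account that is verified but carries an unresolved alert. The sample events, account ids and alert ids are constructed, and the rule that account recovery invalidates prior verification until the user is re-proofed is a policy assumption made for the example.

```python
from collections import defaultdict

# Constructed sample events from three sources. Timestamps are ISO-8601 UTC strings,
# which sort correctly as text, so no datetime parsing is needed here.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "account": "acct-1", "source": "kyc",   "type": "verification", "result": "pass"},
    {"ts": "2024-03-01T11:00:00", "account": "acct-1", "source": "audit", "type": "transaction", "amount": 250},
    {"ts": "2024-03-02T09:00:00", "account": "acct-1", "source": "fraud", "type": "alert", "alert_id": "A-1", "status": "open"},
    {"ts": "2024-03-02T09:30:00", "account": "acct-1", "source": "audit", "type": "transaction", "amount": 900},
    {"ts": "2024-03-01T08:00:00", "account": "acct-2", "source": "kyc",   "type": "verification", "result": "pass"},
    {"ts": "2024-03-03T08:00:00", "account": "acct-2", "source": "audit", "type": "account_recovery"},
    {"ts": "2024-03-03T08:05:00", "account": "acct-2", "source": "audit", "type": "transaction", "amount": 400},
    {"ts": "2024-03-04T08:00:00", "account": "acct-3", "source": "audit", "type": "transaction", "amount": 50},
    {"ts": "2024-03-01T12:00:00", "account": "acct-4", "source": "fraud", "type": "alert", "alert_id": "A-2", "status": "open"},
    {"ts": "2024-03-01T13:00:00", "account": "acct-4", "source": "fraud", "type": "alert", "alert_id": "A-2", "status": "closed"},
]


def build_evidence(events):
    """Replay all sources in time order and return per-account state plus findings."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_account[e["account"]].append(e)

    report = {}
    for account, evs in by_account.items():
        verified = False          # current verification state
        open_alerts = set()       # alerts not yet closed by the fraud team
        findings = []
        for e in evs:
            t = e["type"]
            if t == "verification":
                verified = e["result"] == "pass"
            elif t == "account_recovery":
                # Policy assumption for this example: recovery resets verification
                # until the user is re-proofed, so evidence stays tied to the right person.
                verified = False
            elif t == "alert":
                if e["status"] == "open":
                    open_alerts.add(e["alert_id"])
                else:
                    open_alerts.discard(e["alert_id"])
            elif t == "transaction":
                if not verified:
                    findings.append(("transaction_without_valid_verification", e["ts"]))
                if open_alerts:
                    findings.append(("transaction_with_unresolved_alert", e["ts"]))
        # End-state check: the account looks compliant but fraud review is not done.
        if verified and open_alerts:
            findings.append(("verified_account_with_open_alert", sorted(open_alerts)))
        report[account] = {
            "verified": verified,
            "open_alerts": sorted(open_alerts),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for account, state in build_evidence(EVENTS).items():
        print(account, state)
```

Run against the constructed feed, acct-1 shows the "compliant-looking but unresolved" case, acct-2 shows evidence breaking at account recovery, acct-3 transacts with no verification on record at all, and acct-4 is clean because its alert was closed before anything else happened. The useful design point is that all three sources are replayed through one state machine, so the reviewer sees the verification state and alert state that actually applied at the moment of each transaction, not the state as it is today.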
Key takeaways
- NFT marketplace AML compliance depends on identity governance, not just policy language.
- Growth without lifecycle-aware verification creates a compliance gap that regulators will eventually test.
- Practitioners should align onboarding, monitoring, and audit evidence so AML controls remain usable as the platform scales.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Marketplace onboarding and access decisions depend on verified identity and least privilege. |
| NIST CSF 2.0 | DE.CM-1 | AML monitoring relies on continuous detection of suspicious platform behaviour. |
| NIST SP 800-63 | Digital Identity Guidelines (identity proofing and authentication assurance levels) | Identity proofing and authentication principles matter for regulated marketplace onboarding. |
Apply assurance-based identity proofing and authentication methods that match marketplace risk.
Key terms
- AML compliance: Anti-money laundering compliance is the set of controls that help an organisation detect, prevent, and report suspicious financial activity. In marketplaces, it usually combines identity verification, transaction monitoring, recordkeeping, and escalation procedures so the business can prove due diligence to regulators.
- Identity proofing: Identity proofing is the process of establishing that a user is who they claim to be before granting access or transaction rights. In regulated digital platforms, it supports AML, fraud prevention, and auditability by creating a defensible link between the account and a real person or entity.
- User lifecycle governance: User lifecycle governance is the discipline of managing identity from registration through access changes, recovery, escalation, and offboarding. In compliance-heavy environments, it ensures the platform can explain who did what, when, and under which approval or verification state.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Sumsub: How NFT Marketplaces Can Become AML Compliant. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org