Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk How should crypto firms handle AML compliance across…
Governance, Ownership & Risk

How should crypto firms handle AML compliance across multiple jurisdictions?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

They should build a control map that ties each jurisdiction’s AML and CFT obligations to a specific owner, evidence source, and review cadence. The key is not to centralise every rule, but to standardise how obligations are translated into monitoring, reporting, and escalation workflows across the business.

Why This Matters for Security Teams

For crypto firms, aml compliance is not just a legal checklist. It is a control-mapping problem that spans transaction monitoring, sanctions screening, customer due diligence, suspicious activity escalation, and evidence retention across multiple regulators. The hard part is that obligations rarely align neatly: a process that satisfies one jurisdiction may be insufficient, overbroad, or poorly documented in another. That is why current guidance favours jurisdiction-specific obligation mapping tied to named owners and testable controls, rather than a single global policy.

Firms that treat AML as a one-time legal review often miss how quickly operating models change. New products, self-custody flows, cross-border customers, and outsourced analytics can all shift the compliance burden. A useful starting point is the FATF baseline in the FATF Recommendations — AML and KYC Framework, then translate it into operational evidence and review cadence. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant here because crypto compliance increasingly depends on the integrity of non-human workflows, not just policy documents.

In practice, many security teams encounter AML control gaps only after an audit finding, regulator inquiry, or incident has already exposed inconsistent evidence collection.

How It Works in Practice

The most reliable operating model is to treat each jurisdiction as a control variant, not a separate program. Start with a master obligation register that breaks AML duties into concrete tasks: identity verification, risk scoring, monitoring thresholds, alert triage, case management, filing timelines, record retention, and governance approvals. Then assign each task to an accountable owner, a system of record, and a test method. This approach mirrors the discipline behind the NIST Cybersecurity Framework 2.0, where governance, detection, and response are translated into measurable outcomes.

In practice, firms should separate global standards from local overlays. For example, a common customer onboarding workflow may feed different rule sets for sanctions screening, source-of-funds checks, suspicious activity reporting, and retention by jurisdiction. Evidence should be generated as part of the workflow, not reconstructed later for audit. That means immutable case notes, time-stamped alert decisions, exportable screening logs, and documented escalation paths. The control environment should also cover third-party tools used for chain analytics, screening, and case management, because outsourcing does not outsource accountability. NHIMG’s Lifecycle Processes for Managing NHIs is useful because the same governance issue appears in service accounts, automation tokens, and API-driven compliance workflows.

  • Maintain one global AML control map with jurisdiction-specific deltas.
  • Define control owners for legal, compliance, security, and operations.
  • Link each obligation to evidence sources such as logs, cases, and approvals.
  • Test monitoring thresholds and escalation paths on a fixed review cadence.
  • Document exceptions when local law conflicts with the global operating model.

These controls tend to break down when transaction monitoring and case handling are split across multiple vendors without a single evidence model, because investigators cannot reliably prove what was screened, who approved it, or which rule set applied.

Common Variations and Edge Cases

Tighter AML controls often increase operational overhead, requiring organisations to balance standardisation against local legal nuance. There is no universal standard for every jurisdictional edge case, especially where crypto activity overlaps with travel rule implementation, privacy restrictions, or local reporting thresholds. Current guidance suggests preserving a common governance spine while allowing country-specific procedures for filing, escalation, and retention.

The main edge cases involve product and entity structure. A central exchange, a brokerage, a custody service, and a DeFi-facing interface may face different AML expectations even when they share the same customer base. Cross-border groups also need a decision rule for conflicts: if one jurisdiction requires stronger KYC or longer retention, the firm may need to apply the stricter control globally for that product line. That should be documented as a deliberate risk decision, not hidden inside operations.

Crypto firms should also pay close attention to non-human identities because automated screening, wallet-risk scoring, and reporting pipelines often run through service accounts and API keys. Weak governance here can undermine the entire AML chain, even when the policy is sound. The broader control lesson from NHIMG’s Top 10 NHI Issues is that accountability fails fastest where automation is treated as infrastructure rather than a governed control surface. In short, multi-jurisdiction AML compliance is less about finding one perfect rule set and more about proving disciplined local adaptation.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Multi-jurisdiction AML needs governed risk decisions and assigned accountability.
NIST SP 800-53 Rev 5AU-2AML evidence depends on complete audit logging and traceable review actions.

Set ownership for each AML obligation and review jurisdictional risk changes on a fixed cadence.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org