Subscribe to the Non-Human & AI Identity Journal
Home FAQ NHI & Agent Identity in the Broader IAM Ecosystem Why do crypto exchanges create AML and sanctions…
NHI & Agent Identity in the Broader IAM Ecosystem

Why do crypto exchanges create AML and sanctions risk beyond direct customers?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: NHI & Agent Identity in the Broader IAM Ecosystem

Crypto exchanges can route activity through intermediaries, wallets, and offshore touchpoints that blur the line between direct and indirect exposure. That makes them a compliance issue even when they are not the end user. The risk grows when identity resolution is weak, because suspicious activity can look ordinary unless the organisation can connect related accounts and counterparties.

Why This Matters for Security Teams

Crypto exchanges are not just customer-facing marketplaces. They sit in the path of deposits, withdrawals, wallet hops, and third-party services that can conceal the true source, destination, or control of funds. That creates AML and sanctions exposure even when the exchange never directly onboards the ultimate beneficial owner. Controls must therefore look beyond account registration and into transaction adjacency, wallet clustering, and counterparty risk.

This is where identity resolution becomes a compliance control, not just a security feature. If the exchange cannot reliably connect linked accounts, shared devices, reused infrastructure, or coordinated counterparties, it can miss sanctions evasion patterns that appear ordinary at the surface. Guidance from the FATF Recommendations — AML and KYC Framework makes clear that customer due diligence alone is not enough when risk is inherited through intermediaries and payment chains.

NHIMG research on Ultimate Guide to NHIs — Why NHI Security Matters Now shows why this matters operationally: 92% of organisations expose NHIs to third parties, which is a useful analogue for exchange ecosystems where exposure is often indirect and hard to trace. In practice, many security and compliance teams detect the pattern only after a suspicious flow has already been processed, rather than through intentional networked-risk review.

How It Works in Practice

Exchanges create indirect AML and sanctions risk because the relevant compliance object is often not the named customer alone. A single account may be funded by one party, controlled by another, and used to move value to a third. Offshore entities, nested services, custodians, payment processors, and self-hosted wallets can all disrupt straightforward screening. Current guidance suggests treating these relationships as risk-bearing contexts that require ongoing monitoring, not one-time onboarding checks.

A practical program combines KYC, transaction monitoring, sanctions screening, and graph-based relationship analysis. The goal is to identify patterns such as shared funding sources, repeated withdrawal destinations, rapid peel chains, or clusters of accounts that behave like a coordinated network. In this model, identity data, device signals, IP reputation, and wallet analytics all support the same question: is the exchange dealing with one customer, or a managed network of related actors?

  • Screen customers and counterparties at onboarding and continuously during the relationship.
  • Monitor for typologies such as layering, structuring, chain hopping, and rapid movement to higher-risk jurisdictions.
  • Correlate accounts using device, behavioural, and infrastructure signals to detect linked control.
  • Escalate cases where beneficial ownership, source of funds, or wallet control cannot be reasonably established.

This is also where NHI-style governance becomes relevant. Exchange infrastructure relies on API keys, service accounts, automation, and third-party integrations that can move funds, query balances, or trigger withdrawals. NHIMG’s Top 10 NHI Issues highlights how weak visibility and excessive privileges can create hidden pathways for abuse. The same lesson applies to exchanges: if non-human access is not tightly governed, compliance teams may not be able to trust the transaction trail they are reviewing. These controls tend to break down when exchanges rely on fragmented vendor data because linked activity cannot be resolved into a single defensible risk view.

Common Variations and Edge Cases

Tighter sanctions and AML controls often increase friction, false positives, and operational cost, requiring organisations to balance user experience against regulatory defensibility. That tradeoff becomes sharper in high-volume markets, where legitimate trading patterns can resemble obfuscation if the monitoring model is too coarse.

There is no universal standard for this yet, especially where decentralised wallets, hosted custody, and cross-border payment rails intersect. Best practice is evolving toward risk-based monitoring that adapts thresholds by jurisdiction, asset type, and counterparty exposure. For example, a retail customer sending funds to a known exchange wallet is not equivalent to a newly created account routing funds through multiple hops into a sanctioned region.

Edge cases also matter for operational resilience. Sudden changes in chain analytics coverage, sanctions lists, or third-party screening feeds can create blind spots if the exchange has not designed for fallback review and manual escalation. The NIST Cybersecurity Framework 2.0 is useful here because it reinforces governance, detection, and response as connected functions rather than isolated controls. For exchanges, that means AML and sanctions review must be integrated with security telemetry, not treated as a separate after-the-fact process.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-63 set the technical controls, while DORA, NIS2 and PCI DSS v4.0 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0GV.RM-01Risk governance is needed for indirect AML and sanctions exposure across exchange relationships.
NIST SP 800-63IAL2Identity proofing strength affects how confidently exchanges can link customers to risky activity.
DORAICT risk managementOperational resilience matters when screening, analytics, or vendor feeds fail in real time.
NIS2Risk management measuresExchange platforms depend on resilient monitoring, logging, and third-party controls.
PCI DSS v4.012.10Incident response discipline supports rapid action when suspicious flows or abuse are detected.

Define and review risk appetite for indirect exposure, then tie monitoring thresholds to that appetite.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org