.png)
Sanctions Screening for Crypto / VASPs
Sanctions screening crypto controls are now core compliance infrastructure for exchanges, custodians, and other VASPs, as FATF, OFAC, the EU, and the UK continue tightening expectations around AML, Travel Rule compliance, and risk-based monitoring.
Sanctions screening has become a core compliance function for crypto exchanges, custodians, and other virtual asset service providers (VASPs) as global regulators intensify expectations around AML, Travel Rule implementation, and risk-based monitoring. With guidance from FATF, OFAC, the EU, and the UK making clear that digital assets do not reduce sanctions obligations, firms must now go beyond basic checks and adopt integrated controls that combine KYC, transaction monitoring, and blockchain analytics. The evolving threat landscape, including the growing use of stablecoins and cross-border illicit activity, means crypto businesses are increasingly judged on their ability to identify high-risk actors, detect indirect exposure, and respond to suspicious activity in real time.
{{snippets-guide}}
Why crypto companies and VASPs are so closely linked to sanctions screening
Sanctions screening matters in crypto because virtual assets do not remove sanctions obligations. OFAC states that its sanctions obligations apply regardless of whether a transaction is denominated in digital currency or traditional fiat currency, and its virtual currency guidance was published specifically to help the industry understand how sanctions requirements apply in this sector. OFAC also makes clear that digital currency addresses can appear on the SDN List, while warning that listed addresses are not likely to be exhaustive. That means a crypto business cannot rely only on simple wallet-address matching and assume the problem is solved.
That point is becoming more important, not less. FATF’s 2025 targeted update says the use of stablecoins by illicit actors has continued to increase, that most on-chain illicit activity now involves stablecoins, and that jurisdictions still face major challenges around offshore VASPs and effective supervision. FATF also noted that the largest single virtual asset theft in history, the $1.46 billion ByBit theft attributed to DPRK actors, showed how hard asset recovery remains in this sector.
For compliance teams, this means sanctions screening in crypto has to operate on multiple levels at once. It is not enough to screen a customer once at onboarding. Firms need to understand the person or entity behind the account, identify whether sanctions exposure exists directly or indirectly, and assess whether transaction patterns, wallet behavior, or counterparty exposure suggest evasion risk. In practice, crypto compliance is now a blend of sanctions controls, AML controls, and risk-based monitoring rather than a collection of isolated checks.
FATF requirements and why they matter for VASPs
At the global level, the FATF framework is the starting point. FATF Recommendation 15 and its Interpretive Note were updated to apply AML/CFT measures to virtual assets and VASPs, and FATF’s 2025 update says jurisdictions have made progress but still need stronger work on licensing, registration, supervision, and offshore risk mitigation. FATF also reported that 99 jurisdictions have passed or are in the process of passing legislation implementing the Travel Rule, which FATF describes as a key transparency requirement for cross-border payments.
For VASPs, the FATF message is significant for two reasons. First, crypto businesses should assume that AML, sanctions, and Travel Rule expectations are becoming more standardized across major jurisdictions, even if implementation is uneven. Second, FATF’s focus on offshore VASPs and borderless activity means firms cannot assume that weak local enforcement protects them from counterparties, de-risking pressure, or future enforcement exposure. The more a business touches regulated financial systems, stablecoins, or cross-border transfers, the more important FATF-aligned controls become.
United States: OFAC and FinCEN expectations
In the United States, crypto firms need to think about both sanctions law and Bank Secrecy Act obligations. OFAC’s industry-specific guidance for the virtual currency industry says it is intended to help the sector navigate and comply with OFAC sanctions, and OFAC’s FAQ guidance confirms that sanctions obligations do not change simply because the transaction is in digital currency rather than fiat. OFAC also allows users to search digital currency addresses in its Sanctions List Search tool, but because OFAC says listed addresses are not likely to be exhaustive, firms need broader controls than list matching alone.
FinCEN’s 2019 guidance remains foundational for the U.S. treatment of many virtual currency business models. FinCEN said the guidance was issued to remind persons subject to the Bank Secrecy Act how money services business regulations apply to business models involving convertible virtual currency, and it emphasized that the guidance consolidated existing rules rather than creating an entirely new regime. In practice, that means many crypto businesses that accept and transmit value can fall into regulated categories and face AML program, monitoring, and reporting duties.
Recent enforcement reinforces the point. In July 2025, FinCEN assessed a $3.5 million penalty against Paxful for willful BSA violations and said the platform facilitated more than $500 million in suspicious activity involving illicit actors, including activity involving Iran, North Korea, and Venezuela. That case is a strong reminder that crypto businesses are not judged only on growth and product design. They are judged on whether they can detect and control sanctions and AML risk in practice.
European Union: CASPs, the Travel Rule, and traceability
In the EU, crypto regulation is becoming more structured and more operational. Regulation (EU) 2023/1113 extended the transfer-of-funds framework to certain crypto-asset transfers, and the EBA’s 2024 guidance explains that the EU “travel rule” requires information accompanying transfers of funds and certain crypto-assets and specifies what CASPs and intermediary CASPs must do when information is missing or incomplete. The EBA also states that the purpose is to allow authorities to trace transfers where necessary to prevent, detect, or investigate money laundering and terrorist financing.
For crypto companies, this has direct operational implications. Screening cannot be treated as a narrow onboarding step if transfer traceability obligations continue throughout the life of the transaction. A CASP needs to know not only who its customer is, but whether originator and beneficiary information is complete, whether a transfer should proceed, and whether the transaction creates sanctions or AML escalation. In the EU model, sanctions screening crypto controls and Travel Rule controls increasingly work together rather than separately.
United Kingdom: FCA supervision and OFSI sanctions risk
In the UK, cryptoasset businesses providing certain services by way of business in the UK must register with the FCA under the Money Laundering Regulations, and the FCA states plainly that it is the AML/CTF supervisor of UK cryptoasset businesses under that regime. The FCA page was updated in February 2026, which shows this remains a live supervisory area rather than a frozen 2020-era framework.
The UK has also become more explicit about sanctions risk in this sector. In July 2025, the Office of Financial Sanctions Implementation published a sector-specific threat assessment for cryptoassets to support a risk-based approach to sanctions compliance. That publication matters because it confirms that UK authorities no longer view crypto sanctions exposure as incidental. It is now a distinct, assessed compliance risk requiring sector-specific controls.
For firms operating in or from the UK, that means AML registration and supervision are only part of the story. The sanctions perimeter also has to be managed actively, especially where customers, wallets, counterparties, or transaction flows may intersect with sanctioned persons, jurisdictions, or typologies.
What good sanctions screening looks like in crypto
Effective sanctions screening for crypto businesses should be broader than a one-time name check or a static wallet blacklist. At the customer level, firms need screening at onboarding and on an ongoing basis against sanctions lists, PEP datasets, and other relevant risk sources. At the transaction level, they need controls that can identify whether transfers involve high-risk jurisdictions, sanctioned parties, blocked wallet addresses, or patterns consistent with evasion. At the network level, they increasingly need blockchain analytics to identify indirect exposure, because OFAC itself warns that listed digital currency addresses are not exhaustive.
This is why crypto compliance teams often combine traditional screening with on-chain monitoring. A customer may pass a sanctions name screen but still create serious exposure if their wallet interacts with a sanctioned address cluster, a mixer tied to illicit finance, or a counterparty route associated with sanctioned jurisdictions. The control model therefore needs both identity-based and behavior-based screening.
How crypto companies and VASPs can reduce risk exposure
The first step is to stop treating sanctions screening as a narrow legal requirement and start treating it as live operational infrastructure. Firms should align onboarding, sanctions checks, wallet screening, Travel Rule controls, and transaction monitoring so that risk signals are not trapped in separate systems. A fragmented model almost always produces blind spots.
The second step is to build jurisdiction-specific logic into the compliance program. A VASP serving customers in the United States, European Union, or United Kingdom cannot rely on a generic global standard alone. U.S. firms need to understand both OFAC and FinCEN expectations. EU firms need to operationalize the Travel Rule framework for crypto transfers. UK firms need to account for both FCA AML supervision and UK financial sanctions exposure.
The third step is to strengthen ongoing monitoring. FATF’s 2025 update shows that illicit finance threats in crypto are evolving quickly, particularly around stablecoins, scams, DPRK-linked theft, and offshore VASP exposure. A one-time onboarding screen cannot adequately address a risk environment that changes this fast.
The fourth step is to improve auditability. Regulators increasingly expect firms to explain why a customer was onboarded, why a transfer was allowed, what data was checked, and what happened when an alert was generated. Crypto businesses that cannot document those decisions will struggle in an examination or enforcement context even if they have screening tools in place. OFAC’s guidance for the virtual currency industry is best read in that context: screening is part of a broader sanctions compliance program, not a substitute for one.
Conclusion
Sanctions screening crypto controls are now central to how VASPs manage financial crime risk. FATF’s latest work shows that global implementation is improving but still uneven, that Travel Rule expectations are expanding, and that stablecoins and offshore activity are increasing risk rather than reducing it. At the same time, U.S., EU, and UK regulators have made it clear that crypto businesses are subject to real sanctions and AML expectations, not a lighter parallel regime.
For crypto firms, the implication is straightforward. If you move value, custody assets, facilitate transfers, or provide virtual asset services, sanctions and AML screening must be embedded into the business model itself. The firms that reduce exposure most effectively will be the ones that combine strong KYC, sanctions screening, wallet analytics, Travel Rule controls, and ongoing monitoring into one defensible compliance workflow.
sanctions.io is a highly reliable and cost-effective solution for real-time screening. AI-powered and with an enterprise-grade API with 99.99% uptime are reasons why customers globally trust us with their compliance efforts and sanctions screening needs.
To learn more about how our sanctions, PEP, and criminal watchlist screening service can support your organisation's compliance program: Book a free Discovery Call.
We also encourage you to take advantage of our free 7-day trial to get started with your sanctions and AML screening (no credit card is required).
