Why crypto payments create AML risk

Unlike a bank transfer, where your bank performs sanctions screening and fraud checks before the funds reach you, a cryptocurrency payment arrives in your wallet with no intermediary screening. The funds could have come from a sanctioned individual, a darknet market, or a mixer designed to launder criminal proceeds — and you would have no way of knowing unless you check.

Receiving funds from a sanctioned source — even unknowingly — can constitute a sanctions violation under both UK and US law. The regulators' position is that ignorance is not an adequate defence if reasonable due diligence was not performed.

Who is regulated under UK AML law?

In the UK, businesses involved in cryptocurrency are regulated under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended. The Financial Conduct Authority (FCA) is the supervisory authority for cryptoasset businesses.

Businesses that must register with the FCA and comply with AML regulations include:

  • Cryptoasset exchange providers (businesses exchanging crypto for fiat or crypto-to-crypto)
  • Custodian wallet providers
  • Any business conducting certain financial activities using cryptoassets

However, even businesses that are not FCA-registered crypto firms — such as a retailer or professional services firm that accepts crypto as payment — have obligations under UK sanctions law administered by OFSI (Office of Financial Sanctions Implementation).

Sanctions screening for crypto payments

The minimum standard for any business accepting cryptocurrency should be to screen the sending wallet address against the OFAC SDN list and the UK OFSI consolidated list before accepting payment. This process takes seconds with the right tools and provides a documented record that due diligence was performed.

If the sending address matches a sanctioned entity, you should not accept the payment and should consider reporting to OFSI (UK) or OFAC (US, if applicable) depending on your jurisdiction.

Beyond sanctions screening — risk assessment

Thorough crypto payment due diligence goes beyond simply checking the sending address against a sanctions list. A professional wallet screening includes:

  • Checking whether the sending address has had any contact with mixers or tumblers
  • Checking whether funds originated from or passed through darknet markets
  • Assessing the overall risk score of the wallet's transaction history
  • Checking stablecoin blacklists (for USDT and USDC payments)

A wallet with a high risk score — even without a direct sanctions match — should prompt enhanced due diligence before a payment is accepted.

Practical steps for businesses

Before accepting any crypto payment of significance:

  1. Ask the payer for the sending wallet address in advance
  2. Screen the address against OFAC and OFSI sanctions lists
  3. Run a basic risk assessment — has this wallet had mixer or darknet contact?
  4. Document your screening process and results
  5. Only accept the payment if the screening is satisfactory

For high-value payments or ongoing crypto payment arrangements, a professional wallet screening report provides documented evidence of due diligence that can protect the business in the event of a regulatory enquiry.
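The screening steps above can be expressed as a small decision function that also produces the documented record. This is an added example, not code from any screening provider: the list entries are constructed placeholders, and the `exposure` input shape, the 0-100 score scale, the threshold of 70 and the choice to treat any mixer, darknet or blacklist flag as a trigger for enhanced due diligence are all assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholder entries, NOT real list data. In practice, load the
# current OFAC SDN and UK OFSI publications and record which version you used.
SANCTIONED = {
    "OFAC SDN": {"0x" + "ab" * 20},
    "UK OFSI": {"1ExamplePlaceholderAddressNotReal"},
}
RISK_THRESHOLD = 70  # assumed internal policy threshold on a 0-100 score
EXPOSURE_FLAGS = ("mixer", "darknet", "stablecoin_blacklisted")


def normalise(address):
    """Hex (0x) and bech32 (bc1) addresses are case-insensitive; Base58 is not."""
    a = address.strip()
    return a.lower() if a.lower().startswith(("0x", "bc1")) else a


def screen(address, exposure, now=None):
    """Steps 2-5: sanctions check, risk assessment, decision, audit record.

    `exposure` is a hypothetical analytics result, e.g.
    {"mixer": False, "darknet": False, "risk_score": 12}.
    """
    addr = normalise(address)
    hits = sorted(name for name, entries in SANCTIONED.items()
                  if addr in {normalise(e) for e in entries})
    flags = [f for f in EXPOSURE_FLAGS if exposure.get(f)]
    score = exposure.get("risk_score")
    if hits:
        decision = "REJECT"  # sanctions match: do not accept the payment
    elif flags or score is None or score >= RISK_THRESHOLD:
        decision = "ENHANCED_DUE_DILIGENCE"  # missing risk data fails closed
    else:
        decision = "ACCEPT"
    record = {
        "address": addr,
        "screened_at": (now or datetime.now(timezone.utc)).isoformat(),
        "lists_checked": sorted(SANCTIONED),
        "sanctions_hits": hits,
        "exposure_flags": flags,
        "risk_score": score,
        "decision": decision,
    }
    # Digest of the canonical record; store it separately so later edits show.
    canonical = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(canonical).hexdigest()
    return record
```

Normalising before comparison matters because a plain string match would miss a listed `0x` address written in different letter case, while lowercasing a Base58 address would compare against a different address entirely.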

What to do if you receive a suspicious payment

If you have already received a cryptocurrency payment that you now believe may be connected to fraud, sanctions violations, or money laundering:

  • Do not spend or transfer the funds immediately
  • Seek legal advice before taking any action
  • Consider obtaining a professional blockchain trace of the incoming payment
  • Consider whether you have Suspicious Activity Reporting (SAR) obligations under the Proceeds of Crime Act 2002

Tipping off: Under UK law, once you have submitted a Suspicious Activity Report to the National Crime Agency, you must not "tip off" the person involved that a report has been made. Take legal advice before discussing the matter with the payer.

The cost of getting it wrong

OFSI can impose significant civil financial penalties on businesses that breach UK financial sanctions, even without criminal intent. The maximum civil penalty is the greater of £1 million or 50% of the value of the breach. OFAC can impose even larger penalties for US-connected breaches.

For most businesses, the cost of a professional wallet screening report is trivial compared to the potential cost of a sanctions breach. It is a form of insurance.