EST · MMXXVI
Home/Jurisdictions/United States/Regulator aml audit defence in United States (federal + state MTL)
Compliance, AML & Travel Rule

Regulator aml audit defence in United States (federal + state MTL)

Regulator aml audit defence in United States (federal + state MTL). Cross-border digital-asset legal counsel for business – licensing, disputes and structuring.

A payments company holding a federal money-services-business registration and two state money-transmitter licences receives a FinCEN examination notice. The clock starts immediately. Every gap in transaction-monitoring logic, every incomplete Travel Rule (the obligation to pass originator and beneficiary data with a virtual-asset transfer) file, and every missing risk-assessment narrative becomes a potential finding – and findings have consequences that run from civil money penalties to licence revocation. Operating without an adequate AML (anti-money-laundering) program in the United States exposes the business to enforcement across two simultaneous tracks: federal and state.

The United States applies a layered compliance architecture to virtual asset service providers (VASPs). At the federal level, FinCEN administers the Bank Secrecy Act requirements; the SEC and CFTC each assert authority where tokens qualify as securities or derivatives; OFAC administers sanctions screening. At the state level, businesses serving US residents typically need a money-transmitter licence (MTL) from each state in which they operate, with each state regulator holding independent examination authority. This page explains how an AML audit defence is structured, what regulators look for, and where cross-border operators face the highest exposure.

The Federal AML Architecture: FinCEN, BSA and the VASP Perimeter

Any business that qualifies as a money services business (MSB) under the Bank Secrecy Act must register with FinCEN and maintain a written AML program. For crypto businesses, this covers exchanges, administrators of convertible virtual currencies, certain wallet providers and payment processors. The program must be risk-based, written, and approved by senior management – not a template adopted unchanged from a compliance vendor.

FinCEN examiners look beyond documentation. In our practice, the most common finding is a gap between the written program and actual operational controls: a policy that says "high-risk customers are reviewed quarterly" but a CRM that shows no completed reviews in eighteen months. That gap is treated as a failure of the program, not just a record-keeping error. FinCEN's examination authority under the Bank Secrecy Act extends to all registered MSBs, regardless of whether the business also holds a state MTL or a federal banking charter.

The OFAC layer adds a separate obligation. Sanctions screening is not part of the BSA/AML examination, but OFAC conducts its own civil enforcement reviews. A VASP that fails to screen wallet addresses against the SDN list – and particularly one that processes transactions from jurisdictions subject to comprehensive sanctions – faces potential strict-liability exposure. The two programs run in parallel, and a single transaction can trigger findings under both.

The process bridge from registration to examination typically begins with a document request letter, followed by an on-site or virtual examination period, a preliminary findings conference, and a formal response window. The timeline from notice to final report varies, but operators we advise plan for a multi-month process. Every day of that window is an opportunity to remediate – but only if the business acts immediately and strategically.

To assess your federal AML program posture before an examination notice arrives, contact OBOLUS at info@oboluslaw.com. The process above describes the standard path. Your facts – the entity structure, the user base geography, the product mix – change the risk profile significantly.

State MTL Examination Authority: Fifty Regulators, One Business

State money-transmitter examination is not a formality that follows federal clearance. Each state regulator – New York's NYDFS, California's DFPI, Texas's Department of Banking and others – holds independent authority to examine any licensee for AML program adequacy, consumer protection compliance and financial condition. A business that has resolved a FinCEN matter may still face open state examination proceedings.

NYDFS is the most demanding. Its BitLicense regime applies to businesses engaging in virtual-currency business activity with New York residents, and NYDFS examiners apply standards that, in practice, often exceed the federal floor. They expect real-time transaction monitoring, documented model-validation records for any automated screening system, and a designated compliance officer with demonstrable expertise – not simply a title. We have seen NYDFS findings issued for "inadequate" transaction-monitoring thresholds even where the federal examination produced no comparable deficiency.

Multi-state operators face a coordination problem. A single transaction can fall within the examination jurisdiction of multiple states if the originator and beneficiary reside in different states or if the business's infrastructure routes through a third state. The AML program must account for this explicitly. A program written to satisfy the lowest-common-denominator state standard will not survive a NYDFS or Illinois examination.

State examinations follow a broadly similar procedural structure to federal ones: document request, information production, field work, preliminary findings and a response period. The response period is critical. Regulators generally expect a written remediation plan, not just a rebuttal. A plan that identifies root causes, assigns ownership and sets measurable milestones is treated materially differently from one that disputes findings without committing to change.

What Regulators Actually Examine in a Crypto AML Audit

An AML audit of a crypto business covers five core areas, each with a distinct evidence burden. Understanding what examiners request – and what the gap between policy and practice looks like to them – is the first step in an effective defence.

  • The written AML program: Does it address virtual-asset-specific risks? Is it dated, board-approved and current? Does it reflect the actual product set?
  • Customer due diligence and KYC: Are onboarding files complete? Are enhanced due diligence triggers documented and consistently applied? Are politically exposed persons identified and risk-rated?
  • Transaction monitoring: Are the monitoring rules calibrated to the business's risk profile? Are alerts reviewed and dispositioned with documented rationale? Are rule changes logged and tested?
  • Suspicious activity reporting (SARs): Is there a written SAR policy? Are filing decisions documented, including decisions not to file? Are SAR files complete and timely?
  • The Travel Rule: Does the business have a technical solution in place? Are counterparty VASP relationships vetted? Are unhosted wallet transactions handled per policy?

In our cross-border practice, the Travel Rule gap is the most common acute finding for internationally structured businesses. A business that collects originator and beneficiary data but fails to transmit it to the receiving VASP – or fails to retain it where transmission is not possible – has a Travel Rule violation regardless of how strong its KYC program is. The two obligations are legally separate.

How Does the Travel Rule Apply to a US-Licensed VASP?

The Travel Rule, as implemented in the United States under the Bank Secrecy Act, requires any financial institution – including a registered MSB – to pass originator and beneficiary information along with certain fund transfers above the applicable threshold. FinCEN has extended this principle to virtual-asset transfers through interpretive guidance, and the expectation has hardened considerably in recent examination cycles.

The practical compliance challenge is counterparty identification. When the receiving institution is another regulated VASP, the transferring business must identify it and transmit the required data. When the destination is an unhosted wallet – a wallet not held at a regulated institution – the compliance posture depends on risk categorisation, enhanced due diligence and, in some cases, transaction limits or enhanced monitoring. FinCEN has not finalised its unhosted-wallet rule, but examination practice has moved ahead of the formal rulemaking.

Cross-border transfers add complexity. A US-registered business sending assets to a recipient at a non-US VASP must comply with US Travel Rule obligations on the sending side and satisfy the receiving jurisdiction's requirements on receipt. Where the receiving jurisdiction applies a lower threshold or a different data standard, the US sender must still meet the higher US standard. In our practice, we routinely advise businesses operating on the US-EU corridor to build their compliance stack to the more demanding standard, whichever side that falls on in a given transaction.

The technical solution matters. A business that relies on manual Travel Rule data collection is likely to produce findings at examination. Automated solutions – whether a VASP messaging protocol or an API integration with a compliance platform – must be configured correctly and validated against actual transaction flows, not just tested on synthetic data.

Cross-Border Interaction: Banking, Tax and the Multi-Jurisdiction Operator

For a business that operates across borders – a common-law holding company with a US MSB registration, a European operating entity, and banking relationships in multiple jurisdictions – the US AML examination reaches further than many operators expect. FinCEN can examine the US entity's program even where the customer-facing activity is conducted by a non-US affiliate, if the US entity touches the transaction flow.

Banking relationships amplify the risk. US correspondent banks – the institutions that provide dollar-clearing services to non-US crypto businesses – conduct their own AML due diligence on their VASP clients. A regulatory finding against the US entity, even one that is resolved without penalty, can trigger a correspondent bank's internal review and, in the worst case, a decision to exit the relationship. Operators we advise in this position understand that the reputational consequence of a finding often lands before the formal enforcement consequence.

Tax interaction is a separate but related layer. The IRS treats virtual assets as property, and businesses that move assets across borders must consider both the US tax reporting obligations on the transactions themselves and the FBAR/FATCA reporting obligations on foreign accounts. An AML examination that surfaces unreported foreign account relationships creates secondary exposure to the IRS and, in egregious cases, to the Department of Justice. We map the AML, tax and banking layers as a single connected stack – because regulators increasingly treat them that way.

If a prior examination stalled your banking relationship or surfaced a compliance gap, a structured second read can identify the path forward. Contact OBOLUS at info@oboluslaw.com – our disputes and compliance desks work the problem together.

Micro-Matter: Multi-Regulator Examination Defence

In a recent matter, an exchange holding registrations in multiple US states received simultaneous examination notices from a state regulator and a federal agency, both focused on transaction-monitoring adequacy. The business had a written program but had not updated its monitoring rules following a product expansion eighteen months earlier. The gap between the current product set and the documented risk assessment was the central finding in both examinations. We coordinated the document production across both regulatory tracks, drafted the remediation plan addressing root-cause analysis, rule recalibration and ongoing testing protocols, and managed the response timelines so that concessions made to one regulator did not create adverse admissions before the other. Both matters were resolved without civil money penalties. The business retained its licences and its primary banking relationships.

What Are the Most Common Mistakes in an AML Audit Response?

The most damaging mistake in an AML audit response is over-disclosure. Businesses that respond to document requests by producing everything in their files – including internal gap analyses, draft policies and communications that pre-date remediation – hand the examiner a roadmap to additional findings. The document request defines the scope of production; legal advice should define what is produced and how it is characterised.

The second common mistake is under-resourcing the remediation. Regulators do not close findings on a written promise alone. They expect evidence – updated procedures, re-trained staff, recalibrated monitoring rules, tested SAR workflows. A response that commits to remediation but does not demonstrate it within the response period is treated as incomplete, and the matter remains open. Open matters are harder to manage and harder to explain to banking partners.

The third mistake is treating the state and federal tracks as independent. In our practice, we have seen businesses make representations to a state regulator about the scope of their product that were inconsistent with representations made to FinCEN. Both regulators communicate. Inconsistencies become independent findings. A coordinated response strategy – one that accounts for both tracks simultaneously – is not optional for multi-jurisdictional operators.

A common assumption in this space is that a single offshore licence is sufficient to serve US-based clients without triggering US regulatory jurisdiction. That assumption is incorrect. The US applies regulatory jurisdiction based on the location of the customer and the nature of the activity, not solely on the location of the entity. A business structured offshore that accepts US customers into a crypto exchange or stablecoin redemption product is likely operating as an unregistered MSB under US law and is exposed to FinCEN enforcement, OFAC action and, depending on the asset, SEC or CFTC jurisdiction – without the procedural protections that a licensed entity would have in an examination.

Self-Assessment: Is Your AML Program Examination-Ready?

The following questions reflect the core areas a US regulator will assess. A "no" or "unsure" answer to any of them is a gap that should be closed before an examination notice arrives.

  • Is your written AML program dated within the last twelve months and approved by a senior officer or the board?
  • Does the program explicitly address your current product set, including any products added since the last review?
  • Are your transaction-monitoring rules documented, with a written rationale for each threshold?
  • Is there a log of all alert dispositions, including the analyst's rationale for closing without a SAR filing?
  • Do you have a Travel Rule solution in production, and is it validated against live transaction data?
  • Are your counterparty VASP due diligence files current and stored in a retrievable format?
  • Is your OFAC screening applied at onboarding and on an ongoing basis as sanctions lists update?
  • Is your MLRO (money-laundering reporting officer) a named individual with documented authority and adequate resources?

If the answer to more than two of these questions is "no" or "unsure," the program is likely to produce examination findings. We map the licence stack across operating, custody and payment layers before you commit to a remediation path – because the remediation path depends on the full picture, not just the finding in front of you.

Related at OBOLUS

FAQ

What does the Travel Rule require from a VASP?

The Travel Rule requires a VASP to collect and transmit originator and beneficiary identifying information alongside a virtual-asset transfer above the applicable threshold. In the United States, this obligation applies under the Bank Secrecy Act to registered MSBs. The transmitting institution must identify the receiving institution and send the required data; where the receiving institution is an unhosted wallet, enhanced due diligence and risk-based controls apply. Non-compliance is treated as an AML program deficiency at examination.

Who must act as MLRO for a crypto firm?

US regulators expect the AML compliance function to be led by a designated compliance officer with demonstrable qualifications and sufficient authority and resources to act independently. There is no universal US title of "MLRO," but FinCEN and state regulators – particularly NYDFS – assess whether the compliance officer role is genuinely empowered or merely nominal. The individual must have direct access to the board or senior management, documented authority to file SARs, and adequate staffing to execute the program. Outsourced compliance functions are permissible but carry additional oversight obligations for the licensee.

How do regulators audit crypto AML programs?

US regulators audit crypto AML programs by reviewing the written program against the actual product set, testing transaction-monitoring logic against live transaction data, sampling alert dispositions and SAR filing decisions, and interviewing the compliance officer. State regulators such as NYDFS may also conduct targeted examinations focused on a single risk area – for example, Travel Rule compliance or sanctions screening. The examination typically concludes with a preliminary findings letter; the business has a response window to address findings and demonstrate remediation before a final report issues.

OBOLUS is an independent digital-asset law boutique acting only for businesses. We advise exchanges, custodians, token issuers and funds on licensing across 70+ jurisdictions, on disputes and on-chain asset recovery across 25+ forums, and on the tax, banking and compliance obligations that surround them. Digital assets are the entirety of our practice. Operators we advise routinely present a complete, validated compliance file before examination notices arrive – because the time to build the program is before the regulator asks for it. To discuss your situation, contact info@oboluslaw.com.

By Victor Olsen, Regulatory & Compliance Analyst – specialising in AML program design, examination defence and Travel Rule implementation for US-registered and cross-border virtual-asset businesses.

This publication is general information about the law and does not constitute legal advice. It is not a substitute for advice tailored to your circumstances. OBOLUS accepts no liability for action taken or not taken on the basis of this material. For advice on your situation, contact info@oboluslaw.com.

Tell us the task — we'll map your options in 30 minutes.

Fixed-fee packages with defined scope and SLAs. The first call is free and under NDA. Business clients only.

Map your optionsinfo@oboluslaw.com · t.me/oboluslaw · reply < 2 hours