Crypto’s regulatory center of gravity has shifted, according to a 2026 CertiK report. The firm found that anti-money-laundering and financial-crime enforcement have overtaken securities classification disputes as the industry’s dominant legal risk, with AML fines topping $900 million in the first half of 2025 alone.
The change marks a practical reset for crypto compliance teams. Instead of treating AML as a back-office function, exchanges, custodians and stablecoin issuers now face mounting pressure to build real-time monitoring, sanctions screening and third-party controls into the core of their operating models.
Enforcement Moves From Token Status to Financial Crime
CertiK’s report points to a sharp contrast in enforcement patterns. SEC crypto penalties fell from $4.9 billion in 2024 to $142 million in 2025, while AML and financial-crime actions expanded across jurisdictions. Regulators have increasingly targeted weak KYC, sanctioned counterparties, suspicious-activity reporting failures and systemic AML control gaps.
The record is broad. Binance paid $4.3 billion in November 2023 over systemic AML control failures and SAR deficiencies. In 2025, OKX paid $504 million over unlicensed money transmission and weak KYC, KuCoin paid $297 million over unlicensed money transmission and BSA violations, and BitMEX faced $100 million and related penalties for BSA and AML violations.
The trend continued into late 2025 and 2026. Coinbase Europe Limited in Ireland was fined €21.5 million, or about $25 million, for AML/CFT transaction-monitoring breaches. Paxful received a $3.5 million FinCEN penalty for willful BSA violations in April 2026. South Korea’s Coinone was fined roughly $3.5 million and suspended for three months over AML and KYC failures. In the U.S., a sham technology company case resulted in a $330 million fine and a 12-year prison sentence tied to money laundering, while the UK FCA carried out coordinated April 2026 raids on eight locations over illegal peer-to-peer crypto trading that bypassed AML protocols.
The enforcement tone has hardened with the underlying fraud environment. The FBI’s Internet Crime Complaint Center described the period as a “golden age of online financial fraud driven by crypto,” a phrase that captures why regulators are now treating illicit-finance controls as a market-access requirement rather than a compliance formality.
Travel Rule, Stablecoins and Licensing Raise the Bar
Global policy is reinforcing the pivot. The FATF Travel Rule has become a baseline expectation for VASPs, with originator and beneficiary data transmission now a practical requirement for cross-border operations in 2026.
Legislative changes have added pressure. The U.S. GENIUS Act of July 2025 brought payment stablecoins under the Bank Secrecy Act and expanded AML obligations. In Europe, MiCA and the Anti-Money Laundering Authority, launched in July 2025, aim to harmonize AML standards across member states. The UAE strengthened its regime through Federal Decree-Law No. 10 of 2025.
The UK is also tightening its framework. The Financial Conduct Authority has increased enforcement and announced a new crypto authorization gateway, with applications scheduled from September 30, 2026, to February 28, 2027. The new regime is set to begin in October 2027.
AML compliance is now a strategic infrastructure priority. CertiK frames the required response as a combination of governance, technology and process, including board-level accountability, dynamic risk assessments, AI-driven blockchain analytics and real-time Know-Your-Transaction systems.
Third-party due diligence, enhanced KYC, CDD and EDD, secure recordkeeping and independent testing have moved from best practice to enforcement focal points. Smart-contract audits and transparent stablecoin reserves are also converging into de facto requirements for licensing, institutional access and banking relationships.
The market-access consequences are becoming clearer. Firms that invest early in transaction monitoring, sanctions screening and vendor oversight are more likely to retain banking, custody and institutional partnerships. Those that lag face de-risking, exclusion and escalating enforcement exposure as AML becomes the industry’s defining regulatory test.