For years, the dominant regulatory threat in crypto was the Securities and Exchange Commission. Registration violations, unregistered securities offerings, enforcement actions against exchanges — that framing shaped how founders built, how lawyers advised, and how investors hedged. That era is not over, but it has been eclipsed.
Anti-money laundering enforcement is now the top legal risk in the crypto industry, and the gap is widening fast.
According to a new report from blockchain security firm CertiK, U.S. AML fines against crypto entities hit $1.06 billion in just the first half of 2025 — surpassing SEC penalties for the same period. Layered on top of that are incoming Basel banking standards and mandatory audit requirements that will force crypto firms to operate more like traditional financial institutions whether they want to or not.
This is not a temporary trend. It is a structural shift in how governments are choosing to fight crypto-adjacent financial crime — and the compliance infrastructure required to survive it does not resemble what most projects have built.
Why AML Enforcement Is Accelerating
The SEC's crypto enforcement model was always somewhat awkward. To bring a securities case, regulators had to argue that a given token was an investment contract — a classification that many projects disputed aggressively and courts handled inconsistently. AML cases carry no such ambiguity.
AML law applies to any entity that touches financial value transfer. If you move money — or assets that function like money — you are expected to know your customer, monitor transactions, and report suspicious activity. Blockchain transactions are pseudonymous, not anonymous, and chain analysis tools have matured to the point where regulators can trace fund flows with significant precision. That makes prosecution easier, not harder, than in traditional finance.
The pattern emerging is that regulators are increasingly treating crypto exchanges, mixers, OTC desks, and payment rails as financial intermediaries subject to the same obligations as banks — without the grace period that the industry spent a decade lobbying for.
Japan's financial regulators showed that the shift is global on April 28, when four government agencies issued a joint warning to crypto firms and real estate companies about the money laundering risks of crypto-facilitated property transactions. The directive instructs industry bodies to enforce stricter KYC and AML checks specifically when digital assets are involved in property deals, a clear signal that regulators are identifying specific sectors where crypto's transparency deficit is being exploited.
What Basel Rules and Mandatory Audits Actually Mean
The CertiK report flags two structural changes that go beyond fine totals: new Basel banking rules and mandatory audit requirements.
Basel III and emerging Basel IV frameworks are being applied, in various jurisdictions, to financial institutions that hold or transact in crypto assets. These rules impose capital requirements tied to the risk profile of digital asset holdings — which regulators classify as high-risk by default. For any institution bridging traditional finance and crypto, this raises the cost of holding digital assets on behalf of customers and could constrain which products they offer.
Mandatory audit requirements represent a parallel track. Several jurisdictions are moving toward requiring crypto exchanges and custodians to undergo third-party financial audits on a regular schedule — not the voluntary proof-of-reserve disclosures that became fashionable after FTX, but formal audits with legal accountability attached. The difference is significant. A voluntary disclosure carries no legal penalty if it turns out to be inaccurate. A statutory audit does.
Together, these changes push crypto compliance costs toward the institutional end of the scale. Firms that built lean, deliberately under-resourced compliance functions will face a choice: invest in infrastructure or face existential regulatory exposure.
The Infrastructure Gap
Here is where this becomes a technology story, not just a legal one.
Most crypto firms do not have compliance infrastructure remotely comparable to what traditional financial institutions operate. Legacy banks run sophisticated transaction monitoring systems, employ large compliance teams, file thousands of Suspicious Activity Reports annually, and maintain detailed records that satisfy regulators in dozens of jurisdictions simultaneously. The average crypto exchange is nowhere near that level of operational sophistication.
Closing that gap requires real investment in tooling: on-chain analytics, identity verification, transaction screening, sanctions list integration, automated SAR filing, and audit-ready record-keeping. Several companies — Chainalysis, Elliptic, TRM Labs, and others — have built meaningful businesses serving this need. But adoption remains uneven, and many smaller projects have treated compliance as an afterthought or a future problem.
The regulatory trajectory makes clear that it is a present problem.
There is a secondary dimension here: protocol-level compliance. Decentralized protocols have generally argued that they are not financial intermediaries — that they are software, not businesses, and therefore not subject to AML obligations. That argument is increasingly under stress. Regulators in multiple jurisdictions are testing it, and at least some enforcement actions are likely to be directed at protocol developers or front-end operators even where no centralized exchange exists. How courts ultimately resolve that tension will define whether DeFi can operate in regulated markets at all.
What This Means for Builders and Holders
If you are building in crypto, the compliance calculus has changed. Designing a product that moves value and assuming that AML obligations can be dealt with later is no longer a viable approach. The fine totals are large enough to be company-ending, and regulators have demonstrated they will pursue enforcement even against firms that did not think of themselves as financial services businesses.
For investors, the AML compliance posture of a project or exchange is now a material risk factor in the same way that smart contract audit quality has been since 2020. A firm that is under-resourced on compliance is carrying regulatory tail risk that does not show up on a balance sheet until it is too late.
The situation at Polymarket, which is currently in talks with the CFTC to reopen its main exchange to U.S. users, is instructive here. A prediction market platform that blocked U.S. users precisely because it could not satisfy regulatory requirements is now pursuing formal approval. That is what navigating the new environment looks like: proactive engagement with regulators, willingness to accept oversight, and the compliance infrastructure to back it up.
The Broader Picture
The crypto industry spent years arguing that it should be regulated differently from traditional finance because it worked differently. Regulators have spent the last two years demonstrating that they largely disagree — and that they have the enforcement tools to back their position.
AML compliance is not a crypto-specific innovation problem. The rules exist, the obligations are defined, and the technology to satisfy them is available. What has been missing is the willingness to treat compliance as a core function rather than an obstacle. That calculation is being forced by $1.06 billion in fines in the first half of 2025 alone, and the numbers are almost certainly going higher before they go lower.
