For years, the SEC was the bogeyman of crypto regulation. Every week brought another enforcement action, another subpoena, another argument about whether a given token was a security. That era isn't over — but it's no longer the primary threat.
According to a new report from blockchain security firm CertiK, anti-money laundering enforcement has surpassed securities cases as the top regulatory risk for crypto firms operating in the United States. U.S. AML fines reached $1.06 billion in just the first half of 2025. That's not a full-year number. That's six months.
At the same time, new Basel banking rules and mandatory audit requirements are tightening compliance obligations across the industry. And this week, Japan's Financial Services Agency, alongside three other government agencies, issued formal warnings to the country's real estate and crypto sectors, directing them to strengthen AML checks specifically around property transactions involving digital assets.
The message from regulators on both sides of the Pacific is consistent: the era of light-touch AML enforcement in crypto is over.
---
Why the Shift From SEC to AML?
The political winds around securities enforcement have shifted. Under the current U.S. administration, the SEC has pulled back from some of its more aggressive crypto cases. But that pullback hasn't translated into a regulatory holiday — it's translated into a different kind of enforcement priority.
AML is harder to argue your way out of. Securities classification debates involve legal gray areas, competing theories of what constitutes an investment contract, and genuine ambiguity about congressional intent. AML violations are more binary: either your platform has adequate know-your-customer procedures, transaction monitoring, and suspicious activity reporting, or it doesn't.
Federal prosecutors and the Financial Crimes Enforcement Network (FinCEN) have also historically operated with more independence from political cycles than the SEC. AML enforcement tends to be sticky regardless of who controls the White House.
The CertiK report notes that new Basel III-adjacent rules for banks that touch crypto are also raising the bar on what "adequate" compliance actually looks like. Banks providing services to crypto firms are under pressure to scrutinize those relationships more carefully, which trickles down into what their crypto-sector counterparts are required to document and demonstrate.
---
Japan's Property Market Warning Is a Preview of What's Coming
Japan's warning about crypto in real estate transactions is worth paying attention to because it illustrates how AML risk is expanding into new sectors — not just exchanges and wallets.
The concern is straightforward: when someone uses cryptocurrency to purchase real estate, the source of those funds is harder to verify than a bank wire with a traceable origination account. Buyers can obscure their identities through wallets, mixers, or multi-hop transfers. The property itself then becomes a cleaned asset.
Japan's four-agency warning directed both real estate firms and crypto businesses to implement stricter identity verification and fund-source documentation for property deals involving digital assets. That means the compliance obligation isn't just on crypto platforms — it's increasingly on any business that accepts crypto as consideration.
If you're a small business, a freelancer, or a professional services firm accepting cryptocurrency as payment, this trend is relevant to you. The expectation that you understand your customer and the source of their funds is migrating outward from exchanges to the broader ecosystem.
---
What This Means Practically for Crypto Users and Businesses
For exchange users: Expect more friction. Platforms under AML pressure are adding enhanced due diligence steps, particularly for larger transactions, withdrawals to unhosted wallets, and anything flagged by transaction monitoring systems. This isn't new, but the thresholds are tightening and the documentation requests are becoming more common.
For businesses accepting crypto payments: If your business takes Bitcoin, USDC, or any other digital asset as payment, you may want to think about whether you have any mechanism to document the transaction. That doesn't mean you need a full compliance department. But having a clear record of who paid you, for what, and in what amount is basic hygiene that will matter more as regulatory scrutiny expands.
For DeFi protocol operators: The Basel rules referenced in the CertiK report apply to banks, but the audit and documentation expectations are influencing how institutional counterparties evaluate which DeFi protocols they'll interact with. Protocols that can demonstrate meaningful AML controls — or that operate in regulated wrappers — are becoming more attractive to institutional capital than fully anonymous alternatives.
For self-custody users: This one is nuanced. Holding your own keys in a personal hardware wallet for personal use remains legal, and regulators have generally not targeted individual users for simply using self-custodial wallets. But the pressure on exchanges to document where funds go when they leave to unhosted wallets is intensifying. The practical effect is that moving large amounts from an exchange to cold storage may trigger additional verification requests before the exchange processes the transaction.
---
The Mandatory Audit Requirement Is the One to Watch
Buried in the CertiK report's findings is a detail that deserves more attention: mandatory audit requirements are reshaping crypto compliance obligations.
Historically, crypto firms could operate with relatively thin financial controls compared to traditional financial institutions. Third-party audits were often voluntary, proof-of-reserves disclosures were sporadic, and internal compliance teams were undersized relative to the complexity of what firms were doing.
That's changing. As regulators formalize their expectations, both through new rules and through enforcement actions that establish de facto standards, the audit requirement is becoming a baseline cost of operating in the sector. For smaller firms, that's a real operational burden. For users, it's actually good news: firms that can't meet audit standards will come under increasing pressure to exit regulated markets or face enforcement.
---
The Bigger Picture
The regulatory evolution underway in crypto right now is less about whether crypto is legal and more about the conditions under which it's legal to operate. Securities enforcement will continue in some form. But AML is emerging as the harder, more durable constraint — the one that doesn't depend on political appointments or interpretive disagreements about the Howey test.
The $1.06 billion in first-half 2025 AML fines is a data point, not just a headline. It tells you that regulators have found a workable legal framework for enforcement, that courts are sustaining those actions, and that the compliance bar is being raised whether the industry is ready or not.
For users, the near-term impact is mainly about friction and documentation. For businesses, the question is whether your compliance infrastructure is keeping pace with what regulators now expect. For the industry as a whole, the shift from securities-focused enforcement to AML-focused enforcement is arguably a sign of maturation — painful and expensive maturation, but maturation nonetheless.
