California Criminal Defense, Cryptocurrency, Immigration And Personal Injury Legal Blog


KYC and AML requirements for crypto startups: Legal Basics Before Launch

Posted by Bulldog Law | Jun 29, 2026


KYC and AML requirements for crypto startups should be addressed before a product goes live, not after the first account freeze, bank rejection, subpoena, tax inquiry, or fraud complaint. A California crypto startup may need to evaluate federal Bank Secrecy Act obligations, FinCEN money services business rules, OFAC sanctions screening, state licensing, tax reporting, fraud controls, and criminal exposure before accepting users or moving customer funds.

Not every crypto project has the same compliance duties. A non-custodial software tool, token issuer, centralized exchange, hosted wallet, payment processor, DeFi front end, staking service, kiosk operator, or OTC desk may face different rules. The legal analysis depends on what the startup actually does, who controls assets, whether value is accepted and transmitted, whether California residents are served, and whether the business is operating in the United States.

KYC and AML requirements for crypto startups: who may be covered?

Under FinCEN guidance, a person who only uses convertible virtual currency to buy goods or services is generally not treated as a money services business for that activity alone. A business that accepts and transmits convertible virtual currency, or buys and sells it as a business, may be treated as a money transmitter unless an exemption or limitation applies.

Crypto startups that may need AML review include:

  • Centralized exchanges
  • Hosted wallet providers
  • Crypto payment processors
  • OTC trading desks
  • Crypto kiosks and ATMs
  • Stablecoin or token redemption platforms
  • Custodial staking services
  • Platforms that move customer funds between wallets, chains, or counterparties

Founders should avoid assuming that calling a product “decentralized,” “peer-to-peer,” “self-custody,” or “software only” resolves the issue. Regulators and prosecutors usually look at function, control, custody, marketing, and transaction flow rather than labels.

KYC and AML requirements for crypto startups before onboarding users

KYC means “know your customer.” In crypto, it usually refers to procedures for collecting and verifying customer information, understanding account purpose, screening for sanctions and fraud risk, and monitoring transactions. AML means “anti-money laundering,” which refers to controls designed to prevent, detect, report, and respond to illicit finance.

A startup's onboarding process may need to address:

  • Customer name, address, date of birth, and identifying information
  • Business entity verification and beneficial ownership information
  • Document verification and fraud checks
  • Sanctions screening against restricted persons, regions, and entities
  • Wallet risk screening and blockchain analytics
  • IP address, device, geolocation, and VPN risk indicators
  • Source-of-funds and source-of-wealth questions for higher-risk users
  • Enhanced review for politically exposed persons or high-risk jurisdictions

Customer identification procedures should match the startup's risk. A low-risk analytics product may not need the same controls as a custodial exchange. A platform that accepts customer assets, processes withdrawals, supports high-risk tokens, or serves users across borders will usually need a more formal compliance program.

Core AML program elements before launch

A covered money services business generally needs a written AML program that is reasonably designed to prevent the business from being used for money laundering or terrorist financing. For crypto startups, that program should be operational, not just a policy document saved in a folder.

Core AML program elements often include:

  • A written risk assessment
  • Internal policies and procedures
  • A designated compliance officer
  • Employee training
  • Independent testing or review
  • Suspicious activity monitoring and escalation
  • Recordkeeping procedures
  • Sanctions screening and wallet monitoring
  • Procedures for subpoenas, law enforcement requests, and account holds

Startups should also decide who has authority to freeze accounts, reject transactions, file reports, contact law enforcement, and communicate with users. Weak escalation procedures can create serious problems when a fraud victim, bank, regulator, or investigator asks why suspicious transactions were allowed to continue.

Transaction monitoring and crypto red flags

Crypto transaction monitoring should focus on the startup's actual risk profile. Some risks appear through account behavior. Others appear on-chain through wallet histories, mixers, bridges, darknet exposure, ransomware indicators, phishing wallets, sanctioned addresses, or rapid movement through multiple assets.

Red flags may include:

  • New accounts receiving large deposits followed by immediate withdrawals
  • Repeated transactions just below internal review thresholds
  • Use of mixers, tumblers, or high-risk bridges
  • Deposits from wallets tied to hacks, scams, or ransomware
  • Multiple accounts using shared devices, IP addresses, or identity documents
  • Customers who refuse to explain source of funds
  • False invoices, fake employment documents, or altered screenshots
  • Transactions involving sanctioned regions, blocked persons, or high-risk exchanges
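
Two of these red flags, repeated transactions just below an internal review threshold and a new account's large deposit followed by immediate withdrawal, can be expressed as monitoring rules. The sketch below is an added example, not code from this article or from any compliance vendor. The threshold, band, window and ratio values are hypothetical internal policy settings, and the account and transaction records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical internal policy values (assumptions, not legal or regulatory figures).
REVIEW_THRESHOLD = 10_000                        # manual-review trigger, USD equivalent
NEAR_BAND = 0.10                                 # "just below" = within 10% under it
NEAR_COUNT, NEAR_WINDOW = 3, timedelta(days=7)   # 3+ such transactions in 7 days
NEW_ACCOUNT_AGE = timedelta(days=14)             # account counts as "new" this long
LARGE_DEPOSIT, FAST_EXIT, EXIT_RATIO = 5_000, timedelta(hours=24), 0.9

# Constructed sample data: account id -> opening date, then (account, time, kind, amount).
ACCOUNTS = {"acct-A": datetime(2025, 1, 10), "acct-B": datetime(2026, 6, 1),
            "acct-C": datetime(2025, 3, 1)}
TXS = [
    ("acct-A", datetime(2026, 6, 1, 9), "deposit", 9_500),
    ("acct-A", datetime(2026, 6, 3, 9), "deposit", 9_800),
    ("acct-A", datetime(2026, 6, 5, 9), "deposit", 9_200),
    ("acct-B", datetime(2026, 6, 3, 10), "deposit", 40_000),
    ("acct-B", datetime(2026, 6, 3, 14), "withdrawal", 39_500),
    ("acct-C", datetime(2026, 6, 2, 12), "deposit", 9_900),
    ("acct-C", datetime(2026, 6, 20, 12), "withdrawal", 1_000),
]

def near_threshold_alerts(txs):
    """Accounts with NEAR_COUNT+ transactions just under the review threshold in one window."""
    times = defaultdict(list)
    for acct, ts, _kind, amount in txs:
        if REVIEW_THRESHOLD * (1 - NEAR_BAND) <= amount < REVIEW_THRESHOLD:
            times[acct].append(ts)
    alerts = set()
    for acct, stamps in times.items():
        stamps.sort()
        for first, last in zip(stamps, stamps[NEAR_COUNT - 1:]):
            if last - first <= NEAR_WINDOW:
                alerts.add(acct)
    return sorted(alerts)

def fast_exit_alerts(txs, accounts):
    """New accounts whose large deposit is mostly withdrawn again within FAST_EXIT."""
    alerts = set()
    for acct, ts, kind, amount in txs:
        if kind != "deposit" or amount < LARGE_DEPOSIT or ts - accounts[acct] > NEW_ACCOUNT_AGE:
            continue
        out = sum(a for ac, t, k, a in txs
                  if ac == acct and k == "withdrawal" and ts <= t <= ts + FAST_EXIT)
        if out >= EXIT_RATIO * amount:
            alerts.add(acct)
    return sorted(alerts)
```

On the sample data, `acct-A` trips the near-threshold rule and `acct-B` the fast-exit rule, while `acct-C` (one near-threshold deposit on an established account) trips neither. An alert is a reason to escalate for review, not a conclusion about the customer.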

When suspicious activity appears, the startup should preserve records and follow its escalation process. The same transaction history that creates AML concern may later become evidence in crypto money laundering cases or a federal crypto wire fraud investigation.

Sanctions screening and blocked wallet risks

OFAC sanctions compliance is separate from AML, but the two often overlap. A crypto startup should consider whether customers, counterparties, wallet addresses, jurisdictions, exchanges, and smart contracts create sanctions risk. OFAC has made clear that sanctions compliance applies to virtual currency transactions as well as fiat currency transactions.

A startup may need controls for:

  • Screening customers and beneficial owners
  • Screening wallet addresses before deposits or withdrawals
  • Detecting high-risk jurisdiction indicators
  • Blocking or rejecting prohibited transactions when required
  • Documenting sanctions alerts and resolutions
  • Filing required reports or seeking guidance when appropriate

Sanctions mistakes can lead to account freezes, rejected banking relationships, regulatory inquiries, and enforcement exposure. A startup should not wait until a listed wallet, ransomware payment, or prohibited counterparty appears in the transaction history.

Tax reporting, staking, and DeFi product design

KYC and AML planning should connect with tax reporting. Customer records, wallet histories, transaction ledgers, reward calculations, and cost basis data may all matter when users, the IRS, or state tax agencies request information. A startup that cannot produce reliable records may face user complaints, audits, and business disruption.

If the IRS contacts a founder or platform about digital asset activity, a documented crypto tax audit defense strategy may be needed to reconcile exchange records, wallet activity, customer data, and business books.

Product design matters. A custodial staking product may raise issues involving taxable staking rewards, while swaps, lending, liquidity pools, yield farming, and wrapped assets can create DeFi tax reporting problems. Compliance planning should address what records the platform will collect, how rewards will be calculated, and what users can download at tax time.

Fraud prevention as part of KYC and AML controls

Fraud controls are not just customer service. They can affect AML obligations, banking relationships, civil claims, and criminal exposure. Crypto startups should design systems to detect scams, account takeover, wallet drainers, fake exchange behavior, and suspicious withdrawal patterns before customer funds disappear.

Fraud controls may include:

  • Withdrawal delays for new devices or changed credentials
  • Risk scoring for destination wallets
  • Velocity controls for deposits and withdrawals
  • Manual review for high-risk transfers
  • Customer warnings before irreversible withdrawals
  • Escalation procedures for victims and law enforcement requests
  • Preservation policies for logs, IP data, wallet addresses, and communications

Victims who try to recover stolen cryptocurrency often need fast exchange notices and transaction records. Startups that ignore reports of pig butchering crypto scams, SIM swap crypto theft, or a fake crypto exchange scam may face legal, reputational, and regulatory consequences.

Startups should also warn users about follow-up fraud. A victim who has already lost funds may be targeted by a secondary crypto recovery scam that promises special access, guaranteed recovery, or fake government assistance.

Wallet drainers, wrong-address transfers, and support records

Operational support records can become legal evidence. A startup should decide how it will respond when a customer reports a malicious approval, wrong network transfer, compromised wallet, or mistaken destination address.

A customer who loses assets through a malicious wallet drainer may need approval histories, destination addresses, timestamps, and support communications. A user who sent crypto to the wrong wallet may need deposit records, supported-chain policies, and technical recovery information.

Startups should avoid making promises they cannot keep. If recovery is impossible, support should say so carefully. If recovery may be possible, the process, fees, timing, and limitations should be documented.

Government seizure, subpoenas, and account holds

Crypto startups should have a plan for subpoenas, warrants, preservation requests, seizure warrants, forfeiture notices, and law enforcement inquiries. The team should know who reviews legal process, who preserves records, who communicates with investigators, and when outside counsel should be involved.

Questions about whether agents can seize cryptocurrency can arise quickly when a platform holds customer assets or private keys. If the government seizes Bitcoin or another digital asset, the startup may need to address custody, notice, forfeiture deadlines, customer communications, and conflicting ownership claims.

A startup should not delete logs, move assets without authority, tip off a target when prohibited, or give informal legal opinions to customers. Legal process should be handled through a documented procedure.

California licensing and launch planning

California startups must consider state law in addition to federal AML rules. Beginning July 1, 2026, certain companies engaging in digital financial asset business activity with or on behalf of California residents must be licensed by the California Department of Financial Protection and Innovation or have submitted a completed application, unless an exemption or other rule applies.

Activities that may require California licensing analysis include exchanging, transferring, storing, administering, or providing custody of digital financial assets for California residents. Crypto kiosk operators may face additional requirements. A startup should evaluate state licensing early because licensing, surety, policies, financials, compliance systems, and application materials can take time to prepare.

State licensing does not replace federal AML obligations. A company may need both state licensing analysis and federal FinCEN, OFAC, tax, and law enforcement response procedures.

Where KYC and AML crypto startup issues are handled

FinCEN is part of the U.S. Department of the Treasury, 1500 Pennsylvania Avenue NW, Washington, DC 20220. FinCEN handles Bank Secrecy Act administration, MSB registration, BSA reporting systems, guidance, and certain civil enforcement issues. OFAC, also within the Treasury Department, handles sanctions compliance, reporting, licensing, and sanctions enforcement.

In California, the Department of Financial Protection and Innovation has a main office at 651 Bannon Street, Suite 300, Sacramento, CA 95811, and supervises many financial services providers. The DFPI handles digital financial asset licensing and related supervision for covered California activity. These agencies operate independently and have no affiliation with Bulldog Law.

If a matter becomes criminal, it may involve the Department of Justice, IRS Criminal Investigation, Homeland Security Investigations, the FBI, or a federal court. In Southern California, federal criminal proceedings may be handled in the United States District Court for the Central District of California, including the First Street courthouse at 350 West 1st Street, Los Angeles, CA 90012.

Pre-launch checklist for crypto founders

Before launch, founders should slow down enough to build compliance into the product. A rushed launch can create problems that are expensive to fix later.

  • Map the product's fund flow and custody model
  • Determine whether the business may be an MSB or money transmitter
  • Review California licensing requirements before serving California residents
  • Create a written risk assessment
  • Build KYC, sanctions, and transaction monitoring procedures
  • Design suspicious activity escalation and reporting workflows
  • Preserve wallet, customer, support, and transaction records
  • Prepare subpoena, seizure, and law enforcement response procedures
  • Coordinate AML controls with tax reporting and customer statement systems
  • Review marketing language for unsupported compliance claims

California lawyers for crypto startup KYC and AML requirements

KYC and AML requirements for crypto startups can affect product design, licensing, banking, tax records, customer onboarding, fraud response, sanctions screening, and criminal exposure. A startup that waits until after launch may face account freezes, user claims, regulatory demands, or law enforcement inquiries before its compliance program is ready.

Bulldog Law helps California crypto founders, businesses, and users evaluate digital asset compliance issues, fraud risks, tax concerns, exchange disputes, account freezes, and government seizure matters. The firm can review wallet flows, platform terms, compliance policies, subpoenas, transaction records, and launch plans to help identify practical legal next steps.

About the Author

We offer criminal defense, immigration, personal injury and cryptocurrency legal services in both English and Spanish. Call us at (888) 928-1609 for a free consultation.

