What Does a Crypto AML Compliance Program Include?
If you are launching a crypto business in 2026, one of the first questions you will face is: what does a crypto AML compliance program include? The answer is not a single document but a comprehensive framework of policies, procedures, and systems designed to prevent money laundering and terrorist financing. Regulators across Europe and beyond now require licensed crypto-asset service providers (CASPs) to implement a strong AML program that covers everything from customer due diligence to suspicious transaction reporting.
This guide breaks down every component of a crypto AML compliance program, drawing on the latest regulatory standards under MiCA and national regimes like Estonia, Lithuania, and Panama. Whether you are applying for a Lithuania crypto license or exploring Panama as a cost-effective alternative, understanding these requirements is essential. Consulting24 has helped over 500 crypto firms build compliant programs. Here is what you need to know.
1. Overview: What Is a Crypto AML Compliance Program?
A crypto AML compliance program is a documented set of internal policies, controls, and procedures that a crypto business implements to comply with anti-money laundering regulations. It is not optional: every regulated crypto exchange, wallet provider, or custodian must have one. The program covers how the business identifies customers, monitors transactions, reports suspicious activity, and trains staff. In 2026, the EU's MiCA regulation sets a harmonised standard, while non-EU hubs like Panama offer their own frameworks.
Key elements include a written AML policy, a risk assessment, customer due diligence (CDD) procedures, transaction monitoring systems, record-keeping, and a suspicious transaction reporting (STR) process. The program must be approved by senior management and reviewed regularly. Without a compliant program, you cannot obtain or maintain a crypto license in most jurisdictions.
2. Who Needs a Crypto AML Compliance Program?
Any entity that provides crypto-asset services as defined by local law needs an AML compliance program. This includes exchanges, custodial wallet providers, crypto ATMs, and brokers. In the EU under MiCA, the scope covers 15 service categories, including custody, exchange, transfer, and advisory services. Even if you are a decentralised finance (DeFi) project that touches fiat or regulated tokens, you may fall under AML obligations.
Founders often ask: does a small startup need the same program as a large exchange? Yes, the requirements are proportional to risk, but the core components are the same. Regulators expect a risk-based approach, meaning you can scale controls to your business size, but you cannot skip any element. Consulting24 advises clients to build a program that meets the highest standard from day one, as it saves time and cost later.
3. License Type and Regulator
The specific requirements for your AML program depend on your license type and regulator. In the EU, MiCA designates national competent authorities (NCAs) to supervise CASPs. For example, in Lithuania, the Bank of Lithuania oversees crypto license holders. In Estonia, the Financial Intelligence Unit (FIU) was the regulator, but as of 2026, the role has shifted to the Estonian Financial Supervision Authority (EFSA) under MiCA harmonisation. Each regulator publishes guidelines on what an AML program must contain.
For Panama, the regulator is the Superintendencia de Bancos de Panamá (SBP) for crypto activities that fall under banking or securities law, though Panama's crypto law is still evolving. Consulting24 delivers direct license support in Estonia, Lithuania, and Panama, and coordinates with local regulators in other jurisdictions. Always check the specific regulator's requirements for your target market.
4. Cost and Timeline of Building an AML Program
| Component | Estimated Cost (EUR) | Timeline |
|---|---|---|
| AML policy document drafting | 2,000 - 5,000 | 1-2 weeks |
| Risk assessment | 1,000 - 3,000 | 1 week |
| KYC/KYB procedures implementation | 3,000 - 8,000 | 2-4 weeks |
| Transaction monitoring system setup | 5,000 - 15,000 | 4-8 weeks |
| Staff training program | 1,000 - 3,000 | 1 week |
| Independent audit (optional but recommended) | 3,000 - 7,000 | 2-3 weeks |
| Total (typical range) | 15,000 - 41,000 | 6-12 weeks |
These figures are estimates. Exact pricing depends on your business model, complexity, and chosen vendors. Consulting24 can provide a tailored quote after a free consultation. For Panama company setup, the flat fee is EUR 6,000, which includes basic AML documentation.
5. Capital Requirements for AML Compliance
AML compliance does not have a direct capital requirement, but the underlying crypto license does. Under MiCA, capital requirements are tiered: EUR 50,000 for simple services like custody, EUR 125,000 for exchange services, and EUR 150,000 for more complex activities like trading on own account. These funds must be held as own funds and are separate from operational costs. In Panama, there is no statutory minimum capital for crypto companies, but the regulator may expect a reasonable amount based on risk.
You should budget for compliance software, legal advice, and potential fines for non-compliance. A well-funded compliance function is not just a regulatory necessity but a competitive advantage. Consulting24 helps clients structure their capital allocation to meet both license and AML requirements efficiently.
6. Tax Treatment of AML Compliance Costs
AML compliance costs are generally deductible as business expenses for corporate tax purposes. This includes fees for policy drafting, software subscriptions, staff training, and external audits. In Lithuania, the corporate income tax rate is 15% (or 5% for small companies), and these costs reduce taxable profit. In Estonia, corporate tax is 20% on distributed profits, so compliance costs are not immediately deductible but reduce retained earnings. Panama has a territorial tax system: income earned outside Panama is not taxed, and local expenses are deductible against local income.
Always consult a tax advisor in your jurisdiction. Consulting24 can recommend local tax partners to ensure you optimise your tax position while staying compliant.
7. Allowed Activities Under a Crypto AML Program
An AML compliance program does not define which activities you can perform; that is determined by your license scope. However, the program must cover all activities you are licensed for. For example, if you hold a Lithuania crypto license for exchange and custody, your AML program must address both. Common covered activities include:
- Exchange between crypto and fiat currency
- Exchange between one or more crypto-assets
- Custody and administration of crypto-assets on behalf of clients
- Transfer services (sending/receiving crypto)
- Execution of orders on behalf of clients
- Placing of crypto-assets
- Receiving and transmitting orders
- Advice on crypto-assets
Each activity may have specific AML risks. For instance, transfer services require special attention to travel rule compliance. Your program must detail controls for each activity type.
8. Step-by-Step Process to Build Your AML Program
- Appoint an AML Officer: Designate a person responsible for AML compliance, usually a senior manager or a dedicated compliance officer.
- Conduct a Business Risk Assessment: Identify and document the money laundering and terrorist financing risks specific to your business, customers, and geographic exposure.
- Draft an AML Policy: Write a comprehensive policy that includes CDD procedures, ongoing monitoring, record-keeping, and reporting obligations.
- Implement KYC/KYB Procedures: Set up identity verification for individuals (KYC) and businesses (KYB), including beneficial ownership checks.
- Deploy Transaction Monitoring: Use software to detect unusual or suspicious transactions based on rules and thresholds.
- Establish Reporting Channels: Create a process to file suspicious transaction reports (STRs) with the local FIU.
- Train Staff: Provide initial and ongoing AML training to all employees.
- Review and Update: Regularly review the program and update it based on regulatory changes or new risks.
Consulting24 can manage this entire process for you, from drafting to implementation. Contact us to get started.
9. Banking and Payments for AML Compliance
A critical component of your AML program is how you handle banking and payments. You need a corporate bank account to receive client funds (if you deal in fiat) and to pay operational costs. Many banks are wary of crypto businesses, so you must demonstrate a strong AML program to open an account. Your program should include procedures for verifying source of funds, monitoring fiat transactions, and reporting suspicious activity to the bank.
In Lithuania and Estonia, several banks accept crypto clients with proper compliance. Panama also has a growing number of crypto-friendly banks. Consulting24 assists clients in preparing the necessary documentation to open bank accounts, including a summary of your AML program. Without a bank account, your license may be unusable.
10. Benefits of a Strong AML Compliance Program
- Regulatory Approval: A strong program is essential for obtaining and retaining a crypto license.
- Trust and Reputation: Clients and partners prefer businesses that take compliance seriously.
- Reduced Risk of Fines: Non-compliance can result in penalties up to 10% of annual turnover under MiCA.
- Access to Banking: Banks are more willing to work with compliant firms.
- Competitive Advantage: Many crypto businesses cut corners; a strong program sets you apart.
Investing in AML compliance is not just a cost but a strategic move. Consulting24 has seen clients who prioritise compliance grow faster because they attract institutional investors and partners.
11. Compliance and Trust: Staying Ahead of Regulators
Compliance is not a one-time task. Regulators increasingly use data-driven supervision, so your program must evolve. In 2026, the European Banking Authority (EBA) and national regulators conduct regular inspections. You should expect on-site visits and requests for documentation. Your AML officer must be prepared to explain your risk assessment and controls.
Trust is built through transparency. Publish a summary of your AML policy on your website, if allowed by your regulator. Use certified AML software that is regularly audited. Consulting24 offers ongoing compliance monitoring services to keep your program up to date. Note: This is general guidance, not legal advice. Always consult a qualified lawyer for your specific situation.
12. Common Mistakes in Crypto AML Programs
- Copying a Template: Regulators expect a program tailored to your business. Generic templates are often rejected.
- Ignoring Travel Rule: For transfers over EUR 1,000, you must collect and share sender and beneficiary information.
- Inadequate Risk Assessment: A superficial risk assessment is a red flag. You must analyse specific threats, like privacy coins or high-risk jurisdictions.
- Poor Record-Keeping: Records must be kept for at least 5 years (8 years in some jurisdictions). Use secure, immutable storage.
- No Independent Review: Many regulators require an annual independent audit of your AML program.
Avoid these pitfalls by working with experts. Consulting24 has corrected dozens of deficient programs for clients who initially tried to do it alone.
13. Alternatives and Comparison: Panama vs. Lithuania vs. Estonia
When choosing a jurisdiction for your crypto license, consider the AML program requirements. Panama offers a flat fee of EUR 6,000 for company setup and a lighter regulatory touch, but its crypto law is less developed. Lithuania and Estonia are fully MiCA-compliant, with clear requirements and a track record of licensing. Estonia was one of the first to regulate crypto, but its regime has tightened. Lithuania is now the most popular EU hub for crypto licensing.
Compared to other jurisdictions like Malta or Switzerland, Panama is more cost-effective and faster to set up. However, if you need to serve EU clients, a Lithuanian or Estonian license is more credible. Consulting24 can help you compare and choose the best fit for your business model.
14. Why Choose Consulting24 for Your AML Compliance?
Consulting24 (X24Consulting OU, Tallinn, Estonia) has obtained over 500 crypto licenses across multiple jurisdictions. We deliver directly in Estonia, Lithuania, and Panama, and advise and coordinate in all other jurisdictions. Our team includes former regulators, compliance officers, and legal experts who understand what regulators expect. We do not use templates; we build custom AML programs for each client.
Our services include AML policy drafting, risk assessment, KYC/KYB implementation, transaction monitoring setup, and staff training. We also assist with bank account opening and ongoing compliance support. Contact us on WhatsApp or book a consultation to discuss your project. Let us help you build a compliance program that works.
Frequently asked questions
What is the first step in creating a crypto AML compliance program?
The first step is to appoint an AML officer and conduct a business risk assessment. This assessment identifies the specific money laundering risks your business faces, which then informs the design of your policies and controls.
Do I need an AML program for a small crypto startup?
Yes, all regulated crypto businesses need an AML program regardless of size. However, you can apply a risk-based approach, meaning simpler controls may be acceptable if your risk is low. But you cannot skip any core element.
What is the cost of an AML compliance program in 2026?
Costs vary widely based on complexity. Typical ranges are EUR 15,000 to EUR 41,000 for a full program including policy, risk assessment, KYC procedures, monitoring software, and training. Consulting24 offers tailored quotes.
How long does it take to implement an AML program?
Implementation usually takes 6 to 12 weeks, depending on the scope and vendor availability. Drafting the policy and risk assessment can be done in 2-3 weeks, while setting up transaction monitoring may take longer.
What is the travel rule and how does it affect my AML program?
The travel rule requires that for crypto transfers over EUR 1,000, you collect and transmit sender and beneficiary information. Your AML program must include procedures to comply with this, often through specialised software.
Can I use a template for my AML policy?
Using a generic template is risky. Regulators expect a policy tailored to your specific business model, risk profile, and jurisdiction. A template may miss key elements and lead to rejection or fines.
What records must I keep as part of AML compliance?
You must keep all CDD records, transaction data, and suspicious transaction reports for at least 5 years (8 years in some jurisdictions). Records should be stored securely and be readily accessible to regulators.
Do I need an independent audit of my AML program?
Many regulators require an annual independent audit of your AML program. Even if not mandatory, it is best practice and strengthens your compliance posture. Consulting24 can recommend qualified auditors.
How does Panama compare to EU jurisdictions for AML compliance?
Panama has a lighter regulatory framework and lower setup costs (EUR 6,000 flat fee), but its crypto law is less defined. EU jurisdictions like Lithuania offer more regulatory clarity and are better for serving European clients.
What happens if my AML program is found deficient?
Regulators can impose fines, suspend or revoke your license, and even bring criminal charges. Deficiencies can also harm your reputation and banking relationships. It is critical to get it right from the start.
Official sources
Related jurisdictions
Talk to a crypto-licensing expert
500+ licenses across Estonia, Lithuania, Panama and beyond. Tell us your model and we'll map the right route — honestly.
💬 Talk to an expertFree consultationGeneral guidance, not legal advice. Rules and fees evolve — we confirm current requirements for your case.