AML/KYC Requirements for Token Issuers: What the Law Actually Requires
Anti-money laundering and know-your-customer requirements are the compliance foundation for any digital asset business. This guide explains what FinCEN actually requires, when MSB registration is triggered, and how to design XRPL trust line compliance into your token issuance architecture.
This article is for informational purposes only and does not constitute financial, legal, or investment advice. Consult qualified legal counsel for compliance guidance.
The Regulatory Framework: Bank Secrecy Act and FinCEN
US anti-money laundering requirements for digital asset businesses flow primarily from the Bank Secrecy Act (BSA), which is administered by the Financial Crimes Enforcement Network (FinCEN), a bureau of the US Treasury Department. The BSA requires financial institutions to maintain anti-money laundering programs, file Suspicious Activity Reports (SARs), file Currency Transaction Reports (CTRs) for large cash transactions, and implement KYC procedures.
In 2013, FinCEN issued guidance clarifying that "administrators" and "exchangers" of convertible virtual currencies are money services businesses (MSBs) subject to BSA requirements. This guidance, along with subsequent FinCEN statements, forms the primary AML compliance framework for digital asset businesses that don't fit neatly into traditional banking or broker-dealer categories.
Who Is an MSB?
A money services business under FinCEN regulations includes any person (individual or entity) who engages as a business in one or more of these activities worth more than $1,000 per person per day:
- Dealing in currency
- Check cashing
- Issuing or selling stored value
- Money transmission — sending money from one place to another
- Currency exchange
For digital asset businesses, the critical category is typically money transmission. FinCEN has taken the position that exchanging convertible virtual currency (including XRP) for fiat currency or for other virtual currencies constitutes money transmission.
When Token Issuers Become MSBs
A pure token issuer — a company that issues tokens representing ownership interests in assets, sells them to investors, and manages the underlying assets — may not be an MSB if it is not transmitting money or exchanging currencies. This analysis depends heavily on the specifics of the business model.
However, if your business involves:
- Converting fiat to tokens (even as a convenience for investors)
- Facilitating secondary market trading between investors
- Operating a buyback or redemption program that involves currency conversion
- Handling cross-border payments
...then MSB registration with FinCEN is likely required. When in doubt, err on the side of registration.
MSB Registration Requirements
If your business is an MSB, the BSA requires:
- FinCEN registration — Register with FinCEN's BSA E-Filing system. Registration is free and relatively straightforward. You must re-register every two years
- Written AML Program — Develop a written anti-money laundering program tailored to your specific business risks. The program must be approved by senior management and provide for independent testing
- Designated Compliance Officer — Appoint a person responsible for the AML program
- Training — Train employees on your AML policies and procedures
- Customer Due Diligence (CDD) — Identify and verify the identity of customers
- SAR Reporting — File Suspicious Activity Reports for transactions suspected of involving money laundering or other financial crimes
- CTR Reporting — File Currency Transaction Reports for cash transactions exceeding $10,000
- Recordkeeping — Maintain records of transactions for specified periods
KYC Requirements in Practice
Know-your-customer (KYC) procedures are the investor-facing implementation of the AML program's identity verification requirements. For digital asset businesses, KYC typically involves:
Individual Investors
- Full legal name
- Date of birth
- Residential address
- Government-issued ID (passport, driver's license)
- Tax identification number (SSN for US persons; ITIN or foreign equivalent for non-US)
- Politically Exposed Person (PEP) and OFAC sanctions screening
Entity Investors
- Legal name and registration documents
- Beneficial ownership information — who owns 25%+ of the entity
- Authorized representative identity verification
- Principal place of business
- Tax ID / EIN
- Entity sanctions screening
XRPL Trust Line Compliance Architecture
XRPL's trust line system can be leveraged to enforce KYC/AML requirements at the token level. Here's how forward-thinking issuers are building compliance into their token architecture:
Restricted Trust Line Issuance
By default on XRPL, any account can establish a trust line to any issuer. For a compliant token offering, you need to restrict which accounts can hold your token. The mechanism:
- Set the RequireAuth flag on your issuer account — this prevents trust lines from taking effect until the issuer explicitly authorizes them
- When an investor completes KYC verification in your off-chain system, submit an AccountSet trust authorization transaction on-chain
- Only authorized trust lines can hold your token — unauthorized accounts cannot receive it
This creates a whitelist at the protocol layer. Token transfers between non-whitelisted accounts are blocked by the ledger itself, not just by application-layer enforcement. This is a more robust compliance control than many other blockchain architectures support.
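The following sketch is an added example, not code from the original article or from any XRPL library. On the ledger, RequireAuth is switched on with an AccountSet transaction (SetFlag asfRequireAuth), and each trust line is then authorized by an issuer-signed TrustSet carrying the tfSetfAuth flag. The addresses, the TKN currency code, the KYC_DB layout and the function names are assumptions made for illustration; signing and submission are left out so the block runs offline.

```python
# Added example: XRPL RequireAuth whitelist flow. Addresses and KYC records are constructed.
ASF_REQUIRE_AUTH = 2           # AccountSet SetFlag value that turns RequireAuth on
LSF_REQUIRE_AUTH = 0x00040000  # AccountRoot flag bit visible in account_info once it is on
TF_SETF_AUTH = 0x00010000      # TrustSet flag: issuer authorizes the counterparty's trust line

ISSUER = "rISSUER_PLACEHOLDER"
KYC_DB = {  # hypothetical off-chain records keyed by XRPL address
    "rHOLDER_A_PLACEHOLDER": {"kyc": "approved", "sanctions_hit": False},
    "rHOLDER_B_PLACEHOLDER": {"kyc": "pending", "sanctions_hit": False},
    "rHOLDER_C_PLACEHOLDER": {"kyc": "approved", "sanctions_hit": True},
    "rHOLDER_D_PLACEHOLDER": {"kyc": "approved", "sanctions_hit": False},
}
LINES = [  # constructed account_lines entries for the issuer; "account" is the holder
    {"account": "rHOLDER_A_PLACEHOLDER", "currency": "TKN", "authorized": True},
    {"account": "rHOLDER_C_PLACEHOLDER", "currency": "TKN", "authorized": True},
    {"account": "rHOLDER_D_PLACEHOLDER", "currency": "TKN"},  # key omitted when false
]

def is_cleared(kyc_db, holder):
    rec = kyc_db.get(holder)
    return bool(rec) and rec["kyc"] == "approved" and not rec["sanctions_hit"]

def enable_require_auth_tx(issuer):
    """One-time AccountSet; the ledger accepts it only while the issuer has no trust lines."""
    return {"TransactionType": "AccountSet", "Account": issuer, "SetFlag": ASF_REQUIRE_AUTH}

def authorize_trust_line_tx(issuer, holder, currency, kyc_db, issuer_root_flags):
    """Build the unsigned authorization, refusing unless the off-chain checks passed."""
    if not issuer_root_flags & LSF_REQUIRE_AUTH:
        raise RuntimeError("issuer account does not have RequireAuth enabled")
    if not is_cleared(kyc_db, holder):
        raise PermissionError(f"{holder} has not cleared KYC and sanctions screening")
    # In an authorization, LimitAmount.issuer names the holder being approved.
    limit = {"currency": currency, "issuer": holder, "value": "0"}
    return {"TransactionType": "TrustSet", "Account": issuer,
            "LimitAmount": limit, "Flags": TF_SETF_AUTH}

def reconcile(lines, kyc_db):
    """Compare on-ledger authorizations with the KYC database."""
    drift, pending = [], []
    for line in lines:
        cleared, authorized = is_cleared(kyc_db, line["account"]), line.get("authorized", False)
        if authorized and not cleared:
            drift.append(line["account"])    # authorized on-ledger without a valid record
        elif cleared and not authorized:
            pending.append(line["account"])  # cleared investor awaiting authorization
    return drift, pending
```

A trust line authorization cannot be withdrawn once granted, so addresses returned in `drift` (for example after a later sanctions hit) have to be handled by freezing the trust line and escalating, not by de-authorizing.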
Transfer Fee as Compliance Signal
The XRPL transfer fee mechanism can also serve compliance purposes: setting a non-zero transfer fee creates a transaction that flows through the issuer account, creating an audit trail of every secondary transfer. Combined with address verification in the issuer's database, this creates a record of economic flows between investors.
Practical Implementation Stack
| Layer | Function | Technology |
|---|---|---|
| Identity verification | Document collection and verification | Persona, Jumio, Onfido |
| Sanctions screening | OFAC/PEP/adverse media | Chainalysis, Elliptic, Comply Advantage |
| Trust line authorization | On-chain whitelist enforcement | XRPL AccountSet + TrustSet |
| Transaction monitoring | Ongoing suspicious activity detection | Chainalysis KYT, custom rules |
| SAR filing | Regulatory reporting | FinCEN BSA E-Filing |
OFAC Sanctions Compliance
Separate from FinCEN's BSA requirements, the Office of Foreign Assets Control (OFAC) administers US economic sanctions programs. OFAC compliance prohibits US persons from transacting with sanctioned individuals, entities, and jurisdictions regardless of whether fiat or digital assets are used.
For token issuers, OFAC compliance means:
- Screening all investors (individuals and entities) against the Specially Designated Nationals (SDN) list before allowing investment
- Screening the source of funds if fiat conversion is involved
- Monitoring for transactions to or from sanctioned XRPL addresses (Chainalysis and similar providers maintain updated lists of blockchain addresses linked to sanctioned parties)
- Having a process for blocking transactions involving sanctioned parties and reporting them to OFAC
OFAC enforcement in the digital asset space has been active. In 2022, OFAC sanctioned Tornado Cash, a cryptocurrency mixer, marking a significant expansion of sanctions enforcement to protocol-level infrastructure rather than just individual actors. Token issuers who handle meaningful volume should have documented OFAC compliance programs.
State-Level Money Transmitter Licenses
If your business qualifies as a money transmitter under FinCEN's definition, you may also need state-level money transmitter licenses. Most US states have separate money transmitter licensing regimes, and many explicitly require licenses for virtual currency businesses. The requirements, application procedures, and bond/net worth requirements vary significantly by state.
The multistate licensing process is administratively burdensome and expensive. Many early-stage digital asset businesses manage this by restricting their activities to states where they have obtained licenses (or where no license is required) and gradually expanding as they obtain additional licenses.
The Bottom Line for Token Issuers
AML/KYC compliance is not optional for token issuers who handle real money. The requirements are:
- Determine if your business is an MSB (and if so, register with FinCEN)
- Implement a written AML program proportional to your business risk
- Implement KYC procedures for all investors
- Screen for OFAC sanctions before and during the investor relationship
- Use XRPL's RequireAuth flag to enforce access controls at the protocol layer
- Maintain transaction monitoring and be prepared to file SARs
The compliance infrastructure exists, the third-party tools are mature, and the process is manageable for a well-organized business. The issuers who struggle with compliance are those who try to build the compliance system after the product is live. Build the compliance stack first.