Back to list

Protection against the freezing of stablecoin startup accounts

This article is a practical guide to building an AML (Anti-Money Laundering) system to protect crypto businesses from bank account closures. It is designed for founders, product managers, and heads of compliance in startups, mid-market companies, and enterprise-level organizations working with cryptocurrencies.

  • For Startups: The primary goal is to obtain and retain banking services by implementing a basic but reliable AML process.

  • For Mid-market Companies: The task involves automating and scaling compliance to reduce operational costs and risks.

  • For Enterprises: The focus shifts to optimization, reducing False Positives, and managing complex regulatory requirements across multiple jurisdictions.

    • By following this guide, you will be able to build an effective AML screening process step-by-step. A Minimum Viable Product (MVP) of such a system can be deployed in 4–8 weeks.

    Key Recommendation: Implement proactive AML screening of transactions before they are processed. To launch, you must complete three steps:

  • Select and integrate an AML provider for automated transaction analysis.

  • Develop and document an internal AML policy, including a decision matrix based on risk assessment and incident response procedures.

  • Set up manual review, escalation, and communication processes with users and banks, defining clear roles and standards (SLA).

    • Glossary of Key Terms

  • Anti-Money Laundering (AML): A set of measures aimed at preventing the use of the financial system to legalize proceeds derived from criminal activity.

  • Financial Action Task Force (FATF): An intergovernmental organization that sets international AML standards.

  • Suspicious Activity Report (SAR): An official report filed with a financial regulator upon detection of a suspicious transaction or activity.

  • Sanctioned Entity: A cryptocurrency address belonging to a person or organization on sanctions lists, such as the OFAC SDN List.

  • Mixer/Tumbler: A service that mixes transactions from different users to obscure their origin and increase anonymity.

  • Risk Score: An integral risk assessment of an address or transaction assigned by AML services on a scale (e.g., from 0 to 100).

  • False Positive Rate (FPR) / False Negative Rate (FNR): System error metrics. FPR is the share of clean transactions erroneously marked as risky; FNR is the share of risky transactions erroneously passed as clean.

    • Section 1. Legal and Regulatory Frameworks

    AML requirements vary significantly by jurisdiction. Your policy must be adapted to the laws of the countries where you operate.

    1.1. Comparison of Key Jurisdictions

    1.2. Data Storage and Protection (GDPR and Others)

    Compliance data storage is regulated by both AML laws and personal data protection standards (e.g., GDPR in the EU).

  • Retention Periods: AML data must be kept for the statutory period (usually 5 years after the end of the business relationship), even if the user requested deletion under the GDPR “Right to be Forgotten.” This is a lawful basis for data processing.

  • Data Transfer: When transferring personal data from the EU to other jurisdictions (e.g., when using a US-based AML provider), legal mechanisms such as Standard Contractual Clauses (SCC) must be used.

  • Technical Security Measures:
    ul>
    li>Encryption in-transit: Use TLS 1.2+ for all API communications.

  • Encryption at-rest: Data in databases (compliance logs, reports) must be encrypted using robust algorithms (e.g., AES-256).

  • Pseudonymization: Limit analyst access to direct user identifiers (email, name), replacing them with pseudonyms where possible.

    • Section 2. Selection and Calibration of AML Tools

    AML providers are powerful tools that require the right selection, configuration, and understanding of their limitations.

    2.1. Provider Selection Recommendations

    2.2. Cost Estimation (Total Cost of Ownership, TCO)

    The budget for AML tools depends on the provider's pricing model and your transaction volume.

  • Pay-per-API-call: Ranges from $0.01 to $0.05 per address check. Suitable for startups with small and unpredictable transaction volumes.

  • Monthly/Annual Subscription: Costs range from $1,000 to $10,000+ per month depending on the number of transactions, monitored addresses, and additional features (e.g., VASP lookup). Suitable for companies with predictable volumes.

    • When estimating TCO, also consider integration costs and compliance team maintenance.

    Section 3. Building the AML Screening Process

    Integrate AML checks into operational processes to automate decisions and minimize manual labor.

    3.1. Decision Matrix

    Develop an internal policy based on Risk Scores. Thresholds should be tested, documented, and adapted to your risk appetite.

    Process Flowchart:

    New Transaction -> Request to AML Provider -> Receive Risk Score -> Apply Matrix -> [Auto-accept | Manual Review | Block]

    3.2. Prioritization for Different Business Scales

    AML system settings must match your company's size and risk profile.

    3.3. Calculation and Calibration of KPIs


  • p>False Positive Rate (FPR) = FP / (FP + TN): Share of clean transactions erroneously marked as risky.

    Target:< 5% for mid and large businesses to avoid overloading the team. Startups may tolerate up to 10–15% initially./p>


  • p>False Negative Rate (FNR) = FN / (FN + TP): Share of risky transactions erroneously let through.

    Target: As close to 0% as possible for everyone. This is the most critical metric./p>

    • Section 4. Technical Implementation and Integration

    4.1. Integration Example via API (Pseudo-code)

    4.2. Integration Security and Reliability

  • Webhook Security: Use TLS and verify the digital signature of each incoming webhook to authenticate it.

  • Idempotency: All state-changing requests (e.g., starting a check) must be idempotent to avoid duplicate operations during network failures.

    • 4.3. Logging and Data Storage for Audit (eDiscovery)

    Store an immutable log of all AML decisions in a format suitable for legal analysis.

  • Retention Policy: Define log retention periods (e.g., 1 year in “hot” storage for operational analysis, 5+ years in “cold” archive for compliance).

  • Log Format: Save the full JSON report from the provider, the decision made, the employee ID (if reviewed manually), and timestamps.

    • Example Log Structure (JSON):

    Section 5. Incident Management and Communications

    5.1. Roles and Responsibilities (RACI Matrix)

    5.2. User Notification Templates


  • p>For Manual Review:/p>
    blockquote>
    p>Your transfer has been temporarily paused for a standard security check.

    This usually takes no more than 24 hours. We will notify you of the result./p>
    /blockquote>


  • p>For Document Request:/p>
    blockquote>
    p>Your transfer of [AMOUNT] [ASSET] has been paused for additional verification in accordance with our AML procedures.

    To expedite the process, please provide documents confirming the source of funds. Contact support for a list of required documents./p>
    /blockquote>

    • 5.3. Manual Review Checklist

  • input type="checkbox" disabled=""> Verify the source of funds in the AML provider's report (exchange, private wallet, smart contract).

  • input type="checkbox" disabled=""> Assess for direct and indirect links to high-risk categories.

  • input type="checkbox" disabled=""> Analyze the client's transaction history within the service.

  • input type="checkbox" disabled=""> Match transaction volume with the client's KYC profile.

  • input type="checkbox" disabled=""> If risk is confirmed, request Source of Funds documents from the client.

  • input type="checkbox" disabled=""> Document the decision and rationale in the system.

    • Section 6. Playbook: Responding to Bank Inquiries and Debanking Threats

    If a bank sends an inquiry, act quickly, systematically, and transparently.

  • Initial Reaction (0–2 hours): Acknowledge receipt. Assign an owner.

  • Information Gathering (2–24 hours): Collect AML policy, provider reports, KYC data.

  • Drafting Response (24–48 hours): Draft a concise official letter.

    • Letter Template (Abbreviated):


    p>Subject: Response to your inquiry dated [Date] regarding transaction [Transaction ID]/p>
    p>Dear [Bank Manager Name],/p>
    p>We are writing in response to your inquiry dated [Date] regarding transaction [Transaction ID]. We have conducted an internal analysis and are prepared to provide the following information./p>
    p>Executive Summary: A transaction of [Amount] [Asset] from address [Sender Address] was received on [Date] and processed in accordance with our internal AML policy (Appendix A). The sender's address was analyzed using the AML service [Provider Name]. According to the report (Appendix B), the transaction received a Risk Score of [Low / Medium]./p>
    p>[If manually reviewed]: Our compliance officer conducted additional analysis and [accepted the transaction based on... / requested and received supporting documents from the client (Appendix C)]./p>
    p>Conclusion: Our investigation confirms that this transaction was processed in strict accordance with our compliance procedures./p>
    p>Sincerely,

    [Your Name], [Title]

    [Company Name]/p>

    Section 7. Validation and Testing of the AML System

    An AML system requires regular verification to maintain effectiveness.

  • Backtesting: Quarterly run historical data through updated algorithms to identify transactions where the risk level has changed.

  • Retrospective Analysis (False Negative Review): Monthly check if your clients interacted with addresses involved in recent public incidents.

  • A/B Threshold Testing: Before changing Risk Score thresholds, run them in “shadow mode” to assess impact on FPR.

    • Section 8. MVP Implementation Roadmap

    Implementing a basic AML system can be broken down into four phases (4–8 weeks):

  • Discovery and Provider Selection (1–2 weeks): Define requirements, request demos, agree on budget.

  • Technical Integration and POC (2–4 weeks): Integrate API in test environment, configure logging.

  • Policy Development (1–2 weeks): Write AML policy, decision matrix, communication templates.

  • Training and Launch (1 week): Train the team, launch system in production.

    • Section 9. Practical Case Studies


  • p>Case 1: False Positive./p>
    ul>
    li>Situation: Risk Score 65 due to links with an exchange.

  • Action: Client provided withdrawal screenshot. Transaction manually approved.

    • Case 2: Missed Risk (False Negative).

  • Situation: Transaction approved (Score 25). Later, the address was linked to a hack (Score 95).

  • Action: Continuous monitoring detected the change. Assets frozen, SAR filed.

    • Case 3: Sanctions (Tornado Cash).

  • Situation: OFAC sanctions introduction.

  • Action: Immediate update of provider risk models allowed automatic blocking of new transactions.

    • Section 10. Limitations and Ethical Risks

  • Discrimination Risk: Algorithms may be biased against certain regions.

  • Need for Human Oversight: Account blocking should not be fully automated; always allow an avenue for appeal.

    • Conclusion: Immediate Action Checklist

    Building a robust AML system is an ongoing process.

  • input type="checkbox" disabled=""> Create an implementation roadmap.

  • input type="checkbox" disabled=""> Select and test AML providers.

  • input type="checkbox" disabled=""> Develop and approve the AML policy.

  • input type="checkbox" disabled=""> Draft a technical integration plan.

  • input type="checkbox" disabled=""> Prepare the Playbook for bank communications.

  • input type="checkbox" disabled=""> Implement a validation process.

  • input type="checkbox" disabled=""> Diversify banking relationships (open a backup account).

    • Tags

    crypto aml compliance
    stablecoin startup banking
    anti-money laundering screening
    transaction monitoring system
    bank account de-risking