Shufti-Sphere-Website-Banner
burger-menu cross-icon-2

Resources

us

216.73.216.200

US Crypto Regulations 2026: A Complete Guide to Federal Agencies, State Licensing and AML Compliance

TL;DR

  • Cryptocurrency is legal in the US and regulated at both the federal and state levels. There is no single federal rulebook, so firms navigate several agencies plus a state licensing layer.
  • The GENIUS Act (enacted 18 July 2025) is the first federal law for payment stablecoins. The CLARITY Act passed the House in July 2025 but is not yet law.
  • Four federal agencies dominate day-to-day compliance: FinCEN (AML and the Bank Secrecy Act), the SEC (securities), the CFTC (commodities and derivatives), and OFAC (sanctions), with the IRS handling tax.
  • Most crypto firms are Money Services Businesses (MSBs). They must register with FinCEN, run a risk-based AML program, verify customers, and file Suspicious Activity Reports.
  • The US Travel Rule threshold is USD 3,000. Firms must transmit originator and beneficiary information for qualifying transfers and verify their counterparty VASPs.
  • States add a licensing layer. New York’s BitLicense is the strictest, California’s Digital Financial Assets Law takes effect in 2026, and Wyoming offers the SPDI bank charter.
  • Enforcement is real. Binance settled for USD 4.3 billion in 2023, Bittrex for USD 29 million, and Paxful for USD 3.5 million in December 2025 (FinCEN).

US crypto regulations in 2026 are no longer just an enforcement risk; they are an operating requirement. Crypto exchanges, custodians, wallet providers, stablecoin issuers, and payment firms must now navigate FinCEN MSB rules, OFAC sanctions screening, state licensing, Travel Rule obligations, and the new federal stablecoin framework at the same time.

This guide is for crypto exchanges, custodians, wallet providers, stablecoin issuers, payment firms, and compliance teams building AML/KYC controls for US operations.

This guide sets out where US crypto regulations actually stand in 2026, which agencies matter, what applies to your business model, and the crypto AML regulations, Know Your Customer, Travel Rule, and wallet screening duties that follow. It is written for compliance and product teams at exchanges, custodians, wallet providers, stablecoin issuers and payment firms who need to translate the rules into crypto compliance requirements they can operationalize. For the European counterpart, see Shufti’s guide to MiCA and the EU crypto rules.

What is settled vs what is still in motion

Settled law Still in motion
GENIUS Act stablecoin framework is enacted CLARITY Act market structure bill (pending in the Senate)
BSA and FinCEN MSB obligations apply to crypto firms Final FinCEN and OFAC stablecoin rules (comment period closed, finalisation expected)
State money transmitter and BitLicense regimes are in force Proposed reduction of the international Travel Rule threshold
SEC and CFTC token classification is set by interpretive guidance Codification of the SEC and CFTC jurisdiction split into statute

US crypto regulation at a glance (2026 snapshot)

What changed in 2025 and 2026

Four developments define the current landscape:

  • GENIUS Act signed (July 2025). The first federal framework for payment stablecoins. Only permitted issuers may issue, reserves must be backed one-to-one and disclosed, and paying yield to holders is prohibited. See the Congressional Research Service summary.
  • SEC and CFTC joint interpretation (March 2026). After a March 2026 memorandum of understanding, the two agencies issued a joint interpretation classifying major tokens and dividing oversight. The SEC press release placed a set of large tokens, including Bitcoin, Ether, Solana, and XRP, under the CFTC as digital commodities. This is interpretive guidance, not statute.
  • CLARITY Act status. The Digital Asset Market Clarity Act passed the House in July 2025 and advanced in the Senate, but it is not law yet. It would lock the SEC and CFTC boundary into statute.
  • DeFi broker rule repealed. The earlier rule that would have imposed broker reporting on decentralized, non-custodial platforms was rolled back, so those platforms currently fall outside those reporting requirements.

For a running record of federal developments, including the SEC and CFTC coordination and 2026 derivatives approvals, the Latham US crypto policy tracker is a reliable reference.

US crypto compliance by the numbers

The regulatory pressure tracks the risk. A few figures explain why crypto AML regulations are tightening in 2026:

  • Illicit crypto addresses received at least USD 154 billion in 2025, a 162% year-on-year increase, according to the Chainalysis 2026 Crypto Crime Report.
  • Stablecoins accounted for roughly 84% of that illicit transaction volume, which is a major reason the GENIUS Act now applies AML and sanctions obligations to stablecoin issuers.
  • FinCEN received approximately 55,000 Suspicious Activity Reports referencing stablecoins between January 2015 and November 2025 (US Treasury).
  • Only one of the 138 jurisdictions assessed by the Financial Action Task Force was rated fully compliant with its virtual asset standard (Recommendation 15) in its 2025 update, and just 29% were rated largely compliant, so global enforcement still has room to harden.

Settled law vs pending proposals

The practical takeaway: build against what is enacted today (the BSA, MSB registration, state licensing and the GENIUS Act) while planning for what is close behind (the CLARITY Act and the final stablecoin AML and sanctions rules). Agency guidance and executive action can shift more easily than primary law, so treat them as directional rather than fixed.

Who regulates crypto in the US? Federal agencies explained

There is no single crypto regulator. Responsibility is split by activity and asset type across several federal bodies.

FinCEN: the Bank Secrecy Act, MSB registration and the Travel Rule

The Financial Crimes Enforcement Network treats most crypto exchangers and administrators as money services businesses under the Bank Secrecy Act. A Money Services Business (MSB) is the regulated category for firms that exchange, transmit, or handle convertible virtual currency for customers. That status triggers FinCEN MSB registration (Form 107), a written AML program, customer identification, Suspicious Activity Report and Currency Transaction Report filing, recordkeeping, and Travel Rule compliance.

SEC: securities, the Howey test and token taxonomy

The Securities and Exchange Commission oversees crypto assets that are securities. The 2026 interpretive guidance set out a token taxonomy covering digital commodities, digital collectibles, digital tools, stablecoins, and digital securities and addressed airdrops, staking, and wrapping. Firms can review the SEC’s crypto assets and securities guidance to understand where a token may fall.

CFTC: digital commodities and derivatives

The Commodity Futures Trading Commission oversees digital commodities and their spot and derivatives markets. Following the 2026 joint interpretation, major tokens sit under the CFTC, which in 2026 also began approving regulated crypto perpetual futures, a product class that had developed almost entirely offshore.

OFAC: sanctions screening

The Office of Foreign Assets Control administers US sanctions. Every crypto firm must screen customers, counterparties, and wallet addresses against the OFAC Specially Designated Nationals list and other programs. Sanctions breaches carry strict liability, so screening is non-negotiable regardless of intent.

IRS: tax and Form 1099-DA

The Internal Revenue Service treats crypto as property. The new Form 1099-DA introduces broker reporting, with gross proceeds reporting from 2025 and cost basis reporting phasing in thereafter.

Supporting roles: OCC, FDIC, Federal Reserve, DOJ, and the Working Group

Banking regulators (the OCC, FDIC, and Federal Reserve) shape how banks custody digital assets and will implement the stablecoin framework. The Department of Justice brings criminal cases, and the President’s Working Group on Digital Asset Markets sets federal policy direction.

Federal crypto laws you must know

The Bank Secrecy Act and the AML Act of 2020

The BSA is the foundation of US AML law. FinCEN has treated administrators and exchangers of convertible virtual currency as money transmitters/MSBs since its 2013 guidance and consolidated that approach in 2019.

The GENIUS Act: the stablecoin framework

Enacted on 18 July 2025, the GENIUS Act created the first federal regime for payment stablecoins. Permitted issuers must hold one-to-one reserves, publish attested disclosures, and follow redemption rules, and payment stablecoins issued by permitted issuers are treated as not being securities. In April 2026, FinCEN and OFAC jointly proposed rules applying AML and sanctions obligations to permitted payment stablecoin issuers, published in the Federal Register. Final rules are expected in 2026 with a phased enforcement runway into 2027.

The CLARITY Act: the SEC and CFTC jurisdiction split

The Digital Asset Market Clarity Act passed the House in July 2025 and cleared the Senate Banking Committee on 15–9 vote on 14 May 2026, before being placed on the Senate Legislative Calendar. As of publication, it is awaiting a full Senate floor vote and is not yet law.

The SEC and CFTC joint interpretation and token classification

The March 2026 joint interpretation gave the market a working taxonomy and placed a set of major tokens under the CFTC as digital commodities. It reduced near-term litigation risk, but because it is guidance rather than law, durable certainty still depends on the CLARITY Act passing.

State-by-state crypto regulation

Federal progress does not remove state obligations. A firm can be fully compliant with FinCEN and still be unlawful in a given state without the right license, so crypto licensing requirements are a state-level question as much as a federal one. Most crypto firms need state money transmitter licenses plus federal FinCEN registration, and the GENIUS Act’s state pathway for smaller stablecoin issuers sits on top of, not instead of, this existing landscape.

Strict licensing states: New York and California

New York’s BitLicense, administered by the NYDFS, is the strictest regime in the country, with detailed KYC, capital and reporting requirements and a long approval timeline. California’s Digital Financial Assets Law, overseen by the DFPI, introduces a dedicated licensing regime taking effect on 1 July 2026.

Crypto-friendly states: Wyoming and others

Wyoming pioneered the Special Purpose Depository Institution (SPDI) charter, letting qualifying crypto firms operate as banks with clear legal definitions for digital assets. Other states, including Texas, Arizona, and New Hampshire, have explored digital asset reserves and tax treatment aimed at attracting industry.

The money transmitter licensing patchwork

Outside the specialist regimes, most states regulate crypto through money transmitter laws. Requirements, fees, net capital, and approval timelines vary widely, so multi-state operators typically maintain a portfolio of licenses and a state-by-state compliance calendar.

State licensing comparison

State Licence/charter Application fee Capital Timeline Compliance burden
New York BitLicense (NYDFS) ~USD 5,000 Case by case, high Often 12 months+ Highest: full KYC, capital, reporting
California DFAL licence (DFPI) Set by DFPI Set by DFPI Live 1 Jul 2026 High and rising
Wyoming SPDI bank charter ~USD 5,000 ~USD 2m net capital Several months Bank grade, pro innovation
Most states Money transmitter licence Varies Varies (bond based) Varies Moderate, per state

Figures are indicative. Confirm current fees, net capital and timelines directly with each regulator before you rely on them.

Which US crypto rules apply to your business model?

Your obligations depend on what you actually do. Map your activity to the primary registration path, then layer state licensing and sanctions duties on top.

Exchanges, custodians and wallet providers (MSB path)

If you exchange, transmit, or have custody of convertible virtual currency for customers, you are almost certainly an MSB. Register with FinCEN, run a full AML program, verify users at onboarding, and screen and monitor throughout the customer lifecycle. Many exchanges match verification depth to risk with a tiered KYC workflow, applying lighter checks below the Travel Rule threshold and full due diligence above it.

Token issuers and trading platforms (SEC path)

If your token is offered or sold as, or functions like, a security, SEC registration and disclosure obligations may apply. The 2026 taxonomy helps classify tokens, but structuring decisions should be taken with securities counsel.

Derivatives and futures platforms (CFTC path)

Platforms offering crypto derivatives, including the newly approved perpetual futures, operate under CFTC oversight and the Commodity Exchange Act, typically through registered contract markets.

Stablecoin issuers (GENIUS path)

Payment stablecoin issuers must become permitted issuers, hold one-to-one reserves, publish attested disclosures, and, once final rules take effect, maintain AML and sanctions compliance programs as permitted payment stablecoin issuers.

DeFi and non-custodial or unhosted wallets

Treatment turns on control. Genuinely decentralized, non-custodial platforms currently fall outside the repealed DeFi broker rule, and unhosted wallets receive different treatment from hosted accounts. The practical test is whether the operator controls customer funds and can identify users. Where it can, MSB-style obligations tend to follow.

AML and KYC requirements for US crypto firms

Building a risk-based AML programme

A compliant BSA program needs written policies and procedures, a designated compliance officer, ongoing employee training, and independent testing. The program must be proportionate to your risk profile and documented well enough to survive an examination.

KYC and identity verification at onboarding

Every user must be identified and verified before they can trade or withdraw. That means document verification, biometric liveness checks, and sanctions screening in a single onboarding flow. For a deeper walkthrough, see Shufti’s guide to KYC for crypto exchanges and the KYC compliance knowledge base.

CDD, EDD, and beneficial ownership

Customer due diligence establishes and verifies identity and the nature of the relationship. Enhanced due diligence applies to higher-risk customers, geographies, and transaction patterns. For business customers, you must identify the ultimate beneficial owners behind the entity.

Ongoing monitoring and SAR / CTR reporting

Verification is not a one-time gate. Firms must monitor transactions and customer profiles on an ongoing basis, refresh customer information, and file Suspicious Activity Reports and Currency Transaction Reports on time. Missing or late filings are among the most commonly penalized failures.

Run US crypto KYC and AML through one APIShufti verifies users across 240+ countries and 10,000+ document types, adds biometric liveness, and screens against global sanctions, PEP, and adverse media data in real time. The same decisioning layer runs from onboarding through continuous monitoring, so your compliance team keeps one audit trail instead of stitching together three vendors.

Book a demo to run it against your own onboarding pipeline

US crypto Travel Rule compliance

The USD 3,000 threshold and required data

Under FinCEN’s rules, the US Travel Rule applies to transmittals of USD 3,000 or more. For qualifying transfers, institutions must transmit identifying information for both the originator and the beneficiary. (The international FATF threshold is lower, around USD 1,000, and FinCEN has proposed reducing the US international threshold, so watch this space.) 

Verifying the counterparty VASP: KYB and UBO checks

The Travel Rule is not only about your own customers. A Virtual Asset Service Provider (VASP) is any business that exchanges, transfers, custodies, or issues virtual assets for others. Before a transfer proceeds, you need to know whether the counterparty is a regulated VASP; confirm its legal entity, registration, and licensing status; and screen its directors and ultimate beneficial owners. This counterparty due diligence is where many programs are weakest. Shufti’s approach to KYB for crypto exchanges under the Travel Rule covers entity verification, UBO mapping, and business AML screening through one API.

Protocol interoperability challenges

Different VASPs use different Travel Rule protocols that do not natively communicate, so outbound transfers can stall on interoperability. Supporting multiple protocols is what keeps corridors open as you scale across borders.

Sanctions screening, wallet screening, and transaction monitoring

OFAC obligations for virtual currency

OFAC screening is mandatory and subject to strict liability. Screen customers, counterparties, and wallet addresses at onboarding and continuously, because sanctions lists change and a previously clean address can become exposed.

Wallet screening and on-chain risk scoring

Beyond identity, firms increasingly score wallet risk using on-chain analytics: links to sanctioned addresses, darknet markets, mixers, and known illicit clusters. A risk score should trigger enhanced due diligence, fund holds, or law enforcement referrals under a documented policy rather than acting as automatic proof.

Real-time transaction monitoring for crypto

Transaction monitoring flags structuring, rapid or circular flows, mixer exposure, and other red flags across wallets and exchanges and feeds SAR generation.

Crypto enforcement and penalties in the US

Recent enforcement snapshot

US regulators have shown they will pursue AML and sanctions failures at scale and against individuals as well as firms.

Firm Year Agencies Penalty Core failure
Binance 2023 DOJ, FinCEN, OFAC, CFTC USD 4.3bn total (FinCEN USD 3.4bn, OFAC USD 968m) No MSB registration, no effective AML programme, zero SARs, sanctions breaches
Bittrex 2022 FinCEN, OFAC ~USD 29.3m AML programme and SAR failures, exposure to sanctioned jurisdictions
Paxful 2025–2026 FinCEN (Dec 2025), DOJ (Feb 2026) | USD 3.5m (FinCEN) + USD 4m (DOJ) = USD 7.5m total MSB registration, AML program, and SAR failures on a P2P platform

Sources: FinCEN enforcement actions and the Bittrex enforcement release.

The cost of non-compliance

Beyond the headline fines, resolutions routinely include multi-year independent monitorships, forced US market exits, lookback reviews, and personal liability for executives. The recurring theme across cases is not misreading the rules but failing to operationalize them: no registration, weak onboarding, and monitoring that does not generate the reports regulators expect.

US crypto compliance checklist

  1. Determine your business model and registration path (MSB, SEC, CFTC, GENIUS permitted issuer).
  2. Register with FinCEN as an MSB where applicable and obtain the required state licenses, including a BitLicense for New York activity.
  3. Appoint a qualified BSA / AML compliance officer with real authority.
  4. Document a risk-based AML program with policies, procedures, and a risk assessment.
  5. Verify every customer at onboarding with documents, biometrics, and liveness checks.
  6. Screen customers, counterparties, and wallets against OFAC and global sanctions, PEP, and adverse media data.
  7. Perform CDD and EDD and identify ultimate beneficial owners for business customers.
  8. Implement Travel Rule transmission for transfers of USD 3,000 or more and verify counterparty VASPs.
  9. Run real-time transaction monitoring and on-chain wallet risk scoring.
  10. File SARs and CTRs on time and keep records for the required retention period.
  11. Deliver ongoing staff training and commission independent testing of the program.
  12. Track regulatory change (CLARITY Act, final stablecoin rules) and update controls accordingly.

The future of US crypto regulation

Expect the direction of travel to continue toward codified rules. If the CLARITY Act passes, the SEC and CFTC boundary moves from guidance to statute, giving firms firmer ground. Final stablecoin AML and sanctions rules will formalize obligations for permitted issuers. DeFi, privacy coins, and unhosted wallets remain the hardest edges, and international coordination through FATF will keep pushing Travel Rule enforcement and stablecoin-specific controls. The firms that operationalize compliance now will adapt fastest as these frameworks harden.

How Shufti helps crypto firms stay compliant

Shufti gives exchanges, custodians, wallet providers, and stablecoin issuers a single compliance layer for US and global operations: KYC and identity verification, KYB with UBO mapping, AML and wallet screening, transaction monitoring, and Travel Rule support, all through one integration. Coverage spans 240+ countries and 10,000+ document types; screening runs against global sanctions, PEP, and adverse media data; and one decisioning layer carries a customer from onboarding through continuous monitoring so your team maintains a single audit trail.

One compliance layer for US crypto operationsKYC, KYB with UBO mapping, AML and wallet screening, transaction monitoring, and Travel Rule support, delivered through one API across 240+ countries. Built to help crypto firms meet FinCEN, OFAC, and state obligations without stitching vendors together.

Talk to a compliance expert to see it run on your own pipeline

Frequently Asked Questions

Is crypto legal in the US?

Yes. Cryptocurrency is legal in the US. Crypto-related activities are regulated under both federal and state law, and the specific rules depend on the activity, asset type, and jurisdiction.

Who regulates cryptocurrency in the US?

Several agencies. FinCEN handles AML under the BSA, the SEC oversees crypto securities, the CFTC oversees digital commodities and derivatives, OFAC administers sanctions, and the IRS handles tax. Banking regulators and the DOJ also play roles.

Do crypto exchanges need a license in the US?

In practice, yes. Most exchanges must register with FinCEN as an MSB and hold state money transmitter licenses, plus a BitLicense to serve New York customers. Operating without the right registrations can lead to fines, asset freezes, or criminal charges.

What are the AML rules for crypto in the US?

Crypto MSBs must run a risk-based AML program, verify customers, conduct due diligence, screen against sanctions, monitor transactions on an ongoing basis, comply with the Travel Rule, and file SARs and CTRs, all under the Bank Secrecy Act.

Is the CLARITY Act law yet?

No. The Digital Asset Market Clarity Act passed the House in July 2025 and advanced in the Senate, but as of mid-2026, it has not passed the full Senate or become law.

Which US states are crypto-friendly?

Wyoming is the best known, with its SPDI bank charter and clear digital asset definitions. Texas, Arizona, and New Hampshire have also pursued crypto-friendly measures. New York and California, by contrast, run stricter licensing regimes.

What is the difference between the SEC and the CFTC for crypto?

The SEC regulates crypto assets that are securities, focusing on issuance and disclosure. The CFTC regulates digital commodities and their spot and derivatives markets. The 2026 joint interpretation placed major tokens such as Bitcoin, Ether, Solana, and XRP under the CFTC as digital commodities, though the CLARITY Act is still needed to fix the boundary in statute.

How much does a crypto license cost in the US?

Costs vary by state and business model. Application fees may be relatively small, but legal preparation, surety bonds, compliance staffing, audits, reporting, and ongoing examinations can make the total cost materially higher.

Related Posts

Shufti Blog

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Explore More

Shufti Blog

Alabama HB172: What the Political Synthetic Media and Election Integrity Act Actually Requires

Alabama HB172: What the Political Synthetic Media and Election Integrity Act Actually Requires

Explore More

Shufti Blog

Perpetual KYC (pKYC): The Complete Guide to Continuous Customer Due Diligence (2026)

Perpetual KYC (pKYC): The Complete Guide to Continuous Customer Due Diligence (2026)

Explore More

Shufti Blog

Central KYC (CKYC): The Complete Guide to CKYC, KIN and CERSAI Compliance (2026)

Central KYC (CKYC): The Complete Guide to CKYC, KIN and CERSAI Compliance (2026)

Explore More

Shufti Blog

What are Deepfake? How AI-Generated Video and Media Work

What are Deepfake? How AI-Generated Video and Media Work

Explore More

Shufti Blog

The State of Online Travel Fraud

The State of Online Travel Fraud

Explore More

Shufti Blog

US Crypto Regulations 2026: A Complete Guide to Federal Agencies, State Licensing and AML Compliance

US Crypto Regulations 2026: A Complete Guide to Federal Agencies, State Licensing and AML Compliance

Explore More

Shufti Blog

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Demand Deposit Account (DDA) Fraud: What It Is, How It Works, and How to Stop It

Explore More

Shufti Blog

Alabama HB172: What the Political Synthetic Media and Election Integrity Act Actually Requires

Alabama HB172: What the Political Synthetic Media and Election Integrity Act Actually Requires

Explore More

Shufti Blog

Perpetual KYC (pKYC): The Complete Guide to Continuous Customer Due Diligence (2026)

Perpetual KYC (pKYC): The Complete Guide to Continuous Customer Due Diligence (2026)

Explore More

Shufti Blog

Central KYC (CKYC): The Complete Guide to CKYC, KIN and CERSAI Compliance (2026)

Central KYC (CKYC): The Complete Guide to CKYC, KIN and CERSAI Compliance (2026)

Explore More

Shufti Blog

What are Deepfake? How AI-Generated Video and Media Work

What are Deepfake? How AI-Generated Video and Media Work

Explore More

Shufti Blog

The State of Online Travel Fraud

The State of Online Travel Fraud

Explore More

Shufti Blog

US Crypto Regulations 2026: A Complete Guide to Federal Agencies, State Licensing and AML Compliance

US Crypto Regulations 2026: A Complete Guide to Federal Agencies, State Licensing and AML Compliance

Explore More

Take the next steps to better security.

Contact us

Get in touch with our experts. We'll help you find the perfect solution for your compliance and security needs.

Contact us

Request demo

Get free access to our platform and try our products today.

Get started