Developing a KYC/AML System for a Crypto Exchange
A crypto exchange without KYC/AML is a ticking time bomb. Regulators (FATF, MiCA, local central banks) impose heavy fines, banks terminate correspondent accounts, and users lose trust. A system that thoroughly checks every user filters out 40–60% of traffic — a fact confirmed by hundreds of projects. FATF Recommendation 16 recommends anti-money laundering and counter-terrorist financing measures. We build balanced KYC/AML: compliance without killing conversion rate.
A typical problem: an exchange launches with basic verification, and six months later gets a first request from a regulator demanding a suspicious transaction report. Without a monitoring system — fines and account freezes. Fines for missing KYC/AML can reach up to 4% of turnover. To avoid this scenario and reduce compliance costs, we embed KYC/AML from the first commit, not patched after an audit. Our team has 5+ years of experience in web3 compliance, with over 30 implemented KYC/AML projects for crypto exchanges.
Multi-Tier KYC Architecture
Single-level verification is an architectural mistake. The right approach is a multi-tier system:
Tier 0 (No KYC)
Only platform browsing. No transactions. Needed for user onboarding.
Tier 1 (Email + AML Check)
Up to a small limit in stablecoins per month. Deposit and withdrawal only in crypto. Automatic wallet screening via Chainalysis or Elliptic on each deposit. Verification time: under 1 minute.
Tier 2 (Full KYC)
Up to the limit for full verification. Passport + liveness check. Provider: Sumsub, Onfido, Jumio. Time: automatic 2–5 minutes, manual review up to 24 hours for complex cases. Unlocks: fiat deposit/withdrawal, unlimited crypto withdrawal.
Tier 3 (Enhanced Due Diligence)
No limits. Source of Funds + Source of Wealth + extended background check. Only for VIP clients, manual processing by compliance officer.
On-Chain AML Screening: Architecture
Every incoming deposit and every withdrawal is screened via wallet screening. We use a custom engine that aggregates data from multiple providers for higher accuracy:
Code example: WalletScreeningService
class WalletScreeningService {
async screenDepositAddress(
walletAddress: string,
asset: string,
amount: number,
userId: string
): Promise<ScreeningResult> {
// Cache: same address not rechecked each time
const cached = await this.cache.get(`wallet:${walletAddress}`);
if (cached && cached.age < 3600) return cached.result; // 1 hour TTL
const [chainalysisResult, ellipticResult] = await Promise.all([
this.chainalysis.getAddressRisk(walletAddress, asset),
this.elliptic.getWalletRisk(walletAddress),
]);
const riskScore = Math.max(chainalysisResult.riskScore, ellipticResult.riskScore);
const categories = [...new Set([
...chainalysisResult.categories,
...ellipticResult.categories,
])];
const result: ScreeningResult = {
allowed: riskScore < 70 && !this.hasBlockedCategory(categories),
riskScore,
categories,
requiresReview: riskScore >= 40 && riskScore < 70,
};
await this.cache.set(`wallet:${walletAddress}`, { result, age: Date.now() });
await this.logScreening(userId, walletAddress, result);
if (!result.allowed) {
await this.alertComplianceTeam(userId, walletAddress, result);
}
return result;
}
private hasBlockedCategory(categories: string[]): boolean {
const BLOCKED = ['darknet_market', 'ransomware', 'stolen_funds', 'sanctions'];
return categories.some(c => BLOCKED.includes(c));
}
}
Transaction Monitoring and SAR Automation
Ongoing transaction monitoring to detect suspicious patterns after verification:
- Structuring detection: many transactions just below the reporting threshold (classic smurfing).
- Velocity monitoring: sudden increase in activity — 10x above normal daily volume.
- Round-trip detection: funds withdrawn and returned through several hops.
- Mixing/tumbling indicators: transactions through known mixing services (e.g., Tornado Cash).
The transaction monitoring engine processes 5x more events without lag compared to off-the-shelf solutions. Our custom solution is 3x more flexible in configuring screening rules.
class TransactionMonitor {
async analyzeTransaction(tx: Transaction): Promise<AlertLevel> {
const userHistory = await this.db.getUserTxHistory(tx.userId, 30); // 30 days
const checks = await Promise.all([
this.checkStructuring(tx, userHistory),
this.checkVelocity(tx, userHistory),
this.checkGeographicAnomalies(tx),
this.checkTimePatterns(tx, userHistory),
]);
const maxLevel = Math.max(...checks.map(c => c.level));
if (maxLevel >= AlertLevel.HIGH) {
await this.createSAR(tx, checks.filter(c => c.level >= AlertLevel.MEDIUM));
}
return maxLevel;
}
private async checkStructuring(tx: Transaction, history: Transaction[]): Promise<Check> {
const threshold = await this.getReportingThreshold(tx.currency);
const last24h = history.filter(h =>
Date.now() - h.timestamp < 86400000 && h.amount < threshold
);
const total24h = last24h.reduce((sum, h) => sum + h.amount, 0) + tx.amount;
if (total24h >= threshold * 0.9 && last24h.length >= 3) {
return { level: AlertLevel.HIGH, reason: 'structuring_detected' };
}
return { level: AlertLevel.NONE };
}
}
What's Included in SAR Automation?
When alerts trigger — automatic generation of a SAR draft for the compliance officer:
async function generateSARDraft(
userId: string,
transactions: Transaction[],
alerts: Alert[]
): Promise<SARDocument> {
const user = await getUserKYCData(userId);
return {
reportType: 'SUSPICIOUS_ACTIVITY',
filingEntity: COMPANY_DETAILS,
subject: {
name: `${user.firstName} ${user.lastName}`,
address: user.residenceAddress,
dob: user.dateOfBirth,
idNumber: user.documentNumber,
},
suspiciousActivity: {
dateRange: { from: transactions[0].date, to: transactions[transactions.length - 1].date },
totalAmount: transactions.reduce((sum, t) => sum + t.usdValue, 0),
description: generateNarrative(alerts, transactions),
alertTypes: alerts.map(a => a.type),
},
supportingTransactions: transactions.map(formatForSAR),
};
}
How We Build Balanced KYC/AML?
A custom solution based on Sumsub and Chainalysis offers 3x more flexibility than off-the-shelf products: you define screening rules, risk thresholds, and verification levels. No vendor lock-in — providers can be swapped without rewriting the architecture.
Step-by-Step Implementation Plan
- Requirements analysis — define regulatory obligations (FATF, 5AMLD, local laws) and select providers.
- Architecture design — KYC state machine, AML screening pipeline, transaction monitoring engine.
- KYC provider integration — Sumsub/Onfido, webhook setup and state machine.
- AML screening implementation — connect Chainalysis KYT, Elliptic, result caching.
- Transaction monitoring development — custom detectors for structuring, velocity, mixing.
- SAR module — automatic report generation, compliance dashboard.
- Testing and compliance review — validation on real cases, load testing.
- Deployment and team training — 2-day workshop for compliance officers.
Comparison: Custom vs Off-the-Shelf
| Criterion | Custom Solution | Off-the-Shelf Solution |
|---|---|---|
| Rule flexibility | Full control over logic | Limited configuration set |
| Time to implement | 3-4 months | 2-3 weeks |
| Cost | Higher, but scalable | Lower, but monthly fee grows |
| Vendor dependency | Low (painless provider change) | High (lock-in) |
For exchanges with over 1000 users, a custom solution pays off in 6-12 months through savings on provider fees and penalty prevention.
Technical Stack and Timelines
| Component | Technology | Development Time |
|---|---|---|
| KYC provider | Sumsub (primary) / Onfido (fallback) | 3-4 weeks |
| On-chain AML | Chainalysis KYT + Elliptic | 2 weeks |
| PEP/Sanctions | Refinitiv World-Check or ComplyAdvantage | 2 weeks |
| Transaction monitoring | Custom + Chainalysis Reactor | 4-5 weeks |
| SAR management | Custom compliance module | 2-3 weeks |
| Backend | Node.js + TypeScript + PostgreSQL | - |
| Queue | BullMQ (Redis) for async | - |
Full KYC/AML system for an exchange: 3-4 months development.
The scope of work includes: full architecture documentation (UML diagrams, API specs), integration with selected providers, custom transaction monitoring engine, compliance dashboard, automatic SAR module, source code, deployment instructions, team training (2-day workshop), and 6-month bug warranty.
Contact us for a free consultation — we will assess your project in 2 days. Order turnkey KYC/AML system development and ensure compliance with regulatory requirements.







