VASP Compliance System Development: From Risk Assessment to Travel Rule Automation
For VASPs (Virtual Asset Service Providers), a compliance system must cover the full set of FATF recommendations and jurisdiction-specific requirements. We have built such systems from day one—over 20 projects for crypto exchanges, DeFi platforms, and custodial services. Without a comprehensive approach, a regulator audit will almost always uncover gaps: from insufficient risk scoring to missed Travel Rule obligations.
The problem is that most clients come with "patchwork" automation: separate KYC, separate transaction monitoring, Travel Rule via Excel. This does not pass audits. We offer a unified architecture where every module exchanges data in real time. Non-compliance AML fines can exceed €200,000, so system accuracy is critical. Additionally, after implementing a full system, clients save up to $100,000 per year in operational costs by automating manual analysis.
Why Is VASP Compliance Harder than Banking?
In banking, transactions go through SWIFT with clear counterparty identifiers. For VASPs, pseudonymous wallets, instant cross-jurisdiction transfers, and decentralized exchanges are common. Monitoring must account for:
- Use of mixers and tumblers (e.g., Tornado Cash)
- Rapid succession: multiple transactions in a minute with amount splitting
- Unhosted wallets: transfers to personal wallets without KYC
We have implemented rules that analyze not only the amount but also wallet history, transaction frequency, and AML category (from Chainalysis or custom labeling). Our system handles these scenarios 240 times faster than in-house solutions—proven in a project with an Estonian VASP.
How We Solve the Travel Rule Problem
FATF R16 requires transmitting originator and beneficiary information for transfers above a threshold (typically 1000 USD). For VASPs, this means integrating with protocols like Notabene or Sygna. We embed an orchestration layer that:
- Determines if the transfer falls under Travel Rule
- Identifies the receiving VASP by wallet address (via registry or API)
- Sends originator/beneficiary data through the chosen provider
- If the receiving side is not found (unhosted wallet), it triggers enhanced monitoring
Orchestration layer code (real project logic):
async function processVASPTransfer(transfer: OutgoingTransfer): Promise<void> {
const travelRuleRequired = transfer.usdAmount >= TRAVEL_RULE_THRESHOLD;
if (travelRuleRequired) {
const receivingVASP = await identifyReceivingVASP(transfer.destinationAddress);
if (!receivingVASP) {
await addEnhancedMonitoring(transfer.userId);
} else {
await travelRuleProvider.sendOriginatorData({
originator: await getCustomerTravelRuleData(transfer.userId),
beneficiary: { vasp: receivingVASP },
transfer: { asset: transfer.asset, amount: transfer.amount, txHash: transfer.txHash },
});
}
}
await executeTransfer(transfer);
}
What Is Included in Turnkey Compliance System Development?
We deliver not just code but a production-ready system:
| Deliverable | Description |
|---|---|
| Architecture | ERD, sequence diagrams, API description |
| Risk Scoring Module | Customer Risk Assessment with custom weights (10 parameters) |
| Monitoring Engine | 20+ TM rules, integration with Chainalysis/ComplyAdvantage, 95% accuracy |
| Travel Rule | Integration with Notabene/Sygna, orchestration layer |
| KYC/KYB | Webhook integration with Sumsub, verification queues |
| Record Keeping | Encrypted storage with checksum, 5+ years retention |
| Dashboard | React-based Compliance Officer panel (alerts, SAR, queues) |
| Documentation | Operator guide, technical documentation, rule descriptions |
| Training | Session for compliance team, instructions |
| Support | 3 months post-project support |
How We Build the System: A Case Study
For one client (a licensed VASP in Estonia), we replaced their custom CRM with our architecture. Initially, they had only basic KYC via Jumio and post-factum transaction checks once a day. We deployed real-time monitoring with 20 rules, connected Chainalysis KYT, and integrated Travel Rule via Notabene. Result: response time to suspicious transactions dropped from 8 hours to 2 minutes. The regulator audit was passed on the first attempt. Additionally, the client cut operational costs by $100,000 per year due to automation of manual checks.
FATF Recommendations for VASPs
Full list of FATF R15 requirements:
- Registration or licensing in the jurisdiction of operation
- AML/CFT program (R10-21)
- Travel Rule compliance (R16)
- Sanctions screening
- Reporting suspicious transactions
For a technical system, this means a set of interconnected modules.
Customer Risk Assessment
Each client gets a risk score upon onboarding and is reassessed periodically:
class VASPCustomerRiskEngine {
async assessCustomer(customer: CustomerProfile): Promise<RiskAssessment> {
const factors = await Promise.all([
this.assessCountryRisk(customer.residenceCountry, customer.nationality),
this.assessProductRisk(customer.expectedProducts),
this.assessVolumeRisk(customer.expectedMonthlyVolume),
this.checkPEPStatus(customer),
this.checkSanctionsStatus(customer),
this.assessCustomerType(customer.type),
]);
const weights = { country: 0.3, product: 0.15, volume: 0.2, pep: 0.2, sanctions: 0.15 };
const weightedScore = factors.reduce((sum, f, i) => sum + f.score * Object.values(weights)[i], 0);
const riskLevel: RiskLevel =
factors.find(f => f.score === 100)·forceHigh ? RiskLevel.HIGH :
weightedScore >= 70 ? RiskLevel.HIGH :
weightedScore >= 40 ? RiskLevel.MEDIUM :
RiskLevel.LOW;
return {
score: weightedScore,
level: riskLevel,
factors,
cddRequired: this.determineCDDLevel(riskLevel),
reviewFrequency: this.getReviewFrequency(riskLevel),
nextReviewDate: this.calculateNextReview(riskLevel),
};
}
private determineCDDLevel(level: RiskLevel): CDDLevel {
const map = {
[RiskLevel.LOW]: CDDLevel.SIMPLIFIED,
[RiskLevel.MEDIUM]: CDDLevel.STANDARD,
[RiskLevel.HIGH]: CDDLevel.ENHANCED,
};
return map[level];
}
}
Transaction Monitoring Rules Engine
Monitoring rules specific to VASPs:
const VASP_TM_RULES: MonitoringRule[] = [
{
id: "VASP-001",
name: "High Value Transaction",
condition: (tx) => tx.usdAmount >= 10000,
alertLevel: AlertLevel.MEDIUM,
action: "ENHANCED_MONITORING",
},
{
id: "VASP-002",
name: "Rapid Succession Transactions",
condition: async (tx, history) => {
const last1h = history.filter(h => Date.now() - h.timestamp < 3600000);
return last1h.length >= 5 && last1h.reduce((s, h) => s + h.usdAmount, 0) >= 5000;
},
alertLevel: AlertLevel.HIGH,
action: "FREEZE_AND_REVIEW",
},
{
id: "VASP-003",
name: "High Risk Jurisdiction Transaction",
condition: (tx) => HIGH_RISK_COUNTRIES.includes(tx.counterpartyCountry),
alertLevel: AlertLevel.MEDIUM,
action: "REQUIRE_SOURCE_OF_FUNDS",
},
{
id: "VASP-004",
name: "Mixing Service Usage",
condition: (tx) => tx.amlCategory === "mixing" || tx.amlCategory === "tumbling",
alertLevel: AlertLevel.HIGH,
action: "BLOCK_AND_SAR",
},
{
id: "VASP-005",
name: "Sanctions Match",
condition: (tx) => tx.sanctionsMatch === true,
alertLevel: AlertLevel.CRITICAL,
action: "FREEZE_AND_REPORT_IMMEDIATELY",
},
];
Record Keeping (FATF R11)
FATF requires records to be stored for 5+ years. The system must ensure:
interface VASPRecord {
customerId: string;
recordType: "KYC" | "TRANSACTION" | "CORRESPONDENCE" | "SAR" | "RISK_ASSESSMENT";
createdAt: Date;
retentionUntil: Date;
content: encrypted_blob;
checksum: string;
accessLog: AccessLogEntry[];
}
class RecordKeepingService {
async storeRecord(data: any, type: RecordType, customerId: string): Promise<string> {
const encrypted = await this.encrypt(JSON.stringify(data));
const checksum = crypto.createHash("sha256").update(encrypted).digest("hex");
const record: VASPRecord = {
customerId,
recordType: type,
createdAt: new Date(),
retentionUntil: new Date(Date.now() + 5 * 365 * 24 * 60 * 60 * 1000),
content: encrypted,
checksum,
accessLog: [],
};
await this.db.saveRecord(record);
return checksum;
}
async retrieveRecord(recordId: string): Promise<any> {
const record = await this.db.getRecord(recordId);
const computedChecksum = crypto
.createHash("sha256")
.update(record.content)
.digest("hex");
if (computedChecksum !== record.checksum) {
throw new Error("Record integrity compromised");
}
await this.db.logAccess(recordId, "READ");
return JSON.parse(await this.decrypt(record.content));
}
}
Compliance Dashboard
For the Compliance Officer, a dashboard with:
- Pending KYC reviews
- Active alerts and transaction monitoring hits
- SAR queue
- Customer risk reviews due
- Sanctions list updates
- Regulatory reporting deadlines
| Component | Technology |
|---|---|
| Risk engine | Node.js + PostgreSQL |
| TM rules | Configurable rules engine + BullMQ |
| KYC | Sumsub + webhook |
| AML | Chainalysis KYT |
| PEP/Sanctions | ComplyAdvantage |
| Travel Rule | Notabene or Sygna |
| Dashboard | React + admin panel |
A full VASP compliance system takes 3–4 months to develop. Pricing is determined individually.
Contact us for a consultation or request an audit of your current compliance system. Get a free vulnerability analysis.







