Two significant compliance deadlines land within 60 days of each other this summer. The European Union’s Markets in Crypto-Assets Regulation transition period for crypto-asset service providers ends on July 1, 2026 — after which unregistered CASPs must cease EU operations or face enforcement. The GENIUS Act’s additional regulations, which will specify the operational compliance requirements for stablecoin issuers under US law, are due on July 18, 2026.
These deadlines arrive against an enforcement backdrop that should be uncomfortable for any operator who believes their compliance programme is adequate because it is documented. The DOJ fined OKX over $500 million in 2025 for AML failures — weak KYC checks and billions in suspicious transactions flowing through systems that had nominal compliance controls in place. FinCEN hit Paxful with a $3.5 million penalty for willful Bank Secrecy Act violations after the platform facilitated approximately $500 million in illicit activity. Crypto-linked illicit flows globally reached an estimated $158 billion in laundered funds in 2025, more than triple 2024’s total, according to Kroll’s financial compliance analysis.
The pattern across enforcement actions from 2023 through 2026 is consistent. The failures are not primarily in having a compliance policy. They are in operating compliance systems that function in practice — that actually detect suspicious activity, that apply KYC standards to the full customer population rather than a sampled subset, that file suspicious activity reports when the evidence supports it rather than when it is convenient. The distance between documented compliance and functional compliance is where enforcement cases are built.
What the OKX Case Actually Shows
The DOJ’s case against OKX is worth examining in some detail because it illustrates a failure mode that is more common than the headline fine suggests.
OKX had a compliance team, a KYC programme, and AML policies. The DOJ’s findings were not that OKX had no compliance programme — they were that the programme was not applied to a significant portion of OKX’s customer base, that the KYC controls contained known gaps that were not remediated, and that suspicious transactions flowed through the system in patterns that should have triggered SARs at volumes that should have made the pattern visible without sophisticated analysis.
Exchanges have a systematic incentive to underinvest in compliance that actually catches suspicious activity. A compliance programme that generates large volumes of SARs creates regulatory scrutiny, customer friction, and operational cost. A compliance programme that is documented but not fully operational keeps regulators satisfied with policy evidence while minimising operational disruption. The enforcement record suggests that several major exchanges have rationally chosen the latter path until the point where enforcement action made the calculation change.
The $500 million OKX fine changes the calculation materially. At that scale, the cost of non-compliance significantly exceeds the cost of a genuine compliance programme. But the fine arrived after the fact. The more useful question for operators evaluating their own programmes — or evaluating the compliance posture of exchanges they use as infrastructure — is whether the gap between documented and functional compliance is detectable before enforcement.
It is, with the right questions. How many SARs did this exchange file last year? What is the ratio of SARs to transaction volume, and how does it compare to peer institutions? What percentage of the customer base has been through full enhanced due diligence versus simplified KYC? What is the false-negative rate on transaction monitoring — the proportion of suspicious transactions that the system missed relative to those flagged by external blockchain analysis? Exchanges with strong compliance programmes can answer these questions specifically. Exchanges with nominal programmes cannot.
What MiCA Actually Requires After July 1
MiCA has been in force since December 2024, with an 18-month transition period for existing CASPs to obtain licensing or wind down EU operations. The July 1, 2026 end of the transition period is not a new requirement — it is the point at which the requirement stops being transitional and starts being enforced without the grandfathering provisions that have allowed CASPs to continue operating during the licensing queue.
The practical situation in Europe in May 2026 is that a significant number of CASPs that applied for MiCA licensing are still in the queue — licensing processing has been slower than the transition timeline anticipated, and several EU member state regulators are handling backlogs. The European Securities and Markets Authority has indicated that it expects national competent authorities to use enforcement discretion for CASPs that can demonstrate a complete, submitted licensing application and a compliant interim operating structure. This is not a de facto extension — it is a discretionary regulatory posture that can change, that varies by jurisdiction, and that provides no guarantees.
For a CASP currently operating in the EU with a pending licence application, the risk is not primarily immediate enforcement action on July 2. It is the risk that the discretionary posture changes, that a specific national regulator decides to make an example of an applicant in its queue, or that a compliance failure in another domain — AML, consumer protection, market manipulation — triggers a regulator to look more closely at a pending licence application that might otherwise have been processed without scrutiny.
MiCA’s operational requirements extend beyond licensing. CASPs must maintain minimum capital requirements, publish whitepapers for crypto-assets they offer, comply with market abuse prohibitions, maintain segregated client assets, and implement AML/CFT frameworks aligned with the EU’s 6th Anti-Money Laundering Directive. An exchange that obtained MiCA licensing but is operating with capital below the minimum, or that has not updated its AML programme to align with 6AMLD requirements, is compliant in one sense and non-compliant in another.
The Specific Failure Patterns Enforcement Has Documented
Across the OKX case, the Paxful penalty, Binance’s $4.3 billion DOJ resolution in 2023, and FinCEN’s enforcement against other VASPs, the compliance failure patterns cluster around a small number of categories.
KYC application gaps. In almost every major enforcement case, a significant portion of the customer base — often customers acquired during high-growth phases when KYC was operationally inconvenient — had not been through the full KYC process that the exchange’s written policy required. The policy said full KYC; the practice exempted customers below certain deposit thresholds, or customers acquired through certain partnership channels, or customers from jurisdictions that the exchange had categorised as lower-risk without adequate documentation of that risk assessment.
Transaction monitoring calibration failures. Monitoring systems that generate too many alerts create an analyst bottleneck where alerts are cleared without genuine review. Monitoring systems calibrated too conservatively to reduce alert volume miss the patterns they were designed to catch. Both failure modes produce the same output: suspicious transactions that should have generated SARs that did not. Grant Thornton’s 2026 compliance analysis found that on-chain transaction monitoring is “where many crypto exchange compliance programmes fail in practice” — the problem is functional, not documentary.
Jurisdictional evasion. Paxful’s case involved operating in jurisdictions where its compliance programme was not applied — effectively treating some geographies as compliance-exempt zones within an exchange that had a global compliance policy. This is the failure mode most common in platforms with inconsistent geographic coverage: a strong programme in regulated markets, a thin or non-existent programme in markets where regulatory oversight was weaker.
SAR filing culture. Whether a compliance team files SARs when the evidence supports it, or whether the culture is to avoid filing unless absolutely necessary, is a cultural question that documents cannot answer. FinCEN and DOJ enforcement teams know how to diagnose this: they look at whether the SAR filing rate is consistent with the known transaction risk profile of the platform. An exchange with high-risk transaction patterns and a low SAR filing rate is not over-performing on compliance — it is under-filing. The gap is the evidence of the failure.
What Web3 Operators Should Extract From the Enforcement Record
For operators who are not crypto exchanges — who use exchanges as infrastructure, who build on top of exchange APIs, who hold assets at exchanges — the enforcement record has a practical implication that is easy to miss.
An exchange with inadequate AML controls is not just a regulatory risk for the exchange. It is a counterparty risk for the businesses that operate on it. If an exchange’s AML failures cause it to lose its operating licence, businesses that depend on that exchange’s APIs, custody services, or liquidity face operational disruption. If an exchange’s AML failures result in asset freezes — which frequently accompany enforcement actions — businesses with assets held at that exchange may find themselves unable to access those assets during the resolution process.
The due diligence question for operators choosing exchange infrastructure should include the same compliance quality indicators that regulators use: SAR filing rates relative to transaction volume, licensing status across operating jurisdictions, capital adequacy against MiCA or GENIUS Act requirements, and the quality of the written compliance programme relative to known industry standards. These questions are not always answerable from public information alone — but exchanges that have nothing to hide on compliance typically engage with them directly when asked. The certification operating capability that distinguishes genuine compliance from nominal compliance is observable if you know what to look for.
The July 1 and July 18 deadlines are enforcement triggers, not compliance creation events. An exchange that reaches July 1 without MiCA licensing was not compliant before July 1 — the deadline simply changes the enforcement posture. For operators evaluating their exchange infrastructure right now, the question is not whether the exchange will be compliant after the deadline. It is whether the compliance infrastructure that should have been built to meet the deadline actually exists — or whether what exists is a policy document and a licence application. The regulatory drift pattern — having the form of compliance without the substance — is the dominant failure mode in this enforcement cycle, and it applies equally to exchanges trying to meet MiCA as it did to the data controllers who tried to meet GDPR.
FAQ
When does MiCA enforcement begin for unlicensed CASPs? The transition period ends July 1, 2026. After that date, CASPs without MiCA licensing must cease EU operations. ESMA has indicated that national regulators may use discretion for applicants with complete submitted applications, but this is not a formal extension and varies by jurisdiction.
How large was the OKX AML fine? The DOJ fined OKX over $500 million for AML failures including weak KYC controls and allowing billions in suspicious transactions to flow through the platform. This was one of the largest crypto enforcement actions in 2025.
What is the most common pattern in crypto exchange compliance failures? Across the major enforcement cases, the consistent pattern is the gap between documented compliance policy and functional compliance operations — particularly in KYC application to the full customer base, transaction monitoring calibration, and SAR filing culture. Exchanges fail not by having no compliance programme but by having one that is not operationally applied.
What should I ask an exchange about its compliance quality? SAR filing rates relative to transaction volume, licensing status across all operating jurisdictions, capital adequacy against applicable requirements, percentage of customer base through full enhanced due diligence, and the false-negative rate of transaction monitoring. Exchanges with strong compliance programmes answer these specifically. Those without cannot.
What is the counterparty risk of using a non-compliant exchange? Operating licence loss resulting in service disruption, asset freezes during enforcement resolution, and API dependency failure. Web3 operators that depend on exchange infrastructure should evaluate compliance quality as a counterparty risk input, not a regulatory-only concern.
Sources
- Grant Thornton — Crypto compliance in 2026: AML, sanctions, and enforcement
- Kroll — The money laundering surge: crypto enforcement gaps
- AML Watcher — AML Compliance for Crypto Exchanges: A 2026 Regulatory Map
- Hogan Lovells — Crypto regulation and enforcement: key risks and compliance priorities
- Global Legal Insights — Blockchain & Cryptocurrency Laws & Regulations 2026 USA
