Spend enough time inside a central bank and you stop looking at transactions. You start looking at flows.
That one shift in altitude is, I think, the biggest blind spot in how a lot of crypto exchanges run anti-money-laundering today — and it’s worth unpacking, because the gap isn’t about effort or technology. Serious exchanges have both. It’s about the lens.
I’ve spent the last several years on the international side of a central bank, working on cross-border regulation and the assessment of digital assets and central bank digital currencies. Before that, I spent seven years as a compliance principal inside a US broker-dealer — close enough to the transaction to know what supervision actually feels like from the inside. Those two seats see money very differently, and crypto AML sits right on the seam between them.
Here’s what the view from the central bank adds.
1. A clean transaction can still be a dirty flow.
An exchange’s monitoring asks: is this transaction suspicious? Is this customer who they claim to be? Good systems answer those well. A central bank asks a different question — where is the money going, in aggregate, across borders, over time? Funds can pass every account-level check and still form a pattern that only appears when you step back: value quietly leaving a jurisdiction, routing to evade sanctions or capital controls, structuring spread thin across many compliant-looking nodes. Monitor strictly transaction-by-transaction and you can miss the shape of the thing entirely.
2. Exchanges are becoming correspondent banks — and inheriting their problems.
Central banks spent decades learning the hard way about correspondent banking: nested relationships, the institution that vouches for the institution that vouches for the customer, and the de-risking that followed once those chains became impossible to see through.
Crypto is rebuilding that structure at speed. Every virtual asset service provider (VASP) that leans on another VASP’s due diligence is a correspondent relationship by another name. The Travel Rule (pass identifying information about the sender and recipient along with a funds transfer) was meant to close exactly this gap, but its uneven adoption across jurisdictions recreates the old problem: you’re only as clean as the weakest counterparty you can’t see.
3. Bad actors route to the weakest link — and that link is jurisdictional.
From a regulator’s chair, the unit of risk isn’t the customer; it’s the jurisdiction. Illicit flows find the laxest competent VASP in the most permissive regime and move through it. An exchange perfecting its own controls in isolation is solving a local problem inside a global system. The flows don’t respect your org chart, and neither will your examiners.
4. Regulators don’t grade your policy. They grade your evidence.
This one comes from the broker-dealer seat, not the central bank. The hardest lesson of supervised compliance is that having the right policy counts for almost nothing on its own. What an examiner wants is evidence of supervision — the reviews you ran, the alerts you escalated, the calls you documented, the gaps you caught yourselves. Plenty of crypto AML programs have excellent written frameworks and thin supervisory trails. When the regulator arrives — and in this industry, they are arriving — the trail is the program.
None of this means exchanges are doing it wrong. It means the transaction-level lens, however sharp, is the wrong altitude for part of the problem. The flows are systemic. The risk is jurisdictional. And the standard you’ll eventually be held to is the supervisory one that regulated finance already lives under.
That’s the seam I work on, and the conversation I’m always glad to have. If you’re building AML at an exchange, wallet, or chain and thinking about it from the regulator’s side of the table, I’d like to hear from you.
Categories: Uncategorized
Gregory's Writings 
Leave a comment