Blog · June 13, 2026

VASP KYC Requirements: The 2026 Compliance Checklist for Crypto

Virtual Asset Service Providers face KYC, KYB, AML, wallet screening, and the FATF Travel Rule as a mandatory stack. This checklist maps each obligation to a Didit module on one /v3/ API.

By Didit

A Virtual Asset Service Provider (VASP) is any business that exchanges, transfers, safeguards, or manages crypto-assets on behalf of customers — and in 2026 the compliance obligations that come with that licence look a lot like traditional finance. Know Your Customer (KYC), Know Your Business (KYB), Anti-Money-Laundering (AML) screening, Know Your Transaction (KYT) wallet screening, and the FATF (Financial Action Task Force) Travel Rule all apply, often simultaneously.

The challenge is that most VASPs stitch these together from four or five different vendors, each with its own API contract, data format, and pricing model. This guide maps each obligation to a clear checklist item, then shows how Didit covers the full stack from a single /v3/ API — so you can be compliant without being buried in integrations.

Key takeaways

  • Every VASP is subject to FATF Recommendation 16 (the Travel Rule), which requires sharing originator and beneficiary data on transfers above a threshold — typically $1,000 USD equivalent.
  • MiCA (Markets in Crypto-Assets) brings EU VASPs under a harmonised CASP (Crypto-Asset Service Provider) licence framework from 2024, with AML obligations mirroring the 6th AMLD.
  • Beneficial-owner KYB is required for corporate customers — knowing the individual behind the business entity is a separate obligation from KYCing the business contact.
  • Wallet screening on counterparty addresses is part of sanctions compliance, not optional due diligence — regulators expect you to check on-chain exposure before processing transfers.
  • Ongoing AML monitoring costs far less than it seems — Didit's Ongoing AML is $0.07 per user per year, meaning 10,000 monitored users costs $700/year.
  • One Didit /v3/ API call can spawn KYC, KYB, AML screening, wallet screening, and Travel Rule tracking — the same session orchestrator handles every step.

What is a VASP?

Under the FATF framework, a VASP is any natural or legal person that conducts — as a business — any of the following on behalf of a customer: exchange between virtual assets and fiat currencies, exchange between one or more forms of virtual assets, transfer of virtual assets, safekeeping or administration of virtual assets, or participation in and provision of financial services related to an issuer's offer or sale of a virtual asset.

In practice that means crypto exchanges, on/off-ramps, custodial wallets, OTC desks, DeFi protocol front-ends with a compliance layer, and crypto-asset brokers. Under MiCA, the EU term is CASP (Crypto-Asset Service Provider), but the compliance logic is identical.

Why VASP compliance is more complex than it looks

A retail exchange might onboard 50,000 new users in a single month, each of whom could be an individual retail customer, a business entity, or a high-risk politically exposed person (PEP). The same exchange processes millions of on-chain transactions, some of which route through mixers, darknet-market wallets, or sanctioned addresses. And any transfer above the Travel Rule threshold requires bilateral data exchange with a counterparty VASP — in real time.

Doing that manually is impossible. Doing it with four separate vendors means four reconciliation pipelines, four integration maintenance burdens, and four billing relationships. Doing it with one composable platform means one API, one data model, and one support relationship.

The VASP compliance checklist — and how Didit covers it

☑ 1. Customer KYC (individual onboarding)

Every individual customer must be identified and verified before they can transact. Standard onboarding includes document verification, biometric liveness, and face match.

Didit: Full KYC core flow — ID Verification ($0.15) + Passive Liveness ($0.10) + Face Match 1:1 ($0.05) + IP Analysis ($0.03) = $0.33 total. Sub-2 second inference across 14,000+ document types, 220+ countries, 48+ languages. 500 free verifications per month.

curl -X POST https://verification.didit.me/v3/session/ \
  -H "x-api-key: $DIDIT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "wfl_kyc_standard",
    "vendor_data": "user_8a3f91",
    "callback": "https://yourplatform.com/webhooks/didit"
  }'

The response returns a session.url — open it for the user and the hosted flow handles document capture, liveness, and face match. Read the result via GET /v3/session/{sessionId}/decision/ or the session.status.updated webhook.

☑ 2. AML and sanctions screening

Every customer must be screened against PEP lists, sanctions lists (OFAC, EU, UN, HM Treasury), and adverse media. Didit's AML Screening runs across 1,300+ lists at $0.20 per check. Add it to any workflow in the Console — it runs in the same session as KYC.

☑ 3. Business KYB (corporate customer onboarding)

Corporate accounts require business verification: registered entity checks, officer data, and Ultimate Beneficial Owner (UBO) extraction. Each UBO must then complete an individual KYC session.

Didit KYB covers registry lookups, UBO extraction, officer data, entity AML, and linked KYC sessions for each UBO — the entire closed loop, from $2.00 per company. A KYB session spawns the required KYC sessions automatically on the same /v3/ API; you do not manage them separately.

☑ 4. Ongoing AML monitoring

One-time onboarding is not enough. Customers' risk profiles change — sanctions lists update daily, PEP status changes, adverse media emerges. Regulators require continuous monitoring for higher-risk customers.

Didit Ongoing AML Monitoring costs $0.07 per user per year — 10,000 users monitored costs $700 annually. Alerts fire as soon as a match appears.

☑ 5. Wallet screening (KYT — on-chain due diligence)

Before processing an inbound or outbound crypto transfer, you must screen the counterparty wallet address for exposure to high-risk entities: sanctioned wallets, darknet markets, mixers, ransomware operators, and stolen funds.

Didit Wallet Screening returns a risk score (0–100) with a verdict of LOW, MEDIUM, HIGH, or CRITICAL, and exposure categories including SANCTIONED, RANSOMWARE, DARKNET_MARKET, MIXER, and STOLEN_FUNDS. Pricing starts at $0.15 per check (managed) or $0.02 per check with bring-your-own-key (BYOK) via Crystal or Merkle Science — roughly 10× cheaper than buying the analytics vendor direct.

☑ 6. FATF Travel Rule

Recommendation 16 of FATF requires VASPs to obtain, hold, and transmit originator and beneficiary information for transfers at or above the threshold. Under MiCA and most national implementations, that threshold is €1,000 (or equivalent).

Didit's unified Transaction Monitoring engine carries full Travel Rule support: originator and beneficiary data exchange, bilateral counterparty protocol handling, and Travel Rule statuses — COMPLIANT, PENDING_ACTION, PENDING_COUNTERPARTY, FAILED, and EXEMPT — tracked per transaction. Read more at the Travel Rule docs.
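
A pre-transfer gate that combines the wallet-screening verdict from item 5 with the Travel Rule status from item 6, as an added example that is not Didit's code or part of the original article. The function name `gate_transfer`, its parameters and the mapping of verdicts and categories to ALLOW, HOLD or BLOCK are assumptions for illustration; only the threshold, verdicts, categories and statuses come from the text above.

```python
from decimal import Decimal

# Threshold, verdicts, categories and statuses are the ones the article lists.
TRAVEL_RULE_THRESHOLD_EUR = Decimal("1000")
VERDICTS = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
TR_STATUSES = {"COMPLIANT", "PENDING_ACTION", "PENDING_COUNTERPARTY", "FAILED", "EXEMPT"}
# Assumed policy (not Didit's or a regulator's): what blocks, what needs review.
BLOCK_CATEGORIES = {"SANCTIONED", "RANSOMWARE", "DARKNET_MARKET", "STOLEN_FUNDS"}
REVIEW_CATEGORIES = {"MIXER"}
RANK = {"ALLOW": 0, "HOLD": 1, "BLOCK": 2}


def gate_transfer(amount_eur, verdict, categories, travel_rule_status):
    """Return (action, reasons) where action is ALLOW, HOLD or BLOCK."""
    # Fail closed: an unrecognised value is held for review, never allowed.
    if verdict not in VERDICTS:
        return "HOLD", [f"unknown wallet verdict {verdict!r}"]
    if travel_rule_status not in TR_STATUSES:
        return "HOLD", [f"unknown Travel Rule status {travel_rule_status!r}"]

    findings = []
    categories = set(categories)
    blocked = sorted(categories & BLOCK_CATEGORIES)
    if verdict == "CRITICAL" or blocked:
        findings.append(("BLOCK", f"wallet verdict {verdict}, exposure {blocked}"))
    elif verdict in ("MEDIUM", "HIGH") or categories & REVIEW_CATEGORIES:
        findings.append(("HOLD", f"wallet verdict {verdict} needs analyst review"))

    # The Travel Rule applies to transfers at or above the threshold.
    if Decimal(str(amount_eur)) >= TRAVEL_RULE_THRESHOLD_EUR:
        if travel_rule_status == "FAILED":
            findings.append(("BLOCK", "Travel Rule exchange failed"))
        elif travel_rule_status.startswith("PENDING_"):
            findings.append(("HOLD", f"Travel Rule status {travel_rule_status}"))

    # The most severe finding decides; every reason is kept for the case file.
    action = max((a for a, _ in findings), key=RANK.get, default="ALLOW")
    return action, [reason for _, reason in findings]


if __name__ == "__main__":
    # Constructed sample transfers, not real screening results.
    samples = [
        (250, "LOW", [], "EXEMPT"),
        (1000, "LOW", [], "PENDING_COUNTERPARTY"),
        (5000, "HIGH", ["MIXER"], "COMPLIANT"),
        (50, "MEDIUM", ["SANCTIONED"], "EXEMPT"),
    ]
    for sample in samples:
        print(sample, "->", gate_transfer(*sample))
```

Unknown verdicts or statuses are held rather than allowed, so a change in the upstream response vocabulary cannot silently open the gate.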

☑ 7. Transaction monitoring

Beyond the Travel Rule, VASPs are expected to monitor transaction patterns for structuring, velocity spikes, high-risk jurisdictions, and mule-network behavior.

Didit Transaction Monitoring processes each transaction in real time at $0.02 per transaction, with 11 built-in rule bundles covering AML/CTF, FATF patterns, crypto monitoring, and crypto screening. Flagged transactions open an alert in a built-in case manager; the AWAITING_USER status lets a flagged transfer pause and request a user action — re-KYC or proof of funds — before resuming.

Use cases

Crypto exchange (retail) — High daily user volume, many individual KYC onboardings, continuous AML monitoring, wallet screening on every withdrawal address. The $0.33 KYC core flow keeps per-user onboarding costs predictable; wallet screening at $0.02 BYOK keeps per-transaction costs low.

On/off-ramp provider — Every fiat-to-crypto or crypto-to-fiat conversion is a transfer obligation. Travel Rule compliance is non-negotiable. Didit's session orchestrator links the KYC result to the transaction record so Travel Rule data is already available when the transfer is submitted.

OTC desk and prime broker — Corporate clients require KYB with UBO-level KYC. Deep AML screening and ongoing monitoring matter more than volume pricing. Didit's KYB session spawns linked individual KYC sessions automatically, and Ongoing AML keeps the UBO records current.

Custodial wallet provider — Periodic re-verification (re-KYC) matters as much as onboarding. Didit's Reusable KYC and Face Match 1:1 make periodic identity refresh low-friction for users and cost-efficient for the platform.

How Didit helps

Didit is infrastructure for identity and fraud — one API that covers the full VASP compliance stack: KYC, KYB, AML, Ongoing AML, Wallet Screening, Transaction Monitoring, and the Travel Rule. Every module is composable in the Workflow Builder: activate the checks your licence requires, tune thresholds in the Console, and the same /v3/ API session handles everything.

The platform is formally attested by an EU member-state government (Spain's Tesoro / BdE / SEPBLAC / CNMV) as safer than in-person verification — the only provider with that attestation. Coverage spans 220+ countries, 14,000+ document types, 48+ languages, sub-2s inference, and 200+ fraud signals.

Start at $0.33 per KYC, $2.00 per KYB, $0.20 per AML check, $0.02 per transaction, and $0.02 per wallet screening with BYOK. 500 free checks per month, no minimums.

Frequently asked questions

What is the FATF Travel Rule threshold for VASPs?

FATF Recommendation 16 sets the threshold at USD/EUR 1,000 equivalent. Individual jurisdictions may set lower thresholds; MiCA aligns to €1,000 for EU CASPs. Transfers below the threshold still require some information to be collected, though the transmission obligation is lighter.

Does Didit handle both the originator and beneficiary side of the Travel Rule?

Didit tracks Travel Rule obligations per transaction and supports counterparty data exchange. Travel Rule statuses — COMPLIANT, PENDING_ACTION, PENDING_COUNTERPARTY, FAILED, and EXEMPT — are tracked in the same transaction record. See the Travel Rule docs for protocol details.

How much does VASP compliance cost with Didit?

A fully compliant retail onboarding (KYC + AML screening) costs $0.53 per user ($0.33 KYC + $0.20 AML). Add ongoing AML monitoring at $0.07/user/year and wallet screening at $0.02/check BYOK. Transaction monitoring is $0.02 per transaction. 500 free verifications per month, no minimums.

Does wallet screening replace AML screening?

No. Wallet screening (KYT) assesses on-chain address risk; AML screening checks individuals and entities against sanctions and PEP lists. Both are required for a complete VASP compliance stack.

Does Didit replace compliance software?

Didit replaces the identity, AML, and transaction monitoring vendors; it is not a compliance management system (policy documentation, training records, regulatory filings). Pair it with your compliance programme documentation and a qualified compliance officer.
