Learn more about the latest security and privacy threats
Back

Risk Assessment for Crypto Compliance: The Model and the Numbers

Edoardo MustarelliEdoardo Mustarelli(Sales Development Representative)Published November 25, 2025Updated May 4, 2026
An image of a crypto with a server in a purple gradient background.

Risk assessment for crypto compliance in 2026: the model regulators expect and the numbers behind every shutdown that began with a weak score.

Table of contents

Hero / opening

A risk assessment for crypto compliance is the document a regulator pulls first when they walk in. It's also the artefact most crypto teams treat as a checkbox until the day it stops being one. TD Bank paid USD 3.09 billion in October 2024 because its transaction-monitoring rules were calibrated to a risk profile the bank had stopped having years earlier. The model wasn't catastrophic. It was just wrong. This piece breaks down how a working crypto compliance risk assessment looks in 2026, with anonymised tier-distribution data from the Zyphe network.

Why is risk assessment the document that fails first under regulator scrutiny?

Because it's the document that's hardest to fake retrospectively. A weak transaction-monitoring rule can be patched in a quarter. A missing audit trail can be reconstructed from logs. A risk-assessment model that's wrong has been wrong for the whole period the regulator is examining, and every alert, decision, and SAR that flowed from it inherits the defect.

TD Bank's USD 3.09 billion AML penalty makes the point at the maximum scale. The bank's transaction-monitoring system wasn't absent. It was outdated. Significant transaction classes — including a meaningful share of ACH flows — weren't being monitored at all. That gap traces back upstream to a risk-assessment model that hadn't been recalibrated to reflect the bank's actual customer mix and product offering. The fine wasn't for missing one alert. It was for running a model the regulator concluded had been the wrong model for the whole period.

For crypto-sector context, see our crypto KYC compliance in 2026 breakdown and the KYC vs AML differences post on how regulators separate the layers.

What does an effective risk assessment for crypto compliance actually contain?

Five inputs. Each one is what the regulator expects to see documented; each one is also what most generic templates skip past.

  1. Customer risk profile. Identity attributes, declared activity, jurisdiction of residence, source of funds, source of wealth, occupation, expected transaction profile.
  2. Product and channel risk. Spot trading vs derivatives vs custodial wallet vs DeFi front-end, retail vs institutional, fiat-on-ramp vs crypto-only.
  3. Geographic / jurisdictional risk. Customer's residence, the regimes you're licensed under, sanctions exposure, FATF grey/black list status, OFAC sectoral risk.
  4. Transaction-pattern risk. Velocity, value, counterparty mix, anonymity-enhanced asset exposure, mixer interaction, peeling-chain heuristics.
  5. Counterparty / VASP risk. For Travel Rule purposes: is the receiving address controlled by a regulated VASP, an unhosted wallet, or a non-compliant operator?

Each input feeds into a scoring model that produces a risk tier. The tier determines onboarding flow, enhanced due diligence requirements, transaction monitoring sensitivity, and re-review cadence. Generic templates treat these as a one-time questionnaire; effective risk assessments rebuild the model continuously.

For the foundational structure, see the three pillars of customer verification (CIP, CDD, EDD).

What does the Zyphe risk-scoring model look like?

The model is built around five weighted dimensions, each scored independently and combined into a composite risk tier. The weights are configurable per CASP based on licence regime, product mix, and the operator's documented risk appetite.

The composite output is a tier from 1 (low risk) to 4 (very high risk, EDD mandatory, frequent re-review). Tier transitions trigger automated re-verification, additional documentation requests, or escalation to compliance review depending on the operator's policy.

For the architectural detail underneath the scoring, see Decentralized KYC and the KYC Passport.

How are risk tiers actually distributed across a real crypto user base?

This is where most published risk-assessment guidance stops, because most authors don't have the data. The aggregated, anonymised numbers below are drawn from across the Zyphe network as of April 2026 and exclude operators with verification volumes under [10,000] per month to keep the sample meaningful. All percentages are bracketed for editor confirmation against current production figures.

A few patterns worth flagging from the network-level view:

  • Tier-3 share is the single most volatile number across customer segments. A spot exchange with a heavy SMB-merchant customer base will skew higher; a custodial wallet with retail-only users will skew lower. The default 9% figure should not be treated as a target.
  • Tier-4 movement is overwhelmingly driven by behavioural signal, not initial onboarding data. A customer who clears Tier 1 at signup can move to Tier 4 within months on transaction-pattern triggers alone. Static onboarding-only models miss this.
  • Jurisdiction risk is binary in practice, not graded. A customer in a FATF-listed grey jurisdiction is operationally treated as a higher tier than the model's continuous score might suggest.

For comparison context, see our adverse media screening AML guide and enhanced due diligence vs standard CDD.

When should a risk assessment trigger EDD, and what does that involve?

EDD is mandatory under most AML frameworks for higher-risk customers, but the trigger thresholds vary by regime. The Zyphe default policy ships EDD as automatic on Tier 3 and above, with operator override for jurisdiction-specific tightening. The actual EDD package, when triggered, includes:

  1. Documented source of funds. Payslips, tax returns, bank statements, audited financials for entities, crypto wallet provenance for crypto-funded accounts.
  2. Documented source of wealth. For high-net-worth profiles, evidence of how the underlying wealth was accumulated, not just where the funds being deposited came from.
  3. Senior management sign-off on onboarding. Required under FATF Recommendation 19 for high-risk customers in higher-risk countries.
  4. Enhanced ongoing monitoring. Lower thresholds on transaction-monitoring rules, more frequent SAR review, shorter re-verification cadence.
  5. Documented risk acceptance. Some EDD outcomes still result in onboarding the customer; the rationale must be documented and signed off.

Read the deeper structural breakdown in the three pillars of customer verification and the building a robust AML strategy for crypto exchanges post.

How often should a crypto risk assessment be reviewed?

Not annually. Annual was the regulatory floor a decade ago. Under FATF, MiCA, and current FinCEN guidance, the expectation is now that the risk assessment is a living document — updated when the operator's product mix changes, when a jurisdiction enters or leaves a sanctions list, when a counterparty VASP changes its compliance posture, when transaction patterns shift, when an enforcement action elsewhere in the sector signals a new risk vector.

The pragmatic cadence we see across the Zyphe network:

  • Continuous re-screening on sanctions, PEP, and adverse media. Daily or near-daily.
  • Monthly review of tier-3 and tier-4 customer cohorts. Anything moving up or down a tier gets compliance review.
  • Quarterly recalibration of behavioural-signal thresholds. Velocity and value distributions shift; thresholds that worked in Q1 will produce false positives or false negatives by Q4.
  • Annual full risk-assessment refresh. The whole document, every dimension, signed off by the compliance lead and reviewed by independent testing.
  • Event-driven recalibration. A new enforcement action against a peer, a regulatory rule change, a major breach affecting the sector — each is a trigger to re-examine the model.

For the regulatory backdrop, see compliance enforcement 2026: fintech takeaways and GDPR transparency enforcement 2026 EDPB sweep.

What's the most common mistake crypto teams make in their risk assessment?

Three patterns recur across the calls we have with compliance leads:

  1. Treating the risk assessment as a static document. The model that was right at launch is rarely the model that's right at scale. Customer mix shifts, product mix shifts, jurisdictional exposure shifts. A risk assessment that's been signed off and filed away is a regulator-facing liability waiting to happen.
  2. Weighting jurisdiction too heavily, behavioural signal too lightly. Onboarding-only models over-rely on the customer's declared residence and under-weight what they actually do once they're inside the platform. The TD Bank pattern lives in this gap.
  3. Skipping the documented rationale. Risk-tier outputs without documented input rationale are unfalsifiable to the regulator. Every dimension's score needs a paper trail. Every override needs a justification. Every EDD outcome needs a sign-off.

The fix is operational, not philosophical. Run the model continuously, document every score and override, recalibrate quarterly, and treat the risk assessment as code in production rather than a Word doc in a folder.

How does Zyphe automate risk assessment for crypto compliance teams?

Three layers, designed to remove the manual maintenance burden that turns a static risk assessment into a regulator-facing problem.

  1. Continuous scoring at the verification layer. Identity confidence, jurisdiction risk, and source-of-funds plausibility are computed at onboarding and re-computed on every event that updates the underlying inputs. The composite tier is the operator's source of truth.
  2. Behavioural signal integration with Zyphe AML software. Transaction-monitoring outputs feed back into the risk-tier calculation. A customer whose behaviour shifts from Tier-1-consistent to Tier-3-consistent is moved automatically and re-verified.
  3. Audit-ready documentation by default. Every score, every override, every EDD trigger, and every senior-management sign-off is captured in a threshold-encrypted audit trail the regulator can verify without exposing the underlying customer data.

The architecture is described on Decentralized KYC and Decentralized PII Storage. For the operator-side detail, see how it works.

The bottom line

A risk assessment for crypto compliance is no longer a quarterly Word doc. It's a continuously-updated production system whose outputs are scrutinised line by line when a regulator opens a file. The teams that pass the next audit will be the ones whose risk-assessment model can produce a defensible rationale for every tier assignment, every EDD trigger, and every override across the entire examination period.

The architectural choice is whether you build that capability in-house, paste it together from disconnected vendors, or run it as a single integrated layer. If the question belongs in your roadmap, book a 30-minute walkthrough and we'll show you how the Zyphe model fits with your existing licence regime and product mix.

Related resources

  1. Foundations: The three pillars of customer verification: CIP, CDD, EDD
  2. Operator playbook: Building a robust AML strategy for crypto exchanges
  3. Enforcement context: Compliance enforcement 2026: fintech takeaways
Edoardo MustarelliEdoardo Mustarelli(Sales Development Representative)Edoardo Mustarelli, fintech/Web3 strategist at Zyphe, driving sales growth and partnerships with global expertise across technology, finance, and strategy.

Frequently Asked Questions

A risk assessment for crypto compliance is the documented process by which a CASP, exchange, or wallet evaluates the money-laundering and terrorist-financing risks its customers and products present. It feeds into customer due diligence, transaction monitoring, EDD triggers, and the SAR pipeline. Under FATF Recommendation 1 and most national derivatives, it's a foundational compliance document the regulator examines first.

Five weighted dimensions: identity confidence (NFC, document quality, liveness), jurisdiction risk (FATF, OFAC, sanctions), source-of-funds plausibility, behavioural signal (transaction velocity, counterparty mix, anonymity-enhanced asset exposure), and VASP counterparty quality. The composite output is a tier from 1 (low risk) to 4 (very high risk, EDD mandatory, frequent re-review). Weights are configurable per operator.

Across the Zyphe network as of April 2026, approximately 12% of verified users score Tier 3 or higher: ~9% in Tier 3 (elevated risk, EDD required) and ~3% in Tier 4 (high risk, ongoing review). The exact distribution shifts significantly by operator product mix and customer segment. Numbers are bracketed for editor confirmation against current production data.

Under FATF Recommendation 19, EDD is mandatory for higher-risk customers and any business relationships with persons from higher-risk countries. The Zyphe default ships EDD on Tier 3 and above, with operator override for jurisdiction-specific tightening. EDD typically includes documented source of funds, source of wealth, senior-management sign-off, and enhanced ongoing monitoring.

Not annually. Continuous re-screening on sanctions, PEP, and adverse media. Monthly review of tier-3 and tier-4 cohorts. Quarterly recalibration of behavioural thresholds. Annual full refresh signed off by the compliance lead. Plus event-driven recalibration on new enforcement actions, regulatory changes, or major sector breaches. The regulator now expects a living document, not a static one.

TD Bank paid USD 3.09 billion in October 2024 because its transaction-monitoring system was calibrated to a risk profile the bank had outgrown. Significant transaction classes, including a meaningful share of ACH flows, weren't being monitored. The risk assessment was wrong for the whole period the regulator examined, and every downstream control inherited the defect.

Treating the document as static. Weighting onboarding-only data too heavily and behavioural signal too lightly. Skipping the documented rationale for every score and override. The regulator examines the whole period the model was in force; a risk assessment without paper trails is unfalsifiable, and unfalsifiable controls fail audits.

Three layers: continuous scoring at the verification layer, behavioural signal integration with Zyphe AML software, and audit-ready documentation captured in a threshold-encrypted audit trail by default. Every score, override, EDD trigger, and senior sign-off is logged and regulator-verifiable without exposing the underlying customer data.