TL;DR
- CertiK says AML enforcement became crypto’s top regulatory risk in 2025, with DOJ and FinCEN imposing $900 million in related fines in the first half.
- SEC crypto penalties fell 97%, while OKX and KuCoin settlements showed regulators are targeting licensing, monitoring, and Bank Secrecy Act failures.
- The report also says mandatory audits, Basel capital rules, and stablecoin implementation are widening crypto compliance pressure beyond securities enforcement globally.
Crypto regulation in 2025 is starting to look less like a fight over token classification and more like a crackdown on financial controls. The biggest change is that Anti-Money Laundering enforcement has overtaken securities cases as the regulatory risk facing crypto companies. According to CertiK, the US Department of Justice and FinCEN imposed $900 million in AML-related fines in the first half of 2025. Over the same period, SEC crypto-specific penalties collapsed 97%, falling from $4.9 billion in 2024 to $142 million in 2025.
That reversal is not just statistical. The penalties now hitting the industry show regulators are increasingly targeting operational compliance failures rather than disclosure disputes. CertiK highlighted the DOJ’s February 2025 settlement with OKX for $504 million and KuCoin’s January 2025 payment of $297 million, both tied to unlicensed money transmitting activity and Bank Secrecy Act violations. The report also said sanctions-related crypto volume rose more than 400%, while European AML fines surged 767%. In Asia-Pacific, regulators are leaning toward license revocations and business improvement orders.
Compliance standards are widening beyond AML alone
The report argues that the enforcement pivot is arriving alongside a larger restructuring of global crypto oversight. Stablecoin rules, prudential standards, and banking treatment are all moving from policy debate into implementation. CertiK said jurisdictions are now operating with frameworks covering capital adequacy, asset segregation, liquidity management, and recovery planning. It also pointed to the Basel Committee’s prudential standard, scheduled for implementation from Jan. 1, 2026, subject to local adoption. Under that approach, Group 2 assets such as Bitcoin and Ether face near-100% capital charges, while Group 1 assets such as tokenized traditional instruments and qualifying stablecoins receive standard risk weighting.
Smart contract security is also being pulled into the regulatory core. What used to count as best practice is increasingly being treated as an expected compliance obligation. CertiK said mandatory audits are moving toward statutory status across major jurisdictions within two years. An ECB working paper found governance in major DeFi protocols remains highly concentrated. CertiK’s analysis of the top 100 exploited protocols found 80% had never undergone a formal audit before a breach, and those unaudited protocols accounted for 89.2% of total value lost. Infrastructure compromises such as private key theft and access control failures drove 76% of losses by value.
