Preparing Your Exchange: A Practical Roadmap for Post-Bill Know-Your-Customer and AML Compliance

Urgent roadmap: How exchanges must rebuild operations for post‑bill KYC and AML

If the Senate bill lands as drafted, exchanges will face immediate, material changes to KYC, AML and oversight. That raises hard operational questions: Which systems to upgrade first? How many people do you hire? How do you avoid breaking onboarding conversion while meeting stricter regulator and banking demands? This guide gives a technical, staffing and timeline roadmap — built for exchange operators, product leads and compliance teams preparing for 2026 enforcement realities.

Topline: what changes are likely and why speed matters

Late 2025 and early 2026 saw renewed legislative momentum to define crypto regulation, with draft Senate language proposing expanded oversight of spot markets, clearer definitions for token types and tighter stablecoin controls. Major industry actors publicly pushed back:

“Coinbase unfortunately can’t support the bill as written… This version would be materially worse than the current status quo.” — Brian Armstrong, 2026

Whether the bill becomes law or a modified version passes, the trajectory is clear: regulators will demand more demonstrable KYC/AML controls, stronger travel‑rule compliance, and robust transaction monitoring — including for NFTs, stablecoins and wallet‑to‑wallet activity. Exchanges that act early preserve access to banking, avoid disruptive enforcement, and protect user trust.

Executive checklist: 8 priority actions for the next 90 to 365 days

1. Run a 30‑day impact assessment — map current gaps: identity coverage, wallet monitoring, sanctions lists, travel‑rule readiness, and SAR pipeline capacity.
2. Stabilize onboarding and IDV — ensure tiered KYC flows, dynamic risk scoring and fallback verification to protect conversion.
3. Deploy integrated AML transaction monitoring — on‑chain + off‑chain signals with entity resolution and NFT‑aware rules.
4. Build wallet screening and provenance tools — NFT provenance, contract risk scoring and non‑custodial wallet attestation.
5. Staff up smartly — hire or retrain AML analysts, data engineers, regtech integrators and a senior Head of Compliance with crypto experience.
6. Choose a regtech stack — prioritize vendor APIs, modularity, audit trails and explainable ML.
7. Operationalize SARs and regulator reporting — automated case management, SLA targets, and independent testing.
8. Document timelines and contingency plans — prepped playbooks for fastest possible implementation after final legislation.

Phase plan: What to do now, in 3 months, 6 months and 12 months

Now — Immediate 0–30 days

Start with the facts: you need a rapid, board‑level readiness report that answers three questions: 1) Which products are high‑risk? 2) What tooling is missing? 3) How many people must we add to meet expected volume? Deliverables:

• 90‑minute cross‑functional workshop with compliance, engineering, product and legal.
• Inventory: on‑chain analytics, IDV providers, sanctions sources, case management and data retention policies.
• Quick gap analysis against travel‑rule and enhanced due diligence (EDD) expectations.

Short term — 30–90 days

Begin tactical upgrades that unblock enforcement risk without rewriting core systems:

• Modular IDV & KYB: Implement tiered KYC (email/phone — basic IDV — in‑depth KYB for institutional onboarding) and integrate at the API layer so UIs can call multiple providers and fall back if one fails.
• Sanctions & PEP feeds: Consolidate multiple sanctions sources into a single reconciliation pipeline with daily re‑hits and metadata versioning for audit trails.
• Case management: Deploy a case system with role‑based access, chain‑of‑custody logs and automated SAR drafting templates. Pair this with postmortem templates for consistent incident handling.
• Pilot wallet tag feeds: Subscribe to at least one leading on‑chain analytics provider’s token tagging and wallet risk feed; build a small integration to tag deposits and withdrawals.
• Training: Certify first wave of AML analysts in crypto‑specific curricula (ACAMS + on‑the‑job sessions). Consider guided learning programs such as Gemini-guided upskilling for rapid analyst onboarding.

Medium term — 3–6 months

Drive deeper product changes that require engineering cycles and cross‑domain decisions:

• AML Transaction Monitoring System (TMS): Integrate on‑chain analytics with off‑chain deposits/withdrawals to create unified alerts (supports multi‑chain and NFT flows). Consider edge cost tradeoffs when deciding where to run inference for real-time signals.
• Wallet attestation for withdrawals: Build whitelisting, device fingerprinting and withdrawal risk scoring for higher tiers.
• Enhanced NFT tooling: Create provenance checks, wash trade detection rules, and royalty flow tracing under the AML program. See scaling patterns such as layered caching and real-time indexes for NFT-heavy workloads.
• Travel‑rule tooling: Implement VASP messaging (e.g., interoperable APIs, shared directories or indirect solutions like compliant intermediaries) and logging for cross‑border transfers.
• KYB & beneficial ownership: Onboard KYB provider for institutional counterparties and add structure to record BOI, UBO and corporate control chains.

Longer term — 6–12+ months

This period is for full integration, independent testing, and continuous optimization:

• Full TMS to production: Rules, ML models, alert prioritization, analyst workbench and integrated case management.
• Independent audit & red team: Third‑party testing of AML program, including on‑chain simulation of evasion strategies (mixers, privacy coins, NFT wash trades). Use postmortem templates to formalize lessons learned.
• Continuous monitoring & reporting: SLA dashboards, compliance KPIs, and monthly regulator report templates.
• Policy codification: Finalize internal AML policies, training manuals and escalation matrices aligned to the new law and guidance.

Technical architecture: modular regtech that scales

Implement with a “composable compliance” architecture: small independent services with clear API contracts so you can swap providers without reworking everything. Key components:

• Identity & KYB layer — multiple IDV providers, automated liveness checks, digital ID storage with encryption, and a fallback queue for manual review.
• Transaction monitoring engine — ingest on‑chain data, exchange ledger events, fiat rails and NFT marketplace feeds into a normalized event stream. Evaluate hybrid orchestration patterns for real-time enrichment and throughput.
• Wallet & token intelligence — address risk scoring, protocol risk flags, exploit and rug pull blacklists, and specific NFT provenance indexes.
• Case management & SAR generator — unified investigator workspace, evidence attachments, templated SARs and regulator submission connectors.
• Audit log & data warehouse — immutable logging for regulatory audit, retention policies that meet the bill’s likely requirements and a BI layer for KPIs. Align retention and storage choices with a data sovereignty checklist.
• Orchestration & rules engine — dynamic rule deployment, versioning and simulation environment to test new rules before release. Pair with model and rule governance playbooks such as versioning and governance for ML-driven signals.

Integration patterns and vendor selection

Choose vendors by API maturity, data coverage (chains, token standards, NFT marketplaces), SLAs and portability. Prioritize vendors that offer:

• Real‑time webhooks + bulk backfill
• Explainable risk scores and rule logic
• High recall on sanctions and wallet attribution
• Strong documentation and sandbox environments

Staffing blueprint: roles, headcount and training

Scaling compliance requires both volume and specialized skills. Below is a practical headcount model for small, mid and large exchanges preparing for stricter KYC/AML:

Small exchange (≤100k users)

• Head of Compliance (1) — senior hire with crypto regulatory experience.
• AML Analysts (2–4) — tiered to handle alerts and onboarding exceptions.
• Onboarding Ops (2) — manual ID reviews and customer outreach.
• Data Engineer / Integration (1) — builds and maintains regtech connectors. Keep running-cost options open: from managed connectors to cheaper alternatives like refurbished hardware for temporary surge capacity.

Mid‑sized exchange (100k–1M users)

• Head of Compliance (1)
• AML Team Lead (1)
• AML Analysts (8–20) — including EDD specialists.
• Onboarding Ops (8–12)
• Data & ML Engineers (3–6)
• Product/Platform Engineers (2–4) for integration

Large exchange (1M+ users)

• Global Head of Compliance + regional deputies
• 100+ AML analysts distributed by shift
• Dedicated NFT risk team, Institutional KYB team, travel‑rule engineers
• Data science and ML team (10+), incident response & legal counsel

Cross‑training is essential: product and engineering need basic compliance literacy, while compliance must understand blockchain concepts. Target certifications (ACAMS, crypto AML courses) and create a 90‑day onboarding curriculum.

Operational playbook: onboarding, investigations and SARs

Onboarding

• Implement risk‑based onboarding: minimal friction for low tiers; full KYC + source of funds for high‑risk products (OTC, margin, institutional or high NFT volume).
• Use progressive profiling: collect more data over time rather than upfront to preserve conversion.
• Record and encrypt all identity attestations and provide a path for appeal and timely escalation.

Investigations & SARs

• Set SLA: initial triage within 4 hours for high‑risk alerts, 24–48 hours for medium, 7 days for low.
• Automate evidence collection: link on‑chain transaction history, wallet tags, user‑submitted KYC and communications in each case.
• Design SAR templates that match regulator formats and pre‑populate fields to reduce drafting time.
• Establish executive escalation for potential material incidents that affect liquidity or banking relationships.

NFTs, wallets and payments: specific controls you must add

NFTs and wallet‑to‑wallet flows are pain points for regulators and a likely focus of the bill. Actions:

• NFT provenance and wash trading detection: Build rules to flag rapid resale cycles, circular ownership, and multiple transfers between clustered wallets.
• Marketplace integrations: Ingest marketplace order books and on‑chain sale receipts to reconcile off‑chain listings vs on‑chain settlement.
• Self‑custody onboarding: Implement wallet attestation flows (signature challenges, transaction patterns) and require enhanced KYC for users interacting with certain protocols or high‑value NFTs.
• Stablecoin and payments controls: Add monitoring for interest/earnings flows to and from stablecoin accounts in light of bank and legislative scrutiny. Review resilient crypto infrastructure patterns such as Lightning infrastructure design when planning high-throughput rails.

Risk metrics and KPIs: how to measure readiness

Track a balanced set of technical and operational KPIs:

• Average onboarding time by tier
• False positive rate on AML alerts
• Alerts per 1,000 active users
• SARs filed per quarter and average turnaround time
• Cases closed per analyst per month
• Uptime and latency for regtech connectors
• Conversion impact from KYC changes

Cost considerations and build vs buy tradeoffs

Expect meaningful investment. Ballpark figures:

• Regtech vendor subscriptions: $100k–$2M+ annually depending on scale and chains covered.
• Engineering & data costs: $250k–$2M first year for integrations, rule engines and warehouse builds.
• Headcount: an extra 5–50 hires depending on user base and risk profile.

Build when your product is unique (proprietary matching of off‑chain orderbooks to on‑chain trades, custom NFT provenance) or vendor coverage is insufficient. Buy for core capabilities (sanctions screening, base wallet tagging, IDV) to accelerate time to compliance.

Privacy, UX and the political environment

Tighter KYC and AML will create UX friction and privacy questions. Best practices:

• Be transparent with users about data use, retention and legal obligations.
• Use risk‑based thresholds to limit excessive data collection.
• Apply differential privacy where possible for analytics — align with a data sovereignty checklist to ensure multinational compliance.

Politically, the law’s text may change; maintain modularity so that you can adapt quickly to new definitions (e.g., which tokens are securities) without rearchitecting compliance from scratch.

Case study snapshot: rapid onboarding of travel‑rule features

One mid‑sized exchange implemented a travel‑rule prototype in 90 days by taking these steps: (1) built a VASP API gateway for message exchange, (2) used an off‑the‑shelf attestation check for beneficiary details, and (3) added UI prompts for recipients’ VASP details on withdrawals. The result: compliance with early travel‑rule tests and minimal disruption to fiat rails.

Common pitfalls and how to avoid them

• Over‑blocking: Overly aggressive rules kill conversion. Counter with dynamic thresholds and human‑in‑the‑loop review. Consider automation workflows such as automated triage to reduce manual load while keeping human oversight.
• Vendor lock‑in: Keep API abstraction layers to swap providers without long projects.
• Understaffed SAR pipeline: SAR backlogs attract regulator attention. Plan headcount for surge capacity and temporary options (see refurbished audit hardware for temporary analyst fleets).
• Poor data lineage: Maintain audit trails and proof of re‑checks for sanctions lists to defend decisions.

Actionable 30‑/90‑/180‑day playbooks

30 days

1. Board approval for compliance readiness budget.
2. Deliver readiness report and prioritized gap list.
3. Engage 2–3 regtech vendors for pilots (IDV, analytics, case mgmt).

90 days

1. Deploy IDV & sanctions consolidation; tiered KYC flows live for new customers.
2. Pilot TMS alerting for high‑risk tokens and NFT flows.
3. Hire first wave of AML analysts and run training sprints — consider guided learning and prompt-driven curricula such as Gemini-guided training for rapid ramp.

180 days

1. Full TMS integration with case management.
2. Travel‑rule messaging in production for high‑value transfers.
3. Independent audit and tabletop incident response tests completed — use frameworks from postmortem templates to capture learnings.

Final takeaways — practical, non‑political priorities

Regulatory outcomes will keep evolving in 2026, but the operational imperatives are stable: adopt modular compliance architecture, staff for scale, deploy integrated on‑chain and off‑chain monitoring, and treat NFTs and self‑custody flows as first‑class AML concerns. Acting quickly preserves banking relationships and market access, while protecting users.

Your immediate next steps: run a 30‑day readiness sprint, choose at least one regtech partner to pilot, and hire a senior compliance lead with crypto experience. That sequence minimizes disruption while building toward a compliant, scalable exchange.

Get help preparing now

If you’re an exchange leader: schedule a compliance readiness audit, benchmark your KYC/AML stack against peers, and start tabletop drills for SAR handling. We offer tailored operational checklists and vendor selection support to accelerate any implementation in 2026 — contact your legal and compliance advisors today.

Call to action: Download our Compliance Readiness Checklist for exchanges and subscribe to weekly operational briefings to get vendor scores, sample SAR templates and an implementation timeline you can use today.

Related Reading

• Case Study Template: Reducing Fraud Losses by Modernizing Identity Verification
• Data Sovereignty Checklist for Multinational CRMs
• Postmortem Templates and Incident Comms for Large-Scale Service Outages
• Automating Nomination Triage with AI: A Practical Guide for Small Teams
• Where to Grab Discounted Home Gadgets for Your Rental: Smart Lamps, Vacuums and Monitors on Sale
• The Best Herbal Heat Packs and Microwavable Alternatives: How We Tested Comfort and Safety
• A Journalist’s Take: Should Jazz Bands Launch Podcasts Now? (Lessons from Ant & Dec and Goalhanger)
• Platform Outage Contingency: Email and SMS Playbook to Save Flash Sale Conversions
• Mapping Global Grain Flows from Private USDA Export Notices