Tuesday, April 28, 2026

CertiK: AML Enforcement Now Top Crypto Regulatory Risk – FinanceFeeds

According to the report, 80% of CertiK's top 100 exploited protocols had no formal pre-breach audit and accounted for 89.2% of total value lost; 76% of 2025 on-chain losses by value came from infrastructure compromises rather than smart contract code.

AML enforcement has overtaken securities classification as the primary regulatory risk for digital asset firms, and smart contract audits have moved from voluntary best practice to statutory requirement across most major jurisdictions. That is the core finding of CertiK's Skynet Intelligence Report "State of Digital Asset Regulations," released in April 2026 as Skynet Report 09.

The report consolidates regulatory developments across eleven jurisdictions and concludes that frameworks for stablecoins, exchanges, custodians and tokenisation are now enforceable rather than proposed. For firms evaluating market entry or expansion, CertiK frames multi-jurisdictional licensing, recurring audit costs and AML compliance budgets as the baseline cost of operating at scale.

The shift in enforcement posture is the report's headline finding. The SEC brought 13 crypto-related actions in 2025 generating US$142 million in financial remedies, down from 33 actions and over US$4.9 billion the prior year — a 60% drop in volume and a 97% drop in penalty value. The 2024 figure was inflated by the US$4.5 billion Terraform Labs settlement, but the directional change is unambiguous.

The DOJ and FinCEN filled the gap. The OKX settlement reached US$504 million, KuCoin settled for US$297.4 million, Block Inc. paid US$40 million, and FinCEN fined Brink's Global Services US$37 million. CertiK frames these actions as evidence that transaction monitoring deficiencies now carry penalties on a scale previously associated with securities fraud.

Europe escalated faster on a percentage basis. EMEA AML fines reached US$168.2 million in H1 2025, a 767% year-on-year jump. The UK's Financial Conduct Authority issued penalties of £44 million against Nationwide Building Society, £39.3 million against Barclays, and £21.1 million against Monzo. The Central Bank of Ireland fined Coinbase Europe €21 million for AML/CFT breaches.

Asia-Pacific regulators favoured non-monetary tools. The Monetary Authority of Singapore and Hong Kong's Securities and Futures Commission preferred licence revocation and business improvement orders, with Singapore's MAS issuing S$960,000 in composition penalties across five firms in June 2025 for travel rule and AML screening failures.

CertiK attributes the intensification partly to sanctions exposure: blockchain intelligence estimates cited in the report show sanctions-related crypto volume grew over 400% year-on-year in 2025, with state-driven sanctions evasion volume up 694% over the same period.

The report finds stablecoin frameworks have converged with unusual speed on full fiat reserve backing, prohibition of algorithmic stabilisation, independent attestation of reserves, and licensing of issuers. Variation is in implementation, not architecture.

The US GENIUS Act, signed in July 2025, places the Office of the Comptroller of the Currency in supervisory authority, with rulemaking expected through 2026 and full effect by January 2027 at the latest. The European Union's MiCA classifies stablecoins as Asset-Referenced Tokens or E-Money Tokens with separate authorisation tracks, while Hong Kong's Stablecoins Ordinance (Cap. 656) added its first two licensees on 10 April 2026.

The UAE requires AED-denominated backing for domestic payment stablecoins and prohibits algorithmic and foreign currency stablecoins for merchant transactions. Brazil treats stablecoin flows as foreign exchange transactions under BCB Resolutions 520 and 521, requiring independent technical certification under IN 701 and capital between R$10.8 million and R$37.2 million. Japan restricts issuance to licensed banks, trust companies and fund transfer operators, with reserves held exclusively in Japanese trust accounts.

According to the report, almost all major jurisdictions now require some form of independent smart contract assessment as a precondition for licensing or token admission. Hong Kong has the most explicit mandate, with the HKMA Stablecoins Ordinance requiring an independent smart contract security audit before licensing and the SFC's VATP Guidelines imposing a parallel requirement at the token admission stage.

VARA's Technology and Information Rulebook mandates annual smart contract audits and gives the regulator authority to require Threat-Led Penetration Testing on live production environments — a power adapted from the banking sector's TIBER framework. ADGM's FSRA requires DLT stress testing and code validation. The EU's DORA, in effect since 17 January 2025, compels code reviews indirectly through operational resilience obligations.

The report cites empirical support: CertiK's own analysis of the top 100 exploited protocols found 80% had no pre-breach audit and those unaudited protocols accounted for 89.2% of total value lost. The 20% that had been audited accounted for the remaining 10.8%.

The Basel Committee's finalised cryptoasset prudential standard carries a 1 January 2026 implementation date for BCBS member jurisdictions, with transposition into local law — including EU CRR3 and US federal banking rules — occurring on differing timelines. Group 1 assets, covering tokenised traditional instruments and qualifying stablecoins, receive standard risk weights. Group 2 assets — Bitcoin, Ether and other unbacked tokens — face significantly higher weights that often require near-100% capital charges.

CertiK frames this as the most consequential structural divide in the report: it determines which digital assets are economically viable for bank balance sheets and which remain structurally constrained for institutional adoption.

Two regimes outside the traditional financial centres get extended treatment. Brazil received an estimated US$318.8 billion in crypto value between July 2024 and June 2025, with 109.9% period-over-period growth and roughly 90% of that volume stablecoin-denominated. BCB Resolutions 519, 520 and 521 took full effect on 2 February 2026 with a 270-day grace period through October 2026, creating the SPSAV authorisation framework. Foreign platforms must establish a local subsidiary or partner with a licensed entity.

Turkey's Capital Markets Board operational regulations, issued in March 2025, set minimum charter capital at TRY 150 million (approximately US$4.1 million) for platform-services CASPs and TRY 500 million (US$13.7 million) for depository institutions. Companies on the existing operating list were required to apply by 30 June 2025, with full authorisation expected by 30 June 2026. TÜBİTAK technical infrastructure audits are a precondition for licensing.

The report sets out five practical implications. Multi-jurisdictional licensing is now the cost of entry, with operating from a single offshore licence no longer viable for institutions that need regulatory credibility with counterparties and supervisors. AML compliance has overtaken securities classification as the primary enforcement risk, requiring screening, sanctions checking and SAR capabilities benchmarked against current DOJ and FinCEN standards. Smart contract audits are a recurring operating cost. Stablecoin infrastructure must meet banking-grade reserve and governance standards. And Basel Group 1 versus Group 2 classification will shape institutional portfolio construction.

The report also flags an evolution in attack surface: 76% of 2025 on-chain losses by value came from infrastructure compromises — private key theft, access control failures, wallet orchestration exploits — rather than smart contract code. The Bybit breach in February 2025 (US$1.46 billion, attributed to North Korean operatives by the FBI) compromised signing infrastructure, not the contracts themselves.

What is CertiK's Skynet "State of Digital Asset Regulations" report?

It is the ninth Skynet Intelligence Report, published by Web3 security firm CertiK in April 2026. The report consolidates digital asset regulatory developments across eleven jurisdictions, including the US, EU, UK, Hong Kong, Singapore, the UAE, Japan, South Korea, Brazil, India and Turkey, and sets out implications for institutions deploying capital across multiple regimes.

Why does the report say AML has replaced securities classification as the top regulatory risk?

According to the report, SEC crypto-specific enforcement fell 60% in volume and 97% in penalty value between 2024 and 2025. AML-related fines and settlements imposed by the DOJ and FinCEN exceeded US$900 million in H1 2025 alone, including a US$504 million OKX settlement and a US$297.4 million KuCoin settlement.

Which jurisdictions now mandate independent smart contract audits?

The report identifies seven jurisdictions with statutory or near-statutory audit mandates: Hong Kong (HKMA Stablecoins Ordinance and SFC VATP Guidelines), the UAE through VARA and ADGM, Singapore (MAS pre-licensing assessment), the EU under DORA's operational resilience obligations, Brazil (BCB IN 701 and Resolution 520 Article 48.VIII), Turkey (TÜBİTAK audits) and US state-level requirements at NYDFS.

The cumulative direction of travel is unambiguous: higher compliance thresholds, more prescriptive security mandates, and less tolerance for ambiguity. Whether the next phase brings genuine cross-border supervisory coordination — or simply layered, jurisdiction-specific compliance costs that compound at the point of execution — will set the pace at which institutional capital can actually move on-chain through 2026 and into 2027.
