FinCEN Publishes First Set of Compliance Considerations in Parallel Civil and DOJ Enforcement Actions Against Crypto Company Paxful

Key Points

• On December 9, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) and the U.S. Department of Justice (“DOJ”) took parallel enforcement actions against Paxful, Inc., Paxful USA, Inc., and/or Paxful Holdings Inc. (together, “Paxful” or the “Company”), a cryptocurrency peer-to-peer trading platform, relating to the Company’s willful violations of multiple requirements of the Bank Secrecy Act (“BSA”) and its implementing regulations over an extended period.
• FinCEN’s consent order (“Order”) assessed a $3.5 million civil monetary penalty based on Paxful’s failures relating to: (i) maintaining its registration as a money services business (“MSB”); (ii) implementation of an effective, risk-based anti-money laundering (“AML”) program; and (iii) submission of timely and complete suspicious activity reports (“SARs”). 

• FinCEN’s action reinforces the agency’s view that cryptocurrency peer-to-peer virtual asset platforms fall squarely within the BSA’s regulatory perimeter. Additionally, FinCEN’s press release announcing the Order highlights FinCEN’s core AML compliance considerations applicable to cryptocurrency and other virtual assets companies. Notably, this is the first time FinCEN has included specific “Compliance Considerations” alongside an enforcement action, mirroring an approach long taken by OFAC in its sanctions enforcement releases.
• As with OFAC’s Compliance Considerations, FinCEN’s observations related to key areas of risk and compliance failures provide broader guidance to the crypto industry, rather than being limited to the particular facts of the Paxful case.
• This action also underscores that, notwithstanding the Trump Administration’s generally favorable polices towards the crypto industry, FinCEN will continue to enforce BSA obligations applicable to crypto exchanges and other actors in the industry.
• In a related development in the Eastern District of California, Paxful agreed to plead guilty to conspiring to violate the Travel Act, conspiring to operate an unlicensed money transmitting business, and conspiring to violate the BSA’s AML program requirement.  The Company agreed to pay a criminal penalty of $4 million.

Background

• The U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (FinCEN) consent order (Order) outlined the agency’s determination that Paxful Inc. and Paxful USA Inc. (together, Paxful) willfully violated multiple requirements of the Bank Secrecy Act (BSA) and its implementing regulations over an extended period. According to the Order, Paxful facilitated more than $500 million in suspicious activity involving various illicit actors and countries subject to comprehensive or significant U.S. sanctions restrictions, including Iran, North Korea and Venezuela.
• In addition, Paxful qualified as a money services business (MSB), and although it registered with FinCEN in July 2015, it failed to re-register as required pursuant to FinCEN regulations. Indeed, Paxful did not re-register as an MSB until September 3, 2019, more than four years after its initial registration. FinCEN also found that Paxful failed to develop and implement an effective anti-money laundering (AML) program reasonably designed to prevent the platform from being used to facilitate money laundering and other illicit activity. These deficiencies included weaknesses in customer risk assessment, transaction monitoring, and internal controls.
• With respect to suspicious activity reports (SAR) reporting, FinCEN identified significant failures, including delayed and incomplete filings despite the presence of clear indicators of potentially illicit conduct. According to FinCEN, these failures impaired law enforcement’s ability to detect and investigate criminal activity conducted through the platform.
• In assessing this $3.5 million civil penalty, FinCEN cited factors commonly referenced in other BSA enforcement actions, including the nature and seriousness of the violations, their duration and the risks posed to the U.S. financial system. In determining the final penalty amount, the agency also credited certain remedial measures undertaken by Paxful, including steps taken to wind down U.S. operations and enhance compliance controls.

FinCEN’s Compliance Considerations and Key Takeaways

For the first time, FinCEN’s press release announcing an enforcement action includes a section describing key “Compliance Considerations” arising from the case. This section mirrors an identically titled section that has for years appeared in the Office of Foreign Assets Control’s (OFAC) enforcement releases. With respect to the Paxful Order, key compliance considerations highlighted by FinCEN include:

• MSB registration. Cryptocurrency platforms and other virtual asset businesses must carefully assess whether their activities trigger MSB or other registration requirements and ensure timely registration and re-registration with FinCEN. Failure to register and re-register in accordance with regulatory requirements carries significant enforcement risk.
• Risk-based AML programs tailored to crypto activity. FinCEN emphasized that AML programs must be commensurate with the specific risks posed by a platform’s products, services, customer base, and transaction flows, including peer-to-peer and cross-border virtual currency transactions. For example, firms should consider the nature of their customers’ businesses when assessing the risk of potential illicit activities.
• Effective transaction monitoring and SAR processes. Firms must maintain systems capable of identifying suspicious activity and filing SARs that are timely, accurate, and sufficiently detailed. SAR obligations apply fully to cryptocurrency transactions.
• Use of geolocation and related controls. FinCEN highlighted the importance of Internet Protocol (IP) address and geolocation data to identify transactions involving high-risk jurisdictions and prohibited parties, prevent misuse of virtual private networks (VPNs) or location masking, and support AML and sanctions compliance. OFAC has long included similar guidance alongside its enforcement actions against companies in the cryptocurrency industry, including in its Guidance for the Virtual Currency Industry.
• Integration of AML and sanctions compliance. The compliance considerations reflect an expectation that firms align AML monitoring with sanctions screening and geographic risk assessments, recognizing overlapping risks and shared control frameworks.
• Documentation and independent testing. Firms should document their risk assessments, design of internal controls and efforts to remediate compliance gaps, and subject their AML programs to independent testing to ensure ongoing effectiveness.
• Bottom Line: The Order underscores FinCEN’s continued focus on ensuring that cryptocurrency platforms comply with applicable BSA requirements and, through the Compliance Considerations, signals a more explicit use of the agency’s enforcement actions to drive broader compliance. FinCEN’s publication of specific compliance considerations related to the action—long a hallmark of OFAC enforcement—also suggests increased convergence with respect to how component agencies within the U.S. Department of the Treasury communicate regulatory expectations to industry. Crypto and fintech businesses should view this action as a reminder that MSB registration, robust AML programs, geolocation controls and integrated sanctions compliance are among FinCEN’s core regulatory expectations.