Compliance Champs is FD Gazelle 2025!

We are proud to announce that Compliance Champs has been named one of the fastest-growing companies in the Netherlands, in the West region and Small Business category.

This recognition from Het Financieele Dagblad is a reflection of our continued growth and the impact we achieve together. It has been made possible by the dedication and expertise of our team, the trust placed in us by our clients and partners, and our ongoing commitment to advancing organizations with integrity in compliance risk management.

We look forward to celebrating this success together on November 25 at the official FD Gazellen Awards 2025 ceremony.

Implementation Act on the Prevention of Money Laundering and Terrorist Financing – Impact Analysis for Trust Offices

1. Introduction

The Implementation Act on the Prevention of Money Laundering and Terrorist Financing (Iwt) has significant consequences for trust offices in the Netherlands. In this article we will discuss the background and status of the Iwt and provide an overview of some of the key changes relevant to trust offices.

2. Background and Status of the Implementation Act

The Sixth Anti-Money Laundering Directive (hereinafter “AMLD6”) is part of a comprehensive legislative package approved by the European Council on 30 May 2024. It entered into force on 10 July 2024. The package also includes the Regulation establishing the Anti-Money Laundering Authority (AMLA) and the Anti-Money Laundering Regulation (AMLR).

AMLD6 aims to modernize and harmonize anti-money laundering laws within the European Union. It focuses on closing loopholes in the framework and strengthening cooperation between member states.

As a European regulation, the AMLR has direct effect and will apply from 10 July 2027. It replaces large parts of the current Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft). This ensures uniform application of anti-money laundering rules across the EU.

The Implementation Act on the Prevention of Money Laundering and Terrorist Financing (Iwt) is a new Dutch law. Together with the AMLR, it will replace the Wwft on 10 July 2027. In doing so, it implements AMLD6.

The draft Iwt was open for public consultation from 4 July to 29 August 2025.During that period, 45 public responses were received from various organizations. The law will be further developed in an Implementation Decree, which will also be open for consultation. Both the Act and the EU regulations will take effect on 10 July 2027..

3. Harmonization and Supervision

European harmonization will lead to greater consistency in regulation across the EU. For trust offices operating across borders, this means clearer and more predictable

rules. At the same time, supervision will be intensified, with a larger role for the new European authority AMLA and enhanced cooperation between national regulators.

4. Impact of the Implementation Act on Trust Offices

The Iwt has a substantial impact on trust offices. Below are several important changes, along with explanations of their implications.

Abolition of National Rules

A large part of Chapter 4 of the Trust Offices Supervision Act 2018 (Wtt 2018) will be repealed. This is because obligations will now flow directly from the EU Anti-Money Laundering Regulation. Unlike previous directives that allowed minimum harmonization, the AMLR establishes maximum harmonization, meaning the Netherlands can no longer impose stricter national rules. Chapter 4 of the Wtt, which governs client due diligence, is one of the most critical parts of the current legislation.

Enhanced Due Diligence measures

Despite the repeal of national provisions, the trust sector will remain subject to enhanced client due diligence requirements. The Netherlands is using a member state option under Article 34 of the AMLR that will require providers of trust and corporate services to always apply enhanced due diligence. This is due to the high inherent money laundering risks associated with the sector, as evidenced by National Risk Assessments and other studies.

Registration requirement for providers of domiciliation services

A new development is the registration requirement for domicile provider; 1entities that only offer a postal address, registered office, or administrative address. While such services were not previously regarded as independent trust services under the Wtt 2018, they now fall within the AMLR’s scope. The registration requirement, under the Minister of Finance, aims to better map risks and prevent the circumvention of trust services.

Companies have been circumventing the Wtt 2018, by artificially dividing their activities to avoid the licensing requirement of De Nederlandsche Bank (DNB).

Ultimate Beneficial Owners (UBOs)

The AMLR introduces an important change in how ultimate beneficial owners (UBOs) are identified. The key change is that control must now be assessed independently and in parallel with ownership interest.

The ownership threshold is being lowered from “more than 25%” to “25% or more” of shares or voting rights, thereby bringing additional stakeholders under the definition.

If no UBO can be identified after exhausting all options, the regulation specifies that there is no UBO. Instead of registering a “pseudo-UBO,” the details of senior managing officials must be recorded. The definition of senior management is also broader than under current legislation.

Retention of Specific National Requirements

Although large parts of the Wtt will be repealed as explained earlier in this article, several key elements from the Wtt 2018 will remain in place, including:

– Licensing requirements.

– Fit and proper assessment (integrity and reliability of managers).

– Requirements for sound and controlled business operations.

– The prohibition on tax advice and acting as a conduit company.

These aspects fall outside the AMLR’s scope and may therefore continue nationally. Trust offices must also maintain particular vigilance regarding fiscal integrity risks.

Thus, while the Implementation Act simplifies the framework through harmonization and the elimination of duplicate regulation, trust offices remain subject to strict requirements due to the sector’s inherently high integrity risks.

Preparing for Upcoming Changes

The forthcoming changes will affect the operations of trust offices, making early preparation essential. Offices should assess what measures are needed to comply with the revised legal framework, including identifying which policies and procedures require updates. An effective response involves the following steps:

1. Conduct an impact analysis

2. Develop an implementation plan

3. Adjust policies and procedures

4. Provide training and communication

5. Implement technological support where necessary

6. Evaluate and perform periodic reviews

By systematically executing these steps, trust offices can ensure continued compliance even after the Iwt takes effect.

 

Would you like to learn more about how to effectively prepare your office for these upcoming changes? Compliance Champs has extensive knowledge, experience, and expertise to provide advice and support during implementation. Contact us for a free introductory consultation.

 

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Bridging the Divide Between Decentralisation and Data Protection

Blockchain technology offers transparency and security through immutability. Once data is recorded on the blockchain, no one can alter or delete it. This feature builds trust in the system, yet it also creates major legal challenges. The General Data Protection Regulation (GDPR) is one example of legislation that clashes with this technology.

The immutability of blockchain technology directly conflicts with Article 17 of the GDPR, which gives individuals the right to be forgotten. Even technical measures like encryption or hashing cannot combat this problem, since data can still be considered personal if re-identifiable.

Because blockchains are decentralised and global, determining who is responsible for compliance is complex. Which actor in the system is to be qualified as a data controller and/or data processor? This raises questions about liability and enforcement, as no single entity holds authority over the system. Aside from this, national legislation on data retention and auditability further complicate dispute resolution. The result is a regulatory grey zone where legal accountability becomes fragmented.

Is it then impossible to reconcile blockchain technology with the GDPR? Efforts have led to partial technical solutions, such as off-chain storage, data minimization, and cryptographic deletion. Yet, these approaches rarely achieve full compliance as they challenge the fundamental assumption that data can always be modified or erased. The issue is therefore not only technical but conceptual: blockchain’s decentralised logic clashes with the GDPR’s human-centred model that presupposes a controllable data ecosystem. Without modifying these legal principles, compliance remains legally aspirational.

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Stablecoins: A Compliance-Centric Foundation for 24/7 Financial Infrastructure

Stablecoins have moved beyond the experimental phase. They are now being used across the financial system for transparent and efficient settlement. Banks and financial institutions are integrating stablecoins into operations ranging from liquidity management to cross-border payments. 

Data from Visa’s Onchain Analytics Dashboard confirms the scale of this shift. Over 45 trillion dollars in stablecoin transaction volume has been recorded across public blockchains. There are more than 300 million unique active addresses, and the average stablecoin supply exceeds 200 billion dollars. These figures demonstrate that stablecoins are already playing a central role in global payment flows and blockchain-based financial services. 

One of the most significant infrastructure developments is the decision by SWIFT to incorporate a blockchain-based shared ledger into its global system. SWIFT is the financial messaging backbone for over 11,000 banks in more than 200 countries. While it does not move money directly, it is essential for transmitting secure financial data. With the addition of a blockchain ledger, SWIFT will now enable regulated stablecoins, tokenized assets and central bank digital currencies to be settled across interoperable networks in real time. 

Regulatory clarity is advancing in parallel. In the European Union, the Markets in Crypto-Assets Regulation (MiCAR) is now in effect. It requires issuers of Electronic Money Tokens (EMTs) and Asset Referenced Tokens (ARTs) (two different types of stablecoins) to hold fully backed reserves, meet disclosure requirements and register with financial authorities. In the United States, the GENIUS Act provides a federal framework for institutions to issue their own stablecoins under defined legal and risk standards. Other regions including Singapore and Hong Kong are building similar regimes. 

At Compliance Champs we work with financial institutions and crypto-asset service providers to translate these developments into actionable strategies. Whether preparing for licensing, building internal risk frameworks or meeting supervisory expectations, our focus is on helping our clients align innovation with regulation. 

Stablecoins are not just about technical innovation. They are about operational reliability and legal certainty. The institutions that succeed in this next phase of digital finance will be those that embed compliance from the beginning. If your organisation is preparing to issue, adopt or expand its use of stablecoins, we are ready to support you. 

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Crypto ATMs: A Bridge Between Two Worlds or a Getaway Car for Criminals?

In our recent article in the professional journal Compliance, Ethics & Sustainability (“From inadequate oversight to effective regulation?”), we emphasized how the crypto industry is gradually maturing under the influence of European regulation. At the same time, risks related to money laundering, fraud, and sanctions evasion persist.

A concrete example of these risks are crypto ATMs. In the journal, we already highlighted the risk of sanctions evasion via crypto ATMs. To summarize: Poland currently hosts more than 280 machines, many strategically located near the borders with Belarus and Russia. Here, cash can be easily converted into crypto, carried across the border via a mobile wallet or paper voucher, and liquidated elsewhere. This process can occur entirely outside traditional financial channels and sanctions oversight.

In this article, we take a closer look at how these machines operate, the risks they pose, and the role regulation and enforcement play in mitigating abuse.

From Cash to Crypto – Beyond the Banks

Crypto ATMs provide users with a direct and familiar gateway to convert cash into crypto-assets and vice versa, without requiring an account at a (crypto) exchange. The process is straightforward: users select buy or sell, enter an amount, and verify their identity which, depending on the local regulation, is through an ID, phone number, or another simplified form of KYC. The machine then dispenses crypto or cash.

For individuals in regions with limited banking infrastructure or for less digitally skilled users, these terminals may seem like an ideal solution. Yet it is precisely the combination of accessibility and anonymity that makes crypto ATMs attractive for criminal misuse.[1]

A Magnet for Fraud and Money Laundering

Supervisors worldwide are increasingly reporting abuse of crypto ATMs for money laundering and fraud. The classic laundering process (placement, layering, and integration) can easily be executed through ATMs: cash is inserted, split across multiple terminals, converted into crypto, and later exchanged back into cash.[2]

In 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) reported that victims lost over $247 million through crypto ATMs, with a notable concentration among people over 60.[3] Victims are often pressured over the phone by fraudsters impersonating bank employees or government officials, instructing them to deposit large sums via ATMs.

Some machines accept up to €15,000 (or $25,000) per day without strict identity verification.[4] Transaction fees are significantly higher than those of regulated exchanges (>5% vs. <1%). Certain terminals even print paper vouchers functioning as anonymous bearer instruments.

International Regulatory Differences

Regulation of crypto ATMs varies widely across jurisdictions. New Zealand, for example, banned the machines entirely,[5] while Australia applies a risk-based model with transaction limits and stricter KYC.[6] In the United States, warnings are paired with prosecutions of unregistered operators.[7]

Within the EU, greater clarity is provided through the Markets in Crypto-Assets Regulation (MiCAR). Crypto ATMs are classified as “Crypto-Asset Service Providers” (CASPs). They are not prohibited, but operators must meet licensing requirements, comply with KYC/AML obligations, conduct transaction monitoring, and apply risk-based customer due diligence.[8] Despite the expiration of MiCAR’s transitional regime in the Netherlands, we observed that several crypto ATMs remained active beyond the deadline.

Regulation alone is not enough. Effective enforcement is essential—as underlined by recent Dutch case law.[9]

Dutch Case Law: Crypto ATMs as Money-Laundering Vehicles

In a recent ruling, the Arnhem-Leeuwarden Court of Appeal (ECLI:NL:GHARL:2025:237) convicted an operator of crypto ATMs who repeatedly and deliberately violated the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).[10]

Evidence showed that the ATMs were repeatedly used for transactions linked to criminal proceeds, including drug trafficking. Investigations revealed that the operator had deliberately designed the process to minimize traceability: no identity checks were performed for transactions below €10,000, deposits were often spread across multiple ATMs to avoid detection, and even for higher amounts, KYC checks were superficial and the ultimate beneficial owners of wallets were not verified.

The court ruled that this amounted to knowingly facilitating money laundering. The operator was sentenced to multiple years in prison, and the equipment was confiscated. This case demonstrates that Dutch courts treat crypto ATM violations as serious criminal offenses and highlights the critical role of national enforcement alongside EU regulation.

The Athena Bitcoin Inc. Case – A Wake-Up Call

In February 2025, the Attorney General of the District of Columbia filed a lawsuit against Athena Bitcoin Inc., one of the largest U.S. crypto ATM operators. Investigations revealed that during the first five months of operations in Washington D.C., as much as 93% of all transactions were fraudulent, with average losses of $8,000 per transaction and victims having a median age of 71. Victims were pressured to repeatedly send funds to the same, well-known scam wallets.[11]

Athena is accused of deliberately profiting from these practices by charging hidden fees of up to 26%, without clearly disclosing them to customers. The company systematically refused to compensate victims, even when transactions were visibly routed to previously abused wallets. In some cases, Athena demanded liability waivers from victims who attempted to recover part of their losses.

This case illustrates that poorly regulated crypto ATMs not only endanger the integrity of the financial system but also pose a structural threat to financially vulnerable groups, especially the elderly.

From Signal to Structural Action

The introduction of MiCAR provides a necessary framework, but regulation without consistent enforcement remains toothless. Crypto ATMs operate at the intersection of financial inclusion and financial crime. A collective and decisive response is essential. As long as operators profit from opaque fee structures and criminals exploit the gaps, crypto ATMs will remain more of a getaway car for criminals than a bridge for financial inclusion.

What must happen?

  • Operators must provide full transparency on fees and limits, implement structural transaction monitoring, and actively block suspicious wallets.
  • Supervisors must move beyond registration requirements and invest in effective monitoring and enforcement.
  • Financial institutions must stay alert to unusual cash flows that may disappear through crypto ATMs and act on them with a risk-based approach.
  • Consumers must be better protected through education, warnings, and accessible reporting channels.
  • CASPs are legally obliged to monitor transactions. Illicit flows—originating from crypto ATMs as well as darknet markets—are often detected through tools such as Cense, Chainalysis, TRM Labs, and Elliptic. CASPs are expected not only to conduct active monitoring but also to report suspicious activity.

Together with our partner Cense, we will soon publish a follow-up article exploring in more depth how blockchain analytics tools can strengthen organizations’ detection and control capabilities.

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

[1] The Record. (2025). Crypto ATMs fueling cybercrime.

[2] Sanction Scanner. (2025). How to ensure AML compliance on Bitcoin ATMs in the US. https://www.sanctionscanner.com/blog/how-to-ensure-aml-compliance-on-bitcoin-atms-in-the-us-448.

[3] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf

[4] Europol. (2022). Cryptocurrencies – Tracing the evolution of criminal finances. Europol.

[5] Rahman Ravelli. (2024). New Zealand to ban crypto ATMs. https://www.rahmanravelli.co.uk.

[6] CryptoNews. (2025). Tasmania joins nationwide crackdown on crypto ATMs as scam losses hit $1.6 million. https://cryptonews.com

[7] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf.

[8] European Parliament and Council. (2023). Markets in Crypto-Assets Regulation (MiCAR).

[9] Bitomat. (2024). MiCA impact on Bitcoin ATMs. https://www.bitomat.com.

[10] Gerechtshof Arnhem-Leeuwarden. (2025). ECLI:NL:GHARL:2025:237.

[11] Office of the Attorney General for the District of Columbia. (2025, February). Attorney General Schwalb Sues Athena Bitcoin for Failing to Protect Consumers from Scams . https://lnkd.in/eb8qGmqP.

Cense and Compliance Champs Partner to Power the Future of Financial Compliance

Rotterdam / Zug, Tuesday 2 September 2025 — Cense, the company decoding the complexity of crypto compliance, has entered a strategic partnership with Compliance Champs. The alliance is designed to strengthen how financial institutions approach crypto-related compliance, expanding beyond technology to include process, policy and long-term strategic alignment.

“Our mission has always been to empower institutions to bridge traditional finance with the new digital economy,” said Michiel Hoogenboom, Chief Commercial Officer at Cense. “This partnership strengthens our go-to-market strategy by connecting our technology to the broader context of crypto policy and execution. Together, we make compliance faster, smarter and more future-ready.”

Compliance Champs brings deep expertise in helping financial institutions and Crypto-Asset Service providers define and implement Compliance strategies. By integrating Cense, they gain the tools to deliver on those strategies with precision and speed.

“We support clients in building a vision for compliant crypto adoption,” said Peter Engering, CEO of Compliance Champs. “Cense is the technology that makes it real. Their solution accelerates implementation and ensures that what we design can be executed at scale.”

Together, Cense and Compliance Champs are enabling the financial world to move with confidence into a more complex digital future. From automation to advisory, this partnership delivers end-to-end compliance solutions for institutions ready to lead.

 

About Cense

Cense automates crypto compliance for financial institutions. Its platform delivers real-time user profiling, AML screening, and source of funds verification — enabling institutions to onboard legitimate crypto flows with speed and confidence.

 

About Compliance Champs

Compliance Champs advises leading financial institutions and Crypto-Asset Service Providers on regulatory change, crypto adoption and compliance design. Their work ensures that innovation is grounded in policy and aligned with the highest regulatory standards.

 

Cense. Decoding complexity. Empowering finance.

 

Compliance Champs. Leading with vision. Delivering with confidence.

 

 

Please reach out to us on: info@compliancechamps.com

Read more articles here.

 

Another Schrems II in the making? Trump’s privacy moves could wreck EU-US Data Transfers (again)

EU privacy pros, brace yourselves, transatlantic data transfers might be on the chopping block once more. 

In a move that is already raising alarms in the privacy and compliance world, President Donald Trump has removed key members of the Privacy and Civil Liberties Oversight Board (PCLOB), the very body meant to ensure US surveillance practices respect privacy rights. 

Why does this matter for GDPR compliance? Because the PCLOB plays a key role in the EU’s trust in US data protection mechanisms under the new EU-US Data Privacy Framework (DPF). Without it, European regulators could pull the plug on the DPF just like they did with Privacy Shield, throwing companies back into legal uncertainty. 

Déjà Vu? we have been here before 

First, Safe Harbor ( an agreement between EU and U.S that allowed companies to transfer personal data from the EU to the U.S based on a self-certification of adequate privacy protections) collapsed. Then, Schrems II , a case brought by Max Shrems, an Austrian privacy advocate and lawyer which led the CJEU to invalidate the Privacy Shield (the successor of Safe Harbour) in 2020 because. The Court found that U.S surveillance laws were deemed incompatible with GDPR and the fundamental rights guaranteed by the EU Charter. The DPF was supposed to fix this by strengthening oversight, but with the PCLOB in disarray, is it still credible? 

If the EU decides the US isn’t holding up its end of the deal, we could see: 

  • Another invalidation of EU-US data transfers 
  • More legal battles from privacy activists (Schrems III?) 
  • Companies scrambling for Standard contractual clauses (SCCs) or costly local hosting solutions 

What’s next? 

European regulators will likely demand answers and possibly rethink the DPF’s adequacy decision. Max Schrems and his organization “None of your business “(NOYB) could challenge the framework in court and history tells us they tend to win. But most importantly, businesses relying on EU-US data flows should prepare for disruption and explore alternative compliance strategies. Nonetheless, to ensure compliance, conducting a Data Transfer Impact Assessment (DTIAs) is strongly advised 

What do your think? 

Is this just political noise, or are we on the verge of yet another GDPR disaster? Should companies start future-proofing their data transfer strategies now?



Need help navigating the shifting landscape of EU-US data transfers? Our experts can support you in assessing risks and future-proofing your data transfer strategy.

Please reach out to us on: info@compliancechamps.com

Read more articles here.

 

The Bybit hack; 4-key Compliance and AML lessons we learned from North Korea’s largest crypto hack.

On February 21, 2025, Bybit fell victim to a cyberattack that resulted in an unprecedented loss of approximately $1.46 billion in digital assets. To put the breach into perspective, the previous largest crypto heist was the $611 million that was stolen from Poly Network in 2021. Early reports pointed to the notorious Lazarus Group, a North Korean state-backed cybercriminal organization, which has already been implicated in several high-profile hacks and money laundering operations in the past. The FBI has since confirmed the Lazarus Group as the perpetrators of the attack.

The breach raises critical questions regarding the security of centralized exchanges, particularly in the wake of the Digital Operational Resilience Act (DORA). What truly underscores the importance of compliance and anti-money laundering (AML) measures is the speed with which the stolen funds were funnelled into laundering networks. TRM Labs estimates that at least $160 million was laundered within the first 48 hours, with this figure surpassing $400 million within a week, illustrating a level of operational efficiency and professionalism we haven’t seen before.

How the funds were laundered, an overview

With the stolen funds still circulating through the crypto ecosystem, examining the methods used to obfuscate the origin of the stolen funds is more relevant than ever. The Lazarus Group’s laundering tactics were notably sophisticated, leveraging various crypto services and decentralized exchanges (DEXs) to hide the trail of illicit funds.

The laundering operation commenced immediately after the breach, when the stolen assets- initially consisting of mETH and sETH (liquid staking tokens)[1]– were converted into ETH using DEXs. This step was vital to avoid intervention by token issuers, who could potentially freeze the compromised assets. Since Ether and Bitcoin are not controlled by a centralized authority, they are less susceptible to being frozen.

Following the conversion to ETH, the Lazarus group employed a common money laundering technique known as “layering”, dispersing the funds through multiple intermediary wallets in an attempt to conceal the origin of the funds and hinder tracking efforts. While the inherent transparency of the blockchain allow for the tracing of transactions, this strategy bought the hackers time to move the funds to different wallets, swap tokens, use cross-chain bridges, and interact with no-KYC instant swap services. Using these crypto services, the hackers swapped significant amounts of ETH for other cryptocurrencies, especially BTC and DAI.

Historically, North Korea has relied on crypto mixers as part of its laundering operations to obfuscate the origin of stolen assets before converting them into fiat currencies. With increased scrutiny and law enforcement actions targeting mixing services, it appears the Lazarus Group is now prioritizing speed and efficiency over privacy.

Key Compliance and AML Takeaways

The aftermath of the Bybit hack provides several important lessons for compliance officers, regulatory bodies, and businesses operating in the cryptocurrency sector. While the hack highlights vulnerabilities that still exist, it also underscores the importance of strong compliance frameworks, robust AML practises, and industry-wide cooperation. Some key takeaways include:

1. Enhanced Transaction Monitoring Systems

The sophistication of the laundering methods used in this case highlights the necessity for cryptocurrency platforms to implement advanced transaction monitoring systems. A combined effort between blockchain analytics firms, law enforcement and centralized exchanges were able to actively trace the stolen funds, identifying and flagging wallets related to the Lazarus Group. While several centralized exchanges were able to freeze assets, a large portion of the stolen funds remain under the hackers’ control and further attempts to launder these funds are expected in the coming days or weeks. The ongoing investigations illustrate both the effectiveness of blockchain- and transaction monitoring, as well as the challenges presented by cryptocurrency services such as DeFi protocols that potentially do not leverage blockchain analytics.

2. Strengthening KYC and AML Standards:

Crypto exchanges must ensure they adhere to stringent Know Your Customer (KYC) procedures and performing regular AML checks throughout the lifecycle of their client. While KYC requirements are now standard across exchanges, many DeFi platforms continue to lag in establishing robust identity verification processes. As decentralized finance and privacy tools continue to evolve, there is a growing need for a more rigorous approach to user onboarding and transaction monitoring to prevent illicit activity. A notable example of decentralized protocol already taking such actions is Chainflip, which implemented an emergency software update, blocking incoming funds tied to the hack.

3. Collaboration within the industry and law enforcement agencies

Effective collaboration within the industry and with law enforcement agencies is vital in combating money laundering threats and protecting the ecosystem. In response to the hack, Bybit launched a bounty program offering rewards of up to 10% for successfully frozen funds. This initiative sparked collaboration among industry actors, complicating efforts by the hackers to convert stolen assets into fiat currencies. This demonstrates the importance of swift, collaborative responses to protect the integrity of the cryptocurrency ecosystem and defend against these sophisticated cyber-attacks.

4. Education and Awareness

The Bybit hack highlights the need for continuous education and awareness within the crypto industry. Firms should invest in regular training for compliance teams to stay ahead of emerging laundering tactics. Moreover, educating users on the risks of interacting with unregulated platforms remains crucial to curbing illicit activity in the crypto space.

 

Conclusion: The Path Forward for Crypto Compliance

The Bybit hack serves as a reminder of the vulnerabilities currently present in the crypto ecosystem. As illicit actors become increasingly sophisticated in their methods, the need for robust compliance and AML measures has never been greater. Exchanges, DeFi platforms, and regulators must work together to close the gaps in the current system, implement strong monitoring tools, and ensure that the crypto space remains a safe and secure environment for legitimate users.

The ongoing investigations and the collaborative actions taken in response to the hack exemplify the cryptocurrency sector’s growing commitment to improving security standards and protecting users from illicit activity. By focusing on enhancing compliance frameworks, tightening KYC and AML standards, and fostering a culture of cooperation, the industry is taking crucial steps toward mitigating the risks of future breaches.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

[1] Liquid staking tokens refer to obtain a tradeable asset in exchange for staking a cryptocurrency in a proof-of-stake blockchain.

Getting ready for DORA compliance: what financial institutions should know for 2025

DORA compliance is now in effect! as of 17 January 2025, financial institutions are required to meet the standards set by the Digital Operational Resilience Act (DORA). With national supervisors like the Dutch Authority for the Financial Markets (AFM) increasing their supervision, it’s time to prioritize your preparations! here’s a quick breakdown of what to expect and how to stay ahead.

What’s changing in 2025?

Starting this year, supervisory authorities will actively review how financial institutions comply with DORA. This includes submitting critical information to the European Supervisory Authorities (ESAs), EIOPA, ESMA, and EBA and ensuring operational resilience across the financial sector.

For a detailed look at the DORA regulation, you can access the official text here: DORA Regulation (EU) 2022/2554.

Key Priorities for 2025

1. Submitting the register of information

The first big milestone for DORA compliance is the register of information. Here’s what you need to know:

  • Deadline: the AFM and DNB must submit the first registers of information to the ESAs by 30 April 2025.
  • Action needed: If your organization is subject to DORA, expect an information request from the AFM soon after DORA takes effect. Preparing now is important to meet the deadline.
  • Annual updates: After the initial submission, you’ll need to provide updates yearly. The AFM and DNB will verify your register before it’s sent to the ESAs.

This register helps ESAs identify critical ICT third-party providers, who will then come under direct ESA supervision.

 

2. Reporting ICT-related incidents

Major ICT incidents must be reported promptly. Here’s how it works:

  • Notification timeline:
    • Notify the AFM or DNB within 4 hours of classifying an incident as “major.”
    • Submit an intermediate report within 72 hours.
    • Deliver a final report within 1 month.
  • Proactive communication: while mandatory for major incidents, voluntary reporting of cyber threats is also encouraged. This helps build a clearer picture of sector-wide risks.

The AFM will assess your reports for completeness and may request additional details to understand the full impact.

 

3. Threat-led penetration testing (TLPT)

For some firms, TLPT will become part of compliance efforts. Firms designated by the AFM will undergo rigorous testing to ensure resilience against cyber threats.

  • Designation: If your firm is selected, you’ll be notified by letter.
  • Preparation: the AFM will guide you through the process, from planning to execution.
  • Certification: successful completion earns your firm a certificate demonstrating compliance.

 

What Should You Do Next?

  1. Act now: start preparing your register of information and review incident reporting protocols.
  2. Engage your team: ensure your ICT and compliance teams understand DORA’s requirements.
  3. Stay updated: follow updates from the AFM and be ready to act on any requests or notifications.

Why DORA matters

DORA isn’t just about meeting regulatory demands; it’s about strengthening the financial sector’s resilience in an increasingly digital world. By preparing early, your organization can avoid unnecessary risks, show compliance, and build trust with stakeholders.

Let’s embrace this challenge as an opportunity to improve operational resilience and cybersecurity across the board. Is your organization ready for DORA? Share your thoughts below!