Issue #2 | May 5, 2026 | 7 min read
SECTION 1: The Brief
Binance spent years building the world's largest cryptocurrency exchange on a simple premise: if you never formally accept that you're a financial institution, you never have to act like one. For years, while processing hundreds of billions in transactions, it filed zero suspicious activity reports with FinCEN.
In November 2023, that strategy cost $4.3 billion.
This issue breaks down what Binance actually did, what three federal agencies found when they looked, and what it means for compliance programs still treating crypto as someone else's problem.
SECTION 2: Main Feature
ENFORCEMENT ACTION
Binance Decided It Wasn't a Bank. Federal Prosecutors Corrected That.
The world's largest crypto exchange filed zero SARs with FinCEN. What followed was the largest corporate AML settlement in DOJ history.
In November 2023, Binance pleaded guilty to conspiracy to conduct an unlicensed money transmitting business and willful failure to maintain an effective AML program. Changpeng Zhao, known as CZ, pleaded guilty personally and stepped down as CEO. The settlement totaled $4.3 billion, split across three agencies: the Department of Justice, FinCEN ($3.4 billion, the largest penalty in the agency's history at the time), and OFAC ($968 million). It was the largest corporate resolution involving a financial institution in DOJ history.
The compliance failure here wasn't a breakdown of controls or a staffing shortfall. Binance had a nominal compliance function that understood what it was doing and chose differently. The exchange registered with FinCEN as a money services business in 2019, acknowledging in writing that it was subject to Bank Secrecy Act obligations. Then it filed zero SARs with FinCEN while processing transactions that met the reporting threshold many times over.
$4.3 billion total settlement
$3.4 billion: FinCEN — largest penalty in agency history at the time
$968 million: OFAC
SARs filed with FinCEN during the relevant period: 0
FinCEN's consent order identified more than 100,000 transactions between Binance users and people in sanctioned jurisdictions: Iran, North Korea, Cuba, Syria. The exchange's transaction monitoring was largely decorative. Binance had a stated KYC policy for US users but built workarounds into the platform, and internal communications showed the compliance team knew the policy wasn't functioning as written. Samuel Lim, Binance's former chief compliance officer, described the exchange's user base in internal messages that made the DOJ's case straightforward. The public statement of facts quotes him directly: "Like come on. They're here for crime."
That sentence is in the public record. Act accordingly.
What the Regulators Found
FinCEN's findings reduced to five points:
Binance filed no SARs with FinCEN for years after registering as an MSB, including on transactions that explicitly involved sanctioned counterparties
Binance's KYC program allowed US users to continue trading by coaching them, or allowing them, to circumvent geographic restrictions using VPNs
Transaction monitoring thresholds were calibrated to minimize alert volume, not catch suspicious activity
Internal communications documented awareness of criminal use of the platform: not hypothetical risk assessment, but actual knowledge, in writing, from the compliance team
That knowledge was reported upward to leadership, which continued operating the exchange regardless
The DOJ's statement of facts runs to dozens of pages. The through-line is consistent: Binance made a deliberate business decision that the cost of compliance exceeded the cost of non-compliance. For six years, that math worked.
The practitioner implication cuts two ways. For anyone working at a financial institution with crypto-related exposure — correspondent banking relationships, payment rails used by exchanges, custody relationships — Binance's failure created downstream risk at your institution. Suspicious transactions that should have generated SARs didn't. Some of that activity flowed through conventional banking infrastructure. If your institution processed wire transfers or ACH transactions for Binance's US entity, or for customers who moved funds through Binance, whether your own SAR program caught it is a reasonable question to ask.
For compliance teams still treating crypto as peripheral: FinCEN has been clear since 2013 that virtual currency exchangers operating as money transmitters have BSA obligations. The Binance settlement is the definitive enforcement proof point. Regulators have now demonstrated they'll pursue this at scale, across jurisdictions, and personally against executives who knew.
What Binance got wrong wasn't misreading the regulation. They understood it. The bet was that penalties would never exceed the revenue from ignoring it. The $4.3 billion settlement is the answer to that bet.
Source: DOJ Press Release, November 21, 2023 | FinCEN Consent Order, November 21, 2023 | OFAC Civil Monetary Penalty, November 21, 2023 | DOJ Statement of Facts, United States v. Binance Holdings Limited
SECTION 3: Intelligence Briefing
INTELLIGENCE BRIEFING
DOJ — Identity Document Fraud, New Mexico. A federal indictment in Albuquerque charged a foreign national with using forged immigration documents and a stolen Social Security number to open bank accounts and obtain vehicle financing and consumer loans. If convicted, the defendant faces up to 10 years. The scheme succeeded across multiple institutions, which makes it a CIP problem as much as a criminal one. Forged documents paired with a plausible SSN can clear basic verification if the authentication step is superficial. Source: DOJ Office of Public Affairs, Week of Fraud press release, May 2026.
OFAC — New Cuba Sanctions Executive Order. The President signed an Executive Order on May 1 imposing sanctions on individuals responsible for repression in Cuba and threats to U.S. national security. Financial institutions should check OFAC's SDN list for new designations tied to the EO and confirm that Cuban Assets Control Regulations compliance is current. Cuba is already a comprehensively sanctioned jurisdiction — the new EO expands specific-party exposure on top of the existing country-level prohibitions. Source: OFAC Recent Actions, May 1, 2026.
SECTION 4: From the Source
FROM THE SOURCE
"Binance's [AML] program did not identify, and thus did not report to FinCEN, suspicious transactions that took place on Binance... Binance processed more than $898 million in transactions between U.S. users and users in Iran alone."
— FinCEN Consent Order, In the Matter of Binance Holdings Limited, November 21, 2023
The $898 million figure isn't incidental. It's the number that explains why OFAC's involvement carried a $968 million civil penalty, which tracks closely with the Iran transaction volume FinCEN documented. Regulators weren't estimating. They were counting. When an institution's exposure to sanctioned-jurisdiction transactions becomes countable at the billion-dollar scale, the settlement math isn't in your favor.
SECTION 5: CTA Block
If someone forwarded this to you, welcome.
The AML Brief goes out every Tuesday. Subscribe for free:
[Subscribe → theamlbrief.beehiiv.com]
Already subscribed? Forward this to one colleague who works in financial crimes. That's how we grow.
The AML Brief | theamlbrief.com/posts
Disclaimer: The AML Brief is an independent financial crimes intelligence publication. All content is sourced from publicly available regulatory documents, enforcement actions, and published research. Nothing published here constitutes legal, compliance, or regulatory advice. The AML Brief is not affiliated with any financial institution, regulator, law firm, or employer. For advice specific to your situation, consult a qualified attorney or compliance professional.