Anti-Money Laundering and Crypto: What Sri Lanka Must Get Right
AML compliance is the key to unlocking crypto regulation in Sri Lanka. Here is why it matters and what frameworks we need.
Uvin Vindula — IAMUVIN
Published 2026-01-05 · Updated 2026-03-20
The AML Question
Every conversation I have with Sri Lankan regulators about crypto eventually comes back to one thing: money laundering. "How do we prevent criminals from using Bitcoin to launder money?" It is a fair question, and one that the crypto industry needs to take seriously rather than dismissing as FUD.
Here is the thing: Sri Lanka already has a massive money laundering problem — and it has nothing to do with crypto. Illegal hawala networks, cash-based corruption, trade misinvoicing, and underground banking have been laundering billions of rupees for decades using entirely traditional financial systems. Crypto is a rounding error compared to these existing channels.
But that does not mean we should ignore AML in crypto. If Sri Lanka wants to build a credible regulatory framework, AML compliance needs to be a cornerstone. Here is how I think we should approach it.
FATF Standards and Sri Lanka
The Financial Action Task Force (FATF) has issued specific guidance on how countries should regulate Virtual Asset Service Providers (VASPs). Sri Lanka is a member of the Asia/Pacific Group on Money Laundering (APG), which follows FATF standards. Non-compliance with FATF recommendations can result in grey-listing — which would be catastrophic for Sri Lanka's already fragile access to international banking.
Key FATF requirements for VASPs include:
- Registration/licensing: All VASPs must be registered or licensed by a competent authority
- Customer Due Diligence (CDD): VASPs must verify customer identities before establishing business relationships
- Transaction monitoring: Suspicious transactions must be identified and reported
- Travel Rule: Information about the originator and beneficiary must travel with transactions above certain thresholds
- Record keeping: Transaction records must be maintained for at least five years
What Sri Lanka Should Build
A VASP Registration Framework
Any business facilitating crypto transactions in Sri Lanka should be required to register with the Financial Intelligence Unit (FIU). Registration should be straightforward and affordable — we do not want to create barriers so high that only large international companies can comply.
Risk-Based Approach
Not all crypto transactions carry the same risk. A student buying 5,000 LKR of Bitcoin does not need the same scrutiny as someone moving 10 million LKR through a P2P platform. A tiered approach based on transaction size and risk profile makes sense:
| Transaction Size | Requirements |
|---|---|
| Under 50,000 LKR | Basic identity verification (NIC number) |
| 50,000 - 500,000 LKR | Full KYC with document verification |
| Over 500,000 LKR | Enhanced due diligence, source of funds verification |
Blockchain Analytics
One of the ironies of crypto regulation is that blockchain transactions are actually more traceable than cash transactions. Every Bitcoin transaction is recorded permanently on a public ledger. Sri Lanka's FIU should invest in blockchain analytics tools — companies like Chainalysis and Elliptic provide software that can trace crypto flows with remarkable precision.
The P2P Challenge
The biggest AML challenge in Sri Lanka's crypto space is not exchanges — it is P2P trading. Thousands of Sri Lankans buy and sell crypto through Binance P2P, WhatsApp groups, and in-person meetings. These transactions are largely invisible to regulators.
Banning P2P trading is not realistic — it would simply move to more opaque channels. Instead, regulation should focus on bringing P2P activity on-shore through licensed platforms that apply appropriate KYC based on transaction size.
A Message to Regulators
I understand the CBSL's caution around crypto and AML. But I urge regulators to consider this: the current lack of regulation means zero AML compliance in Sri Lanka's crypto sector. No KYC, no transaction monitoring, no suspicious activity reports. By developing a sensible framework, we go from zero compliance to meaningful compliance. That is a massive improvement, even if it is not perfect.
The perfect should not be the enemy of the good. A reasonable AML framework for crypto, implemented now, is infinitely better than a theoretically perfect framework that never gets implemented.
— Uvin Vindula

By Uvin Vindula — IAMUVIN
Sri Lanka's leading Bitcoin educator. Author of "The Rise of Bitcoin".