AML/CFT Compliance for Crypto Startups: What the CBB Really Expects (Beyond the Templates)

By Abid Millath Published: June 2, 2025 Last Updated: June 2, 2025

AML compliance isn't the most glamorous part of launching a crypto startup, but in Bahrain, it’s non-negotiable. The Central Bank of Bahrain (CBB) doesn’t just want to see a pretty policy PDF, they want evidence that your team, technology, and daily operations can prevent abuse of your platform by criminals. 

If you're applying for a crypto-asset service licence, this article breaks down what the CBB actually looks for (and where most applicants get it wrong). No fluff. No theory. Just hard-earned insights from helping real startups prepare regulator-ready AML frameworks. 

 

1. Compliance Isn’t About Templates. It’s About Ownership. 

The CBB’s AML Rulebook isn’t a ‘cut-and-paste’ affair. Many founders download templates, change the logo, and hope for the best. That won’t work. Regulators can spot generic content in seconds, and it signals that your firm isn’t taking compliance seriously. 

Instead, tailor every policy to your actual product, risk exposure, and customer base. If you’re serving institutional clients, your risk profile is different from a retail wallet app, and your controls should reflect that. 

2. Your MLRO Isn’t a Token Hire 

Every crypto business needs a Money Laundering Reporting Officer (MLRO). This person must be: 

  1. Based in Bahrain 

  2. Senior enough to speak to the board 

  3. Legally responsible for filing suspicious activity reports 

Founders sometimes assign this role to a junior staffer or even a consultant abroad. That’s a fast track to rejection. The MLRO must have independent authority, and must not be buried beneath the CTO or COO in the org chart. 

3. Risk-Based Approach: Do You Actually Use It? 

You’ll hear the phrase “risk-based approach” (RBA) a lot. But what does it mean in practice? 

It means you evaluate each customer, transaction, and product based on how likely it is to be used for money laundering. It means assigning risk ratings (low, medium, high), and adapting your controls accordingly. High-risk clients must go through Enhanced Due Diligence (EDD), not the same onboarding flow as a low-risk user. 

In practice, use a risk matrix that considers customer type, jurisdiction, source of funds, and delivery channel. But don’t just describe it in your policy; show how it’s built into your onboarding process, so that the rating a customer receives actually determines which checks they go through. 

4. Onboarding: It’s Not Just ID Checks 

Verifying identity is only one part of Customer Due Diligence (CDD). You also need to: 

  1. Understand the nature of the business relationship 

  2. Assess the source of funds 

  3. Watch for red flags (like mismatched IP geolocation) 

If a user is flagged as a Politically Exposed Person (PEP), or if they’re in a high-risk country, you’re legally required to do Enhanced Due Diligence. That means deeper background checks, manual review, and ongoing monitoring. 
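The matrix described in sections 3 and 4, wired into an onboarding decision, as an added example that is not code from the original article. The weights, the low/medium/high thresholds and the high-risk jurisdiction list are illustrative assumptions (the placeholder codes "XA" and "XB" are constructed, not real jurisdictions); a real deployment derives all of them from the firm's own risk assessment. What the example shows beyond the text is the override logic: a PEP or a high-risk-country customer is routed to EDD even when their numeric score lands in the medium band.

```python
"""Customer risk matrix wired into the onboarding decision.

Added example, not code from the original article. Scoring weights,
thresholds and the high-risk jurisdiction list are illustrative
assumptions; a real deployment derives them from the firm's own
business-wide risk assessment.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Rating(str, Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Constructed placeholder codes (ISO 3166 user-assigned range) standing in
# for whatever jurisdictions the firm's own assessment marks as high risk.
HIGH_RISK_JURISDICTIONS = {"XA", "XB"}

# Illustrative weights for the four matrix dimensions named in the article.
CUSTOMER_TYPE = {"retail": 1, "institutional": 1, "unregulated_msb": 3}
SOURCE_OF_FUNDS = {"salary": 1, "business_income": 2, "crypto_trading": 3}
CHANNEL = {"in_person": 1, "online_verified": 2, "intermediary": 3}
UNKNOWN_SCORE = 4            # anything not in a table is treated as worst case
PEP_SCORE = 3
IP_MISMATCH_SCORE = 2
LOW_MAX, MEDIUM_MAX = 5, 8   # score <= 5 low, 6..8 medium, >= 9 high


@dataclass
class Applicant:
    customer_type: str
    residence_country: str
    source_of_funds: str
    channel: str
    is_pep: bool = False
    ip_country: Optional[str] = None  # geolocation of the onboarding IP address


@dataclass
class Decision:
    score: int
    rating: Rating
    edd_required: bool
    reasons: List[str] = field(default_factory=list)


def score_applicant(a: Applicant) -> Decision:
    """Score one applicant against the matrix and decide whether EDD applies."""
    reasons: List[str] = []
    score = 0

    score += CUSTOMER_TYPE.get(a.customer_type, UNKNOWN_SCORE)
    score += SOURCE_OF_FUNDS.get(a.source_of_funds, UNKNOWN_SCORE)
    score += CHANNEL.get(a.channel, UNKNOWN_SCORE)

    in_high_risk_country = a.residence_country in HIGH_RISK_JURISDICTIONS
    score += UNKNOWN_SCORE if in_high_risk_country else 1
    if in_high_risk_country:
        reasons.append("residence in high-risk jurisdiction")

    if a.is_pep:
        score += PEP_SCORE
        reasons.append("politically exposed person")

    # Red flag from the article: onboarding IP geolocation differs from stated residence.
    if a.ip_country is not None and a.ip_country != a.residence_country:
        score += IP_MISMATCH_SCORE
        reasons.append(f"IP geolocation {a.ip_country} != residence {a.residence_country}")

    if score <= LOW_MAX:
        rating = Rating.LOW
    elif score <= MEDIUM_MAX:
        rating = Rating.MEDIUM
    else:
        rating = Rating.HIGH
        reasons.append("high overall risk score")

    # PEPs and high-risk countries require EDD regardless of the numeric score,
    # so these triggers override the banded rating rather than merely adding to it.
    edd = rating is Rating.HIGH or a.is_pep or in_high_risk_country
    return Decision(score, rating, edd, reasons)


def onboarding_route(d: Decision) -> str:
    """The flow the onboarding service should send the applicant down."""
    return "enhanced_due_diligence" if d.edd_required else "standard_cdd"
```

The `reasons` list is the part an inspector will ask about: a stored rating with no recorded reason is indistinguishable from a rating someone typed in by hand.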

5. STR Reporting: Do You Have a Button for That? 

You’re required to report suspicious transactions to Bahrain’s Financial Intelligence Directorate (FID). But first, your internal team needs a clear process for spotting and escalating issues. 

Do you have an internal reporting form? Is it digital and secure? Do employees know how to use it, and is the MLRO regularly reviewing submissions? 

If your answer is “we’ll build that later,” expect the regulator to put your licence application on hold. 

6. Training Isn’t Optional 

All staff, not just the compliance team but also customer support, sales, and engineering, need to be trained on AML risks. That includes: 

  1. Initial training during onboarding 

  2. Annual refresher sessions 

  3. Quizzes or certification tracking 

Document everything. Regulators don’t want to be told that training happened. They want to see attendance logs, training material, and test results. 

7. KYC Outsourcing? You’re Still on the Hook 

Using Sumsub, Veriff or any third-party KYC provider doesn’t exempt you from liability. The CBB is clear: you can outsource the function, but not the responsibility. 

If your provider fails to detect a fake document or lets a sanctioned user slip through, it’s still your neck on the line. Make sure you: 

  1. Conduct due diligence on your vendor 

  2. Periodically test their accuracy 

  3. Supplement their checks with your own logic 

8. Audit Trails Aren’t Just for Auditors 

The CBB expects you to retain every KYC file, transaction log, and internal report for at least five years. Not in email folders. Not on someone’s laptop. In a secure, auditable system. 

Your backend should log: 

  1. Who accessed what data and when 

  2. What decisions were made (e.g., approving a flagged user) 

  3. What changes were made to policies or customer profiles 

If your systems don’t support this yet, you’re not ready for inspection. 

9. Align Your Business Plan and Policy 

This one’s subtle but critical. If your AML policy says you run quarterly risk reviews, but your business plan says annually, that’s a problem. Regulators cross-check every statement. 

Make sure your business plan, AML policy, STR forms, and governance framework speak the same language. Even small contradictions can delay approval. 

10. Are You Actually Ready? 

Here’s a final pre-submission checklist: 

  • MLRO is qualified, resident in Bahrain, and has board access 

  • Customer Risk Matrix exists and is integrated into onboarding 

  • STR form and process are live internally 

  • Staff are trained and records are maintained 

  • Third-party KYC providers have been audited 

  • Five-year record retention system is operational 

  • Business plan and AML policy are fully aligned 

If you’re missing even one of these, don’t apply yet. The CBB expects real systems, not promises. 

Final Thoughts: Be the Startup That Gets It Right 

The crypto space is still young in the Gulf, and regulators want to support serious players. But they also want to keep bad actors out. If you treat AML like a regulatory tax, your application will reflect that. If you treat it like a foundation of long-term credibility, you’ll build a company that lasts. 

Show the CBB that you understand the risks, and are serious about managing them. That’s the difference between getting licensed and getting left behind. 

Disclaimer: The content of this blog is intended for informational purposes only and does not constitute formal legal advice. While every effort is made to ensure accuracy, the material is general in nature and may not reflect the most recent legal developments. No lawyer-client relationship is formed by reading or relying on this content. If you require legal assistance tailored to your specific situation, you are advised to consult directly through an appropriate channel. 
