Crypto Asset Wallet Due Diligence in the Era of AI

Tom Lazard, Deen Favaedi, Luke Gerken
| 7/7/2026
Financial services professionals review digital due diligence information related to evolving KYC and AML requirements.

Financial services organizations can take proactive steps to mitigate the risks of crypto asset wallets and AI-enabled finance activity.

AI is changing how customers interact with financial services, and many financial services organizations are encountering a growing gap between verifying the customer and understanding who or what initiates account activity. Financial services organizations should reassess know your customer (KYC) and customer due diligence (CDD) frameworks now to address crypto asset wallet-linked activity, delegated authority, and AI-enabled transaction initiation before those gaps create anti-money laundering (AML), fraud, or KYC monitoring blind spots, misaligned risk assessments, or regulatory exposure.

Keep informed
Sign up to receive the latest insights on strengthening your financial crime program.

AI-enabled tools, crypto asset wallets, and due diligence

Financial services organizations might verify the customer but not necessarily the actor initiating activity, and that gap is becoming more material as AI reshapes the financial services industry. AI traditionally has been discussed in financial crime compliance as an internal tool that can enhance monitoring, streamline investigations, support CDD operations, and improve regulatory filing processes. However, AI also is beginning to shape how customers interact with financial services, which raises new AML and KYC considerations.

Lloyds Banking Group’s 2025 Consumer Digital Index found that 56% of adults in the UK had used AI to help manage their money in the past year, and nearly one in three reported using AI weekly for personal finance. These examples demonstrate that the operational layer of the customer relationship is beginning to change even if the customer of record remains the same.

For AML and KYC programs, the challenge is that AI-enabled activity can move faster than human activity and blur the line between the verified customer and the actor that initiates activity. Traditional onboarding frameworks are designed to identify a person or legal entity, establish beneficial ownership where required, and assess the nature and purpose of the relationship. Those steps remain necessary, but they might not always be sufficient when financial activity is increasingly shaped by software acting through application programming interfaces (APIs), automated workflows, or wallets used to store and transfer value digitally.

Wallets come in various forms, and organizations must understand the risks and due diligence considerations associated with each. Bank wallets are digital payment or account-access wallets provided by regulated financial services organizations. Crypto asset wallets are tools used to store and transact in digital assets, whether they are tokenized or crypto assets. Unhosted wallets are crypto asset wallets controlled directly by the user rather than by a regulated intermediary. AML leadership should confirm that onboarding, customer due diligence, and transaction monitoring frameworks reflect how AI-enabled activity and wallet-based relationships operate.

If organizations fail to adapt their AML and KYC frameworks accordingly, the result might be misaligned customer risk assessments, incomplete onboarding assumptions, and monitoring blind spots when wallet-linked or AI-enabled activity begins. In higher-risk cases, particularly when unhosted wallets are involved, those shortcomings can also create regulatory exposure if the organization’s due diligence framework does not reflect how the relationship operates.

Because agentic commerce might challenge risk and compliance frameworks at the transaction level, focusing earlier in the customer life cycle prompts a practical question: What should organizations add to KYC when customer relationships involve AI-enabled tools, crypto asset wallets, and unhosted wallets?

Why traditional KYC might need to expand

Traditional KYC does not need to be replaced. Financial accounts are still opened and held by identifiable individuals or legal entities, and the Financial Crimes Enforcement Network’s (FinCEN’s) CDD rule still centers on four familiar obligations: identifying and verifying customers, identifying and verifying beneficial owners of legal entity customers, understanding the nature and purpose of customer relationships to develop customer risk profiles, and conducting ongoing monitoring to maintain and update customer information. Organizations must determine whether those obligations are being applied with enough specificity when customers use software, APIs, or crypto asset wallets to carry out account activity.

The core challenge is how onboarding can capture enough information about how the relationship will operate. If a customer relationship involves AI-enabled tools, organizations might need greater clarity into who is authorized to act, what permissions have been delegated, and whether crypto asset wallet activity is part of the expected operating model. Without that information available at onboarding, an organization might have a valid customer file but still lack a complete understanding of how activity will be initiated and conducted in practice. Framed this way, the primary challenge is one of KYC and CDD. Transaction monitoring still matters, but it should build on effective due diligence and ongoing risk reassessment rather than compensate for weaknesses in them.

Who is affected

Financial services organizations should pay attention because the AI element extends beyond crypto assets. The issue is most immediate for organizations that offer, support, or bank wallet-linked products and services, including crypto asset custodians, exchanges, stablecoin-related businesses, fintechs with wallet-based payment products, and banks that provide fiat on- and off-ramp services or banking services to crypto asset businesses. Financial Action Task Force’s (FATF’s) March 2026 report underscores why. Stablecoins had grown to more than 250 in circulation by mid-2025, with market capitalization exceeding $300 billion, and they represented roughly 30% of on-chain virtual asset transaction volume in 2025. For organizations operating in or around that ecosystem, wallet activity is not peripheral to the relationship. In fact, it often is central to how value moves.

In those organizations, the roles that are most affected are AML and KYC leaders, onboarding and CDD teams, crypto asset compliance leaders, fintech banking teams, product-risk teams, and governance functions responsible for approving wallet-linked customer activity. For those groups, the issue affects what gets asked at onboarding, what triggers enhanced due diligence (EDD), and what must be escalated when wallet-linked or AI-enabled activity changes the customer risk profile.

What organizations should add to KYC programs

Organizations with such exposure should consider adding a wallet and AI-enabled technology to supplement to their KYC process to make sure onboarding captures the information needed to understand wallet ownership, delegated authority, and AI-enabled activity. Organizations should consider the following areas:

  • Wallet ownership and control. Organizations should understand whether the customer will use hosted wallets, unhosted wallets, or both, and identify who controls those wallets. In AML terms, unhosted wallets create challenges similar to bearer instruments such as cash. Value can be controlled and transferred outside an intermediary, which makes source-of-funds and counterparty transparency harder to assess, including whether wallets are controlled directly by the customer, an affiliate, or a vendor; who has authority to initiate transfers; and whether control is centralized, shared, or delegated.
  • Purpose and expected wallet activity. If wallets are part of the relationship, organizations should understand how they are expected to be used. Is the wallet supporting treasury activity, settlement, customer payments, custody, trading, or internal transfers? What transaction volume, value, and frequency are expected? What types of counterparties are anticipated, and will activity move between hosted and unhosted environments? These are not crypto asset-specific add-ons; they are extensions of the basic KYC requirement to understand the nature and purpose of the relationship.
  • Unhosted wallet exposure. FATF’s March 2026 report identifies peer-to-peer transfers through unhosted wallets as a key stablecoin vulnerability because they occur without an intermediary subject to AML and countering the financing of terrorism obligations, which limits the customer and counterparty information typically available in account-based activity. In practical terms, organizations should determine whether unhosted wallet use is incidental, occasional, regular, or central to the customer’s business model; whether undeclared wallets are permitted; and how wallet ownership or legitimacy is verified.
  • AI-enabled tools, APIs, and automation. Organizations should ask whether the customer uses APIs, rules-based automation, or AI-enabled tools in connection with wallet activity, and, if so, what those tools are allowed to do. Are they used to route transactions, initiate transfers, or act within preconfigured thresholds? Who configures those rules? Is human override available? Is there an audit trail? The purpose is not to view the AI tool itself as the customer. It is to understand how the customer relationship is being operated and whether delegated or automated activity should affect the customer risk profile.
  • Governance and delegated authority. Organizations should understand who owns the relationship operationally, who approves wallet additions or changes in permissions, whether there is a documented change-management process, and what escalation path exists if activity deviates from expected use. The Bank for International Settlements has emphasized governance, accountability, transparency, and human oversight as core elements of AI use in the financial sector, and that principle remains relevant even when the AI is used by the customer rather than the organization itself.

Wallet-related due diligence: Part of the customer risk framework

Asking targeted questions helps organizations gather information and determine when a customer relationship should be treated differently. A strong KYC framework should define which responses fit within standard onboarding, which require enhanced due diligence, and which should trigger escalation or additional approvals. Potential triggers might include regular use of unhosted wallets, unclear wallet ownership or control, third-party or vendor-controlled wallet activity, AI-enabled or rules-based transaction initiation, frequent movement between hosted and unhosted environments, use of privacy-enhancing services without clear business rationale, or limited governance and auditability.

Consider a bank onboarding a fintech client that offers stablecoin-based payments or treasury services. Standard KYC might identify the legal entity, beneficial owners, and stated purpose of the relationship. But if the client sends or receives funds through unhosted wallets, uses AI-enabled tools to initiate transfers, or operates through APIs, then standard onboarding might not provide a full picture of how the relationship will function. This scenario demonstrates why wallet-related due diligence should sit inside the customer risk framework rather than alongside it.

The same principle applies to clients of exchanges, custodians, or other wallet-linked platforms. If the relationship is expected to involve movement between hosted and unhosted wallets, or if AI-enabled tools are part of the operating model, those details should be reflected in onboarding, periodic refresh, and escalation criteria. In the U.S., FinCEN’s 2020 proposal on certain transactions involving unhosted wallets underscored the same transparency concern by proposing additional recordkeeping and reporting obligations tied to those transfers, even though the proposal was never finalized into a binding rule.

Proactive steps for organizations

When working with wallets, organizations do not need to build an entirely new compliance framework. However, they should determine whether wallet-linked and AI-enabled customer activity already touches the organization’s products, customers, and onboarding model.

Some organizations should act now, including organizations that directly offer, support, or bank wallet-linked and crypto asset activity, such as custodians, exchanges, stablecoin-related businesses, fintechs with wallet-based payment products, and banks that provide fiat on- and off-ramp services or banking services to crypto asset businesses. For those organizations, this is an imperative. If onboarding, due diligence, and escalation criteria do not reflect how wallet-linked and AI-enabled activity occurs, the organization might already be relying on an incomplete customer risk profile.

Other organizations should prepare now, including those that are evaluating wallet-linked products, stablecoin capabilities, or customer segments that could introduce unhosted wallet exposure, delegated activity, or AI-enabled account use. For those organizations, the priority is to identify where that exposure is likely to emerge and determine whether current KYC and CDD standards will effectively support the business model if it expands.

Other organizations might not need immediate redesign, but they should have a plan for when such activity becomes relevant. In those cases, the focus might be narrower and identify where AI-enabled customer activity, APIs, or future wallet-linked relationships could change onboarding expectations or due diligence requirements.

A practical starting point for financial services organizations is to evaluate five targeted questions:

  • Do we know which products, services, and customer segments create wallet-linked exposure?
  • At onboarding, do we capture whether the customer will use hosted wallets, unhosted wallets, APIs, or AI-enabled tools?
  • Do we understand who controls what activity, what authority has been delegated, and what approvals govern it?
  • Have we defined which responses should trigger enhanced due diligence, escalation, or additional approvals?
  • Do our governance, refresh, and change-management processes capture when wallet use or automation changes after onboarding?

Not being able to answer those questions often is the clearest sign that current KYC and due diligence processes might not be sufficient for wallet-linked and AI-enabled customer activity. In many cases, the right next step is not a full redesign, but a targeted KYC and CDD assessment focused on wallet-linked exposure, onboarding questions, EDD triggers, governance, and escalation criteria.

Organizations that take that step now can better position themselves to determine whether they need targeted updates, a broader control redesign, or a more detailed review of how onboarding, wallet-related due diligence, and escalation should work in practice.

A targeted review can help determine whether current KYC controls align to the products offered, the customers served, and the visibility the organization has into wallet-linked and AI-enabled activity. For many organizations, the more immediate risk is assuming existing KYC processes already capture activity they were never designed to assess.

Fight financial crime with a team that understands the stakes

With more than 40 years of experience working with financial services companies, our financial crime specialists know how to help you address risks in ways that make sense for your organization.