Regulatory Compliance
Where organizations must perform digital control
The new Russian Federal Law mandates KYT for all digital currency market participants. We break down every checkpoint — where exactly and why address verification is required.
01How outsourcing works
The law permits delegating KYT checks
Article 24 part 3 explicitly allows outsourcing KYT checks — simply connect a specialized provider.
Organizations are not required to build their own digital control system. Engaging a specialized provider is sufficient — the responsibility for conducting checks transfers to them contractually.
Bill No. 1194918-8 · Article 24 · Part 3
«A person organizing the circulation of digital currency (digital rights) may engage third parties to ensure digital control is carried out, unless otherwise established by a regulatory act of the Bank of Russia.»
Exchange / Swap / Depositary
Must perform digital control (Art.24 pt.2)
KYTcheck.ru
Digital control provider · Data in Russia · 300ms
02Who must comply
Mandatory digital control subjects
Articles 3–7 establish an exhaustive list of organizations permitted to work with digital currency — all must perform digital control for every transaction.
Art. 3
Trading organizer
Exchanges and trading systems licensed under FZ-325
Art. 4
Broker
Licensed for brokerage activities under FZ-39
Art. 5
Trustee
Management companies and managers under FZ-156
Art. 6
Digital depositary
Included in the Bank of Russia registry
Art. 7
Digital currency exchange organization
Exchangers, p2p platforms, OTC desks with volume exceeding 3.5M RUB per month
⚠ Threshold: over 3.5M RUB per month
03KYT checkpoint diagram
At what transaction stage KYT is required
Digital control is mandatory at five points in the transaction flow. The law explicitly states — verification must be performed for every transaction.
🔄 For exchanges / trades — KYT for both counterparties (Art.7, Art.24)
| № | Event / operation |
|---|---|
| 1 | Incoming deposit — crediting |
| 2 | Outgoing withdrawal |
| 3 | Exchange and trading operations |
| 4 | Digital rights placement |
| 5 | Ongoing monitoring of active wallets |
Incoming deposit — crediting
Art. 24 pt.2 · Art. 31 pt.5When digital currency arrives at a client's address, the organization must verify the sender's address before completing the credit. If suspicious — the depositary must return the funds and restrict access.
What is checked:Sender address identifier, transaction history, connection to illegal activity
Who checks:Digital depositary, trading organizer, broker
Timing / deadline:Before credit completes. On refusal — next business day to report to Rosfinmonitoring
Outgoing withdrawal
Art. 24 pt.2, pt.4, pt.5When a withdrawal is initiated, the organization checks the recipient address. On suspicious activity — mandatory refusal. The refusal must be reported to Rosfinmonitoring by the next business day.
What is checked:Destination address, sanctions lists, connection to mixers, darknet, fraud
Who checks:All organizations under Art.3–7: exchanges, brokers, swaps, depositaries
Timing / deadline:Before transaction execution. On refusal — Rosfinmonitoring report next business day
Exchange and trading operations
Art. 7 · Art. 24 pt.2When executing a buy/sell or exchange transaction, the organization checks both address identifiers. Applies to all exchangers with volume over 3.5M RUB/month and all exchanges.
What is checked:Both counterparty addresses, source of funds, risk level of each side
Who checks:Trading organizer (Art.3), broker (Art.4), exchanger (Art.7)
Timing / deadline:Before order execution — before actual fund transfer
Digital rights placement
Art. 33 pt.9During initial placement of digital rights (tokens/DFA), the operator must identify all acquirers and check addresses. Crediting is only possible after successful identification.
What is checked:Acquirer identity (KYC) + address identifier for digital rights credit
Who checks:Digital rights placement operator (included in Bank of Russia registry)
Timing / deadline:Crediting prohibited until identification complete — blocking condition (Art.33 pt.9)
Ongoing monitoring of active wallets
Art. 24 pt.6 · Art. 31Digital control rules mandate not only one-time but also periodic checks. Risk profiles change — an address that was clean yesterday may appear on a sanctions list today.
What is checked:Risk profile changes for existing client addresses, sanctions list updates
Who checks:All Art.3–7 subjects under approved digital control rules
Timing / deadline:Established by internal digital control rules of the organization
What happens after the check
0–25
Low risk
Operation approved. Funds credited, withdrawal or exchange completed without delay.
26–74
Medium risk
Manual review. Operation suspended. Compliance officer makes the decision.
75–100
High risk
Mandatory refusal (Art.24 pt.4). Report to Rosfinmonitoring by next business day (Art.24 pt.5).
04Legal basis
Key articles of the law
The exact provisions that obligate organizations to perform KYT checks for every digital currency transaction.
Federal Law "On Digital Currency and Digital Rights" — Article 24 "Digital Control"
Enters into force July 1, 2026
Art. 24 pt.1
What is digital control
Show quote from law
«...a set of measures for checking digital currency and address identifiers for connections to activities subject to criminal or administrative liability, including risk level assessment of the transaction»
Art. 24 pt.2
Mandatory for every transaction
Show quote from law
«...when conducting transactions with digital currency, must ensure digital control over the digital currency and address identifiers used in transactions»
Art. 24 pt.3
KYT providers may be engaged
Show quote from law
«...may engage third parties to ensure digital control is carried out, unless otherwise established by a regulatory act of the Bank of Russia»
Art. 24 pt.4
Mandatory refusal on suspicion
Show quote from law
«...must refuse to execute the transaction if suspicions arise regarding the connection of digital currency and address identifiers to activities subject to criminal or administrative liability»
Art. 24 pt.5
Mandatory Rosfinmonitoring notification
Show quote from law
«...must document and report to the federal anti-money laundering authority all refusals no later than the next business day following the refusal decision»
Art. 31 pt.5
Return and access restriction
Show quote from law
«Upon crediting digital currency that raises suspicion, the digital depositary must return the funds and immediately restrict access to the address identifier»
Law enters into force
All organizations must have a digital control system in place. Penalties for non-compliance — from 1.5M RUB, up to exclusion from the Bank of Russia registry (Art.46).
July 1, 2026
approximately 3 months remaining
Ready for July 1, 2026?
KYTcheck.ru — Russian KYT provider with servers in Russia, Rosfinmonitoring integration, and full compliance with the new law. Integration in 1 day.
Часто задаваемые вопросы
Who must perform KYT under the new digital currency law?
All organizations in Bank of Russia registries: exchanges (Art.3), brokers (Art.4), trustees (Art.5), digital depositaries (Art.6), and exchangers (Art.7). For exchangers, the threshold is over 3.5M RUB per month.
At what transaction stage must KYT be performed?
KYT is mandatory at five checkpoints: incoming deposit, outgoing withdrawal, exchange/trading, digital rights placement, and ongoing monitoring.
Is it necessary to build an in-house KYT system?
No. Article 24 part 3 explicitly allows outsourcing — engaging third parties for digital control.
When does the digital control law take effect?
The main provisions enter into force on July 1, 2026.
What are the penalties for non-compliance?
Fines from 1.5M RUB, up to exclusion from the Bank of Russia registry (Art.46) and loss of the right to work with digital currency.