A bank application file for a regulated crypto firm is 50–100 pages. The contents are surprisingly standardised across credible institutions — the questions are predictable, the document expectations are documented, the diligence flow is repeatable. What separates the eight-week files from the twenty-week files is not the content; it is the completeness, internal consistency, and pre-emptive evidencing that signals to the bank's risk committee this is a file built by people who have done it before.
Crypto firms face deeper diligence than other regulated fintechs. The bank is underwriting not just the entity but the on-chain risk surface: custody architecture, Travel Rule compliance, blockchain analytics integration, sanctions screening on-chain, and the segregation of fiat from crypto. The file therefore has twelve sections, not the nine that suffice for a non-crypto EMI — and three of those twelve are unique to crypto.
This is the full file inventory we ship for CASP and VASP clients in 2026: the twelve sections, the order banks read them, the five most common gaps, the pre-emptive remediation that compresses diligence, and the diligence-call questions you will be asked to defend the file in real time.
Why crypto firms get more diligence than other fintechs
Three structural reasons. First, regulatory framework risk: MiCA[1] is new (fully applied 30 December 2024) and supervisors are still calibrating expectations — banks therefore overweight conservatism. Second, AML risk surface: crypto flows expose the bank to on-chain mixing, cross-chain bridging, and sanctions-evasion vectors that simply do not exist in fiat-only payments. Third, reputational risk: a single FT-front-page incident at one CASP can prompt the bank to de-risk the entire crypto book.
The diligence depth is therefore 1.5x to 2x what a non-crypto fintech faces. The total page count is roughly the same; the depth in each section is materially deeper.
The twelve-section file inventory
1. Authorisation pack
Full CASP authorisation (or VASP registration where MiCA does not yet apply), licence grant letter, the public register entry (e.g. FCA Cryptoasset Register[2] for UK firms, the equivalent NCA register elsewhere), the full Programme of Operations as filed, and any conditions imposed at authorisation. Banks confirm the register entry matches what you have submitted.
2. Beneficial ownership and source of wealth
The hardest section for crypto firms. Banks want UBO traced to natural persons with documented source of wealth that does not derive from anonymous on-chain activity. Founders who built equity through trading or token sales need a paper trail — dated wallet origination, capital-gains filings, banking history of the realised proceeds. Anonymous early-Bitcoin wealth is the single most common rejection point.
3. AML/CTF programme
Full AML/CTF policy aligned with AMLR (Regulation 2024/1624)[3], customer risk model with crypto-specific risk factors (mixer exposure, privacy-coin policy, peeling-chain detection, bridge-exposure scoring), EDD triggers including on-chain factors, transaction monitoring rules covering both fiat and crypto legs, sanctions screening across both. Generic templates fail in one read.
4. Travel Rule architecture
Crypto-specific. FATF Recommendation 16 'Travel Rule'[4] requires originator and beneficiary information to travel with crypto transfers above the threshold. Document your Travel Rule provider (Notabene, Sumsub, Sygna, Veriscope), the protocols supported (TRP, IVMS101), threshold logic, sunrise-jurisdiction handling, and the self-hosted-wallet policy. Banks will ask in interview which provider you use and why.
5. Blockchain analytics integration
Crypto-specific. Document the on-chain analytics vendor stack — Chainalysis, Elliptic, or TRM Labs are the three credible options for institutional firms. Show the integration points: pre-deposit screening, post-deposit risk scoring, withdrawal screening, KYT (Know-Your-Transaction) thresholds, alert workflow, and false-positive tuning history. Single-vendor stacks are common; the bank wants to see the workflow, not the vendor list.
6. Custody architecture
Crypto-specific. Document the custody model: self-custody with MPC, qualified custodian arrangement, or hybrid. Hot/warm/cold split, cold-storage operating procedures, key-ceremony documentation, signer policy, withdrawal authorisation matrix, insurance arrangements, segregation of customer assets from house assets, daily proof-of-reserves protocol. Banks now expect quarterly Merkle-tree proof-of-reserves attestation from any CASP they bank.
7. Sanctions and on-chain screening
Sanctions list coverage (OFAC SDN, EU consolidated, UN, UK HMT), on-chain sanctions screening for known SDN-linked addresses, mixer / sanctioned-protocol policy (Tornado Cash, Sinbad), refresh frequency, exception handling, and the documented response to an OFAC alert. Tornado Cash exposure policy is now a standard interview question.
8. Treasury and crypto-fiat segregation
How customer fiat is segregated from house fiat, how customer crypto is segregated from house crypto, the no-rehypothecation policy, treasury operations across multiple banks, FX execution policy, and the policy on stablecoin treasury (which stablecoins are accepted, which issuers are on the whitelist, and the MiCA EMT/ART classification logic).
9. Capital and ICAAP
MiCA Annex IV minimum own funds (€50,000 / €125,000 / €150,000 by class), ICAAP including crypto-specific operational risk (custody loss, oracle failure, smart-contract risk for tokenised products), 36-month capital projection, stress-testing including a 50% crypto market drawdown, liquidity buffer composition.
10. Governance and key persons
Board fit-and-proper, MLRO appointment with crypto-specific competence evidence (banks now reject MLROs whose CV is fiat-only AML), CISO and risk officer, three-lines-of-defence model, organisational chart, and the key-person risk analysis where founders hold critical operational keys.
11. BCP, DR and DORA
Standard BCP, IT DR, RTO/RPO, vendor concentration, cyber-incident response — plus crypto-specific items: cold-storage continuity in a key-personnel-loss event, blockchain-fork policy, exchange-listing-delist procedures. Mandatory DORA[5] ICT-third-party risk programme aligned to the 17 January 2025 application date.
12. Audited financials and shareholders
Audited accounts, management accounts to most recent month, shareholder list with UBO breakdown, source-of-wealth dossier for any UBO above 25%, PEP screening at the shareholder level, group structure chart, and — critically for crypto — a no-token-treasury declaration or, if applicable, full disclosure of the firm's own token holdings on its balance sheet.
The twelve sections of a 2026 crypto-firm bank diligence file.
| # | Section | Crypto-specific? | Page count |
|---|---|---|---|
| 1 | Authorisation pack | Partial — CASP/VASP scope | 5–10 |
| 2 | Beneficial ownership and source of wealth | Heightened | 5–15 |
| 3 | AML/CTF programme | Heightened | 10–20 |
| 4 | Travel Rule architecture | Yes | 3–6 |
| 5 | Blockchain analytics integration | Yes | 3–6 |
| 6 | Custody architecture | Yes | 5–10 |
| 7 | Sanctions and on-chain screening | Heightened | 3–5 |
| 8 | Treasury and crypto-fiat segregation | Yes | 3–6 |
| 9 | Capital and ICAAP | Heightened (stress-testing) | 5–10 |
| 10 | Governance and key persons | Partial | 3–7 |
| 11 | BCP, DR and DORA | Partial | 5–10 |
| 12 | Audited financials and shareholders | Heightened | 5–12 |
How banks read the file
The reading order is predictable. Authorisation first (does the licence cover the proposed activity?). UBO and source of wealth second (who actually owns this and where did the money come from?). AML programme third (can this firm detect what it needs to detect?). Then a sequenced read through the technical sections. Reject in the first three and the rest never gets read.
The five most common gaps in 2026
1. Anonymous early-Bitcoin source of wealth
Founder accumulated equity from on-chain wealth in 2014–2018 with no contemporaneous KYC, no bank record of realisation, no capital-gains filing. The bank cannot underwrite the relationship without a documented chain of custody back to legitimate origination. Pre-empt by constructing the dossier years before banking: exchange statements, dated wallet origination, tax filings, on-chain proof of pre-mining or pre-ICO participation, contemporaneous correspondence.
2. Generic AML policy with crypto sections bolted on
Templated fiat AML policies with a Travel Rule paragraph appended fail in the first read. Pre-empt by commissioning a crypto-native AML policy from the ground up — customer risk model with on-chain factors, TM rules covering both legs, EDD triggers including mixer/bridge exposure.
3. No proof-of-reserves protocol
Post-FTX, banks expect quarterly proof-of-reserves attestation from any custodial CASP. Firms without one are flagged for either segregation risk or rehypothecation risk. Pre-empt by adopting a Merkle-tree-plus-attestation protocol with a Tier-1 audit firm before applying.
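The liabilities side of a Merkle-tree proof-of-reserves can be sketched as follows. This is an added example, not code from the original article or from any auditor's protocol. The article does not say which tree construction is expected, so this assumes the Merkle-sum variant, in which every node also commits to the sum of balances beneath it. The ledger rows, nonces and function names are constructed for illustration.

```python
import hashlib

# Constructed sample ledger: (account id, balance in minor units, per-customer nonce).
LEDGER = [("acct-001", 1_500_000, "n-7f3a"), ("acct-002", 250_000, "n-91c2"),
          ("acct-003", 4_000_000, "n-0be8")]
PAD = (hashlib.sha256(b"pad").digest(), 0)  # zero-balance filler for odd levels

def leaf(account_id, balance, nonce):
    """Leaf node = (hash, balance); the nonce keeps the account id unguessable."""
    if balance < 0:
        raise ValueError("negative liabilities would hide other customers' balances")
    data = f"leaf|{account_id}|{balance}|{nonce}".encode()
    return hashlib.sha256(data).digest(), balance

def parent(left, right):
    """Parent commits to both child hashes and both child sums."""
    data = (b"node|" + left[0] + left[1].to_bytes(16, "big")
            + right[0] + right[1].to_bytes(16, "big"))
    return hashlib.sha256(data).digest(), left[1] + right[1]

def build_levels(leaves):
    """Return every tree level, leaves first; levels[-1][0] is the root."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(PAD)
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Inclusion path for one customer: (sibling node, sibling_is_left) per level."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))
        index //= 2
    return path

def verify(leaf_node, path, root):
    """Customer-side check: recompute the root from the customer's own leaf."""
    node = leaf_node
    for sibling, sibling_is_left in path:
        if sibling[1] < 0:  # reject negative sums smuggled into the path
            return False
        node = parent(sibling, node) if sibling_is_left else parent(node, sibling)
    return node == root

if __name__ == "__main__":
    levels = build_levels([leaf(*row) for row in LEDGER])
    root = levels[-1][0]
    print("total liabilities:", root[1], "root:", root[0].hex()[:16])
    print("acct-003 included:", verify(leaf(*LEDGER[2]), prove(levels, 2), root))
```

The root's sum is the total customer liability the attestation compares against reserves actually held; the tree alone proves inclusion and the liability total, not that the reserves exist.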
4. Self-hosted-wallet policy missing
AMLR (Article 79–80) tightens controls on transfers to/from self-hosted wallets above €1,000. Banks expect a documented policy: enhanced verification, ownership-proof mechanism (signed-message or Satoshi test), risk-scoring of the receiving address. Files that omit this section get sent back.
5. Tornado Cash / mixer policy ambiguous
OFAC's Tornado Cash designation (and its legal aftermath) means banks expect a clear documented policy on mixer-tainted deposits, with a deterministic decision tree and an escalation path. 'Case-by-case' is not an answer that survives diligence.
Common gaps and pre-emptive remediation.
| Gap | Remediation | Lead time |
|---|---|---|
| Anonymous SoW | Construct documented dossier with contemporaneous evidence | 12–24 months |
| Generic AML policy | Commission crypto-native policy and TM ruleset | 3–6 months |
| No proof-of-reserves | Adopt Merkle-tree + Tier-1 attestation protocol | 3–6 months |
| Self-hosted wallet policy missing | Document AMLR-aligned procedure with ownership proof | 1–3 months |
| Mixer policy ambiguous | Codify a deterministic decision tree | 1–2 months |
The diligence calls — what banks ask in interviews
After the file is read, the bank schedules two to four diligence calls. The MLRO call. The CTO/security call (custody and analytics). The CFO call (capital and treasury). The founder call (governance and exit). Expect questions like:
Walk us through what happens when an inbound deposit is flagged by your analytics provider with a 6/10 risk score.
What is your policy on a customer depositing from Tornado Cash today?
Show us the SAR you filed last quarter.
Walk us through your cold-storage key ceremony and the recovery procedure if your founder dies tomorrow.
Where did the founder's equity come from in dollar terms, and where can we trace it?
What is your policy on customers from sanctioned jurisdictions, and how is geo-fencing enforced?
How would your customer fiat balance be returned in a 24-hour wind-down?
Vague answers fail. The interviewers are looking for specificity, repeatability, and documented evidence.
Pre-emptive remediation: the eight-week file
Files that compress diligence to eight weeks share five attributes: complete document set on first submission, internally consistent across all sections, evidenced rather than asserted (training logs, SAR registers, audit reports), front-loaded with the strongest material, and pre-cleared by an external reviewer before submission. The economic value of a six-week compression is substantial: revenue starts six weeks earlier and the bank's risk team has fewer follow-up cycles, which reduces the probability of late-stage rejection.
Frequently Asked Questions
How long should I expect bank diligence on a CASP file to take?
Eight to twenty weeks at credible institutions, depending on file quality. The strongest correlate is not the size of the firm but the completeness and internal consistency of the initial submission. Files needing more than three follow-up rounds usually do not get past credit committee.
Do all banks ask for proof-of-reserves?
Most credible banks now do, post-FTX. The cadence is typically quarterly with a Merkle-tree mechanism plus a Tier-1 audit firm attestation. Some banks accept self-attestation in the first 12 months but expect external attestation thereafter.
What's the difference between AMLD and AMLR for crypto firms?
AMLD is a directive (transposed nationally); AMLR is a regulation (directly applicable EU-wide from 10 July 2027). AMLR introduces a single rulebook with prescriptive controls including the €1,000 self-hosted-wallet threshold and AMLA direct supervision of selected CASPs. Banks now expect AMLR-readiness in 2026 even though application is 2027.
Does my MLRO need crypto-specific experience?
Yes. Fiat-only AML CVs are now flagged at most banks. The bank wants to see hands-on experience with on-chain analytics, Travel Rule, mixer policy, and crypto SAR filings. A senior fiat MLRO with a junior crypto deputy is acceptable; a senior fiat MLRO without crypto bench is not.
Can I use one Travel Rule provider for all corridors?
Most institutional CASPs run a single primary provider with fallback messaging via IVMS101 for counterparties on different protocols. Document the protocol coverage and the sunrise-jurisdiction handling (jurisdictions where the Travel Rule has not yet entered force) so the bank sees you have thought about coverage gaps.
The file is the firm. Banks underwrite the document set as much as the entity behind it — because the document set is what they will be asked to defend if a supervisor returns to the relationship in eighteen months. Build the file to supervisor-grade depth, not minimum-viable, and the eight-week diligence becomes achievable.
Footnotes & Citations