The report said that as of April 2026, regulatory frameworks for digital assets are becoming more defined in key jurisdictions including the United States, the European Union, Hong Kong and Singapore. It said the industry is moving beyond early-stage self-regulation and reactive enforcement toward comprehensive compliance covering licensing, anti-money laundering (AML), security audits and reserve management.
CertiK listed four major shifts: tougher AML enforcement; smart-contract security audits moving into formal regulatory requirements; convergence in stablecoin standards; and changes in institutional participation as bank prudential rules are introduced.
Enforcement focus shifts from securities status to AML
The report said global enforcement is increasingly centered on controlling fund flows rather than debating whether tokens are securities.
From 2024 to 2025, the U.S. Securities and Exchange Commission’s crypto-specific enforcement actions and penalty totals declined, while the U.S. Department of Justice and the Financial Crimes Enforcement Network stepped up AML-related actions, it said. In the first half of 2025 alone, more than $900 million in fines and settlements were imposed in AML-related matters.
It cited sanctions involving OKX and KuCoin. OKX reached a $504 million settlement over allegations tied to operating an unlicensed money services business and violating the Bank Secrecy Act. KuCoin agreed to a $297.4 million settlement over similar violations.
CertiK said the cases show that exchanges’ transaction monitoring, customer due diligence and sanctions screening have become core regulatory risks, not just internal controls.
The report also noted regional differences. Europe has tended to respond by raising the level of AML fines and sanctions, while Asia-Pacific regulators more often rely on license revocations, business restrictions and corrective orders rather than monetary penalties.
“The logic of digital-asset regulation is shifting from disputes over an asset’s legal character to controlling fund flows and market access,” the report said, adding that transaction monitoring, suspicious-activity reporting and sanctions screening will be key capabilities for exchanges and custodians.
Smart-contract audits become a market-entry requirement
CertiK said security regulation is also tightening. Smart-contract audits, once closer to an industry best practice, are increasingly being treated in major jurisdictions as a de facto requirement for licensing, token listings and asset-approval processes.
Hong Kong, the United Arab Emirates, Singapore and Brazil are incorporating independent security assessments into licensing reviews or asset approvals, the report said. Hong Kong applies smart-contract audit requirements in its stablecoin issuer authorization process, and Dubai’s Virtual Assets Regulatory Authority, or VARA, requires regular smart-contract audits for licensed entities.
The EU’s Digital Operational Resilience Act, or DORA, strengthens obligations for operational resilience, information and communications technology risk management and security testing for financial institutions and related service providers, it said. VARA requires annual smart-contract audits and can order threat-based penetration testing when needed. Brazil’s central bank requires independent technical certification in the licensing process for virtual asset service providers, including cybersecurity, segregated custody and key-management systems.
CertiK’s internal analysis found that about 80% of projects that later suffered hacking losses had not undergone an official security audit before the incident, and those projects accounted for more than 89% of total losses.
Attack patterns are also changing, the report said. In 2025, about 76% of total losses were attributed to infrastructure-layer issues such as private-key leaks and failures in access-permission management. That indicates operational security, key management and access controls are driving larger losses than traditional code vulnerabilities.
CertiK said regulators’ security expectations are expanding beyond code reviews to broader assessments that include key management, operational security, penetration testing and internal controls.
Stablecoin rules converge around reserves and licensing
The report said stablecoins are the area where global standards are converging fastest.
It cited the U.S. GENIUS Act, the EU’s Markets in Crypto-Assets regulation, or MiCA, Hong Kong’s stablecoin rules and Singapore’s payment services licensing framework. While details differ, the report said these regimes generally share core principles: reserves backed by fiat currency or highly liquid assets; limits on algorithmic stablecoins; independent reserve audits; licensing of issuers; and guaranteed redemption rights.
However, the report said reserve composition rules, audit frequency, capital requirements and how foreign issuers are recognized are not yet fully aligned. As a result, stablecoin issuers face the challenge of meeting multiple, differing regulatory systems at the same time, not merely securing legal status in one market.
For global operators, the report pointed to burdens including conflicting reserve rules across regions, the lack of mutual recognition for licenses and rising compliance costs. It said oversight by central banks and financial regulators is likely to intensify as stablecoins become more connected to payment infrastructure.
Basel standards expected to reshape banks’ crypto exposure
The report said the structure of institutional and banking participation in digital assets is also changing.
It forecast that the Basel Committee on Banking Supervision’s prudential standards for cryptoassets will be incorporated into national regulatory systems in stages. The framework classifies digital assets by risk characteristics and applies differentiated capital requirements depending on what banks hold.
Stablecoins and tokenized traditional financial assets that meet regulatory requirements may receive relatively lower risk weights, while unsecured digital assets such as bitcoin would face higher capital charges, it said.
CertiK said this is likely to influence banks’ and large financial institutions’ strategies, with institutional capital more likely to concentrate in digital assets that demonstrate regulatory compliance, reserve transparency, securities-like structures and robust custody.
“Compliance is no longer optional”
CertiK said that while major regulatory systems are gradually converging, the compliance barriers companies must clear continue to rise. It said AML, security audits, reserve management and license maintenance are becoming ongoing costs for digital-asset firms expanding globally.
Stefan Muehlbauer, CertiK’s head of U.S. government policy, said, “The era of ambiguous digital asset regulation is already over,” adding that enforceable regulatory systems are spreading quickly across major markets worldwide.
“The key question for institutional investors and companies is no longer ‘Do we need compliance?’ but ‘How quickly can we build compliance infrastructure that meets regulatory requirements and can actually be enforced?’” he said.
The report said Web3 firms and institutions operating across multiple jurisdictions should incorporate licensing, upgraded AML systems, ongoing security audits and key-management programs into long-term capital planning. It said security and compliance are becoming decisive conditions for market entry as the digital-asset industry moves into formal regulation.
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.