Crypto Services and Payment Risk: A Model Classification Framework for Risk Leaders

How acquirers, PayFacs, and compliance teams can identify whether a crypto merchant is a broker, custodial wallet, or exchange before misclassification creates licensing gaps, chargeback exposure, or sanctions violations.
Ballerine team
Mar 16, 2026

A merchant application arrives listing "crypto services" as the business description. The merchant says they are a wallet provider. They have a FinCEN registration and a clean-looking website. For heads of risk, compliance leaders, and underwriting teams, the question is not whether crypto is automatically high risk. The question is whether the merchant can prove what model they actually operate, because the model determines everything.

A wallet is not a broker. A broker is not an exchange. One-size-fits-all controls applied across all three create compliance gaps in either direction: insufficient controls on a custodial exchange offering leverage trading, or unnecessary restrictions on a non-custodial wallet with no fund custody at all.

Crypto is not one vertical. The model changes the risk.

Why the Model Determines the Risk

Custody determines licensing obligations.

Who holds customer private keys determines whether a merchant is subject to money transmission licensing requirements across U.S. states. A non-custodial wallet provider, which never controls customer funds, operates under a fundamentally different regulatory burden than a custodial exchange holding millions in customer assets. Treating both identically is the most common underwriting error we see in this vertical.

Fiat on-ramps create direct payment processor exposure.

When a crypto merchant accepts credit cards or ACH transfers to fund customer accounts, the fiat payment rail creates direct chargeback, fraud, and card network compliance obligations that belong to the processor as much as the merchant. A broker who delivers Bitcoin to an external wallet within minutes of a credit card charge, with no hold period, is creating a chargeback risk profile that requires specific controls. Reviewing the crypto operations alone, without the payment integration, leaves the most actionable risk unaddressed.

Licensing gaps and sanctions violations are not merchant problems in isolation.

A custodial exchange serving U.S. customers without proper state money transmission licenses creates regulatory exposure for the payment processor facilitating their operations. OFAC sanctions violations at the merchant level are not confined to the merchant. Payment processors facilitating transactions to sanctioned jurisdictions face direct civil and potentially criminal liability.

The burden of classification has shifted.

Regulatory scrutiny of crypto merchant portfolios has increased across acquiring banks, card networks, and state regulators. Compliance teams can no longer accept "we are a wallet" as a sufficient description. The framework below provides the five dimensions we use to classify crypto merchants by actual operational model, not self-description.

The Core Framework: Five Critical Classification Dimensions

The comprehensive guide outlines a five-part classification framework built from operational analysis of crypto merchant applications:

1. Custody and Fund Control Determines the Foundational Classification

The single most important question in crypto merchant underwriting is: "Who holds the private keys to customer crypto assets?" This question determines custody classification, which in turn determines licensing requirements, monitoring obligations, and appropriate risk controls.

Custodial merchants (those who hold or can access customer private keys) require money transmission licenses in most U.S. states and are subject to full Bank Secrecy Act (BSA) obligations including a Customer Identification Program (CIP), transaction monitoring, and Suspicious Activity Report (SAR) filing. Non-custodial merchants (those whose customers exclusively control their own keys) face lower regulatory burden, though not zero obligations.

Key insight: If the merchant can freeze a customer account, prevent a withdrawal, or access customer keys under any circumstance, they have custody regardless of how they describe their service. Test this directly with two questions: "Can you freeze a customer account?" and "Do you possess or have access to any customer private keys?" Policy documents and technical descriptions follow from those answers.

The guide details how to evaluate ambiguous custody claims, including merchants who claim non-custodial status while operating multi-signature key arrangements where the merchant controls the majority of signing keys. It also covers broker models where custody during settlement is brief but must be clearly bounded by time and process.

2. On-Ramp and Off-Ramp Infrastructure Reveals Payment Risk

How customers convert fiat to crypto (on-ramp) and crypto to fiat (off-ramp) determines chargeback exposure, fraud risk, and whether the merchant is subject to card network rules. This is where payment processor risk is most directly created, yet it is the dimension most frequently underweighted in crypto merchant reviews.

For credit card on-ramps, the critical variable is whether the merchant delivers crypto to external wallets before any hold period expires. Instant delivery to external customer-controlled wallets makes chargebacks completely unrecoverable. A customer dispute filed 30 days after a credit card crypto purchase cannot be remediated once Bitcoin has been transferred through multiple external wallets.

For off-ramps, the critical variable is whether fiat withdrawal destinations are verified to match the customer's identity. Allowing fiat withdrawals to any bank account, without verification that the account belongs to the verified customer, enables money laundering and structuring patterns.

Key insight: The on-ramp and off-ramp controls are as important as the crypto operations themselves. A merchant with strong KYC (Know Your Customer) procedures who nonetheless delivers crypto instantly to external wallets on credit card purchases has a fundamental chargeback control gap. The merchant underwriting review must cover payment integration controls specifically, not just crypto operations.

The guide provides specific testing protocols: verify whether new accounts face purchase limits before external transfers are permitted, confirm that withdrawal bank accounts require pre-verification matching customer identity, and document the sanctions screening process for all off-ramp destinations.

3. Trading Capabilities and Leverage Exposure Determine Regulatory Classification

Spot trading (buying and selling crypto at current market prices) creates different regulatory obligations than margin trading (using borrowed funds) or derivatives trading (futures, options, perpetual swaps). Merchants frequently describe their services as "trading platforms" without disclosing leverage ratios or derivatives availability, which conceals significant regulatory exposure.

Derivatives trading is subject to Commodity Futures Trading Commission (CFTC) jurisdiction in the United States. Operating a derivatives platform without registration as a Futures Commission Merchant (FCM) is illegal. Payment processors facilitating unregistered derivatives platforms face regulatory liability. This is not a marginal risk: enforcement actions against unregistered crypto derivatives platforms have resulted in substantial penalties.

Key insight: Review the merchant's platform directly before relying on their description. If the interface displays leverage ratios, perpetual contract listings, or futures markets, the merchant is operating derivatives services regardless of how they described the business model in their application. Cross-reference against the National Futures Association (NFA) BASIC database (nfa.futures.org/basicnet) and the SEC EDGAR system to verify registrations claimed.

The guide also covers token listing practices, including the risk profile of merchants listing tokens subject to active SEC enforcement, and the additional Anti-Money Laundering (AML) requirements that apply to platforms offering privacy coins such as Monero or Zcash.

4. Geographic Restrictions and Licensing Posture Reveal Jurisdictional Risk

Crypto merchants operate across jurisdictions with fundamentally different regulatory frameworks. A merchant licensed in one U.S. state who serves customers in 40 states without corresponding licenses is not a compliant operation. A merchant claiming exemption from state money transmission requirements without supporting legal analysis has not established a defensible compliance posture.

The most critical geographic risk is sanctions compliance. Providing crypto services to customers in comprehensively sanctioned jurisdictions (Iran, North Korea, Syria, Cuba) violates OFAC regulations. Merchants who lack geographic blocking controls, who permit VPN access without detection, or who claim inability to verify customer location have created sanctions exposure that extends to their payment processors.

Key insight: Verify licensing through primary sources, not merchant-provided documentation. FinCEN MSB registration can be confirmed through the FinCEN MSB Registrant Search. State money transmission licenses can be verified through state regulator websites. Merchant monitoring should include licensing status as a tracked variable, with alerts triggered if licenses expire or are revoked post-onboarding.

The guide details how to test KYC enforcement in practice: verify that account creation requires identity verification before any service access, not as a post-deposit step. Merchants with post-deposit KYC have made a deliberate choice to prioritize revenue over compliance. That choice has implications for the entire payment processing relationship.

5. Ecosystem Mapping Identifies Hidden Operational Exposure

Many crypto merchants operate multiple services under related entities with different ownership structures, regulatory postures, and service models. A merchant applying for payment processing as a "non-custodial wallet" may be operationally integrated with a related offshore exchange under common beneficial ownership. The applying entity's risk profile does not reflect the full ecosystem risk.

Ecosystem mapping identifies all domains, entities, and services operated by the same Ultimate Beneficial Owners (UBOs) or management teams. This surfaces undisclosed exchange operations, regulatory arbitrage structures (U.S.-facing non-custodial entity fronting an offshore custodial exchange), and service integrations that create unlicensed activity at the portfolio level.

Key insight: "Decentralized" is not a regulatory classification. It is a technical architecture description and, at times, a marketing position. If the merchant controls smart contract admin keys, can upgrade or pause protocol operations, or holds any custody of user funds, the protocol is not fully decentralized for regulatory purposes. Operational control and custody determine licensing requirements. The company analysis review must examine the technical controls, not the marketing description.

The guide provides domain mapping protocols using WHOIS records, SSL certificate analysis, and infrastructure fingerprinting to identify common ownership across entities. It also covers inter-entity fund flow analysis to determine whether customer assets move between related entities in ways that create undisclosed custody or exchange operations.

What Good Looks Like: The Compliant Crypto Merchant Profile

The guide provides a detailed compliant benchmark for each model. Across all models, the acceptable profile includes:

Custody clarity: Clear, unambiguous, documented custody structure. Custodial merchants provide money transmission licenses for all operating states. Non-custodial merchants provide technical architecture documentation and open-source code or security audit confirmation that keys are generated client-side and never transmitted to merchant servers.

On-ramp controls: Hold periods for new customer external transfers (commonly 24-72 hours). Purchase limits during initial account periods. Verified withdrawal bank accounts that demonstrably match customer identity. OFAC SDN (Specially Designated Nationals) list screening on all fiat transactions with documented screening vendor and update frequency.

Licensing completeness: FinCEN MSB registration for brokers and custodial operations. State money transmission licenses in all states where customers are located. Exemption analysis with legal opinion for any states where the merchant claims exemption. No gaps between claimed geographic scope and licensed jurisdictions.

Trading controls (if applicable): Leverage (if offered) limited to moderate ratios with customer sophistication verification. FCM registration with CFTC if derivatives are offered. Documented token listing policy with legal analysis of securities status for each listed token.

Ecosystem transparency: All related entities disclosed without prompting. Corporate structure serving legitimate business purposes. Customer-facing disclosure when services involve multiple legal entities. Terms of service accurately reflecting all services offered across all related domains.

This profile represents acceptable risk for merchant onboarding at appropriate monitoring intensity. The guide maps acceptable variations within each model to specific monitoring and reserve requirements.

Critical Misses That Disqualify Merchants

The guide identifies the highest-frequency errors in crypto merchant underwriting:

"We are non-custodial" without technical verification. Every merchant who wants to avoid licensing requirements claims non-custodial status. Claims require verification. Request technical architecture documentation. Ask directly whether the merchant can freeze a customer account or prevent a withdrawal. If yes, they have custody. Policy descriptions mean nothing without operational confirmation.

Reviewing crypto operations without reviewing payment integration. The chargeback and fraud risk in crypto merchant portfolios is concentrated at the fiat-to-crypto conversion point. Reviewing custody structure and trading features while treating the payment integration as standard creates a blind spot at the exact point where payment processor exposure is highest. On-ramp controls are not incidental to the review. They are central to it.

Accepting licensing documentation without verification. Possession of a FinCEN MSB registration does not confirm the merchant is licensed in the states where their customers are located. It does not confirm that state licenses have not expired or been revoked. It does not confirm the licensed activities match the actual services offered. Licensing documents require primary source verification, not just document receipt.

Missing related entities and ecosystem operations. Applicants frequently describe only the entity applying for payment processing. Related entities operating exchange services, offshore custody, or high-risk trading under common ownership are not disclosed unless specifically investigated. Partner oversight for PayFacs managing crypto sub-merchants requires ecosystem mapping as a standard component, not an exception process.

Applying uniform controls to all crypto merchants. A non-custodial wallet with no fund control, clean transaction monitoring, and appropriate geographic scope is not the same risk profile as a custodial exchange offering 50x leverage trading to retail customers. Uniform controls either impose unnecessary restrictions on low-risk merchants or leave high-risk operations undercontrolled. Model-specific classification is the prerequisite to model-appropriate controls.

Takeaways for Risk and Compliance Leaders

The crypto merchant classification framework enables underwriting and compliance teams to:

  1. Classify accurately before underwriting by determining actual operational model from custody structure, payment integration, and trading capabilities rather than merchant self-description.
  2. Identify licensing gaps before onboarding by verifying federal and state licenses through primary sources and confirming licensed activities match actual operations.
  3. Control fiat payment risk specifically by reviewing on-ramp and off-ramp controls as a dedicated component of the underwriting review, with hold period and withdrawal verification requirements.
  4. Surface ecosystem risk by mapping related entities and domains under common beneficial ownership before accepting the applying entity's description of their operations.
  5. Apply model-specific controls by calibrating monitoring intensity, reserve requirements, and compliance documentation to the specific risk profile of the classified model.

The full guide includes custody classification testing protocols, on-ramp and off-ramp control verification procedures, licensing verification sources for all U.S. jurisdictions, ecosystem mapping methodology, and merchant assessment checklists with specific risk thresholds by model.

Access the Full Framework

The complete guide, How to Detect Crypto Broker vs Wallet vs Exchange, provides operational checklists, testing protocols, regulatory source documentation, and documentation requirements for each classification dimension. It is designed for immediate implementation by underwriting teams, risk analysts, and compliance leaders evaluating crypto merchant applications.

For acquiring banks, PayFacs, and payments platforms managing crypto merchant portfolios, the framework delivers the structured classification methodology needed to distinguish brokers, custodial wallets, and exchanges from each other, and to identify the compliance gaps that each model-specific risk profile creates, before those gaps become portfolio-level problems.

Ballerine's role: We provide the infrastructure to make this complex underwriting process manageable. Automated license verification across federal and state registries, real-time regulatory status monitoring, risk scoring calibrated to specific crypto business models, and alerts when merchant operations change or regulatory actions occur. Our merchant underwriting platform surfaces the classification questions from this framework directly in analyst workflows, ensuring consistent documentation across all crypto merchant applications.
