A client asked me once what he had done wrong. I could not answer that question. Because he had not done anything wrong.
He had bought through a regulated exchange. He had completed full KYC. He had dealt only with counterparties he had verified. He had kept records that most businesses would be embarrassed not to have. By every standard available to him — and, frankly, by every standard I would have applied — his cryptocurrency was clean.
Six months later, a bank declined to convert his holdings and flagged the transaction for review. The compliance officer cited a blockchain analytics report. Somewhere in the history of the coins he held — not from the person he had bought them from, but several transactions before that — there was a connection to an address that had subsequently appeared on a sanctions list.
He had not known. He could not have known. It made no difference.
I have thought about that conversation many times since. Not because it was unusual. Because it was not.
A bank account works like a safe. The money inside is either yours or it is not. Its history does not travel with it. When funds arrive in your account, they arrive clean — whatever they were before, they are now simply a balance.
Blockchain works differently. A cryptocurrency coin is not a unit of value sitting in a wallet. It is a record of every address it has ever passed through. When you receive cryptocurrency, you receive not just the value but the entire chain of custody that preceded it. And when you send it on, you attach your address to that chain permanently.
I find this is the single most important thing to understand about cryptocurrency as a practical matter — more important than volatility, more important than regulation, more important than tax treatment. The blockchain does not forget. And neither do the tools that banks and exchanges now use to read it.
Most clients I speak with think about contamination in one direction: something that happened before the coin reached them. That is real, and I will come to it. But the direction they rarely think about is equally serious.
When you send cryptocurrency to someone, and that person is later sanctioned — or later identified as connected to a mixer, or later named in a law enforcement action — the transaction you made months ago now sits in a chain that leads somewhere problematic. The timestamp does not protect you. The intent does not protect you. The blockchain record is what it is.
I have seen both patterns cause serious problems for clients who operated entirely in good faith. The incoming version is more common. The outgoing version tends to come as more of a shock — because the client feels, correctly, that they cannot reasonably be held responsible for what a counterparty did after the transaction was complete. That feeling is understandable. It does not change the outcome.
There is an additional layer to this that I think deserves more attention than it receives: there is no single answer to the question of whether a coin is clean.
The major blockchain analytics providers — Chainalysis, Elliptic, TRM Labs, among others — each maintain their own databases of flagged addresses and their own methodologies for calculating risk scores. One applies a ten percent threshold for indirect exposure to a high-risk source. Another uses twenty-five percent. A third flags only direct contact. The databases themselves are not identical. The same wallet, run through two different tools, can produce two different results.
The institution you are dealing with chooses its tool. You do not choose it for them. And when a flag appears in their report, you are the one who has to explain it — even if a different instrument would have produced a different result.
I am not sure there is a clean solution to this particular problem. But I am quite sure that not knowing it exists is far more dangerous than knowing it does.
The response to this is not legal. I want to be direct about that, because the first instinct of most clients is to reach for a lawyer. A lawyer cannot clean a coin retroactively. Documentation, however thorough, cannot change what the blockchain records. And a carefully worded letter does not address the underlying analytical report.
The response is operational. It has to be built into the way the crypto layer functions from the beginning — not retrofitted after a problem appears.
In my experience, that means four things:
Screening counterparty addresses before any significant transaction. Not once, when a relationship begins, but each time. Sanctions lists are updated continuously. An address that was clean last quarter may not be clean today.
Monitoring the holdings you already own. The risk profile of what you hold can change without any action on your part. Periodic screening of your own portfolio — not just new transactions — is the only way to know where you stand before an institution runs its own report.
Documenting the process. When a bank asks about a transaction, the most useful thing you can produce is evidence that you screened it: when, with what tool, and what result you received at that time. This does not guarantee a favourable outcome. It does demonstrate that you ran a serious operation. That is a different conversation.
Understanding what tool your bank uses, and what thresholds it applies, if that information is discoverable. Not all institutions will tell you. Some will, if asked correctly. It is worth attempting.
I want to add one observation that goes beyond the individual wallet, because I think it is underappreciated.
If cryptocurrency is held inside an operating company — one that also maintains conventional bank accounts, deals with customers, and appears in due diligence processes — then a single flagged address does not stay in the crypto layer. It travels. The bank reviewing a routine payment sees the entity. The investor conducting due diligence sees the entity. The flag follows the legal person, not just the wallet.
This is one of the reasons I consistently recommend that clients with meaningful cryptocurrency activity keep it structurally separated from the rest of the group. Not only to protect conventional banking relationships from crypto exposure — which is a real concern and one I have written about separately — but because structural separation makes the screening obligation manageable. A dedicated entity with a defined scope, its own relationships, and its own compliance architecture is something you can actually run a serious process around. A general operating company with cryptocurrency mixed into the balance sheet is considerably harder to defend.
I do not think there is a way to hold cryptocurrency and face zero contamination risk. The chain is too long, the databases are updated too frequently, and the methodology is not under the holder's control. Anyone who tells you otherwise is either uninformed or selling something.
What a well-run crypto architecture achieves is not immunity. It achieves a defensible position — the ability to demonstrate, when a question is raised, that the operation was conducted with rigour, that screening was performed, that documentation exists, and that any exposure was not the product of negligence or indifference.
That is the standard worth building towards. And it is an architectural standard, not a legal one. Which means it has to be built in — not called in after the bank has already run the report.
Vladimir Shuvalov works with international businesses and private clients on corporate structure, banking acceptability, and cryptocurrency architecture from Nicosia, Cyprus.
Thinking Globally — thinking-globally.com
Thinking Globally Consulting Limited
Registered in England & Wales · Company No. 17138834
128 City Road, London EC1V 2NX, United Kingdom
© 2026 Thinking Globally Consulting Limited · All rights reserved