How to use this checklist: Run through this list each time you onboard to a new crypto exchange — whether for treasury management, OTC trading, or operational purposes. Section 3 (treasury controls) is the highest risk area: API keys with withdrawal permissions and unfunded 2FA are the most common vectors for exchange-related losses. Complete Section 4 before your first trade, not after.
1. KYB & Compliance Documentation
- Corporate KYB documents prepared: Certificate of incorporation, constitutional documents, and full ownership structure ready in a shareable format.
- UBO declaration: All beneficial owners above the exchange's threshold identified — government-issued identity documents provided for each.
- Regulatory status documentation: FCA registration or authorisation certificate provided — any other relevant licences included in the KYB pack.
- AML policy summary: Brief overview of the firm's AML programme provided to the exchange compliance team — key controls described clearly.
- Business description: Clear explanation of business model, customer types, and expected transaction volumes on the exchange prepared.
- Source of funds: Documentation of the origin of crypto assets to be deposited — sourced from trading, treasury, or on-chain activity as applicable.
2. Fee Structure & Commercial Terms
- Maker/taker fee schedule reviewed and modelled: Cost per trade calculated at expected volumes — blended fee rate included in the treasury cost model.
- Withdrawal fee structure: Per-transaction fees and any free tier thresholds understood for both crypto withdrawals and fiat off-ramps.
- Volume discounts: Thresholds for reduced fees identified — factored into the treasury cost model at projected trading volumes.
- Fiat on/off ramp fees: Bank transfer fees, SWIFT charges, and any FX conversion spread understood and modelled before first fiat movement.
- Terms of service reviewed by legal: IP rights, data use, account closure terms, and asset recovery procedures noted — any unusual provisions flagged to the board.
3. Treasury Controls
- API access: Trading API keys generated with withdrawal permissions explicitly disabled — separate keys used for automated trading and reporting.
- IP whitelisting: API access restricted to company IP addresses — whitelist configured before API keys are activated.
- Withdrawal whitelist: Approved withdrawal addresses pre-registered in the exchange — change requests subject to a minimum 48-hour delay.
- Two-factor authentication: All authorised users enrolled on hardware or authenticator-app 2FA — backup codes generated, encrypted, and securely stored.
- Deposit limits: Maximum deposit and withdrawal limits set in the exchange account in line with the treasury policy — limits reviewed quarterly.
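
The Section 3 controls can be checked mechanically before any key goes live. The script below is an added example, not part of the original checklist or any exchange's API: it audits a constructed account-settings export against the API access, IP whitelisting, withdrawal whitelist, and 2FA items. All field names, the sample account, and the company network range are assumptions to be mapped onto whatever your exchange's admin export provides.

```python
import ipaddress

# Constructed sample of an exchange account's settings; every field name here is
# hypothetical, so map them to whatever your exchange's admin export provides.
COMPANY_NETS = [ipaddress.ip_network("203.0.113.0/28")]  # documentation range
ACCOUNT = {
    "api_keys": [
        {"name": "trading-bot", "purpose": "trading", "active": True,
         "permissions": ["read", "trade"], "ip_allowlist": ["203.0.113.5"]},
        {"name": "reporting", "purpose": "reporting", "active": True,
         "permissions": ["read", "withdraw"], "ip_allowlist": ["0.0.0.0/0"]},
    ],
    "withdrawal_address_change_delay_hours": 24,
    "users": [
        {"email": "cfo@example.com", "two_factor": "hardware"},
        {"email": "ops@example.com", "two_factor": "sms"},
    ],
}
ALLOWED_2FA = {"hardware", "authenticator_app"}  # the two methods the checklist accepts
MIN_ADDRESS_CHANGE_DELAY_HOURS = 48              # minimum delay stated in the checklist


def inside_company(entry, company_nets):
    """True if an allowlist entry (IP or CIDR) lies wholly inside a company network."""
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.version == c.version and net.subnet_of(c) for c in company_nets)


def audit(account, company_nets):
    """Return (control, detail) findings for Section 3 controls that are not met."""
    findings = []
    for key in account["api_keys"]:
        if "withdraw" in key["permissions"]:
            findings.append(("api_access", f"{key['name']}: withdrawal permission enabled"))
        outside = [e for e in key["ip_allowlist"] if not inside_company(e, company_nets)]
        # An active key with an empty allowlist, or any entry outside company ranges, fails.
        if key["active"] and (not key["ip_allowlist"] or outside):
            findings.append(("ip_whitelisting", f"{key['name']}: allowlist {key['ip_allowlist']}"))
    delay = account["withdrawal_address_change_delay_hours"]
    if delay < MIN_ADDRESS_CHANGE_DELAY_HOURS:
        findings.append(("withdrawal_whitelist", f"address change delay is {delay}h"))
    for user in account["users"]:
        if user["two_factor"] not in ALLOWED_2FA:
            findings.append(("two_factor", f"{user['email']}: 2FA method {user['two_factor']!r}"))
    return findings


if __name__ == "__main__":
    for control, detail in audit(ACCOUNT, COMPANY_NETS):
        print(f"FAIL {control}: {detail}")
```

An empty result from audit() means the four checked controls pass; backup-code storage and the quarterly limit review still need a manual check.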
4. Accounting & Tax Setup
- Chart of accounts updated: New exchange added as a separate nominal code — ensures exchange-level reporting is available without manual disaggregation.
- Accounting policy confirmed: Cost basis method (FIFO, average cost, or other) confirmed for this exchange — consistent with the policy applied across all exchanges.
- Transaction export format reviewed: CSV or API export format verified as compatible with the accounting system — test export performed before first live trade.
- Tax lot tracking: System in place to track acquisition cost of each lot deposited to this exchange — required for accurate disposal calculations.
- Year-end confirmation process: Method for obtaining a year-end balance confirmation from the exchange for audit purposes identified and tested.
5. Transaction Monitoring Integration
- On-chain analytics tool connected to exchange wallet addresses: All deposit addresses registered in the on-chain analytics platform — alerts configured before first deposit.
- Deposit screening: Incoming transaction screening active — procedure confirmed for holding or returning funds that fail screening checks.
- Suspicious transaction alerts: Escalation path to MLRO documented for flagged transactions — response timeframes and record-keeping requirements clear.
- Exchange AML assessment: Exchange's own AML controls reviewed as part of the firm's third-party risk assessment — risk rating documented and reviewed annually.