CertiK’s Skynet report: AML and security now define the rules of the game for crypto
2026-04-29 Source: crypto.news

CertiK’s Skynet report shows AML enforcement and security standards have replaced securities angst as crypto’s main risk axis, with Basel and DORA baking rules into code.

Summary
  • CertiK finds regulators in the US, EU, Hong Kong, Singapore, UAE, Japan, Turkey, and Brazil have shifted from consultations to live AML‑centric regimes that increasingly mirror TradFi.
  • AML fines exceeded $900M in H1 2025, including $504M for OKX and $297.4M for KuCoin, while SEC crypto penalties fell 97% as DOJ and FinCEN took the lead.
  • The Basel cryptoasset framework, DORA, and new licensing rules now treat smart‑contract audits, capital adequacy, segregation, and operational resilience as hard requirements, not marketing extras.

CertiK’s latest Skynet State of Digital Asset Regulations Report makes one thing brutally clear: the experimental phase in crypto is over, and enforcement is now the default setting for digital assets in every major jurisdiction.

The report finds that regulatory frameworks across the United States, European Union, Hong Kong, Singapore, the UAE, Japan, Turkey, and Brazil have moved from consultation to live, enforceable regimes that increasingly mirror traditional financial regulation. The primary risk axis has shifted with them: securities classification is no longer the main fear for crypto businesses. Instead, anti‑money laundering (AML) enforcement has overtaken everything else.

According to CertiK, AML‑related fines and settlements exceeded 900 million dollars in the first half of 2025 alone, with headline actions including a combined 504 million dollars in penalties for OKX and 297.4 million dollars for KuCoin, while European AML fines surged 767% over the same period. In contrast, SEC crypto enforcement penalties fell 97% year‑over‑year as the Department of Justice and FinCEN expanded their roles, underscoring the pivot from “is this a security?” to “is this KYC/AML‑clean?” as the dominant regulatory question.

New CertiK report highlights security vulnerabilities

The report also ties directly into the recent wave of wallet and smart‑contract security news. CertiK notes that independent smart contract security audits have become statutory or quasi‑statutory requirements for licensing and token admission in most key markets, citing Hong Kong, the UAE’s VARA and ADGM regimes, the EU’s Digital Operational Resilience Act (DORA), and state‑level rules from NYDFS and Wyoming in the US. That trend tracks with recent disclosures of mobile‑device and SDK vulnerabilities affecting millions of users, and with MetaMask’s and Binance’s warnings about malware and full‑chain exploits targeting wallets, where regulators increasingly view smart‑contract and app‑layer security as part of operational resilience rather than a nice‑to‑have.

For exchanges, custodians, and issuers, prudential standards now look almost identical to traditional financial market infrastructure: capital adequacy, asset segregation, liquidity management, and recovery planning are all part of the baseline, not aspirational best practice. Stablecoin regulation has also moved into the implementation phase, with binding rules on reserves, redemption rights, governance, and disclosure live across major jurisdictions; the hard problem now is handling fragmented, cross‑border requirements and the absence of seamless license passporting.

At the banking level, the Basel cryptoasset framework that took effect on January 1, 2026, introduces a structural divide between “Group 1” and “Group 2” assets. Tokenized traditional instruments and qualifying stablecoins fall into Group 1 and receive standard risk‑weighting, while unbacked tokens like BTC and ETH are pushed into Group 2 and hit with significantly higher capital requirements, mechanically limiting their appeal for heavily regulated balance sheets. Meanwhile, tokenization itself is scaling inside existing securities law: initiatives such as Franklin Templeton’s on‑chain fund, Singapore’s Project Guardian, and Brazil’s Piloto Drex are all cited as examples of traditional frameworks being adapted rather than replaced.

The practical message for teams is blunt. Multi‑jurisdictional licensing is now table stakes, AML compliance budgets must be sized to match a world where nine‑figure fines are routine, and security audits are recurring, jurisdiction‑specific operating expenses, not one‑time marketing events. In other words: if you are building in crypto in 2026, your real competitors are the ones that treat regulation and security as core product features, not as legal footnotes.