The 7 Crypto Risk Dimensions Every Compliance Officer Must Track
A compliance officer's operational guide to tracking the 7 crypto risk dimensions — with KPIs, dashboards, thresholds, and reporting cadence for each.

If you are the compliance officer at a crypto exchange, CASP, or digital asset custodian, you are responsible for risks that span technology, regulation, finance, and operations simultaneously. The challenge is not awareness — most CCOs know the risks. The challenge is measurement. How do you know when a risk is within tolerance? How do you know when it has breached a threshold? How do you demonstrate to the board, to investors, and to regulators that your risk management framework is functioning?
This guide provides the tracking system. For each of the seven crypto risk dimensions, it defines the KPIs to measure, the thresholds that should trigger action, the reporting cadence, and the dashboard visualizations that make risk visible.
Dimension 1: Regulatory and Compliance Risk
What to Track
Regulatory risk is dynamic — it changes with every new law, every enforcement action, and every guidance document. The CCO must track the number of open regulatory change items, the number of compliance gaps identified, the average time to close a compliance gap, upcoming compliance deadlines, and the number of regulatory examinations in the past 12 months and their outcomes.
KPIs and Thresholds
The critical KPI is the compliance gap count. A firm with zero identified gaps is either perfectly compliant or not looking hard enough. A firm with more than 10 open gaps has a systemic compliance problem. Green: 0-3 open gaps, all being actively remediated. Yellow: 4-7 open gaps, or any gap older than 90 days. Red: 8+ open gaps, or any gap relating to a current enforcement priority.
Reporting Cadence
Monthly to the compliance committee. Quarterly to the board. Ad hoc to the board for any red-threshold breach or regulatory examination notification.
Dimension 2: Identity and KYC Risk
What to Track
Identity risk is measured through verification system performance and fraud detection outcomes. Track KYC completion rate, verification pass rate, false acceptance rate, false rejection rate, deepfake detection rate, document forgery detection rate, average verification time, and multi-account detection rate.
KPIs and Thresholds
The most important KPI is the KYC completion rate. It must be 100% for active users. Any shortfall creates regulatory risk and was the direct cause of Bithumb's 36.8 billion won fine. Green: 100% KYC completion, false acceptance rate below 0.5%. Yellow: 99-99.9% KYC completion, or false acceptance rate 0.5-1%. Red: Below 99% KYC completion, or false acceptance rate above 1%.
Dimension 3: Market Risk
What to Track
For exchanges that hold proprietary positions or provide margin trading, market risk metrics include net exposure by asset class, value at risk (VaR) at 99% confidence level, margin utilization rate, liquidation frequency and volume, and stablecoin reserve composition and concentration.
KPIs and Thresholds
Green: VaR within board-approved limits, margin utilization below 60%. Yellow: VaR approaching limits, margin utilization 60-80%. Red: VaR exceeding limits, margin utilization above 80%, or any forced liquidation event exceeding $1M.
Reporting Cadence
Daily for trading desk management. Weekly for risk committee. Monthly to the board.
Dimension 4: Custody Risk
What to Track
Custody risk metrics include the ratio of assets in cold storage vs hot wallets, the frequency of cold-to-hot transfers, wallet balance reconciliation discrepancies, key management procedure compliance, insurance coverage relative to assets under custody, time since last proof of reserves audit, and the number of security incidents affecting custody infrastructure.
KPIs and Thresholds
The critical ratio is cold storage percentage. Industry best practice is 95% or more of customer assets in cold storage. Green: 95%+ in cold storage, zero reconciliation discrepancies, insurance covering 100% of hot wallet exposure. Yellow: 90-95% in cold storage. Red: Below 90% in cold storage, any unresolved reconciliation discrepancy, or insurance gap.
Dimension 5: Counterparty Risk
What to Track
Counterparty risk metrics include the number of counterparties with active exposure, exposure concentration (percentage of total exposure represented by the top 5 counterparties), counterparty credit quality, the number of counterparties that have not completed KYB verification, stablecoin issuer reserve adequacy, and DeFi protocol audit status.
KPIs and Thresholds
Green: No single counterparty represents more than 15% of total exposure. Yellow: Any counterparty represents 15-25% of exposure. Red: Any counterparty represents more than 25% of exposure, or any stablecoin reserve attestation overdue by more than 30 days.
Dimension 6: Operational Risk
What to Track
Operational risk metrics include system uptime (especially during high-volatility periods), the number of security incidents, mean time to detect and respond to incidents, employee turnover in critical functions, pending system changes and their risk assessments, and the number of process exceptions.
KPIs and Thresholds
Green: 99.9%+ uptime, zero security breaches, all process exceptions documented and approved. Yellow: 99.5-99.9% uptime, any security incident under investigation. Red: Below 99.5% uptime, any security breach affecting customer data or assets, or systemic process failures.
Dimension 7: AML/CFT Risk
What to Track
AML/CFT risk is measured through the monitoring system's detection performance and the quality of investigative outcomes. Track total alerts generated, alert investigation completion rate, alert-to-SAR conversion rate, average investigation time, SAR filing timeliness, sanctions true positive vs false positive ratio, suspicious activity dollar value identified, and the number of law enforcement inquiries.
KPIs and Thresholds
The most telling KPI is the alert-to-SAR conversion rate. A rate below 5% suggests miscalibrated monitoring (too many false positives). A rate above 50% suggests the monitoring system may not be casting a wide enough net. Green: Alert-to-SAR conversion rate 10-30%, all SARs filed within deadline, investigation backlog under 5 days. Yellow: Conversion rate outside 10-30% range. Red: Conversion rate below 5% or above 50%, missed SAR deadlines, or backlog exceeding 15 days.
The Board Reporting Package
The seven dimensions should be consolidated into a single board reporting package that provides:
- A one-page risk dashboard showing all seven dimensions with traffic-light status.
- Trend indicators showing the direction of each dimension vs. prior quarter.
- A narrative section highlighting the top three risks requiring board attention.
- An action item section with specific decisions requested from the board.
- An appendix with detailed metrics for each dimension.
The board does not need to see every metric. The board needs to see the status of each risk dimension, the direction of travel, and the decisions that require their input or approval.
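The Dimension 7 thresholds and the dashboard consolidation described above, as an added Python example (not code from the article or from deepidv): it derives the alert-to-SAR conversion rate, missed SAR deadlines and backlog age from constructed alert records, applies the red/yellow/green bands with red checked first so the worst breach wins, and emits one dashboard row carrying the direction-of-travel indicator against a constructed prior-quarter status. The `Alert` record shape, the `AS_OF` date, the sample alerts and the decision to treat a 5-15 day backlog as yellow (the article names no band for it) are assumptions.

```python
"""Traffic-light (RAG) scoring for the AML/CFT dimension plus a board-dashboard row.

Added example, not code from the article or from deepidv. The bands follow the
article's Dimension 7 thresholds; the Alert records and the prior-quarter status
are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed reporting date for the example.
AS_OF = date(2026, 3, 31)

# Ordering used to turn two statuses into a trend direction.
RANK = {"GREEN": 0, "YELLOW": 1, "RED": 2}


@dataclass
class Alert:
    alert_id: str
    opened: date
    closed: Optional[date]          # None: still under investigation
    sar_filed: bool
    sar_deadline: Optional[date]    # None when no SAR was required
    sar_filed_on: Optional[date]


def aml_metrics(alerts, as_of):
    """Derive the three KPIs the article's bands use from raw alert records."""
    closed = [a for a in alerts if a.closed is not None]
    still_open = [a for a in alerts if a.closed is None]
    sars = [a for a in alerts if a.sar_filed]
    # Alert-to-SAR conversion: SARs filed over completed investigations.
    conversion = len(sars) / len(closed) if closed else 0.0
    missed = sum(
        1 for a in sars
        if a.sar_deadline and a.sar_filed_on and a.sar_filed_on > a.sar_deadline
    )
    # Backlog measured as the age of the oldest alert still open.
    backlog_days = max(((as_of - a.opened).days for a in still_open), default=0)
    return {
        "conversion_rate": conversion,
        "missed_sar_deadlines": missed,
        "backlog_days": backlog_days,
    }


def aml_status(m):
    """Map KPIs to a status. Red rules are checked first so the worst breach wins."""
    if (m["conversion_rate"] < 0.05 or m["conversion_rate"] > 0.50
            or m["missed_sar_deadlines"] > 0 or m["backlog_days"] > 15):
        return "RED"
    # Assumption: the article only names an out-of-range conversion rate as
    # yellow; a backlog of 5-15 days fails the green test without reaching
    # red, so it is treated as yellow here rather than silently passing.
    if not 0.10 <= m["conversion_rate"] <= 0.30 or m["backlog_days"] >= 5:
        return "YELLOW"
    return "GREEN"


def dashboard_row(dimension, status, prior_status):
    """One line of the one-page dashboard: status plus direction vs. prior quarter."""
    delta = RANK[status] - RANK[prior_status]
    trend = "deteriorating" if delta > 0 else "improving" if delta < 0 else "stable"
    return {"dimension": dimension, "status": status, "trend": trend}


def constructed_alerts():
    """Constructed sample: 10 closed alerts, 2 SARs filed on time, 1 alert open 3 days."""
    alerts = [Alert(f"A{i}", date(2026, 3, 1), date(2026, 3, 10), False, None, None)
              for i in range(1, 9)]
    alerts += [
        Alert("A9", date(2026, 3, 2), date(2026, 3, 12), True, date(2026, 3, 20), date(2026, 3, 18)),
        Alert("A10", date(2026, 3, 3), date(2026, 3, 14), True, date(2026, 3, 25), date(2026, 3, 24)),
        Alert("A11", date(2026, 3, 28), None, False, None, None),
    ]
    return alerts


if __name__ == "__main__":
    metrics = aml_metrics(constructed_alerts(), AS_OF)
    status = aml_status(metrics)
    print(metrics)
    # Prior-quarter status is constructed; a real package would load it from the last report.
    print(dashboard_row("AML/CFT", status, prior_status="YELLOW"))
```

The same `dashboard_row` shape serves the other six dimensions once each has its own `*_status` function; keeping the red checks ahead of the yellow ones in every evaluator is what guarantees a dimension never shows green while one of its red conditions holds.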
7 Crypto Risk Dimensions FAQ
- What are the 7 crypto risk dimensions?
- Regulatory/compliance risk, identity/KYC risk, market risk, custody risk, counterparty risk, operational risk, and AML/CFT risk. Each requires specific KPIs, thresholds, and reporting cadence.
- What is the most critical KPI for crypto compliance?
- KYC completion rate — it must be 100% for active users. Every other compliance control depends on knowing who your users are. A shortfall in KYC completion was the direct cause of the largest crypto enforcement penalty in Asian history.
- How often should risk dimensions be reported to the board?
- Quarterly at minimum. Operational teams should review metrics daily or weekly. The compliance committee should review monthly. The board should receive a consolidated risk dashboard quarterly with ad hoc reporting for threshold breaches.
- What alert-to-SAR conversion rate is normal?
- A healthy range is 10-30%. Below 5% suggests too many false positives. Above 50% suggests the monitoring system is too narrow and may be missing threats.
What is deepidv?
Not everyone loves compliance — but we do. deepidv is the AI-native verification engine and agentic compliance suite built from scratch. No third-party APIs, no legacy stack. We verify users across 211+ countries in under 150 milliseconds, catch deepfakes that liveness checks miss, and let honest users through while keeping bad actors out.
