The most expensive design mistake in a crypto exchange's wallet screening architecture is to force every flow into a single mode — either everything pre-trade, or everything post-trade. Real operator practice is hybrid: deposits run post-trade (with periodic re-screening), withdrawals run pre-trade. This article walks through why that split is rational, what threshold policy belongs on each side, how to size the manual review queue, and what an international exchange, OTC desk, or custodial wallet provider should be building toward as supervisor expectations harden in 2026.
Definitions: pre-trade vs post-trade
Pre-trade screening: Runs before the transaction is confirmed at the exchange's deposit address, or before the user balance is credited. If the decision goes negative, the funds never appear in the user's balance.
Post-trade screening: Runs after confirmation and after balance is credited. If the decision goes negative, the funds are already under user control — freezing them, blocking withdrawal, or restricting the account becomes operational work.
The definitions are simple, but they sit on top of a critical tradeoff: latency budget vs risk window.
| Criterion | Pre-trade | Post-trade |
|---|---|---|
| User experience (latency) | 1-5 second onboarding delay before deposit appears | Instant balance, "green check" UX |
| Risk of tainted funds reaching balance | Zero (negative decision = funds never visible) | Real (must freeze and recover post hoc) |
| Operational overhead | Lower (single decision point) | Higher (freeze, recovery, account restrictions) |
| Provider API calls per flow | One (at transaction time) | Two+ (deposit + post-confirm + optional periodic re-screen) |
| Regulator perception | Stronger (preventive) | Standard (detective) |
At first glance pre-trade looks correct for everything. But two architectural constraints push deposits toward post-trade: (a) mempool screening is unreliable — a broadcast-but-unconfirmed transaction can be replaced (RBF on Bitcoin) or reordered, so screening before confirmation can be wasted work, (b) the deposit address belongs to the user once funds touch it — pre-trade rejection requires you to send funds back, which is itself a transaction that costs gas/fees and creates a separate counterparty risk question.
Withdrawals invert the picture. The withdrawal request is fully under the exchange's control; halting or refusing it is one decision point. Here pre-trade is almost always the right answer.
The hybrid architecture: what serious operators run
Across tier-1 and tier-2 exchanges internationally, the most common observed pattern:
DEPOSIT flow:
1. (Optional) Mempool listener — track the broadcast, do not decide yet
2. On block confirmation, run post-trade screening
3. Low risk → credit balance immediately
4. Moderate risk → credit balance, flag account "review pending"
5. High risk → credit balance but freeze, route to manual review queue
6. (Every 24-72 hours) Periodic re-screening — exposure changed?
WITHDRAWAL flow:
1. User clicks Withdraw → pre-trade screening fires
2. Destination address normalized, cluster lookup
3. Low risk → approve withdrawal, broadcast
4. Moderate risk → manual review (typical 1-4 hour SLA)
5. High risk → auto-decline + SAR (Suspicious Activity Report) trigger
The rationale behind this hybrid: on the deposit side, tainted funds have already arrived; the marginal protection of pre-trade rarely justifies the latency cost for a normal user's onboarding experience. On the withdrawal side, sending funds to a sanctioned or high-risk destination is far costlier — regulators read that as "actively facilitated" rather than the more passive "accepted tainted funds".
Our blockchain AML guide covers the four-layer infrastructure backing this architecture.
Threshold policy: a starting table
A working threshold policy models the two sides separately. Reasonable starting points for a tier-2 exchange:
Deposit thresholds (post-trade)
| Signal | 0 hops (direct) | 1 hop | 2 hops | 3+ hops |
|---|---|---|---|---|
| OFAC SDN / sanctions | Freeze + SAR | Freeze + SAR | Manual review (high) | Manual review |
| CSAM | Freeze + SAR | Freeze + SAR | Freeze + SAR | Manual review (high) |
| Mixer (Tornado Cash etc.) | Freeze + SAR | Manual review (high) | Manual review | Monitor |
| Darknet (active/recent) | Freeze + SAR | Manual review (high) | Manual review | Monitor |
| Ransomware | Freeze + SAR | Manual review (high) | Manual review | Monitor |
| Scam/fraud | Manual review | Manual review | Monitor | Pass |
| Stolen funds (hack) | Freeze + SAR | Manual review (high) | Manual review | Monitor |
| Privacy-focused protocol | Manual review | Manual review | Monitor | Pass |
Withdrawal thresholds (pre-trade)
Withdrawal bands run tighter — sending funds means actively transmitting, not passively receiving:
| Destination label | 0 hops | 1 hop | 2+ hops |
|---|---|---|---|
| OFAC SDN / sanctions | Auto-decline + SAR | Auto-decline + SAR | Manual review (high) |
| CSAM | Auto-decline + SAR | Auto-decline + SAR | Auto-decline + SAR |
| Mixer | Auto-decline + SAR | Manual review (high) | Manual review |
| Active darknet | Auto-decline + SAR | Auto-decline + SAR | Manual review (high) |
| Ransomware | Auto-decline + SAR | Manual review (high) | Manual review |
| Scam-collector address | Auto-decline | Manual review (high) | Manual review |
| Another known VASP | Screen, Travel Rule data exchange | Screen | Screen |
Travel Rule obligation: if the destination is another VASP, our FATF Travel Rule guide and Travel Rule integration walkthrough describe the IVMS 101 messaging flow that transmits originator/beneficiary info to the counterparty VASP.
These tables are starting points. Every operator calibrates to risk appetite, jurisdiction, and customer base.
Sizing the manual review queue
The manual review queue is the human layer of the screening architecture, and sizing it is a real engineering problem. Typical benchmarks:
Anonymized tier-2 exchange example:
- 10,000 deposits per day
- ~0.02-0.04% (so 2-4 deposits) trigger high-risk on-chain signals
- ~80% of those are mixer exposure within 2-3 hops; remaining ~20% are sanctions, scam, or darknet
- 6,000 withdrawals per day
- ~0.05-0.10% (3-6 withdrawals) drop into manual review queue (the withdrawal threshold is tighter)
Total daily queue: 5-10 cases. An analyst can review 20-40 cases per day (averaging 15-20 minutes per case with full audit-log compliant write-up). So 1 senior compliance analyst suffices at baseline.
But baseline does not survive shocks. During volatile events (a major hack, an OFAC action, a mixer takedown), the queue can grow 5-10x. If your SLA is "every case in queue resolved within 4 hours", capacity must be sized for peak — typically 2-3 full-time analysts plus a shared on-call rota, or a hybrid (1-2 in-house + provider-side outsourced backstop).
This capacity calculation works alongside the match-grouping and threshold calibration practices in our reduce AML false positives guide — well-calibrated thresholds can shrink the manual queue 30-50%.
Threshold policy versioning and audit log
Threshold policy evolves — new labels, regulator updates, false-positive analysis tightens or relaxes bands. Every screening decision must record which policy version applied.
Minimum field set per screening:
screening_id(immutable UUID)timestamp(UTC, millisecond)flow_type(deposit/withdrawal)screening_mode(pre_trade/post_trade/periodic_rescreen)address(normalized)cluster_idandcluster_namerisk_categoriesanddirect_match_flagexposure_percentandexposure_breakdownhop_distance_mindecision(auto_clear/manual_review/auto_decline/freeze)threshold_policy_version— which policy version executedanalyst_idandanalyst_notes(if manual)travel_rule_message_id(if withdrawal to another VASP)
Retention: 5 years under US BSA, 5-10 years under EU AMLD6/MiCA-aligned guidance, jurisdiction-specific in practice. Format must be immutable append-only (S3 Object Lock, Azure Blob immutability policy, or equivalent WORM configuration).
Periodic re-screening: the post-trade companion
A critical component of the post-trade model: periodic re-screening. The source cluster of deposits sitting in user balances can shift its risk profile over time — a cluster may be added to a sanctions list later, a wallet may receive retroactive Lazarus attribution.
A practical re-screening flow:
- Active balances' source deposits are re-screened every 24 hours (every 4 hours for high-value accounts)
- When a cluster picks up a new risky label, every deposit from that cluster is flagged
- Flagged accounts have withdrawal holds applied, route to manual review
This mechanism protects against "retroactive risk" — a customer's deposit might have looked clean three months ago, but a wallet two hops earlier may have just been added to OFAC SDN.
OTC desks and custodial wallet providers: same logic, different velocities
The hybrid model adapts to other operator types:
OTC desks. Deposit velocity is much lower (tens to hundreds per day vs thousands for an exchange) and per-trade value is much higher (often six- and seven-figure trades). The economics flip — pre-trade screening on the deposit side becomes affordable per-trade and the latency budget is forgivable because OTC clients expect deal-flow conversation, not millisecond UX. Many OTC desks run pre-trade on both sides.
Custodial wallet providers. Wallet creation and address generation is high-velocity; actual deposit/withdrawal flow per address can be sparse. The hybrid model fits, but periodic re-screening cadence often tightens (every 4-6 hours rather than 24) because custodial providers are explicitly trusted with continuous custody of customer funds.
Crypto-accepting merchants/PSPs. Inbound payments are the primary flow; outbound is usually to a payout wallet under the merchant's own control or to a banking-rail off-ramp. Post-trade on inbound + pre-trade on the payout/off-ramp side mirrors the exchange model.
Regulatory baseline: what supervisors expect in 2026
For an exchange operating under MiCA in the EU, the FCA framework in the UK, or comparable regimes, supervisors increasingly expect:
- Hybrid architecture compliance. OFAC + UN + EU + UK sanctions screening on both sides, on-chain risk scoring across the major risk categories, written threshold policy, defined manual review SLA.
- Audit log retention. 5-10 years, immutable format.
- SAR integration. Auto-decline or freeze triggers electronic reporting to the relevant FIU (FinCEN, the NCA, national FIUs in the EU) within jurisdiction-specific deadlines.
- Travel Rule capability. Withdrawals to another VASP transmit IVMS 101-format counterparty data. Our Travel Rule integration article walks through this end-to-end.
- Named MLRO (Money Laundering Reporting Officer). A signing officer who is the regulator's point of contact and policy owner.
Operators building this stack today will not be the ones rushing during enforcement waves; retrofitting is structurally harder than building correctly the first time.
Frequently Asked Questions
Can pre-trade screening apply to all deposits?
Technically yes, practically expensive. Mempool listeners catch broadcasts, but (a) some chains have hidden or short-lived mempools (Solana, certain Ethereum L2s), (b) RBF transactions can invalidate decisions, (c) the latency budget hits onboarding UX. A common refinement: add pre-trade as an extra layer above a value threshold (e.g. >$100k deposits get pre-trade screening), keep low-value deposits on post-trade. This hybrid-within-hybrid is operationally manageable.
What withdrawal manual review SLA should we target?
Industry practice: 1-4 hour SLA for high-risk withdrawals, 4-24 hour for moderate. Longer SLAs generate customer complaints; shorter SLAs require additional queue capacity. A reasonable starting point is 2-hour (high) / 8-hour (moderate) with metric tracking; tighten as your queue capacity and false-positive rate stabilize.
How long can we hold a frozen deposit?
Jurisdiction-specific. In the EU and UK, account-freeze powers run under national AML legislation; typically funds can be held pending FIU instructions, with sustained holds requiring formal orders. US holds tied to SAR filings have specific procedural windows. A defensible position: your user terms of service explicitly contemplate freeze actions for compliance reasons, your MLRO documents every freeze decision with rationale, and you have a written escalation path to legal counsel for protracted holds.
What happens when Travel Rule data exchange counterparty doesn't respond?
The classic "sunrise problem" — the counterparty VASP has not yet adopted Travel Rule infrastructure. Practical approaches: (a) transmit below-threshold withdrawals (e.g. under €1,000-equivalent) without data exchange (FATF guidance supports this de minimis carve-out), (b) hold above-threshold transfers to unknown counterparties pending customer explanation, (c) offer alternative withdrawal methods. Our Travel Rule sunrise problem article covers these scenarios in detail.
Should we build screening in-house or buy from a provider?
At 10,000+ deposits per day and tightening supervisor expectations, building an in-house attribution database is a 12-18 month engineering investment plus 4-6 senior analysts plus continuous label updates. Rarely economic for tier-2 or tier-3 exchanges. The provider question is rational — but single-provider lock-in is fragile. A two-provider architecture (primary + fallback) absorbs both label-coverage gaps and API outages, and is now the predominant pattern at well-run exchanges. Our blockchain AML guide details the provider evaluation matrix.
How Legichain helps
Legichain's blockchain AML stack is purpose-built for the hybrid model: post-trade plus periodic re-screening on deposits, low-latency pre-trade on withdrawals, all behind a single API. Address normalization across 12+ chains, continuously updated label database covering the eight risk categories, configurable threshold policy with version tracking written into audit log, and an integrated manual review queue UI. For crypto exchange customers globally, the MiCA/TFR-aligned Travel Rule layer sits next to the screening engine; for OTC desks and custodial wallet providers, the same engine adapts to your flow shape. If you already run a screening provider, Legichain deploys as a secondary/fallback so you can run dual-source comparison before any cutover — contracted pilots typically reach production in 4-6 weeks.
Next steps
- Blockchain AML complete guide — the four-layer architecture and overall framework
- How to screen a crypto wallet — end-to-end screening flow, code, decisions
- Legichain crypto exchange solution — exchange infrastructure components
- How to implement Travel Rule — withdrawal counterparty data exchange
- Reduce AML false positives: 7 proven techniques — threshold calibration and match grouping