Joonas Ilmasti
← Back to blog

Five years of running compliance at LocalBitcoins

What I learned building an AML program at the world's largest P2P Bitcoin marketplace.

Joonas IlmastiCompliance3 min read

I joined LocalBitcoins in 2017 and stayed five years, eventually as Chief Compliance Officer and General Counsel. We built the compliance function, and rebuilt it several times, under conditions that don't tend to make textbooks: a peer-to-peer model, hundreds of jurisdictions, a regulatory environment that changed under us almost every quarter, and a user base that was both extraordinarily sophisticated and extraordinarily wary of the system we were trying to interface with.

What follows isn't war stories. It's the shorter list of things I would tell anyone now setting up an AML program for a crypto business.

Build the function, not the document

The fastest way to fail an AML review is to have beautiful policies that don't match what the operations team is actually doing. The fastest way to pass one is to have plain, sometimes ugly, policies that describe a function that actually exists. Regulators read both, and they can tell the difference within five minutes.

Pay your compliance people. Give them seats at decisions before launch, not after. Make sure they can say no without leaving the company.

Investigations are the product

For a P2P marketplace, the compliance product is its investigations capability. We learned early that the work that mattered most, both for users and for regulators, was the boring, careful, evidence-driven investigation of specific cases. Not the algorithmic screening. Not the dashboard. The case file.

This is true for most crypto businesses, in fact. Tooling helps. But the unit of work is a human decision based on evidence, and the entire system has to be organised around making that decision fast, traceable, and right.

Engage with regulators early, and as humans

The single highest-leverage habit I formed was treating our lead supervisor as a long-term counterparty, not an event. We were in regular contact, in person where possible, and we volunteered information when we found things that mattered. None of that prevented enforcement attention when it came, and in our case enforcement did come. But it shaped what the conversation looked like when it did.

Crypto founders sometimes treat regulators as a kind of weather system to be avoided. They are not. They are people doing a job, with constraints of their own, who can be reasoned with if you give them reasons.

The business outlasts the program

LocalBitcoins eventually closed in 2023, and that's its own long story. But the compliance program we built outlasted us as a template: alumni now work across most of the larger European exchanges, custodians, and regulators themselves. That diffusion is, in some ways, what compliance work actually produces. People who know what good looks like, working in many places at once.

If you're starting one now, that's the time horizon to plan on.