What U.S. Crypto Exchanges Must Change Overnight to Comply With Draft Rules

Immediate changes U.S. crypto exchanges must make overnight to meet the draft bill

Hook: If you run or work for a U.S. crypto exchange, the late‑2025/early‑2026 draft legislation that gives the CFTC sweeping authority over spot crypto markets and tightens rules on stablecoins will force immediate, non‑negotiable operational shifts. The pain is real: regulators expect institutional‑grade custody, razor‑sharp AML/KYC, and machine‑readable reporting pipelines. This checklist translates the draft bill into an actionable, prioritized road map you can execute overnight and across the next 90 days.

Why this matters now (brief)

The draft congressional bill released in January 2026—born out of months of negotiation and industry pushback—seeks to define when tokens are securities versus commodities, extend the CFTC’s authority over spot markets, and tighten stablecoin oversight. High‑profile industry responses, including public objections from Coinbase leadership, have shown how powerful and fragile the regulatory moment is. Regardless of final text, the likely effective rules will demand immediate technical, policy and personnel changes from exchanges. Exchanges that act now reduce regulatory risk, protect customers, and preserve market access.

Top‑level checklist: What to change overnight

Below is a prioritized, practical checklist. Each item includes a brief rationale, the minimum tactical action you should take immediately, and follow‑up steps for 30‑ and 90‑day windows.

1) Custody segregation and control (Priority: Critical)

Why: The draft bill emphasizes client asset protection and clear custody rules. Regulators will expect exchanges to segregate customer assets from the firm's balance sheet and demonstrate robust controls for hot and cold custody.

• Overnight: Publish and implement an interim written policy that formally segregates customer assets from corporate holdings. Freeze any internal workflows that move customer assets to firm‑owned accounts without documented approval.
• 30 days: Create segregated accounting ledgers for customer vs. house balances across all supported assets; enable read‑only proof traces for auditors.
• 90 days: Deploy a custody architecture with segregated trust accounts, independent key management, and multi‑party attestations. Implement hot‑wallet transfer limits, cold‑wallet air‑gap procedures, and mandatory dual approval (MPC or multi‑sig with independent cosigners).

Technical specifics to adopt: HSM/MPC for high‑value keys, hardware air‑gapped cold rooms for long‑term reserves, immutable on‑chain change logs, and automated reconciliation every settlement cycle.

2) AML/KYC hardening (Priority: Critical)

Why: Expect stricter AML/KYC provisions and enhanced due diligence requirements—especially around stablecoins, institutional accounts, and cross‑border flows. The bill will push exchanges to operate like banks when it comes to financial crime controls.

• Overnight: Enforce stricter onboarding gates: pause approvals for accounts that fail automated identity checks; require enhanced documentation for accounts above low risk thresholds.
• 30 days: Integrate or upgrade blockchain analytics (for example, enterprise tools for sanctions screening, clustering and risk scoring). Implement real‑time travel‑rule compliance flows (VASP messaging) and SAR escalation templates.
• 90 days: Deploy a full AML program that includes continuous transaction monitoring, behavioral analytics, automated SAR filing pipelines, end‑to‑end audit trails, and periodic independent testing.

Operational details: Build a customer risk scoring engine that combines identity, transaction history, and source of funds, and smart‑contract/DeFi exposure. Add manual review queues with SLA targets and documented decision trees.

3) Reporting pipelines and market surveillance (Priority: High)

Why: The draft requires structured trade and position reporting to regulators and gives the CFTC market surveillance authority. Exchanges must be able to deliver precise, timestamped trade data and suspicious activity flags in machine‑readable formats.

• Overnight: Ensure logging and timestamping systems are intact and synchronized (NTP / PTP). Begin capturing order IDs, client IDs, order timestamps, executions, cancels, and balances.
• 30 days: Build an ETL pipeline that normalizes orderbook and execution feeds into a regulator‑friendly schema (consider FIX/FIXML or an agreed JSON schema). Implement secure delivery channels to regulators (SFTP, API endpoints, or secure cloud buckets with encryption).
• 90 days: Run full reconciliation between exchange trades, custody records, and on‑chain settlement. Deploy a market surveillance module to detect wash trading, spoofing, layering, and unusual counterparty concentration.

Key tech: immutable audit logs, sequenced and signed trade events, sub‑millisecond timestamping where possible, and a replayable event store for forensic review.

4) Licensing and legal posture (Priority: High)

Why: The bill will create new federal regimes and clarify token classifications. Exchanges must map token inventories to potential securities/commodities and adjust licensing strategies accordingly.

• Overnight: Assemble a rapid legal taskforce to classify top‑50 traded tokens by legal risk (security, commodity, other). Pause any product launches for tokens under high legal uncertainty.
• 30 days: File or update state money transmitter applications where needed; document banking relationships and proof of reserve arrangements for stablecoins.
• 90 days: Depending on final rules, consider federal registration pathways (registration as a DCO/SEF or with the CFTC, or equivalent broker‑dealer filings if securities exposures are identified). Engage with regulators for no‑action relief where appropriate.

Practical note: Exchanges with strong D.C. lobbying presence—Coinbase’s recent interventions are illustrative—may negotiate transitional relief, but operations should assume no grace period.

5) Technology upgrades and resilience (Priority: High)

Why: Regulators will expect institutional‑grade operational resilience: disaster recovery, capacity planning, and demonstrable cybersecurity programs.

• Overnight: Validate DR runbooks and ensure a recent, successful failover test report is available. Increase logging retention until retention policy changes are ratified.
• 30 days: Harden APIs (rate limiting, WAFs), adopt advanced DDoS protections, and implement SIEM integration with regulatory alerting hooks.
• 90 days: Certify systems under third‑party audits (SOC2+, ISO 27001) and implement continuous penetration testing and bug bounty expansions targeted at custody and reporting layers.

Performance specifics: Add replayable message queues, idempotent order processing, backpressure controls, and a clear service‑level definition for market data and execution services.

6) Personnel and governance (Priority: Elevated)

Why: The bill will demand named compliance officers, stronger board oversight, and qualified personnel responsible for AML, custody and reporting.

• Overnight: Appoint an interim Chief Compliance Officer (CCO) and an AML/BSA officer if you don’t already have them documented publicly. Add mandatory compliance training for all front‑office staff.
• 30 days: Expand headcount for compliance engineers, forensic analysts, and reporting technicians. Establish a regulatory program office that coordinates cross‑functional compliance projects.
• 90 days: Institutionalize reporting lines: Board risk committee charter updates, quarterly compliance attestations, and a certified compliance manual aligned to the draft bill’s language.

Hiring profile: Seek candidates with bank compliance experience, CFTC/SEC exposure, and engineers who have built financial reporting pipelines (trade surveillance, market abuse detection).

7) Operational risk controls and capital/insurance posture (Priority: Elevated)

Why: Expect minimum capital or reserve requirements and higher standards for insurance or customer restitution mechanisms after losses or thefts.

• Overnight: Reconcile insurance coverage; confirm and document the scope of policies for custodial loss, cyber incidents, and fraud.
• 30 days: Run scenario stress tests (hot‑wallet compromise, stablecoin bank run, settlement outage) and produce remediation plans.
• 90 days: Engage insurers for expanded coverage or consider a captive insurance vehicle. Prepare capital buffers to meet anticipated minimums outlined in the bill or in likely regulator guidance.

Practical templates and sample actions

Below are terse, actionable templates you can adapt immediately.

Sample policy amendment: Custody segregation (overnight)

"Effective immediately, all customer digital assets must be recorded in segregated trust ledgers and may not be used to fund corporate operations or margin positions. Any transfer from customer to corporate accounts must be approved by the CCO and recorded with dual signatures."

Sample tech checklist for reporting pipeline (first 30 days)

1. Verify system clocks across matching, custody, and API nodes against authoritative NTP sources.
2. Export last 90 days of orderbook and execution logs into an immutable S3 bucket with server‑side encryption.
3. Implement a mapping table to convert internal trade events to regulator schema (fields: event_id, order_id, client_id_hash, instrument_id, side, quantity, price, exec_timestamp, settlement_timestamp, fee, counterparty_id).
4. Establish secure delivery (SFTP + PGP) and a retry policy documented in an SOP.

2026 trends and how they change planning

Several trends through late‑2025 and early‑2026 shape the practical steps above:

• CFTC assertiveness: With the draft giving the CFTC spot jurisdiction, exchanges should expect derivatives‑grade surveillance requirements and market‑integrity standards.
• Stablecoin tightening: After 2025 federal stablecoin rules, banks and exchanges face stricter custody and earnings restrictions on dollar‑pegged tokens—expect required bank partnerships or trust charters.
• On‑chain analytics mainstreaming: Chain analytics vendors are now integrated into KYC/AML workflows; exchanges must operationalize these feeds in real time.
• Industry lobbying and transition windows: Ad hoc lobbying (see Coinbase’s high‑profile interventions) can change timing and text, but not the inevitability of requiring controls aligned to traditional financial firms.

What success looks like

Within 90 days, a compliant exchange will be able to demonstrate the following to an examiner:

• Segregated, auditable client asset ledgers and independent custody attestations.
• Operational AML/KYC systems that produce SARs automatically and block sanctioned flows in real time.
• Machine‑readable, end‑to‑end trade reporting with authenticated timestamps and replayable audit trails.
• Documented governance: named CCO, AML officer, board risk committee minutes, and periodic independent testing of controls.
• Robust resilience and incident response programs with recent test evidence.

Common pitfalls and how to avoid them

• Pitfall: Treating compliance as a checkbox. Fix: Embed AML/KYC and custody requirements in product design and release gates.
• Pitfall: Relying on vendors without validating data provenance. Fix: Contractually require auditability and log access; maintain in‑house forensic capability.
• Pitfall: Understaffing compliance engineering. Fix: Prioritize hiring compliance engineers and analysts with capital markets or payments expertise.

Quick decision matrix: Act now vs. wait

If you must triage scarce resources, use this simple matrix:

• Immediate (act now): Custody segregation, AML/KYC gates, logging/timestamping, appointing CCO/AML officer.
• Near term (30 days): Reporting ETL, blockchain analytics, expanded compliance headcount, DR tests.
• Medium term (90 days): Full custody redesign, licensing strategy execution, capital/insurance negotiations, external certification.

Closing: playbook for the first 7 days

Day 1-2: Publish interim custody and AML policy updates; appoint or confirm CCO and AML officer. Day 3-4: Lock down any risky fund movements; escalate high‑risk accounts. Day 5: Validate logging, NTP sync, and export recent trading data to an immutable store. Day 6-7: Run tabletop incident and SAR filing drills; create a regulator‑ready folder with the last 90 days of evidence.

Final thoughts

The draft 2026 rules are a pivot point: exchanges that move from aspirational compliance to institutional discipline will protect customers, maintain market access, and limit enforcement exposure. The checklist above is conservative—built around likely statutory outcomes and the operational expectations regulators set for traditional financial firms.

"Better to show regulators a working control with documented tests than a promising roadmap with no executable artifacts."

If your exchange team needs a starting point, copy and adapt the sample policy and reporting templates above tonight. Prioritize custody segregation, AML/KYC hardening and trade reporting; everything else is easier to build on that foundation.

Call to action

Start executing this checklist now: designate a small cross‑functional taskforce (legal, engineering, compliance, ops) and run a 7‑day sprint to deliver the overnight actions. If you want a tailored gap assessment against the draft bill's likely requirements, contact our editorial advisory team for a downloadable compliance playbook and vendor checklist.

Related Reading

• Audit‑Ready Text Pipelines: Provenance, Normalization and LLM Workflows for 2026
• Micro‑Forensic Units in 2026: Small Teams, Big Impact — Tools, Tactics and Edge Patterns
• Field Review: Best Hosted Tunnels & Low‑Latency Testbeds for Live Trading Setups (2026)
• Edge Storage for Small SaaS in 2026: Choosing CDNs, Local Testbeds & Privacy-Friendly Analytics
• Night‑Operations Playbook 2026: Fire Alarm Response, Portable Power, and On‑Call Workflows
• How to Build a Sports Betting Data Scraper and Validate AI Predictions with Historical NFL Data
• How to Hire for Cyber Resilience: Roles and Skills After Legacy Support Ends
• How to Spot a Good Refurbished Tech Deal for Parents — Headphones, Dumbbells, and More
• How to Archive and Share Your Animal Crossing Islands Before They Get Wiped
• Deal Alert: When to Pull the Trigger on EcoFlow’s Ending Flash Sale