SAMPLE REPORT — Based on a representative digital asset exchange profile. Your Snapshot maps your specific entity, licenses, and activities.
CONFIDENTIAL
DAC
DIGITAL ASSET COMPLIANCE
READINESS SNAPSHOT
Prepared for
Sample Company, Inc.
New York, NY
Report Date: March 2026
Engagement Reference: DAC-SAMPLE-001
Classification: Client Confidential
DA Compliance LLC
hello@dacompliance.com | dacompliance.com
DAC provides mapped applicability and readiness analysis, not legal conclusions or guarantees of compliance.
Section 1
Executive Summary
DA Compliance LLC conducted a Readiness Snapshot assessment of Sample Company, Inc., a New York-based cryptocurrency exchange operating as a registered Money Services Business with a NYDFS BitLicense and money transmitter licenses in 13 states. The assessment mapped the Company's regulatory exposure across applicable federal, state, and supervisory frameworks based on intake questionnaire responses and documented operational activities including exchange, custody, fiat on-ramp, and institutional services.
Applicable Regulators: 6
Requirements Mapped: 87
Findings Identified: 12
HIGH Severity: 5

HIGH: 5 findings, immediate action required
MEDIUM: 5 findings, action within 30-90 days
LOW: 2 findings, improve within quarter
Five findings require immediate attention. The Company's BSA/AML program lacks independent testing within the required timeframe. OFAC screening is executed post-trade rather than pre-execution, creating sanctions exposure on every transaction. The NYDFS Part 500 MFA requirement has not been extended to all users as required by the November 2025 expansion. Transaction monitoring rule tuning documentation is incomplete, and the Part 500 annual certification evidence package has gaps that could result in a deficient filing before the April 15, 2026 deadline.
Assessment Period: February 2026 – March 2026
Report Date: March 2026
Methodology: DAC Regulatory Logic Mapping (Hierarchy of Authority, 4-tier classification)
This Snapshot is a readiness diagnostic, not a legal opinion or compliance certification.
Section 2
Regulatory Perimeter
| Regulator | Basis of Jurisdiction | Requirements | Key Frameworks |
| --- | --- | --- | --- |
| FinCEN (BSA/AML) | 31 CFR Chapter X | 21 | BSA/AML Program, SAR/CTR Filing, Travel Rule, CDD |
| OFAC (Sanctions) | Executive Orders, IEEPA | 16 | SDN Screening, Blocked Property, Sanctions Compliance |
| NYDFS (BitLicense & Part 500) | 23 NYCRR 200, 23 NYCRR 500, 3 NYCRR 504 | 24 | BitLicense Operations, Part 500 Cybersecurity, Part 504 TM |
| State MTL (Multi-State) | State money transmitter statutes | 18 | License Maintenance, Surety Bonds, Net Worth |
| SEC (Anti-Fraud) | Securities Exchange Act §10(b), Rule 10b-5 | 2 | Anti-Fraud, Market Manipulation Prevention |
| CFPB (Consumer Financial Protection) | 12 CFR 1005 (Regulation E) | 6 | Reg E Disclosures, Error Resolution, UDAAP |
2.1 Entity Profile
Legal Name: Sample Company, Inc.
Entity Type: Money Services Business — Cryptocurrency Exchange
State of Formation: Delaware
FinCEN Registration: Registered MSB (FinCEN)
State Licenses: NYDFS BitLicense; MTL in 13 states
Principal Office: New York, NY
Core Activities: Cryptocurrency exchange, digital asset custody, fiat on-ramp, institutional OTC
Approximate Users: 85,000 retail; 120 institutional
Employees: 45
2.2 Regimes Assessed as Not Applicable
OCC — The Company is not a national bank, federal savings association, or federally chartered trust company. OCC does not have supervisory jurisdiction over state-chartered MSBs.
CFTC (Full Jurisdiction) — The Company does not offer derivatives, futures, swaps, or leveraged trading products. CFTC commodity oversight applies to the token classification framework but full registration requirements do not apply absent derivatives activity.
Note: If the Company introduces leveraged or margin trading, CFTC registration as a Swap Dealer or FCM may be required. Evaluate with counsel before product launch.
Section 3
Key Findings
The following findings were identified through deterministic mapping of the Company's intake responses against the applicable regulatory requirements. Each finding is cited to the specific regulatory provision that establishes the requirement.
HIGH: Direct regulatory violation or material gap cited in examination. Immediate remediation required.
MEDIUM: Incomplete implementation or documentation gap. Would likely result in MRA. Action within 30-90 days.
LOW: Minor gap or best-practice recommendation. Would be noted but not cited as formal finding.
This sample shows 2 of 12 findings. Your Readiness Snapshot includes all findings applicable to your regulatory perimeter.
F-001: BSA/AML Program — Independent Testing Overdue [HIGH]
Citation: 31 CFR 1022.210(c)
Finding
The Company's BSA/AML program requires independent testing by qualified personnel. The Company reported that its last independent AML test was conducted in September 2024 — over 18 months ago. For MSBs with the Company's transaction volume and risk profile, FinCEN examination guidance expects independent testing at least annually. The gap between the last test and present represents a material deficiency that would be cited in a FinCEN examination.
Remediation
Engage an independent third party with digital asset AML expertise to conduct a comprehensive BSA/AML program test. The test scope must include: transaction monitoring effectiveness, SAR filing timeliness, sanctions screening coverage, Travel Rule compliance, and CDD/EDD procedures. Address all findings within 90 days of the test report.
Full analysis available in your Readiness Snapshot
F-003: NYDFS Part 500 — MFA Not Extended to All Users [HIGH]
Full analysis available in your Readiness Snapshot
F-004: NYDFS Part 500 — Annual Certification Evidence Gaps [HIGH]
Citation: 23 NYCRR 500.17(b)
Finding
The Company's Part 500 annual certification is due April 15, 2026. The Company reported that its certification preparation relies on informal evidence collection rather than a structured assessment. Several Part 500 controls lack documented evidence of implementation, including the dynamic asset inventory requirement (500.13), access privilege review (500.7), and risk assessment update (500.9). Filing a certification without adequate supporting evidence could constitute a false filing.
Remediation
Conduct a pre-certification gap assessment against all Part 500 requirements. For each control, compile documented evidence of implementation (policies, configuration screenshots, audit logs, test results). Remediate any control gaps before the April 15 filing deadline. Retain all evidence for a minimum of 5 years per NYDFS examination expectations.
Full analysis available in your Readiness Snapshot
F-010: Market Surveillance — No Manipulation Detection System [MEDIUM]
Full analysis available in your Readiness Snapshot
F-011: Governance — Risk Committee Meets Ad Hoc [LOW]
Full analysis available in your Readiness Snapshot
F-012: Vendor Risk Management — No Formal Assessment Framework [LOW]
Full analysis available in your Readiness Snapshot
Section 4
Remediation Priority Matrix
The following matrix summarizes all findings in priority order.
| ID | Area | Severity | Citation | Timeline |
| --- | --- | --- | --- | --- |
| F-001 | BSA/AML Independent Testing | HIGH | 31 CFR 1022.210(c) | Immediate |
| F-002 | OFAC Screening Gap | HIGH | OFAC Framework (May 2019) | Immediate |
| F-003 | NYDFS MFA | HIGH | 23 NYCRR 500.12(a) | Immediate |
| F-004 | Part 500 Certification | HIGH | 23 NYCRR 500.17(b) | Immediate |
| F-005 | Transaction Monitoring | HIGH | 3 NYCRR 504.3 | 30 Days |
| F-006 | EDD Program | MEDIUM | 31 CFR 1010.610 | 30 Days |
| F-007 | Travel Rule | MEDIUM | 31 CFR 1010.410(f) | 30 Days |
| F-008 | Asset Inventory | MEDIUM | 23 NYCRR 500.13(a) | 60 Days |
| F-009 | Key Management | MEDIUM | 23 NYCRR 200.9 | 60 Days |
| F-010 | Market Surveillance | MEDIUM | Rule 10b-5 | 60 Days |
| F-011 | Risk Committee | LOW | 23 NYCRR 500.4(a) | 90 Days |
| F-012 | Vendor Risk Mgmt | LOW | 23 NYCRR 500.11 | 90 Days |
Full priority matrix available in your Readiness Snapshot
Section 5
NYDFS Part 500 Annual Certification — April 15, 2026
Certification Deadline: April 15, 2026
The Company holds a NYDFS BitLicense and is subject to the Part 500 annual cybersecurity certification requirement. The certification for calendar year 2025 is due by April 15, 2026. The CISO must certify that the Company has materially complied with Part 500 requirements throughout the preceding year. Filing a certification without adequate supporting evidence could constitute a false filing under New York law.
| ID | Requirement | Status | Impact |
| --- | --- | --- | --- |
| F-003 | 23 NYCRR 500.12(a) — MFA for All Users | NOT MET | MFA not extended to all users. Cannot certify material compliance with 500.12(a). |
| F-004 | 23 NYCRR 500.17(b) — Certification Evidence | AT RISK | Evidence package incomplete. Risk of unsupported certification filing. |
| F-008 | 23 NYCRR 500.13(a) — Dynamic Asset Inventory | NOT MET | Static spreadsheet does not satisfy dynamic inventory requirement. |
| F-011 | 23 NYCRR 500.4(a) — CISO Reporting | AT RISK | Ad hoc risk committee may lack documented CISO annual report. |
Prioritize remediation of F-003 (MFA) and F-004 (certification evidence) before the April 15 deadline. For F-008 (asset inventory), document the current state and planned migration to a dynamic system as part of the certification narrative.
Section 6
Methodology
6.1 Hierarchy of Authority
DAC classifies regulatory requirements using a four-tier Hierarchy of Authority that reflects how examiners weight findings:
CLARITY Act (pending Senate), SEC digital asset safe harbor proposals, State digital asset framework harmonization efforts
6.2 Requirement Classification
Each requirement in the DAC database is classified by type: Statutory (codified in law), Regulatory (agency regulation), Exam (examination expectation), Enforcement (derived from enforcement actions), and Guidance (agency guidance documents). All classifications are mapped to primary source documents.
6.3 Scope & Limitations
This assessment is based on the Company's responses to the DAC Stage 1 and Stage 2 intake questionnaires. DAC did not independently verify the accuracy of the Company's representations. Findings reflect the state of the compliance program as described by the Company during the assessment period.
DAC provides mapped applicability and readiness analysis, not legal conclusions or guarantees of compliance. This report should be reviewed with the Company's legal counsel before making compliance decisions.
Section 7
Next Steps
1. Immediate (This Week)
F-001: Engage independent firm for comprehensive BSA/AML program test covering transaction monitoring, sanctions screening, SAR filing, Travel Rule, and CDD/EDD.
F-010: Implement market surveillance system for wash trading, spoofing, and layering detection.
4. Within 90 Days
F-011: Establish regular risk committee meeting schedule (quarterly). Document agendas, minutes, and ensure written CISO annual report.
F-012: Develop vendor risk management policy covering due diligence, risk tiering, contractual requirements, and ongoing monitoring.
100% CREDIT-BACK GUARANTEE
Your entire $5,000 Snapshot fee is credited toward your first annual DAC Platform subscription if signed within 30 days of this report.
The DAC Platform keeps your regulatory map current with ongoing monitoring, self-assessment tools, and monthly compliance alerts.
✓ Built by compliance and audit practitioners with over a decade of experience across the digital asset space, banking, and the broader financial markets.
✓ Every Snapshot is reviewed by a practitioner before delivery.
✓ DAC maps requirements using a 4-tier Hierarchy of Authority — from binding statute through enforcement-informed expectations.
1. Scoping form — 2 minutes. Entity type, licenses, and key activities.
2. Customized questionnaire — 15-20 minutes. Tailored to your regulatory perimeter.