ARTICLE
12 August 2025

FinCEN Addresses Increased Fraud Involving Convertible Virtual Currency Kiosks

PC
Perkins Coie LLP

Contributor

Perkins Coie LLP logo

Perkins Coie is a premier international law firm with over a century of experience, dedicated to addressing the legal and business challenges of tomorrow. Renowned for its deep industry knowledge and client-centric approach, the firm has consistently partnered with trailblazing organizations, from aviation pioneers to artificial intelligence innovators. With 21 offices across the United States, Asia, and Europe, and a global network of partner firms, Perkins Coie provides seamless support to clients wherever they operate.

The firm's vision is to be the trusted advisor to the world’s most innovative companies, delivering strategic, high-value solutions critical to their success. Guided by a one-firm culture, Perkins Coie emphasizes excellence, collaboration, inclusion, innovation, and creativity. The firm is committed to building diverse teams, promoting equal access to justice, and upholding the rule of law, reflecting its core values and enduring dedication to clients, communities, and colleagues.

Explore Firm Details
The Financial Crimes Enforcement Network (FinCEN) has issued a comprehensive notice clarifying the regulatory landscape for operators of convertible virtual currency (CVC) kiosks.
United States Technology
Joseph P. Cutler,J. Dax Hansen,James (Jim) Vivenzio
+1 Authors

Key Takeaways

The Financial Crimes Enforcement Network (FinCEN) has issued a comprehensive notice clarifying the regulatory landscape for operators of convertible virtual currency (CVC) kiosks. This notice is of particular importance to kiosk operators, as it not only reiterates the application of the Bank Secrecy Act (BSA) to these businesses but also provides detailed guidance on compliance expectations, risk factors, and enforcement priorities. The guidance is also directed towards banks that provide account services to CVC kiosk operators and describes red flags for identifying noncompliant CVC kiosk operators that may result in additional scrutiny and closer reviews of these account relationships. The notice states that fraud complaints involving crypto ATMs increased 99% between 2023 and 2024, with reported victim losses approximating $246 million. More than two of every three dollars reported lost to fraud using CVC kiosks was lost by an older adult. In the release accompanying the notice, FinCEN Director Andrea Gacki states that "the United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort."

FinCEN's notice is a clear signal that CVC kiosk operators are firmly within the scope of federal anti-money laundering (AML) regulations and that steps need to be taken by the industry to address this prolific increase in fraud by working in partnership with FinCEN. The unique risks posed by these kiosks require a tailored and vigilant approach to compliance. Operators must ensure that all aspects of BSA compliance are addressed, including:

  • Registration with FinCEN
  • Development of an AML program as required by the BSA
  • Know-your-customer and customer verification as required by the BSA
  • Transaction monitoring and reporting

The notice also points out that there are relevant state laws designed to deter illicit activity and protect consumers from fraud.

Regulatory Classification and Obligations

FinCEN's notice makes it unequivocally clear that most CVC kiosk operators are considered money transmitters under the BSA. This classification is based on the core function of these kiosks: accepting and transmitting value, whether in the form of virtual currency or fiat, on behalf of customers. As a result, most such operators are required to register as money services businesses (MSBs) with FinCEN. This registration is not a mere formality, as it triggers a host of ongoing compliance obligations that are central to the BSA's AML framework in addition to examinations by the Internal Revenue Service on behalf of FinCEN.

Many states have specific licensing requirements for CVC kiosk operators, and several states have kiosk-specific statutes that address both consumer protection and AML requirements. For example, California's Digital Financial Assets Law, among other requirements, prohibits kiosk operators from accepting or dispensing more than $1,000 in a day from or to a customer via a kiosk. See Cal. Fin. Code § 3902. Connecticut has a law that, among other things, requires kiosk operators to allow customers full refunds within 72 hours if the transaction is the customer's first transaction with the owner or operator and involves a wallet or exchange outside the United States. See, Conn. Gen. Stat. § 36a-613. In addition, some states have aggressively sought enforcement actions against noncompliant operators. For example, on February 26, 2025, the Iowa attorney general announced lawsuits against two CVC kiosk operators for alleged failures that allowed Iowans to be defrauded in violation of the Iowa Consumer Fraud Act. See, Iowa Office of the Attorney General, "Attorney General Bird Sues Crypto ATM Companies for Costing Iowans more than $20 Million." (Fed. 26, 2025). In addition, the California Department of Financial and Consumer Protection and the Connecticut Banking Commissioner have published enforcement cases brought against CVC kiosk operators.

AML Program Requirements

A central pillar of BSA compliance is the development and implementation of a written AML program that is tailored to the specific risks associated with CVC kiosks. Unlike traditional financial institutions, CVC kiosks present unique challenges due to their self-service nature, the potential for high transaction volumes, and the relative anonymity they can afford users. Therefore, operators must conduct a thorough risk assessment and design controls that address these specific vulnerabilities. This includes establishing robust, risk-based procedures for customer due diligence, ongoing transaction monitoring designed to detect and facilitate required reporting of suspicious user activity, and the identification and reporting of suspicious activity—all of which can be difficult to design and implement in the context of self-service kiosks. Operators are also expected to have effective know-your-customer procedures to enable verification of the identity of their customers as required under the BSA.

Reporting and Recordkeeping

CVC kiosk operators are subject to the same reporting requirements as other MSBs. This includes the obligation to file suspicious activity reports (SARs) for transactions that may involve money laundering, fraud, or other criminal conduct exceeding $2,000. Additionally, currency transaction reports (CTRs) must be filed for transactions exceeding $10,000 in a single day by or on behalf of the same person, and the financial institution must verify the identity of the individual processing the transaction. The notice underscores the importance of maintaining detailed records of all transactions, including customer identification information, transaction amounts, dates, and the nature of the transaction. These records must be retained for a minimum period as specified by the BSA and must be readily accessible for review by regulators or law enforcement.

Additional SAR Reporting Language Required

FinCEN's notice provides specific guidance regarding the content and language that financial institutions should include when filing SARs. A SAR should include a description of any red flags or indicators that prompted the filing, such as attempts to structure transactions, use of false identification, or patterns consistent with known typologies of money laundering or fraud. FinCEN also encourages operators to use the "Other" field in the SAR form to indicate that the report relates to a CVC kiosk transaction and to include relevant keywords such as "Convertible Virtual Currency," "CVC Kiosk," "Crypto ATM," or the specific virtual currency involved. This additional language helps FinCEN and law enforcement agencies more efficiently identify and analyze trends in suspicious activity related to virtual currency kiosks.

Risk Factors and Red Flags

The notice provides three categories of red flags for (1) operators of CVC kiosks regarding scam payments, (2) other financial institutions regarding use of CVC kiosks for scam payments, and (3) financial institutions identifying potentially noncompliant CVC kiosk owners/operators. Some of the common red flags identified by FinCEN for CVC kiosk operators include:

  • Structuring or smurfing. Customers attempt to evade reporting thresholds by conducting multiple transactions just below the reporting limit, either at a single kiosk or across multiple locations.
  • Customers with limited activity. Customers with limited or no transaction history make a substantial deposit that is rapidly transferred through multiple addresses, commingled with multiple other deposits, or swapped into a different CVC, or an older customer with no history of CVC-related activity conducts a high-value transaction or series of transactions.
  • Funnel arrangements. Multiple customers use CVC kiosks in geographically disparate locations to make deposits to the same CVC wallet over a short period of time while certifying that they are the owners of the wallet.
  • Same phone number. Multiple customer accounts are linked to the same phone number or CVC wallet address.
  • Blockchain analytics. Blockchain analytics indicate that a transaction is received by a CVC wallet that is identified or associated with fraud or other illicit activity, or with a financial institution that has been identified as associated with transnational criminal organizations perpetrating CVC investment scams.

When any of these red flags are observed, operators should document the details in the SAR narrative, including the specific behavior or pattern that raised suspicion. Providing this information helps FinCEN and law enforcement agencies better understand the context of the activity and enhances the effectiveness of the SAR in supporting investigations. Refer to the FinCEN notice for other red flags directed at other financial institutions, including banks that provide services to CVC kiosk operators.

Enforcement and Penalties

The notice pointedly emphasizes the consequences of noncompliance and provides a case study and other references to noncompliant operators that were criminally prosecuted. The case study and references serve as a warning that regulatory scrutiny of the CVC kiosk sector is increasing and that operators cannot afford to take a lax approach to compliance. The reputational and financial risks associated with enforcement actions can be severe, potentially threatening the viability of the business.

Practical Steps for Compliance

FinCEN's notice explains that crypto kiosks "are...exploited by illicit actors, including scammers" and recognized that "[t]he risk of illicit activity is exacerbated if CVC kiosk operators fail to meet their obligations under the Bank Secrecy Act." To meet their obligations, CVC kiosk operators should take a proactive approach to compliance. This begins with timely and accurate registration as an MSB with FinCEN and state licensure, as appropriate. If an operator is delinquent on registration either at the state or federal level, counsel should be consulted swiftly on navigating the appropriate outreach to relevant regulators. Operators must develop a risk-based AML program that is regularly reviewed, subjected to independent testing, and updated to reflect changes in the business or regulatory environment. Effective and thorough risk-assessment is a key foundation for designing (and defending, if necessary) an AML program. Staff training is also essential to ensure that employees understand their responsibilities and are equipped to identify and respond to suspicious activity.

Customer verification procedures should be robust, leveraging available technology to authenticate identification documents and monitor for suspicious patterns. Operators should implement systems for real-time transaction monitoring and ensure that all required reports are filed promptly. Regular internal audits can help identify and address compliance deficiencies before they become the subject of regulatory action.

In addition, CVC kiosk operators should consider taking specific steps to identify and address the red flags highlighted by FinCEN. These steps could include:

  1. Robust identification and verification for every transaction, which may include the submission of government issued identification and a social security number or other identifying number, as appropriate, in addition to a phone number that can be tied to the individual at the kiosk through the use of both geolocation tools and two-factor authentication to ensure the customer at the kiosk is who he or she is represented to be.
  2. The ability to block accounts that cannot be verified; that are tied to the same name, phone number, or address; that trigger Office of Foreign Assets Control sanctions alerts; or for which customers request repeated changes to their phone numbers or wallet addresses within designated time periods.
  3. The ability to promptly block wallet addresses associated with fraud, as fraudsters may perpetuate multiple, simultaneous frauds against other customers using that same wallet.
  4. Surveillance photos and capabilities that enable the operator to compare the photograph on the identification document to the person standing at the kiosk. In particular, if the person is elderly and speaking to someone on the phone or engaging in a large transaction for the first time, steps may be necessary to intervene to effectively prevent fraud.
  5. Automated suspicious activity monitoring and blockchain analytics to identify typologies and suspicious wallet addresses, as well as regular testing and recalibration of such screening. Resulting SAR filings should include the required language set forth in the notice.
  6. Compliance controls that can aggregate transactions involving the same customer that may use multiple kiosks in a single day and exceed the $10,000 threshold for filing CTRs.
  7. Enhanced due diligence processes at certain thresholds that require customers to provide account statements or other evidence of the source of funds, in addition to other know-your-customer information.
  8. Cyclical analysis of anti-scam efforts and whether they effectively address evolving scam techniques. Importantly, operators should continuously analyze fraud and scam methodologies and adapt their detection and prevention mechanisms to address them.

Conclusion

FinCEN's notice is an initial attempt to address the significant increase in fraud—including increasingly egregious fraud perpetrated on vulnerable populations, such as the elderly—attributed to these CVC kiosks and a call by FinCEN to partner with this industry to address this problem. CVC kiosk operators should take note of the changing regulatory environment, the changes in state laws directly targeting CVC kiosk operators, and the increase in regulatory enforcement and take these matters seriously. The consequences of noncompliance are significant, making it imperative for operators to invest in robust compliance infrastructure and to foster a culture of compliance throughout their organizations. Regular review and adaptation of compliance practices, in light of evolving risks and regulatory expectations, are essential to maintain good standing with regulators and safeguard the business against legal and financial jeopardy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Joseph P. Cutler
Joseph P. Cutler
Photo of J. Dax Hansen
J. Dax Hansen
Photo of Jamie Schafer
Jamie Schafer
Photo of James (Jim) Vivenzio
James (Jim) Vivenzio
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More