On August 4, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice warning about increased illicit activity at convertible virtual currency (CVC) kiosks where fraudsters are exploiting the machines’ convenience and anonymity. While these self-service machines offer customers quick access to CVC, they also open new avenues for cybercrime, money laundering, and fraud—leaving financial institutions exposed to increased compliance and operational risks and potential reputational damage.
FinCEN’s notice underscores the need for financial institutions to train staff to recognize sophisticated risks and red flags, bolster transaction monitoring programs, and promptly file suspicious activity reports (SARs). This article will unpack FinCEN’s advisory, look at key emerging risks, and share targeted considerations to help community banks and other financial institutions stay resilient.
A Need for Vigilance
CVC kiosks are electronic terminals that enable customers to exchange fiat currency, e.g., U.S. dollar, for virtual currency, e.g., bitcoin, Ether, stablecoins, etc., and vice versa. In its 2024 Internet Crime Complaint Center (IC3) Report, the FBI reported it received more than 10,956 CVC kiosk-related complaints with victim losses reported at approximately $246.7 million—a 99% spike in incident totals and a 31% increase in dollar losses compared to 2023.
On a customer level, scammers are increasingly coercing elderly victims into transferring funds using QR codes linked to wallets they control. As the threats expand, undetected schemes not only expose the institution to supervisory scrutiny under the Bank Secrecy Act (BSA)/anti-money laundering (AML) framework but also have the ability to erode customer trust and prompt direct financial losses.
Risk & Red-Flag Considerations
To combat these emerging threats, the notice outlines red-flag indicators and reminds institutions of their BSA reporting obligations. By the nature of their operation, institutions have little control over these kiosks. Still, community banks must concentrate on identifying behavior patterns and ask the right questions for due diligence to protect their customers. While not a full list, the notice provides common red-flag indicators to help detect, prevent, and report suspicious activity. In addition, institutions are reminded to consider the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple red flags before determining if a behavior or transaction is suspicious or indicates illicit activity.
Creating kiosk-specific controls is not a one-time task. Institutions must meet these evolving and sophisticated threats with agile countermeasures. Periodic appraisals should measure the adequacy of thresholds, logic, and vendor due diligence, incorporating relevant scenarios and recent supervisory updates. Feedback loops driven by trends and gathered data enable continuous refinement to help keep controls dynamic and forward looking.
What Next?
Now that the information is out there, financial institutions must ask: What do we do now? The following items represent potential next steps as you look to refine your BSA/AML program to consider the potential risks of CVC kiosks.
- Apply targeted transaction monitoring rules that flag clients, particularly elderly clients, engaging in unordinary crypto-related activity.
- Set automated alerts for first-time crypto purchases, tiered velocity monitoring for repeated buys, and cross reference against known kiosk locations.
- Know how to identify and enhance due diligence on CVC kiosk operators by confirming money service business (MSB) registration status and looking at their AML-related policies and procedures before processing any related transactions, including potential nonregistered MSBs based on cash or network activity on the account.
- Require written proof of a license, on-site AML audits, and periodic compliance attestations tied to each kiosk operator.
- Leverage advanced analytics and integrate blockchain forensics to trace wallet-destination patterns and map fund flows to uncover layering across multiple decentralized finance protocols.
- Train branch staff to identify red flags, e.g., victims coached on fraudulent narratives, through scenario-based training and updated red-flag memos, and encourage employees to escalate ambiguous cases to leadership and/or the BSA/AML officer.
- Refine escalation protocols and explore 314(b) information sharing with peer institutions and law enforcement.
- Maintain a centralized incident tracking log with proactive monitoring to leverage noted trends and interbank intelligence to help identify emerging schemes.
Conclusion
The message is clear: financial crime is adapting, and so must we. Digital assets and CVC kiosks are here to stay—but so are the community bankers, bank leadership, and frontline staff that work each day to protect their customers. Taking proactive steps now can not only help you comply with regulations but also live up to your commitment to serve and protect our communities.
https://www.forvismazars.us/forsights/2025/08/fincen-notice-warns-of-emerging-risks-in-crypto-kiosks
Leave a Reply