.svg)
Financial institutions must be vigilant in monitoring virtual currency kiosks for suspicious activity, the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has warned.
In a notice issued on August 4, 2025, FinCEN said that while convertible virtual currency
(CVC) kiosks, sometimes known as crypto ATMs, can be a simple and convenient way for consumers to access virtual currency, they can also be exploited by scammers and other illicit actors for the same reasons.
The watchdog reminded financial institutions of their reporting requirements under the Banking Secrecy Act (BSA) and highlighted the role of CVC kiosks in money laundering.
“Illicit activity involving CVC kiosks is linked to fraud, certain types of cybercrime, and drug trafficking organization activity, which are three of FinCEN’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) National Priorities,” said the notice.
Red flags
The notice detailed a number of red flags for CVC kiosk operators, including customers making multiple payments just below suspicious activity reporting threshold, or cash deposits just beneath the Currency Transaction Report (CTR) threshold or the kiosk’s daily withdrawal limit.
Multiple customers using CVC kiosks in geographically disparate locations to make deposits to the same CVC address over a short period of time while certifying that they are the owners of the deposit address and multiple customer accounts or transactions being linked to the same phone number or CVC wallet address were also deemed suspicious.
It also detailed red flags for other financial institutions on the use of CVC kiosks for scam payments, such as an older customer with no history of CVC-related activity conducting a high-value transaction or series of transactions with a CVC kiosk operator.
The regulator further flagged what financial institutions should be looking for when identifying potentially non-compliant CVC kiosk owner-operators such as someone operating a CVC kiosk business that advertises the ability for customers to conduct transactions without identification, or with only a phone number or email address.
Racing to keep up
The notice underlines the extent to which criminals are putting virtual currencies to illicit use and regulators racing to keep pace with them.
The note comes just weeks after the UK’s Financial Conduct Authority (FCA) seized seven crypto ATMs and arrested two people on suspicion of money laundering. Crypto ATMs are illegal in the UK and New Zealand.
In the US some states have imposed limits on withdrawals and toughened supervision of crypto ATMs.
For example, in California from January 1, 2024 the Digital Financial Assets Law requires kiosk operators to provide a list of kiosk locations to the authorities, comply with daily transaction limits and provide receipts to customers with specified information for any transaction made at the operator’s kiosks.
In Nebraska, meanwhile, the Controllable Electronic Record Fraud Prevention Act requires asset ATM and kiosk operators to be licensed, registered and approved, and operators must provide quarterly reports on kiosk locations, names and transactions.
The Act caps transactions at $2,000 per day for new users and $5,000 per day for existing customers, with fees not permitted to exceed 18 percent of the transaction value, while kiosk operators must display fraud warnings and appoint a compliance officer to enforce fraud prevention measures.
FinCEN’s warning also tells providers that FinCEN is alert to potential abuses of digital assets. This means they must ensure they are fully compliant with the regulatory regime and are not running the risk of enabling criminal activity.
