FinCEN’s Focus on Cryptocurrency Kiosks and Financial Crime

Ballard Spahr LLP

On August 4, 2025, the Financial Crimes Enforcement Network (“FinCEN”) issued Notice FIN-2025-NTC1 (the “Notice”) to address mounting concerns over regulatory risks related to convertible virtual currency (“CVC”) kiosks, also known as cryptocurrency ATMs. This action is part of a broader response to the rise in money laundering, fraud, and other financial crimes linked to digital assets.

What Are CVC Kiosks? How Do They Work?

CVC kiosks are terminals that allow customers to exchange physical cash for cryptocurrencies such as Bitcoin or Ethereum. Their popularity has accelerated due to their user-friendly interfaces and widespread presence in public venues like convenience stores and supermarkets. Typically, a transaction begins with customer identification, ranging from providing basic details like a phone number to scanning a government-issued ID, depending on the kiosk operator’s compliance protocols. After verification, users enter or scan their personal crypto wallet address so the purchased funds can be transferred directly. Payment is settled either by depositing cash into the machine or using card payment options available at certain kiosks. These devices may connect in real time with online cryptocurrency exchanges or use pre-loaded inventories managed by operators.

While convenient access through high-traffic retail locations benefits legitimate consumers, including those who might otherwise avoid digital assets, the relative anonymity of CVC kiosk transactions and lower oversight compared to bank branches create significant opportunities for criminal misuse.

Why Is FinCEN Focusing on These Kiosks Now?

FinCEN has observed sharp increases in consumer complaints and financial losses associated with CVC kiosk-related scams. In 2024 alone, the FBI’s Internet Crime Complaint Center recorded over 10,956 complaints involving these machines, a year-over-year surge of nearly 99%, with aggregate victim losses approaching $246.7 million (an increase of about 31%). This pattern extends beyond consumer fraud. Criminal organizations such as Cartel Jalisco Nueva Generación have embraced virtual currencies for their rapid global transferability and for an anonymity that is unavailable through traditional banking channels.

These trends intersect with this administration’s priorities around anti-money laundering (“AML”) and countering terrorist financing (“CTF”): protecting vulnerable populations from fraud, disrupting cyber-enabled crime, and intercepting organized crime-driven money laundering activities.

Key Risks Identified by FinCEN

The Notice highlights several major risks linked to CVC kiosk usage. Organized crime groups increasingly exploit these terminals as alternatives to conventional cash-based schemes, particularly in U.S. cities that have become hotspots for laundering proceeds through local kiosks instead of banks, because kiosk transactions are faster and more difficult for authorities to monitor effectively. Vulnerable populations are especially at risk: FinCEN states that nearly two-thirds of scam-related losses involve individuals aged sixty or older. Many attacks begin with phone-based deception before victims are remotely guided through withdrawal processes at kiosks.

Prevalent scams exploiting CVC kiosks include tech support frauds, in which victims are told their computer is infected and instructed to pay via Bitcoin ATMs using QR codes supplied by scammers; government impostor schemes, which invent fake tax liabilities payable only through kiosk deposits; romance scams, which manipulate targets into sending cryptocurrency under false pretenses built on fabricated relationships; and lottery hoaxes, which promise non-existent prizes contingent upon upfront payments made through crypto transfers at kiosks.

Regulatory Requirements

FinCEN reminds operators that they must register as Money Services Businesses (“MSBs”), comply fully with Bank Secrecy Act (“BSA”) obligations, including robust AML protocols, and maintain proper recordkeeping standards before operating any CVC kiosk business. Operators need strong Know Your Customer (“KYC”) procedures so customers can be properly identified, a critical measure against the anonymous abuse that facilitates illicit activity. In addition, ongoing monitoring for suspicious activity is required; this includes filing Suspicious Activity Reports (“SARs”) when detecting patterns such as structured deposits just below reporting thresholds or rapid withdrawals indicative of potential money laundering efforts.

Regular audits and compliance reviews are essential since lapses expose operators not only to civil penalties but potentially criminal liability under federal law. Common compliance failures include inadequate customer verification procedures; poor retention of documentation; marketing strategies promoting “no-ID required” features contrary to regulations; lack of state licensure; or use of fraudulent business identities or accounts, all vulnerabilities that regulatory authorities scrutinize closely.

Practical Guidance

To help detect suspicious activity involving CVC kiosks, the Notice outlines key red flags:

  1. Customers structuring payments just below reporting thresholds using multiple accounts or kiosks.
  2. Unusually high-value transactions from customers lacking transaction history, with rapid movement across wallets or currencies.
  3. Multiple interconnected accounts, phone numbers, or wallet addresses used across geographically distant locations.
  4. Transactions sent directly to wallets flagged by blockchain analysis as tied to scams, illicit conduct, or investment fraud institutions.
  5. Elderly customers conducting large transactions after remote direction, often following significant cash withdrawals.
  6. Operators running without appropriate federal or state registration.
  7. Advertising minimal or no-ID requirements despite regulatory mandates regarding identification/documentation collection practices.

FinCEN reminds financial institutions to file SARs whenever they identify these indicators, even if supporting evidence is limited at the outset. All SAR filings must be securely retained for at least five years after submission, in accordance with BSA requirements and under strict access controls to protect sensitive information. Section 314(b) of the USA PATRIOT Act also permits voluntary sharing of this information among authorized organizations engaged in efforts to disrupt terrorist financing and money laundering networks globally.

Looking Ahead

The issuance of this Notice signals intensifying regulatory scrutiny, prompted not just by rising incidents but also by control gaps among certain market participants that operate outside the robust standards expected in the digital asset sector today.

As digital asset transactions expand, it is important for banks, cryptocurrency platforms, fintech companies, and kiosk operators to proactively integrate FinCEN’s red flag indicators and enhance AML/CFT protocols. Doing so helps safeguard clients while meeting legal obligations and promoting trust within the sector. Consumers are also encouraged to be aware of potential risks associated with using CVC kiosks until industry-wide protections are strengthened.
