On August 4, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a notice warning about increased illicit activity at convertible virtual currency (CVC) kiosks where fraudsters are exploiting the machines’ convenience and anonymity. While these self-service machines offer customers quick access to CVC, they also open new avenues for cybercrime, money laundering, and fraud—leaving financial institutions exposed to increased compliance and operational risks and potential reputational damage.
Even if institutions choose not to provide banking services to these businesses, the guidance highlights key risks and red flags that institutions should be aware of regarding this emerging technology and the potential for fraud or money laundering.
FinCEN’s notice underscores the need for financial institutions to train staff to recognize sophisticated risks and red flags, bolster transaction monitoring programs, and promptly file suspicious activity reports (SARs). This article will unpack FinCEN’s advisory, look at key emerging risks, and share targeted considerations to help community banks and other financial institutions stay resilient.
A Need for Vigilance
FinCEN’s notice alerts financial institutions about the heightened risks posed by CVC kiosks and urges them to be vigilant in identifying and reporting related suspicious activity. In particular, the alert highlights that older adults are being disproportionately targeted through impostor schemes using these kiosks as a payment portal. What are these kiosks and how are bad actors using them?
CVC kiosks are electronic terminals that enable customers to exchange fiat currency, e.g., U.S. dollar, for virtual currency, e.g., bitcoin, Ether, stablecoins, etc., and vice versa. Whereas traditional automated teller machines (ATMs) enable a customer to deposit or withdraw cash from their bank account, CVC kiosks enable customers to buy or sell CVC from a cryptocurrency wallet or exchange. Not a new mechanism, the guidance issued on the CVC kiosks dates back to 2013; however, the rapidly expanding and evolving digital assets landscape has brought them into focus with more than 37,000 kiosks reportedly in operation today. In its 2024 Internet Crime Complaint Center (IC3) Report, the FBI reported it received more than 10,956 CVC kiosk-related complaints with victim losses reported at approximately $246.7 million—a 99% spike in incident totals and a 31% increase in dollar losses compared to 2023.
CVC kiosks offer a rapid, user-friendly gateway to digital assets, but their convenience, anonymity, and limited transaction oversight make them prime targets for fraud and money laundering. The fraudsters behind these schemes aren't just anonymous hackers. Transnational criminal organizations, including drug cartels, are using kiosks to launder proceeds and move funds across borders quickly.
On a customer level, scammers are increasingly coercing elderly victims into transferring funds using QR codes linked to wallets they control. As the threats expand, undetected schemes not only expose the institution to supervisory scrutiny under the Bank Secrecy Act (BSA)/anti-money laundering (AML) framework but also have the ability to erode customer trust and prompt direct financial losses.
From anonymity of services that obscures the origins of funds to near-instant transfers that outpace legacy monitoring systems, emerging digital channels can amplify vulnerabilities if left unmonitored. With the digital asset ecosystem becoming more complex and showing no signs of slowing, institutions must be mindful of key risks and red flags surrounding these activities and build proactive defenses to help deter and detect illicit behaviors.
Risk & Red-Flag Considerations
To combat these emerging threats, the notice outlines red-flag indicators and reminds institutions of their BSA reporting obligations. By the nature of their operation, institutions have little control over these kiosks. Still, community banks must concentrate on identifying behavior patterns and ask the right questions for due diligence to protect their customers. While not a full list, the notice provides common red-flag indicators to help detect, prevent, and report suspicious activity. In addition, institutions are reminded to consider the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple red flags before determining if a behavior or transaction is suspicious or indicates illicit activity.
At the program level, a steadfast approach to risk governance is imperative, particularly as risks expand and become more sophisticated. CVC kiosk-specific scenarios and alerts should be applied into the risk governance framework. That includes refining real-time monitoring with tiered thresholds to detect structuring, notably across multiple machines or with respect to rapid transactions. Alert logic should incorporate geographic and velocity risk factors to flag high-risk jurisdictions or suspicious IP activity. Where SARs are required for kiosk-related matters, the file should explicitly cite “FIN-2025CVCKIOSK” in Field 2 and within the narrative to aid in FinCEN’s aggregate data to identify emerging typologies across the industry.
Creating kiosk-specific controls is not a one-time task. Institutions must meet these evolving and sophisticated threats with agile countermeasures. Periodic appraisals should measure the adequacy of thresholds, logic, and vendor due diligence, incorporating relevant scenarios and recent supervisory updates. Feedback loops driven by trends and gathered data enable continuous refinement to help keep controls dynamic and forward looking.
What Next?
Now that the information is out there, financial institutions must ask: What do we do now? The following items represent potential next steps as you look to refine your BSA/AML program to consider the potential risks of CVC kiosks.
- Apply targeted transaction monitoring rules that flag clients, particularly elderly clients, engaging in unordinary crypto-related activity.
- Set automated alerts for first-time crypto purchases, tiered velocity monitoring for repeated buys, and cross reference against known kiosk locations.
- Know how to identify and enhance due diligence on CVC kiosk operators by confirming money service business (MSB) registration status and looking at their AML-related policies and procedures before processing any related transactions, including potential nonregistered MSBs based on cash or network activity on the account.
- Require written proof of a license, on-site AML audits, and periodic compliance attestations tied to each kiosk operator.
- Leverage advanced analytics and integrate blockchain forensics to trace wallet-destination patterns and map fund flows to uncover layering across multiple decentralized finance protocols.
- Train branch staff to identify red flags, e.g., victims coached on fraudulent narratives, through scenario-based training and updated red-flag memos, and encourage employees to escalate ambiguous cases to leadership and/or the BSA/AML officer.
- Refine escalation protocols and explore 314(b) information sharing with peer institutions and law enforcement.
- Maintain a centralized incident tracking log with proactive monitoring to leverage noted trends and interbank intelligence to help identify emerging schemes.
Conclusion
The message is clear: financial crime is adapting, and so must we. Digital assets and CVC kiosks are here to stay—but so are the community bankers, bank leadership, and frontline staff that work each day to protect their customers. Taking proactive steps now can not only help you comply with regulations but also live up to your commitment to serve and protect our communities.
For more information or questions on BSA/AML guidance, please reach out to a professional at Forvis Mazars.