Crypto Compliance for ATMs: Opportunities and Challenges
Updated: Mar 15
For years, automated teller machines (“ATMs”) have been a service provided exclusively by traditional financial institutions; more recently, however, their use has been adapted to the crypto space. These stand-alone electronic kiosks allow users to buy and sell cryptocurrency in exchange for cash or with a debit card. Certain providers support only one asset (e.g. bitcoin), while others support a variety -- a good example being Coinstar, a company known for its coins-for-cash service.
Crypto ATMs are often more accessible to new crypto users than other methods -- users can be onboarded into the crypto space within minutes.
And the numbers back this up: investment firms have more recently focused on crypto ATM companies. As of 2022, the global crypto ATM market was valued at USD 116.7 million and is expected to grow at a 62.5% compound annual growth rate between 2023 and 2030.
In this post, we'll explore some of the unique compliance risks crypto ATM operators face, and we'll provide some controls to help mitigate them.
Are crypto ATMs regulated?
As with regulation of the crypto industry in general, regulation of crypto ATMs is evolving. The US was one of the first countries to articulate guidance around the topic: in 2013, the US Treasury's Financial Crimes Enforcement Network ("FinCEN") released guidance defining three primary categories of "persons creating, obtaining, distributing, exchanging, accepting, or transmitting virtual currencies": (a) users; (b) exchangers; and (c) administrators. Crypto ATMs fall into the second category -- exchangers -- as they are "engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency." Consolidating guidance released by FinCEN in 2019 later more clearly articulated this stance.
What are the potential risks associated with operating a crypto ATM?
While crypto ATMs reduce some of the barriers for users getting started in the crypto space, they also present unique risks. In a 2019 advisory, FinCEN notes the many ways crypto ATM operators can fall short of meeting -- or even make a willful effort to evade -- AML obligations, including:
assisting in structuring transactions
failing to collect and retain required customer identification information
operating an unregistered crypto ATM business
failing to implement proper monitoring of transactions for suspicious activity, particularly those that take place across multiple crypto ATMs operated by the same company
Of the illicit activity originating from crypto ATMs in 2022, most was sent to addresses associated with scams, fraud shops, and darknet markets. At least $35.3 million was sent to scammers using crypto ATMs, with victims primarily comprising individuals new to cryptocurrency and not technologically adept.
As a prime example, on March 6, 2023, bitcoin technology firm Bitcoin of America and three of its executives were charged with money laundering, conspiracy, and other crimes related to operating more than 50 unlicensed cryptocurrency kiosks in Ohio. The kiosks allegedly knowingly benefited from victims of cryptocurrency scams, with the firm pocketing a 20% transfer fee each time a scam occurred. Romance scammers, law enforcement impersonators, and “robocallers” exploited the lack of anti-money laundering ("AML") protections in the firm’s systems to transfer funds out of users’ crypto wallets.
How can a crypto ATM operator mitigate financial crime risks?
Crypto ATMs operating in the US must be registered as money service businesses (“MSBs”) with FinCEN and must comply with the Bank Secrecy Act ("BSA"). Obligations include:
Registering with FinCEN and renewing registration per FinCEN's schedule.
Conducting an enterprise-wide risk assessment to identify the specific areas of vulnerability and where controls would make the most mitigating impact.
Establishing a written AML program that details the company's policies and procedures, program governance and oversight structure, employee training program, customer due diligence ("CDD") processes, and approach to independent program testing.
Implementing proper Know Your Customer (“KYC”) controls, including requesting basic information (e.g. full legal name, physical address, email address, wallet address) in addition to something to verify that identity (e.g. biometric fingerprint/face scan, government-issued ID upload).
Monitoring and reporting suspicious activity to ensure the detection and alerting of high-risk transactions, transactions involving stolen cryptocurrency, and crypto ATM-specific typologies (such as structuring across multiple ATM kiosks).
Submitting currency transaction reports ("CTRs") for any cash transactions over $10,000 conducted by, or on behalf of, one person, as well as multiple currency transactions that aggregate to be over $10,000 in a single day.
This is a joint article between María Fernanda Risco and María Fernanda Romero, Associates at Canaria Consulting, LLC.
Bibliography
Wade, Jacob. (August 18, 2022). Crypto ATMs
Grand View Research. (2022). Global Crypto Market Analysis Report.
Whalen, Michael. (May 16, 2018). So You Want to Put a Bitcoin ATM in a Coffee Shop.
FinCEN. (2023). BSA Requirements for MSBs
Chainalysis. (2023). The 2023 Crypto Crime Report.
Ciphertrace (2023). Bitcoin ATM Anti-Money Laundering Kiosk Compliance