On August 4, 2025, FinCEN issued Notice FIN-2025-NTC1 to alert financial institutions to the escalating misuse of convertible virtual currency (CVC) kiosks, commonly referred to as crypto ATMs, for illicit purposes. These kiosks, often located in convenience stores, gas stations, and other high-traffic public venues, allow customers to exchange cash for cryptocurrency and vice versa. While serving legitimate payment and remittance needs, they have increasingly become a conduit for scams, money laundering, and other financial crimes. The notice underscores institutions’ obligations under the Bank Secrecy Act (BSA) and calls for enhanced monitoring, due diligence, and suspicious activity reporting to address the emerging risks.
The growth in criminal exploitation is both rapid and substantial. In 2024, the FBI’s Internet Crime Complaint Center (IC3) recorded over 10,956 CVC kiosk-related complaints, with reported losses totaling approximately $246.7 million. This reflects a 99% surge in complaint volume and a 31% rise in losses compared to the prior year. A significant share of these incidents stemmed from schemes such as fraudulent tech support services, impersonation of banks or government agencies, and fabricated customer service claims. Older adults remain disproportionately targeted, victims aged 60 or above were more than three times as likely to report losses than younger individuals, accounting for nearly two-thirds of the total financial harm.
Beyond fraud, CVC kiosks have emerged as an attractive mechanism for laundering illicit proceeds. FinCEN highlights their increasing use by drug trafficking organizations and other transnational criminal groups seeking to obscure the source of funds. These vulnerabilities are exacerbated by compliance failures among some kiosk operators, including failure to register as money services businesses (MSBs), absence of effective anti-money laundering/counter-terrorist financing (AML/CFT) programs, inadequate customer identification practices, and deliberate misrepresentation of business activities to financial institutions.
To assist detection, FinCEN identifies several red-flag indicators. These include structured cash deposits just below reporting thresholds, multiple small transactions conducted across different kiosks or accounts but converging on the same CVC wallet, unusual transaction activity by older or inexperienced customers under apparent third-party direction, and kiosk operators that do not demonstrate visible compliance measures or customer due diligence. Financial institutions are advised to embed these indicators into transaction monitoring systems, review their exposure through vendor and correspondent relationships, and ensure timely, well-documented suspicious activity reporting.
This notice aligns with FinCEN’s broader strategic priorities to combat fraud, cyber-enabled crime, and narcotics-related money laundering. It builds on earlier virtual currency advisories, signaling heightened regulatory attention to poorly supervised CVC channels. Concurrently, several states are advancing stricter oversight measures, such as mandatory fraud disclosures and transaction limits, further shaping the compliance landscape.
The underlying message is clear. Financial institutions must proactively adapt their AML/CFT frameworks to address the distinctive risks posed by CVC kiosks. By integrating targeted monitoring, strengthening governance over kiosk-related relationships, and educating vulnerable customer segments, institutions can reduce exposure to financial crime, safeguard consumer trust, and demonstrate regulatory readiness in an environment of increasing scrutiny.
Read the FinCEN notice here: FIN-2025-NTC1