The League – Fostering Financial Wellbeing for All

FinCEN issues warning on Cryptocurrency ATM Scams

News Compliance Courier

NEWS: The Financial Crimes Enforcement Network (FinCEN) recently issued a Notice urging financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks, also known as cryptocurrency automated teller machines (crypto ATMs). These electronic terminals allow users to exchange real currency for virtual currency and vice versa. The Notice exposes widespread regulatory failures among kiosk operators, many of whom fail to register as required “money services businesses” or implement basic “anti-money laundering” controls. The kiosks have been used to launder suspected drug proceeds and drain victims’ accounts. The agency found that elderly victims bear the brunt of these schemes, with adults over 60 accounting for more than two-thirds of all crypto kiosk fraud losses.

The Notice describes scams associated with CVC kiosks, provides red flag indicators to assist with identifying and reporting related suspicious activity, and reminds financial institutions of their reporting requirements under the BSA. The nature of CVC transactions makes it difficult to recover funds. Once a victim makes the transfer with a CVC kiosk, the recipient (the scammer) instantly owns the CVC and then usually transfers the funds into another CVC wallet or exchange account they control. The speed of these transactions and the difficulty of reversing them make them attractive payment mechanisms for scammers.

FinCEN provided specific warning signs for financial institutions, including large cash withdrawals from crypto kiosks, elderly clients with no crypto history making sizable transactions, and blockchain evidence linking funds to criminal wallets.

The most common scams associated with CVC kiosks are tech and customer support scams, in which criminals target older individuals. For example, a 70-year-old retiree was scammed out of her life savings by responding to a pop-up window that appeared on her computer telling her to call for help because her computer had been hacked.

Regardless of the type of fraudulent scheme, the criminals typically provide detailed instructions to prospective victims, including how to (i) withdraw cash from their bank, (ii) locate a kiosk, and (iii) deposit and send funds using the CVC kiosk, normally using a QR code provided by the scammer to ensure the CVC is sent to the correct destination, i.e., a CVC wallet the scammer controls. After providing the victim with the QR code, the scammer then directs the victim to a physical CVC kiosk to purchase and send the scammer CVC, often staying in constant online or phone communication with the victim and providing step-by-step instructions until the payment is completed.

Red flag indicators

FinCEN identified red flag indicators to help detect, prevent, and report potential suspicious activity involving CVC kiosks. Since no single red flag is determinative of illicit or other suspicious activity, credit unions should consider the surrounding facts and circumstances, such as a member’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the member exhibits multiple red flags before determining if a behavior or transaction is suspicious or otherwise indicative of illicit activity. Some of the red flags credit unions should be looking for are the following:

  • A member conducting an in-person transaction withdraws substantial amounts of cash from their account and indicates that they have been directed by a person on the phone or internet to deposit the funds into a CVC kiosk. 
  • An older member with no history of CVC-related activity conducts a high-value transaction or series of transactions with a CVC kiosk operator. 
  • A member uses a debit card to make multiple payments below the CTR limit to a CVC kiosk operator. 
  • A member operates a CVC kiosk business that is not registered with FinCEN as an MSB or does not maintain applicable state licenses. 
  • A member operates a CVC kiosk business that fails to collect required customer and transaction information. 
  • A member operates a CVC kiosk business that advertises the ability for customers to conduct transactions without identification, or with only a phone number or email address. 
  • A member operates a CVC kiosk business that charges unusually high transaction fees relative to similarly situated operators, has opaque rates and fees, or has other business practices that diverge significantly from those of legitimate CVC kiosk operators. 
  • A member that operates a CVC kiosk business structures cash transactions below the SAR or CTR threshold.

SAR reporting

The Notice reminds credit unions of their SAR reporting requirements and requests that credit unions indicate a connection between the suspicious activity being reported and the activities highlighted in the Notice by including the key term “FIN-2025-CVCKIOSK” in SAR Field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Credit unions may highlight additional advisory or notice keywords in the narrative, if applicable. Credit unions also should select all other relevant suspicious activity fields, such as those in SAR Fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.