FinCEN's CVC Kiosk Crackdown: What Crypto ATM Operators Need to Know
By Chanté Eliaszadeh | February 2025
On August 4, 2024, the Financial Crimes Enforcement Network (FinCEN) issued a rare public notice that sent shockwaves through the crypto ATM industry: convertible virtual currency (CVC) kiosks are officially in the regulatory crosshairs [1]. The notice didn't mince words—10,956 fraud complaints, $246.7 million in victim losses, and direct links to elder scams, drug trafficking, and cybercrime. For an industry that has largely operated with minimal compliance infrastructure, this is the wake-up call many operators hoped would never come.
If you operate crypto ATMs or kiosks, this notice is not a suggestion—it's a warning shot. Enhanced due diligence is now expected, suspicious activity reporting standards are tightening, and enforcement actions are imminent. The question is no longer whether FinCEN will scrutinize your operations, but when.
This guide breaks down what the notice actually requires, what compliance looks like for kiosk operators, and the immediate steps you need to take to avoid becoming the next enforcement example.
Why FinCEN is Targeting Kiosks Now
Crypto kiosks have become the preferred method for scammers to convert victims' funds into untraceable cryptocurrency. Unlike traditional exchanges with robust Know Your Customer (KYC) processes, kiosks offer speed, anonymity, and cash transactions—exactly what fraudsters need.
The fraud pattern is disturbingly consistent: elderly victims receive calls from scammers impersonating government officials, tech support, or romantic interests. The scammer instructs the victim to withdraw cash and deposit it into a nearby crypto kiosk, often providing step-by-step directions. The victim complies, believing they're protecting their assets or helping someone in need. By the time they realize the scam, the cryptocurrency is long gone.
The Numbers Tell the Story
According to the FBI's Internet Crime Complaint Center (IC3), cryptocurrency kiosk-related fraud reports increased dramatically in 2024 [2]:
- 10,956 complaints filed specifically involving crypto kiosks
- $246.7 million in reported losses (likely understated due to shame-based underreporting)
- Median victim age: 72 years old
- Average loss per victim: $22,500
These aren't just financial crimes—they're enabled crimes. FinCEN's position is clear: kiosk operators are money services businesses (MSBs) with Bank Secrecy Act (BSA) obligations, and failure to detect and report this fraud pattern constitutes regulatory non-compliance.
Beyond elder scams, kiosks are increasingly linked to:
- Drug trafficking organizations converting cash proceeds
- Ransomware payments laundered through multiple kiosks
- Human trafficking operations using crypto for cross-border payments
- Sanctions evasion by individuals sending funds to restricted jurisdictions
Political pressure is mounting. Congressional hearings have spotlighted crypto kiosk fraud, state attorneys general are launching investigations, and the Department of Justice has begun criminal prosecutions of kiosk operators for money laundering [3].
What the FinCEN Notice Actually Says
FinCEN Notice FIN-2024-NTC1 makes several things explicit [1]:
1. Kiosk operators are money services businesses. You must register with FinCEN, implement BSA/AML compliance programs, and file Suspicious Activity Reports (SARs).
2. "Enhanced due diligence" is now the standard. Simply collecting a name and phone number is insufficient. Operators must understand the source of funds, transaction purpose, and destination of cryptocurrency.
3. Transaction monitoring is expected. You cannot rely solely on customer-provided information. You must have systems that detect structuring, repeat suspicious transactions, and fraud patterns.
4. SAR filing is mandatory when red flags appear. The notice lists specific indicators that should trigger immediate reporting.
5. Recordkeeping requirements are strictly enforced. All transaction records, customer identification, and compliance documentation must be retained for five years.
The notice specifically warns that FinCEN will "continue to work with law enforcement partners to pursue enforcement actions" against non-compliant operators. Translation: examinations are coming, and penalties will be severe.
SAR Filing Red Flags
The notice identifies specific red flags that should trigger Suspicious Activity Report filings [1]:
Customer Behavior Indicators:
- Customer appears confused, nervous, or is being coached by phone during transaction
- Elderly customer making first-time cryptocurrency purchase at high dollar amount
- Customer cannot explain cryptocurrency basics or destination wallet purpose
- Customer mentions government officials, tech support, or online relationships
- Rushed transactions with customer expressing urgency or fear
Transaction Pattern Indicators:
- Multiple transactions just below reporting thresholds ($3,000-$9,999)
- Same customer returning multiple times in short periods
- Different customers using same destination wallet address
- Transactions to high-risk jurisdictions (North Korea, Iran, sanctioned regions)
- Round-dollar amounts suggesting structured cash deposits
Destination Wallet Indicators:
- Wallets associated with known scam addresses (check OSINT databases)
- Wallets linked to darknet markets or mixing services
- Newly created wallets with no transaction history
- Wallets receiving funds from multiple kiosks in coordinated pattern
If you see these patterns and fail to file a SAR within 30 days, you're not just missing a compliance deadline—you're potentially aiding criminal activity and exposing yourself to enforcement action.
Enhanced Due Diligence Requirements
FinCEN's directive to "be vigilant" translates into specific compliance obligations that most small kiosk operators lack:
Transaction Monitoring Must-Haves
Real-time screening systems that check:
- Customer against OFAC sanctions lists
- Destination wallets against known scam databases
- Transaction patterns against your historical baseline
- Velocity of transactions (same customer, multiple locations)
Automated alerts configured for:
- Transactions above $2,000 (requiring enhanced customer verification)
- Multiple transactions by same customer within 24 hours
- Transactions to previously flagged wallet addresses
- Geographic anomalies (customer traveling between distant kiosks)
Manual review processes for:
- All transactions flagged by automated systems
- First-time customers over age 65
- Any transaction where customer exhibits confusion
- Transactions to privacy coins or mixing services
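The automated alerts listed above, together with the structuring and shared-wallet red flags from the SAR section, sketched as detection logic over a batch of transactions. This is an added example, not code from the notice or from any kiosk vendor; the record fields, alert names and the pairing rule used for structuring are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # page: multiple transactions within 24 hours
VERIFY_OVER = 2000             # page: alert on transactions above $2,000
BAND = (3000, 9999)            # page: band just below reporting thresholds

def in_band(amount):
    return BAND[0] <= amount <= BAND[1]

def evaluate(transactions, flagged_wallets):
    """Return {tx_id: sorted alert names} for a batch of kiosk transactions."""
    alerts = defaultdict(set)
    history = defaultdict(list)       # customer -> earlier transactions
    wallet_users = defaultdict(set)   # wallet -> customers seen so far
    for tx in sorted(transactions, key=lambda t: t["time"]):
        tid, cust, wallet, amt = tx["id"], tx["customer"], tx["wallet"], tx["amount"]
        if amt > VERIFY_OVER:
            alerts[tid].add("enhanced_verification")
        if wallet in flagged_wallets:
            alerts[tid].add("flagged_wallet")
        recent = [p for p in history[cust] if tx["time"] - p["time"] <= WINDOW]
        if recent:
            alerts[tid].add("velocity_24h")
        # Assumed rule: two or more in-band amounts by one customer inside the window.
        if in_band(amt) and any(in_band(p["amount"]) for p in recent):
            alerts[tid].add("possible_structuring")
        if wallet_users[wallet] - {cust}:
            alerts[tid].add("shared_wallet")  # different customers, same destination
        history[cust].append(tx)
        wallet_users[wallet].add(cust)
    return {tid: sorted(names) for tid, names in alerts.items()}

def _at(hours):
    return datetime(2025, 1, 6, 9, 0) + timedelta(hours=hours)

# Constructed sample data (not real transactions or wallet addresses).
SAMPLE = [
    {"id": "t1", "customer": "c1", "wallet": "wallet-A", "amount": 4500, "time": _at(0)},
    {"id": "t2", "customer": "c1", "wallet": "wallet-A", "amount": 4800, "time": _at(3)},
    {"id": "t3", "customer": "c2", "wallet": "wallet-A", "amount": 900, "time": _at(5)},
    {"id": "t4", "customer": "c3", "wallet": "wallet-B", "amount": 500, "time": _at(6)},
    {"id": "t5", "customer": "c3", "wallet": "wallet-C", "amount": 300, "time": _at(40)},
    {"id": "t6", "customer": "c4", "wallet": "wallet-X", "amount": 150, "time": _at(41)},
]
FLAGGED = {"wallet-X"}

if __name__ == "__main__":
    for tid, names in evaluate(SAMPLE, FLAGGED).items():
        print(tid, names)
```

Every alert here feeds the manual review queue; none of them is a filing decision on its own.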
Customer Identification Beyond Basic KYC
Enhanced due diligence means going beyond name and ID scan:
Source of Funds: Where did this cash come from? (Employment, savings, bank withdrawal, etc.)
Purpose of Transaction: Why are you buying cryptocurrency? (Investment, payment, gift, etc.)
Destination Understanding: Can you explain what a wallet address is and who controls the destination?
Cryptocurrency Experience: Have you used crypto before? Do you understand irreversibility?
Red Flag Questions: Has anyone instructed you to make this transaction? Are you sending this to someone you've never met in person?
For high-risk transactions (elderly customers, large amounts, rushed timing), operators should consider implementing mandatory waiting periods or transaction amount limitations until customer can be verified.
The Travel Rule Trap
Many kiosk operators remain unaware that the Travel Rule applies to their operations [4].
FinCEN's Travel Rule requires financial institutions to pass certain information to the next financial institution in certain funds transfers. For crypto kiosks, this means:
For transactions over $3,000, you must:
- Collect customer name, address, date of birth, and account number (if applicable)
- Transmit this information to the beneficiary institution (if identifiable)
- Retain records for five years
The problem: Most kiosk software doesn't support Travel Rule data transmission, and destination wallet operators rarely have systems to receive it.
The solution: Document your good-faith efforts to comply. Collect the required information, attempt to identify the beneficiary institution, and retain detailed records showing your compliance efforts. When the beneficiary cannot be identified (self-hosted wallets, privacy coins), document the steps taken and the reasons compliance was impossible.
Failure to implement Travel Rule compliance is a strict liability offense—FinCEN doesn't accept "the technology doesn't support it" as a defense.
Compliance Quick-Start Checklist
If you're operating kiosks without robust compliance infrastructure, here's your Monday-morning action plan:
1. BSA/AML Program Implementation (Required)
- Designate a BSA Compliance Officer
- Develop written BSA/AML policies and procedures
- Implement customer identification program (CIP)
- Establish SAR filing procedures
- Create independent testing/audit program
- Implement ongoing training program for all personnel
2. Transaction Monitoring Systems (Critical)
- Implement automated transaction monitoring software
- Configure alerts for structuring, velocity, and suspicious patterns
- Establish manual review process for flagged transactions
- Integrate OFAC screening at point of transaction
- Deploy wallet address screening against known scam databases
3. SAR Filing Procedures (Urgent)
- Establish process for identifying suspicious activity
- Assign responsibility for SAR investigation and filing
- Implement 30-day filing deadline tracking
- Train staff on red flag recognition
- Create documentation standards for SAR supporting records
4. Training for Location Staff (Immediate)
Many kiosks are placed in third-party retail locations (convenience stores, gas stations). The counter staff are your first line of defense:
- Train staff to recognize elder fraud indicators
- Provide scripts for questioning confused customers
- Establish escalation procedures for suspicious transactions
- Post fraud warning signage near kiosks
- Implement "cooling off period" policies for high-risk customers
5. Record Retention (5 Years Minimum)
- Document all transactions with customer ID, timestamps, amounts
- Retain video footage of transactions (if available)
- Preserve wallet addresses, transaction IDs, blockchain confirmations
- Archive all SAR supporting documentation
- Maintain Travel Rule compliance records
Enforcement Risk Assessment
Not all kiosk operators face equal enforcement risk. Understanding your risk profile helps prioritize compliance investments.
High-Risk Operators
You're in the crosshairs if:
- Operating 10+ kiosks with minimal compliance infrastructure
- Located in states with high elder fraud complaint rates (CA, FL, TX, NY)
- High transaction volumes (>$1M monthly) with low SAR filing rates
- Previous customer complaints or law enforcement inquiries
- Accepting cash-only with no ID verification
- Marketing "anonymous" or "no KYC" transactions
- Operating near retirement communities or immigrant populations
Lower-Risk Profiles
You have more runway if:
- Operating 1-3 kiosks with documented compliance program
- Low transaction volumes (<$100K monthly)
- Robust KYC with ID scanning and biometric verification
- Proactive SAR filing history
- Transaction limits ($1,000-$2,000 daily caps)
- Partnership with compliance software provider
- Regular independent audits
Even low-risk operators must comply—this assessment merely predicts examination timing and scrutiny level.
Cost of Compliance vs. Cost of Non-Compliance
Let's talk numbers.
Compliance costs for small operator (3-5 kiosks):
- Transaction monitoring software: $12,000-$24,000 annually
- BSA compliance officer (part-time/consultant): $20,000-$40,000 annually
- Independent audit: $5,000-$10,000 annually
- SAR filing support: $2,000-$5,000 annually
- Training and documentation: $3,000-$5,000 annually
- Total: $42,000-$84,000 annually
Cost of non-compliance:
- Civil money penalties: Up to $250,000 per violation
- Criminal liability: Up to 5 years imprisonment for willful BSA violations [5]
- Asset forfeiture: All kiosks and proceeds subject to seizure
- Reputational damage: Publicized enforcement actions destroy business relationships
- Legal defense costs: $100,000-$500,000 for contested enforcement
A single enforcement action will cost more than a decade of compliance. The math is unforgiving.
Exit Planning: When to Shut Down vs. Invest in Compliance
Not every kiosk operation can or should continue. Here's the honest assessment:
Consider Exiting If:
You cannot afford compliance. If $50,000-$100,000 annual compliance costs exceed your profit margin, the business model is broken.
Your transaction volume is declining. Exchanges with better UX are capturing market share. If volume is down 20%+ year-over-year, compliance investments won't reverse the trend.
You have unclean history. If you've operated for years without SAR filings and have clear fraud patterns in your transaction history, examination will surface violations. Sometimes the best defense is graceful exit.
You're approaching retirement. If you plan to exit within 2-3 years anyway, compliance investments may not be recoverable.
Invest in Compliance If:
You have strong unit economics. If kiosks generate $50,000+ annual profit per location, compliance costs are absorbable.
You're in growing markets. Immigrant communities, underbanked areas, and crypto-friendly cities still show strong demand.
You can consolidate. If you operate 20+ kiosks, shuttering the lowest performers and investing in compliance for top locations may work.
You're willing to pivot. Some operators are transitioning to compliant exchange partnerships, becoming ambassadors for licensed platforms while maintaining location revenue.
What to Do Monday Morning
Immediate Actions (This Week):
- Register with FinCEN if not already done (FinCEN MSB Registration, Form 107)
- Conduct transaction review of past 90 days for obvious red flags
- File overdue SARs for any suspicious activity you've ignored
- Post fraud warning signage at all kiosk locations
- Implement transaction limits ($2,000-$3,000 daily maximum per customer)
Short-Term Actions (Next 30 Days):
- Hire a BSA compliance consultant to assess your current state and perform a gap analysis
- Implement transaction monitoring software (Chainalysis, Elliptic, CipherTrace have kiosk products)
- Train all staff on fraud recognition and escalation procedures
- Draft written BSA/AML policies documenting your compliance program
- Establish SAR filing process with designated responsible individual
Long-Term Actions (Next 90 Days):
- Conduct independent audit of compliance program effectiveness
- Implement Travel Rule compliance procedures and documentation
- Establish ongoing training program with quarterly refreshers
- Create exam-readiness materials (organized records, policy manuals, training documentation)
- Evaluate business model sustainability (compliance costs vs. revenue analysis)
FinCEN has given you fair warning. The next communication will be an examination notice or enforcement action. The choice is yours: invest in compliance now, or plan your exit. There is no third option.
Footnotes
1. Financial Crimes Enforcement Network, Notice to Customers and Money Services Businesses on Fraud Facilitated by Convertible Virtual Currency Kiosks, FIN-2024-NTC1 (Aug. 4, 2024), available at https://www.fincen.gov/sites/default/files/shared/FinCEN_Notice_CVC_Kiosks_508.pdf.
2. Federal Bureau of Investigation Internet Crime Complaint Center, 2024 Internet Crime Report (2025), available at https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf.
3. See United States v. Kumbhani, No. 22-CR-00299 (S.D. Cal. 2024) (cryptocurrency kiosk operator convicted of money laundering for failing to implement adequate AML controls).
4. Financial Crimes Enforcement Network, Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies, FIN-2019-G001 (May 9, 2019), available at https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models.
5. 31 U.S.C. § 5322 (criminal penalties for BSA violations); 31 U.S.C. § 5321 (civil penalties).