FinCEN Advisory on Crypto ATM Scams

The Financial Crimes Enforcement Network (FinCEN) recently issued a notice (FIN-2025-NTC1) urging financial institutions to watch out for and report any suspicious activity involving convertible virtual currency (CVC) kiosks. CVC kiosks - also known as “crypto ATMs” or “Bitcoin ATMs” - allow customers to exchange government-issued currency (fiat) for cryptocurrency (like Bitcoin). The guidance highlights the rise in scam payments facilitated by CVC kiosks, along with red flag indicators to help financial institutions detect, prevent, and report potential suspicious activity related to scam payments involving these ATM-like electronic terminals.

Common Scam Payment Schemes

According to FinCEN, many scammers using CVC kiosks initiate contact with potential victims through unsolicited phone calls, often to elderly victims. In fact, a 2024 Federal Trade Commission Data Spotlight found that more than two of every three dollars reported lost to fraud using CVC kiosks was lost by an older adult.

A scammer may claim to be the victim’s bank or credit union calling about an unauthorized charge or pose as a government agency demanding purportedly unpaid taxes, tolls or fees. Tech and customer support scams are also quite common, where scammers falsely claim that a virus or other malware has compromised the victims’ computers and direct them to make payments via CVC kiosk to address the issue. Scammers involved in these schemes sometimes use online ads and emails to contact victims, which typically contain a phone number to call for assistance leading to the scammer.

Regardless of the type of fraudulent scheme, the criminals typically provide detailed instructions to prospective victims, including how to withdraw cash from their financial institution, locate a kiosk, and deposit and send funds using the CVC kiosk. They may also provide victims with instructions designed to circumvent the Bank Secrecy Act (BSA) reporting thresholds, transaction limits, or other safeguards.

For example, the scammer may direct the victim to separate cash deposits into multiple, lower-value transactions, which may constitute structuring to avoid Currency Transaction Reports (CTRs). In other cases, the scammer may direct the victim to split the payment across multiple different CVC kiosks (known as “smurfing”) or ask the victim to make payments through a different mechanism, such as through wire transfers or by handing cash or gold to a courier. Scammers often attempt to extract repeated payments from the same victim.

“Red Flags”

Which transactions or behaviors warrant closer scrutiny? FinCEN identifies in its notice a number of red flags, for both CVC kiosk operators and financial institutions. However, for the purposes of this blog post, we’ll stick to the red flags that credit unions may encounter. For example:

•    A member conducting an in-person transaction uncharacteristically withdraws substantial amounts of cash from their credit union account and indicates that they have been directed by a person on the phone or Internet to deposit the funds into a CVC kiosk.

•    A member, typically an elderly one, with no history of CVC-related activity conducts a high-value transaction or series of transactions with a CVC kiosk operator.

•    A member uses a debit card to make multiple payments below the CTR limit to a CVC kiosk operator.

•    A member operates a CVC kiosk business that is not registered with FinCEN as money services business (MSB) or does not maintain applicable state licenses. Administrators or exchangers of virtual currency are MSB’s under FinCEN's regulations. MSBs must register with FinCEN (unless they are agents of another registered MSB) and comply with BSA reporting and recordkeeping requirements. Registration status can be checked at FinCEN’s MSB Registrant Search. 

Credit unions should also be on the lookout for any member-CVC operator that:

•    Fails to collect required customer and transaction information in violation of BSA regulations;

•    Charges unusually high transaction fees compared to similar kiosk operators, or fails to clearly disclose applicable fees;

•    Has other business practices that diverge significantly from other operators; or

•    Structures cash transactions below the Suspicious Activity Report (SAR) or CTR threshold.

Additional red flags are available here. Note that no single red flag should be viewed in isolation. Instead, credit unions should evaluate the surrounding facts and circumstances, including members’ historical financial activity, whether the transactions are in line with customary business practices, and whether the member’s transaction activity exhibits multiple red flags before concluding that the behavior or transaction is suspicious or otherwise indicative of unlawful activity.

SAR Filing Instructions

When filing a SAR, FinCEN requests that financial institutions indicate a connection between the suspicious activity being reported and the activities highlighted in this notice by including the key term “FIN-2025-CVCKIOSK” in SAR field 2 (Filing Institution Note to FinCEN), as well as in the narrative. Credit unions may highlight additional advisory or notice keywords in the narrative, if applicable; and should select all other relevant suspicious activity fields, such as those in SAR Fields 36 (Money Laundering) and 38 (Other Suspicious Activities), if applicable.

Credit unions should include all available information relating to the account(s) and location(s) involved in the reported activity, identifying information and descriptions of any legal entities or arrangements involved and associated beneficial owners, and any information about related persons or entities involved in the activity. Click here to read more.

Questions? Suggestions for future blog posts? Contact the Compliance Team at compliance@americascreditunions.org.