By Chanté Eliaszadeh | Updated June 2026
If you operate convertible-virtual-currency kiosks --- crypto ATMs --- you are now at the center of a coordinated fraud crackdown. In August 2025 FinCEN issued a notice singling out CVC kiosks as a scam-payment channel; states have passed a wave of laws imposing transaction caps, scam warnings, and in a few cases outright bans; and regulators from the California DFPI to state attorneys general to the Department of Justice have brought real enforcement actions. The federal compliance baseline --- money-services-business registration, an anti-money-laundering program, suspicious-activity reporting --- has not changed. What has changed is the scrutiny, and the cost of getting it wrong. This guide lays out what the FinCEN notice actually requires, the baseline BSA obligations, the penalties, the fast-moving state-law landscape, and what operators should do now.
Key Takeaways
- The FinCEN notice is guidance, not a new rule. FIN-2025-NTC1 (August 4, 2025) reminds financial institutions of existing BSA duties and supplies fraud red flags; it imposes no new legal obligations, but it raises the examination and enforcement stakes.1
- Your baseline duties are unchanged and well-established. A kiosk operator is a money services business that must register with FinCEN, maintain an AML program, file suspicious-activity reports, keep records for five years, and comply with the Travel Rule on transfers of $3,000 or more.23
- The real crackdown is at the state level. A growing list of states now impose daily transaction caps, mandatory scam warnings, refund windows, and licensing --- and a few (Indiana and Tennessee) have enacted outright bans.4
- Enforcement is real and active. The California DFPI has fined multiple operators, state attorneys general have sued the largest networks, and the DOJ has obtained at least one criminal conviction involving a kiosk operator’s AML failures.56
- Federal legislation is pending, not law. The Crypto ATM Fraud Prevention Act (S. 710) would impose caps and warnings nationally, but it remains in committee.7
What Does FinCEN’s 2025 Kiosk Notice Actually Require?
FinCEN’s notice, FIN-2025-NTC1, issued August 4, 2025, is titled “FinCEN Notice on the Use of Convertible Virtual Currency Kiosks for Scam Payments and Other Illicit Activity.”1 It does two things. First, it reminds financial institutions --- including kiosk operators, which are money services businesses --- of their existing reporting obligations under the Bank Secrecy Act. Second, it supplies a set of fraud red-flag indicators and asks institutions to reference the key term “FIN-2025-CVCKIOSK” in the relevant field and narrative of any suspicious-activity report connected to kiosk fraud.1
The important legal point is what the notice is not. A FinCEN notice is guidance; it does not create new obligations the way a rule does. So statements that the notice “now requires enhanced due diligence” or “makes EDD the standard” overstate it --- new mandatory requirements can come only from a rulemaking that amends the regulations, not from a notice. What the notice does change is practical: it tells examiners and prosecutors that kiosk fraud is a priority, which means your existing obligations will be scrutinized more closely and enforced more aggressively. The duties are old; the attention is new.
Read FIN-2025-NTC1 as a spotlight on duties you already have, not a new rulebook. The compliance task is to do the existing BSA program well and to fold the notice’s red flags and the FIN-2025-CVCKIOSK key term into your SAR process.
What Are a Kiosk Operator’s Baseline BSA Obligations?
A crypto-ATM operator is a money transmitter and therefore a money services business under FinCEN’s regulations, with the full BSA compliance stack.2 In practice that means five core duties. Register with FinCEN as a money services business on Form 107 (and renew every two years).3 Maintain a written, risk-based anti-money-laundering program with a designated compliance officer, training, and independent review. File a suspicious-activity report within 30 days of detecting suspicious activity. Keep required records for five years. And comply with the Travel Rule, which requires transmitting specified originator and beneficiary information on transfers of $3,000 or more.23
One clarification matters because it is often overstated: the Travel Rule is a recordkeeping-and-transmittal requirement, not a “strict liability offense.” BSA civil penalties turn on whether a violation was negligent or willful, and criminal liability requires willfulness; “the technology doesn’t support it” is not an automatic defense, but neither is non-compliance automatically a crime regardless of intent.8 State licensing obligations sit on top of all of this and are increasingly where the action is.
The baseline has not moved: register, run a real AML program, file SARs on time, keep records five years, and meet the Travel Rule at $3,000. An operator that does these well is most of the way to defensible compliance.
What Are the Penalties?
BSA penalties come in civil and criminal tiers, and they are frequently misstated. On the civil side, a willful violation of the BSA’s program or reporting requirements exposes the operator to a civil money penalty under 31 U.S.C. § 5321, adjusted for inflation by regulation --- not the $250,000 figure that sometimes appears, which is actually the criminal fine.9 On the criminal side, a willful BSA violation under 31 U.S.C. § 5322(a) can bring a fine of up to $250,000, up to five years’ imprisonment, or both, with an aggravated tier under § 5322(b).9 Asset forfeiture is possible in a criminal case but is fact- and statute-dependent, not an automatic consequence of every violation.
Size the risk to the actual statute: willfulness is the dividing line, the $250,000 figure is the criminal fine, and the civil penalty is a separate, inflation-adjusted number. Categorical “all kiosks will be seized” framing overstates how forfeiture works.
The State-Law Wave: Caps, Warnings, and Outright Bans
The most consequential 2025-2026 development for operators is not federal --- it is the state-by-state wave, and it runs in two distinct directions.4 The dominant model imposes conditions: daily transaction caps (commonly around $1,000-$2,000 for new customers), mandatory on-screen scam warnings, fraud-refund windows for victims, fee caps, and operator licensing. California, through its Digital Financial Assets Law and earlier kiosk statute, is the leading example, and states including Nebraska, Illinois, Connecticut, Arizona, Minnesota, Vermont, and Wisconsin have enacted versions of this conditions model.4
The second model is more aggressive: an outright ban. Indiana and Tennessee have moved to prohibit crypto kiosks rather than regulate them --- Indiana being the first state to enact a ban --- with similar prohibition bills pending in other states.4 For a multi-state operator, this means compliance is no longer a single national checklist --- it is a jurisdiction-by-jurisdiction map of caps, warning-text requirements, licensing, and a small but growing set of states where the business is simply not permitted.
Build a state-by-state compliance matrix, not a single policy. The questions are concrete: in each state you operate, what is the new-customer cap, what warning text is required, is a license required, and is the kiosk permitted at all?
Who Is Actually Being Prosecuted?
Enforcement has moved from threatened to real, across three channels.56 State financial regulators are the most active: the California DFPI has fined several kiosk operators and secured restitution for victims. State attorneys general have filed civil suits against the largest networks. And on the criminal side, the Department of Justice has obtained a conviction of a kiosk operator who pleaded guilty to charges including failure to maintain an effective anti-money-laundering program and money laundering --- the first federal criminal case charging an unlicensed money-transmitting business that operated through a Bitcoin kiosk.5 A separate cash-to-crypto kiosk operator was indicted in late 2025 on a money-laundering-conspiracy charge; that matter is pending, an indictment rather than a conviction.6
The legal theory in the real criminal case is worth getting right, because the original commentary on this topic garbled it: the operator was charged with a Bank Secrecy Act program offense --- failing to maintain an effective AML program --- alongside money-laundering counts. Those are distinct violations, not a single “convicted of money laundering for failing to have AML controls” theory.
The enforcement risk is concrete and multi-front: a state regulator’s fine, a state AG’s civil suit, and federal criminal exposure for genuine AML-program failures. The operators being prosecuted are the ones that skipped the baseline, not the ones that did it imperfectly.
What Federal Legislation Is Coming?
Congress has noticed. The Crypto ATM Fraud Prevention Act (S. 710), introduced in February 2025, would impose federal operator requirements --- FinCEN registration confirmation, a designated compliance officer, on-screen scam warnings, new-customer transaction caps, verbal confirmation for larger transactions, and a fraud-refund eligibility window.7 But it remains in the Senate Banking Committee and has not been enacted, and an effort to fold kiosk provisions into the GENIUS Act did not make it into that law. So the federal picture for now is the existing BSA baseline plus the FinCEN notice --- the proposed national caps-and-warnings regime is a bill to watch, not a current obligation.7
Track S. 710, but comply with what exists. If it passes, the national requirements will look much like the state conditions model you should already be building toward.
What Should Operators Do Now?
The compliance posture that survives this crackdown is the one that does the basics rigorously and maps the states carefully. Concretely: confirm your FinCEN MSB registration is current and your AML program is written, staffed, and independently tested; integrate the FIN-2025-NTC1 red flags and the FIN-2025-CVCKIOSK key term into your SAR process; implement on-screen fraud warnings and new-customer transaction limits even where not yet required, because they reduce both fraud and liability; build the state-by-state matrix of caps, warnings, licensing, and bans; and document everything, because the difference between an imperfect-but-genuine program and a sham is what separates a fine from an indictment.
The operators who come through this are the ones who treated AML compliance as core infrastructure, not a checkbox. The FinCEN notice did not raise the bar; it turned on the lights over the bar that was already there.
Need Crypto Kiosk Compliance Guidance?
Astraea Counsel advises crypto-ATM and money-services-business operators on FinCEN registration, AML programs, suspicious-activity reporting, multi-state licensing, and enforcement defense. Explore our Regulatory Compliance services.
Related Resources
- Money Transmitter Licensing: State-by-State Strategy --- State licensing for money services businesses
- GENIUS Act Stablecoin Compliance Roadmap --- The federal payment-stablecoin framework
- Treasury Management for Crypto Companies --- Custody and compliance for digital-asset businesses
- Regulatory Compliance Services --- Federal and state compliance guidance
- Contact Us --- Discuss your kiosk compliance program
Footnotes
-
FinCEN Notice FIN-2025-NTC1, “FinCEN Notice on the Use of Convertible Virtual Currency Kiosks for Scam Payments and Other Illicit Activity” (Aug. 4, 2025) (assigning SAR key term “FIN-2025-CVCKIOSK”; a notice reminds institutions of existing BSA obligations and supplies red-flag indicators, and does not impose new legal requirements), available at https://www.fincen.gov/system/files/2025-08/FinCEN-Notice-CVCKIOSK.pdf. PDF ↩ ↩2 ↩3
-
FinCEN Guidance FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies” (May 9, 2019) (CVC money transmission, including the Travel Rule); 31 C.F.R. §§ 1010.410(e)-(f) (Travel Rule, $3,000 threshold) and 1010.430(d) (five-year recordkeeping), https://www.fincen.gov/resources/statutes-regulations/guidance/application-fincens-regulations-certain-business-models. ↩ ↩2 ↩3
-
31 C.F.R. § 1022.380 (MSB registration; FinCEN Form 107, RMSB; two-year renewal) and § 1022.320 (suspicious-activity reporting; 30-day filing deadline), available at https://www.ecfr.gov/current/title-31/subtitle-B/chapter-X. ↩ ↩2 ↩3
-
State crypto-kiosk legislation (2024-2026) follows two models. The conditions model --- daily transaction caps, on-screen scam warnings, fraud-refund windows, fee caps, and licensing --- has been enacted in California (Cal. Fin. Code § 3901 et seq., added by SB 401 (2023-2024)), Illinois (Digital Asset Kiosks Act, 205 ILCS 732), Nebraska (LB 609 (2025)), Connecticut (Pub. Act 25-66 (2025)), Arizona (HB 2387 (2025)), Minnesota (Minn. Stat. §§ 53B.70-53B.75 (2024)), Vermont (8 V.S.A. § 2577), and Wisconsin (2025 Wis. Act 226), among other states. The prohibition model --- an outright ban --- has been enacted in Indiana (House Enrolled Act 1116 (2026), the first state to ban) and Tennessee (Pub. Ch. 766 (2026), effective July 1, 2026); comparable ban legislation was pending in Minnesota and other states during the 2026 session. Dollar thresholds, effective dates (several prospective), and specific provisions vary by state; confirm the current statute for each state of operation. ↩ ↩2 ↩3 ↩4
-
California Department of Financial Protection and Innovation, enforcement actions against crypto-kiosk operators under the Digital Financial Assets Law (e.g., DFPI action fining Coinme $300,000 with $51,700 in victim restitution, June 25, 2025), available at https://dfpi.ca.gov/press_release/dfpi-fines-coinme-300000-related-to-crypto-kiosk-violations-secures-51700-in-restitution-for-victims/; United States v. Kalra (C.D. Cal.) (guilty plea to charges including failure to maintain an effective anti-money-laundering program and money laundering by an operator of an unlicensed money-transmitting business using a Bitcoin kiosk). ↩ ↩2 ↩3
-
United States v. Isa, Founder of Crypto Dispensers (N.D. Ill.) (indicted Nov. 18, 2025 on a money-laundering-conspiracy charge; pending --- an indictment, not a conviction), per IRS Criminal Investigation, available at https://www.irs.gov/compliance/criminal-investigation/founder-of-chicago-cryptocurrency-company-indicted-in-alleged-10-million-money-laundering-conspiracy. ↩ ↩2 ↩3
-
Crypto ATM Fraud Prevention Act of 2025, S. 710, 119th Cong. (introduced Feb. 25, 2025; referred to the Senate Committee on Banking, Housing, and Urban Affairs; not enacted as of mid-2026), available at https://www.congress.gov/bill/119th-congress/senate-bill/710. ↩ ↩2 ↩3
-
31 U.S.C. § 5318(h) (AML program requirement); BSA civil and criminal liability turn on the negligent/willful distinction (see note 5). The Travel Rule is a recordkeeping-and-transmittal requirement, not a strict-liability offense. ↩
-
31 U.S.C. § 5321 (civil money penalties for BSA violations; willful-violation penalties adjusted for inflation under 31 C.F.R. § 1010.821) and 31 U.S.C. § 5322 (criminal penalties: § 5322(a), fine up to $250,000, imprisonment up to five years, or both; § 5322(b), aggravated tier), available at https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title31-section5322. PDF ↩ ↩2