FinCEN Guidance on Cryptocurrency & Virtual Currency Compliance

Introduction: Navigating FinCEN's Cryptocurrency Compliance Requirements

FinCEN has sharpened its enforcement posture across every virtual currency business model—kiosk operators, exchanges, P2P platforms, and wallet providers alike. The consequences of non-compliance are real: federal prosecution, civil money penalties in the millions, asset forfeiture, and permanent industry bans.

Yet the stakes don't make the rules any clearer. Many crypto startups and fintech companies face the same three questions: which FinCEN rules apply to their model, when MSB registration is mandatory, and what a compliant AML program actually requires in practice. According to a 2022 GAO report, there were 133 unregistered kiosk operators in the U.S. in 2020—nearly matching the 164 registered operators.

This guide covers FinCEN's legal authority over cryptocurrency, MSB registration requirements, key compliance obligations, red flag indicators, SAR filing duties, and how to build a defensible AML program that satisfies both federal regulators and sponsor banks.

TLDR:

  • FinCEN regulates convertible virtual currency (CVC) under the Bank Secrecy Act—MSB registration is mandatory within 180 days for most crypto businesses
  • Exchanges, kiosk operators, P2P exchangers, and wallet providers must implement a four-pillar AML program with a designated compliance officer and independent testing
  • SAR filings are required for transactions ≥$2,000 involving suspected illegal activity; CTRs are mandatory for currency transactions >$10,000
  • Key red flags include structuring below reporting thresholds, chain-hopping, and customers acting on remote third-party instructions
  • Non-compliance carries criminal penalties—operators have received 24-month prison sentences for running unregistered MSBs
  • Non-compliance carries criminal penalties—operators have received 24-month prison sentences for running unregistered MSBs

Does FinCEN Regulate Cryptocurrency? Understanding the Legal Framework

FinCEN derives its regulatory authority from the Bank Secrecy Act (31 U.S.C. § 5311 et seq.) and applies its regulations to convertible virtual currency (CVC)—defined as any digital asset that has an equivalent value in real currency or acts as a substitute for it. This definition covers Bitcoin, Ethereum, stablecoins like USDC and Tether, and similar assets. The regulatory framework is technology-neutral: if your business accepts and transmits value in CVC, you're subject to BSA obligations regardless of the underlying blockchain protocol.

FinCEN's 2019 CVC Guidance (FIN-2019-G001) formally extended BSA obligations to businesses dealing in virtual currency. The rules apply equally to U.S.-based entities and foreign-located businesses operating in whole or in substantial part within the United States.

Crucially, the label doesn't matter. Whether your product is called a "digital currency," "cryptocurrency," or "digital asset" is irrelevant—what FinCEN examines is the functional role your business plays in transmitting or exchanging value.

FinCEN registration is not a license—and claiming otherwise is a red flag. According to FinCEN's December 2024 fraud alert (FIN-2024-Alert005), any assertion that FinCEN registration constitutes a license to operate is false and potentially part of a scam. FinCEN does not license MSBs. Registration is a compliance obligation, not regulatory approval.

Key distinctions to keep in mind:

  • Registration confirms your business filed with FinCEN — it signals nothing about operational legitimacy
  • Licensing (where required) comes from state regulators, not FinCEN
  • BSA obligations — including AML program requirements, SAR filing, and recordkeeping — begin at registration, not after

Who Must Register with FinCEN: MSB Classification for Crypto Businesses

Any person or entity engaged in money transmission involving virtual currency qualifies as a Money Services Business (MSB) under the BSA. Registration with FinCEN is required within 180 days of commencing activity — and covers a wider range of business models than many operators expect. This includes exchanges, kiosk operators, P2P exchangers, and hosted wallet providers.

Four Main Business Models That Trigger MSB Classification

  • CVC Exchangers — Accept fiat and transmit the equivalent in CVC (or vice versa), or swap one CVC type for another as a regular business activity
  • CVC Kiosk/ATM Operators — Owner-operators of electronic terminals that accept currency and transmit CVC to customer wallets, or dispense cash in exchange for CVC deposits
  • P2P Exchangers — Individuals who buy and sell CVC informally but as a business, whether in person, through advertising, or via online platforms with regular transaction volume
  • Foreign-Located MSBs — Entities outside the U.S. that do business in whole or substantial part within the country, even without a physical presence; this includes offshore exchanges serving U.S. customers

Four cryptocurrency business models triggering FinCEN MSB classification and registration

Registration Timing and Consequences of Non-Compliance

Under 31 C.F.R. § 1022.380, new MSBs must file their initial registration within 180 days of establishing the business. Failure to register carries severe consequences:

  • Federal prosecution for operating an unlicensed money transmitting business (18 U.S.C. § 1960)
  • Civil money penalties often exceeding $1 million
  • Forfeiture of assets and business proceeds
  • Industry bars and criminal records

Real enforcement example: In May 2021, Kais Mohammad was sentenced to 24 months in federal prison for operating Herocoin without FinCEN registration or an AML program. Mohammad exchanged between $15 million and $25 million through in-person transactions and a Bitcoin ATM network. Federal registration is a threshold requirement — not an afterthought — and state obligations add another layer on top.

State Licensing Requirements Run Parallel to Federal Registration

MSB registration with FinCEN does not replace state licensing requirements. Most states require separate money transmitter or digital asset licenses, and operating without both federal registration and applicable state licenses exposes businesses to dual enforcement risk. A February 2021 report by the New Jersey Commission of Investigation found that more than one-third of CVC kiosk operators in the state were not registered with FinCEN as MSBs.

Verify state licensing requirements based on where your business operates, where customers are located, and where transactions occur — all three factors can independently trigger a licensing obligation.

Key FinCEN Compliance Obligations for Crypto and Virtual Currency Businesses

Registration is just the starting point. The real compliance work begins with five ongoing obligations that FinCEN enforces actively — and where most enforcement actions originate.

AML/CFT Program: Four Core Pillars

Under 31 C.F.R. § 1022.210, every registered MSB must implement a written, risk-based AML/CFT program with four mandatory components:

  • Internal policies, procedures, and controls tailored to the business's specific CVC activities
  • Designated compliance officer with day-to-day oversight of the AML program
  • Ongoing employee training to ensure staff can identify suspicious activity
  • Independent testing and auditing to monitor program effectiveness

Four-pillar FinCEN AML CFT program requirements for crypto MSBs infographic

Failure to conduct adequate independent testing is a critical enforcement trigger. In the December 2025 Consent Order against Paxful, FinCEN cited the company for conducting "only a single independent test, a frequency of testing that is not even remotely commensurate with the volume of transactions processed or risks associated with the products and services offered."

KYC and Customer Due Diligence (CDD)

Crypto businesses must collect and verify customer identity at account opening and during transactions. Due diligence should scale with transaction risk — higher-value transactions, customers from high-risk jurisdictions, or unusual patterns all warrant enhanced scrutiny.

Inadequate KYC is one of the most frequently cited failures in FinCEN enforcement actions. A complete CDD process covers:

  • Identity verification using government-issued documents
  • Address verification through utility bills or other documentary evidence
  • Screening against OFAC sanctions lists before approving accounts
  • Enhanced due diligence for high-risk customers or jurisdictions

Currency Transaction Reports (CTRs)

Transactions involving currency in excess of $10,000 trigger mandatory CTR filing under 31 C.F.R. § 1010.311. Multiple related transactions can be aggregated when determining whether the threshold is met. Structuring transactions to avoid CTR filing is a federal criminal offense under 31 U.S.C. § 5324.

Suspicious Activity Reports (SARs)

Under 31 C.F.R. § 1022.320, MSBs must file a SAR for any transaction or pattern of transactions aggregating $2,000 or more that the institution knows, suspects, or has reason to suspect:

  • Involves funds from illegal activity
  • Is designed to evade BSA reporting requirements
  • Has no apparent lawful purpose
  • Facilitates criminal activity

Voluntary SARs may be filed for suspicious transactions below $2,000. SARs must be filed within 30 days of detecting suspicious activity, and all supporting documentation must be retained for five years.

OFAC Sanctions Compliance

SAR obligations address suspicious activity — but sanctions violations are a separate track with their own severe penalties. OFAC compliance operates independently of FinCEN's BSA requirements. Under OFAC's October 2021 Sanctions Compliance Guidance for the Virtual Currency Industry, sanctions obligations "apply equally to transactions involving virtual currencies and those involving traditional fiat currencies."

Key requirements include:

  • Screen transactions and customers against OFAC's Specially Designated Nationals (SDN) list
  • Block IP addresses and transactions from sanctioned jurisdictions (Iran, North Korea, Syria, etc.)
  • Implement procedures to ensure no transactions violate U.S. sanctions programs
  • Report blocked transactions to OFAC within 10 days

FinCEN's Red Flags for Suspicious Cryptocurrency Activity

FinCEN's guidance emphasizes that no single red flag is determinative—institutions must consider the full surrounding context, customer history, and whether multiple indicators are present before filing a SAR.

Structuring and Threshold Evasion Red Flags

Watch for deliberate threshold avoidance:

  • Customers sending multiple payments just below the SAR threshold ($2,000) or CTR threshold ($10,000)
  • "Smurfing"—splitting one large transaction across multiple kiosk locations or multiple identities linked to the same contact information
  • Rapid conversion of funds between different CVCs to obscure the chain of custody
  • Multiple transactions from different kiosk locations within a short timeframe

Transaction Behavior Red Flags

These patterns consistently appear in blockchain analysis and transaction monitoring alerts:

  • Limited or no transaction history followed by a substantial deposit that is rapidly transferred through multiple wallet addresses
  • Blockchain analysis indicating a wallet receiving funds is flagged as associated with fraud, illicit activity, transnational criminal organizations, or investment scams
  • "Chain-hopping" via cross-chain bridges or DeFi services to make transaction tracing more difficult
  • Immediate movement of funds after deposit, particularly to wallets in high-risk jurisdictions

Blockchain analytics dashboard displaying flagged wallet transactions and suspicious activity patterns

Customer Profile Red Flags

Customer-level indicators of fraud or money laundering:

  • Older customers with no prior CVC history conducting high-value transactions after receiving remote instructions by phone or online (common in pig-butchering and romance scams)
  • Customers showing limited knowledge of CVC despite significant activity—potential scam victims or money mules
  • Customers declining KYC requests or providing contradictory account credentials
  • Customers purchasing large amounts of CVC inconsistent with their known financial profile or stated occupation

Operator-Level Red Flags for Financial Institutions

If you're a bank serving a CVC kiosk operator, watch for:

  • The operator is not registered with FinCEN as an MSB or lacks applicable state licenses
  • The operator advertises "no-ID required" transactions or "anonymous Bitcoin"
  • The operator charges unusually high or opaque transaction fees inconsistent with legitimate market rates
  • The operator provides false business descriptions to acquire depository accounts

FinCEN's August 2025 Notice on CVC Kiosks (FIN-2025-NTC1) explicitly identifies each of these red flags. When filing SARs for suspicious kiosk-related activity, financial institutions must enter the key term "FIN-2025-CVCKIOSK" in SAR Field 2.

SAR Filing: What Crypto Firms Need to Know

For crypto MSBs, SAR obligations aren't optional — knowing the thresholds, triggers, and filing procedures is a core compliance requirement.

Mandatory SAR Filing Triggers

MSBs must file a SAR for any transaction or pattern of transactions aggregating $2,000 or more that the MSB knows, suspects, or has reason to suspect:

  • Involves funds from illegal activity
  • Is designed to evade BSA regulations
  • Has no apparent lawful purpose
  • Facilitates criminal activity

Voluntary SAR filings can be made for any suspicious transaction regardless of amount and are protected by statutory safe harbor from civil liability.

CVC Kiosk-Specific SAR Filing Instructions

When suspicious activity is linked to CVC kiosk usage, financial institutions should include the key term "FIN-2025-CVCKIOSK" in SAR Field 2 (Filing Institution Note to FinCEN) and in the narrative. All supporting documentation must be retained for a minimum of five years from the date of filing.

Section 314(b) Voluntary Information Sharing

The Section 314(b) program — codified at 31 U.S.C. § 5318(g) and implemented via 31 C.F.R. § 1010.540 — allows financial institutions to share information about individuals or entities suspected of money laundering or terrorist financing. Participation carries statutory safe harbor protection from civil liability.

FinCEN actively promotes 314(b) participation for disrupting coordinated crypto fraud. When multiple institutions detect similar patterns tied to the same wallet addresses, sharing that intelligence builds a more complete picture and supports stronger, more comprehensive SARs.

Building a FinCEN-Compliant AML Program for Your Crypto Business

A defensible crypto AML program requires more than checking regulatory boxes—it must be tailored to your specific business model and demonstrably effective.

Foundational Program Components

Your AML program should include:

  • Written risk assessment covering your specific CVC activities — exchanges, kiosks, wallets, DeFi interfaces, and any hybrid models
  • Policies and procedures aligned to FinCEN's guidance and updated to reflect new advisories and notices
  • Transaction monitoring systems that flag smurfing, structuring, and rapid wallet-to-wallet movement
  • Blockchain analytics tools to identify sanctions exposure, illicit wallet connections, and on-chain suspicious activity

The Critical Role of the BSA/AML Compliance Officer

FinCEN requires every MSB to designate a compliance officer with direct program oversight. That officer must have hands-on experience across BSA, KYC, SAR filing, and OFAC — it cannot be delegated to someone without that background.

For early-stage crypto firms, that level of expertise is often out of reach on a full-time basis. Fraxtional's fractional BSA officer model places experienced compliance directors directly into your program, without the cost or commitment of a permanent hire.

Independent Testing Is Mandatory, Not Optional

Crypto firms must conduct regular independent audits of their AML programs. During examinations, regulators look specifically for documented testing results — firms without them face significantly higher enforcement risk.

Independent testing should evaluate:

  • Whether policies and procedures are followed in practice
  • The effectiveness of transaction monitoring systems
  • KYC and CDD process compliance
  • SAR decision-making and filing timeliness
  • Training effectiveness and staff competency

Five-point AML independent audit checklist for crypto firms compliance testing

Fraxtional provides independent audit services for crypto firms that need external program review — including gap analysis, examiner-ready documentation, and findings presented through data visualization. It's available as a standalone engagement, separate from any ongoing compliance leadership work.

Frequently Asked Questions

Is FinCEN registration required for cryptocurrency businesses?

Yes. Most cryptocurrency businesses—including exchanges, kiosk operators, P2P exchangers, and wallet providers—are classified as MSBs and must register with FinCEN within 180 days of starting operations. Registration also requires a four-pillar AML/CFT program, SAR and CTR filing obligations, and OFAC sanctions compliance.

Does FinCEN regulate cryptocurrency?

Yes, FinCEN regulates cryptocurrency under the Bank Secrecy Act, applying its rules to any convertible virtual currency business model. This includes U.S.-based businesses and foreign-located entities that do business substantially within the United States, regardless of physical presence.

What is the FinCEN advisory for cryptocurrency?

FinCEN has issued three key crypto guidance documents, each covering red flags, typologies, and SAR filing instructions for specific business models:

What are FinCEN's red flags for suspicious cryptocurrency activity?

FinCEN's red flags include:

  • Structuring transactions below CTR/SAR reporting thresholds
  • Rapid movement of funds through multiple wallets
  • Blockchain analytics indicating ties to fraud or sanctioned entities
  • Unusual high-value activity by older customers following remote direction
  • Kiosk operators advertising no-ID transactions

No single flag is determinative—context matters.

Can law enforcement trace cryptocurrency transactions?

Yes. While CVC transactions occur on decentralized blockchains and cannot easily be reversed, blockchain analytics tools can and do trace transaction flows. FinCEN notes that blockchain analysis often connects scam payments—made at different times or by different victims—to the same wallet. Law enforcement regularly uses these tools in criminal investigations.

Is cryptocurrency mining legal in the USA and do I need a license?

Cryptocurrency mining is generally legal in the United States. Miners who only mine for their own account are not typically classified as MSBs by FinCEN. However, selling mined CVC to third parties or running a fee-based mining pool may trigger MSB registration obligations—and state-level licensing requirements vary by jurisdiction.