BIS ¦ Bulletin No 111: An Approach to AML Compliance for Cryptoassets

An approach to AML compliance for cryptoassets: using blockchain provenance to close the off-ramp gap

The growth of cryptoassets on permissionless public blockchains has outpaced the ability of traditional AML frameworks to contain illicit flows. The Bank for International Settlements Bulletin No. 111 (13 August 2025) proposes a practical alternative: leverage the public, tamper-evident transaction history on blockchains to compute AML compliance scores tied to specific units (UTXOs) or wallets and apply those scores where crypto intersects with the banking system. This article summarises the BIS proposal, explains how such scoring would work for different token types, reviews implementation choices and incentives, and highlights the key policy trade-offs for regulators, financial institutions and crypto service providers.

Why existing AML approaches struggle with permissionless blockchains

Conventional AML relies on regulated intermediaries — banks and licensed virtual asset service providers (VASPs) — to perform customer due diligence and to screen and report suspicious transactions. In traditional payments, intermediaries control account updates and can enforce KYC and reporting requirements. Permissionless blockchains, by contrast, distribute record-keeping across validators or miners and publish the full history of transfers. No single intermediary is the canonical enforcer of account updates. Once crypto moves into unhosted (self-custody) wallets, conventional supervisory reach weakens: banks and exchanges can police on‑ramp and off‑ramp flows, but they cannot directly prevent every on‑chain transfer. This creates gaps that criminals exploit: since 2022 stablecoins have become the dominant instrument in illicit crypto activity.

How blockchain features can help, not hinder, compliance

The public and permanent nature of on‑chain records creates an opportunity: traceability. For UTXO-based assets (e.g. Bitcoin), individual outputs are traceable back to their minting and retain identifiable provenance unless deliberately mixed. For account‑based tokens (e.g. most stablecoins on programmable chains), unit-level provenance is not preserved in the same way, but wallet‑level and transaction‑path information remains publicly visible. Centralised, fiat‑backed stablecoins add an additional lever: issuers can mint and burn, and in practice have sometimes frozen addresses at legal request. Combining these facts, a scoring system can summarise the extent to which a given UTXO or wallet balance is associated with illicit activity, sanction lists or other jurisdictional rules (for example foreign exchange controls).

What an AML compliance score is and how it would be used

An AML compliance score assigns a numeric or categorical rating to a UTXO or wallet balance that reflects its exposure to known illicit addresses, suspicious protocols (mixers, sanctioned exchanges), or other red flags identified by investigators and analytics providers. The score is then consulted at enforcement points — notably off‑ramps where crypto is converted to fiat and enters the banking system. A high score denotes “clean” provenance and would typically permit conversion and deposit into banks. A low score signals taint and would trigger blocking, enhanced due diligence or reporting. Jurisdictions would set threshold values and rules for action based on domestic laws and risk tolerance.

Bastian Schwind-Wagner_Follow "Blockchain transaction histories can be turned into practical AML tools by assigning provenance-based compliance scores to UTXOs or wallets and enforcing thresholds at fiat off-ramps. Applied thoughtfully with international coordination and privacy safeguards, this approach can substantially reduce the flow of illicit proceeds into the banking system while preserving legitimate crypto usage."

Ranges of implementation: from strict to permissive

The BIS Bulletin outlines a spectrum of possible approaches.

• Strict (allow‑list) model: Require that tokens presented at off‑ramps be traceable through KYC‑verified addresses. Only tokens with a provenance chain touching allow‑listed, verified wallets are convertible. This effectively extends intermediary‑style KYC to the whole economy by making conversion contingent on a clean chain of custody.
• Permissive (deny‑list) model: Only block tokens that have directly transacted with addresses on a deny list (e.g. known criminal wallets). This is lighter touch and harder to game via layering, but it leaves more room for laundering methods that avoid interaction with clearly tainted addresses.
• Intermediate models: Combine multiple criteria — recency of interaction with allow or deny lists, number of hops from tainted addresses, interaction with mixing protocols, minimum holding periods, size thresholds for allowable conversions — to balance false positives and circumvention risk.

Practical mechanics by token type

For UTXO tokens (Bitcoin and similar): Scoring can be applied at the UTXO level. Analytics tools can trace Satoshi-level provenance and label UTXOs as clean, indirectly tainted (via intermediary addresses), directly tainted, or fully tainted. Off‑ramp systems would check the UTXOs being cashed out and apply the threshold rule.

For account‑based stablecoins: Unit-level tracking is not natively preserved, but tracing wallet histories and transaction links is still feasible. Centralised stablecoin issuers present additional options because issuers can implement controls on minting, redemption and freezing. Off‑ramps and issuers can coordinate: issuers may deny redemption for wallets below a threshold score or provide provenance metadata to downstream counterparties.

Allocation of responsibility and incentives

The proposal focuses on leveraging existing chokepoints — exchanges, custodians, stablecoin issuers and banks — rather than policing every on‑chain transfer. Placing a clear duty of care on off‑ramp actors creates incentives for them to use score providers and screening tools, since regulatory penalties can enforce compliance. That duty could be allocated differently across jurisdictions: some may place primary responsibility on intermediaries, others on users or on a combination. The public nature of blockchains also opens a market for affordable compliance services that individuals and smaller firms can use, reducing plausible deniability arguments when tainted tokens are received.

Behavioral and market feedbacks

Scoring systems will change incentives across the ecosystem. Clean wallets and well‑established compliance practices could gain liquidity and a price premium, while tainted coins would trade at discounts or be rejected outright for conversion. Illicit actors will respond: they may attempt to use mixers, privacy coins, off‑chain transfers or unregulated exchanges to avoid traceability. Scoring algorithms will need to adapt, incorporating pattern detection for circumvention techniques. This is an ongoing arms race, but publication of scores and widespread screening increases the cost and complexity of laundering, producing an expected net reduction in successful illicit conversions into the banking system.

Policy trade‑offs and risks

False positives and access: A strict allow‑list regime risks excluding legitimate users who have no practical ability or willingness to pass KYC chains, particularly in jurisdictions with limited banking access. Regulators must weigh financial inclusion concerns against illicit finance risks.

Fragmentation and cross‑border coordination: Crypto flows are inherently international. Divergent national scoring rules could fragment markets and create regulatory arbitrage. International cooperation and common standards for scoring inputs, allow/deny lists and evidence thresholds would reduce frictions and improve effectiveness.

Privacy and proportionality: Using public chain data preserves no additional surveillance beyond what is already visible on the ledger, but combining on‑chain analysis with off‑chain identity data raises privacy and data‑protection issues. Policymakers should require that off‑ramp screening respects data minimisation and due process.

Market concentration and operational resilience: If a handful of analytics firms become gatekeepers for scoring, concentration risk and single points of failure may emerge. Authorities could mitigate this by endorsing multiple providers, open standards and auditability of scoring methodologies.

Enforcement and legal frameworks: Clear rules are needed on how scores are generated, how appeals or disputes are handled, and what liability attaches to downstream actors. Penalties for non‑compliance should be predictable and proportionate.

Conclusion

The BIS Bulletin proposes a pragmatic way to bring cryptoasset activity within the scope of AML/CFT efforts without trying to reimpose intermediary control over every on‑chain transfer. By converting the transparency of public ledgers into actionable AML compliance scores applied at conversion points, authorities can significantly reduce the entry of illicit proceeds into the banking system while preserving legitimate use cases. Implementation choices — the placement of thresholds, the choice between allow‑list and deny‑list regimes, and the allocation of duty of care — will shape inclusion, market dynamics and the effectiveness of enforcement. Crucially, international coordination, open methodologies and safeguards for privacy will be essential to make blockchain‑based scoring a durable and fair tool in the financial crime fight.

Dive deeper

• Bank for International Settlements (BIS) ¦ Iñaki Aldasoro, Jon Frost, Sang Hyuk Lim, Fernando Perez-Cruz and Hyun Song Shin; BIS Bulletin No 111 An approach to AML compliance for cryptoassets; ISSN: 2708-0420 (online), ISBN: 978-92-9259-881-5 (online) ¦ Link