
12 September 2024
Basel Institute on Governance (2024) | The Role of Financial Institutions in Preventing and Detecting Money Laundering using Crypto Assets
Financial institutions as frontline defenders: preventing and detecting money laundering with crypto assets
At the 8th Global Conference on Criminal Finances and Cryptocurrencies, a high‑level panel explored how banks and other regulated financial institutions can prevent and detect money laundering involving crypto assets without stifling innovation. Participants included representatives from the Wolfsberg Group, the European Central Bank, the European Banking Authority, Europol, UNODC and others. The discussion covered regulatory progress in the EU, payment transparency and the travel rule, practical exposure scenarios for banks, the role of technology and analytics, challenges around source of wealth, and operational steps institutions can take now.
EU regulatory developments and the travel rule
European authorities have progressively extended anti–money laundering and counter‑terrorist financing obligations to crypto activity. The Financial Action Task Force first broadened its recommendations in 2019 to bring virtual assets and virtual asset service providers within the AML/CFT framework. At EU level, initial steps (2018) already covered custodial wallet providers and fiat‑crypto exchanges. The new, wider EU regulatory perimeter will create an authorization regime for a broader set of crypto‑asset service providers and introduce a transfer‑of‑funds‑style framework for certain crypto asset movements, increasing traceability obligations for transfers.
The European Banking Authority issued technical guidance to clarify how obliged entities should implement travel‑rule‑type requirements for crypto transfers. Those guidelines specify the data elements expected, outline monitoring tasks, and address when checks should be performed (pre‑ and post‑transfer). An expert group made up of public‑ and private‑sector specialists informed the guidance to reflect implementation challenges such as cross‑jurisdictional fragmentation and the technical limits of current solutions — for example, difficulties applying rules to unhosted wallets. Regulators and industry must continue iterative work to resolve inconsistencies, and further regulatory technical standards and clarifications are expected.
The ECB’s focus: financial stability, prudential risk and governance
The ECB has assessed crypto assets through the lens of financial stability, prudential supervision and the integrity of payment systems. Crypto‑related payment and market activities can affect financial stability and the soundness of individual institutions, so the ECB has underlined three key expectations for banks.
First, banks must perform business‑wide risk assessments before making significant business‑model changes: launching crypto products or onboarding crypto clients requires reflecting those risks in the institution’s risk appetite and capital/liquidity planning.
Second, prudential supervisors increasingly expect active cooperation between compliance and risk functions so that AML/CFT and prudential assessments (ICAAP/ILAAP) are aligned and reflect financial‑crime exposures.
Third, governance matters: the board and senior management must endorse and resource AML/CFT controls. Some supervisory regimes are already requiring board‑level responsibility for AML/CFT matters, and a weak tone from the top undermines all other controls.
How banks are exposed to crypto
Banks encounter crypto‑related risks in at least three ways. First, a bank may have direct exposure by offering crypto services or launching its own crypto products. Second, a bank may have indirect but material exposure as a correspondent or fiat on‑/off‑ramp for crypto exchanges and market participants, where it relies on its customer (the exchange) to perform strong customer due diligence on end users. Third, ordinary retail or corporate customers may use bank accounts to buy, sell or bridge crypto holdings, creating transactional flows that carry risk even when the bank is not a crypto specialist.
Many banks underestimate these exposures. Even if an institution does not deliberately enter the crypto market, payment transparency gaps, correspondent relationships and customer behavior create channels that bring crypto‑related risk into traditional banking systems. Regulators and supervisors therefore expect banks to identify and measure such exposures and to adapt KYC and transaction monitoring accordingly.
Practical challenges: fragmented data, source of wealth and sanction risks
Panelists emphasized persistent operational challenges. On the data side, payment legs are often fragmented across multiple institutions, jurisdictions and on‑chain/off‑chain boundaries. A bank frequently sees only one leg of a transfer and must rely on correspondent banks or the crypto counterparty to piece together originator information. Where relationships exist with crypto‑friendly banks or exchanges, timely RFIs can often bridge gaps, but such communication depends on counterparties’ willingness and regulatory alignment across jurisdictions.
Source of wealth and provenance of large crypto gains pose acute difficulties for onboarding and enhanced due diligence. Wealth accumulated via early crypto investments can involve multiple now‑closed exchanges, multiple wallets (including self‑custody) and interposed intermediaries. Blockchain analytics are helpful for tracing transaction history, but they seldom replace documentary evidence, tax records or credible customer explanations. Banks must therefore combine on‑chain analysis with off‑chain evidence, tailored questioning and risk‑based escalation.
Sanctions and misuse remain material concerns. Actors may route funds through crypto channels to avoid restrictions, exploit jurisdictions with weak controls, or abuse non‑KYC platforms as de facto mixers. Supervisors and industry have highlighted the risk of regulatory shopping and offshore routing, and the need for consistent global standards and supervisory cooperation to reduce safe havens for illicit activity.
Technology: analytics, automation and data sharing
Technology and blockchain analytics are powerful tools for detection and investigation. On‑chain analytics can reveal networks, address clustering, transaction patterns and links to known illicit services. Smart contracts and programmable controls can automate compliance checks and enable rule‑based gating of transfers. Emerging cryptographic tools (for example, zero‑knowledge proofs) can help reconcile privacy and data‑protection constraints with the need to share provenance or identity claims.
However, technology must be implemented with controls, testing, governance and skilled personnel. Analytics without well‑designed monitoring processes, trained investigators and governance creates false confidence. Equally, data protection and legal constraints mean industry and public authorities must carefully design information‑sharing channels and legal bases for exchange of travel‑rule data and law‑enforcement requests.
What banks should do now
Banks should start from a business‑wide risk assessment aligned with supervisory expectations. That assessment must drive choices about permissible crypto business, risk appetite, capital and liquidity planning, governance and resourcing. Priorities for action include:
- Building compliance infrastructure before taking on crypto products or customers: hire or train qualified staff, adopt appropriate policies and dedicate sufficient resources to AML/CFT functions.
- Strengthening onboarding and enhanced due diligence specific to crypto: augment KYC with targeted questions about wallets, exchanges and historical trading; request credible documentary evidence for source of wealth and profits; and apply a risk‑based approach for activities involving unhosted wallets or non‑KYC venues.
- Improving transaction monitoring: incorporate crypto‑specific typologies and keywords, maintain up‑to‑date lists of virtual asset providers and risk indicators, and tune scenarios for on‑ and off‑ramp activity.
- Using blockchain analytics and integrating on‑chain insights with traditional AML systems: combine analytics with RFIs, correspondent engagement and case management workflows so on‑chain intelligence translates into actionable investigations.
- Training front‑line staff, investigators and senior management: equip first‑line personnel to identify crypto signals at onboarding and transaction review, upskill compliance teams for on‑chain investigations, and ensure senior leaders understand and back the firm’s crypto strategy and controls.
- Cooperating with supervisors and peers: engage proactively with national supervisors to confirm interpretations of regulation and supervisory expectations, participate in public–private partnerships and sector task forces to share typologies and best practice, and work with law enforcement to ensure timely exchange of relevant travel‑rule and suspicious‑activity information.
One practical priority for law enforcement and supervisors is to ensure obliged entities preserve and can produce travel‑rule data. At the EU level, law enforcement can obtain travel‑rule‑type information from obliged entities in the context of investigations; competent AML supervisors have distinct but complementary access and supervisory powers. Clear channels and prompt cooperation are key to turning travel‑rule data into investigative leads.
Regulatory and cultural proposals from the panel
Regulators can help by harmonizing requirements to reduce regulatory fragmentation and by issuing clear, implementable technical standards and supervisory guidance. Policy clarity reduces uncertainty for banks and makes compliance more feasible. Public authorities should continue to promote cross‑border supervisory cooperation and common taxonomies for crypto exposure.
Equally important are non‑technical elements: strong governance, ethical hiring and a credible tone from the top. The panel suggested that recruiting senior managers with appropriate fit‑and‑proper assessments and strong ethical standards can reinforce compliance culture. Psychological or behavioral assessments for senior roles were mentioned as effective complements to traditional checks in some jurisdictions.
Final takeaways
Crypto is now embedded in the financial ecosystem in many ways; banks cannot assume they are untouched. Effective prevention and detection of crypto‑related money laundering require a combination of regulatory clarity, robust governance, skilled people, tailored risk assessments, integrated on‑chain/off‑chain analytics, and proactive cooperation across supervisors, industry and law enforcement. By aligning business strategy, resourcing and governance with AML/CFT obligations, financial institutions can serve as effective gatekeepers without needlessly obstructing legitimate innovation.