BIS ¦ From Cash to Crypto: Towards a Consistent Regulatory Approach to Illicit Payments

From cash to crypto – aligning AML/CFT rules across payment instruments

Payments vary not only in speed, cost and convenience but in a structural feature that matters enormously for anti-money laundering and countering the financing of terrorism (AML/CFT): whether transactions are validated and recorded through an intermediary that can act as a gatekeeper. Intermediaries such as banks, e-money issuers, payment service providers and hosted wallet custodians can perform customer due diligence (CDD), monitor flows and file suspicious transaction reports. Instruments that do not require such intermediaries – physical cash, self‑hosted crypto wallets and offline variants of retail central bank digital currency (CBDC) – inherently limit those standard points of detection. That simple design difference shapes the incentives of both malicious actors and legitimate users, and it drives regulatory choices and unintended market responses.

A conceptual framework – intermediaries, detection and behavioural responses

Treating AML/CFT as a behavioural policy problem clarifies the mechanisms at work. The expected cost to a criminal depends on two parameters: the probability of detection and the penalty upon detection. Intermediated payment instruments raise the probability component because obliged entities are in a position to identify customers, monitor patterns and report suspicious activity. Non‑intermediated instruments reduce that probability by design.

Because payment instruments are imperfect substitutes, actors will respond to differences in expected cost. Criminals will seek instruments that minimise detection risk while remaining practical for their needs. Legitimate users who highly value privacy or distrust intermediaries may also migrate to less intermediated instruments. This shift can produce a “waterbed effect” – stricter controls in one channel push illicit or privacy‑seeking activity into another, weakening overall system integrity.

Policy responses therefore follow a dynamic cycle: regulators tighten rules for instruments where intermediaries exist, innovators and users migrate to less‑regulated alternatives, regulators extend the scope or add tailored rules, and the cycle repeats. To be effective and sustainable, policy design must anticipate these behavioural responses rather than simply reacting instrument by instrument.

Bastian Schwind-Wagner _Follow

"Payment instruments differ in how they involve intermediaries, which shapes the likelihood of detecting illicit activity and influences both criminal behaviour and legitimate users’ privacy choices. A consistent AML/CFT approach should combine common rules for intermediated instruments with tailored measures for non‑intermediated ones to minimise regulatory arbitrage while preserving proportionality and privacy.

Effective enforcement requires clear legal definitions, strong data‑protection safeguards and coordinated supervision across sectors and borders. Embedding technology‑neutral principles and focusing on touch points where non‑intermediated instruments enter the regulated system will help future‑proof AML/CFT frameworks as payments evolve."

How the European Union adjusted its framework – a case study

The European Union’s AML/CFT framework illustrates the interaction between payment design and regulatory response.

From directives to a single-rulebook and a new authority

EU AML rules evolved from the 1991 AMLD1 (Council Directive 91/308/EEC) through successive directives that progressively broadened obliged entities and strengthened CDD, transaction monitoring and suspicious activity reporting. Recent reforms replaced much of the directive‑based patchwork with a directly applicable AML Regulation and created the European Anti‑Money Laundering Authority (AMLA). Those steps aimed to reduce fragmentation and to make enforcement across borders more coherent.

Cash

The EU’s AMLR introduced an EU‑wide cash threshold of EUR 10,000 for consumer and business transactions. Thresholds force transactions above the limit onto intermediated rails where CDD is feasible. The EUR 10,000 level reflects proportionality and legal tender considerations; member states may set lower limits after consulting the European Central Bank, but very low thresholds risk undermining cash’s viability and could conflict with legal tender protections unless proportionate public interest grounds are shown.

E‑money and bank deposits

E‑money issuers and banks are treated as obliged entities and are subject to the same basic CDD, monitoring and reporting requirements. The AMLR acknowledges heterogeneity in e‑money products and permits narrowly defined low‑risk exemptions for non‑reloadable, small‑value instruments under strict conditions, preserving proportionate treatment.

Hosted crypto

The EU extended AML obligations to a broad class of crypto-asset service providers (CASPs). Hosted wallets and custodial services are within scope, and the Travel Rule was extended to virtual asset transfers so that originator and beneficiary information accompanies transfers. The AMLR bans services offering anonymising wallets or deliberately obfuscated transaction records, reflecting the view that pseudonymity undermines traceability.

Self‑hosted crypto

Transactions that occur between self‑hosted wallets without a CASP on either end remain outside direct CDD and monitoring unless conversion to or from fiat or an interaction with an obliged entity occurs. Regulators require CASPs to assess and mitigate risks associated with transfers to and from self‑hosted wallets, but no transaction or holding limits analogous to cash thresholds have been imposed on self‑hosted crypto. Absent additional measures, this differential treatment creates an attractive channel for illicit transfers.

Retail CBDC (digital euro) – online versus offline

The EU proposal for a digital euro treats online retail CBDC payments as intermediated where payment service providers would act as obliged entities, allowing application of standard AML/CFT tools. Offline CBDC payments pose a harder choice: offline person‑to‑person transactions would resemble cash in being executed without a validating intermediary, but they would leave different kinds of electronic traces. The digital euro proposal therefore takes a tailored approach – a lex specialis – allowing the European Commission to set transaction and holding limits and specifying which data can be retained for funding/defunding events to enable investigations while attempting to preserve privacy for ordinary use.

Key tensions – privacy, proportionality and legal constraints

AML/CFT measures reduce informational privacy because they require collection and processing of payment data for law enforcement purposes. That privacy‑integrity trade‑off is not merely technical; it implicates rule‑of‑law, proportionality and public trust. Strong data protection regimes, bank secrecy rules where appropriate and limited, targeted data access by competent authorities are crucial complements to AML/CFT obligations to limit social costs and avoid chilling lawful payment behaviour.

Legal tender protections and other statutory rights linked to central bank money complicate straightforward application of transaction limits. EU case law and ECB opinions accept that limits may be justified on public interest grounds, provided measures are proportionate and do not amount to de facto abolition of cash.

Design principles for a consistent and future‑proof approach

The experience in the EU suggests a policy architecture combining a consistent foundation and calibrated instrument‑specific measures:

1. A clear lex generalis: apply a common set of AML/CFT principles and baseline obligations to all instruments that involve identifiable intermediaries. That ensures uniformity across banks, e‑money issuers, PSPs and custodial crypto service providers – harmonising CDD, transaction monitoring standards, suspicious reporting obligations and data protection safeguards.
2. Instrument‑specific lex specialis rules where necessary: for instruments without intermediaries, adopt tailored measures that reflect their particular technical and legal properties. Options include transaction and holding limits, rules on funding/defunding touch points, and obligations on issuers or platform operators. For offline CBDC, programmable limits and constrained data retention tied to legitimate investigative uses are feasible; for self‑hosted crypto, policy could focus on robust controls at conversion points and enhanced obligations on service providers that interact with such wallets.
3. Focus enforcement and compliance where it is effective: leverage touch points where non‑intermediated instruments intersect with intermediated systems – withdrawals, deposits, fiat conversions and merchant on‑ramps/off‑ramps – to increase detection without eliminating desirable properties like convenience or basic privacy.
4. Align incentives and raise the expected cost of non‑compliance: strengthen supervision and meaningful sanctions for obliged entities and professional service providers, and empower authorities to require issuers or platforms to freeze or delist suspect instruments where lawful. Increasing the probability of detection and the expected penalties reduces arbitrage incentives.
5. Preserve proportionality and public trust: embed strong data protection and oversight, require transparency about how payment data are used, and ensure legal safeguards for access to retained data. Transaction limits and data collection should be tailored to risk and be legally justified to avoid disproportionate impacts on law‑abiding users and financial inclusion.
6. Make rules technology‑agnostic and future‑proof: adopt broad functional definitions that capture payment instruments by their role and effect rather than by specific technologies. This prevents simple relabelling or minor technical tweaks from evading regulatory coverage and reduces the regulatory lag that encourages arbitrage.

Practical implications and open questions

• A harmonised baseline for intermediated instruments reduces regulatory arbitrage between banks, e‑money providers and hosted crypto custodians. It also simplifies supervision and creates clearer deterrence.
• For non‑intermediated instruments, the choice between limits, issuer obligations and touch‑point controls depends on enforceability, proportionality and policy priorities.
• Limits can be embedded in offline CBDC and programmable token standards; they are far harder to enforce for physical cash and for permissionless self‑hosted crypto.
• Enforcement relies on cross‑sector cooperation and data sharing. Authorities and obliged entities need interoperable standards for suspicious reporting and for investigating cross‑border flows.
• The waterbed effect is empirical as well as conceptual. Quantifying the extent to which stricter rules in one channel shift illicit activity to another requires cross‑instrument data and careful causal analysis.
• Such empirical work would help calibrate thresholds, limits and the balance between privacy and integrity.

Conclusion

Differences in payment design – especially whether a transaction is validated through an identifiable intermediary – create distinct AML/CFT risk profiles and shape both criminal incentives and legitimate users’ preferences. A consistent regulatory philosophy that pairs a common set of obligations for intermediated instruments with carefully chosen instrument‑specific rules for non‑intermediated ones will reduce arbitrage, preserve desirable privacy features, and maintain system integrity. Achieving that balance requires legal clarity, proportionality, robust data protection, well‑resourced supervision, and forward‑looking, technology‑neutral definitions so that AML/CFT frameworks remain effective as payments continue to evolve.

Dive deeper

• BIS ¦ A. Minto, A. Kosse, T. Shirakami and P. Wierts; BIS Papers No 166 (2026); From cash to crypto: towards a consistent regulatory approach to illicit payments ¦ Link