In December, the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) announced a $3,500,000 civil penalty against Paxful, Inc. and Paxful USA, Inc. (“Paxful”), pursuant to a consent order.

Paxful is an exchanger of convertible virtual currencies (“CVC”), operating both a CVC wallet service and a marketplace for peer-to-peer (“P2P”) buyers and sellers of CVC. The company describes itself as “the world’s largest P2P marketplace,” enabling users to buy and sell digital currencies across 140 markets with hundreds of payment methods, send cash or cryptocurrency instantly, and “become a peer-to-peer market maker.” According to the consent order, between February 2015 and April 2023, Paxful conducted transactions with over 4 million users, including over 50 million trades valued at a total of several billion dollars. These transactions ranged across products including CVC, prepaid access cards, and fiat currencies. In that time period, Paxful’s customers engaged in over 20 million external crypto transactions worth more than $10 billion.

In the order, Paxful admitted to three types of violations. First, Paxful failed to maintain its registration with FinCen. Second, it failed to implement an effective AML program. Third, it failed to identify and report suspicious activity. Paxful agreed to pay a $3,500,000 civil penalty for these violations, which FinCEN described as “egregious” and having “caused extensive possible harm to the public.”

Failure to Register as a Money Services Business

The Bank Secrecy Act (“BSA”) requires all “money services businesses” to register with FinCEN as an MSB within 180 days of beginning operations, and to renew its registration every two years. Paxful is treated as an MSB because it is a “money transmitter,” one of seven categories of businesses required to register as MSBs. While Paxful initially registered with FinCEN in July 2015, it allowed its registration to lapse. MSBs are required to renew their registrations by the last day of the calendar year before two-year renewal period—here, Paxful was required to re-register by December 31, 2016. It failed to do so until September 3, 2019, and therefore operated as an unregistered MSB for 974 days.

Failure to Develop, Implement, and Maintain an Effective AML Program

Much of the consent order details Paxful’s failure to implement a compliant AML program. At the outset, Paxful did not have any AML program in place for its first four years of operation, only implementing a program for the first time in February 2019. The program Paxful eventually implemented still fell short of FinCEN’s requirements in numerous respects, including:

• Know your customer protocols. The know your customer (“KYC”) protocols Paxful put in place only applied to users whose activity exceeded $1,500, and Paxful made no effort to prevent users from evading controls by structuring transactions around this minimum.
• Customers acting as unregistered MSBs. While Paxful identified a risk that smaller P2P exchangers could use Paxful, it did not implement controls to identify unregistered MSBs.
• Geographic spoofing. Paxful did not assess customers’ locations, or take any action to identify circumstances where users used geographic spoofing to hide their true location—in many cases concealing activity from locaitons the government considers high-risk jurisdictions. 
• Transaction monitoring. Although Paxful’s products and services could be used for money laundering, its AML program provided no mechanism for the company to identify and report suspicious activity, as required by law.
• Prepaid access transactions. Paxful operates a prepaid access program, which was a substantial portion of its business. Between May 2015 and December 2019, the top payment methods on the platform were iTunes and Amazon prepaid access cards. Despite knowing that illicit actors were exploiting this market, Paxful prioritized its development, and failed to implement controls to monitor and illicit activity taking place within it.
• North Korean, Iranian, and terrorist finance transactions. One result of Paxful’s failure to implement sufficient internal controls is that it facilitated transactions with what the consent order describes as hostile nation-states and state-sponsored cybercriminals, including from Iran and North Korea. The Lazarus Group, which is designated a North Korean state-sponsored cyber-criminal group, conducted thousands of trades on Paxful’s platform. Paxful took no steps to address this for several years after receiving law enforcement inquiries about it.
• Compliance Officer. Although MSBs are required to designate a person ensure compliance with internal compliance programs and the BSA, Paxful operated without any designated compliance officer. When it did begin listing a compliance officer, that individual had never received any BSA or AML training, and during that person’s tenure, Paxful still had what the government describes as “egregious lapses in compliance.”
• Independent Testing. MSBs must obtain independent reviews of their compliance program, with the scope and frequency depending on the risks associated with the MSB’s services. Paxful only conducted one test in the multi-year period at issue on the consent order, which the government described as “not even remotely commensurate with the volume of transactions processed or risks associated with the products and services offered by Paxful.”

Failure to Report Suspicious Activity

The consent order states that Paxful “facilitated transactions involving over $500 million in suspicious activity[.]” These transactions were associated with ransomware attacks, darknet and other illicit marketplaces, unregistered MSBs, child sexual abuse material, elderly financial exploitation, terrorist financing, high-risk jurisdictions, and stolen funds or other illicit proceeds. Despite this, Paxful did not file a single suspicious activity report before November 2019, and its reporting after that date remained deficient.

BSA Violations and Penalty

The consent order noted that Paxful employees had identified and discussed many of these deficiencies with senior leadership, who in some instances dismissed the concerns, and in other instances claimed that the concerns would be addressed. In some circumstances, the consent order states that Paxful leadership instructed employees not to raise or report issues, and that Paxful employees actively worked to build its relationships with and presence on high-risk platforms. For example, Paxful actively sought to be utilized on Backpage.com, a platform well-known for its role in promoting sex trafficking, including child sexual abuse, even after its widespread illicit activity was made public by a government investigation.

Based on these actions and deficiencies, FinCEN found that Paxful willfully violated the BSA and associated regulations, specifically finding:

1. Paxful willfully failed to register as an MSB in violation of 51 U.S.C. § 5330 and 31 C.F.R. § 1022.380;
2. Paxful failed to develop, implement, and maintain an effective AML program reasonably designed to prevent its programs from being used to facilitate money laundering and the financing of terrorist activities in violation of 31 U.S.C. § 5318(h)(1) and 31 C.F.R. § 1022.210; and
3. Paxful willfully failed to accurately, and timely, report suspicious transactions to FinCEN, in violation of 31 U.S.C. § 5318(g)(1) and 31 C.F.R. § 1022.320.

In discussing its decision to impose a civil money penalty, FinCEN noted the “egregious” nature of the violations, which it determined “caused extensive possible harm to the public.” FinCEN further discussed that it determined there was a “culture of noncompliance throughout” Paxful, whose leadership were aware of their obligations under the BSA and still failed to comply. Based on these, and other factors, FinCEN imposed a $3.5 million civil penalty.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch. And please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On August 28, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released an advisory (FIN-2025-A003) alongside a comprehensive Financial Trend Analysis (“FTA”), shining a spotlight on one of today’s most significant illicit finance risks: the integration of Chinese Money Laundering Networks (“CMLNs”) into the operations of Mexico-based transnational criminal organizations, better known as cartels. This pairing not only illustrates an evolution in global money laundering typologies but also presents new compliance challenges for financial institutions and multinational businesses alike.

The CMLN–Cartel Partnership

FinCEN’s latest analysis highlights how two very different regulatory environments have fostered an unlikely alliance:

1. Mexican cartels, flush with U.S.-dollar drug proceeds but restricted by Mexican currency controls that limit dollar deposits into local financial institutions (See related blog posts here, here and here.)
2. Chinese nationals, facing strict capital controls at home that cap annual foreign currency conversions at $50,000 per person.

These pressures have produced what FinCEN describes as “a mutualistic relationship”: CMLNs purchase dollars from cartels desperate to move cash out of reach; they then sell this cash to Chinese clients seeking ways around China’s capital controls, effectively weaving together criminal proceeds with ostensibly legitimate wealth migration.

As professional money launderers operating globally, including within U.S. borders, CMLNs have become vital intermediaries capable of handling vast sums quickly while minimizing risk for their cartel clients by offering both speed and sophistication at scale.

Mutual Interests

This alliance operates on simple logic: Cartels need to move large volumes of cash out of Mexico without attracting law enforcement scrutiny or breaching currency controls. Chinese individuals want access to overseas dollars beyond China’s annual conversion limits for investments or personal spending abroad.

CMLNs buy cash from cartel operatives at discounted rates, then sell this cash to Chinese clients seeking U.S. dollars outside formal channels, effectively blending criminal proceeds with legitimate wealth migration.

By operating globally, including within U.S borders, CMLNs serve as professional intermediaries who can rapidly move millions while minimizing risk for their cartel partners through fast settlements and advanced tradecraft.

Core Money Laundering Methods Used by CMLNs

FinCEN identifies three primary money laundering methodologies employed by CMLNs in support of cartel operations:

1. Mirror Transactions

Mirror transactions are at the heart of CMLN operations:

• These transactions resemble informal value transfer systems (“IVTS”), where one member receives illicit cash in one country while another delivers an equivalent value, often in pesos or yuan, to a recipient abroad.
• A hypothetical example: A U.S.-based operator collects dollar proceeds from a cartel contact. Simultaneously, an associate pays pesos directly to cartel representatives in Mexico without physically moving funds via formal banks.
• Increasingly, mirror transactions rely on convertible virtual currencies such as Bitcoin for swift settlement outside traditional banking channels. This system allows participants to evade detection by avoiding official remittance routes altogether, a key reason why these schemes continue thriving despite heightened regulatory scrutiny worldwide.

2. Trade-Based Money Laundering

Trade-Based Money Laundering (“TBML”) remains central within this threat landscape:

• Illicit funds are used within the United States to purchase bulk quantities of high-value goods, such as smartphones or luxury handbags, which are exported through complicit companies based often in Hong Kong or Latin America.
• Shell entities facilitate shipments overseas. These goods may be resold for local currency or serve directly as stores of wealth among Chinese buyers seeking alternatives to mainland investment restrictions. Layered export-import flows obscure both originators and ultimate beneficiaries across multiple jurisdictions. Frequently involved are “daigou” buyers, agents familiar throughout Chinese diaspora communities who use credit cards funded from laundered proceeds before shipping inventory home for resale on popular e-commerce platforms.

3. Use and Exploitation of Money Mules

Money mules play a crucial role:

• Large-scale recruitment targets vulnerable populations, including students on temporary visas (especially those restricted from lawful employment), retirees with modest means but clean credentials, or anyone willing to participate for compensation. These individuals may knowingly accept small fees or be misled under false pretenses via social media connections.  Facilitators within  CMLN structures may provide counterfeit passports for opening bank accounts. After the accounts are opened,  substantial deposits, often inconsistent with the account holder’s declared income sources, are made and quickly wired onward or converted into cashier’s checks used later for real estate acquisitions across desirable markets.

In addition,

• FinCEN has documented extensive misuse of retail credit card systems, with laundered funds being used to finance shopping sprees that do not fit established customer profiles;
• Outstanding balances are settled using fresh infusions from network-controlled accounts; and
• Reward points earned through spending cycles become additional vehicles for offshore payments, all facilitated using promotional platforms that are popular among Peoples Republic of China (“PRC”) nationals.

Key Red Flags and Compliance Vulnerabilities

To assist financial institutions in learning how money launderers exploit gaps across KYC processes and transaction monitoring frameworks, FinCEN has identified the following red flags:

1. Accounts opened with Chinese passports plus student or visitor visas, followed immediately by high-volume activity unrelated to customer profiles
2. Frequent large-dollar cash deposits closely followed by wire-outs or cashier’s check purchases
3. Multiple wire transfers originating abroad where legitimate business relationships cannot be substantiated
4. Reluctance, or outright refusal, to explain sources behind incoming transfers when questioned during onboarding or enhanced due diligence reviews
5. Shell companies focused on electronics or export trades reporting income inconsistent with typical business size, type, or geography
6. Businesses receiving repeated credits from online marketplaces but rarely engaging suppliers or purchasing needed inventory

Legacy rules-based monitoring tools frequently fail to detect suspicious activity unless multiple red flags appear together over time. This highlights the importance of adding contextual behavioral analysis to existing AML programs for more effective detection.

Five-Year Data Trends: SAR Insights (2020–2024)

The FTA supporting FinCEN’s advisory analyzed more than 137,000 Suspicious Activity Reports (“SAR”s) filed between January 2020–December 2024 under Bank Secrecy Act (“BSA”) obligations, with roughly $312 billion flagged as activity possibly tied back toward CMLN involvement.

Major Takeaways:

1. Depository Institutions are Prime Gateways

• Banks accounted for nearly 85% of all relevant filings, from national chains down through community branches serving immigrant-heavy metro areas where bulk-cash placement occurs largely undetected via traditional surveillance alone
• About 9% came from money services businesses reflecting vulnerability among smaller operators less equipped with modern anti-money laundering controls

2. TBML Schemes Remain Prevalent

• Over $9 billion cited specifically involved trade-based methods characterized by unusual funding behind exports/imports routed East Asia, Mexico, and Middle East corridors

3. Daigou Buyers and Credit Card Abuse Feature Prominently

• Only twenty SARs flagged daigou buyers explicitly, but associated retail or luxury typologies driven mainly through serial credit card spending cycles accounted collectively upwards $19 billion

4. Human Trafficking and Elder Fraud Crossovers Noted

• More than sixteen hundred filings implicated human trafficking or smuggling flows representing about $4+ billion transferred directly into massage parlors, spas, or restaurants owned ultimately via proxy structures linked back toward PRC and U.S dual residents (See related blog post here.)
• Adult daycare and healthcare fraud centered around New York facilities reflected hundreds more filings totaling nearly three quarters-of-a-billion dollars

5. Real Estate Remains Favored Integration Channel

• Over $53 billion in illicit funds were laundered through property acquisitions. These transactions were either conducted directly using accounts, wire transfers, or check payments held by money mules and falsely described as coming from “relatives abroad,” or indirectly routed through shell companies set up for single transactions and then abandoned after the deals closed.

6. Students Frequently Serve as Account Openers or Mules

• Roughly fourteen percent ($13+ billion) cited account holders listing status only as students, with patterns showing repeat openings, multiple bank links, or spending behavior well beyond background justification

Banks remain frontline defenders against this evolving threat ecosystem, yet also risk becoming unwitting conduits if robust internal practices lag rising sophistication exhibited among laundering networks themselves.

Regulatory Responses and Risk Mitigation Strategies

The evolving legal environment reflects increased regulatory attention and a growing focus on industry compliance obligations:

• FinCEN guidance aligns closely with broader policy developments including Executive Order 14157 which now designates major cartels and transnational crime organizations (“TCO”s) under Foreign Terrorist Organization statutes.
• The Department of Justice view even indirect facilitation, such as what could occur unwittingly through correspondent banking and remittance partnerships, as grounds not merely technical BSA breaches, but also as potential material support violations.
• In June 2025, FinCEN invoked new authority barring certain Mexican financial institutions labeled primary money laundering concerns from interacting with the U.S. financial system (See related blog post here).

For practitioners tasked daily with managing exposure amid rising complexity several actionable steps stand out:

Practical Steps Forward:

1. Revisit transaction monitoring and risk rating models by integrating the latest red flag indicators and placing greater emphasis on behavioral surveillance, especially in situations where multiple risk vectors converge over time;
2. Intensify customer due diligence especially regarding beneficial ownership verification and source-of-funds tracing;
3. Ensure that escalation protocols and internal reporting lines facilitate prompt legal and compliance review of any linkages, even circumstantial, to sanctioned entities, TCOs, and CMLNs;
4. Where third-party exposure exists overseas, including logistics providers, supply chain partners, freight forwarders, and export-import brokers operating out of affected regions, embed contract language granting audit rights and requires proof of adequate AML/CFT program compliance; and
5. Educate staff routinely regarding current threat typologies, new sanctions lists, and red flag scenarios, ensuring awareness extends to non-financial operational units likely exposed day-to-day interactions.

Implementing these strategies helps ensure defenses remain dynamic in response to both evolving geopolitical realities and technological advances increasingly exploited criminal actors.

Conclusion: Adapting Amid Escalating Complexity

With more than $312 billion flagged suspicious over just four years, and robust government action underway, FinCEN’s message is unmistakable: professionalized global networks will continue adapting rapidly unless private sector vigilance rises correspondingly.

Financial institutions must evolve beyond box-ticking compliance toward genuinely intelligent risk assessment incorporating current geopolitical shifts, regulatory changes, and emerging technology-enabled evasion tactics deployed alike by the cartels and CMLN brokers.

As reflected throughout both FIN-2025-A003 advisory and the FTA, a multi-layered defense posture leveraging intelligence-driven detection capabilities will prove indispensable if industry participants aim not simply survive, but thrive, in today’s ever-changing regulatory landscape.

By implementing comprehensive detection techniques, drawing on international best practices and a nuanced understanding of the specific cross-border risks associated with modern money laundering methods, the financial sector can better protect itself and fulfill regulatory obligations to maintain the integrity of global payment systems.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.

On August 4, 2025, the Financial Crimes Enforcement Network (“FinCEN”) issued Notice FIN-2025-NTC1 (the “Notice”) to address mounting concerns over regulatory risks related to convertible virtual currency (“CVC”) kiosks, also known as cryptocurrency ATMs. This action is part of a broader response to the rise in money laundering, fraud, and other financial crimes linked to digital assets.

What Are CVC Kiosks? How Do They Work?

CVC kiosks are terminals that allow customers to exchange physical cash for cryptocurrencies such as Bitcoin or Ethereum. Their popularity has accelerated due to their user-friendly interfaces and widespread presence in public venues like convenience stores and supermarkets. Typically, a transaction begins with customer identification, ranging from providing basic details like a phone number to scanning a government-issued ID, depending on the kiosk operator’s compliance protocols. After verification, users enter or scan their personal crypto wallet address so the purchased funds can be transferred directly. Payment is settled either by depositing cash into the machine or using card payment options available at certain kiosks. These devices may connect in real time with online cryptocurrency exchanges or use pre-loaded inventories managed by operators.

While convenient access through high-traffic retail locations benefits legitimate consumers, including those who might otherwise avoid digital assets, the relative anonymity of CVC kiosk transactions and lower oversight compared to bank branches create significant opportunities for criminal misuse.

Why Is FinCEN Focusing on These Kiosks Now?

FinCEN has observed sharp increases in consumer complaints and financial losses associated with CVC kiosk-related scams. In 2024 alone, the FBI’s Internet Crime Complaint Center recorded over 10,956 complaints involving these machines, a year-over-year surge of nearly 99%, with aggregate victim losses approaching $246.7 million (an increase of about 31%). This pattern extends beyond consumer fraud. Criminal organizations such as Cartel Jalisco Nueva Generación have embraced virtual currencies for their rapid global transferability and anonymity unavailable through traditional banking channels.

These trends intersect with this administration’s priorities around anti-money laundering (“AML”) and countering terrorist financing (“CTF”): protecting vulnerable populations from fraud, disrupting cyber-enabled crime, and intercepting organized crime-driven money laundering activities.

Key Risks Identified by FinCEN

The Notice highlights several major risks linked to CVC kiosk usage. Organized crime groups increasingly exploit these terminals as alternatives to conventional cash-based schemes, particularly in U.S cities that have become hotspots for laundering proceeds via local kiosks instead of banks because transactions are faster and more difficult for authorities to monitor effectively. Vulnerable populations are especially at risk. FinCEN states that nearly two-thirds of scam-related losses involve individuals aged sixty or older. Many attacks begin with phone-based deception before victims are remotely guided through withdrawal processes at kiosks.

Prevalent scams exploiting CVC kiosks include tech support frauds where victims are told their computer is infected and instructed to pay via Bitcoin ATMs using QR codes supplied by scammers; government impostor schemes invent fake tax liabilities payable only through kiosk deposits; romance scams manipulate targets into sending cryptocurrency under false pretenses built on fabricated relationships; lottery hoaxes promise non-existent prizes contingent upon upfront payments made through crypto transfers at kiosks.

Regulatory Requirements

FinCEN reminds operators that they must register as Money Services Businesses (“MSBs”), comply fully with Bank Secrecy Act (“BSA”) obligations, including robust AML protocols. and maintain proper recordkeeping standards before operating any CVC kiosk business. Operators need strong Know Your Customer (“KYC”) procedures so customers can be properly identified, a critical measure against anonymous abuse facilitating illicit activity. In addition, ongoing monitoring for suspicious activity is required; this includes filing Suspicious Activity Reports (“SARs”) when detecting patterns such as structured deposits just below reporting thresholds or rapid withdrawals indicative of potential money laundering efforts.

Regular audits and compliance reviews are essential since lapses expose operators not only to civil penalties but potentially criminal liability under federal law. Common compliance failures include inadequate customer verification procedures; poor retention of documentation; marketing strategies promoting “no-ID required” features contrary to regulations; lack of state licensure; or use of fraudulent business identities or accounts, all vulnerabilities that regulatory authorities scrutinize closely.

Practical Guidance

To help detect suspicious activity involving CVC kiosks, the Notice outlines key red flags:

1. Customers structuring payments just below reporting thresholds using multiple accounts or kiosks.
2. Unusual high-value transactions from customers lacking transaction history, with rapid movement across wallets or currencies.
3. Multiple interconnected accounts, phone numbers, or wallet addresses used across geographically distant locations.
4. Transactions sent directly toward wallets flagged by blockchain analysis as tied either to scams, illicit conduct, or investment fraud institutions.
5. Elderly customers conducting large transactions after remote direction, often following significant cash withdrawals.
6. Operators running without appropriate federal or state registration.
7. Advertising minimal or no-ID requirements despite regulatory mandates regarding identification/documentation collection practices.

FinCEN reminds financial institutions to file SARs whenever they identify these indicators, even if supporting evidence is limited at the outset. All SAR filings must be securely retained for at least five years after submission, in accordance with BSA requirements and strict access controls to protect sensitive information. Section §314(b) of the USA PATRIOT Act also permits voluntary sharing of this information among authorized organizations engaged in efforts to disrupt terrorist financing and money laundering networks globally.

Looking Ahead

The issuance of this Notice signals intensifying regulatory scrutiny prompted not just by rising incidents but also industry control gaps among certain market participants operating outside robust standards expected within digital asset sectors today.

As digital asset transactions expand, it is important for banks, cryptocurrency platforms, fintech companies, and kiosk operators to proactively integrate FinCEN’s red flag indicators and enhance AML/CFT protocols. Doing so helps safeguard clients while meeting legal obligations and promoting trust within the sector. Consumers are also encouraged to be aware of potential risks associated with using CVC kiosks until industry-wide protections are strengthened.

If you would like to remain updated on these issues, please click here to subscribe to Money Laundering Watch.  Please click here to find out about Ballard Spahr’s Anti-Money Laundering Team.