A few weeks ago, I spoke on a panel at a conference about the financial crimes risk that crypto creates for traditional banks (so-called ‘off-chain’ risks).
Having previously led a programme designed to spot, assess and report crypto-linked payments exposure for a global bank, I was excited to share my thoughts and hear from the other panellists. After all, doing that work for the bank changed how I think about what ‘good’ control looks like for the majority of firms that don’t offer crypto products.
Given the level of interest I saw in the panel discussion, my aim here is straightforward. I want to set out what needs to change for fiat-only institutions now, what should be measured, and how to demonstrate proportionate, defensible controls.
Before I go on, it’s worth pointing out that this topic isn’t only relevant to crypto enthusiasts anymore. Exposure to crypto-linked activity is pervasive in today’s financial services industry. If you send or receive payments, you’re likely to have more exposure than you think – and you need to be thinking about how to mitigate the risks associated with that exposure.
If you operate in the UK, you work under the UK Money Laundering Regulations which require you to assess financial crime risk and apply proportionate controls to customers and payments.
Even if your firm does not offer crypto products, you will be managing payments that go to, or come from, a crypto exchange, broker, wallet provider or custodian (referred to collectively by the regulator as ‘Virtual Asset’ or ‘Crypto-Asset’ service providers, or VASPs and CASPs for short). When any payment like this is made, the regulator expects you to recognise the counterparty and manage the risk in the same disciplined way you would for any customer or client.
The FCA’s registration regime for crypto firms matters because it gives you a reference point for counterparties. Registration does not guarantee good behaviour, but it tells you which firms have met a baseline in AML and sanctions. What matters is who ultimately receives and controls the funds, not simply how the payment is routed. If you cannot tell that a payment is headed to a registered UK exchange versus an unregulated offshore platform, it is hard to defend why your controls were light in one case and heavy in another.
OFSI and the NCA come into the picture because sanctions evasion, ransomware cash-outs and large-scale fraud often use crypto as part of the path. Your organisation may never interact with a blockchain, but your customers’ fiat payments can still be the ‘on-ramp’ or ‘off-ramp’ for that activity. Regulators will ask whether you have a documented risk-based approach for crypto-related activity, whether you intervene, and whether you can evidence why.
Cross-border rules complicate the operational picture. The EU’s MiCA framework, Singapore’s MAS approach and regimes in the Middle East differ in scope and timing. Ideally, a global bank will have one internal standard that holds up across London, Dubai and Singapore, then adjusts for local nuance.
In my experience the first problem to solve is recognition. If your systems do not flag when a beneficiary is a crypto firm, you cannot tailor any response. Payment enrichment can fix more than most people expect. Simple steps help, such as maintaining reference lists of known exchanges and custodians, capturing merchant names and URLs in a consistent way, and storing descriptors and account metadata that let investigators join the dots quickly.
Once you can see the counterparties, let behaviour lead you. Crypto fraud often reveals itself in the fiat rails – in test payments, bursts of new payees and mule patterns. You already collect this data. Treat it as an early warning and step in before the damage is done.
Friction should then be proportional. Payments to a UK-registered exchange with a clean profile warrant only light-touch checks. Flows to an offshore platform with weak signals need a different experience, for example a clear warning, a confirmation step or a targeted review.
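As an added illustration (not code from the original post or from any vendor), the Python below sketches the three steps just described: recognising a V/CASP counterparty by matching beneficiary names and payment descriptors against a reference list, deriving behavioural signals from the sender's own fiat payment history (test payments, new payees, payee bursts), and mapping the outcome to a proportional friction tier. The reference list, the thresholds (a one-day window, a £10 test-payment ceiling, three new payees for a burst), the tier names and the sample payments are all constructed assumptions; a real implementation would source the list from the FCA register and internal enrichment and tune thresholds against its own data.

```python
"""Fiat-rail crypto exposure screen: constructed example, not production code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed reference list: lowercase regex on "payee + descriptor" -> metadata.
# Registration flag stands in for an FCA register lookup (assumption).
VASP_REFERENCE = [
    (r"\bexample exchange\b", {"name": "Example Exchange Ltd", "uk_registered": True}),
    (r"\boffshoreswap\b", {"name": "OffshoreSwap (constructed)", "uk_registered": False}),
]


@dataclass(frozen=True)
class Payment:
    sender: str      # paying account id
    payee: str       # beneficiary account name
    descriptor: str  # payment reference / merchant descriptor
    amount: float    # GBP
    ts: datetime


def recognise_vasp(p: Payment):
    """Step 1: enrichment. Join payee name and descriptor, match the reference list."""
    text = f"{p.payee} {p.descriptor}".lower()
    for pattern, meta in VASP_REFERENCE:
        if re.search(pattern, text):
            return meta
    return None


def behaviour_signals(p, history, window=timedelta(days=1), test_max=10.0, burst_min=3):
    """Step 2: signals from the sender's earlier fiat payments only (no chain data)."""
    earlier = [h for h in history if h.sender == p.sender and h.ts < p.ts]
    recent = [h for h in earlier if p.ts - h.ts <= window]
    known_before_window = {h.payee for h in earlier if p.ts - h.ts > window}
    signals = set()
    if p.payee not in {h.payee for h in earlier}:
        signals.add("new_payee")
    # Test payment: a small probe to this payee inside the window, now a much larger amount.
    if any(h.payee == p.payee and h.amount <= test_max for h in recent) and p.amount >= 10 * test_max:
        signals.add("test_then_large")
    # Burst: several payees first seen inside the window (counting this payment).
    new_in_window = ({h.payee for h in recent} | {p.payee}) - known_before_window
    if len(new_in_window) >= burst_min:
        signals.add("payee_burst")
    return signals


def friction_tier(vasp, signals):
    """Step 3: proportional friction. Tier names are assumptions."""
    if vasp is None:
        return "standard"          # not crypto-linked; ordinary fraud controls apply
    if vasp["uk_registered"]:
        return "light_touch" if not signals else "warn_and_confirm"
    return "warn_and_confirm" if not signals else "hold_for_review"


def screen(p, history):
    vasp = recognise_vasp(p)
    signals = behaviour_signals(p, history) if vasp else set()
    return {
        "vasp": vasp["name"] if vasp else None,
        "uk_registered": vasp["uk_registered"] if vasp else None,
        "signals": sorted(signals),
        "tier": friction_tier(vasp, signals),
    }


# Constructed sample data.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE_HISTORY = [
    Payment("acct-001", "Example Exchange", "EXAMPLE EXCHANGE TOPUP", 5.00, T0),
    Payment("acct-002", "Payee A", "OFFSHORESWAP REF 1", 300.0, T0 + timedelta(minutes=5)),
    Payment("acct-002", "Payee B", "OFFSHORESWAP REF 2", 300.0, T0 + timedelta(minutes=10)),
    Payment("acct-003", "Local Grocer", "GROCERIES", 42.10, T0),
    Payment("acct-004", "Example Exchange", "EXAMPLE EXCHANGE TOPUP", 100.0, T0 - timedelta(days=30)),
]
SAMPLE_PAYMENTS = {
    "registered_test_pattern": Payment("acct-001", "Example Exchange", "EXAMPLE EXCHANGE TOPUP", 2000.0, T0 + timedelta(minutes=30)),
    "unregistered_burst": Payment("acct-002", "Payee C", "OFFSHORESWAP REF 3", 300.0, T0 + timedelta(minutes=15)),
    "not_crypto": Payment("acct-003", "Local Grocer", "GROCERIES", 38.0, T0 + timedelta(hours=1)),
    "registered_clean": Payment("acct-004", "Example Exchange", "EXAMPLE EXCHANGE TOPUP", 100.0, T0),
}


def screen_samples():
    """Run the screen over every sample payment; returns {label: result}."""
    return {label: screen(p, SAMPLE_HISTORY) for label, p in SAMPLE_PAYMENTS.items()}


if __name__ == "__main__":
    for label, result in screen_samples().items():
        print(f"{label:26} {result}")
```

The point of the split is auditability: the enrichment step records which counterparty was recognised and why, the signals step records which fiat-side patterns fired, and the tier is a deterministic function of both, so an investigator or a supervisor can later see exactly why one payment got a light touch and another was held.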
Use blockchain analytics (tools linking ‘on-chain’ activity to known services or red flags, such as stolen funds or sanctioned entities) when the risk justifies it, for example if a case points to organised fraud, or when you are onboarding a crypto firm and need a view of its flows. You do not need these tools for every retail payment, but you do need timely access to them for higher-risk scenarios.
Onboarding an exchange, custodian or broker is a choice. If you make that choice, set a clear tiering framework and stick to it.
The baseline is simple, but it must work in practice, not just on paper. Verify licensing or registration and keep it fresh. Test governance and the fitness of senior people. Read the AML, CTF and sanctions frameworks, then ask to see them operating in practice, for example training records, quality assurance outputs and rejected customers. Understand who the customers are, where they are based, what products they use and how volumes behave under stress. Ask for a plain description of custody and wallet operations. Find out who controls the private keys, since those credentials allow movement of funds.
Where the model carries higher inherent risk, go deeper. Use analytics to measure illicit exposure and set thresholds that lead to action rather than debate. Ask for independent assurance, whether that is a SOC report, an ISO certification or a focused AML review, and read the scope rather than the cover page. Where the firm serves higher-risk clients, examine how it tests source of wealth and source of funds. If it permits privacy tools, cross-chain movement or interaction with mixers, insist on evidence that the countermeasures work.
A small number of relationships warrant the top tier. Real-time wallet screening with shared alerting builds trust. API-level transparency can show how controls operate without exposing customer identities. On-site operational reviews reveal how policy becomes practice.
Not every firm needs this level. What matters is a defensible segmentation and people on your side who can interpret what they see. Without that capability, blanket limits become the default, and these are blunt and often unnecessary.
Over the coming year, expect the spotlight to stay on the ‘on-’ and ‘off-ramps’ between bank accounts and crypto markets, with a push for tighter cross-border alignment. In the meantime, banks that rely on jurisdiction-by-jurisdiction exceptions will struggle; you need a single, coherent standard that works across MiCA, MAS, ADGM and Hong Kong, then flexes at the edges.
I expect UK rules on promotions and market integrity will widen, while sanctions and counter-fraud expectations harden. After any major incident (the Bybit hack is a recent example) supervisors will ask a simple question: what was your exposure?
Investment should favour intelligence over infrastructure. Enrich data so you reliably recognise V/CASPs, typologies and mule patterns. Tie fraud, AML and sanctions together with shared playbooks so cases move cleanly. Improve investigator capability – this is the biggest gap I see – and keep risk assessments live so they evolve as typologies change. The goal is visibility and agility, not to become a crypto firm.
To translate that into action:
- Document your exposure, be clear on the data lineage and be explicit about what sits in and out of scope, then embed it in the BWRA as an inherent risk.
- Rework KYC to ask sensible source-of-wealth and transactional questions for customers who interact with digital assets.
- Tune monitoring to capture blockchain-related red flags.
- Give operations clear playbooks for handling crypto-linked payments and customers, and train investigations, fraud, sanctions and customer-facing teams together so hand-offs work.
- Keep evidence that shows you understood the exposure and mitigated it proportionately, even if you don’t offer crypto products.
- Set yourself acceptable guard-rails for the type of exposure you are willing to tolerate – whether that is an overall cap on crypto-related activity per account or blacklisting certain V/CASPs.
If you’re looking for help implementing any of this in your own risk management frameworks, we can map your exposure, design tiered friction that works in the real world, build proportionate due diligence for V/CASPs, and lift investigator capability. Get in touch for more information.
