Combatting Fragmentation and Stimulating Harmonisation Through EU Supervision of Crypto-Asset Services

Crypto-asset activities have expanded rapidly across the European Union (EU). This growth has increased the risk of money laundering and terrorist financing (ML/TF), especially in situations where regulatory oversight was fragmented or incomplete. The European Banking Authority (EBA) published a report in the fall of this year which explains how certain crypto-asset businesses created vulnerabilities and how the Markets in Crypto-Assets Regulation (MiCA) and AML frameworks (AMLR and AMLD6) aim to improve supervision. This article provides a brief insight in the key takeaways from this report.

Supervisors observed that some crypto businesses operated without approval, moved between EU countries to avoid oversight, or misused legal exemptions. Many had weak systems for checking customers, detecting suspicious transactions, or following sanctions. Some firms used complicated ownership structures or partner companies to stay active despite earlier supervisory issues. These behaviours limited authorities’ ability to manage risks and created openings for money laundering and terrorist financing.

MiCA and the new EU anti-money-laundering regulations introduce stronger safeguards to address these problems. All crypto-asses service providers (CASPs) must now apply for one EU authorisation based on harmonised rules, which removes differences between Member States and prevents firms from seeking out weaker jurisdictions. Providers must show clear ownership, sound internal governance, and reliable customer- and transaction-monitoring systems before they can operate. The AML Regulation and AMLD6 further strengthen cooperation between national supervisors, improve transparency on who controls a company, and require more consistent risk assessments. The future EU Anti-Money Laundering Authority (AMLA) will also oversee high-risk firms directly, creating an additional layer of control.

These changes help create a safer and more predictable environment for crypto activities in the EU. The main lesson from recent cases is that strong, coordinated supervision and consistent rules across all Member States are necessary to limit financial crime risks. Clear standards, early information-sharing, and firm enforcement give supervisors the tools to identify problems quickly and ensure that only responsible businesses can enter or remain in the European market. The EBA formulates nine points of focus that should be established to treat authorisation as a true gatekeeping process, to close loopholes and build strong cooperation mechanisms across the EU.

Although the role of the EBA will partially transfer to AMLA by the end of 2025, the EBA will continue contributing under its MiCA mandate to maintain supervisory convergence and early risk detection.

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

The landscape of compliance investigations: fraud investigations today

What do we mean by forensic fraud investigations?

When we talk about fraud investigations, we often refer to forensic investigations. In the private sector, forensic investigations focus on the independent and in-depth analysis of financial, administrative, and digital data. The aim is to identify potential fraud, misconduct, or irregularities within organizations. This type of investigation combines accounting and financial expertise with investigative skills. In this way, investigators can reconstruct facts, recognize patterns, and gain insight into causes and consequences. The outcomes are not only used to prove or rule out fraud, but also to support organizations in decision-making, internal control, and potential civil proceedings.

A new reality and growing risks for organizations

Fraud remains a real and growing risk for organizations in the private sector. Digitalization, hybrid working, and international corporate structures create opportunities for efficiency, but at the same time increase vulnerability to financial and other forms of fraud. Where fraud was once often limited to simple embezzlement or false expense claims, we now see more complex constructions. These increasingly involve a combination of digital traces, internal processes, and human factors (online).

Studies show that online fraud and scams have increased significantly since 2014, particularly in the areas of purchase fraud, misuse of online payment methods, and identity fraud. At the same time, trend reports indicate that more than three-quarters of companies in the Benelux have faced fraud attempts in the past two years. The financial impact of these incidents continues to grow.

Fraud remains one of the most persistent risks within organizations. Remarkably, the way fraud is detected has hardly changed over the years. Various international studies, including the annual ACFE Report to the Nations, show that approximately 40% of fraud cases are still uncovered through tips and whistleblower reports. Employees, customers, and suppliers therefore play a crucial role in identifying misconduct, often earlier than internal controls or audits.

Although the way fraud is detected has barely changed, the execution of forensic investigations has evolved significantly. The work has become almost entirely digital. eDiscovery (the legal review of digital data) and AI play a central role in this process. At the same time, requirements relating to privacy and evidentiary standards have become stricter than ever. Below, we first outline these trends. We then provide a detailed description of what a forensic investigation looks like in today’s practice, from engagement letter to reporting.

New trends in forensic investigations

Fraud can increasingly no longer be captured in simple accounting errors or isolated transactions. Due to digital traces, complex organizational structures, and rapidly growing volumes of data, forensic investigations in the private sector are also changing. Investigators must work faster, smarter, and with greater technological expertise to identify hidden patterns and subtle signals. These developments are driving significant changes in how organizations detect, investigate, and attempt to prevent fraud.

Three clear trends stand out:

  • Online and hybrid forms of fraud are increasing. Examples include phishing and fake payment requests, misuse of online trading platforms, concealing fraud through corporate structures, and improper declarations within healthcare and subsidy schemes. These forms of fraud increase complexity and require an integrated approach. Investigators therefore combine financial investigation with digital analysis and open-source intelligence (OSINT) to make relationships, money flows, and involved parties visible.
  • eDiscovery is developing into a key discipline for reducing and analyzing enormous volumes of electronic data. AI and language models help investigators quickly identify relevant documents, conversations, and patterns.
  • Forensic readiness is gaining a more prominent place on the agenda. Studies and practical cases show that organizations without proper logging, appropriate retention periods, clear access rights, and solid agreements with external IT service providers struggle to reconstruct a complete and reliable picture after an incident.

Against this background, it is relevant to examine step by step how a forensic fraud investigation unfolds in practice. At the same time, we provide insight into how we approach such investigations.

From engagement to investigation plan

An investigation usually starts with a signal. This may be an internal finding from controls, a report via a whistleblower channel, a remarkable transaction, or a request from an external party, such as a regulator or subsidy provider. The first (or second) contact with the forensic investigator takes place during an intake meeting. In this meeting, the facts, context, and legal framework are clarified. This includes what exactly has been identified, which period and systems may be affected, and whether there is a risk of criminal implications or regulatory enforcement.

Based on this intake, the parties prepare an engagement letter and an investigation plan. These documents define the objective, scope, roles, planning, and deliverables. They also address conditions related to data processing and privacy. This includes the categories of personal data likely to be processed, the applicable legal basis under the GDPR, any restrictions on access to mailboxes and private devices, and whether a DPIA is required. In practice, this aspect often proves to be a weak point. Organizations want investigations to be carried out, but do not always have a clear process in place to act quickly and lawfully when an incident occurs, especially when IT is partly outsourced.

Financial forensic investigation

Financial forensic investigation often forms the backbone of the factual analysis. Investigators analyze, among other things, general ledger entries, project administration, payment flows, procurement and sales files, expense claims, and contracts. The aim is to identify unusual patterns. In cases involving misuse of subsidy schemes or healthcare budgets, investigators may, for example, compare declared hours with services actually delivered. Illogical money flows through intermediary entities also receive attention.

Using data analytics, investigators identify anomalies such as unusual journal entries, round amounts just below authorization limits, fictitious or duplicate suppliers, abnormal margins, and circular transactions between related parties. Visualizations of money flows and network analyses of relationships between legal entities and natural persons help make complex constructions understandable. This is particularly relevant when companies are used as a front for money laundering or VAT carousel fraud.

It is essential that investigators properly document the analytical methods they use and ensure that these methods are reproducible. Only then can findings withstand scrutiny by auditors, regulators, or courts. When deploying new AI techniques, it is therefore crucial to understand the underlying models to meet reproducibility requirements.

Digital forensic investigation and eDiscovery

Digital traces play a role in almost every investigation. Examples include email traffic, chat messages, access logs, document versions, CRM or ERP data, cloud storage, and sometimes mobile phones. Digital forensic investigation focuses on securing, analyzing, and interpreting this data, with strict attention to chain of custody, data integrity, and privacy.

For large datasets, investigators use eDiscovery to search through vast amounts of user-generated data, particularly email traffic. This process reduces data volumes and brings the most relevant subset to the surface. eDiscovery is the process of systematically identifying, preserving, searching, and analyzing electronically stored information for use in investigations, disputes, or legal proceedings. Platforms such as Relativity and Reveal support deduplication, metadata filtering, keyword searches, concept and topic clustering, and increasingly AI-driven prioritization of documents and conversations.

In practice, a lack of proper forensic or litigation readiness often becomes apparent at this stage. When mailboxes are fully managed by an external IT service provider without clear agreements on incident access, when logging is disabled to save storage costs, or when retention periods are set too short, crucial evidence may simply be lost. At the same time, investigators must handle privacy with care. They collect only data that may be relevant, limit access to a small authorized team, apply encryption and logging, and remove or anonymize irrelevant personal data where possible.

Interviews and conversations

In addition to analyzing financial data and digital evidence, interviews remain an essential part of forensic investigations. Conversations with involved employees, managers, key process owners, and, where relevant, external parties help explain the story behind the data. In investigations into, for example, subsidy misuse or complex expense fraud, interviews may reveal that certain practices “had always been done this way,” that there was implicit pressure to meet targets, or that individuals relied on instructions from others without independently verifying them.

Beforehand, investigators determine the order in which individuals are interviewed, what information they receive about the reason and scope of the investigation, and how their rights and obligations are explained. Notes or recordings are carefully documented and stored, with clear agreements on confidentiality and use. Statements are continuously tested against the “hard” data from financial, digital, and open-source investigations. Inconsistencies between narratives and factual evidence often provide valuable leads, but they also require careful interpretation. Experience plays a major role here.

Open-source intelligence (OSINT)

Open-source intelligence is often a standard component of forensic investigations into fraud. Investigators consult trade registers, sanctions lists, case law, news archives, sector publications, and publicly available online information to identify relationships, corporate structures, and reputational indicators.

OSINT activities are always carefully documented. Investigators record which sources were consulted, which filters were used, and what limitations apply to the reliability of the information found. Tools can support this process, for example by recording visited websites and indexing collected information.

Privacy considerations also apply here. Not all personal information found online is relevant or may be processed indiscriminately in an investigation.

Analysis of all collected information

An investigation is an iterative process. Based on new information from earlier investigative steps, analysts reassess the data and determine whether it can be further enriched. It is common to take a step back during an investigation before moving forward again. For example, open-source research may reveal new individuals or entities that play a role as problematic suppliers. This can trigger further analysis of specific transactions in the financial records. These names may also serve as additional search terms in the eDiscovery process.

Reporting: bringing all lines together

At the end of the investigation, investigators present all relevant facts in a report. The report starts with a clear description of the engagement, scope, methodology, and any limitations. Investigators then present the factual findings per investigation stream in a structured way, covering financial investigation, digital investigation, interviews, and open-source research. This is followed by an analysis that connects the different lines of inquiry.

For example, financial data may show unusual money flows, while digital logs indicate that certain changes were made from specific accounts or locations. eDiscovery may reveal relevant communications between involved parties, and OSINT may confirm that certain entities or individuals have previously been linked to similar schemes. Together, this forms a coherent picture supported by data and clear source references.

A modern investigation report always includes an explicit explanation of how personal data and confidential information were handled. Investigators describe which data was collected, on what legal basis, and which limitations applied. They also explain how security measures were implemented and which forms of data minimization were applied. This is not only important for regulators and courts, but also for maintaining trust among employees and other stakeholders.

Not always forensic ready

A key theme from our recent practical experience is that many organizations are willing to cooperate substantively with investigations, but are not always technically, contractually, or practically prepared for a forensic approach.

This can lead not only to unnecessary delays and higher costs, but sometimes also to irreparable gaps in the reconstruction of events. Against this background, one lesson is already clear—even before discussing improvement programs: a solid forensic investigation starts long before the first signal, with how data, IT, contracts, and privacy are organized today.

Invitation to consult

We can imagine that after reading this article, you may have questions or wish to exchange thoughts on certain topics. You may also be dealing with a concrete case that you would like to discuss. We invite you to contact us without obligation to get acquainted with us and/or discuss your case. Our contact details can be found on our website.

Looking ahead: from fraud to broader integrity investigations

In the next article in this series, the focus shifts from strictly forensic fraud investigations to broader integrity investigations. The attention will not only be on financial damage or clear fraud indicators, but on a wider spectrum of integrity issues. These include conflicts of interest, abuse of position, secondary activities, and inappropriate behavior.

In this third part, we show what fact-finding investigations into integrity reports look like. We also discuss the central research questions and explain how organizations can find the right balance between due care, confidentiality, and transparency.

Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 

Read more articles here.

Blockrise is MiCAR approved

We want to congratulate Blockrise for obtaining the MiCAR license!

This is truly a big milestone and an achievement to be proud of!
Congratulations with this achievement Jos Lazet and Jasper Hu.

We’re very happy that we were able to offer our support over the last year and to have played a part in your journey to this incredible milestone.

Here’s to continued innovation and leadership in the industry!

The transparency test: how Crypto-asset service providers can survive MiCAR, DORA and DAC8 (CARF)

Read more

The landscape of compliance investigations: an introduction 

Compliance investigations are becoming increasingly important for organizations as the scope of compliance work expands due to new laws and regulations. Reliability, integrity, and adherence to those laws and regulations are essential to maintaining the trust of customers, regulators, and employees. 

At Compliance Champs, we offer various types of compliance investigations. These investigations share many similarities but also have clear distinctions. 

In this blog series, we will walk through the different types of compliance investigations step by step: from exploratory to forensic, from data-driven to people-focused, what they deliver, and most importantly, when to use them. 

This first article provides an overview of the different types of compliance investigations conducted today, their objectives, and how they contribute to a healthy and future-proof organization. 

What are compliance investigations? 

Compliance investigations are structured processes designed to determine whether and how rules, laws, internal procedures, and codes of conduct are being followed within an organization. They provide insight into potential violations, risks, and areas for improvement. The focus is not only on hard facts (such as fraud or misreporting) but also on soft factors such as culture, behavior, and leadership. 

Types of compliance investigations 

There are various types of investigations, each with its own focus and purpose: 

  • Fraud investigations: Focused on detecting and establishing fraud or financial misconduct. These often begin with reports or irregularities and typically require a combination of data analysis, interviews, and forensic techniques. 
  • Integrity investigations: Focused on identifying possible conflicts of interest, corruption, abuse of position, or other breaches of integrity. This type of investigation often also looks at behavioral patterns within the organization. 
  • Labor law compliance investigations: These investigations focus on workplace-related issues such as non-competition clauses, theft of company information, or sexual harassment, with strong emphasis on privacy and legal frameworks. 
  • Due diligence and reputation research: Prior to mergers, acquisitions, or investments, in-depth research is conducted to identify integrity risks, sanctions risks, and reputation issues. 
  • AML and KYC investigations: Primarily relevant for organizations in the financial sector, these focus on preventing money laundering and understanding customers, using thorough client reviews and ongoing monitoring. They can also be valuable for companies not subject to AML regulations. 
  • Compliance audits: These audits assess compliance with anti-money laundering (AML) and customer identification (KYC) requirements. They evaluate whether processes effectively manage risks related to customer acceptance, risk classification, transaction monitoring, and reporting procedures. Policies, procedures, and practices are reviewed to identify gaps and strengthen compliance and risk management. 
  • Whistleblower investigations: Initiated in response to reports, these independent fact-finding investigations are conducted with strong safeguards for anonymity and careful follow-up. 
  • Culture and behavior measurements: Investigations that measure the effectiveness of soft controls, such as reporting culture, ethical behavior, and leadership. These are often carried out through surveys and analytical tools. 

Coherence and integrated approach

Organizations sometimes choose to combine different types of investigations in integrated compliance and governance programs. This provides broad insight into risks and offers opportunities to strengthen compliance structurally—both in terms of processes and organizational culture.

What else can you expect? 

In this blog series, we will take a closer look at each of these types of compliance investigations. We will discuss methodologies, best practices, current developments, and lessons learned from real-world practice. In doing so, we aim to help you navigate this complex and dynamic field with greater confidence. 

 

Would you like to learn more about how to effectively prepare your office for these upcoming changes? Compliance Champs has extensive knowledge, experience, and expertise to provide advice and support during implementation. Contact us for a free introductory consultation.



Get in touch

Dennis van der Meer | +31618948848 | dennis.van.der.meer@compliancechamps.com

Boy Custers | +31649935735 | boy.custers@compliancechamps.com

 

Read more articles here.

Compliance Champs is FD Gazelle 2025!

We are proud to announce that Compliance Champs has been named one of the fastest-growing companies in the Netherlands, in the West region and Small Business category.

This recognition from Het Financieele Dagblad is a reflection of our continued growth and the impact we achieve together. It has been made possible by the dedication and expertise of our team, the trust placed in us by our clients and partners, and our ongoing commitment to advancing organizations with integrity in compliance risk management.

We look forward to celebrating this success together on November 25 at the official FD Gazellen Awards 2025 ceremony.

Implementation Act on the Prevention of Money Laundering and Terrorist Financing – Impact Analysis for Trust Offices

1. Introduction

The Implementation Act on the Prevention of Money Laundering and Terrorist Financing (Iwt) has significant consequences for trust offices in the Netherlands. In this article we will discuss the background and status of the Iwt and provide an overview of some of the key changes relevant to trust offices.

2. Background and Status of the Implementation Act

The Sixth Anti-Money Laundering Directive (hereinafter “AMLD6”) is part of a comprehensive legislative package approved by the European Council on 30 May 2024. It entered into force on 10 July 2024. The package also includes the Regulation establishing the Anti-Money Laundering Authority (AMLA) and the Anti-Money Laundering Regulation (AMLR).

AMLD6 aims to modernize and harmonize anti-money laundering laws within the European Union. It focuses on closing loopholes in the framework and strengthening cooperation between member states.

As a European regulation, the AMLR has direct effect and will apply from 10 July 2027. It replaces large parts of the current Dutch Money Laundering and Terrorist Financing (Prevention) Act (Wwft). This ensures uniform application of anti-money laundering rules across the EU.

The Implementation Act on the Prevention of Money Laundering and Terrorist Financing (Iwt) is a new Dutch law. Together with the AMLR, it will replace the Wwft on 10 July 2027. In doing so, it implements AMLD6.

The draft Iwt was open for public consultation from 4 July to 29 August 2025.During that period, 45 public responses were received from various organizations. The law will be further developed in an Implementation Decree, which will also be open for consultation. Both the Act and the EU regulations will take effect on 10 July 2027..

3. Harmonization and Supervision

European harmonization will lead to greater consistency in regulation across the EU. For trust offices operating across borders, this means clearer and more predictable

rules. At the same time, supervision will be intensified, with a larger role for the new European authority AMLA and enhanced cooperation between national regulators.

4. Impact of the Implementation Act on Trust Offices

The Iwt has a substantial impact on trust offices. Below are several important changes, along with explanations of their implications.

Abolition of National Rules

A large part of Chapter 4 of the Trust Offices Supervision Act 2018 (Wtt 2018) will be repealed. This is because obligations will now flow directly from the EU Anti-Money Laundering Regulation. Unlike previous directives that allowed minimum harmonization, the AMLR establishes maximum harmonization, meaning the Netherlands can no longer impose stricter national rules. Chapter 4 of the Wtt, which governs client due diligence, is one of the most critical parts of the current legislation.

Enhanced Due Diligence measures

Despite the repeal of national provisions, the trust sector will remain subject to enhanced client due diligence requirements. The Netherlands is using a member state option under Article 34 of the AMLR that will require providers of trust and corporate services to always apply enhanced due diligence. This is due to the high inherent money laundering risks associated with the sector, as evidenced by National Risk Assessments and other studies.

Registration requirement for providers of domiciliation services

A new development is the registration requirement for domicile provider; 1entities that only offer a postal address, registered office, or administrative address. While such services were not previously regarded as independent trust services under the Wtt 2018, they now fall within the AMLR’s scope. The registration requirement, under the Minister of Finance, aims to better map risks and prevent the circumvention of trust services.

Companies have been circumventing the Wtt 2018, by artificially dividing their activities to avoid the licensing requirement of De Nederlandsche Bank (DNB).

Ultimate Beneficial Owners (UBOs)

The AMLR introduces an important change in how ultimate beneficial owners (UBOs) are identified. The key change is that control must now be assessed independently and in parallel with ownership interest.

The ownership threshold is being lowered from “more than 25%” to “25% or more” of shares or voting rights, thereby bringing additional stakeholders under the definition.

If no UBO can be identified after exhausting all options, the regulation specifies that there is no UBO. Instead of registering a “pseudo-UBO,” the details of senior managing officials must be recorded. The definition of senior management is also broader than under current legislation.

Retention of Specific National Requirements

Although large parts of the Wtt will be repealed as explained earlier in this article, several key elements from the Wtt 2018 will remain in place, including:

– Licensing requirements.

– Fit and proper assessment (integrity and reliability of managers).

– Requirements for sound and controlled business operations.

– The prohibition on tax advice and acting as a conduit company.

These aspects fall outside the AMLR’s scope and may therefore continue nationally. Trust offices must also maintain particular vigilance regarding fiscal integrity risks.

Thus, while the Implementation Act simplifies the framework through harmonization and the elimination of duplicate regulation, trust offices remain subject to strict requirements due to the sector’s inherently high integrity risks.

Preparing for Upcoming Changes

The forthcoming changes will affect the operations of trust offices, making early preparation essential. Offices should assess what measures are needed to comply with the revised legal framework, including identifying which policies and procedures require updates. An effective response involves the following steps:

1. Conduct an impact analysis

2. Develop an implementation plan

3. Adjust policies and procedures

4. Provide training and communication

5. Implement technological support where necessary

6. Evaluate and perform periodic reviews

By systematically executing these steps, trust offices can ensure continued compliance even after the Iwt takes effect.

 

Would you like to learn more about how to effectively prepare your office for these upcoming changes? Compliance Champs has extensive knowledge, experience, and expertise to provide advice and support during implementation. Contact us for a free introductory consultation.

 

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Bridging the Divide Between Decentralisation and Data Protection

Blockchain technology offers transparency and security through immutability. Once data is recorded on the blockchain, no one can alter or delete it. This feature builds trust in the system, yet it also creates major legal challenges. The General Data Protection Regulation (GDPR) is one example of legislation that clashes with this technology.

The immutability of blockchain technology directly conflicts with Article 17 of the GDPR, which gives individuals the right to be forgotten. Even technical measures like encryption or hashing cannot combat this problem, since data can still be considered personal if re-identifiable.

Because blockchains are decentralised and global, determining who is responsible for compliance is complex. Which actor in the system is to be qualified as a data controller and/or data processor? This raises questions about liability and enforcement, as no single entity holds authority over the system. Aside from this, national legislation on data retention and auditability further complicate dispute resolution. The result is a regulatory grey zone where legal accountability becomes fragmented.

Is it then impossible to reconcile blockchain technology with the GDPR? Efforts have led to partial technical solutions, such as off-chain storage, data minimization, and cryptographic deletion. Yet, these approaches rarely achieve full compliance as they challenge the fundamental assumption that data can always be modified or erased. The issue is therefore not only technical but conceptual: blockchain’s decentralised logic clashes with the GDPR’s human-centred model that presupposes a controllable data ecosystem. Without modifying these legal principles, compliance remains legally aspirational.

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Stablecoins: A Compliance-Centric Foundation for 24/7 Financial Infrastructure

Stablecoins have moved beyond the experimental phase. They are now being used across the financial system for transparent and efficient settlement. Banks and financial institutions are integrating stablecoins into operations ranging from liquidity management to cross-border payments. 

Data from Visa’s Onchain Analytics Dashboard confirms the scale of this shift. Over 45 trillion dollars in stablecoin transaction volume has been recorded across public blockchains. There are more than 300 million unique active addresses, and the average stablecoin supply exceeds 200 billion dollars. These figures demonstrate that stablecoins are already playing a central role in global payment flows and blockchain-based financial services. 

One of the most significant infrastructure developments is the decision by SWIFT to incorporate a blockchain-based shared ledger into its global system. SWIFT is the financial messaging backbone for over 11,000 banks in more than 200 countries. While it does not move money directly, it is essential for transmitting secure financial data. With the addition of a blockchain ledger, SWIFT will now enable regulated stablecoins, tokenized assets and central bank digital currencies to be settled across interoperable networks in real time. 

Regulatory clarity is advancing in parallel. In the European Union, the Markets in Crypto-Assets Regulation (MiCAR) is now in effect. It requires issuers of Electronic Money Tokens (EMTs) and Asset Referenced Tokens (ARTs) (two different types of stablecoins) to hold fully backed reserves, meet disclosure requirements and register with financial authorities. In the United States, the GENIUS Act provides a federal framework for institutions to issue their own stablecoins under defined legal and risk standards. Other regions including Singapore and Hong Kong are building similar regimes. 

At Compliance Champs we work with financial institutions and crypto-asset service providers to translate these developments into actionable strategies. Whether preparing for licensing, building internal risk frameworks or meeting supervisory expectations, our focus is on helping our clients align innovation with regulation. 

Stablecoins are not just about technical innovation. They are about operational reliability and legal certainty. The institutions that succeed in this next phase of digital finance will be those that embed compliance from the beginning. If your organisation is preparing to issue, adopt or expand its use of stablecoins, we are ready to support you. 

 

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

Crypto ATMs: A Bridge Between Two Worlds or a Getaway Car for Criminals?

In our recent article in the professional journal Compliance, Ethics & Sustainability (“From inadequate oversight to effective regulation?”), we emphasized how the crypto industry is gradually maturing under the influence of European regulation. At the same time, risks related to money laundering, fraud, and sanctions evasion persist.

A concrete example of these risks are crypto ATMs. In the journal, we already highlighted the risk of sanctions evasion via crypto ATMs. To summarize: Poland currently hosts more than 280 machines, many strategically located near the borders with Belarus and Russia. Here, cash can be easily converted into crypto, carried across the border via a mobile wallet or paper voucher, and liquidated elsewhere. This process can occur entirely outside traditional financial channels and sanctions oversight.

In this article, we take a closer look at how these machines operate, the risks they pose, and the role regulation and enforcement play in mitigating abuse.

From Cash to Crypto – Beyond the Banks

Crypto ATMs provide users with a direct and familiar gateway to convert cash into crypto-assets and vice versa, without requiring an account at a (crypto) exchange. The process is straightforward: users select buy or sell, enter an amount, and verify their identity which, depending on the local regulation, is through an ID, phone number, or another simplified form of KYC. The machine then dispenses crypto or cash.

For individuals in regions with limited banking infrastructure or for less digitally skilled users, these terminals may seem like an ideal solution. Yet it is precisely the combination of accessibility and anonymity that makes crypto ATMs attractive for criminal misuse.[1]

A Magnet for Fraud and Money Laundering

Supervisors worldwide are increasingly reporting abuse of crypto ATMs for money laundering and fraud. The classic laundering process (placement, layering, and integration) can easily be executed through ATMs: cash is inserted, split across multiple terminals, converted into crypto, and later exchanged back into cash.[2]

In 2025, the U.S. Financial Crimes Enforcement Network (FinCEN) reported that victims lost over $247 million through crypto ATMs, with a notable concentration among people over 60.[3] Victims are often pressured over the phone by fraudsters impersonating bank employees or government officials, instructing them to deposit large sums via ATMs.

Some machines accept up to €15,000 (or $25,000) per day without strict identity verification.[4] Transaction fees are significantly higher than those of regulated exchanges (>5% vs. <1%). Certain terminals even print paper vouchers functioning as anonymous bearer instruments.

International Regulatory Differences

Regulation of crypto ATMs varies widely across jurisdictions. New Zealand, for example, banned the machines entirely,[5] while Australia applies a risk-based model with transaction limits and stricter KYC.[6] In the United States, warnings are paired with prosecutions of unregistered operators.[7]

Within the EU, greater clarity is provided through the Markets in Crypto-Assets Regulation (MiCAR). Crypto ATMs are classified as “Crypto-Asset Service Providers” (CASPs). They are not prohibited, but operators must meet licensing requirements, comply with KYC/AML obligations, conduct transaction monitoring, and apply risk-based customer due diligence.[8] Despite the expiration of MiCAR’s transitional regime in the Netherlands, we observed that several crypto ATMs remained active beyond the deadline.

Regulation alone is not enough. Effective enforcement is essential—as underlined by recent Dutch case law.[9]

Dutch Case Law: Crypto ATMs as Money-Laundering Vehicles

In a recent ruling, the Arnhem-Leeuwarden Court of Appeal (ECLI:NL:GHARL:2025:237) convicted an operator of crypto ATMs who repeatedly and deliberately violated the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wwft).[10]

Evidence showed that the ATMs were repeatedly used for transactions linked to criminal proceeds, including drug trafficking. Investigations revealed that the operator had deliberately designed the process to minimize traceability: no identity checks were performed for transactions below €10,000, deposits were often spread across multiple ATMs to avoid detection, and even for higher amounts, KYC checks were superficial and the ultimate beneficial owners of wallets were not verified.

The court ruled that this amounted to knowingly facilitating money laundering. The operator was sentenced to multiple years in prison, and the equipment was confiscated. This case demonstrates that Dutch courts treat crypto ATM violations as serious criminal offenses and highlights the critical role of national enforcement alongside EU regulation.

The Athena Bitcoin Inc. Case – A Wake-Up Call

In February 2025, the Attorney General of the District of Columbia filed a lawsuit against Athena Bitcoin Inc., one of the largest U.S. crypto ATM operators. Investigations revealed that during the first five months of operations in Washington D.C., as much as 93% of all transactions were fraudulent, with average losses of $8,000 per transaction and victims having a median age of 71. Victims were pressured to repeatedly send funds to the same, well-known scam wallets.[11]

Athena is accused of deliberately profiting from these practices by charging hidden fees of up to 26%, without clearly disclosing them to customers. The company systematically refused to compensate victims, even when transactions were visibly routed to previously abused wallets. In some cases, Athena demanded liability waivers from victims who attempted to recover part of their losses.

This case illustrates that poorly regulated crypto ATMs not only endanger the integrity of the financial system but also pose a structural threat to financially vulnerable groups, especially the elderly.

From Signal to Structural Action

The introduction of MiCAR provides a necessary framework, but regulation without consistent enforcement remains toothless. Crypto ATMs operate at the intersection of financial inclusion and financial crime. A collective and decisive response is essential. As long as operators profit from opaque fee structures and criminals exploit the gaps, crypto ATMs will remain more of a getaway car for criminals than a bridge for financial inclusion.

What must happen?

  • Operators must provide full transparency on fees and limits, implement structural transaction monitoring, and actively block suspicious wallets.
  • Supervisors must move beyond registration requirements and invest in effective monitoring and enforcement.
  • Financial institutions must stay alert to unusual cash flows that may disappear through crypto ATMs and act on them with a risk-based approach.
  • Consumers must be better protected through education, warnings, and accessible reporting channels.
  • CASPs are legally obliged to monitor transactions. Illicit flows—originating from crypto ATMs as well as darknet markets—are often detected through tools such as Cense, Chainalysis, TRM Labs, and Elliptic. CASPs are expected not only to conduct active monitoring but also to report suspicious activity.

Together with our partner Cense, we will soon publish a follow-up article exploring in more depth how blockchain analytics tools can strengthen organizations’ detection and control capabilities.

Conclusion

At Compliance Champs, we follow these developments with a critical lens. We support organizations in aligning their processes and controls with MiCAR, the Wwft, and international standards. Through knowledge sharing, training, and tailored advice, we help professionals identify risks in time, implement mitigating measures, and embed sustainable compliance. Only through joint efforts by operators, supervisors, financial institutions, and technology partners can the balance between innovation and integrity truly be restored.

 

Do you seek support and assistance in enhancing your Crypto Compliance Framework?

Please reach out to us on: info@compliancechamps.com

Read more articles here.

[1] The Record. (2025). Crypto ATMs fueling cybercrime.

[2] Sanction Scanner. (2025). How to ensure AML compliance on Bitcoin ATMs in the US. https://www.sanctionscanner.com/blog/how-to-ensure-aml-compliance-on-bitcoin-atms-in-the-us-448.

[3] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf

[4] Europol. (2022). Cryptocurrencies – Tracing the evolution of criminal finances. Europol.

[5] Rahman Ravelli. (2024). New Zealand to ban crypto ATMs. https://www.rahmanravelli.co.uk.

[6] CryptoNews. (2025). Tasmania joins nationwide crackdown on crypto ATMs as scam losses hit $1.6 million. https://cryptonews.com

[7] FinCEN. (2025). FinCEN Notice on crypto kiosk scams. https://www.fincen.gov/sites/default/files/shared/FinCEN-Notice-CVCKIOSK.pdf.

[8] European Parliament and Council. (2023). Markets in Crypto-Assets Regulation (MiCAR).

[9] Bitomat. (2024). MiCA impact on Bitcoin ATMs. https://www.bitomat.com.

[10] Gerechtshof Arnhem-Leeuwarden. (2025). ECLI:NL:GHARL:2025:237.

[11] Office of the Attorney General for the District of Columbia. (2025, February). Attorney General Schwalb Sues Athena Bitcoin for Failing to Protect Consumers from Scams . https://lnkd.in/eb8qGmqP.