What are the risks of crypto-assets?

Crypto-assets, also known as virtual assets, carry an elevated money laundering, terrorist financing and proliferation financing risk because they can move value across borders in minutes. They do this outside of the traditional banking system. And they do it with at least a degree of anonymity. In many cases, crypto-assets can be used to obscure the involved parties completely.
FATF (the Financial Action Task Force) brought crypto-assets into the global AML framework in 2019 and continues to identify them as a growing route for criminal funds.
You don’t need to work in the crypto sector for this to affect you. If your clients hold, trade or accept crypto-assets, the risk reaches your firm through source of funds, source of wealth and the transactions you facilitate.
Why do criminals use crypto-assets?
There are three features of crypto-assets that make them ideal for money laundering, terrorist financing and proliferation financing:
- Speed. A crypto transaction can be completed in minutes, sometimes seconds. In many cases, there’s simply not enough time for a suspicious international transfer to be delayed, questioned or frozen. By the time anyone raises a concern, the funds could have moved on several times.
- Reach. Crypto-assets move directly from wallet to wallet, often between jurisdictions, with no traditional banking system in the middle asking pertinent questions. FATF has been clear that, because virtual assets are borderless, weak regulation in one jurisdiction creates risk for everyone else.
- Anonymity. Some exchange platforms let users trade without any identity checks at all. Mixing and tumbling services pool funds from many users and redistribute them, deliberately breaking the trail between sender and recipient. In fact, some cryptocurrencies are designed specifically to hide transaction details.
Where does the money come from?
FATF’s red flag indicators report, built on more than 100 case studies from across its global network, shows that criminals have used virtual assets to launder proceeds from:
- the drugs trade;
- arms smuggling;
- fraud;
- tax evasion;
- cyber attacks;
- sanctions evasion;
- child exploitation;
- human trafficking.
FATF’s 2025 targeted update on Recommendation 15 shows how the use of stablecoins by illicit actors, including North Korean state actors, terrorist financiers and drug traffickers, has continued to increase.
One industry participant estimated around 51 billion dollars in illicit on-chain activity relating to fraud and scams in 2024, driven partly by the professionalisation of romance and investment scams.
How crypto-asset risk reaches your firm
For regulated professionals, crypto-asset risk usually arrives through clients’ funds. Common routes include:
- a client funding a property purchase with converted crypto gains;
- a business client accepting crypto payments from customers you cannot identify;
- a client whose declared wealth traces back to crypto trading with little supporting evidence.
Each of these should trigger some form of enhanced due diligence. For example, enquiries into source of funds and source of wealth can establish where the money originally came from, before it entered the crypto ecosystem. Research into exchange statements, wallet records and transaction histories can also support the picture you build.
What are the red flags?
FATF’s report groups its indicators into six categories, covering transactions, transaction patterns, anonymity, senders and recipients, source of funds and geographical risk, including:
- funds arriving from or heading to mixing services;
- clients unable or unwilling to explain their crypto transaction history;
- transactions involving exchanges in weakly regulated jurisdictions;
- funds converted to crypto immediately after receipt or converted from crypto and dispersed quickly.
Of course, these elements don’t always indicate criminality. Which is why you need to have a risk-based approach to your client due diligence. Higher inherent risk should mean more scrutiny and more evidence gathering. Lower inherent risk might mean different checks that keep the work commercially viable.
Building crypto-assets into your AML
Start with your inherent risk. This is the crypto exposure your firm carries before any controls are applied. Consider:
- whether your client base includes crypto investors or businesses;
- whether you accept instructions where crypto forms part of the funds flow;
- which jurisdictions those funds typically pass through.
Your AML policies, controls and procedures (PCPs) should then set out how you mitigate those risks. For crypto exposure, that might mean:
- requiring exchange statements and wallet records as source of funds evidence;
- applying enhanced due diligence where clients use exchanges in weakly regulated jurisdictions;
- setting a lower threshold for escalating unusual transaction patterns to your MLRO.
What’s left once those controls are working is your residual risk. A client with modest, well-documented crypto holdings is likely to sit in a different risk category from one moving large sums through offshore exchanges. Your residual risk rating should show that difference and the reasoning behind it.
What others have said
Making compliance easier








