Assistant Attorney GeneralCyber Fraud Unit, Consumer Protection Division, Florida Attorney General’s Office
Their Purpose – A Technical Understanding
Cryptocurrency kiosks, also known as Bitcoin ATMs, are coming to a location near you. Some people consider these machines as a step towards widespread cryptocurrency adoption while others raise the alarm over the criminal conduct these devices facilitate. In this article we will discuss the technology behind cryptocurrency kiosks and cover some of the regulatory compliance issues raised by these machines.
While many purchase cryptocurrency as an investment, many others use it to transfer value or to power internet-based applications. One of the growing pains affecting the cryptocurrency industry is its lack of adoption by retailers and difficulty in use in regular transactions. However, payment applications like Cash App and Venmo have added the option to trade cryptocurrencies in-app, effectively bringing crypto to the pockets of the masses.1 With more and more people owning cryptocurrency, these kiosks may be the answer to a problem more people will have: I own cryptocurrency but how do I actually use it?
As a general explanation, cryptocurrencies are digital representations or substitutions of money or value and are not government-issued or what is known as “fiat” legal tender.2 For a more in-depth description of cryptocurrency, primarily Bitcoin, please refer to this article published by the National Association of Attorney General.3 For the purposes of understanding how cryptocurrency kiosks operate, it is important to understand how cryptocurrency wallets work and the role of exchanges.
A cryptocurrency wallet is software that, in its most basic form, holds a private and public key that allows the wallet’s owner to send and receive cryptocurrency.4 The transfer of cryptocurrency out of the wallet will only occur if both the private and public keys are known; thus it is incredibly important to protect the confidentiality of this private key. The public key is used to create wallet addresses and a single public key can generate many public addresses at no cost.5 Think of the wallet address as an email address; anyone can send me an email but only I can sign in with my private key and send an email from my address. Wallets may take a variety of forms, although mainstream adoption typically favors online custodial wallets. A wallet may also be a physical device that looks like a USB stick and, in perhaps its simplest form, could even be a receipt-sized sheet of paper with the public and private keys along with a unique transaction code printed on its face.6 Since these keys are long and difficult to type, many paper wallets include a quick-response (QR) code to allow a camera to scan and import the keys into an online application.
A cryptocurrency exchange is a platform on which cryptocurrency can be bought, sold, or exchanged for fiat currencies or other cryptocurrencies.7 The exchanges through which most users operate are called custodial exchanges. These custodial exchanges are custodians of the user’s wallet; they control the keys as part of the service for the user who logs into these exchanges as one would with an online banking portal. If a platform or service allows or facilitates the transfer or exchange of cryptocurrency into other cryptocurrencies or fiat currencies, it is likely classified as an exchange.
How Cryptocurrency Kiosks Work
Now that we grasp wallets and exchanges, we can understand how cryptocurrency kiosks operate; but what is a cryptocurrency kiosk? Cryptocurrency kiosks are physical machines that allow customers to exchange cryptocurrencies for fiat currency or other cryptocurrencies. These machines are a combination cryptocurrency exchange and ATM. The physical manifestation of these devices is the unique characteristic, setting them apart from their online counterparts. A user may enter their public and private keys into the kiosk, access their wallet, and exchange that cryptocurrency for cash-in-hand. Likewise, a user may use cash to purchase and transfer cryptocurrency to any available address. With the availability of these kiosks, cryptocurrency owners’ digital representation of value can be converted to a familiar paper form (cash) and can be used anywhere they please.
It is important to note that not all cryptocurrency kiosks are created equal, and they are split broadly into two categories: unidirectional and bidirectional kiosks.8 Unidirectional kiosks only allow for the sale of cryptocurrency while bidirectional ATMs allow for both the sale and purchase of cryptocurrency.9 Some kiosks only allow for transactions in Bitcoin while others allow for the transfer of multiple cryptocurrencies, including Ethereum, Dash, Monero, and Litecoin.
A cryptocurrency kiosk may operate in several different ways. A kiosk company typically holds significant reserves of cryptocurrency and sells its assets directly to consumers. These companies make money by charging higher-than-market prices, but they also profit from imposing hefty transaction fees. Kiosk fees typically range between 9% and 12% of the value of the transaction but may range from as low as 4% to higher than 20%.10 Kiosks may also use some of these fees to increase the miner fee, which decreases the time it takes for the Bitcoin Blockchain to validate the transaction.11 Online exchanges often have complicated, multifaceted fee structures but they are generally appreciably lower than the prices charged by kiosks.
The reserve cryptocurrency is held by the company in its own wallet, or more likely, multiple sets of wallets. Tenets of safety and security suggest that wallets be occasionally changed as it would generally be unwise to keep all reserves in one location. A kiosk company might keep creating internet-connected wallets, or hot wallets, that interface with consumers and rotate these wallets on a regular basis. Meanwhile, most of the reserves are maintained in wallets not connected to the internet. These cold wallets offer much greater security than their web-connected hot wallet counterparts.
When purchasing cryptocurrency, there are generally two options for determining where the cryptocurrency finally ends up. The purchaser might enter in their wallet address or, more conveniently, scan a QR code linked to their wallet. A private key in this case is not needed and if a purchaser had the QR code to a friend’s wallet, they could just as easily send money to their friend’s wallet as to their own. Alternatively, a kiosk may simply print a paper wallet with a scannable code that allows the purchaser to use a mobile wallet on their phone to sweep the crypto from the machine-generated wallet to their own. Since it costs nothing to generate new wallets, a kiosk operator may create a new wallet for each transaction which increases the security of the process in case a wallet should become compromised.
The process of selling cryptocurrency is equally straightforward. A user deposits cryptocurrency into the machine’s wallet, typically by use of a QR code displayed on the kiosk’s screen. Once the transaction is complete, the kiosk dispenses cash and sometimes a paper receipt.
Of course, using a cryptocurrency kiosk might not be as easy as just entering in cash or scanning a code. Cryptocurrency kiosks will, or at least should, have some form of anti-money laundering (AML) or know your customer (KYC) due diligence as part of its compliance program. The Bank Secrecy Act (BSA) and correlated anti-money laundering requirements (together, BSA/AML) are overseen and enforced by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) and serve to detect criminal activity within financial institutions. FinCEN has special designations for money service businesses (MSB), perhaps most notably institutions that fall under the category of money transmitters.12
Money transmitters are defined by FinCEN as any “person that provides money transmission services,” or “any other person engaged in the transfer of funds.”13 Like online exchanges, cryptocurrency kiosk companies must register as a MSB with FinCEN and meet the recordkeeping requirements promulgated by the BSA/AML. These requirements include in part:
- Reporting transactions with a value of over $10,000;14
- Reporting suspicious transactions amounting to $2,000 or greater if the MSB suspects or has reason to believe the transaction is used to facilitate criminal activity;15
- Following a written AML compliance program that is designed to reasonably prevent the MSB from being used as a conduit for criminal activity;16 and
- Following a KYC compliance program that includes consumer verification procedures such as collecting the name, SSN, and address of all users that transfer more than $3,000.17
In addition to the FinCEN requirements, there are a multitude of other federal statutes that may apply to the use of cryptocurrency kiosks. Agencies that investigate crimes which involve cash-intensive enterprises, including those related to human trafficking or the sale of narcotics, may encounter targets that take advantage of cryptocurrency kiosks without proper KYC/AML.18 Those that use cryptocurrency kiosks for criminal purposes may also face money laundering or RICO charges.19 If the operator of the cryptocurrency kiosk was aware of the illegal activity on their device, they will likely also be charged with transactions involving the proceeds of illegal activity.20
As part of its BSA/AML compliance program, a cryptocurrency kiosk might collect information such as the user’s name, address, birthdate, or phone number.21 Personal identification numbers such as driver’s license number or social security number may also be collected as part of the KYC program. Some exchanges have the user hold up a driver’s license (or other photo identification) next to the user’s face and take a selfie, or even video, to prove the user’s identity. While all cryptocurrency kiosk operators should have some form of BSA/AML compliance, some companies have better user identification methods than others. Companies that have underwhelming compliance policies or intentionally make it easy to obfuscate user identity will likely find themselves facing legal penalties.
The Department of Justice actively pursues the criminal operation of cryptocurrency kiosks that fail to comply with FinCEN requirements. A cryptocurrency company called Herocoin operated multiple kiosks across California from 2014 through 2019.22 Herocoin’s owner, a former bank employee, intentionally failed to register as a MSB even though he was aware of his requirement under FinCEN’s regulations. Undercover law enforcement officers, with the support of the Department of Homeland Security Investigations and the Organized Crime Drug Enforcement Task Force (OCDETF), made multiple transactions through Herocoin above the FinCEN reporting requirements and even made in-person transactions with the owner after claiming that the funds were derived from prostitution. In 2020, Herocoin’s owner pled guilty to the operation of an unlicensed money transmitting business, money laundering, and the failure to maintain an effective anti-money laundering program.23
In addition to the federal regulations, individual states will often have their own rules that pertain to the operation of cryptocurrency kiosks. These regulations commonly fall under the existing regulations for money service businesses and money transmitters. However, some states have rules that pertain specifically to cryptocurrency kiosks. For example, a 2014 opinion letter from the Massachusetts Division of Banks provides insightful regulatory clarifications to the cryptocurrency kiosk company Coindeavor.24 The agency stated that the company’s kiosks should neither be considered an electronic branch of a financial institution nor a foreign money transmitter under the laws of Massachusetts. Other states, like Louisiana and New York, require cryptocurrency companies to obtain specific licenses before they can operate in those states.25
These regulations continue to evolve with technology itself and there are plenty of issues that should still be addressed. For example, identifying the location (current and historical) of a cryptocurrency kiosk is not as easy as looking up a government database. ATMs, as well as any device determined to be the electronic branch of an MSB, are required to provide their location to FinCEN as part of their reporting requirements. According to the Government Accountability Office (GAO) however, cryptocurrency kiosk companies are not required to provide locations of their machines to FinCEN. 26 FinCEN may request this information but since kiosks can easily be moved, a requirement to constantly update all kiosk positions is deemed by FinCen to be unduly burdensome.27 Instead, the best way to find a cryptocurrency kiosk is to visit a public website that advertises the location of various machines. The most used website, and the site that the GAO used when researching this topic, is Coin ATM Radar (www.coinatmradar.com). Coin ATM Radar allows users to search by cryptocurrency type, bi-or-unidirectional kiosks, and shows (where applicable) kiosk fees, limits, and details on the operator company. Coin ATM Radar also has a Google Maps integration, allowing for easy directions from the user’s current location.
Over the past two years, there has been significant growth in the number of cryptocurrency kiosks in the United States, from roughly 6,000 installed in 2020 to over 36,000 in 2022.28 As cryptocurrencies become both a more common investment and a means of monetary transfer, the prevalence of cryptocurrency kiosks will continue to rise. Although there are many positive and legitimate uses for cryptocurrency kiosks, there have been an increasing number of bad actors who use this technology to facilitate criminal transactions. It is important to note however that with the proper KYC compliance in place and with adequate forensic software, investigating cryptocurrency-related crimes is possible. State agencies that encounter fraud using cryptocurrency kiosks should understand what information to collect from the victim, namely the keys, transaction code, and location of the kiosk. Armed with an understanding of how these kiosks operate and with a proper cryptocurrency investigation procedure in place, we can better face these challenges posed by this new technology.
Other articles in this edition include:
- Cash App, My First Bitcoin and the Legend of Satoshi Nakamoto. [↩]
- FinCEN, Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies, (March 18, 2013). [↩]
- Vaughan, Follow the Money: An Introduction to Cryptocurrency Transactions, National Association of Attorneys General Consumer Protection Monthly, (October 2020). [↩]
- Investopedia, What is a Private Key? [↩]
- Bitcoin, What exactly happens when a new wallet is created? [↩]
- Blockchain Council, Types of Crypto Wallets Explained. [↩]
- See supra, n. 2. [↩]
- Coin Atm Radar, Crypto ATM Buy and Sell Support, [↩]
- Cointelegraph, Bitcoin ATMs: A beginner’s guide to Bitcoin teller machines, [↩]
- Coinsource, Which ATM Would You Go To? [↩]
- Bitpay, What Are Bitcoin Miner Fees? [↩]
- See FDIC Law, Regulations, Related Acts at https://www.fdic.gov/regulations/laws/rules/8000-120.html. [↩]
- 31 CFR § 1010.100(ff)(5). [↩]
- See 31 C.F.R. § 1010.310 and 1010.313. [↩]
- See 31 C.F.R. § 1022.320. [↩]
- See 31 C.F.R. § 1022.210. [↩]
- See 31 C.F.R. § 1010.410(e). [↩]
- See 18 U.S. Code § 1591 – Sex trafficking of children or by force, fraud, or coercion; See also 21 U.S. Code § 841 – Prohibited acts A. [↩]
- See 18 U.S. Code § 1956 – Laundering of monetary instruments, See also 18 U.S. Code Chapter 96 – RACKETEER INFLUENCED AND CORRUPT ORGANIZATIONS. [↩]
- See 18 U.S. Code § 1957 – Engaging in monetary transactions in property derived from specified unlawful activity. [↩]
- Coindesk, What is KYC and Why Does it Matter for Crypto? [↩]
- U.S. Dept. of Justice, O.C. Man Admits Operating Unlicensed ATM Network that Laundered Millions of Dollars of Bitcoin and Cash for Criminals’ Benefit, (July 22, 2020). [↩]
- Id. [↩]
- https://www.mass.gov/opinion/selected-opinion-14-004. [↩]
- See New York Department of Financial Services, BitLicense FAQs and La. Rev. Stat. Ann. 6:1381 through 6:1394. [↩]
- GAO-22-105462 Virtual Currency and Trafficking, p. 48. [↩]
- Id. [↩]
- https://coinatmradar.com/charts/growth/ [↩]