Authors: Andrea Minto, Anneke Kosse, Takeshi Shirakami and Peter Wierts, BIS
Compiled by: Ma Yimeng, FinTech Research Institute
In March 2026, the Bank for International Settlements (BIS) published a working paper titled "From cash to crypto: towards a consistent regulatory approach to illicit payments". The paper explores the challenges faced by anti-money laundering and countering the financing of terrorism (AML/CFT) regulation in the context of the diversification of payment instruments. It proposes a conceptual framework to analyze the risk of regulatory arbitrage, known as the "waterbed effect," arising from the varying degrees of intermediary involvement across different payment instruments.
By examining the evolution of regulation in the European Union, the paper argues that achieving regulatory effectiveness requires a balance between general law (lex generalis) and special law (lex specialis). The FinTech Research Institute of Renmin University of China (WeChat ID: ruc_fintech) has compiled this research.
I. Introduction
With the rapid development of financial technology, we are undergoing a profound transformation in payment methods. From traditional cash and bank deposits to electronic money, and further to emerging cryptoassets and the much-discussed retail central bank digital currency (CBDC), the range of available payment instruments is unprecedentedly rich.
This diversification, on one hand, promotes competition and financial inclusion, but on the other hand, introduces new risks. Each payment instrument can be exploited by criminals for money laundering (ML) or terrorist financing (TF), thereby harming the integrity and stability of the financial system.
For a long time, regulatory authorities worldwide have addressed these risks through AML/CFT frameworks, requiring "obliged entities" such as financial institutions to fulfill obligations like customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting.
However, regulation does not operate in a vacuum. When new payment instruments emerge, the regulatory framework needs constant adjustment to accommodate them. But there are inherent design differences among payment instruments, especially in their reliance on intermediaries, which may lead to inconsistencies in regulatory rules across these instruments.
This inconsistency can trigger a "waterbed effect": when regulators strengthen oversight in one payment area (e.g., bank transfers), plugging loopholes, fund flows may shift, like water pressed on one side of a waterbed, to another area with relatively lighter regulation (e.g., certain cryptocurrencies). This behavioral adjustment, whether malicious regulatory arbitrage or a choice by legitimate users for privacy reasons, undermines the overall effectiveness of regulation.
Therefore, the core question of this paper is: How does the AML/CFT framework influence, or even distort, users' choice of payment instruments? The authors aim to explore how to achieve a more consistent and effective regulatory path across different payment instruments by constructing a conceptual framework and using EU regulatory practice as a case study.
II. Conceptual Framework: AML/CFT Measures and Interaction with Payment Instrument Choice
Intermediary Role and Regulatory Arbitrage
The core of this paper is a qualitative analytical framework based on design differences in payment instruments. The core variable of this framework is the degree of involvement of intermediary institutions. Based on this variable, the authors categorize payment instruments into two broad types:
- Intermediary-Dependent Instruments: Include bank deposits, electronic money, custodial wallet cryptoassets, and online retail CBDC. These transactions pass through one or more regulated intermediaries, which act as "obliged entities," performing customer due diligence, monitoring transactions, and reporting suspicious activities to the Financial Intelligence Unit (FIU). Consequently, such instruments are designed with a high probability of detecting illicit transactions.
- Non-Intermediary-Dependent Instruments: Include cash, self-custody wallet cryptoassets, and offline retail CBDC. In these transactions, no intermediary institution is authorized or able to act as a "gatekeeper." Transaction information is primarily confined to the payer and payee. Therefore, theoretically, the design of these instruments results in a lower detection probability.
Based on this, the model derives the first key hypothesis: Malicious actors will choose the payment instrument with the lowest expected detection probability to maximize the expected net benefit of their illegal activities. Among non-intermediary-dependent instruments, cash, while offering the highest anonymity, is limited in its practicality for large-value, remote transactions due to its physical form.
Self-custody wallets may become a more attractive alternative, as they combine relatively high anonymity with digital convenience. Offline CBDC, although leaving electronic traces, if designed without intermediary involvement, also poses a higher risk than intermediary-dependent instruments.
Waterbed Effect and Regulatory Response
The second key part of the framework describes the dynamic game between behavioral adjustment and regulatory response. When regulators strengthen oversight of a certain type of instrument, for example, by implementing strict monitoring of bank deposits, this increases its "cost of use" (the detection risk for malicious actors).
According to the "waterbed effect," malicious activity will shift to other payment instruments with weaker regulation and lower detection probabilities (e.g., self-custody wallets). This arbitrage behavior weakens the overall effectiveness of regulation, forcing regulators to intervene. The intervention typically involves further expanding the regulatory scope to include newly emerged, uncovered payment instruments, thus triggering a new round of behavioral adjustment.
This dynamic cycle explains why the AML/CFT framework is constantly evolving and "catching up" with technological innovation. This effect exists not only between different payment instruments but also potentially between different jurisdictions, forming geographical regulatory arbitrage.
Side Effects on Legitimate Users: Privacy and Freedom of Choice
The third part of the framework considers the side effects of regulation on legitimate users. AML/CFT measures, while necessary for combating crime, inevitably infringe upon users' informational privacy.
Transaction monitoring and data sharing mean that part of the user's personal information is held by third parties (intermediaries, regulators). This trade-off between privacy and financial integrity is an unavoidable core contradiction in regulatory design. Even for legitimate purposes, some users may prefer payment instruments with a higher degree of privacy protection due to concerns about data security or the value orientation that "payment is a private matter."
Therefore, legitimate users and malicious actors may converge in behavior: both prefer non-intermediary-dependent instruments. However, the reasons are entirely different: malicious actors aim to evade regulation, while legitimate users seek to protect their privacy and personal freedom. This makes policymaking more complex, as simply tightening regulation to plug loopholes may excessively sacrifice the freedom of ordinary citizens.
III. Legal Analysis: The Case of the European Union
The EU has continuously evolved its AML/CFT framework since 1991, gradually expanding from initial financial institutions like banks to accountants, lawyers, real estate agents, and finally explicitly bringing crypto-asset service providers (CASPs) under regulation in the 2018 and 2024 reforms. This evolution clearly shows the framework's trajectory of constantly adapting to new risks. However, the case study also reveals that inconsistencies still exist in the current framework, which may trigger the "waterbed effect."
- Cash: The EU has introduced a €10,000 upper threshold for cash transactions, directing large-value transactions towards instruments involving intermediaries.
- Self-Custody Wallets: For such tools that do not involve intermediaries, regulation primarily monitors them through their "touch points" with intermediaries (e.g., when converting crypto assets to fiat currency). However, there is currently no transaction or holding limit similar to that for cash.
- Offline Digital Euro: In the European Commission's digital euro proposal, offline transactions are designed to be without intermediary involvement to provide a cash-like privacy experience. To balance the risks, the proposal authorizes the European Commission to set limits for such transactions, but these have not been finalized yet.
IV. Building a Consistent AML/CFT Regulatory Path: Conclusions and Recommendations
Based on the above analysis, the paper proposes a core policy recommendation: adopt a regulatory model that combines "general law" and "special law" to achieve both consistent and flexible regulatory effects.
- General Law (Lex Generalis): Refers to the application of uniform, universal principles and core requirements to all payment instruments with similar characteristics. Specifically, for all payment instruments involving intermediaries (bank deposits, electronic money, online CBDC, custodial wallets), a unified regulatory "baseline" should be established. This means all such intermediaries should bear the same basic obligations: conducting customer due diligence, monitoring transactions, keeping records, and reporting suspicious transactions. At the same time, privacy and data protection standards applicable to these intermediaries should be as unified as possible to ensure that the trade-off between privacy and integrity is consistent across the industry.
- Special Law (Lex Specialis): Refers to the formulation of supplementary, targeted rules based on the general law, addressing the unique design or functions of specific payment instruments. For example:
  - For cash, its physical characteristics make the direct application of general law difficult, hence the need for special law, such as the €10,000 transaction limit, as a supplement.
  - For offline CBDC, since its design deliberately excludes intermediaries to provide a cash-like experience, special law is also needed to manage its risks, such as setting transaction and holding limits.
  - For self-custody wallets, special law is needed to address the unique challenges they pose. This may include further strengthening the regulation of "touch points" with intermediaries, or exploring technical compliance (e.g., setting limits at the protocol level), and enhancing the requirements for wallet service providers (even if they do not directly custody assets).
For payment instruments that do not rely on intermediaries, regulators need to go beyond the traditional model of "intermediary accountability" and explore more diverse regulatory instruments. This may include:
- Utilizing touch points: Strengthening the monitoring of all channels through which illicit funds enter or exit the non-intermediated realm.
- Setting transaction limits: As done for cash and offline CBDC, and using this as a universal risk management tool. For self-custody wallets, although enforcing such limits is technically challenging, it is not impossible and is a direction worth exploring in the future.
- Enhancing issuer responsibility: Requiring issuers of payment instruments (e.g., the central bank's currency issuance department, stablecoin issuers) to take on more AML/CFT responsibilities, such as taking more active measures (e.g., discontinuing high-denomination banknotes, freezing suspicious addresses) to maintain the integrity of their issued instruments.
- Increasing the cost of violation: Imposing stricter penalties on individuals or entities that use non-intermediated payment instruments for transactions in professional activities.
Finally, the paper emphasizes that a truly effective AML/CFT framework must be forward-looking and adaptable. There will inevitably be more innovative payment instruments in the future that we cannot foresee today. By establishing a framework based on the principles of "general law" and broadly defining the function of "payment instruments," future innovations can be brought within the regulatory purview by default, thereby breaking the passive cycle of "innovation-regulation-re-innovation-re-regulation" and guiding financial innovation towards a direction more beneficial to social welfare.







