From Cash to Cryptocurrency: Moving Towards a Unified Regulatory Path for Illegal Payments

Authors: Andrea Minto, Anneke Kosse, Takeshi Shirakami and Peter Wierts, BIS

Compiled by: Ma Yimeng, FinTech Research Institute

In March 2026, the Bank for International Settlements (BIS) published a working paper titled "From cash to crypto: towards a consistent regulatory approach to illicit payments." This paper explores the challenges faced by anti-money laundering and counter-terrorist financing (AML/CFT) regulation in the context of diversified payment instruments. The article proposes a conceptual framework to analyze the regulatory arbitrage risks arising from different levels of intermediary involvement in various payment tools, referred to as the "waterbed effect."

By analyzing the regulatory evolution in the European Union, the article points out that achieving regulatory effectiveness requires a balance between general law (lex generalis) and special law (lex specialis). The Research Institute of Financial Technology at Renmin University of China (WeChat ID: ruc_fintech) has compiled this study.

I. Introduction

With the rapid development of financial technology, we are experiencing a profound transformation in payment methods. From traditional cash and bank deposits to electronic money, and then to emerging cryptoassets and the highly anticipated retail central bank digital currency (CBDC), the variety of available payment tools has never been richer.

This diversification promotes competition and financial inclusion on one hand, but also brings new risks on the other. Each payment tool can potentially be exploited by criminals for money laundering (ML) or terrorist financing (TF), thereby undermining the integrity and stability of the financial system.

For a long time, regulatory authorities in various countries have responded to these risks through AML/CFT frameworks, requiring "obliged entities" such as financial institutions to perform customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting.

However, regulation does not operate in a vacuum. When new payment tools emerge, the regulatory framework needs to be continuously adjusted to accommodate them. Yet, the inherent differences in the design of different payment tools, especially in terms of reliance on intermediaries, can lead to inconsistencies in regulatory rules across these tools.

Such inconsistencies can trigger a "waterbed effect": when regulators strengthen oversight in one payment area (such as bank transfers) and close loopholes, the flow of funds may shift like the pressed side of a waterbed to another area with relatively loose regulation (such as certain cryptocurrencies). This behavioral adjustment, whether it is malicious regulatory arbitrage or legitimate users opting for privacy reasons, undermines the overall effectiveness of regulation.

Therefore, the core question of this paper is: how do AML and CFT frameworks influence, or even distort, users' choices of payment tools? The authors aim to explore how to achieve a more consistent and effective regulatory path across different payment tools by constructing a conceptual framework and using the regulatory practices of the EU as a case study.

II. Conceptual Framework: Interaction Between AML/CFT Measures and Payment Tool Choices

Intermediary Role and Regulatory Arbitrage

The core of this paper is a qualitative analytical framework based on the design differences of payment tools. The central variable of this framework is the level of intermediary involvement. The authors categorize payment tools into two main types based on this variable:

• Intermediary-dependent tools: These include bank deposits, electronic money, custodial wallet cryptoassets, and online retail central bank digital currencies. Transactions involving these tools go through one or more regulated intermediaries, which act as "obliged entities" to perform customer due diligence, monitor transactions, and report suspicious activities to financial intelligence units (FIUs). Therefore, these tools are designed to have a higher probability of detecting illicit transactions.

• Non-intermediary-dependent tools: These include cash, self-custody wallet cryptoassets, and offline retail central bank digital currencies. In these transactions, no intermediary is authorized or able to act as a "gatekeeper." Transaction information is primarily limited to the payer and payee. Thus, theoretically, the design of these tools leads to a lower probability of detection.

Based on this, the model derives the first key hypothesis: malicious actors will choose payment tools with the lowest expected detection probability to maximize their expected net gains from illicit activities. Among non-intermediary-dependent tools, cash, while having the highest anonymity, is limited in its practicality for large, remote transactions due to its physical form.

Self-custody wallets may become a more attractive alternative because they combine high anonymity with the convenience of digitalization. Offline central bank digital currencies, although they may leave electronic traces, pose higher risks than intermediary-dependent tools if designed without intermediary involvement.

Waterbed Effect and Regulatory Response

The second key part of the framework describes the dynamic game between behavioral adjustments and regulatory responses. When regulators strengthen oversight of a certain type of tool, such as implementing strict monitoring of bank deposits, this increases its "cost of use" (which is detection risk for malicious actors).

According to the "waterbed effect," illicit activities will shift to other payment tools with weaker regulation and lower detection probabilities (such as self-custody wallets). This arbitrage behavior weakens the overall effectiveness of regulation, forcing regulators to intervene. The usual form of intervention is to further expand the regulatory scope, incorporating newly emerging, uncovered payment tools into the framework, thereby triggering a new round of behavioral adjustments.

This dynamic cycle explains why AML and CFT frameworks are constantly evolving and "chasing" technological innovations. This effect exists not only between different payment tools but may also occur across different jurisdictions, creating geographical regulatory arbitrage.

Side Effects on Legitimate Users: Privacy and Freedom of Choice

The third part of the framework considers the side effects of regulation on legitimate users. While AML and CFT measures are necessary for combating crime, they inevitably infringe on users' informational privacy.

Transaction monitoring and data sharing mean that some personal information of users is held by third parties (intermediaries, regulatory authorities). This trade-off between privacy and financial integrity is a core contradiction that cannot be avoided in regulatory design. Even for entirely legitimate purposes, some users may prefer payment tools with higher privacy protections due to concerns about data security or the value orientation that "payments are a private matter."

Thus, legitimate users and malicious actors may converge in their behaviors: both prefer non-intermediary-dependent tools. However, the reasons are entirely different: malicious actors seek to evade regulation, while legitimate users aim to maintain privacy and personal freedom. This complicates policy-making, as tightening regulation solely to close loopholes may excessively sacrifice the freedoms of ordinary citizens.

III. Legal Analysis: A Case Study of the EU

Since 1991, the EU has continuously evolved its AML and CFT framework, initially focusing on financial institutions such as banks, gradually expanding to include accountants, lawyers, and real estate agents, and ultimately incorporating crypto-asset service providers (CASPs) into regulation in the reforms of 2018 and 2024. This evolution clearly demonstrates the framework's ongoing adaptation to new risks. However, case studies also reveal inconsistencies within the current framework that may trigger the "waterbed effect."

• Cash: The EU has introduced a cash transaction limit of €10,000, directing large transactions towards intermediary-involved tools.

• Self-custody wallets: For these non-intermediary tools, regulation primarily relies on their "touch points" with intermediaries (such as when converting crypto assets to fiat currency) for monitoring. However, no transaction or holding limits similar to cash have been established.

• Offline digital euro: In the European Commission's proposal for the digital euro, offline transactions are designed to occur without intermediary involvement to provide a cash-like privacy experience. To balance risks, the proposal authorizes the European Commission to set limits for such transactions, but this has not yet been finalized.

IV. Building a Unified AML/CFT Regulatory Path: Conclusions and Recommendations

Based on the above analysis, the article proposes a core policy recommendation: adopt a regulatory model that combines "general law" and "special law" to achieve both consistent and flexible regulatory effects.

• General Law (Lex Generalis): This refers to the application of unified, universal principles and core requirements to all payment tools with similar characteristics. Specifically, for all intermediary-involved payment tools (bank deposits, electronic money, online central bank digital currencies, custodial wallets), a unified regulatory "baseline" should be established. This means that all such intermediaries should bear the same basic obligations: conducting customer due diligence, monitoring transactions, maintaining records, and reporting suspicious transactions. Additionally, privacy and data protection standards applicable to these intermediaries should be as uniform as possible to ensure that the trade-off between privacy and integrity is consistent across the industry.

• Special Law (Lex Specialis): This refers to the formulation of supplementary, targeted rules based on the unique design or function of specific payment tools on the foundation of general law. For example:

For cash, its physical characteristics make it difficult for general law to apply directly, thus requiring special laws, such as the €10,000 transaction limit, as a supplement.

For offline central bank digital currencies, since their design deliberately excludes intermediaries to provide a cash-like experience, special laws are also needed to manage their risks, such as setting transaction and holding limits.

For self-custody wallets, special laws are similarly needed to address the unique challenges they present. This may include further strengthening monitoring of "touch points" with intermediaries or exploring compliance through technical means (e.g., setting limits at the protocol level) and enhancing accountability requirements for wallet service providers (even if they do not directly hold assets).

For non-intermediary-dependent payment tools, regulators need to move beyond the traditional model of "intermediary accountability" and explore more diverse regulatory tools. This may include:

• Utilizing touch points: Strengthening monitoring of all channels through which illicit funds enter or exit non-intermediary domains.

• Setting transaction limits: As done for cash and offline central bank digital currencies, and using this as a general risk management tool. For self-custody wallets, while enforcing such limits is technically challenging, it is not impossible and is a direction worth exploring in the future.

• Enhancing issuer accountability: Requiring issuers of payment tools (such as the cash issuance department of central banks, stablecoin issuers) to bear more AML/CFT responsibilities, such as taking more proactive measures (e.g., stopping the issuance of high-denomination banknotes, freezing suspicious addresses) to maintain the integrity of their issued tools.

• Increasing penalties for violations: Setting stricter penalties for individuals or entities using non-intermediary payment tools in professional activities.

Finally, the article emphasizes that a truly effective AML/CFT framework must be forward-looking and adaptable. More innovative payment tools that we cannot foresee today will inevitably emerge in the future. By establishing a framework based on the principles of "general law" and broadly defining the function of "payment tools," future innovations can be implicitly included in the regulatory view, thereby breaking the passive cycle of "innovation-regulation-innovation-regulation" and guiding financial innovation towards directions that are more beneficial to social welfare.