Crypto ATM Fraud Prevention Act: New US Senate Bill Targets Bitcoin ATM Scams

What Happened: The Crypto ATM Fraud Prevention Act Introduced

In response to escalating cryptocurrency ATM scams, four Democratic senators, led by Senator Dick Durbin, introduced the Crypto ATM Fraud Prevention Act. The legislation aims to curb fraud schemes that have cost US consumers over $100 million annually, with $65 million reported in losses during the first half of 2024 alone. These scams often target older adults, with criminals posing as bank or law enforcement officials to trick victims into depositing cash into bitcoin ATMs via QR codes linked to criminal wallets. Median losses are around $10,000, with some cases reaching up to $390,000.

The proposed federal bill arrives as at least 15 states are considering similar legislation, with Minnesota, California, and Vermont already enforcing daily transaction limits. This indicates a growing regulatory trend toward stricter oversight of the crypto ATM industry, which has operated in a patchwork of state-level money transmitter laws without consistent federal standards for fraud prevention.

Why It Matters: Key Provisions and Regulatory Gap Analysis

The Crypto ATM Fraud Prevention Act introduces several key provisions designed to protect consumers and enhance transparency:

• Transaction Limits: Imposes daily and 14-day transaction caps of $2,000 and $10,000, respectively, for new users.
• Personal Communication Requirement: Mandates operators to establish personal communication with users for transactions exceeding $500 to verify legitimacy.
• Fraud Refund Mandate: Requires full refunds for fraud reported to law enforcement within 30 days.
• Registration and Disclosure: Likely includes registration requirements for operators and clear consumer disclosures about scam risks.

This bill addresses a significant regulatory gap in the US crypto market. While crypto ATM operators are subject to the Bank Secrecy Act (BSA) and must file Suspicious Activity Reports (SARs) with FinCEN when suspecting illicit activity, there has been no federal law specifically targeting the unique fraud vectors of bitcoin ATMs. The existing BSA framework, including SAR filing within 30 days (60 days if no suspect is identified) for transactions meeting the $5,000 threshold for banks or $2,000 for money services businesses (MSBs), focuses on money laundering rather than consumer fraud prevention. State money transmitter laws vary widely, creating compliance complexity for multi-state operators.

Impact on Fintech Compliance Under Existing Frameworks

For crypto ATM operators, this legislation would layer additional requirements onto existing BSA/AML obligations. Operators must already comply with:

• BSA Requirements: Including Currency Transaction Reports (CTRs) for cash transactions over $10,000, SAR filing, and Customer Due Diligence (CDD) under the CDD Rule effective since May 2018.
• State Money Transmitter Laws: Which require licensing and often have their own transaction reporting or consumer protection rules.
• OFAC Sanctions Screening: A strict liability regime requiring screening against the SDN List to avoid penalties up to $356,579 per violation.

The new bill would integrate fraud prevention directly into this compliance stack, requiring operators to enhance monitoring for scam patterns—such as rapid, high-value deposits by inexperienced users—beyond traditional AML red flags. This aligns with broader fintech regulatory trends, including the CFPB's focus on consumer protection in digital financial services and the SEC's cybersecurity disclosure rules for public companies, which mandate incident reporting within 4 business days on Form 8-K.

Internationally, approaches vary. The EU's Markets in Crypto-Assets (MiCA) Regulation, fully applicable from 30 December 2024, imposes authorization requirements for Crypto-Asset Service Providers (CASPs) but does not specifically target ATM fraud. Some countries have implemented transaction limits or enhanced KYC for crypto ATMs, but the US bill represents one of the first comprehensive federal efforts focused on this channel.

What Organizations Should Do: Practical Compliance Steps

Crypto ATM operators should take proactive steps to prepare for potential federal regulation and strengthen their current compliance programs:

1. Conduct a Risk Assessment: Evaluate existing fraud and AML controls specific to ATM transactions. Identify vulnerabilities to scams like social engineering or QR code manipulation.
2. Enhance Transaction Monitoring: Implement systems to detect patterns associated with scams, such as transactions just below reporting thresholds, rapid successive deposits, or activity from geographically high-risk areas. AI-driven platforms like RisksRadarAI can reduce false positives by 80%+ through cross-domain signal correlation, automating SAR generation in FinCEN format with AI-powered evidence briefs for scam-related alerts.
3. Update Consumer Disclosures: Prepare clear, prominent warnings about common scams at ATM kiosks and in digital interfaces, as mandated by the bill.
4. Implement Verification Protocols: Develop procedures for personal communication for transactions over $500, ensuring staff training and secure recordkeeping.
5. Review State Compliance: Align operations with existing state laws in Minnesota, California, Vermont, and others considering similar bills, to create a unified compliance framework.
6. Leverage Regulatory Intelligence: Use platforms like AIGovHub to monitor regulatory changes across 47+ jurisdictions, including state-level crypto ATM bills and federal developments. Its fintech compliance tools can help map requirements across BSA, state laws, and emerging fraud prevention mandates.

As regulatory scrutiny intensifies, building a robust compliance infrastructure now will position operators to adapt quickly when the Crypto ATM Fraud Prevention Act or similar state laws take effect. This includes integrating fraud detection with existing AML programs, ensuring clear audit trails, and preparing for enhanced reporting obligations.

This content is for informational purposes only and does not constitute legal advice. Organizations should verify current regulatory timelines and consult legal counsel for compliance guidance.