The Bank for International Settlements has produced this bulletin advising on approaches to KYC/AML for Bitcoin (and shitcoins). You know what word doesn't show up once in the bulletin's 8 pages?
privacy
I really would love to know the mindset of the kind of people who write such things. Do they imagine that individuals ought to have no privacy from the governments in which they live (and which, in many cases, are supposed to serve them)? Even if they don't care about privacy, do they not see how such mechanisms can (and likely will) be misused?
There is a growing trend of governments relying on what I would call neutral technologies to enforce laws. The banking layer is such a case. Moving money from one place to another is not evil or bad or harmful. But stealing money is. Rather than try to enforce laws against stealing, it is more convenient for our government to make banks freeze stolen funds, even if it comes at the cost of sweeping surveillance of all users of the banking system.
The internet is becoming another case: rather than trying to enforce laws about harming other people, governments seem eager to surveil everyone using the internet and block access to those who they deem "bad."
Read the full report if you really want to plunge into a foreign mindset.
The specific criteria for assessment could vary across jurisdictions. For instance, for those that maintain foreign exchange regulations, the definition of illicit activity could encompass transactions that violate those regulations. Given the widespread cross-border use of stablecoins, such safeguards could help to slow the erosion of monetary sovereignty and maintain the effectiveness of monetary policy.
In particular, an AML compliance score that references the UTXOs for bitcoins or wallets for stablecoins could use the information on the blockchain, including the full history of transactions and the wallets they have passed through. A higher value (eg maximum 100) would denote relatively clean funds, coming mostly from “allow-listed” wallets, while a lower value (eg minimum zero) would denote funds that are tainted by being associated with one or more wallets known to be on a “deny list” (Graph 1). The AML compliance score for such wallets can then be assessed against a threshold value chosen by authorities following jurisdictional considerations to determine whether off-ramp transactions with that wallet are allowed or denied. Crypto exchanges, stablecoin issuers and banks could apply safeguards by considering minimum AML compliance score requirements for cashing out crypto coins, helping to prevent funds from illicit activities from entering the conventional monetary system.
The strongest form of AML compliance would require off-ramps to accept tokens for conversion only if they have passed through addresses that have met KYC compliance checks – ie wallets that are on an “allow list” (Graph 2). This stringent version of the AML test implies that all users (including those operating unhosted wallets) would have to undergo KYC checks, just as all clients of banks must do when opening an account today. Using smart contract functionalities, crypto exchanges and other wallet providers could be required to block any transactions from or to addresses that are not on the allow list.
While some users may reasonably claim to have received a tainted token in good faith if information on illicit use is scarce, such an argument would be less persuasive if there were widespread and affordable compliance service providers. In such a setting, users could reasonably be expected to exercise a duty of care in transacting with crypto tokens by checking beforehand if a crypto coin is known to be compromised.
There are even proposals for a “bounty hunter” approach to compliance, whereby licensed firms could receive compensation for reporting suspicious activity to regulators (Kellerman (2025)). This can be compared with “bug bounties” that are paid for successfully finding cyber vulnerabilities.
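To make the UTXO-based compliance score from the quoted excerpt concrete, here is an added illustration (mine, not the bulletin's or any compliance vendor's method) that propagates a value-weighted score through a constructed toy transaction graph: allow-listed origins score 100, anything paid to a deny-listed wallet scores 0, and every later output inherits the weighted mix of its inputs. The wallet labels, transactions, the neutral score for unlabelled origins and the threshold are all assumptions.

```python
from dataclasses import dataclass
from functools import lru_cache

# Constructed toy data (not real chain data): wallets a hypothetical
# compliance provider has labelled, and a small UTXO graph spending them.
ALLOW_LIST = {"exchange_kyc"}     # KYC'd wallets: funds scored 100 (clean)
DENY_LIST = {"extortion_wallet"}  # known-illicit wallets: funds scored 0
UNKNOWN_ORIGIN_SCORE = 50         # assumption: unlabelled origins are neutral

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((prev_txid, vout), ...); empty for an origin payment
    outputs: tuple  # ((address, value_sats), ...)

TXS = {t.txid: t for t in (
    Tx("t1", (), (("exchange_kyc", 100_000),)),       # withdrawal from a KYC exchange
    Tx("t2", (), (("extortion_wallet", 100_000),)),   # funds held by a deny-listed wallet
    Tx("t3", (("t1", 0), ("t2", 0)),                  # both spent together: a 50/50 mix
       (("mix_out", 150_000), ("mix_change", 50_000))),
    Tx("t4", (("t3", 1), ("t5", 0)),                  # mix change diluted with clean funds
       (("cashout_addr", 200_000),)),
    Tx("t5", (), (("exchange_kyc", 150_000),)),
)}

@lru_cache(maxsize=None)
def utxo_score(txid: str, vout: int) -> float:
    """Score of one output: 0 if paid to a deny-listed wallet, otherwise the
    value-weighted average of the scores of the inputs that funded it."""
    tx = TXS[txid]
    address, _ = tx.outputs[vout]
    if address in DENY_LIST:
        return 0.0
    if not tx.inputs:  # origin: the score comes from the receiving wallet's label
        return 100.0 if address in ALLOW_LIST else float(UNKNOWN_ORIGIN_SCORE)
    total_value = sum(TXS[p].outputs[v][1] for p, v in tx.inputs)
    # proportional ("haircut") taint: every output inherits the same input mix
    return sum(TXS[p].outputs[v][1] * utxo_score(p, v) for p, v in tx.inputs) / total_value

def off_ramp_allowed(txid: str, vout: int, threshold: float) -> bool:
    """Off-ramp rule from the excerpt: cash out only if the score meets the threshold."""
    return utxo_score(txid, vout) >= threshold

if __name__ == "__main__":
    for ref in (("t1", 0), ("t2", 0), ("t3", 0), ("t4", 0)):
        print(ref, round(utxo_score(*ref), 1), off_ramp_allowed(*ref, threshold=60))
```

The t4 output (score 87.5) shows why the taint model matters as much as the threshold: a proportional score rises as tainted change is combined with clean inputs, whereas a "poison" model that scores any output with a deny-listed ancestor as 0 would keep it below the bar at the cost of flagging far more users' funds.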