Stablecoins and the Emerging Financial Crime Fighting Toolkit
Lianne Dodds and Tom Rhodes examine the trade-offs policymakers face when designing financial crime frameworks for digital money.
Authors: Lianne Dodds and Tom Rhodes
This article was originally entitled ‘Stablecoins and the Emerging Financial Crime Toolkit’ and was first published in the June 41.6 issue of ‘Butterworths Journal of International Banking and Financial Law’.
This article compares anti-money laundering and financial crime risk and regulation in traditional financial systems and emerging stablecoin ecosystems, examining the trade-offs policymakers face when designing financial crime frameworks for digital money.
Key Points
- Stablecoins reshape the financial crime landscape, shifting risks away from the blind spots that arise in fragmented systems of intermediaries to the anonymity of peer-to-peer transfers via self-custody wallets.
- The benefits of on-chain traceability may trade off against poor identity attribution and lack of regulatory enforceability in the global secondary market.
- Public records and blockchain analytics enable new tools to track and combat illicit flows. But with the ability to freeze stablecoins anywhere in the world, these powers place private issuers in a legally ambiguous quasi-public enforcement role.
With the rapid expansion of stablecoin usage following what commentators dubbed “stablecoin summer” in 2025, debate around the associated financial crime risks has intensified. Policymakers and critics frequently frame stablecoins as a new and particularly high-risk channel for money laundering or illicit activity. In reality stablecoins do not necessarily increase or reduce this risk, they reshape the nature of the risk and the tools available to combat it.
This perspective is reflected in recent analysis by the Financial Action Task Force (FATF),1 which reports that although stablecoins are the dominant tool for on-chain illicit activity, accounting for 84% of volume of illicit crypto, there has been a shift in financial crime risk away from regulated intermediaries such as payment providers towards peer-to-peer (P2P) transactions conducted via self-custody wallets (wallet technology where the user retains full control over the cryptoassets in the wallet, rather than relying on a third-party custodian). In this sense, stablecoins circumvent existing control mechanisms. However, rather than defeat the controls altogether, they relocate the points at which they can be applied.
Lawmakers must now decide what tools to adopt, where to apply them, and what risk-tolerance to accept. This article seeks to contextualise the debate by describing the traditional legal controls and trade-offs, before applying them to stablecoins.
Traditional controls
Traditional financial systems already operate within a complex anti-money laundering and financial crime (AML/FC) regulatory landscape. For example the payment methods we all use today; cash, bank transfers and card payments are subject to the:
- UK Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (SI 2017/692) (MLRs);
- Proceeds of Crime Act 2002 (POCA);
- Terrorism Act 2000 (TACT); as well as
- regulatory supervision and guidance, such as the Joint Money Laundering Steering Group (JMLSG) guidance and financial crime guidance in the FCA Handbook.
All of which demand sophisticated operational controls implemented by regulated financial institutions.
Banking and payments
Banking systems and bank-initiated payments, from an AML/FC perspective benefit from a structure designed for a high degree of regulatory control.
Firstly, to participate in the banking system generally requires consumers to establish a relationship with a regulated institution. Onboarding is subject to customer due diligence (CDD) obligations which require the financial institution to verify your identity and conduct ongoing monitoring of the business relationship.
Secondly, all payments are processed via networks of regulated intermediaries, including banks, payment institutions and card networks. These entities are subject to CDD, transaction monitoring, and reporting obligations. Under the UK revised Wire Transfer Regulation (retained EU Regulation 2015/847), banks must ensure that payment messages include specified information about the payer and payee, such as names and account numbers (UK revised WTR, Art 4, see also FCA Financial Crime Guide, para 3.2.13). This gives intermediary and beneficiary institutions a limited ability to trace the origin of funds. Banks are also required under POCA, ss 330-331, to submit suspicious activity reports (SARs) to the National Crime Agency (NCA) where they identify or suspect money laundering.
Payment flows are typically linked to identifiable account holders and financial institutions maintain records that allow them to identify the parties involved in a transaction. As a result, financial institutions are able to impose AML/FC controls at various stages of the payments chain.
However, although traditional financial services operate in a tightly controlled environment, this does not eliminate financial crime risk. The information provided with transactions is not always sufficient to identify illicit activity. Transactions pass through accounts at multiple organisations, between which communication is limited. If funds cross borders, communication essentially stops. Even with the strongest controls in one institution deployed with regard to its own customers, a key limitation is the visibility of their counterparties’ customers or the origin of funds. Criminal actors continue to exploit weaknesses identified in systems and controls.
This problem is increased by the globally fragmented architecture of banks. The global banking system operates in domestic payment systems, subject to domestic regulations and eligibility requirements. Banking crosses borders through a complex network of correspondent relationships between institutions each operating in their own geographically limited payment systems. These relationships are often not visible to parties outside the immediate transaction. Combining this with differences in regulatory regimes and cross border enforcement, there are inevitably blind spots for illicit actors to exploit.
Lawmakers recognise these limitations. They accept a “risk-based” approach rather than requiring perfect information about all counterparties and transaction chains. As the Explanatory Memorandum to the MLRs states, the regulations “are deliberately not prescriptive, providing flexibility in order to promote a proportionate and effective risk-based approach” (Explanatory Memorandum to SI 2017/692, para 7.4). The JMLSG Guidance similarly recognises that “no system of checks will detect and prevent all money laundering, terrorist financing and proliferation financing. A risk-based approach will, however, serve to balance the cost burden placed on individual firms and their customers with a realistic assessment of the threat” (JMLSG Guidance, Part I, para 4.9). To go any further would have a paralysing effect on business. For cross-border transactions, applying extensive AML/FC controls to participants throughout the chain could also raise data protection and conflict of laws challenges.
Cash
Cash has its own distinct risk profile: a bearer instrument, where ownership is determined by possession, and there is no requirement for a linked identity or an account at a regulated financial institution. Cash transactions are P2P and typically result in no records being associated with the transaction. Illicit actors can relatively easily store or use cash to transfer their ill-gotten gains anonymously. Cash can also be transported across borders with limited traceability, although moving large amounts has logistical challenges that limit scalability. For these reasons, transactions in cash are generally regarded as higher risk for money laundering.
However, regulatory controls are generally only applied when cash interacts with the financial system, for example through limits on deposits, withdrawal thresholds or bank reporting requirements. Under regs 27 and 28 of the MLRs, service providers must conduct CDD in relation to certain high value transactions (€10,000 or more) and banks are required to scrutinise cash transactions to ensure they are consistent with their knowledge of the customer and risk profile. Where such transactions give rise to knowledge or suspicion of money laundering, the firm must make a disclosure under section 330 of POCA, usually by submitting a SAR to the NCA.
These obligations illustrate the regulatory approach: rather than controlling cash itself, or exercising supervision via the cash issuer (the Bank of England (BoE)), policymakers place controls at specific junctures in the payment chain where cash meets the regulated financial system (financial institutions or other businesses specifically supervised under the money laundering regime).
In theory regulators could impose stricter requirements on cash. The general public could be required to record holdings and transfers in a public record, which could be supervised by the issuer (BoE) or intermediaries such as banks. If a holder has no bank account, they would not be permitted to hold cash. But clearly this would present significant trade-offs. The administrative costs alone would massively slow down transactions and reduce the demand for cash. Given the significant role cash continues to play, particularly in financial inclusion, policy balances the benefits of cash against the risks of financial crime.
Stablecoins
Stablecoins offer a new technological architecture: a bearer-like instrument with the ability to transfer directly between users anywhere in the world, creating a public digital record of transactions which allows for traceability. Whilst the accessibility and P2P transferability challenge traditional AML/FC controls like CDD, the public immutable record and the technological functionality built into the token introduce new detection and enforcement possibilities.
Like cash, they can operate as a bearer instrument, allowing ownership to transfer based on control (through a digital address known as a wallet) rather than a verified identity or account at a service provider like a bank. The critical new feature, compared to cash, is the record of all transactions on distributed ledgers, creating a public, permanent and immutable record of activity. Transactions may occur P2P, without the involvement of any regulated institution, but the availability of the transaction data allows for live and retrospective analysis that is not available with cash.
As with cash, these controls can be deployed at touchpoints with a regulated institution. For example, when a holder redeems stablecoins with the issuer, the issuer can review the transaction history of the redeeming stablecoins to identify suspicious patterns or interactions with illicit or sanctioned wallets. Other touchpoints could include banks that convert stablecoins into bank deposits, cryptoasset exchanges, payment orchestrators and custodial wallets (where the service provider takes full control of the stablecoin on the user’s behalf).
An evolving risk profile
A key finding from the recent FATF report is that the vulnerability of stablecoins to financial crime does not primarily arise at the point of issuance or redemption, where often there is a requirement for CDD, but rather:
The majority of illicit activity in stablecoins occurs in the secondary market.
(FATF, Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions (March 2026), paras 29-30).
Specifically, risk arises in P2P transactions between self-custody wallets where there is no interaction with a regulated intermediary; this is where the opportunity for illicit activity occurs.
This highlights the different risks of traditional finance and stablecoin systems. In bank payments, parties are identifiable and transactions flow through heavily regulated payment infrastructure, but the challenges arise from fragmented information and lack of communication across institutions and jurisdictions. In contrast, stablecoin usage provides a consolidated and transparent record of transactions, but the public record may lack reliable information about the identities of the parties involved and, in the case of P2P transactions, the ways to intervene and enforce controls may be limited. The challenge therefore shifts from limited transaction data to limited identity attribution and limited regulatory enforceability.
The emerging AML/FC regime
In the absence of fully-fledged regulatory regimes for cryptoasset activities, the UK and other jurisdictions have limited AML/FC regulation addressing stablecoins. An important AML/FC measure specifically addressing cryptoasset transfers is the “travel rule”, developed by FATF and implemented in the UK through regs 64A-64H of the MLRs. The travel rule requires cryptoasset exchange providers and custodian wallet providers to ensure that specified information about the originator and beneficiary accompanies each “inter-cryptoasset business transfer” that they are involved in, including names and account numbers or unique transaction identifiers. The travel rule faces several practical challenges. It applies only to transfers involving at least one cryptoasset business carrying on business in the UK, meaning P2P transfers between self-custody wallets fall outside its scope. As businesses take advantage of programmability and transferability of stablecoins, there are many complex and partly self-custody transactions for which it is not clear how the rule applies. Implementation across jurisdictions varies, meaning UK firms sending to non-implementing jurisdictions must take a risk-based approach to whether to proceed with incomplete information.2
The UK’s wider AML/FC framework reflects an extension of traditional regulation: issuers are required to conduct CDD for any direct issuance or redemption activity and monitor those business relationships. This allows for controls to be applied when stablecoins enter or exit the traditional financial system. As stablecoins circulate through the secondary market, via exchanges or payment service providers, these entities are expected to apply similar controls.
A key aspect of the FCA’s wider regulatory proposals is that authorised firms, including stablecoin issuers, exchanges and custodians will be required to allocate senior management responsibility for financial crime compliance and accountability. This requires financial crime risks to be owned and managed at senior levels within firms.
Notably the proposals are yet to determine how to make use of the technological and analytical capabilities of stablecoins. The focus to date has understandably been on extending established requirements into the emerging digital assets sector.
Developing the future legal toolkit
The programmability of stablecoins introduces the possibility of embedding financial crime controls directly into the asset itself. Issuers, and to a more limited extent, custodial wallet providers who manage private keys on behalf of users have the ability to freeze, restrict or condition transfers. This could enable issuers to respond to suspected illicit activity with near real-time interventions, targeted at specific stablecoins and wallets wherever they are in the world. This gives issuers abilities that far exceed the speed and reach of traditional mechanisms, which typically involve the relatively blunt freezing of whole accounts, long after loosely connected suspicious transactions have already taken place and the money is out of reach. In practice, today, the primary mechanism for reporting suspected financial crime involves submitting a SAR to the NCA and where a specific transaction is involved, a Defence Against Money Laundering (DAML) or Defence Against Terrorist Financing (DATF). These reports are then disseminated to the relevant law enforcement authorities, who require time to investigate and gather evidence of suspected wrongdoing. This process typically occurs some time after the event, on a much slower timescale than the movement of funds, particularly in relation to digital assets transactions. With blockchain technology, stablecoins and wallets can be instantly taken out of use, wherever they have got to in the money laundering or financial crime chain.
However, this raises a legal question: to what extent should private firms act in a monitoring and enforcement role that is usually performed by public authorities? Should issuers monitor and act proactively, potentially freezing or restricting third parties’ assets in the absence of a formal law enforcement request. In doing so, issuers risk stepping into a quasi-public enforcement role, making determinations about suspicious activity and effectively exercising control over users’ private property without legal authority.
Currently, stablecoin AML/FC regulatory regimes have not expressly tackled these questions. Any legal basis for issuers or wallet providers proactively taking such steps would be somewhat novel. Stablecoin issuers generally have a small set of direct customers for issuance and redemption and no direct relationship with the broader population of holders in secondary markets. They may therefore lack contractual relationships on which to base such action. They may also lack access to sufficient or reliable customer due diligence information from which to have the certainty needed before making drastic interventions with third parties’ private property. Given the global nature of stablecoins, there are inevitable conflicts of law questions around which law governs an intervention by the issuer or wallet provider.
A further complication arises from the reliability of blockchain analytics to support such interventions. While these tools have significantly enhanced the ability to trace transaction flows and attribute illicit activity, attribution in practice has been shown in some cases to be incorrect. In the UK, to submit a SAR, DAML or DATF, the financial institution must do so on the basis that the institution knows or suspects, or has reasonable grounds for knowing or suspecting, that a person is engaged in money laundering or terrorist financing ss 330, 335, 336 POCA or ss 19-21ZA TACT. If a private party, such as a stablecoin issuer, freezes a third-party’s stablecoins unilaterally without a court order or NCA direction and without a direct contractual right, the intervention could give rise to claims in tort or breach of property rights. The question of what level of confidence blockchain analytics would need to meet before supporting such an intervention remains untested in the UK courts. At the same time, an issuer’s or custodian’s failure to act where blockchain analytics showed, or could have shown, suspicious activity may attract regulatory scrutiny. This results in a tension whereby stablecoin issuers are increasingly expected to manage financial crime risks in real time, yet lack the legal authority and associated protections to do so. It is an area of active consideration among regulators.
Issuers may seek to rely on provisions for holding the stablecoins in their public facing terms of use to justify actions such as freezing. While this may provide a contractual basis in relation to direct customers, its legal effectiveness is less clear for stablecoins circulating in secondary markets. Many holders will have no direct relationship with the issuer, having obtained the stablecoin from a third party, and may not have agreed to those terms, raising questions as to their legal enforceability, particularly across jurisdictions.
Conclusion
Financial crime is recognised as a somewhat inevitable risk of business. Stablecoins reshape the risk. They offer a degree of traceability that has no equivalent in traditional finance or cash, whilst challenging the regulated intermediary entry points on which the traditional AML/FC framework is built.
The emerging regulatory regimes represent a meaningful step towards strengthening financial crime controls in the stablecoin sector. However, effectiveness will depend on careful use of technological solutions, while recognising the legal and operational limits of individual firms applying the controls. The task for lawmakers is to develop a regulatory regime that exploits new capabilities without imposing restrictions that undermine the transferability, accessibility and commercial viability that make stablecoins useful or, worse, drive activity offshore and beyond regulatory visibility.
Further Reading
- When code meets compliance: the institutional turn in Decentralised Finance (2026) 2 JIBFL 105.
- The role of financial market infrastructure for stablecoins (2026) 1 JIBFL 3.
- Lexis+® UK: LexisPSL Financial Services Practical Guidance: Practice Note: UK regulation of cryptoassets.