Authors: Andrea Minto, Anneke Kosse, Takeshi Shirakami and Peter Wierts, BIS
Compiled by: Ma Yimeng , FinTech Research Institute
In March 2026, the Bank for International Settlements (BIS) published a working paper, "From cash to crypto: towards a consistent regulatory approach to illicit payments." This paper explores the challenges facing anti-money laundering and counter-terrorist financing (AML/CFT) regulation in the context of diversified payment instruments. The paper proposes a conceptual framework to analyze the regulatory arbitrage risk arising from different payment instruments due to varying levels of intermediary involvement, namely the "waterbed effect."
By analyzing the evolution of EU regulation, the article points out that achieving effective regulation requires a balance between general law and special law. This research was translated by the Institute of Fintech at Renmin University of China (WeChat ID: ruc_fintech).
I. Introduction
With the rapid development of financial technology, we are experiencing a profound transformation in payment methods. From traditional cash and bank deposits to electronic money, and then to emerging crypto assets and the much-discussed retail central bank digital currency (CBDC), the range of payment instruments available is more abundant than ever before.
This diversification has fostered competition and financial inclusion, but it has also introduced new risks. Every payment instrument can be exploited by criminals for money laundering (ML) or terrorist financing (TF), thereby undermining the integrity and stability of the financial system.
For a long time, regulatory agencies in various countries have addressed these risks through anti-money laundering and counter-terrorist financing (AML/CFT) frameworks, requiring financial institutions and other "obligated entities" to fulfill obligations such as customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting.
However, regulation does not operate in a vacuum. As new payment instruments emerge, the regulatory framework needs to be constantly adjusted to accommodate them. But the fundamental differences in the design of different payment instruments, especially their varying degrees of reliance on intermediaries, can lead to inconsistencies in regulatory rules among these instruments.
This inconsistency can trigger a "waterbed effect": when regulators tighten oversight in one area of payments (such as bank transfers) and close loopholes, funds may flow like the side of a waterbed being pressed down, shifting to another area with relatively looser regulation (such as certain cryptocurrencies). This behavioral shift, whether due to malicious regulatory arbitrage or legitimate users' privacy concerns, undermines the overall effectiveness of regulation.
Therefore, the core question of this article is: how do anti-money laundering and counter-terrorist financing frameworks affect, or even distort, users' choices of payment instruments? The author aims to explore how to achieve a more consistent and effective regulatory path across different payment instruments by constructing a conceptual framework and using EU regulatory practices as a case study.
II. Conceptual Framework: Anti-Money Laundering/Counter-Terrorist Financing Measures and Their Interaction with Payment Instrument Choice
Intermediary role and regulatory arbitrage
The core of this paper is a qualitative analytical framework based on differences in payment instrument design. The central variable in this framework is the degree of involvement of intermediaries . Based on this variable, the authors categorize payment instruments into two main types:
Intermediary-dependent instruments include bank deposits, electronic money, custodial wallet crypto assets, and online retail central bank digital currencies. These transactions pass through one or more regulated intermediaries who act as "obligated entities" to perform customer due diligence, monitor transactions, and report suspicious activity to the Financial Intelligence Unit (FIU). Therefore, these instruments are designed to have a high probability of detecting illicit transactions.
Intermediary-free instruments include cash, self-custodied wallet crypto assets, and offline retail central bank digital currencies. In these transactions, no intermediary is authorized or capable of acting as a "gatekeeper." Transaction information is primarily limited to the payer and payee. Therefore, theoretically, the design of these instruments leads to a lower probability of detection.
Based on this, the model derives its first key assumption: malicious actors will choose the payment instrument with the lowest expected detection probability to maximize the expected net profit of their illegal activities. Among non-intermediary-dependent instruments, cash offers the highest anonymity, but its physical form limits its practicality in large-value, long-distance transactions.
Self-custodial wallets may be a more attractive alternative due to their combination of greater anonymity and digital convenience. While offline central bank digital currencies (CBDCs) also leave electronic traces, their risks are higher than those of intermediary-dependent instruments if designed without intermediaries.
Waterbed effect and regulatory response
The second key part of the framework describes the dynamic game between behavioral adjustment and regulatory response. When regulators strengthen the regulation of a certain type of tool, such as imposing strict monitoring on bank deposits, this increases its "cost of use" (which is the risk of detection for malicious actors).
According to the "waterbed effect," malicious activities tend to shift to other payment instruments with weaker regulation and lower detection probabilities (such as self-custodied wallets). This arbitrage weakens the effectiveness of overall regulation, forcing regulators to intervene. Intervention typically involves expanding the scope of regulation to include newly emerging, previously unregulated payment instruments, thereby triggering a new round of behavioral adjustments.
This dynamic cycle explains why anti-money laundering and counter-terrorist financing frameworks are constantly evolving and "catching up" with technological innovations. This effect exists not only between different payment instruments but also between different jurisdictions, creating geographical regulatory arbitrage.
Side effects of legitimate users: privacy and freedom of choice
The third part of the framework considers the side effects of regulation on legitimate users. While anti-money laundering and counter-terrorist financing measures are necessary in combating crime, they inevitably infringe on users' informational privacy.
Transaction monitoring and data sharing mean that some of users' personal information is held by third parties (intermediaries, regulatory agencies). This trade-off between privacy and financial integrity is a core contradiction that cannot be avoided in regulatory design. Even for entirely legitimate purposes, some users may choose payment tools with higher privacy protection due to concerns about data security or the value orientation that "payment is a private matter."
Therefore, legitimate users and malicious actors may exhibit similar behaviors: both preferring non-mediation-dependent tools. However, their reasons are quite different: malicious actors aim to evade regulation, while legitimate users seek to protect their privacy and personal freedom. This complicates policymaking, as simply tightening regulations to close loopholes could unduly sacrifice the freedom of ordinary citizens.
III. Legal Analysis: Taking the European Union as an Example
Since 1991, the EU has continuously evolved its anti-money laundering and counter-terrorist financing framework, initially expanding from banks and other financial institutions to accountants, lawyers, and real estate agents, culminating in reforms in 2018 and 2024 that explicitly included crypto-asset service providers (CASPs) under regulation. This evolution clearly demonstrates the framework's trajectory of adapting to new risks. However, case studies also reveal inconsistencies within the current framework, potentially triggering a "waterbed effect."
Cash : The EU has introduced a €10,000 cap on cash transactions, directing large transactions toward instruments with intermediaries.
Self-custodial wallets : For these types of tools that do not involve intermediaries, regulation mainly relies on monitoring their "touchpoints" with intermediaries (such as when converting crypto assets into fiat currency). However, there are currently no transaction or holding limits similar to those for cash.
Offline Digital Euro : In the European Commission's proposal for a digital euro, offline transactions are designed to be uninterrupted, providing a cash-like privacy experience. To balance the risks, the proposal authorizes the European Commission to set limits on such transactions, but this has not yet been finalized.
IV. Establishing a unified regulatory framework for anti-money laundering/counter-terrorist financing: Conclusions and Recommendations
Based on the above analysis, the article proposes a core policy recommendation: to adopt a regulatory model that combines "general law" and "special law" to achieve a regulatory effect that is both consistent and flexible.
Lex Generalis refers to the application of uniform and universal principles and core requirements to all payment instruments with similar characteristics. Specifically, it establishes a unified regulatory baseline for all payment instruments involving intermediaries (bank deposits, electronic money, online central bank digital currencies, custodial wallets). This means all such intermediaries should bear the same basic obligations: conducting customer due diligence, monitoring transactions, maintaining records, and reporting suspicious transactions. Simultaneously, privacy and data protection standards applicable to these intermediaries should be as uniform as possible to ensure a consistent trade-off between privacy and integrity across the industry.
Special laws (Lex Specialis) : These are supplementary and targeted rules formulated based on general laws, taking into account the unique design or function of specific payment instruments. For example:
Cash 's physical properties make it difficult to apply general laws directly, thus requiring special laws, such as a transaction limit of 10,000 euros, as a supplement.
Offline central bank digital currencies , because they are designed to eliminate intermediaries in order to provide a cash-like experience, also require special laws to manage their risks, such as setting transaction and holding limits.
For self-custodial wallets , special legislation is also needed to address the unique challenges they present. This may include further strengthening the regulation of “touchpoints” with intermediaries, or exploring technical compliance (e.g., setting limits at the protocol level), as well as strengthening liability requirements for wallet service providers (even if they do not directly custody assets).
For payment instruments that do not rely on intermediaries, regulators need to move beyond the traditional "intermediary accountability" model and explore more diverse regulatory tools. These may include:
Leveraging touch points : Enhance monitoring of all channels through which illicit funds enter or exit the uninterrupted sector.
Set transaction limits: as done for cash and offline central bank digital currencies, and use them as a general risk management tool. For self-custodied wallets, while enforcing such limits is technically challenging, it is not impossible and is a direction worth exploring in the future.
Strengthen issuer responsibility: Require issuers of payment instruments (such as the cash issuing department of central banks and stablecoin issuers) to assume greater responsibility for anti-money laundering/counter-terrorist financing, for example, by taking more proactive measures (such as stopping the issuance of large-denomination banknotes and freezing suspicious addresses) to maintain the integrity of their instruments.
Increase the cost of violations: Stricter penalties can be imposed on individuals or entities that use intermediary-free payment tools for transactions in professional activities.
Finally, the article emphasizes that a truly effective anti-money laundering/counter-terrorist financing framework must be forward-looking and adaptable. The future will inevitably see the emergence of more innovative payment instruments that we cannot foresee today. By developing a framework based on general law principles and broadly defining the function of "payment instruments," future innovations can be implicitly brought under regulatory scrutiny, thereby breaking the passive cycle of "innovation-regulation-re-innovation-re-regulation" and guiding financial innovation in a direction more conducive to social well-being.
