BIS Crypto AML Scoring: Supplement or Regulatory Workaround?

2025-09-05

On a sweltering August afternoon in Basel, Switzerland, the Bank for International Settlements – that temple of monetary orthodoxy where central bankers gather to genuflect before the altar of financial stability – released a bulletin that would have made Satoshi Nakamoto chuckle from whatever crypto-anarchist bunker he’s presumably hiding in.

 

The document, dense with the kind of bureaucratic prose that could anesthetize a rhinoceros, proposed something remarkable: that instead of requiring cryptocurrency businesses to actually know who their customers are, regulators should simply trust a sophisticated scoring algorithm to separate the financial wheat from the criminal chaff.

The bulletin’s authors – a quintet of economists with the kind of résumés that inspire respectful nods at Davos cocktail parties – had stumbled upon what they believed to be a profound insight.

The cryptocurrency industry has spent more than a decade arguing that it deserves special treatment. Blockchain technology, the argument goes, is so revolutionary that traditional regulatory approaches simply don’t apply. This has led to a peculiar form of regulatory capture where the industry’s talking points have been so thoroughly internalized by policymakers that they’ve begun to sound like crypto evangelists themselves.

What we’re witnessing is crypto industry lobbying disguised as academic research. The BIS proposal is carefully designed to appear sophisticated with technical blockchain jargon, sound reasonable to regulators who don’t understand the technical reality, avoid real KYC costs for crypto businesses, and maintain the anonymity that makes crypto attractive to criminals in the first place. It’s a masterclass in regulatory arbitrage – finding ways to look compliant while avoiding compliance entirely.

The cryptocurrency industry’s fifteen-year experiment in self-regulation has produced exactly the results that any rational observer would have predicted: a thriving ecosystem for financial crime that processes tens of billions of dollars in illicit transactions each year. The BIS proposal represents not a solution to this problem but a sophisticated rationalization for continuing to ignore it.

The BIS bulletin represents the apotheosis of this trend – a document that reads like it was ghostwritten by a cryptocurrency lobbying firm and then translated into central banker speak. Its authors seem genuinely convinced that they’re proposing something innovative rather than simply finding an elaborate way to avoid doing the hard work of actual financial regulation.

The Bank for International Settlements’ August 2025 bulletin proposing AML compliance scoring for cryptoassets represents a fundamental paradigm shift that, while technically innovative, poses significant risks of undermining traditional KYC requirements through systematic workarounds and consumer protection erosion. The evidence suggests this is less a genuine supplement than a potential pathway for regulatory avoidance.

 

The core transformation: from customer to token surveillance

The BIS approach explicitly abandons traditional “Know Your Customer” frameworks in favor of “Know Your Token” methodologies. Rather than verifying customer identities and beneficial ownership, the system assigns compliance scores (0-100) to crypto assets based on their blockchain transaction histories. Clean tokens score near 100, while those connected to illicit activity approach zero. This represents the most significant departure from established AML principles since the Bank Secrecy Act’s creation.

The BIS acknowledges this shift directly, stating that “existing anti-money laundering approaches relying on trusted intermediaries have limited effectiveness with decentralised record-keeping in permissionless public blockchains.” However, positioning technical limitations as justification for abandoning customer identification requirements raises fundamental questions about regulatory integrity.

 

Traditional KYC versus blockchain scoring: incompatible philosophies

Traditional KYC/AML frameworks center on four critical pillars: customer identification and verification, beneficial ownership transparency, understanding business relationships, and ongoing monitoring through regulated intermediaries. These systems, refined over decades, ensure human accountability and regulatory oversight at institutional chokepoints.

The BIS scoring system operates on entirely different principles. It leverages blockchain transparency to track token provenance rather than customer behavior, creating compliance scores that travel with assets across the blockchain. While technically sophisticated, this approach eliminates the human oversight and institutional accountability that makes traditional AML effective.

The philosophical divide is stark: traditional systems assume regulated institutions should know their customers and bear liability for compliance failures. The BIS approach assumes blockchain analytics can replace human judgment while shifting compliance burdens to end users.

 

Expert consensus reveals fundamental concerns

Compliance professionals acknowledge potential efficiency gains through automation but highlight critical concerns: false positives affecting legitimate users, difficulty handling privacy coins, and the lack of appeal mechanisms for incorrect scoring. Most significantly, they note the system could create market segmentation where “tainted” tokens trade at discounts, potentially penalizing innocent recipients.

 

The “duty of care” shift: abandoning consumer protection

The most troubling aspect of the BIS proposal is its explicit shift of compliance responsibility from regulated institutions to individual users. The bulletin states users “could reasonably be expected to exercise a duty of care in transacting with crypto tokens by checking beforehand if a crypto coin is known to be compromised.”

This represents a complete reversal of consumer protection principles developed over decades. Traditional financial regulation assumes sophisticated institutions should protect unsophisticated consumers, not the reverse. Requiring individuals to conduct blockchain forensics before accepting payments fundamentally undermines this protection framework.

The BIS acknowledges this shift could penalize users who received tainted assets “in good faith”, but dismisses these concerns by assuming “widespread and affordable compliance service providers” will emerge. This assumption places the burden of proof on consumers rather than maintaining institutional liability for due diligence.

 

Allow lists versus comprehensive due diligence

The BIS framework introduces three compliance stringency levels: allow lists (accepting only KYC-verified tokens), intermediate approaches (multiple screening criteria), and deny lists (rejecting only directly identified illicit addresses). While seemingly flexible, this creates a parallel compliance system that operates independently of traditional KYC requirements.

Traditional KYC requires comprehensive customer due diligence regardless of transaction history. The BIS approach allows institutions to accept anonymous transactions based solely on algorithmic scoring, potentially eliminating customer identification requirements entirely. A user with a “clean” token score could access financial services without providing identity verification, beneficial ownership information, or business relationship documentation.

This represents a fundamental weakening of customer due diligence. Token cleanliness does not equal customer legitimacy. Sophisticated money launderers could easily generate high-scoring tokens through layering techniques while maintaining complete anonymity.

 

International regulatory arbitrage opportunities

The BIS framework explicitly allows “each jurisdiction adopting its own variation of the approach” with different risk tolerances. This creates obvious regulatory arbitrage opportunities where crypto firms can seek the most favorable scoring thresholds while maintaining global market access.

Unlike traditional KYC requirements that maintain consistent customer identification standards across jurisdictions, the BIS approach enables forum shopping between compliance regimes. Exchanges could incorporate in jurisdictions with permissive scoring thresholds while serving customers worldwide, effectively undermining consistent global AML enforcement.

The lack of international coordination mechanisms compounds this problem. While FATF coordinates traditional AML standards globally, no equivalent framework exists for blockchain scoring systems, creating opportunities for regulatory fragmentation and competitive deregulation.

 

Blockchain analytics: enhancement versus replacement

The crypto industry has used blockchain analytics tools from companies like Chainalysis and TRM Labs for years to enhance traditional KYC compliance. These tools supplement rather than replace customer identification requirements, helping institutions identify suspicious transaction patterns while maintaining comprehensive customer due diligence.

The BIS approach fundamentally differs by positioning blockchain analytics as a complete replacement for customer identification. Rather than using transaction analysis to enhance human oversight, it eliminates human verification entirely. This represents a categorical shift from enhancement to substitution.

Existing blockchain analytics serve traditional compliance by flagging suspicious patterns for human review. The BIS system would automate compliance decisions without human verification, potentially missing contextual factors that experienced compliance officers would identify.

 

Consumer protection degradation

The BIS framework creates a two-tier market where token provenance determines access to financial services rather than customer legitimacy. Clean tokens provide unrestricted access while tainted tokens face restrictions, regardless of user circumstances.

This system penalizes users for factors beyond their control. Someone who unknowingly accepts a tainted payment could face financial service restrictions without recourse or appeal mechanisms. Traditional KYC provides customer-focused remediation processes, while token-based scoring offers no equivalent protections.

The approach also reduces cryptocurrency fungibility, creating different classes of tokens with varying liquidity and acceptance. This fundamentally alters cryptocurrency’s value proposition while creating potential discrimination against legitimate privacy-seeking users.

 

Risk of regulatory capture

The crypto industry has strong incentives to promote blockchain scoring as superior to traditional KYC. The BIS framework provides authoritative justification for reducing customer identification requirements while maintaining claims of regulatory compliance. This creates obvious opportunities for regulatory capture.

Industry lobbying can leverage the BIS proposal to argue against enhanced KYC requirements, claiming blockchain analytics provide superior compliance without recognizing their fundamental limitations. The technical sophistication of blockchain scoring may obscure its regulatory inadequacies to policymakers unfamiliar with traditional AML principles.

The framework’s emphasis on technological solutions over institutional accountability aligns perfectly with crypto industry preferences for minimal human oversight and maximum regulatory flexibility.

 

Core KYC objectives undermined

Traditional KYC serves three essential functions: customer identification (establishing who is conducting transactions), beneficial ownership transparency (understanding ultimate control), and ongoing monitoring (detecting suspicious patterns). The BIS scoring system fails to address any of these objectives comprehensively.

Customer identification disappears entirely under token-based compliance. Users with clean tokens can access services anonymously, eliminating regulatory visibility into actual transaction parties. Beneficial ownership becomes impossible to establish when compliance depends on algorithmic scoring rather than corporate structure verification.

Ongoing monitoring shifts from human-supervised institutional surveillance to automated algorithmic assessment without contextual understanding. This eliminates the nuanced judgment that makes traditional AML effective against sophisticated laundering schemes.

 

Parallel system dangers

Perhaps most concerning, the BIS approach enables development of a parallel financial system that operates adjacent to traditional oversight. Crypto firms could create blockchain-native compliance frameworks that satisfy technical requirements while avoiding substantive regulatory scrutiny.

This parallel system could process significant transaction volumes while providing minimal visibility to financial intelligence units, law enforcement, and regulatory authorities. Unlike traditional banking surveillance that enables investigation and prosecution, blockchain scoring systems may provide compliance theater without enforcement capability.

The technical complexity of blockchain analytics creates information asymmetries where regulators struggle to assess actual compliance effectiveness, enabling sophisticated avoidance strategies disguised as innovative compliance solutions.

 

Conclusion: workaround disguised as innovation

The evidence overwhelmingly suggests the BIS AML compliance scoring approach represents a sophisticated regulatory workaround rather than a genuine supplement to traditional KYC requirements. While technically innovative, the framework systematically undermines core compliance principles through the elimination of customer identification, the erosion of consumer protection, and the development of a parallel system.

The approach fails the fundamental test of regulatory integrity: rather than maintaining traditional KYC objectives while adapting to new technology, it abandons these objectives entirely in favor of algorithmic substitutes. The shift from institutional liability to user responsibility represents a complete reversal of financial consumer protection principles.

Most critically, the framework provides authoritative justification for crypto industry efforts to avoid meaningful KYC compliance while maintaining regulatory legitimacy claims. This creates significant risks of regulatory capture and competitive deregulation that could undermine decades of AML framework development.

Effective crypto regulation should enhance traditional KYC through technological tools rather than replacing human oversight with algorithmic scoring. The BIS approach represents a fundamental step backward that prioritizes technical convenience over regulatory effectiveness and consumer protection.

 

The real world, meanwhile, continues to operate according to rather more prosaic principles. When the Department of Justice arrested the operators of Samourai Wallet – a cryptocurrency mixing service that allegedly laundered more than two hundred million dollars for cybercriminals – they didn’t rely on blockchain analytics or compliance scores. They used traditional investigative techniques: following the money, identifying the people behind the wallets, and building cases based on evidence that would hold up in court.

This is the uncomfortable truth that the BIS researchers seem determined to ignore: effective anti-money laundering enforcement requires identifying actual human beings and holding them accountable for their actions. All the algorithmic sophistication in the world cannot substitute for the basic requirement that financial institutions know who their customers are and what they’re doing.

The proposal’s authors do acknowledge, almost in passing, that their system would require “defining which actor is responsible for preventing illicit flows”. But they treat this as a minor implementation detail rather than the central question it actually is. In traditional finance, responsibility is clear: banks and other financial institutions are required to verify customer identities, monitor transactions, and report suspicious activity to government authorities. They face severe penalties if they fail to meet these obligations.

 

The cryptocurrency industry has fought tooth and nail against similar requirements, arguing that decentralization makes traditional compliance impossible. But this is a bit like arguing that the invention of the automobile made traffic laws obsolete. New technologies may require new approaches to regulation, but they don’t suspend the basic social contract that governs financial services.

Nothing can replace normal know-your-customer protocols. Every other financial service provider must know who their customers are, verify their identities, monitor their transactions, and report suspicious activity. These aren’t antiquated bureaucratic rituals – they’re the fundamental building blocks of a financial system that doesn’t collapse under the weight of its own criminality.

The BIS proposal would allow cryptocurrency businesses to outsource their compliance obligations to an algorithm while avoiding the inconvenient necessity of actually knowing who their customers are. The researchers are essentially saying: “Instead of requiring crypto businesses to know their customers like every other financial institution, let’s create a complicated scoring system that sounds technical but doesn’t actually identify people”. It’s a solution that would be perfect if money launderers were the kind of people who follow rules and give up when faced with minor technical obstacles.

Unfortunately, the criminal organizations that move hundreds of billions of dollars through the international financial system each year tend to be somewhat more resourceful than that. They employ teams of programmers, maintain relationships with corrupt officials in multiple jurisdictions, and adapt their techniques faster than regulators can update their guidelines. The idea that they would be stymied by a compliance scoring system is charming in its naivety.

Perhaps most tellingly, the bulletin’s authors seem unaware that they’re proposing to solve a problem that has already been solved. Blockchain analytics companies like Chainalysis and Elliptic have been providing transaction scoring services for years, and major cryptocurrency exchanges already use these tools to flag suspicious activity. The difference is that these companies understand their limitations: they provide additional intelligence to support human decision-making rather than replacing it entirely.

The BIS researchers, by contrast, seem to believe they’ve discovered a silver bullet that will allow regulators to have their cake and eat it too – maintaining the fiction that cryptocurrencies are somehow exempt from normal financial regulations while still preventing them from becoming a playground for international criminal organizations.

It’s a seductive fantasy, but it’s still a fantasy. The real world of money laundering is messier, more sophisticated, and more human than any algorithm can capture. Stopping it requires the kind of old-fashioned police work that involves identifying suspects, gathering evidence, and building cases that can withstand scrutiny in a courtroom.