By establishing a framework based on the principle of 'general law' and broadly defining the function of 'payment instruments', future innovations can be automatically included in the regulatory view, thereby breaking the passive cycle of 'innovation-regulation-re-innovation-re-regulation' and guiding financial innovation towards directions that are more beneficial to social welfare.
Article authors: Andrea Minto, Anneke Kosse, Takeshi Shirakami and Peter Wierts, BIS
Article compilation, source: Ma Yimeng, FinTech Research Institute
In March 2026, the Bank for International Settlements (BIS) published a working paper 'From cash to crypto: towards a consistent regulatory approach to illicit payments'. This paper discusses the challenges faced by anti-money laundering and counter-terrorist financing (AML/CFT) regulation in the context of the diversification of payment instruments. The article proposes a conceptual framework to analyze the regulatory arbitrage risks arising from the different levels of intermediary participation in various payment instruments, namely the 'waterbed effect'.
By analyzing the evolution of EU regulation, the article points out that to achieve regulatory effectiveness, a balance must be struck between general law (lex generalis) and special law (lex specialis). The Research Institute of Fintech at Renmin University of China (WeChat ID: ruc_fintech) has compiled this study.
1. Introduction
With the rapid development of financial technology, we are experiencing a profound transformation in payment methods. From traditional cash and bank deposits to electronic money and emerging cryptoassets, as well as the highly discussed retail central bank digital currencies (CBDC), the range of available payment tools has never been richer.
This diversification promotes competition and financial inclusion on one hand, but also brings new risks on the other. Each payment tool can potentially be exploited by criminals for money laundering (ML) or terrorist financing (TF), thereby undermining the integrity and stability of the financial system.
For a long time, regulatory authorities in various countries have addressed these risks through anti-money laundering and anti-terrorism financing (AML/CFT) frameworks, requiring obligated entities such as financial institutions to fulfill obligations such as customer due diligence (CDD), transaction monitoring, and suspicious transaction reporting.
However, regulation does not operate in a vacuum. When new payment tools emerge, regulatory frameworks need to be continuously adjusted to accommodate them. But different payment tools have essential differences in design, especially regarding the degree of reliance on intermediaries, which may lead to inconsistencies in regulatory rules between these tools.
This inconsistency can trigger a 'waterbed effect': when regulators strengthen regulation in a particular payment area (such as bank transfers) and close loopholes, the flow of funds may shift like the pressed side of a waterbed to another area with relatively loose regulation (such as certain cryptocurrencies). This behavioral adjustment, whether it is malicious regulatory arbitrage or legitimate users choosing for privacy reasons, will undermine the overall effectiveness of regulation.
Therefore, the core question of this article is: How do anti-money laundering and anti-terrorism financing frameworks influence, or even distort, users' choices of payment tools? The author aims to explore how to achieve a more consistent and effective regulatory path among different payment tools by constructing a conceptual framework and using the EU's regulatory practices as a case study.
2. Conceptual framework: Anti-money laundering/anti-terrorism financing measures and their interaction with payment tool choices
Intermediary roles and regulatory arbitrage
The core of this article is a qualitative analysis framework based on differences in payment tool design. The core variable of this framework is the degree of participation of intermediaries. The author categorizes payment tools into two main classes based on this variable:
Intermediary-dependent tools: Including bank deposits, electronic money, custody wallets for cryptocurrencies, and online retail central bank digital currencies. These transactions go through one or more regulated intermediaries, which act as 'obliged entities' to perform customer due diligence, monitor transactions, and report suspicious activities to Financial Intelligence Units (FIUs). Therefore, such tools are designed to have a higher probability of detecting illegal transactions.
Non-intermediary-dependent tools: Including cash, self-custody wallets for cryptocurrencies, and offline retail central bank digital currencies. In these transactions, no intermediaries are authorized or able to assume the role of 'gatekeepers.' Transaction information is primarily limited to the payer and payee. Therefore, theoretically, the design of these tools leads to a lower detection probability.
Based on this, the model derives the first key hypothesis: malicious actors will choose the payment tools with the lowest expected detection probability to maximize their expected net gains from illegal activities. Among non-intermediary-dependent tools, cash has the highest anonymity, but its physical form limits its practicality in large and remote transactions.
Self-custody wallets may become a more attractive alternative, as they offer a combination of high anonymity and digital convenience. Although offline central bank digital currencies may leave electronic traces, if designed without intermediary involvement, their risks are also higher than intermediary-dependent tools.
Waterbed effect and regulatory response
The second key part of the framework describes the dynamic game between behavioral adjustments and regulatory responses. When regulators strengthen the regulation of a particular type of tool, for instance, by implementing strict monitoring of bank deposits, it raises its 'cost of use' (which for malicious actors is the risk of detection).
According to the 'waterbed effect,' malicious activities will shift to other payment tools with weaker regulation and lower detection probabilities (such as self-custody wallets). This arbitrage behavior undermines the overall effectiveness of regulation, forcing regulators to intervene. The intervention usually expands the regulatory scope, incorporating newly emerging, uncovered payment tools into the framework, thereby triggering a new round of behavioral adjustments.
This dynamic cycle explains why anti-money laundering and anti-terrorism financing frameworks are constantly evolving and 'chasing' technological innovations. This effect exists not only between different payment tools but may also arise across different jurisdictions, forming geographical regulatory arbitrage.
Side effects for legitimate users: Privacy and freedom of choice
The third part of the framework considers the side effects of regulation on legitimate users. Anti-money laundering and anti-terrorism financing measures, while necessary to combat crime, inevitably infringe on users' informational privacy.
Transaction monitoring and data sharing mean that some personal information of users is held by third parties (intermediaries, regulatory authorities). This trade-off between privacy and financial integrity is a core contradiction that cannot be avoided in regulatory design. Even if entirely for legal purposes, some users may prefer payment tools with higher privacy protection due to concerns about data security or a value orientation that 'payments are a private matter.'
Therefore, legitimate users and malicious actors may converge in behavior: both prefer non-intermediary-dependent tools. However, the reasons are entirely different: malicious actors aim to evade regulation, while legitimate users seek to maintain privacy and personal freedom. This complicates policy-making, as tightening regulation purely to close loopholes may excessively sacrifice the freedoms of ordinary citizens.
3. Legal analysis: Taking the EU as an example
Since 1991, the EU has been continuously evolving its anti-money laundering and anti-terrorism financing framework, initially focused on banks and other financial institutions, gradually expanding to accountants, lawyers, and real estate intermediaries, and ultimately in the reforms of 2018 and 2024, explicitly including Crypto-Asset Service Providers (CASPs) under regulation. This evolution clearly shows the framework's continuous adaptation to new risks. However, case studies also reveal inconsistencies in the current framework, which may trigger the 'waterbed effect.'
Cash: The EU has introduced a cash transaction limit of 10,000 euros, directing large transactions toward tools involving intermediaries.
Self-custody wallets: For such non-intermediated tools, regulation mainly relies on monitoring their 'touch points' with intermediaries (such as when converting crypto assets into fiat currency). However, there is currently no transaction or holding limit established similar to cash.
Offline digital euro: In the European Commission's proposal for a digital euro, offline transactions are designed to be without intermediary involvement to provide a cash-like privacy experience. To balance risks, the proposal authorizes the European Commission to set limits for such transactions, but this has not yet been finalized.
4. Constructing a unified regulatory path for anti-money laundering/anti-terrorism financing: Conclusions and recommendations
Based on the above analysis, the article proposes a core policy recommendation: adopt a regulatory model combining 'general law' and 'special law' to achieve both consistent and flexible regulatory effects.
General law (Lex Generalis): Refers to the principle and core requirements applicable to all payment instruments with similar characteristics. Specifically, for all payment tools involving intermediaries (bank deposits, electronic money, online central bank digital currencies, custody wallets), a unified regulatory 'baseline' should be established. This means that all such intermediaries should bear the same basic obligations: to conduct customer due diligence, monitor transactions, maintain records, and report suspicious transactions. At the same time, privacy and data protection standards applicable to these intermediaries should also be unified as much as possible to ensure that the trade-off between privacy and integrity is consistent across the industry.
Special law (Lex Specialis): Refers to supplementary and targeted rules established based on general law for the unique design or function of specific payment tools. For example:
For cash, its physical characteristics make it difficult for general law to apply directly, so special laws, such as the transaction limit of 10,000 euros, are needed as a supplement.
For offline central bank digital currencies, since they are deliberately designed to exclude intermediaries to provide a cash-like experience, special laws are also needed to manage their risks, such as setting transaction and holding limits.
For self-custody wallets, special laws are also needed to address the unique challenges they present. This may include further strengthening the regulation of 'touch points' with intermediaries or exploring ways to achieve compliance technologically (for example, by setting limits at the protocol level), as well as enhancing responsibility requirements for wallet service providers (even if they do not directly hold assets).
For payment tools that do not rely on intermediaries, regulators need to move beyond the traditional model of 'intermediary accountability' and explore more diverse regulatory tools. This may include:
Utilizing touch points: Strengthen the monitoring of all illegal funds entering or exiting the non-intermediated domain.
Setting transaction limits: As done for cash and offline central bank digital currencies, and using it as a universal risk management tool. For self-custody wallets, while enforcing such limits is technically challenging, it is not impossible and is a promising direction for future exploration.
Enhancing issuer responsibility: Requiring the issuers of payment instruments (such as cash issuance departments of central banks, stablecoin issuers) to take on more anti-money laundering/anti-terrorism financing responsibilities, for example by taking more proactive measures (such as stopping the issuance of large denomination banknotes, freezing suspicious addresses, etc.) to maintain the integrity of their issued instruments.
Increasing the cost of violations: Stricter penalties for individuals or entities using non-intermediated payment tools for transactions in professional activities can be established.
Finally, the article emphasizes that a truly effective anti-money laundering/anti-terrorism financing framework must be proactive and adaptable. In the future, there will inevitably be more innovative payment tools that we cannot foresee today. By establishing a framework based on the principle of 'general law' and broadly defining the function of 'payment instruments', future innovations can be implicitly included in the regulatory view, thereby breaking the passive cycle of 'innovation-regulation-re-innovation-re-regulation' and guiding financial innovation toward outcomes more beneficial to social welfare.