Introduction: The Crypto-Banking Conundrum
The relationship between traditional Financial Institutions (FIs) and the cryptocurrency ecosystem is more intertwined than many realize. Even FIs that avoid direct involvement in crypto face significant exposure through customer-driven transactions, such as debit and credit card purchase on Virtual Asset Service Providers (VASPs). These aggregated flows create under-monitored counterparty risks with serious regulatory and financial implications.
Contrary to the perception that traditional FIs and crypto operate in separate realms, FIs are already deeply embedded in the intersection of fiat and crypto. As this intersection grows, banks, card issuers, acquirers, and other stakeholders must proactively address novel and complex crypto-asset risks. This blog explores myths, realities, and strategies for managing these risks effectively.

Myth #1: “FIs Have No Exposure to Crypto”
The idea that FIs have no exposure to crypto is a myth.  Even without direct involvement, FIs are deeply embedded in the fiat-crypto intersection.  Customers use debits, credit cards and wire transfers to purchase crypto from VASP, creating indirect exposure to FIs.
In 2023, U.S. credit card payments totaled $5.6 trillion[1], with cryptocurrency purchases accounting for approximately 0.08%, around $4.5 billion.  Similarly, EU card-based payments reached €3 trillion in 2023[2], with crypto purchases estimated at €2.4 billion ($2.5 billion). These figures highlight the hidden exposure FIs face through customer-driven crypto transactions.
Even if FIs avoid direct crypto engagement, they remain exposed to risks such as:
Counterparty Risk: VASPs may lack robust AML/CFT controls or face regulatory scrutiny.
Reputational Risk: Fraud or illicit activity linked to crypto purchases can harm a bank’s reputation.
As the fiat-crypto intersection deepens, financial institutions must proactively address these risks to safeguard their operations and comply with evolving regulations.

Myth #2: VASP Counterparty Risk Is Fully Understood
VASP counterparty risk is often misunderstood and underestimated, despite its complexity and significance.  Evaluating a VASP requires navigating a multifaceted landscape, including regulatory compliance, technological infrastructure, and the unique vulnerabilities tied to virtual assets. Unlike traditional risk categories—such as interest rate, credit, liquidity, operational, or geographical risks, VASP counterparty risk remains under-monitored, even though it carries substantial regulatory and financial implications.

Stakeholder Considerations: Various stakeholders—financial institutions, regulatory authorities, central banks, card issuers and acquirers—engage with VASPs based on their specific business needs.  However, determining which VASPs align with their risk appetite is a significant challenge, particularly in the fast-evolving crypto environment. 

Overlooked Aspects: A critical, yet often overlooked area is the use of VASPs by customers for purchasing crypto, as well as the aggregated transaction volumes per VASP and per bank. Identifying high-volume, low-risk VASPs is essential to enable consumer participation in crypto, while maximizing bank revenues and mitigating risks.  Conversely, identifying high-volume, high-risk VASPs is equally important to avoid engaging with entities that pose significant threats.
FIs that fail to effectively quantify or manage VASP counterparty risk face heightened regulatory scrutiny and potential sanctions. This lack of oversight persists despite the growing regulatory and financial stakes associated with VASP counterparty risk.

Reality Check: Unpacking the Dimensions of VASP Counterparty Risk
When evaluating a VASP, several key elements contribute to higher risk and warrant elevated scrutiny:
Size: VASPs with 1M+ active users in the EU or a balance sheet of €3B+ pose greater systemic risks due to their scale and influence.
Complexity of Offerings: The range and sophistication of crypto-asset products or services offered can increase operational and compliance risks.
Geography & Corporate Structure: Complex group structures, often involving multiple legal entities operating across jurisdictions under different legal names, create challenges for transparency and oversight.
KYC Processes: VASPs with robust user identity verification reduce the likelihood of onboarding customers involved in criminal activities, thereby mitigating risk exposure.  
Fiat Capabilities (On/off ramping): VASPs that allow direct fiat deposits or withdrawals may invertedly facilitate money laundering criminal activities, such as converting cash to crypto or vise-versa
Regulatory Compliance: A VASP’s licensing status and adherence to jurisdictional regulations are critical indicators of its risk profile.  
On-Chain Risk Indicators: Monitoring cross-border activities and interaction with high-risk, criminal or sanctioning helps identify potential vulnerabilities.

The Regulatory Landscape: A Growing Focus on VASP Due Diligence
The global regulatory environment is increasingly focused on FIs’ exposure to crypto-related activities, with recent developments emphasizing stricter due diligence and risk management for VASPs. Key global regulatory actions include:

EU’s Markets in Crypto Assets (MiCA) Implementation Guidelines (June 2023): Mandates enhanced AML/CFT checks, transaction monitoring, and customer ID verification. Requires VASPs to register with national regulators and share transaction data under the “Travel Rule” (effective 2024).
European Securities and Markets Authority (ESMA) (February 2025):  Stated[3] that are no low-risk Crypto Asset Service Providers (CASPs), emphasizing the need for heightened scrutiny across the sector.
FED, FDIC & OCC Joint Statement[4] (July 2023): Urged banks to review crypto-related partnerships for compliance with AML rules, liquidity risks, and counterparty due diligence.
Hong Kong’s Monetary Authority (July 2023): Directed banks to treat crypto transactions as “high-risk,” requiring enhanced due diligence for VASP clients.
Singapore’s MAS AML/CFT Updates (August 2023): Expanded due diligence rules for VASPs, including ongoing monitoring of high-risk customers and mandatory reporting of suspicious cross-border transfers.
 
These measures reflect a global push to standardize VASP oversight, prioritize AML/CFT compliance, and mitigate systemic risks from crypto-banking linkages.

VASP Risk Mitigation Strategies for Financial Institutions: A Four-Step Approach
As FIs increasingly engage with crypto markets, proactive risk management is critical. A structured four-step approach can help financial institutions effectively navigate crypto-related risks:

Educate: Train employees in crypto technologies, the evolving landscape of crypto-assets and associated risks.  This establishes a shared understanding across the organization and ensures informed decision-making.
Discover: Monitor aggregated crypto-related transactions at the bank level, including various payment rails (e.g. card payments, wire transfers), and volumes with VASP counterparties. This provides visibility into exposure and potential vulnerabilities.
Assess – Evaluate VASP counterparty risks by examining factors such as KYC standards, jurisdiction compliance and licensing status.  This helps identify high-risk entities and align with regulatory expectations.
Act: Align crypto strategies with the institution’s risk appetite and regulatory requirements.  Implement controls and policies to mitigate risks while enabling informed, strategic decision-making.
By adopting this framework, financial institutions can effectively manage crypto-related risks, maintaining compliance and safeguarding their operations in an evolving digital asset landscape.
 
Conclusion: The Need for a Balanced Approach
The interconnectedness of crypto and traditional banking is undeniable. As customer-driven crypto transactions continue to grow, FIs face hidden risks that demand proactive management. By debunking myths, understanding the realities of VASP counterparty risk, and adopting a structured risk mitigation framework, financial institutions can navigate this evolving landscape with confidence.
Rather than dismissing the crypto sector outright, FI’s must enhance their risk frameworks to address these challenges head-on. A balanced approach—combining education, discovery, assessment, and action—will enable financial institutions to harness the opportunities of crypto while mitigating its risks.
Infocredit Group provides the tools and expertise to assess and mitigate these risks, making crypto payments safer and enabling stakeholders to make informed decisions aligned with their risk appetite.


[1] https://www.clearlypayments.com/blog/payment-processing-usa-2024-market-overview/
[2] EU card-based payments reached €1.5 trillion in the first half of 2023.  Source: https://www.ecb.europa.eu/press/stats/paysec/html/ecb.pis2023~b28d791ed8.en.html?utm_source=chatgpt.com. Assuming a similar volume in the second half, total EU credit card payments for the year amounted to approximately €3 trillion. Applying the same 0.08% ratio, cryptocurrency purchases via credit cards in the EU were roughly €2.4 billion ($2.5 billion).
[3] https://www.esma.europa.eu/sites/default/files/2025-01/ESMA75-453128700-1263_Supervisory_Briefing_on_Authorisation_of_CASPs.pdf
[4] https://www.fdic.gov/system/files/2024-07/joint-statement-on-third-party-deposit-products_0.pdf