A single unreported crypto ATM transaction can trigger large HMRC penalties. Operators in England must register as an MSB, keep per‑transaction logs and file correct tax returns. Act promptly to avoid bank closures and enforcement risk.
Summary of the process
This section lists the steps to reach compliance and reduce enforcement risk.
- Register as an MSB with HMRC and appoint an AML officer.
- Use KYC/CDD, secure transaction logs and create per‑transaction exports.
- Classify revenues and file the correct tax returns or self‑assessment entries.
Quick steps
Register with HMRC as a Money Services Business and keep written AML procedures under the Money Laundering Regulations 2017.
Prepare a per‑transaction ledger with timestamp, terminal ID, crypto wallet address, fiat amount, crypto amount, fee and KYC identifier.
Map ledger fields to CARF or third‑party formats before filing and keep exportable CSV or JSON with UTC timestamps for audits.
Pause for clarity.
Do now: MSB registration, appoint AML officer, choose KYC provider, set transaction log headings.
Do next: Use separate ledgers for fiat cash float, commission income and crypto inventory.
Do before scaling: Run a one‑month reconciliation and arrange a bank meeting with AML documents ready.
Step 1: register, AML and banking
Operators must present a business case when seeking bank services. Banks normally require clear AML controls and MSB registration before opening an account.
The most frequent error at this point is assuming cash‑heavy activity will not trigger bank scrutiny and AML questions.
Begin HMRC MSB registration, keep a written AML policy, and set sanctions screening and reporting channels under POCA 2002.
A short pause follows for clarity.
MSB registration
Register on the HMRC MSB portal and keep the registration number in the corporate file for bank meetings and audits.
Keep AML policies that reference the Proceeds of Crime Act 2002 and the Money Laundering Regulations 2017. Log staff training and keep those records.
Bank engagement
Prepare a concise pack for banks: business plan, AML policy, transaction volumes, sample reconciliations and KYC flows.
A common option is to open discussions with specialist acquirers or fintechs if mainstream banks refuse service; this can work, but often adds costs and delays, so expect onboarding to take 4 to 12 weeks.
Pause for clarity.
Step 2: transaction records and CARF mapping
HMRC and CARF‑aligned regimes expect transaction‑level granularity: timestamp, wallet address, fiat amount, fee and a KYC ID for each event.
The data fields must be exportable and auditable. Store immutable raw logs and a reconciled monthly summary for tax and bank review.
Operators should create standard CSV and JSON exports aligned to CARF headings to prepare for automatic exchange.
Transaction log template
Use these fields in every record: transaction_id, UTC_timestamp, terminal_id, tx_type (buy or sell), fiat_amount_gbp, crypto_amount, fee_gbp, wallet_address, kyc_reference.
Sample CSV header line: transaction_id,utc_timestamp,terminal_id,tx_type,fiat_gbp,crypto_amt,fee_gbp,wallet,kyc_ref.
Map each CSV row to accounting entries and keep an audit trail.
CARF mapping example
Map CSV fields to CARF or other reporting formats: taxpayer ID becomes operator MSB, transaction_id becomes the unique field, value_in_gbp maps to fiat_amount_gbp and counterparties map to wallet or KYC provider.
What most guides omit is the need to retain hashes and submission receipts as proof of filing. Keep those items with the reconciled workbook.
Record rule: retain the raw transaction file plus a reconcile file that shows how each transaction maps to an accounting entry and to a KYC record.
Compliance flow
1. Register
MSB registration and AML policy.
2. KYC
Collect ID per thresholds; store KYC reference.
3. Log
Per‑tx record with wallet and fiat.
4. Reconcile
Monthly accounting and export.
5. Report
File tax returns and CARF‑aligned exports.
When CARF‑style reporting applies, operators should expect a sequence of reconciliations rather than a single ad hoc disclosure. Start by reconciling each reporting period's transaction file to the nominal ledger and the KYC index. Validate which records meet CARF reporting criteria and prepare an extract in CSV or JSON that maps internal fields to CARF headings.
Keep proof of validation and submission such as hashes and receipts. Be ready to provide a reconciled workbook that shows how each reported line feeds into tax returns.
Each CSV row should map into accounting as: fiat cash float plus 150.00, commission income plus 4.50, crypto inventory change minus the crypto amount at inventory valuation.
CSV
transaction_id,utc_timestamp,terminal_id,tx_type,fiat_amount_gbp,crypto_amount,fee_gbp,wallet_address,kyc_ref
T000123456,2025-03-05T14:12:03Z,ATM-27,buy,150.00,0.0031,4.50,0x4bA...9fF,KYC-20250305-001
T000123457,2025-03-05T14:18:21Z,ATM-27,sell,200.00,0.0042,6.00,0x7e2...4Aa,KYC-20250305-002
Each CSV row must feed the accounting system as described and create the reconciliation paper HMRC will request.
Step 3: tax treatment, filing and accounting
An operator must classify receipts into commission income, trading income and disposals of crypto that may create capital gains.
The correct distinction decides whether Income Tax or Capital Gains Tax applies. Misclassification raises adjustment risk on enquiry.
Tax entries should flow from the reconciled monthly file into the nominal ledger with separate ledgers for fiat float, commission income and crypto inventory.
Income versus capital
Commission and service fees are business revenue and face Income Tax or Corporation Tax depending on structure.
Holding crypto for resale as part of trading makes disposals trading receipts. Holding crypto as an investment means disposals fall under Capital Gains Tax.
VAT and corporation tax treatment
VAT rarely applies to the supply of fiat for crypto when the supplier only acts as an exchange provider. VAT treatment still needs review for ancillary services.
Operators with a company report profits under Corporation Tax; sole traders include profits in self‑assessment and follow CGT rules for disposals.
This paragraph states a clear recommendation: treat commissions as trading income and keep crypto inventory reconciled daily to avoid matching errors. This reduces the chance of a contested HMRC adjustment. Operators with material holdings must adopt policies that separate trading stock from investment holdings. Prepare valuations that match accepted accounting standards.
Pause for clarity.
The technical stack must capture required fields, secure them, and support exchange with counterparties when Travel Rule obligations apply.
A Travel Rule integration sends encrypted originator and beneficiary data with transfers above thresholds and logs the exchange.
Operators must consider data protection when storing KYC files and follow ICO guidance on personal data retention.
KYC thresholds
Set pragmatic ID thresholds and enhanced checks for higher‑risk transactions and document thresholds in the AML policy.
Screen customers against sanctions and PEP lists and keep a clear record of screening outcomes and actions taken.
Travel rule checklist
Use secure API endpoints, message signing and time‑ordered logging. Include hashed identifiers where partners do not permit full data transfer.
| Approach |
Estimated cost |
Time to implement |
Travel Rule readiness |
| In‑house build |
£8,000–£30,000 initial |
3–6 months |
High, customisable |
| Third‑party provider |
£1,500–£10,000+ yearly |
2–8 weeks |
Good, vendor dependent |
| Kiosk provider package |
May be included in fee |
Deployment time varies |
Limited, vendor dependent |
Legal deadline and practical note: retain AML records and KYC evidence for at least five years from the end of the transaction year in case of HMRC or FCA inspection.
Costs, calculator and decision matrix
Operators should estimate tax exposure and compliance spend before launch and run sensitivity tests against volume and volatility.
A simple calculator uses monthly transactions, average ticket, operator fee percentage, holding days and corporate structure to estimate monthly tax and compliance spend.
Small operators typically see annual compliance costs in the range £1,500 to £6,000 per site, excluding banking charges and bespoke integration.
Pause for clarity.
Required inputs include monthly_tx, avg_ticket_gbp, operator_fee_pct, average_holding_days and corporate_tax_flag.
Sample output lines include estimated_monthly_revenue, estimated_monthly_tax_liability, estimated_compliance_cost and breakeven_fee_pct.
Decision matrix example
For 0 to 500 tx per month, use a third‑party AML provider and a basic bank account. For 500 to 5,000 tx per month, consider in‑house controls and a banking relationship with a specialist provider.
Operators should instruct a crypto‑specialist tax adviser to review historical records and prepare any voluntary disclosure or corrective filings before HMRC opens enquiries. Doing so reduces exposure and frames the operator as cooperative.
This guidance does not apply to customers using a public ATM solely for personal purchases, to machines that do not perform fiat/crypto exchange, or to hardware vendors who never process transactions through the device.
To make the calculator concrete, use simple inputs and show the arithmetic. Example: monthly_tx = 1,000, avg_ticket_gbp = £150, operator_fee_pct = 3% (0.03), average_holding_days = 2, expected annual compliance_cost_per_site = £6,000. Estimated_monthly_revenue = 1,000 × £150 × 0.03 = £4,500. Assuming corporation tax at 25% for illustration, estimated_monthly_tax_liability = £4,500 × 0.25 = £1,125. Add monthly compliance cost = £6,000 / 12 = £500.
Net after tax and compliance = £4,500 − £1,125 − £500 = £2,875. Breakeven fee_pct to cover tax and compliance roughly = (tax_rate × revenue_factor + monthly_compliance) / (monthly_tx × avg_ticket), which with these numbers gives a breakeven operator_fee_pct ≈ 3.8%.
Showing this worked example helps operators estimate crypto ATM tax exposure and compare vendor quotes for AML, KYC or Travel Rule integration against likely revenues.
Frequently asked questions
Do I pay tax on every ATM transaction?
Tax does not arise on every cash withdrawal alone; tax arises when a disposal or profit event occurs, such as when the operator realises crypto holdings or records commission income.
Commissions are trading income, and disposals of operator‑held crypto may trigger CGT or trading profits depending on accounting policy.
How should I split accounting ledgers?
Maintain separate ledgers for fiat cash float, commission income, operating expenses and crypto inventory.
This separation simplifies tax treatment and bank reconciliations and prevents the common error of commingling commission receipts with inventory sales.
What records does HMRC expect in an enquiry?
HMRC expects transaction‑by‑transaction logs with timestamp, wallet address, fiat amount, fee and KYC reference and reconciliations showing how each entry flowed into tax returns.
Keep raw logs, reconciliation workpapers and KYC records for at least five years to meet inspection and information requests.
Can I correct past non‑compliant reporting?
Yes, operators can make voluntary disclosures to HMRC but should do so with a tax specialist to reduce penalties and present reconciled data and remediation steps.
Voluntary correction with full reconciled records and implemented AML controls materially improves the outcome of any HMRC engagement.
Final synthesis, risks, precedents and next steps
Operators must treat ATM activity as a regulated, taxable business and take three actions immediately: register as an MSB, implement per‑transaction logging and consult a crypto‑specialist tax adviser for filing strategy.
The data point is clear: Money Laundering Regulations were updated in recent years, POCA dates from the early 2000s and FATF published virtual asset guidance subsequently. Regulators expect traceability consistent with those standards.
A typical enforcement path starts with bank account closure, then a tax information notice and finally an HMRC enquiry that may cover multiple tax years. Poor records raise the likelihood of penalties.
The most common operator failing is inadequate mapping of transaction logs to accounting entries. A case example: an anonymous London operator failed to log wallet addresses for 18 months, which led to a bank closure and an HMRC information request that required retrospective reconciliation and a voluntary disclosure. The operator avoided criminal proceedings but paid professional fees and lost banking access for six months.
Estimated cost: expect initial compliance setup between £2,000 and £25,000 depending on in‑house build or vendor choice; ongoing annual costs typically range from £1,500 to £10,000 per site.
Operators should keep a documented upgrade plan and run an annual compliance audit against current guidance.
For supporting evidence, FATF provides guidance on virtual assets and service providers and HMRC publishes cryptoassets material and tax guidance for businesses. FATF guidance on virtual assets.
Must I register with HMRC?
Yes, operators register as an MSB with HMRC and keep AML policies under the Money Laundering Regulations 2017 before scaling the business.
Registration helps with bank onboarding and shows intent to comply with UK law.
Will CARF affect my reporting?
CARF‑aligned reporting adds fields and cross‑border information exchange for virtual asset transfers. Begin mapping transaction logs to CARF headings now even if full implementation is pending.
OECD model rules and HMRC guidance indicate that early preparation reduces future rework and exposure; see HMRC guidance for cryptoassets for further detail. HMRC cryptoassets guidance.