"No KYC" Crypto Cards Tap Corporate Issuing Loopholes
Bitsika Touts Sutton-Issued Cards For Iran Sanctions Evasion; Varo Gets a Lifeline With $123.9 Million Series G Fundraise
Hey all, Jason here.
I’ll admit, I had a bit of FOMO last week, seeing industry friends out in Utah for the Fintech XChange event (and skiing). One of the downsides of living so far away is that it’s a near impossibility to make it to all of the events I’d like to go to!
Speaking of events… I’m looking forward to joining Natasha Vernier (Cable) and Trisha Kothari (Unit21) later this month to discuss the risk and compliance challenges that come with the layered partnerships increasingly common in fintech (and stablecoin) infrastructure — see the details below.
👀 Is risk lurking in your partner network?
Sponsored content: As fintech ecosystems become more layered, compliance risk extends well beyond direct partners.
Gaps in oversight across intermediaries and downstream partners operating in higher-risk jurisdictions can expose institutions to regulatory and reputational risk.
🗓️ Join us to see how compliance teams are preparing for 2026, with a practical look at managing partner-of-partner risk in complex fintech relationships.
“No KYC” Crypto Cards Tap Corporate Issuing Loopholes
If it sounds too good to be true, it probably is.
For those who understand the mechanics and the legal and regulatory obligations of payment card issuing, especially for institutions in the United States, the prospect of a “no KYC” crypto spending card should immediately raise red flags.

“No KYC” cards, long a topic of background chatter among professionals in the bank partnership, crypto/stablecoin, and financial crime spaces, went semi-viral on crypto Twitter last week, with at least one user saying the quiet part out loud.
Many of these offerings leverage a glaring loophole in how certain categories of cards, most commonly corporate credit cards, are issued.
The relative legitimacy of sites purporting to offer no KYC cards runs the gamut, with some seemingly well-intentioned if naive. Many of the services lean into a “privacy” focus or cypherpunk ethos, with Off Grid being a representative example.
In a manifesto posted on X, the company claims that “Non-KYC doesn’t mean unregulated. It doesn’t mean operating in grey areas waiting to get shut down. It means building inside the system with a different philosophy.”
Many of the sites offering such cards lack even the most basic of disclosures, including failing to list their legal entity name or a country in which they are based.
At the more extreme end of the spectrum, some providers explicitly position the cards as tools to evade financial regulations, including sanctions.
For example, Bitsika, which a test transaction confirmed uses prepaid debit cards issued by Sutton Bank, markets its service to users in Iran, saying Bitsika’s cards “work on international platforms where Iranian bank cards are declined due to sanctions.”
Ghana-headquartered Bitsika also lists Nigeria, Pakistan, China, and Rwanda as “top countries” on its site, marketing cards to users in those higher-risk jurisdictions that can be funded anonymously from popular stablecoin Tether (USDT), bitcoin, or other cryptocurrencies, and then spent anywhere Visa is accepted, all without any KYC requirements.
In response to questions sent via email, Bitsika founder and CEO Atsu Davoh suggested the page marketing the company’s service as a way to evade sanctions on Iran “[m]ay be a mishap or miscommunication from the content team.”
What Are The Actual Legal & Regulatory Requirements?
The most popular mechanism for operating these no KYC card offerings is something of an open secret in the industry: corporate cards.
But to understand how and why that loophole is important, it helps to understand what these sites are trying to get across when they say “no KYC” — that you can fund a card and spend without supplying real identity information — vs. what is legally required.
In the U.S., when a consumer opens an account, including a bank account, credit card account, or a reloadable prepaid card, covered financial institutions must meet the Customer Identification Program (CIP) requirements of Section 326 of the USA PATRIOT Act by collecting the consumer’s name, date of birth, physical address, and identification number. Institutions are not required to verify each data point, but their risk-based procedures must allow them to form a “reasonable belief” that they know the true identity of their customer.
The CIP requirement imposed by the PATRIOT Act similarly mandates that covered persons be able to form a reasonable belief in the identity of business customers. The minimum requirements are functionally similar: the name of the entity, principal place of business/physical address (e.g., not a P.O. Box or virtual office), and tax identification number (e.g., an IRS-issued employer identification number).
FinCEN’s Customer Due Diligence (CDD) final rule, finalized in 2016 in the wake of the Panama Papers scandal, clarified requirements for covered financial institutions to identify and verify the beneficial owners of legal entity customers: each natural person holding 25% or more of the entity (institutions may set a lower threshold), plus one individual with significant control over the entity, such as an executive officer.
The task of verifying ownership is complicated when entities are layered; for example, one legal entity being partially owned by another legal entity, which in turn is owned by multiple natural person shareholders.
The concept of an “ultimate beneficial owner,” or the natural person who ultimately owns or controls a legal entity and its transactions, is intended to address this situation.
The Corporate Transparency Act, passed by Congress in January 2021 as part of the National Defense Authorization Act — over then-President Trump’s veto — authorized the creation of a beneficial owner reporting regime.
However, while FinCEN formulated a rule to implement this requirement, the original rule was challenged in court. In March 2025, FinCEN issued a new interim final rule, which drastically narrowed the scope of who had to comply with the beneficial owner reporting requirement by exempting domestic reporting companies, U.S. persons, and certain foreign entities primarily controlled by U.S. persons.
Given the ease with which foreign persons can set up “domestic” U.S. entities, especially in privacy-focused jurisdictions like Wyoming, the beneficial ownership reporting requirement became functionally meaningless.
The Corporate Card Loophole
Onboarding a company entity as a customer, particularly for certain kinds of credit card accounts, can be a relatively light-touch process for entities with simple ownership and officer structures. And remember, the legal obligation is to collect the necessary CIP information, such as company formation documents and proof of an EIN, and to have risk-based procedures for forming a reasonable belief about the customer’s identity; there is no requirement to independently verify every data point submitted.
Corporate card programs offer an easy-to-exploit loophole, in that, once the company entity has been onboarded to a program, cards can be created for individual employees, contractors, and so forth — typically without any additional verification of those individuals’ information or that they have a bona fide relationship with the company.
The challenges of policing this gaping loophole are amplified by the nested structures common in bank sponsorship, issuer-processor, and program management relationships.
Responsibility for BSA/AML compliance is often passed down a chain of partners, with collection of necessary information typically resting with the user-facing entity. But, all too often, the data doesn’t flow back up to the regulated entity — the bank — standing behind a given card program, blinding financial institutions to the true risks hidden beneath multiple layers of service providers.
The “Nth party” risk management issues posed by these relationships should already be well known and well understood after the 2022-2024 wave of consent orders focused on BSA/AML and third-party risk management failures in bank-fintech partnerships.
Yet a number of existing players and new entrants are still exposed to outsized risk through their third-party relationships.
Sutton — which was hit with a consent order in February 2024 over gaps in its BSA/AML controls and third party oversight — illustrates how bad actors can take advantage of these oversight failures.
Paywithus Demonstrates the Corporate Card “Supply Chain”
Paywithus is a fairly representative example of how these no KYC services operate.
While the site now purports to require KYC to obtain a card, that is only a relatively recent development that appears to be in response to inquiries from Fintech Business Weekly.
People who appear to represent Paywithus promoted the service on web forums as far back as February 2024, explicitly marketing it as “no KYC.”
And as recently as October 2025, FAQs on Paywithus’ site stated it did not require KYC information:
At the time, a user could easily deposit crypto or stablecoins into a wallet on Paywithus via crypto payment processor Cryptomus and then use those funds to create and spend on virtual cards.
Cryptomus itself is an interesting story. The company, whose legal entity name is Xeltox Enterprises Ltd., is incorporated in Canada, but appears to actually be controlled and operated from Uzbekistan, according to a regulatory action by FINTRAC, Canada’s equivalent of FinCEN.
On October 22, 2025, FINTRAC hit Cryptomus with a record-setting CAD $176.9 million fine (about USD $130 million) for violations that included:
Failure, on 1,068 separate occasions, to submit suspicious transaction reports for transactions involving known darknet markets and virtual currency wallets linked to criminal activity, such as trafficking in child sexual abuse material, movement of fraud proceeds, laundering of ransomware payments, and financial flows with reasonable grounds to suspect they were related to sanctions evasion;
Failure to report, on 1,518 separate occasions, the receipt from a client of an amount in virtual currency of $10,000 or more in the course of a single transaction, together with the prescribed information;
Failure to comply with a Ministerial Directive, as demonstrated in connection to more than 7,500 financial transactions associated with the Islamic Republic of Iran.
Once a user’s Paywithus wallet is funded via Cryptomus, they can use the proceeds to purchase and fund virtual cards, with the service offering different cards by “BIN,” or bank identification number: the leading six to eight digits of the card number. BINs/IINs identify the card network (Visa, Mastercard, etc.), issuing institution (in the U.S., the issuing bank), and card type (prepaid, consumer credit, corporate credit, etc.).

Cards that were purchased included a named cardholder and corresponding address information. Live test transactions confirmed cards purchased from Paywithus worked successfully in production.

It’s Just TPRM, All The Way Down
The two BINs Paywithus listed as “New” — both associated with Sutton Bank — offer a glimpse into the techniques bad actors use to gain access to cards that can be used for their illicit “no KYC” programs.
Analysis of the Sutton-issued cards Paywithus offered as of last October showed they were affiliated with Bluebanc, which describes itself as offering “business banking and card issuance at scale,” with a focus on serving media and ad agencies and fintech companies. Bluebanc operates as a program manager for Sutton.
From a legal and regulatory perspective, Bluebanc is a third-party service provider to the bank. As program manager, Bluebanc takes on the responsibility of conducting required compliance processes as part of onboarding, including collecting its business customers’ information.
But Paywithus wasn’t a direct customer of Bluebanc — which makes sense, as a cursory examination of Paywithus’ site, which lacks any named legal entity and, before October 2025, specified it did NOT require KYC information, would raise immediate red flags.
Rather, a relatively more legitimate-looking service, Fincone, which also went by the name Bespoke Tech Consulting, was Bluebanc’s customer.
Bluebanc, per sources familiar with the matter, did conduct KYB on Bespoke Tech Consulting and its principal, Zuocang Fan.
But Fan, and another principal once listed as Secretary for the Wyoming-registered Bespoke Tech Consulting, Wencai Li, are associated with numerous other entities, including Wyoming registered Capte.Inc, California-registered Capte Trading Co. Limited (which was previously named Bespoke Tech Consulting in the California registration), Hong Kong-registered Capte Trading Co. Limited, Hong Kong-registered Fincone Technology Limited, and U.K.-registered Fincone Technology Limited.
Fincone purported to offer corporate cards for use in managing digital advertising campaigns.
Fincone, which now appears to be defunct, did collect basic details in its customer onboarding process, including business name, EIN, business formation documents, and business owner/controller information. But Fincone appears to have done little if anything to verify the legitimacy of this information.
Fincone appears to have allowed customers to deposit funds via popular stablecoin Tether (USDT) and use those funds to create, fund, and transact on Sutton-issued cards via Bluebanc.
Paywithus, according to a source familiar with the situation, made an unauthorized purchase of 53 cards from an e-commerce client of Fincone’s and used these fraudulently obtained cards to offer its no KYC service.
Shortly after Fintech Business Weekly began making inquiries in early October 2025, all of the BINs Paywithus offered appear to have been shut down, with the site’s UX showing cards that had been previously used as “deleted.”
The Fincone/Bluebanc-sourced cards were live for less than two weeks and had approximately $10,000 in spend routed through them, according to a person with knowledge of the situation.
Upon learning that cards associated with Sutton appeared on Paywithus, the bank “took prompt internal action in accordance with its established risk management and escalation procedures,” according to a Sutton spokesperson. The spokesperson added that “[t]hose actions were designed to assess the situation, address any gaps if any existed, and ensure continued alignment with regulatory requirements.”
When asked about the “deleted” cards and the ability to create new ones, a support representative for Paywithus stated that “due to new regulatory requirements, all users are now required to complete KYC verification.”
Yet the newly required “KYC verification” is easily circumvented, and, as of Friday, Paywithus continues to offer cards, including cards issued by U.S.-based The Central Trust Bank.
Widespread Problems, Whack-a-Mole Solutions
While the Sutton-Bluebanc-Fincone-Paywithus situation illustrates a typical ‘supply chain’ used by no KYC card providers, there are numerous bad actors exploiting these kinds of loopholes.
Once an entry point is identified, it is exploited until detected. The parties operating these services are clearly aware that certain transaction patterns are likely to draw scrutiny, and warn end users they may be banned if they engage in certain behavior, like attempting to transact with prohibited classes of merchants (prohibited merchant category codes, or MCCs) or generating a high volume of declined or disputed transactions.
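As an added example, not code from the newsletter or from any bank, processor or program manager it names, the Python below sketches the kind of monitoring rules the paragraph above alludes to, run over constructed sample transactions: attempts at prohibited MCCs (approved or declined), a high decline ratio, repeated disputes, and, at the business level, a batch of cards all first used within a short window, which is the footprint a resold block of corporate cards leaves on an otherwise ordinary business account. The MCC list, every threshold, and all card records are assumptions made for illustration.

```python
"""Toy transaction-monitoring rules over a corporate card program.

Added example for illustration; it is not code from the newsletter or
from any bank, processor or program manager it names. Card records,
the prohibited-MCC list and every threshold are constructed here and
would be tuned to real data in production.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed prohibited merchant category codes: 7995 gambling, 6051
# quasi-cash/crypto, 4829 money transfer. Real lists are program-specific.
PROHIBITED_MCCS = {"7995", "6051", "4829"}


@dataclass(frozen=True)
class Txn:
    card_id: str
    business_id: str
    ts: datetime
    mcc: str
    amount: float
    approved: bool
    disputed: bool = False


@dataclass(frozen=True)
class Alert:
    subject: str  # card_id or business_id the alert is about
    rule: str
    detail: str


def evaluate(txns, *, min_txns=5, max_decline_ratio=0.5,
             min_disputes=2, burst_cards=20, burst_days=14):
    """Return alerts for card-level and business-level patterns."""
    alerts = []
    by_card = defaultdict(list)
    for t in txns:
        by_card[t.card_id].append(t)

    for card_id, ct in by_card.items():
        # Any attempt at a prohibited MCC counts, approved or declined:
        # a decline still shows what the cardholder tried to do.
        hits = sorted({t.mcc for t in ct if t.mcc in PROHIBITED_MCCS})
        if hits:
            alerts.append(Alert(card_id, "prohibited_mcc", ",".join(hits)))
        declines = sum(not t.approved for t in ct)
        if len(ct) >= min_txns and declines / len(ct) >= max_decline_ratio:
            alerts.append(Alert(card_id, "decline_ratio",
                                f"{declines}/{len(ct)} declined"))
        disputes = sum(t.disputed for t in ct)
        if disputes >= min_disputes:
            alerts.append(Alert(card_id, "disputes", f"{disputes} disputed"))

    # Business level: many cards first used within a short window. An
    # employee program grows slowly; a resold batch of cards does not.
    first_seen = defaultdict(dict)
    for t in txns:
        fs = first_seen[t.business_id]
        fs[t.card_id] = min(fs.get(t.card_id, t.ts), t.ts)
    window = timedelta(days=burst_days)
    for biz, cards in first_seen.items():
        dates = sorted(cards.values())
        best, j = 0, 0
        for i in range(len(dates)):  # sliding window over first-use dates
            while j < len(dates) and dates[j] - dates[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= burst_cards:
            alerts.append(Alert(biz, "card_burst",
                                f"{best} cards first used within {burst_days} days"))
    return alerts


def sample_txns():
    """Constructed data: biz-A is a small ordinary program; biz-B shows
    the batch-of-cards pattern plus three cards with bad behaviour."""
    base = datetime(2025, 10, 1)
    txns = []
    for i in range(3):  # biz-A: three cards, steady spend over two months
        for week in range(8):
            txns.append(Txn(f"A{i}", "biz-A", base + timedelta(weeks=week, days=i),
                            "5734", 120.0, True))
    for i in range(25):  # biz-B: 25 cards all first used inside ten days
        start = base + timedelta(days=i % 10)
        for k in range(2):
            txns.append(Txn(f"B{i:02d}", "biz-B", start + timedelta(days=k),
                            "5734", 200.0, True))
    # B00 tries a gambling merchant and is declined
    txns.append(Txn("B00", "biz-B", base + timedelta(days=3), "7995", 50.0, False))
    # B01 racks up three declines on top of its two approvals
    for k in range(3):
        txns.append(Txn("B01", "biz-B", base + timedelta(days=4, hours=k),
                        "5734", 300.0, False))
    # B02 has two transactions charged back
    for k in range(2):
        txns.append(Txn("B02", "biz-B", base + timedelta(days=5, hours=k),
                        "5734", 99.0, True, disputed=True))
    return txns


def run_demo():
    return evaluate(sample_txns())


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.subject:8} {a.rule:15} {a.detail}")
```

Run stand-alone, the demo yields four alerts: B00 for the prohibited MCC, B01 for its decline ratio, B02 for disputes, and biz-B for 25 cards first used within the window, while biz-A produces nothing. The business-level rule is the one the layered partnerships described above tend to defeat in practice: it needs card-creation and first-use data for every card under a business, which a bank only has if that data flows back up from the program manager.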
A review of a number of no KYC card services, conducted in October 2025 and again last week, found card BINs associated with a number of U.S. issuers, including: Fifth Third Bank, The Central Trust Bank, Column, Regions Bank, and Sutton Bank.
Despite Sutton learning its BINs were used to offer no KYC cards via Paywithus last October — and the bank’s consent order for BSA/AML and third-party risk failures — programs associated with Sutton continue to be used to offer these types of cards.
BINs tied to popular crypto-cards-as-a-service provider Rain — recently linked to Venezuelan crypto app Kontigo — have also been in use by multiple no KYC card services. Rain issues cards using its Puerto Rico-based Nimbus LLC entity.
Asked about the use of its cards by no KYC providers like Uncash (image above), a Rain spokesperson clarified that “Uncash was never an authorized Rain program” and that the card information that appeared on Uncash in October was associated with “a user that successfully completed KYC (with ID verification and liveness checks), received a card, and then resold it via the Uncash site violating [Rain’s] terms of service.”
It isn’t only U.S. financial institutions that face this problem. A review of no KYC providers turned up numerous BINs associated with foreign card issuers, with Hong Kong appearing to be a favored jurisdiction. Cards tied to Nium, Reap, and Sunrate appeared on multiple sites.
Ultimately, even financial institutions that have robust onboarding processes and compliance programs are vulnerable, particularly if they have downstream third-party providers fulfilling compliance responsibilities on their behalf.
It’s impossible to prevent all bad actors, particularly those that invest the time to create or fabricate convincing documentation. Once onboarded, transaction monitoring can help detect and shut down bad actors, but, to be effective, the right data must be surfaced to the parties responsible for detecting illicit activity — which is made more complex by the layered nature of many of these partnerships.
Perhaps most importantly, providers up and down the chain have to invest the time and resources to mitigate these risks — yet, absent regulatory enforcement, they have little to no incentive to do so, given that banks, processors, and program managers profit from every transaction that runs through their systems, illicit or not.
This newsletter is made possible thanks to the generous support of paying subscribers. In addition to supporting independent analysis of the banking, fintech, and crypto spaces, paying subscribers get an extended version of this newsletter and access to full archives of past issues (5+ years of newsletter goodness!)
You can upgrade to a paid subscription here or, if you prefer, you can make a one-off pay-what-you-want "tip" here.
Varo Gets a Lifeline With $123.9 Million Series G Fundraise
Varo, still unprofitable, has earned a reprieve: anchor investor Warburg co-led a $123.9 million round alongside Coliseum Capital Management. Varo made the announcement last Monday, the first business day after Varo Bank’s call report, which reflects the new capital, became available.
The new investment appears to be an extension of a round first announced in early 2025, per an amended SEC filing by the company related to the fundraise. The $123.9 million total is inclusive of previously announced amounts. At least $23 million of the aggregate funding amount appears to be debt, based on filings made in June 2025 associated with Varo’s bank holding company, Varo Money, Inc.
Varo was ostensibly valued at $1.8 billion when it raised a $50 million round in February 2023 — down substantially from what the company was valued at in 2021 — and it’s difficult to imagine the valuation picture has improved since then.

While Varo reduced its losses somewhat in Q4 2025, much of that improvement appears to have come from reducing headcount, with the company reporting just 330 employees at the end of 2025. The shrinking workforce helped Varo decrease employee compensation expenses to $18 million in Q4 — a drop of 17% vs. Q4 2024.
But while Varo posted somewhat improved account, deposit, and asset numbers, the overall picture remains bleak.