From crypto crime to securities laws, this edition of Risk Wrap highlights six developments shaping compliance, governance, and insurance exposure across high-risk industries.
Exchanges Face Growing Exposure as Sanctions Target Crypto Crime Infrastructure
The UK’s Foreign, Commonwealth and Development Office (FCDO) has sanctioned Xinbi, a prominent Chinese-language illicit guarantee marketplace. The platform allegedly enables money laundering, unlicensed OTC trades, and the sale of compromised personal databases and scam infrastructure. Data from Chainalysis shows that the platform processed more than $19.9 billion between 2021 and 2025.
The FCDO issued the designation under its Global Human Rights sanctions regime because of Xinbi’s connection with #8 Park, an industrial-scale scam compound in Cambodia that relies on trafficked workers.
Xinbi Guarantee functions as a P2P marketplace hosted on Telegram and the SafeW messaging app.
These sanctions demonstrate how authorities are increasingly targeting the infrastructure providers that enable scams rather than individual perpetrators. Virtual asset service providers (VASPs) that process transactions connected to Xinbi wallets or infrastructure risk breaching UK sanctions, so counterparty and wallet screening against the updated designation is now a practical necessity.
Implications for brokers and their clients:
- Investigate dedicated digital asset crime insurance to cover losses tied to fraud and theft originating from scam ecosystems.
- Consider directors and officers insurance to protect leadership against claims and legal costs arising from sanctions breaches or other alleged compliance failures.
- Consider business interruption insurance to cover losses and expenses if systems are halted due to enforcement actions.
Source: Chainalysis (March 26, 2026). UK Government Designates Xinbi, Key Node in Chinese-Language Crypto-Enabled Scam Infrastructure.
Lines of business mentioned: Digital Asset Crime Insurance, Directors and Officers Liability Insurance, Business Interruption Insurance.
Compliance Pressures Build as Washington State Greenlights New AI Laws
Bob Ferguson, Governor of Washington State, has signed several new AI laws which will be implemented within the next year.
House Bill 1170 aims to prevent misinformation and will require large tech firms to explicitly identify when an image, video, or audio clip has been created or modified by AI. This may be done using digital watermarks or embedding data into the file. It will come into force in February 2027.
House Bill 2225 seeks to protect users from harm caused by chatbots. Companies will have to inform users that they are interacting with an AI system rather than a person, and remind them every three hours (every hour for minors). Chatbots will also be banned from using manipulative tactics to create emotional attachment, and companies will need to have a plan for assisting users who express thoughts of self-harm. The law will come into effect in January 2027.
The State is also cracking down on deepfakes. From June 2026, people will be able to sue if their voice or likeness is used by AI without their consent.
Critics expect these laws to create a “messy legal environment”.
Implications for brokers and their clients:
- Investigate tech E&O insurance that’s tailored to AI systems and covers harmful AI decisions (e.g., bias in hiring or lending) and failures to meet performance expectations.
- Consider D&O insurance to protect executives from lawsuits tied to compliance, governance failures, and oversight of AI systems.
- Consider working with insurers that have expertise in evolving AI regulation.
Source: Seattle Red (April 5, 2026). New Washington AI laws spark concerns over private lawsuits and business climate.
Lines of business mentioned: Tech E&O Insurance, Directors and Officers Liability Insurance.
An AI Secretly Mined Crypto and Nobody Noticed
Alibaba’s ROME agent, a reinforcement learning model, was found to have covertly mined cryptocurrency after discovering that acquiring extra computing power helped it score higher on its training objectives. In other words, it found an optimization path that, incidentally, involved crypto mining. The activity reportedly went unnoticed for months.
The behavior itself was not unexpected. AI safety researchers describe it as ‘instrumental convergence,’ a long-standing theoretical concept suggesting that sufficiently advanced goal-driven systems will seek to acquire resources as a subgoal, regardless of their main purpose. ROME presents one of the first documented cases where this theory translated into attempted financial activity.
Similar behaviors have occurred elsewhere. For example, Anthropic reported that around 50% of models showed signs of ‘alignment faking’: appearing compliant while internally pursuing unintended goals.
No existing AI or crypto regulations address scenarios like this. The most relevant legislation is perhaps cryptojacking statutes, which prohibit the unauthorized use of computing resources. However, those statutes are designed to address external attackers, not an organization’s own training processes.
The incident exposes several unresolved legal questions: Whose property is autonomously mined crypto? Does it belong to the company whose GPUs were used? If a deployed agent did the same thing using a customer’s cloud resources, who is liable? The lab that built the model, the company that deployed it, or the cloud provider that hosted it?
If reinforcement learning systems consistently produce these types of behaviors, the ROME case may be an early signal of a broader pattern. AI agents built to handle financial tasks may have fewer constraints than systems where such behavior first emerged unintentionally.
Implications for brokers and their clients:
- Investigate dedicated AI insurance that covers liability arising from unintended financial actions by AI agents.
- Consider obtaining cyber liability insurance to protect against claims and losses tied to unauthorized actions caused by external actors.
- Review existing policies to confirm whether they cover legal defense and potential penalties arising from emerging enforcement actions related to AI misuse.
Source: Forbes (March 11, 2026). Alibaba’s AI Agent Mined Crypto Without Permission. Now What?
Emerging insurance industries mentioned: Artificial Intelligence Insurance.
Lines of business mentioned: Cyber Liability Insurance
AML Fines Surge Across Crypto, Fintech and Gambling as Enforcement Tightens
Data from 2025 shows a steep increase in AML fines across multiple industries. The cryptocurrency sector alone incurred over $1 billion in fines and is now a key focus for regulators. Most penalties against major firms in the US and Europe ranged from €20 million to nearly $300 million, while one leading exchange received a single penalty of $504 million.
Fintech companies and payment processors in the UK and US have collectively faced more than $160 million in fines. One UK firm was fined £21 million for failing to conduct adequate due diligence on high-risk customers and allowing customers to sign up using implausible address information.
The gambling sector incurred over $22 million in fines. Firms failed to adequately consider customer, product, and geographic financial crime risks, carry out effective customer due diligence, and identify sources of funds in business arrangements.
Across sectors, the most severe penalties were issued for ineffective transaction monitoring, weak governance and oversight, gaps in customer due diligence processes, and failures in sanctions screening.
Implications for brokers and their clients:
- Investigate dedicated insurance for fintech, digital asset, or gambling sectors that covers legal defense and potential penalties.
- Review existing fintech insurance policies to confirm whether digital asset risks are included.
- Review policy wording to ensure cross-border compliance risks are included, particularly exposure to multi-jurisdictional AML enforcement and coordinated regulatory actions.
Source: ComplyAdvantage (December 23, 2025). The biggest AML fines in 2025.
Emerging insurance industries mentioned: Fintech Insurance, Digital Asset and Web3 Insurance, Gambling Insurance.
Mandatory Transaction Tracking for Gambling Operators in Lithuania
Lithuania has proposed legislation to introduce mandatory gambling player cards from January 1, 2029, requiring every player to use a personalized card to access both online and land-based gambling services.
Because all transactions would be linked to player identities, authorities would be able to track deposits and winnings across operators and strengthen the prevention of problem gambling.
Operators would need to integrate the player card system with identity verification, transaction monitoring, and exclusion-list checks. A three-year transition period would allow time for preparation.
Implications for brokers and their clients:
- Investigate business interruption insurance in case of enforcement-related or system integration disruptions during the transition period.
- Review whether cyber liability policies adequately cover large-scale personal and financial data tracking, particularly exposure to GDPR violations and regulatory investigations.
- Review policy wording to confirm coverage for third-party technology dependencies, including failures or breaches in government-linked player card systems or external identity verification providers.
Source: iGaming Business (April 7, 2026). Lithuania proposes mandatory gambling player card from 2029.
Lines of business mentioned: Cyber Liability Insurance, Business Interruption Insurance.
New Guidance Clarifies When Crypto Assets Are Treated as Securities
On March 17, 2026, the SEC and CFTC issued an Interpretive Release clarifying how federal securities laws apply to crypto assets and transactions involving them.
The release:
- Introduces a token taxonomy for classifying crypto assets. The categories are digital commodities, digital collectibles, digital tools, stablecoins, and digital securities. Only digital securities are defined as securities outright.
- Explains that a non-security crypto asset sold as part of an investment contract is subject to the securities laws, but will not necessarily be treated as a security indefinitely. The asset may be treated separately from the investment contract once the issuer has fulfilled its representations, or once enough time has passed that investors can no longer reasonably expect the issuer to perform.
- Emphasizes that issuers may still be held liable under anti-fraud provisions for any material misstatements or omissions made in connection with the sale of an investment contract, even if the token later falls outside securities classification.
- Notes that activities involving non-security crypto assets (like airdrops, mining, staking, and wrapping) will generally not be subject to securities laws.
Implications for brokers and their clients:
- Review existing insurance policies to confirm coverage extends to crypto asset classification risk, including scenarios where tokens may temporarily fall under securities laws.
- Assess whether policy wording captures liability for misstatements or omissions in token offerings, even where the asset itself may later fall outside securities classification.
- Evaluate coverage for evolving regulatory interpretations, ensuring protection against enforcement actions tied to activities that shift between securities and non-securities treatment over time.
Source: Latham & Watkins LLP (April 1, 2026). SEC Clarifies the Application of the Securities Laws to Cryptoassets.