Cryptocurrency Hardware Vendors (Mining Equipment and Wallets): AML Risks Associated with an Emerging Market Segment

Traders in crypto hardware are increasingly coming under scrutiny from regulators, banks, and investors due to AML risks. This article explains when a hardware seller becomes an obliged entity under Act No. 253/2008 Coll., what the specific practical risks are, and how to set up processes so that the company trades safely while not blocking the development of new business.

Crypto-technology merchants—whether they sell mining equipment, hardware wallets, or related software and services—are in 2026 within the sights of anti-money laundering and counter-terrorist financing (AML/CFT) regulators.

Whereas attention previously focused on crypto exchanges, today there is also significant scrutiny of risks associated with entities that supply technologies enabling the generation or storage of crypto-assets.

With the European Regulation on Markets in Crypto-Assets (MiCA) and the Regulation on information accompanying transfers of certain crypto-assets (TFR) now in effect, regulation in the Czech Republic and in the European Union has unified terminology and regulates service providers (so-called CASPs).

In practice, this means that some crypto-technology merchants fall directly under the regime of obliged entities under the Czech AML Act, while others face pressure from banks.

This text explains in detail which AML obligations apply to merchants, where the most common shortcomings occur, and how to set up processes so that the business itself is not put at risk.

Key takeaways

In this introductory section you will find several key practical conclusions that are important for company owners and the management of crypto-technology merchants. The individual points serve as a quick guide on when to be alert and when to address AML issues with advisors from ARROWS, a Prague-based law firm.

Although many merchants perceive their business as merely selling hardware, in many models they in fact provide services related to crypto-assets under MiCA and the Czech AML Act.

If they have access to clients' private keys, or if they combine the sale of equipment with hosted mining, key-based staking, or yield management, they become obliged entities. In such cases, they must carry out customer identification and due diligence and report suspicious transactions to the Financial Analytical Office (FAÚ), the Czech financial intelligence unit.

Even in cases where the merchant does not formally fall under the definition of an obliged entity, they bear significant operational risks due to selling expensive mining units without identifying the buyer.

Banks apply strict screening to these transactions, and insufficient checks by the merchant commonly lead to the immediate blocking or termination of bank accounts.

An appropriate way to eliminate risks is a precise legal analysis of the business model, proper setup of contractual documentation, and transparent communication with financial institutions.

If your model may come close to regulated services (e.g., custody or intermediation), it is also appropriate to assess the requirements for CNB licensing & investments.

Given the full effectiveness of MiCA and the EU’s new sanctions framework, it is essential for merchants to continuously update their general terms and conditions, customer agreements, and internal policies. Regulation overlaps with tax rules, customs law, and rules limiting cash payments.

The practical impact on accounting and taxes is also summarized in the follow-up text Corporate investments in cryptocurrencies 2026: Accounting procedures and rules for taxing profits when purchasing under a company ID number (IČO).

ARROWS advokátní kancelář provides clients in this segment with comprehensive legal, regulatory, and tax advice with the aim of ensuring full compliance with applicable legislation.

What it means today to be a crypto-technology merchant

The category of crypto-technology merchants continues to evolve in practice and is much broader than a classic e-shop selling hardware wallets. For AML assessment purposes, it is very important to distinguish what exactly the company sells, what services it adds, and to which clients it supplies. From a legal perspective, the material function is decisive.

A typical business model is the sale of mining equipment, i.e., specialized machines, and in more advanced models sellers also provide installation, software configuration, and subsequent operational management.

The legal-regulatory boundary between the mere sale of equipment and the provision of services related to crypto-assets (in particular administration and custody) is extraordinarily thin in these hybrid models.

In a pure retail model, this is standard electronics distribution; however, many companies offer additional services such as comprehensive onboarding, where they pre-configure the wallet for clients and generate the seed phrase.

If the merchant gains access to private keys or the seed, this amounts to the de facto provision of custody and administration of crypto-assets for third parties within the meaning of MiCA. This automatically creates an obligation to hold the relevant authorization.

Specific procedures on how to set up compliance and work with regulatory uncertainty in the crypto business are discussed in the article Why ARROWS is the first choice for crypto projects: Ensuring full compliance and a safe path through a still-evolving regulatory environment.

The development of the ecosystem also brings hybrid models, for example combining the sale of mining rigs with an offer of turnkey cloud mining, or selling hardware tied to a staking program.

What is described in marketing as a complete technical solution for mining may, in the eyes of the regulator, be the provision of a financial service or the management of third-party assets. Legally, AML regulation targets these activities, and it is necessary to anticipate possible classification as an obliged entity.

ARROWS advokátní kancelář helps clients identify risky elements of their business model in time and propose adjustments that preserve commercial value while eliminating legal risks.

These adjustments often include reviewing and negotiating key arrangements with suppliers, customers, or hosting partners as part of contracts and negotiations.

AML regulation in the Czech Republic and the EU: where the risk for crypto technology comes from

The statutory regulation in the Czech Republic is Act No. 253/2008 Coll., on certain measures against the legalization of proceeds of crime (the Czech AML Act). This Act defines obliged entities, which also include persons providing services related to crypto-assets.

These entities have a statutory obligation to identify and verify clients, assess risk factors, retain documentation, and report suspicious transactions to the Financial Analytical Office (FAÚ).

The scope of regulated activities covers not only the classic exchange of crypto-assets for fiat currencies, but also the operation of trading platforms, the execution of orders and, last but not least, the custody and administration of crypto-assets on behalf of clients. For crypto-technology merchants, the key principle is the principle of substantive truth.

If a seller crosses the line beyond the sale of goods and becomes involved in the administration, transfer, or holding of clients’ crypto-assets, they become an obliged entity with all related obligations.

European developments from AML directives to crypto-asset regulation

In recent years, the European Union has significantly tightened supervision over the entire crypto ecosystem. A key pillar is the Regulation on Markets in Crypto-assets (MiCA), which introduced a uniform licensing and supervisory regime for service providers (CASPs) across the entire EU single market.

At the same time, the Regulation on transfers of funds has entered into full effect, applying to crypto-asset transactions the obligation to collect and transmit accurate information about the originator and the beneficiary.

In 2026, the new European supervisory authority (AMLA) is already fully operational, coordinating national financial intelligence units and supervising the most complex cross-border entities. European regulation also monitors the technical interfaces and infrastructure that enable the holding and transfer of crypto-assets.

For pure hardware sellers who only distribute physical devices without custody services, the rule is that, in and of themselves, they do not fall under the MiCA licensing regime or the definition of a CASP.

If software enables a user to initiate transactions via integrated third parties and the seller collects commissions from these transactions or technically co-signs them, regulators assess such conduct as intermediation of services related to crypto-assets.

Borderline activities and the definition of services

Identifying borderline activities is essential for crypto-technology merchants to prevent unauthorised business activity and breaches of AML legislation. The most common borderline activities include, in particular, the backup and administration of private keys or seeds.

If the seller is able, independently or in cooperation with other entities, to authorise transactions involving a client’s crypto-assets, this constitutes a regulated custody service.

If a hosting provider manages a client’s mining account in a pool and then distributes the mined crypto-assets to the client’s wallet, this activity may be classified as the administration of crypto-assets or the execution of orders on behalf of the client.

The sale of devices with pre-installed third-party software, where the seller collects commissions for intermediating financial services, represents a significant risk from the regulators’ interpretative perspective.

ARROWS advokátní kancelář carries out detailed legal audits in these borderline areas and proposes adjustments to contractual documentation so that the client’s activity falls outside the regulated regime.

Typical AML risks for mining hardware merchants

Trading in hardware for crypto-asset mining shows specific AML risks that standard IT equipment distribution does not. Mining equipment is an investment asset with a high acquisition value that generates highly liquid assets.

Offenders purchase mining equipment using illegally obtained funds, while the mined crypto-assets are then perceived as newly generated and without history.

For these newly generated crypto-assets, there is no prior transaction history linking them to criminal activity on the blockchain. A merchant who sells mining equipment without verifying the origin of the buyer’s funds may therefore become part of a laundering chain.

The export of high-performance mining equipment to sanctioned countries constitutes a direct breach of the Act on the Implementation of International Sanctions, which leads to high fines.

In hosted models, there is also the risk that a party involved in cybercrime operates equipment on the data centre premises. A hosting operator who does not know the true identity of the machine owners exposes themselves to the risk of the hardware being seized by the police.

Risks relating to hardware wallets and custody services

The distribution of hardware wallets entails specific risks, especially in the area of supply chain integrity and protection against facilitating illegal financial flows. A fundamental risk is a supply chain attack.

If the device were physically compromised before delivery to the end customer, clients’ crypto-assets could be stolen.

If a seller offers supplementary software enabling direct interaction with DeFi protocols without KYC checks, they risk their infrastructure being used to anonymise illegal funds. Regulators strictly sanction integrations that circumvent the rules for crypto-asset transfers.

If a merchant stores physical backups of private keys as well as backup seeds for clients and has access to them, they assume the position of an institution administering third-party assets.

Reputation, banks, and supply chains

The relationship with banking institutions is the most sensitive operational point for crypto-technology merchants. The banking sector in the Czech Republic as well as across the European Union applies a very conservative approach (de-risking) towards entities connected with the crypto ecosystem.

If a merchant cannot provide the bank with credible evidence of client identification (KYC) and the origin of funds, the bank will reject the transaction and file a report with the FAÚ.

In the vast majority of cases, the bank will then unilaterally terminate the contractual relationship and close the accounts. The loss of banking access is fatal for a hardware merchant, as it prevents the payment of supplier invoices and the acceptance of customer payments.

Having a functional and professionally prepared AML framework implemented is therefore an absolutely essential condition for keeping the business running, regardless of obliged-entity status.

Most frequent questions on classifying a merchant as an obliged entity

In this section, we summarise practical questions that we typically address with clients in connection with whether or not they are an obliged entity under AML regulations.

1. Do the obligations under the AML Act apply to a standard e-shop that sells exclusively physical hardware wallets to end consumers?
If the e-shop carries out purely boxed sales of unformatted hardware wallets, does not accept payments in crypto-assets without immediate conversion to fiat, and does not interfere with the setup of access credentials, it is not an obliged entity under the AML Act. However, it must comply with general sanctions regulations and cash payment limits.

2. Does a mining hardware seller become an obliged entity if it offers colocation (machine placement) and technical management services?
The mere rental of rack space and the supply of electricity does not make anyone an obliged entity. However, if the provider participates in the administration of the client’s mining accounts, receives proceeds into its own wallets, and then redistributes them, it becomes an obliged entity providing services related to crypto-assets.

3. Is providing customer support during the initial wallet setup risky from an AML perspective?
Yes, it is risky. If an e-shop employee, as part of support, sees the client’s seed phrase or helps generate it, there is a risk that the activity will be reclassified as a custody service. Compliance requires strict process settings so that employees never come into contact with clients’ private keys.

In each of these situations, it depends on the details of the specific practice, the wording in the contracts, and how the company communicates its services externally. That is why it makes sense to consult similar models in advance with attorneys from ARROWS, a Prague-based law firm.

For a quick assessment and consultation of a specific model, you can contact our specialists by email at office@arws.cz.

What an effective AML framework looks like for a merchant

The basic building block of a compliance system is a risk-based approach. This principle requires that the merchant does not proceed mechanically, but identifies, assesses, and continuously manages the specific risks to which its business is exposed.

For low risk, such as a standard e-shop sale of a single hardware wallet to a natural person from the EU, basic transaction monitoring is sufficient.

Medium risk is represented, for example, by the sale of a smaller number of mining devices to a Czech legal entity with a clear ownership structure. This requires standard company identification and verification of the beneficial owner in the register (UBO).

High risk is represented by the sale of large-volume mining rigs, colocation services for foreign entities, or payments made in crypto-assets.

AML policy, guidelines, and internal control

If, based on the analysis, the merchant is classified as an obliged entity, it is legally required to prepare and implement a system of internal policies and procedures (SVZ). This document must be updated regularly and must describe in detail the process of client identification and verification.

The guidelines must also include a list of red flags specific to crypto infrastructure, such as purchases through intermediaries or payments from high-risk wallets.

The internal framework must also include a program of regular employee training focused on frontline staff. Employees must know exactly what customer behavior requires immediate escalation to the compliance department.

ARROWS, a Prague-based law firm, helps clients with the complete preparation of SVZ, internal guidelines, and tailored risk assessments that will stand up to inspections by the FAÚ (the Czech Financial Analytical Office).

Cooperation with banks and payment institutions

The relationship with financing banks requires a proactive and maximally transparent approach from the crypto-technology merchant. Attempts to conceal the business’s link to the crypto sector from the bank end in immediate termination of cooperation by the bank’s compliance team.

We recommend that, already when opening an account, you present the bank with the complete business model and a voluntarily prepared AML policy, which significantly increases the company’s credibility.

Before executing an exceptionally large payment, we recommend sending the bank supporting documents in advance, such as contracts, invoices, or the client’s KYC profile. This reliably prevents automatic blocking of the payment and restrictions on account access.

Attorneys from ARROWS, a Prague-based law firm, help clients formulate responses to banks’ queries, structure information about the business model, and personally represent them in negotiations.

Table of risks and solutions

The following table summarizes several typical problematic situations that crypto-technology merchants encounter and states how ARROWS, a Prague-based law firm, can help in specific terms.

| Potential issues | How ARROWS can help (office@arws.cz) |
| --- | --- |
| Purchase of mining equipment by an anonymous or high-risk entity: An unusual order for a large number of ASIC miners; the buyer is a shell company based offshore with no clear history. | We will prepare practical procedures for identifying and verifying beneficial owners (UBO). We will set criteria for assessing the source of funds and prepare contractual clauses. |
| Export of mining devices to high-risk countries: Risk of breaching sectoral or individual international sanctions and exporting to embargoed areas. | We will carry out a legal analysis of the transaction’s compliance with sanctions regulations. We will implement tools for screening sanctions lists and prepare End-User clauses. |
| Setting up hardware wallets including seeds: Offering additional services for configuration and storage of backups, creating a risk of unauthorized provision of custody services. | We will conduct a legal audit of your technical support processes. We will amend the terms and conditions to make it clear that the key holder is exclusively the client. |
| Combination of hardware sales and hosted mining: Offering hybrid packages that create uncertainty as to whether it is necessary to hold a Crypto-Asset Service Provider (CASP) license under MiCA. | We will propose the optimal legal structure for the project to eliminate regulatory grey areas. If needed, we will guide you through the entire registration process with the Czech National Bank (ČNB). |
| Pressure from a bank or investor to evidence AML setup: Threat of immediate blocking of operating accounts or refusal of investment capital due to the sector’s risk profile. | We will prepare a professional compliance package, SVZ, and risk assessment for your company. We will represent you in negotiations with bank analysts. |

If any of the issues listed affects your company, we recommend addressing the situation in advance and contacting specialists from ARROWS, a Prague-based law firm, at office@arws.cz.

Most common questions on setting up AML processes

In this section, we will focus on several practical questions related to the company’s day-to-day operations and the setup of internal mechanisms.

1. How should we proceed in practice if a client requests to purchase hardware wallets or mining equipment and pay in cash?
In the Czech Republic, a strict limit applies to cash payments under the Act on Limitation of Cash Payments, amounting to CZK 270,000 within one day. For crypto-technology merchants, we recommend setting an internal limit for accepting cash significantly lower, as a high-value cash transaction is a strong AML red flag.

2. What should we do if a client avoids presenting identification documents when purchasing a more expensive mining rig?
If the client refuses to provide the cooperation necessary to carry out identification, the merchant must not execute the transaction. In such a case, the deal must be refused without delay, the goods must not be dispatched, and the funds must be returned to the account from which they were received.

3. Is it necessary to conduct regular AML training for all employees, or is it sufficient to train only the company’s management?
Under the AML Act, all employees who may, in the course of their work, come into contact with suspicious transactions must be trained. Training must be carried out at least once a year, or whenever internal policies are amended, and a written record of the training must be kept, including the signatures of the trained persons.

All of these questions have one thing in common: without clear rules and management support, compliance becomes an ineffective agenda that creates extra work for employees but does not provide real protection.

If you want to set up AML processes so that they make sense and are sustainable in the long term, you can contact the attorneys at ARROWS advokátní kancelář by email at office@arws.cz.

Cross-border element and international risks

Trade in crypto-technology is inherently strongly international in nature. Manufacturing capacity for key components is concentrated in the Asian region, distribution takes place through global logistics hubs, and end customers are located all over the world.

When importing mining equipment into the EU, the importer must meet strict standards, and from an AML perspective it is crucial to declare the customs value of the goods absolutely correctly.

When exporting crypto-technology outside the EU, the trader must thoroughly screen not only the destination country, but above all the end user. High-performance mining equipment may fall under the dual-use goods regime.

Including an end-user clause in sales agreements is a standard protective measure preventing exports to sanctioned regions.

International standards and supervisory trends

Regulation of crypto-assets and related technical infrastructure is shaped by the international standards of the Financial Action Task Force (FATF). In its recommendations, it insists that states apply regulation and supervision to all entities carrying out CASP activities.

Supervisory authorities are also shifting responsibility for illegal transactions onto software developers and hardware distributors if they facilitate circumvention of the rules.

As part of cross-border supervision, there is intensive information exchange between financial intelligence units. If a foreign entity is investigated for financial crime, the Czech FAÚ (Financial Analytical Office) will initiate an inspection at the domestic trader focused on verifying the origin of funds.

Management liability and personal risks

Members of the statutory bodies of crypto-technology traders bear significant personal responsibility in connection with AML and sanctions compliance. Under the Civil Code, each member of an elected body is required to perform their function with due managerial care.

Neglecting compliance obligations and ignoring AML regulations constitutes a direct breach of due managerial care, with the risk of personal liability for damages.

From a criminal law perspective, ignoring warning signs may lead to charges for negligent money laundering or breaches of international sanctions. For the personal protection of management, it is crucial to have all compliance decisions properly documented.

ARROWS advokátní kancelář has exceptional professional liability insurance with coverage limits of up to CZK 400,000,000, providing our clients with absolute legal certainty.

Scenarios from practice

Case study: an e-shop with a starter package

Let us imagine a company that operates an e-shop selling hardware wallets and offers its clients an additional service in the form of assistance with initial setup and generating the seed phrase. The service consists of the company’s technician guiding the client through the entire process.

If the technician gains access to the displayed seed phrase, the company assumes control over the client’s crypto-assets and the relationship qualifies as the provision of a custody service.

ARROWS advokátní kancelář recommends restructuring the service so that the contractual terms and internal methodology explicitly prohibit technicians from any contact with the seed phrase.

Sale of mining rigs with hosting

A trading company sells high-performance mining rigs and, as its main selling point, offers the option of immediate hosting in its own data centre. The client signs a purchase agreement for the hardware and, at the same time, an agreement for the provision of hosting services.

If mining proceeds are first sent to the operator’s collection wallet, this involves executing payment transactions and administering crypto-assets for third parties.

At ARROWS advokátní kancelář, in such cases we adjust the contractual architecture so that mining proceeds are directed straight to the client’s private wallet.

Combination of equipment sales and an investment programme

The company offers a product described as passive income from mining. The client formally purchases a share in mining equipment and signs a joint mining agreement. The company manages the entire farm, pays energy costs, and pays the client the net proceeds in crypto-assets.

This model shows strong characteristics of collective investment without the relevant Czech National Bank (ČNB) licence, and attempts to disguise an investment product as hardware sales are risky.

The attorneys at ARROWS advokátní kancelář help adapt the project to comply with legislation, or set it up in line with the licensing requirements for CASPs.

Final summary

Crypto-technology traders—sellers of mining equipment, hardware wallets, and providers of related IT and hosting services—are no longer an invisible segment outside the authorities’ interest. The entry into force of the MiCA and TFR regulations has created an environment where ignoring compliance risks is a path to the liquidation of a business.

Any facilitation of key management, wallet configuration, or distribution of mining proceeds must be subject to strict legal assessment to avoid the unauthorised provision of financial services.

However, a well-designed and professionally implemented compliance framework is not a brake on business. Demonstrable compliance opens the door to stable relationships with reputable banks, facilitates onboarding with global distributors, and increases the company’s value in the eyes of potential investors.

ARROWS advokátní kancelář has deep expertise in crypto regulation and will help you analyse your business model, identify risk areas, and create a functional system of internal policies.

To agree on a specific course of action and ensure the smooth operation of your business, you can contact us at office@arws.cz.

Frequently Asked Questions on Risks in the Crypto Sector

1. How do I know whether my company is an obliged entity under the AML Act?
Whether your company falls among obliged entities depends on the substantive nature of your services. If your activity consists purely of selling hardware without any ancillary services, you are not an obliged entity. However, if you provide customers with crypto-asset custody services, generate private keys for them, or administer their mining accounts, you are an obliged entity.

2. Do I have to carry out KYC even if I am not formally an obliged entity?
The law does not impose this on you directly, but in practice it is recommended. Without basic customer due diligence, you expose yourself to the risk of becoming involved in circumvention of international sanctions. In addition, banks require evidence of the source of funds and identification of counterparties for transactions related to crypto technology.

3. What are the biggest practical risks if I do not address AML at all?
The main risks include the immediate blocking and closure of operating accounts by the bank due to unacceptable AML risk. There is also the risk of financial penalties from the FAÚ (the Czech Financial Analytical Office) for failure to comply with obligations, personal criminal liability of statutory bodies, and confiscation of goods in the course of investigations involving your clients.

4. What documents and processes should I have prepared to satisfy banks and investors?
Banks and professional investors will require a documented written risk assessment, a system of internal policies and procedures (SVZ), an internal policy on implementing international sanctions, template contractual documentation clearly defining the technical nature of your services, and evidence of regular employee training.

5. How often do I have to review and update the AML framework?
Obliged entities have a statutory duty to review their risk assessment and system of internal policies and procedures at least once a year. In addition, this must be done without undue delay whenever there is any material change in the product offering, technologies, or upon entering new foreign markets.

6. What should we do if an inspection by the FAÚ is already underway, or we have a dispute with a bank due to AML?
In such a situation, it is necessary to act immediately and professionally. Any ill-considered communication with bank analysts can make the situation worse. Gather all supporting documentation, the transaction history of the affected deals, and contact specialised legal advisers without delay.

Legal Notice

The information contained in this article is of a general informational nature only and is intended for basic guidance based on the legal status as of 2026. Legal regulations evolve over time; therefore, each case must be assessed individually.

We are ARROWS, a law firm in Prague, an entity registered with the Czech Bar Association, and for our clients’ protection we maintain professional liability insurance with a limit of CZK 400,000,000. To verify how this applies to your situation, contact us at office@arws.cz.
