The 90-minute onboarding interview is where your crypto firm's bank account is actually won or lost. Forms get filled in afterwards. Decks get circulated afterwards. The decision is made in the room — by a relationship manager, a financial-crime officer, and (often) a credit officer scoring you against a private rubric you will never see.

Most applicants walk in expecting a conversation. It is not. It is a structured assessment of business model, AML controls, transaction profile, sanctions exposure, and governance. There are 23 questions that recur across nearly every Tier-1 EU bank, specialist crypto-native EMI, and qualified custodian onboarding panel.

This guide lists all 23, the red-flag answers that quietly fail you, and the evidence to bring so the file confirms what you said in the room. We call this rehearsal framework The 23-Question Onboarding Rehearsal.

Why the Interview Decides It (and the Forms Confirm It)

Banks onboard crypto firms under a risk-based approach mandated by their own home regulator. In the UK that obligation lives in FCA SYSC 6[1] — compliance, internal audit, and financial crime. The interview exists to produce contemporaneous notes the bank's own auditors and supervisors will later read.

That means every answer you give is written into the bank's permanent customer file. A vague answer becomes a vague file note. A vague file note becomes a reason to exit three years later when a supervisor flags the relationship.

Forms confirm what the interview already decided. The diligence file is the evidence layer that the interview answer was real. If the file contradicts what you said in the room, the file wins.

Treat the interview as a sworn interview, not a sales pitch. The banker is writing a customer-risk memo in real time. Your job is to dictate the favourable sentences.

What the Banker Is Actually Grading

Every panel scores against an internal rubric derived from the EBA Guidelines on customer due diligence (EBA/GL/2023/03)[2]. Crypto is treated as a higher-risk sector requiring enhanced due diligence (EDD) — not because crypto is illicit, but because the sector has historically generated disproportionate SAR volume per account.

The rubric scores five dimensions: business-model clarity, AML control maturity, transaction-flow predictability, sanctions-edge defensibility, and governance escalation. Each gets a score, and a single red-flag answer in any one dimension can sink the entire application.

The five categories below map 1:1 to the 23 questions. Rehearse all 23. Do not assume any are throwaway.

Category 1 — Business Model (Questions 1–5)

The opening five questions test whether you can explain what your business does in 60 seconds without using marketing language. The banker is grading coherence between revenue model and AML risk.

Q1. Describe your business in one sentence — what do you do, for whom, how do you make money?

What the banker grades: can you state your regulated activity, customer segment, and revenue mechanism in one breath? Red flag: a 5-minute monologue about vision, ecosystem, and disruption. Evidence: a one-page business model summary you can hand across the table.

Q2. What licence(s) do you hold, with which regulator, and what activities do they authorise?

What the banker grades: are you actually doing what you are authorised to do? Red flag: vague reference to "crypto licence" without naming the regulator, register entry number, or scope of activities. Evidence: the licence certificate, regulator register screenshot, and a one-line summary of authorised activities.

Q3. Who are your customers — retail, professional, institutional? Geographic split?

What the banker grades: do your customers match the bank's appetite? Red flag: "retail customers globally" with no jurisdictional breakdown. Evidence: a customer-segmentation table showing retail/professional/institutional split, top-10 source countries, and explicit exclusion of FATF grey-list / black-list jurisdictions.

Q4. What is your projected monthly transaction volume in EUR — both fiat and crypto legs?

What the banker grades: is your number realistic, defensible, and inside the bank's correspondent-banking limits? Red flag: "€500M/month in year 1" with no customer pipeline. Evidence: a month-by-month volume projection tied to signed LOIs or live customer count.

Q5. What is your business model in three years — and which licences will you need then?

What the banker grades: will the relationship still fit three years from now? Red flag: silence, or a pivot to a higher-risk activity (token issuance, lending, leverage) that requires a licence you do not hold. Evidence: a 3-year licensing roadmap with regulator engagement already underway.

Category 2 — AML & Transaction Monitoring (Questions 6–10)

The AML block is the longest and the most failure-prone. Under Regulation (EU) 2024/1624 (AMLR)[3], obliged entities — including the banks onboarding you — must demonstrate risk-based customer due diligence with documented controls. Your AML maturity becomes their AML defence.

Q6. Who is your MLRO, where do they sit on the org chart, and what is their reporting line?

What the banker grades: does your MLRO have genuine independence and a direct line to the board? Red flag: MLRO reports to the CEO, has no board access, or is the same person as the Head of Operations. Evidence: org chart, MLRO appointment letter, board-pack template.

Q7. Walk us through a customer's KYC journey — from sign-up to first transaction.

What the banker grades: is your KYC actually risk-based, or one-size-fits-all? Red flag: identical KYC for a €100 retail user and a €5M institutional desk. Evidence: a tiered onboarding matrix — KYC-light / standard / EDD — with explicit triggers (volume, jurisdiction, PEP, source-of-funds complexity).

Q8. What transaction-monitoring system do you use, and who tunes the rules?

What the banker grades: do you have an enterprise-grade TM platform and a documented rule-tuning governance? Red flag: "we built it in-house" with no audit trail. Evidence: TM vendor contract, current rule library, last quarterly rule-tuning minutes, and on-chain analytics vendor (Chainalysis, Elliptic, or TRM Labs) integration spec.

Q9. How many SARs did you file last year — and to which FIU?

What the banker grades: do your SAR numbers look realistic for your volume and customer mix? Red flag: "zero SARs" combined with high volume — that signals you are not detecting anything. Equally bad: "hundreds" with no quality narrative. Evidence: SAR register summary (numbers and categories only — not contents).

Q10. How do you handle Travel Rule for crypto transfers?

What the banker grades: are you compliant with the FATF Updated Guidance for VASPs (2021)[4] and the EU Transfer of Funds Regulation? Red flag: "we don't process crypto-to-crypto transfers" when your licence says you do. Evidence: Travel Rule vendor (Notabene, Sumsub, Sygna, Veriscope), counterparty due-diligence policy, and unhosted-wallet handling procedure.

Category 3 — Transaction Profile (Questions 11–15)

This block tests whether the bank can predict your account behaviour. Predictable flows pass. Unpredictable flows trigger exit within 6–12 months even if onboarded.

Q11. Describe a typical month — number of transactions, average size, peak day.

What the banker grades: can the bank build an expected-activity profile from your answer? Red flag: "it varies" with no numbers. Evidence: a 12-month transaction histogram showing count, value, peak-to-trough range.

Q12. What are your top-5 counterparty banks and crypto exchanges?

What the banker grades: are your counterparties reputable, regulated, and in low-risk jurisdictions? Red flag: top counterparties domiciled in FATF grey-list jurisdictions or unlicensed exchanges. Evidence: counterparty list with licence references and EDD files for each top-10 counterparty.

Q13. What percentage of inflows arrive from outside the EEA?

What the banker grades: correspondent-banking risk concentration. Red flag: ">80% from third countries" with no breakdown by jurisdiction or counterparty bank. Evidence: geographic inflow heatmap and policy for handling high-risk third countries.

Q14. Do you handle cash-equivalent instruments — stablecoins, USDT, USDC?

What the banker grades: under MiCA, do you understand the difference between EMT, ART, and unbacked tokens? Red flag: treating all stablecoins identically. Evidence: token-whitelist policy, issuer due-diligence file per stablecoin, and de-listing protocol.

Q15. What is your largest single transaction in the last 12 months — and what was the source of funds?

What the banker grades: can you walk a single transaction end-to-end with full source-of-funds documentation? Red flag: hesitation, or "I'd have to check". Evidence: a redacted case study pre-prepared for the meeting.

Category 4 — Sanctions & Sanctions-Edge (Questions 16–20)

Sanctions failure is the single biggest fear inside the bank's financial-crime function. The questions in this block are deliberately pointed. Expect them to be asked twice, in two different ways, to test consistency.

Q16. Which sanctions lists do you screen against, and on what frequency?

What the banker grades: do you screen against OFAC, EU Consolidated, UK OFSI, UN, and HMT — at minimum — at onboarding and on a daily refresh? Red flag: "OFAC only, at onboarding". Evidence: sanctions vendor contract, daily refresh logs, and false-positive review SLA.

Q17. How do you handle Russia, Belarus, Iran exposure — directly or via counterparties?

What the banker grades: do you have a written sanctioned-jurisdictions policy and a hard block at IP, KYC, and counterparty levels? Red flag: any answer involving "case-by-case" for these jurisdictions. Evidence: blocked-jurisdiction policy, IP-geofencing logs, and counterparty risk file.

Q18. How do you detect sanctions-evasion typologies in crypto — chain-hopping, mixers, privacy coins?

What the banker grades: is your on-chain analytics actually configured for sanctions-evasion typologies? Red flag: "the vendor handles that". Evidence: on-chain rule library, mixer-exposure threshold, privacy-coin handling policy, and a sample alert with disposition.

Q19. Walk us through a true-hit sanctions alert from the last 12 months.

What the banker grades: have you actually run the escalation pipeline end-to-end? Red flag: "we've never had one" at volume. Evidence: a redacted alert-to-SAR case study with timestamps, decision-maker, and outcome.

Q20. Who has authority to freeze an account — and within what SLA?

What the banker grades: can you freeze within hours, not days? Red flag: freeze requires a board resolution or a software release. Evidence: freeze-authority matrix, documented SLA (target: under 2 hours), and a tested fire-drill log.

Category 5 — Escalation & Governance (Questions 21–23)

The final block tests whether you actually run the firm or whether you are a founder with a compliance veneer. The reference point is the EBA Guidelines on internal governance (EBA/GL/2021/05)[5]. Banks expect that even unregulated parts of your firm follow the spirit of these guidelines.

Q21. Describe your three lines of defence — and name the head of each.

What the banker grades: do you have genuine separation between operations, compliance, and internal audit? Red flag: the same person heads two lines. Evidence: three-lines-of-defence org chart with named individuals and CVs.

Q22. How often does your board review AML and sanctions MI — and what do they actually see?

What the banker grades: is your board genuinely engaged or rubber-stamping? Red flag: "annually, in the audit". Expected: monthly or quarterly board pack with SAR count, alert backlog, sanctions hits, and key-control breaches. Evidence: a redacted board pack.

Q23. If we onboard you and something goes wrong tomorrow — who do we call, and at what hour?

What the banker grades: is there a 24/7 escalation contact and a named senior individual accountable? Red flag: a generic compliance@ inbox. Evidence: a single-page escalation contact card with named individuals, mobile numbers, and backup contacts. Hand it to the banker before they ask.

Strong, Weak, and Red-Flag Answer Patterns

The table below shows how the same question produces three very different file notes depending on how it is answered. Rehearse to the Strong column.

Sample interview answers ranked Strong / Weak / Red-flag, with the file note each one produces.

| Question | Strong answer | Weak answer | Red-flag answer |
|---|---|---|---|
| Q1. Describe your business | "Authorised CASP under MiCA in [EEA jurisdiction], reg. no. X, providing custody and execution to professional clients only. Revenue: 80% trading fees, 20% custody fees." | "We're a crypto exchange." | "We're building the future of decentralised finance for everyone." |
| Q6. Who is your MLRO | "Named individual, 15 years AML experience, reports directly to the board, no operational reporting line. Independent budget of €X." | "Our Head of Compliance." | "The CEO covers compliance for now." |
| Q9. SARs filed last year | "42 SARs filed to [FIU], 18 stablecoin-related, 9 sanctions-edge, 15 source-of-funds escalations. Trend: stable vs prior year." | "A few." | "None — we haven't seen anything suspicious." |
| Q17. Russia/Belarus/Iran | "Hard-blocked at IP, KYC, and counterparty layers. No case-by-case exceptions. Policy approved by board Dec 2025." | "We screen for them." | "We assess case-by-case for legacy customers." |
| Q20. Freeze authority | "MLRO can freeze unilaterally within 30 minutes. CTO + Head of Ops as backups. Last fire-drill: March 2026." | "Compliance team has access." | "It requires a board sign-off." |
| Q23. Who do we call | "Single-page contact card: MLRO mobile, CEO mobile, CTO mobile, all 24/7. Acknowledgment SLA: 30 minutes." | "Email our compliance team." | "Use the contact form on our website." |

Preparation Checklist by Attendee Role

Sending the wrong people is a common failure. The bank expects CEO + MLRO at minimum, with the CFO and COO in support. Each owns a different set of questions.

Who owns which questions and what each attendee should rehearse before the interview.

| Role | Owned questions | Rehearsal focus | Documents to bring |
|---|---|---|---|
| CEO | Q1, Q2, Q3, Q5 | Business model in one sentence, licensing roadmap, customer segmentation logic. | Board-approved strategy deck, customer-segmentation table, 3-year licensing roadmap. |
| MLRO | Q6–Q10, Q16–Q19, Q22 | KYC tiering, TM rule-tuning, SAR narrative, sanctions escalation, board MI cadence. | KYC matrix, TM rule library, SAR register summary, sanctions policy, redacted board pack. |
| CFO | Q4, Q11, Q13, Q15 | Volume projections tied to pipeline, transaction histogram, largest-transaction case study. | 12-month transaction histogram, signed-LOI summary, redacted source-of-funds case study. |
| COO | Q12, Q14, Q20, Q21, Q23 | Counterparty list, stablecoin policy, freeze SLA, three-lines org chart, escalation card. | Counterparty file, token-whitelist policy, fire-drill log, org chart, 24/7 contact card. |

The Three Common Rehearsal Failures

Across hundreds of crypto-firm bank applications, three rehearsal failures recur. Each is correctable.

Failure 1 — Rehearsing the deck, not the questions

Founders practise the pitch and freeze on the AML detail questions. The fix: brief the MLRO to take the AML block entirely, with the CEO interrupting only when business context is needed.

Failure 2 — Answering with the website, not the operations

Marketing language ("institutional-grade", "best-in-class compliance") triggers a negative file note. The fix: replace every adjective with a number, a vendor name, or a control reference.

Failure 3 — Inconsistent answers between attendees

The CEO says "€10M/month"; the CFO says "€25M/month". The banker writes a "governance concern" note that kills the application. The fix: an internal pre-brief where every projected number, vendor name, and policy version is locked.

The 48-Hour Pre-Interview Checklist

Use this checklist in the 48 hours before the interview. Treat each item as binary: done or not done.

  1. Confirm attendees: CEO + MLRO mandatory; CFO + COO recommended.

  2. Print the 23 questions and assign one owner per question.

  3. Hold a 2-hour mock interview with an external advisor playing banker.

  4. Lock the number set: volume, SAR count, freeze SLA, board cadence.

  5. Pre-build a leave-behind pack: one-page business summary, org chart, KYC matrix, sanctions policy, escalation card.

  6. Refresh sanctions screening evidence so the most recent daily refresh log is dated within 24 hours.

  7. Brief on banker style: answer first, evidence second, do not volunteer extra risk.

FAQ

What questions do banks ask crypto companies at onboarding?

Banks structure onboarding interviews around five categories: business model, AML and transaction monitoring, transaction profile, sanctions exposure, and escalation and governance. Expect roughly 23 recurring questions across the five blocks, plus follow-ups based on the answers.

How long does a bank onboarding interview take?

Typically 60–90 minutes, with the first 15 minutes on business model and the remainder split between AML, sanctions, and governance. Complex applicants — multi-jurisdictional groups, novel token models — should expect a second session.

Who from a crypto firm should attend the bank onboarding interview?

At minimum the CEO and the MLRO. For larger or higher-volume firms, add the CFO and COO. Sending only sales or business-development staff is treated as a red flag — banks need to see the people who are accountable for the controls.

What is the single biggest red flag in a bank onboarding interview?

Inconsistency between attendees on projected volumes, SAR counts, or sanctioned-jurisdiction policy. A single contradiction triggers a governance concern in the file note and is the most common reason for a quiet rejection.

Can a crypto firm fix a failed bank onboarding interview?

Sometimes — by sending a structured written follow-up within 48 hours that addresses the weak answers with documentation. More often, the cleaner path is to approach a different bank with a corrected file. Repeated reapplication to the same bank after rejection is rarely productive.

The 23-question interview is not a hazing ritual. It is the working session in which your bank decides whether to bet its own licence on you. Rehearse to the Strong column, bring the evidence file, and treat every answer as a sentence in your permanent customer record. The firms that win bank relationships in 2026 are not the firms with the slickest decks — they are the firms whose interview answers, file notes, and diligence files tell the same story.

Footnotes & Citations

  1. FCA Handbook, SYSC 6 — Compliance, internal audit and financial crime. UK Financial Conduct Authority.

  2. EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider — EBA/GL/2023/03. European Banking Authority, 2023.

  3. Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR).

  4. FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, 2021. Financial Action Task Force.

  5. EBA Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05). European Banking Authority, 2021.
