---
title: "The 23-Question Bank Onboarding Interview for Crypto Firms: How to Rehearse"
slug: bank-onboarding-interview-23-questions
publishedAt: 2026-05-24T12:30:00Z
author: Finconduit Editorial Team
tags: AML, MiCA, AMLR, PSD2
canonicalUrl: https://finconduit.com/resources/bank-onboarding-interview-23-questions
---
# The 23-Question Bank Onboarding Interview for Crypto Firms: How to Rehearse

The 23 questions a banker asks a crypto firm at onboarding, the red-flag answers, the evidence to bring, and how to rehearse before the panel.

The **90\-minute onboarding interview** is where your crypto firm's bank account is actually won or lost. Forms get filled in afterwards. Decks get circulated afterwards. The decision is made in the room — by **a relationship manager, a financial\-crime officer, and \(often\) a credit officer** scoring you against a private rubric you will never see.

Most applicants walk in expecting a **conversation**. It is not. It is a **structured assessment** of business model, AML controls, transaction profile, sanctions exposure, and governance. There are **23 questions** that recur across nearly every Tier\-1 EU bank, specialist crypto\-native EMI, and qualified custodian onboarding panel.

This guide lists all 23, the **red\-flag answers that quietly fail you**, and the evidence to bring so the file confirms what you said in the room. We call this rehearsal framework ***The 23\-Question Onboarding Rehearsal***.

## Why the Interview Decides It \(and the Forms Confirm It\)

Banks onboard crypto firms under a **risk\-based approach** mandated by their own home regulator. In the UK that obligation lives in [FCA SYSC 6](https://www.handbook.fca.org.uk/handbook/SYSC/6/)[^1] — compliance, internal audit, and financial crime. The interview exists to produce **contemporaneous notes** the bank's own auditors and supervisors will later read.

That means every answer you give is **written into the bank's permanent customer file**. A vague answer becomes a vague file note. A vague file note becomes a **reason to exit** three years later when a supervisor flags the relationship.

Forms confirm what the interview already decided. The **diligence file** is the **evidence layer** that the interview answer was real. If the file contradicts what you said in the room, the file wins.

> **Note:** Treat the interview as a sworn interview, not a sales pitch. The banker is writing a customer\-risk memo in real time. Your job is to dictate the favourable sentences.

## What the Banker Is Actually Grading

Every panel scores against an internal rubric derived from the [EBA Guidelines on customer due diligence \(EBA/GL/2023/03\)](https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-customer-due-diligence-and-factors-credit-and-financial-institutions-should-consider)[^2]. Crypto is treated as a **higher\-risk sector** requiring **enhanced due diligence \(EDD\)** — not because crypto is illicit, but because the sector has historically generated **disproportionate SAR volume** per account.

The rubric scores five dimensions: **business\-model clarity**, **AML control maturity**, **transaction\-flow predictability**, **sanctions\-edge defensibility**, and **governance escalation**. Each gets a score, and a single **red\-flag answer in any one dimension** can sink the entire application.

The five categories below map 1:1 to the 23 questions. Rehearse all 23. Do not assume any are throwaway.

## Category 1 — Business Model \(Questions 1–5\)

The opening five questions test whether you can **explain what your business does in 60 seconds** without using marketing language. The banker is grading **coherence between revenue model and AML risk**.

### Q1. Describe your business in one sentence — what do you do, for whom, how do you make money?

**What the banker grades:** can you state your **regulated activity, customer segment, and revenue mechanism** in one breath? Red flag: a 5\-minute monologue about *vision, ecosystem, and disruption*. Evidence: a **one\-page business model summary** you can hand across the table.

### Q2. What licence\(s\) do you hold, with which regulator, and what activities do they authorise?

**What the banker grades:** are you **actually doing what you are authorised to do**? Red flag: vague reference to *"crypto licence"* without naming the regulator, register entry number, or scope of activities. Evidence: the **licence certificate**, regulator register screenshot, and a one\-line summary of authorised activities.

### Q3. Who are your customers — retail, professional, institutional? Geographic split?

**What the banker grades:** do your customers match the bank's appetite? Red flag: *"retail customers globally"* with no jurisdictional breakdown. Evidence: a **customer\-segmentation table** showing retail/professional/institutional split, top\-10 source countries, and **explicit exclusion of FATF grey\-list / black\-list jurisdictions**.

### Q4. What is your projected monthly transaction volume in EUR — both fiat and crypto legs?

**What the banker grades:** is your number **realistic, defensible, and inside the bank's correspondent\-banking limits**? Red flag: *"€500M/month in year 1"* with no customer pipeline. Evidence: a **month\-by\-month volume projection** tied to signed LOIs or live customer count.

### Q5. What is your business model in three years — and which licences will you need then?

**What the banker grades:** will the relationship still fit **three years from now**? Red flag: silence, or a pivot to a higher\-risk activity \(token issuance, lending, leverage\) that requires a licence you do not hold. Evidence: a **3\-year licensing roadmap** with regulator engagement already underway.

## Category 2 — AML & Transaction Monitoring \(Questions 6–10\)

The AML block is the longest and the most failure\-prone. Under [Regulation \(EU\) 2024/1624 \(AMLR\)](https://eur-lex.europa.eu/eli/reg/2024/1624/oj)[^3], obliged entities — including the banks onboarding you — must demonstrate **risk\-based customer due diligence with documented controls**. Your AML maturity becomes their AML defence.

### Q6. Who is your MLRO, where do they sit on the org chart, and what is their reporting line?

**What the banker grades:** does your MLRO have **genuine independence** and a **direct line to the board**? Red flag: MLRO reports to the CEO, has no board access, or is the same person as the Head of Operations. Evidence: **org chart, MLRO appointment letter, board\-pack template**.

### Q7. Walk us through a customer's KYC journey — from sign\-up to first transaction.

**What the banker grades:** is your KYC **actually risk\-based, or one\-size\-fits\-all**? Red flag: identical KYC for a €100 retail user and a €5M institutional desk. Evidence: a **tiered onboarding matrix** — KYC\-light / standard / EDD — with explicit triggers \(volume, jurisdiction, PEP, source\-of\-funds complexity\).

### Q8. What transaction\-monitoring system do you use, and who tunes the rules?

**What the banker grades:** do you have an **enterprise\-grade TM platform** and a documented **rule\-tuning governance**? Red flag: *"we built it in\-house"* with no audit trail. Evidence: TM vendor contract, current rule library, last quarterly rule\-tuning minutes, and **on\-chain analytics vendor** \(Chainalysis, Elliptic, or TRM Labs\) integration spec.

### Q9. How many SARs did you file last year — and to which FIU?

**What the banker grades:** do your SAR numbers look **realistic for your volume and customer mix**? Red flag: *"zero SARs"* combined with high volume — that signals you are not detecting anything. Equally bad: *"hundreds"* with no quality narrative. Evidence: SAR register summary \(numbers and categories only — not contents\).

### Q10. How do you handle Travel Rule for crypto transfers?

**What the banker grades:** are you compliant with the [FATF Updated Guidance for VASPs \(2021\)](https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html)[^4] and the EU Transfer of Funds Regulation? Red flag: *"we don't process crypto\-to\-crypto transfers"* when your licence says you do. Evidence: **Travel Rule vendor** \(Notabene, Sumsub, Sygna, Veriscope\), counterparty due\-diligence policy, and unhosted\-wallet handling procedure.

## Category 3 — Transaction Profile \(Questions 11–15\)

This block tests whether the bank can **predict your account behaviour**. Predictable flows pass. **Unpredictable flows trigger exit** within 6–12 months even if onboarded.

### Q11. Describe a typical month — number of transactions, average size, peak day.

**What the banker grades:** can the bank build an **expected\-activity profile** from your answer? Red flag: *"it varies"* with no numbers. Evidence: a **12\-month transaction histogram** showing count, value, peak\-to\-trough range.

### Q12. What are your top\-5 counterparty banks and crypto exchanges?

**What the banker grades:** are your counterparties **reputable, regulated, and in low\-risk jurisdictions**? Red flag: top counterparties domiciled in FATF grey\-list jurisdictions or unlicensed exchanges. Evidence: **counterparty list with licence references** and EDD files for each top\-10 counterparty.

### Q13. What percentage of inflows arrive from outside the EEA?

**What the banker grades:** correspondent\-banking risk concentration. Red flag: *"\>80% from third countries"* with no breakdown by jurisdiction or counterparty bank. Evidence: **geographic inflow heatmap** and policy for handling high\-risk third countries.

### Q14. Do you handle cash\-equivalent instruments — stablecoins, USDT, USDC?

**What the banker grades:** under **MiCA**, do you understand the difference between **EMT, ART, and unbacked tokens**? Red flag: treating all stablecoins identically. Evidence: token\-whitelist policy, **issuer due\-diligence file per stablecoin**, and de\-listing protocol.

### Q15. What is your largest single transaction in the last 12 months — and what was the source of funds?

**What the banker grades:** can you walk a **single transaction end\-to\-end** with full source\-of\-funds documentation? Red flag: hesitation, or *"I'd have to check"*. Evidence: a **redacted case study** pre\-prepared for the meeting.

## Category 4 — Sanctions & Sanctions\-Edge \(Questions 16–20\)

Sanctions failure is the **single biggest fear** inside the bank's financial\-crime function. The questions in this block are **deliberately pointed**. Expect them to be asked twice, in two different ways, to test consistency.

### Q16. Which sanctions lists do you screen against, and on what frequency?

**What the banker grades:** do you screen against **OFAC, EU Consolidated, UK OFSI, UN, and HMT** — at minimum — at onboarding and on a **daily refresh**? Red flag: *"OFAC only, at onboarding"*. Evidence: sanctions vendor contract, **daily refresh logs**, and false\-positive review SLA.

### Q17. How do you handle Russia, Belarus, Iran exposure — directly or via counterparties?

**What the banker grades:** do you have a **written sanctioned\-jurisdictions policy** and a **hard block at IP, KYC, and counterparty levels**? Red flag: any answer involving *"case\-by\-case"* for these jurisdictions. Evidence: blocked\-jurisdiction policy, IP\-geofencing logs, and counterparty risk file.

### Q18. How do you detect sanctions\-evasion typologies in crypto — chain\-hopping, mixers, privacy coins?

**What the banker grades:** is your on\-chain analytics **actually configured** for sanctions\-evasion typologies? Red flag: *"the vendor handles that"*. Evidence: **on\-chain rule library**, mixer\-exposure threshold, privacy\-coin handling policy, and a sample alert with disposition.

### Q19. Walk us through a true\-hit sanctions alert from the last 12 months.

**What the banker grades:** have you **actually run the escalation pipeline** end\-to\-end? Red flag: *"we've never had one"* at volume. Evidence: a **redacted alert\-to\-SAR case study** with timestamps, decision\-maker, and outcome.

### Q20. Who has authority to freeze an account — and within what SLA?

**What the banker grades:** can you **freeze within hours, not days**? Red flag: freeze requires a board resolution or a software release. Evidence: **freeze\-authority matrix**, documented SLA \(target: under 2 hours\), and a tested fire\-drill log.

## Category 5 — Escalation & Governance \(Questions 21–23\)

The final block tests whether you **actually run the firm** or whether you are a founder with a compliance veneer. The reference point is the [EBA Guidelines on internal governance \(EBA/GL/2021/05\)](https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-internal-governance-revised)[^5]. Banks expect that even unregulated parts of your firm follow the spirit of these guidelines.

### Q21. Describe your three lines of defence — and name the head of each.

**What the banker grades:** do you have **genuine separation between operations, compliance, and internal audit**? Red flag: the same person heads two lines. Evidence: **three\-lines\-of\-defence org chart** with named individuals and CVs.

### Q22. How often does your board review AML and sanctions MI — and what do they actually see?

**What the banker grades:** is your board **genuinely engaged or rubber\-stamping**? Red flag: *"annually, in the audit"*. Expected: **monthly or quarterly board pack** with SAR count, alert backlog, sanctions hits, and key\-control breaches. Evidence: a redacted board pack.

### Q23. If we onboard you and something goes wrong tomorrow — who do we call, and at what hour?

**What the banker grades:** is there a **24/7 escalation contact** and a **named senior individual accountable**? Red flag: a generic compliance@ inbox. Evidence: a **single\-page escalation contact card** with named individuals, mobile numbers, and backup contacts. Hand it to the banker before they ask.

## Strong, Weak, and Red\-Flag Answer Patterns

The table below shows how the same question produces **three very different file notes** depending on how it is answered. Rehearse to the Strong column.


*Table: Sample interview answers ranked Strong / Weak / Red\-flag, with the file note each one produces.*

| Question | Strong answer | Weak answer | Red\-flag answer |
| --- | --- | --- | --- |
| Q1. Describe your business | "Authorised CASP under MiCA in \[EEA jurisdiction\], reg. no. X, providing custody and execution to professional clients only. Revenue: 80% trading fees, 20% custody fees." | "We're a crypto exchange." | "We're building the future of decentralised finance for everyone." |
| Q6. Who is your MLRO | "Named individual, 15 years AML experience, reports directly to the board, no operational reporting line. Independent budget of €X." | "Our Head of Compliance." | "The CEO covers compliance for now." |
| Q9. SARs filed last year | "42 SARs filed to \[FIU\], 18 stablecoin\-related, 9 sanctions\-edge, 15 source\-of\-funds escalations. Trend: stable vs prior year." | "A few." | "None — we haven't seen anything suspicious." |
| Q17. Russia/Belarus/Iran | "Hard\-blocked at IP, KYC, and counterparty layers. No case\-by\-case exceptions. Policy approved by board Dec 2025." | "We screen for them." | "We assess case\-by\-case for legacy customers." |
| Q20. Freeze authority | "MLRO can freeze unilaterally within 30 minutes. CTO \+ Head of Ops as backups. Last fire\-drill: March 2026." | "Compliance team has access." | "It requires a board sign\-off." |
| Q23. Who do we call | "Single\-page contact card: MLRO mobile, CEO mobile, CTO mobile, all 24/7. Acknowledgment SLA: 30 minutes." | "Email our compliance team." | "Use the contact form on our website." |

## Preparation Checklist by Attendee Role

Sending the wrong people is a common failure. The bank expects **CEO \+ MLRO at minimum**, with the CFO and COO in support. Each owns a different set of questions.


*Table: Who owns which questions and what each attendee should rehearse before the interview.*

| Role | Owned questions | Rehearsal focus | Documents to bring |
| --- | --- | --- | --- |
| CEO | Q1, Q2, Q3, Q5 | Business model in one sentence, licensing roadmap, customer segmentation logic. | Board\-approved strategy deck, customer\-segmentation table, 3\-year licensing roadmap. |
| MLRO | Q6–Q10, Q16–Q19, Q22 | KYC tiering, TM rule\-tuning, SAR narrative, sanctions escalation, board MI cadence. | KYC matrix, TM rule library, SAR register summary, sanctions policy, redacted board pack. |
| CFO | Q4, Q11, Q13, Q15 | Volume projections tied to pipeline, transaction histogram, largest\-transaction case study. | 12\-month transaction histogram, signed\-LOI summary, redacted source\-of\-funds case study. |
| COO | Q12, Q14, Q20, Q21, Q23 | Counterparty list, stablecoin policy, freeze SLA, three\-lines org chart, escalation card. | Counterparty file, token\-whitelist policy, fire\-drill log, org chart, 24/7 contact card. |

## The Three Common Rehearsal Failures

Across hundreds of crypto\-firm bank applications, three rehearsal failures recur. Each is correctable.

### Failure 1 — Rehearsing the deck, not the questions

Founders practise the **pitch** and freeze on the **AML detail questions**. The fix: brief the MLRO to take the AML block entirely, with the CEO interrupting only when business context is needed.

### Failure 2 — Answering with the website, not the operations

Marketing language \(*"institutional\-grade"*, *"best\-in\-class compliance"*\) triggers a **negative file note**. The fix: replace every adjective with a number, a vendor name, or a control reference.

### Failure 3 — Inconsistent answers between attendees

The CEO says *"€10M/month"*; the CFO says *"€25M/month"*. The banker writes a ***"governance concern"*** note that kills the application. The fix: an internal pre\-brief where every projected number, vendor name, and policy version is locked.

> **Warning:** Inconsistency between CEO and MLRO is the single most common reason for a quiet rejection. Lock your numbers and your vendor names in writing 48 hours before the interview.

## The 48\-Hour Pre\-Interview Checklist

Use this checklist in the 48 hours before the interview. Treat each item as binary: done or not done.

1. **Confirm attendees:** CEO \+ MLRO mandatory; CFO \+ COO recommended.

2. **Print the 23 questions** and assign one owner per question.

3. **Hold a 2\-hour mock interview** with an external advisor playing banker.

4. **Lock the number set:** volume, SAR count, freeze SLA, board cadence.

5. **Pre\-build a leave\-behind pack:** one\-page business summary, org chart, KYC matrix, sanctions policy, escalation card.

6. **Refresh sanctions screening evidence** so the most recent daily refresh log is dated within 24 hours.

7. **Brief on banker style:** answer first, evidence second, do not volunteer extra risk.

> **Tip:** A practitioner rule of thumb: in the room, you should be speaking 40% of the time and the banker 60%. If you are speaking more than half, you are over\-explaining and creating new risk for them to write down.

## FAQ

### What questions do banks ask crypto companies at onboarding?

Banks structure onboarding interviews around five categories: **business model**, **AML and transaction monitoring**, **transaction profile**, **sanctions exposure**, and **escalation and governance**. Expect roughly 23 recurring questions across the five blocks, plus follow\-ups based on the answers.

### How long does a bank onboarding interview take?

Typically **60–90 minutes**, with the first 15 minutes on business model and the remainder split between AML, sanctions, and governance. Complex applicants — multi\-jurisdictional groups, novel token models — should expect a second session.

### Who from a crypto firm should attend the bank onboarding interview?

At minimum the **CEO and the MLRO**. For larger or higher\-volume firms, add the CFO and COO. Sending only sales or business\-development staff is treated as a red flag — banks need to see the people who are accountable for the controls.

### What is the single biggest red flag in a bank onboarding interview?

Inconsistency between attendees on **projected volumes, SAR counts, or sanctioned\-jurisdiction policy**. A single contradiction triggers a governance concern in the file note and is the most common reason for a quiet rejection.

### Can a crypto firm fix a failed bank onboarding interview?

Sometimes — by **sending a structured written follow\-up** within 48 hours that addresses the weak answers with documentation. More often, the cleaner path is to **approach a different bank with a corrected file**. Repeated reapplication to the same bank after rejection is rarely productive.

## Related Guides

- [Bank Diligence File for Regulated Crypto Firms](/resources/bank-diligence-file-crypto-firm): the document pack that backs up every answer you give in the interview.

- [What Banks Actually Evaluate When Onboarding a CASP](/resources/what-banks-evaluate-casp): the rubric behind the questions in this guide.

- [Bank Account for a VASP/CASP](/resources/bank-account-vasp-casp): end\-to\-end overview of how regulated crypto firms get banked in 2026.

- [The 2026 Substance Bar](/resources/substance-bar-2026): end\-to\-end overview of operational substance banks expect to see behind the answers.

The 23\-question interview is not a hazing ritual. It is the **working session in which your bank decides whether to bet its own licence on you**. Rehearse to the Strong column, bring the evidence file, and treat every answer as a sentence in your permanent customer record. The firms that win bank relationships in 2026 are not the firms with the slickest decks — they are the firms whose **interview answers, file notes, and diligence files tell the same story**.

## Footnotes

[^1]: FCA Handbook, SYSC 6 — Compliance, internal audit and financial crime. UK Financial Conduct Authority. <https://www.handbook.fca.org.uk/handbook/SYSC/6/>
[^2]: EBA Guidelines on customer due diligence and the factors credit and financial institutions should consider — EBA/GL/2023/03. European Banking Authority, 2023. <https://www.eba.europa.eu/regulation-and-policy/anti-money-laundering-and-countering-financing-terrorism/guidelines-customer-due-diligence-and-factors-credit-and-financial-institutions-should-consider>
[^3]: Regulation \(EU\) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing \(AMLR\). <https://eur-lex.europa.eu/eli/reg/2024/1624/oj>
[^4]: FATF Updated Guidance for a Risk\-Based Approach to Virtual Assets and Virtual Asset Service Providers, 2021. Financial Action Task Force. <https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Updated-guidance-rba-virtual-assets.html>
[^5]: EBA Guidelines on internal governance under Directive 2013/36/EU \(EBA/GL/2021/05\). European Banking Authority, 2021. <https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-internal-governance-revised>


---
Source: https://finconduit.com/resources/bank-onboarding-interview-23-questions
