New AML rules for crypto-asset service providers

AML Package

On 18 January 2024, the European Council and European Parliament reached a provisional agreement on parts of the new AML package that was first proposed in 2021. As part of this package, the core AML rules will move to a regulation. The immediate result of this is that the EU’s AML rules will be harmonized across all Member States. This is, of course, a big step up from the previous approach, where the former AML Directives were often transposed quite differently across the Member States. This made compliance quite a hassle for obliged entities offering services in several Member States. 

The texts on which the agreement is based will now go through legal and linguistic revisions and will then be put before the Committee of Permanent Representatives and the European Parliament. Next, the Council and the Parliament will still need to formally adopt the texts before they can be published in the EU’s Official Journal and enter into force. It is expected that legislators will still want to get this package across the finish line before the European Parliament disbands for the upcoming EU elections. This would require a formal adoption by the last session at the end of April.

One of the big changes to the AML framework is that all of the crypto-asset service providers (CASPs) identified in the Markets in Crypto-Assets Regulation (MiCAR) will formally become obliged entities and thus subject to EU AML law – even though this was already made clear in MiCAR. Under the current framework, set by the Fifth Anti-Money Laundering Directive (AMLD5), only exchange service providers and custodian wallet providers were considered as obliged entities. 

However, the rules applied to CASPs are not always the same as those for other obliged entities. For instance, normally customer due diligence will only need to be applied to occasional transactions exceeding EUR 10.000. In the case of crypto-assets, customer due diligence will already need to be applied when the occasional transaction exceeds a value equal to EUR 1.000. Furthermore, there will be specific rules regarding self-hosted wallets. 

For the time being, we will have to wait until the final texts are approved and made public before being able to fully delve into the details of this new framework. But CASPs will need to be aware of these new rules and start preparing for their compliance with them, as this will become an important aspect in obtaining their license under the MiCAR framework. At Timelex, we will continue to closely monitor these developments to prepare the necessary advice for our clients in the sector. 

EBA guidance for crypto-asset service providers

Just a few days earlier, on 16 January 2024, the European Banking Authority (EBA) amended its 2021 Guidelines on customer due diligence. These Guidelines are intended to provide a number of factors that credit and financial institutions should consider when assessing the AML risk associated with individual business relationships and occasional transactions.

The reason for this amendment was to extend their scope to CASPs, taking into account some of the specific risk factors they face. In particular, the EBA points out the following risk factors:

  • sector-specific risks resulting from transfers to or from self-hosted wallets, the use of decentralized platforms, and transfers involving service providers not compliant with or regulated by MiCAR;
  • for products related to crypto-assets, the EBA again points to self-hosted wallets and decentralized platforms, but also to products with anonymity-enhancing features; and
  • of course, general factors such as specific jurisdictions. 

One of the steps CASPs will need to take under these Guidelines is to consider whether blockchain analytics tools are needed to support their compliance. The Guidelines also provide specific guidance for banks, and other financial institutions, entering into a business relationship with CASPs. For instance, banks providing custody over crypto-assets belonging to their customers’ clients should apply full customer due diligence measures, considering their customers’ clients as the ultimate beneficial owners and thus verifying their identities. 

CASPs should assume a higher risk from, for instance, products with a higher degree of anonymity, payments without apparent economic rationale, products without restrictions on volume or value of transactions, decentralized finance, and self-hosted wallets. A lower risk may result from products with transaction limitations and transactions to and from other regulated entities. Specific examples are also provided for when to assume a higher or lower consumer risk. 

Given the digital nature of crypto-assets, remote onboarding will be the most frequent manner of establishing a business relationship. Here, EBA Guidance on Remote Customer Onboarding applies. Last, CASPs need to be mindful of the geographic risk, particularly given that many players in this field are registered in known tax havens. 

When enhanced customer due diligence must be applied, proof of source of funds may need to be provided. 

This Guidance will be critical in supporting the AML compliance of CASPs. As noted above, this is also an essential element in obtaining their MiCAR license. The Guidance also makes abundantly clear that AML compliance can never be a one-size-fits-all solution. At Timelex, we translate these requirements into a tailored approach for our clients in the sector.