On the 16th January 2024, the European Banking Authority (“EBA”) issued a Final Report which amends Guidelines EBA/2021/02 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering (“ML”) and terrorist financing (“TF”) risk associated with individual business relationships and occasional transactions (the “ML/TF Risk Factors Guidelines” / the “Guidelines”) under Articles 17 and 18(4) of Directive (EU) 2015/849.  In doing so, the EBA extended its ML/TF Risk Factors Guidelines to crypto-assets service providers (“CASPs”) and the steps CASPs and other credit and financial institutions should take to manage such increased risks associated with this sector.

The Guidelines take into consideration,  

  • transactions, such as transfers to or from self-hosted addresses, decentralised platforms or transfers involving providers of crypto-assets services that are not authorised or regulated;
  • products, such as those containing anonymity-enhancing features or which allow transfers to and from the CASP and self-hosted and decentralised trading platforms;
  • the nature of customers and their behaviour, including when customers provide inconsistent or incorrect information or their transaction volumes or patterns are not in line with those expected from the type of customer;
  • the customers’ or beneficial owners’ links to high-risk jurisdictions or transactions to/from jurisdictions associated with a high risk of ML/TF.

According to the evaluation of the EBA, although crypto-assets have existed for roughly a decade, they have remained largely unregulated and unsupervised. Thus, CASPs are less mature in terms of their compliance efforts than other obliged entities and therefore this sector continues to expose significant ML/FT risk.

In the course of a prior public consultation, certain respondents challenged the increased ML/TF risk associated with self-hosted wallets, decentralized trading platforms and decentralised finance (“DeFi”) applications and emphasized various advantages, which is offered by those tools to their users, such as the direct control and increased security as the ability to engage with many parts of the blockchain ecosystem. They argued that applications, wallets which presents higher risk than others can be captured by advanced blockchain analytics and other monitoring tools. However, the EBA remained of the view that transactions with self-hosted addresses and DeFi platforms present an increased risk due to the lack of a legal framework applicable to them and the lack of identification and verification requirements applicable to their users.

As mentioned above the Guidelines also include procedures and recommendations to the credit and financial institutions on how to identify and mitigate the ML/FT risk associated with this field when entering into a business relationship with CASPs or onboarding customers with exposure to crypto-assets.  

Credit and financial institutions need to understand the business model of the CASPs, determine if they are regulated in accordance with Regulation (EU) 2023/1114, furthermore if the services provided by the CASPs are falling within the scope of the registration or licence. The nature and the risks associated with the crypto-assets, which the CASP trades with or offers to their customers, shall also be taken into consideration. The Guidelines also include methods of how to conduct and document quantitative assessments on the anti-money laundering and counter-financing of terrorism (“AML/CFT”) control frameworks of the CASPs.

The Guidelines include additional record keeping obligations on CASPs regarding the transactions on the distributed ledgers.

The development of the Guideleines was deemed necessary to provide clarification on  ML/TF risk factors presented by crypto-assets and CASPs and to explain the factors to be considered by CASPs when entering into business relationships with their customers, and to provide guidance to credit/financial institutions on the subject. Overall, the Guidelines will harmonise the way risk associated with CASPs is assessed by credit and financial institutions across the EU, which may also reduce the de-risking of this sector.

The Guidelines will apply from 30 December 2024 and competent authorities will need to report how they comply with the Guidelines within 2 months from the Guidelines’ translations into the EU’s official languages.

The relevant Guidelines may be accessed through this link: https://www.eba.europa.eu/sites/default/files/2024-01/a3e89f4f-fbf3-4bd6-9e07-35f3243555b3/Final%20Amending%20%20Guidelines%20on%20MLTF%20Risk%20Factors.pdf

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content