EBA Extends AML Guidelines To Crypto-Asset Service Providers

January 18, 2024
<
Back
The European Banking Authority has extended its guidelines on money laundering and terrorist financing risks to crypto-asset service providers as part of ongoing efforts to combat financial crime.

The European Banking Authority (EBA) has extended its guidelines on money laundering (ML) and terrorist financing (TF) risks to crypto-asset service providers (CASPs) as part of ongoing efforts to combat financial crime.

Crypto platforms are at increased risk of illicit financial activities because of the speed at which cryptocurrency transactions can be completed and because some products contain features that hide the user’s identity.

“Therefore, it is important that CASPs know about these risks and put in place measures that effectively mitigate them,” the regulator stated.

The EBA guidance, which will apply from December 30, 2024, aims to help service providers identify potential risks by listing various factors that may indicate their exposure to money laundering or terrorist financing risk, relating to their customers, product offerings, delivery channels and geographical locations. This should help CASPs understand their customer base and identify vulnerabilities in their businesses or activities.

The factors contributing to increased risks include:

- Products or services offering a higher degree of anonymity.

- Products allowing third-party payments that are not associated with the product or identified and verified upfront.

- Products placing no upfront restrictions on the overall volume or value of transactions.

- Products allowing transactions between the customer’s account and self-hosted addresses; accounts or distributed ledger addresses subject to less robust regimes; decentralised finance (DeFi) platforms; mixers; and hardware used to exchange crypto-assets to official currencies or vice versa, such as crypto ATMs, that do not come under the EU’s regulations.

The EBA explains how service providers should implement mitigating measures, including the use of blockchain analytics tools. CASPs are also subject to mainstream anti-monye laundering (AML) rules, which include a long list of risk factors.

Given the interdependence of traditional and digital financial services providers, the guidelines are directed at other credit and financial institutions that serve CASPs or are otherwise exposed to their assets. 

This risk is heightened when credit and financial institutions engage in business relationships with CASPs that are not authorised under the Markets in Crypto-Assets Regulation (MiCA), according to the EBA.

CASPs that register under MiCA may still be treated like money remittance firms, as these can also struggle to comply with AML rules, if they permit transfers to self-hosted wallets or DeFi protocols.

Identifying suspicious customer behaviour

CASPs are also required to assess customers and their behaviour, which will require them to ask more questions beyond users’ identity to include their sources of income and wealth. Customers who may pose increased risks include:

- Non-profit organisations that have been linked to extremism, terrorist activities, or misconduct or criminal activities.

- Shell banks.

- Recently-established or previously inactive companies processing large transactions volumes.

- An undertaking or person using an IP address associated with a darknet or a software that allows anonymous communication.

- A vulnerable person who is not likely to be a typical CASP customer or displays little knowledge and understanding of crypto-assets or related technologies.

Some of the customer behaviour risks are broad and may be difficult for service providers to assess, such as finding behaviour or transaction patterns that are not expected from the type of customer, using multiple bank or payment accounts, credit cards or prepaid cards to fund the crypto account, or using a bank or payment account located in a different jurisdiction. 

This could potentially pose problems for customers of pan-European payment service providers, such as Wise or Revolut, as well as for non-fungible token NFT platforms, as users typically store NFTs in self-hosted wallets and connect them to platforms only to trade.

The EU’s AML/CTF regime was extended to include crypto-assets and NFT platforms in March 2023. The amendment prompted the EBA to issue the new guidelines.

The guidelines will be translated into the official EU languages and published on the EBA’s website. The deadline for competent authorities to report whether they comply with the guidelines will be two months after the publication of the translations.

PC Editorial

Our premium content is available to users of our services.

To view articles, please Log-in to your account, or sign up today for full access:

To read more articles like this, along with gaining access to the tools that will help you navigate compliance risk with confidence, request a demo of our RegTech platform today.

Related articles

January 21, 2025

Daily Dash: Lithuanian Payments Firms Experience Another Surge

Revenues of e-money institutions and payment institutions soared in Q3 2024, with licensing income rising by 22 percent year-on-year to €431.4m and payment transaction volumes up 37 percent to €141bn.
Read article
January 21, 2025

Daily Dash: Estonia Looks For Solutions To Growing Fraud Problems

The country has seen a rise in fraud, particularly relating to cross-border transactions, phishing emails, scam calls and other manipulation schemes, according to the Estonian Payment Environment Forum.
Read article

Opt in to hear about webinars, events, industry and product news

Gambling Compliance

Learn more

Payments Compliance

Learn more
Still can’t find what you’re looking for? Get in touch to speak to a member of our team, and we’ll do our best to answer.
Contact us
No items found.
Crypto-Assets
European Union

Please choose your preferred
service to log in to.

GamblingCompliance
PaymentsCompliance
Don’t have an account?