The European Banking Authority (EBA) recently came with updated Anti-Money Laundering (AML) and Counter-Terrorist Financing (CFT) guidelines. These are extended to encompass all crypto-asset services providers (CASPs and are aimed to prevent the abuse of
fund and crypto-asset transfers for money laundering and terrorist financing purposes.
To address these risks, the EBA’s guidelines present a comprehensive approach that ensures a cohesive strategy across the financial landscape, delivering guidelines on internal policies, procedures, and controls to comply with restrictions that apply to
CASPs and other financial institutions.
This blog is aimed to give more insight in these guidelines.
EBA updated guidelines
The European Banking Authority (EBA), which overseas banks in the EU, issued updated AML and CTF guidelines on 16 January for risk-based supervision, extending its guidelines to include crypto-asset service providers (CASPs). Thereby consulting on proposals
following recommendations from the Financial Action Task Force (FATF), the global financial watchdog.
These new guidelines mandate crypto firms to adhere to stringent anti-money laundering (AML) and counter-terrorist financing (CTF) measures. They thereby highlight money laundering and terrorist financing risk factors and mitigating actions that CASPs are
required to consider, which represents a significant step in the EU’s fight against financial crime.
The EBA’s recent guidelines are designed to integrate crypto firms into the European framework for financial oversight. The EBA's primary aim is to standardize crypto regulations to prevent these platforms from being used for illicit activities, thereby harmonizing
the implementation of risk-based strategies for AML and CTF across the EU.
Crypto Asset Service Providers (CASPs)
CASPs, including exchanges, wallets, and custodians, are now required to comply with stringent anti-money laundering (AML) and know-your-customer (KYC) financial regulations. This means that crypto companies in the EU have to figure out how likely they are
to be involved in financial crimes by scrutinizing their customers and the products they offer, how they deliver those products, and where they are located.
EBA Guidelines: part of broader EU effort
The amended guidelines extend the European Union’s Anti-Money Laundering and Counter-Terrorist Financing measures to encompass all European crypto companies.
This move, is part of a broader effort to harmonize regulatory approaches against financial across the European Union as well as integrate these crypto companies into the existing EU financial regulatory framework.
Why these updated Guidelines?
The EBA came with these updated Guidelines, triggered by the rapid growth of the crypto industry. The EBA thereby recognizes the increased risks due to the nature of crypto transactions. The EBA’s Guidelines thereby focus on the unique risks CASPs face associated
with crypto-assets, that may heighten the risk of money laundering and terrorist financing.
These risks are crypto products contain features that potentially can anonymize users’ identities. Consequently, it is important that CASPs need to know about these risks and put in place measures that effectively mitigate them.
Roadmap for CASPs
The guidelines provide a roadmap for CASPs to tailor their strategies based on the identified risk factors, extend to guidance on internal policies and control measures that CASPs should enforce. The guidelines include detailed risk assessment directives
for CASPs, particularly focusing on the potential dangers associated with various products and services that facilitate transfers between companies and users, thereby creating a robust defence against potential money laundering and terrorism financing
activities.
Mitigating risks strategies
The new EBA AML and CTF Guidelines are aimed to make sure that CASPs across the EU mitigate risks associated with financial crimes. The proposed guidelines should
prevent the abuse of crypto transfers that align with recommendations from the global watchdog, the Financial Action Task Force (FATF).
The guidelines explain how CASPs can adjust their risk mitigating strategies accordingly. EBA are thereby delivering guidelines on internal policies, procedures and controls to comply with restrictive measures that apply to CASPs as well as other financial
institutions.
As crypto assets become increasingly susceptible to misuse for criminal purposes, the EBA Guidelines provide CASPs with a framework i.e. the knowledge and tools to identify, assess and effectively mitigate these risks. To address these risks, CASPs are advised
to utilize tools like blockchain analytics and consider risks related to anonymity-enhancing features, self-hosted wallets, and decentralized platforms.
Identifying ML and TF risks
These amendment intends to support CASPs in identifying these risks by providing a non-exhaustive list of different factors, which may indicate the CASP’s exposure to the ML/TF risk. Next to crypto-specific risks, alongside self-hosted wallets, it listed four
other transaction risk factors.
These transaction-specific risks include transfers to a DeFi platform, those involving crypto-ATMS not under EU oversight, payments via mixers and transactions to CASPs in risky jurisdictions. Identifying vulnerabilities in these areas is critical for understanding
and mitigating potential risks.
How to respond to these challenges?
CASPs have been advised to scrutinize various aspects of their operations in response to these challenges. The EBA advises CASPs to delve into their customer base, the type of product offerings, their delivery channels, and geographical locations of their
operations to pinpoint vulnerabilities and indicate the CASP’s exposure to increased or decreased levels of the ML or TF risk. For each category, the Guidelines provide for a list of factors that may contribute to increasing risks or to reducing risks.
Understanding their customer base
CASPs have to apply customer due diligence measures on a risk-based approach. CASPs thereby have to assess the customer and the customer’s behaviour. Based on these risk factors, CASPs can better understand their customer base and identify which part of
their business or activities are more vulnerable to ML and TF.
A couple of the customer behaviour risks are broad. To give some examples of these risks. Depositing money in a P2P lending platform not regulated under MiCA is considered high-risk behaviour. But also transfers by CASPs to self-hosted wallets are treated
as high risk. If a customer tops up a crypto account from multiple bank accounts or credit cards, that’s considered high risk. Another is if the bank account is in a jurisdiction different from the customer’s address.
EBA Guidelines extend beyond CASPs
The proposed EBA Guidelines extend beyond CASPs. The Guidelines also include guidance addressed to other credit and financial institutions that have CASPs as their customers or that are exposed to crypto assets. This reflects the EBA's recognition of the interconnectedness
within the financial system.
The guidelines note an increased risk when credit and financial institutions engage in business relationships with providers of crypto asset services which are not authorized under EU MICA regulation.
Among others these firms must assess AML and CFT risks prior to the launch or the significant change of new products, services, business practices, new delivery channels or new innovative technology.
EBA Guidelines align with recent EU’s regulatory developments
This comprehensive approach by the EBA aligns with the European Union's recent regulatory developments in the crypto sector. The EU, last year, finalized legislation on the transfer of funds using digital assets, the so-called Transfer of Funds Regulation
(ToFR) alongside the comprehensive Markets in Crypto Assets (MiCA) regulatory package. MiCA thereby introduces specific investor protections for crypto users and offers a transitional period for CASPs seeking to issue, trade, and secure crypto assets, tokenized
assets, and stablecoins to adapt to these new regulations.
EBA Guidelines deadline
The deadline for competent authorities to report whether they comply with the EBA Guidelines is set to be two months after the publication of the translations into the official EU languages.
The enforcement of EBA’s new guidance for crypto firms will apply from 30 December 2024 and is scheduled to coincide with the time when MICA takes full effect.
EBA comprehensive rules for stablecoins
At the same meeting on 16 January, the EBA further informed about comprehensive rules it established last year to regulate
the stablecoin market. This move is a strategic effort to build a robust framework for the stablecoin industry, reducing risks and enhancing investor confidence.
The EBA announced its proposed operational guidelines for stablecoin issuers under the upcoming EU Markets in Crypto Assets (MiCA) framework. The EBA is charged with creating a single rulebook under MiCA for stablecoin issuers and will later elaborate on
related policies supervisors must implement. These include guidelines on internal governance of stablecoin issuing companies, requirements for management, compliance, remuneration as well as disclosures for conflicts of interest.
The primary objective is to protect investors by requiring stablecoin issuers maintain capital and liquidity standards, including holding sufficient reserves. This requirement aims to prevent or mitigate potential crises and provide a stable foundation for
the stablecoin industry.
EU new AML regulations for the crypto industry
Two days later, on 18 January, the European Council and Parliament have provisionally agreed on new anti-money laundering (AML) and counter terrorist financing regulations, thereby extending its scope specifically targeting the cryptocurrency market sector.
These will force all crypto firms to run due diligence on their customers. The provisional agreement focuses on enhancing measures to safeguard both EU citizens and its financial system from money laundering and terrorist financing activities. The package
also includes a proposal to create a new EU Anti-Money Laundering Authority.
The deal will include CASPs
The deal will include crypto asset service providers (CASPs), that will be subject to additional scrutiny. The agreed measures include enhanced due diligence requirements specifically for crypto-asset service providers (CASPs) involved in cross-border correspondent
relationships. This includes verifying facts and information about their customers and reporting any suspicious activity.
CASPs must conduct customer checks for transactions exceeding EUR 1,000 and report suspicious activities. The deal also adds measures to mitigate risks in relation to transactions with self-hosted wallets. Special checks for crypto asset service providers
when they have relationships involving transactions across different countries, requiring them to closely monitor the business connections of wealthy individuals.
This should ensure the traceability of crypto transfers in order to be able to better identify possible suspicious transactions and block them.
Financial Intelligence Units
The provisional agreement also grants special powers to Financial Intelligence Units (FIUs).These will play an important role in the fight against money laundering and terrorist financing, allowing them to obtain important financial and administrative details
more quickly and easily.
These units are responsible for receiving, requesting, analysing and disseminating information to the competent authorities on potential money laundering or terrorist financing activities.
Final Remarks
The EBA's updated Guidelines mark a crucial step in the EUs efforts towards a more secure and regulated crypto environment within the European Union. This provides the EU with a solid framework that complies with the most demanding international standards
on the exchange of crypto-assets, ensuring that these are not used for criminal purposes.
Both the EBA and EU deals are important steps forward in the fight against money laundering and address the existing variations in national approaches. The EBA's comprehensive approach ensures a cohesive strategy across the financial landscape, by harmonizing
AML measures and extending their reach to include crypto firms. Thereby mitigating the risks of financial crimes and integrate crypto assets more securely into the financial system.
According to the EBA, this harmonization is important for fostering a united front against financial crime. The EU is thereby making it more difficult for criminals to circumvent AML rules via crypto currencies and misuse crypto-assets for money laundering
purposes.