On January 16, 2024, the European Banking Authority (EBA) announced critical amendments to its Money Laundering/Terrorist Financing (ML/TF) Risk Factors Guidelines, specifically targeting crypto-asset service providers (CASPs). This update broadens the scope of existing guidelines, recognizing the unique risks that CASPs face in terms of money laundering and terrorist financing.
"The Guidelines are crafted to enhance the understanding of ML/TF risks posed by CASPs and to detail the requisite steps these providers and other financial institutions must take to manage these risks effectively," said an EBA representative during the release announcement.
"The Guidelines are crafted to enhance the understanding of ML/TF risks posed by CASPs and to detail the requisite steps these providers and other financial institutions must take to manage these risks effectively,"
The EBA identifies several specific characteristics of CASPs that render them particularly vulnerable to ML/TF threats. These features include the global nature of instant crypto-asset transfers, customer onboarding across various jurisdictions, and the inherent anonymity of many crypto transactions. As a result, it is essential for CASPs to conduct thorough risk assessments across multiple categories, including products and services, customer demographics, geographical factors, and distribution channels.
CASPs are now required to implement appropriate monitoring tools, such as advanced analytics and transaction monitoring systems, which must be tailored to their operational scope. "CASPs should ensure they have suitable and effective monitoring tools in place, depending on the nature and volume of their activities," the EBA representative emphasized. Additionally, specialized training is fundamental for employees, enabling them to recognize and address the specific ML/TF risks associated with blockchain and cryptocurrencies.
"CASPs should ensure they have suitable and effective monitoring tools in place, depending on the nature and volume of their activities,"
By the Numbers
A key feature of the updated guidelines is the insistence on adopting customer due diligence (CDD) measures based on a risk-based approach. CASPs must not solely rely on distributed ledgers for recordkeeping but should maintain robust procedures to ensure compliance with their recordkeeping responsibilities. "Where information on customers and transactions exists on the distributed ledger, CASPs need to connect that information to a private key controlled by a natural or legal person," outlined the EBA representative.
"Where information on customers and transactions exists on the distributed ledger, CASPs need to connect that information to a private key controlled by a natural or legal person,"
The guidelines extend beyond CASPs to include credit and financial institutions (Firms) that provide crypto-asset services but operate outside the purview of the Market in Crypto-Assets Regulation (MiCAR). Firms are required to evaluate AML/CFT risks prior to launching or significantly changing products, services, or technologies. This includes assessing risks associated with CASPs, which now joins the ranks of money service businesses and casinos as factors demanding due diligence.
"The intensity and frequency of monitoring must align with the risk-based approach established by the Guidelines," said the EBA representative. Firms should employ automated transaction monitoring systems alongside advanced blockchain analytics tools to ensure comprehensive oversight. Standardized employee training is essential, focusing on the recognition of unusual transactions and the effective use of analytics outputs.
"The intensity and frequency of monitoring must align with the risk-based approach established by the Guidelines,"
Retail banks similarly face increased obligations under the new guidelines. In situations where a bank’s customer opens a ‘pooled/omnibus account’ for managing funds or crypto-assets, banks must implement comprehensive CDD measures. According to the EBA, "Banks must conduct a thorough ML/TF risk assessment of any CASP before establishing a business relationship with them," which includes analyzing the specific crypto-assets involved.
"Banks must conduct a thorough ML/TF risk assessment of any CASP before establishing a business relationship with them,"
To mitigate identified risks, the guidelines encourage banks to engage in dialogues with CASPs, thus fostering a better understanding of the business operations and associated risks. This proactive communication is crucial in assessing the nature of the crypto-assets offered and the inherent risks tied to them.
The implementation of these Guidelines represents a significant step in enhancing regulatory frameworks surrounding the evolving domain of crypto-assets. As the landscape continues to shift and mature, adherence to these guidelines will be paramount for CASPs and their partners.
Looking Ahead
Looking ahead, the EBA's focus on AML and CFT compliance within the crypto space signals a robust regulatory future, reinforcing the need for transparency and accountability in digital asset management. Stakeholders will need to remain vigilant and adaptive to meet these new standards effectively.