Article 40 AMLR – Measures to mitigate risks in relation to transactions with a self-hosted address
1. Crypto-asset service providers shall identify and assess the risk of money laundering and financing of terrorism associated with transfers of crypto-assets directed to or originating from a self-hosted address. To that end, crypto-asset service providers shall have in place internal policies, procedures and controls.
Crypto-asset service providers shall apply mitigating measures commensurate with the risks identified. Those mitigating measures shall include one or more of the following:
| (a) | taking risk-based measures to identify, and verify the identity of, the originator or beneficiary of a transfer made from or to a self-hosted address or beneficial owner of such originator or beneficiary, including through reliance on third parties; |
| (b) | requiring additional information on the origin and destination of the crypto-assets; |
| (c) | conducting enhanced ongoing monitoring of transactions with a self-hosted address; |
| (d) | any other measure to mitigate and manage the risks of money laundering and financing of terrorism as well as the risk of non-implementation and evasion of targeted financial sanctions. |
2. By 10 July 2027, AMLA shall issue guidelines to specify the mitigating measures referred to in paragraph 1, including:
| (a) | the criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made from or to a self-hosted address, including through reliance on third parties, taking into account the latest technological developments; |
| (b) | criteria and means for the verification of whether or not the self-hosted address is owned or controlled by a customer. |