EBA issues guidance to crypto-asset service providers to effectively manage their exposure to ML/TF risks
The European Banking Authority (EBA) has published a significant update to its Guidelines on money laundering (ML) and terrorist financing (TF) risk factors, extending them to include crypto-asset service providers (CASPs). This development is a crucial step in the EU’s ongoing efforts to combat financial crime, particularly in the rapidly evolving domain of cryptocurrency and digital assets.
The updated Guidelines are designed to help CASPs recognize and effectively manage their exposure to ML and TF risks. These risks are inherently higher in the crypto-asset sector due to factors such as the speed of asset transfers and certain features that may obscure user identity. CASPs are advised to be vigilant about these risks and implement robust measures to mitigate them.
Key aspects of the amended Guidelines include:
- Identification of Risk Factors: The Guidelines provide a non-exhaustive list of risk factors related to customers, products, delivery channels, and geographical locations. This will assist CASPs in gauging their exposure to higher or lower levels of ML/TF risks.
- Understanding Customer Base: By analyzing these risk factors, CASPs can better understand their customer base and pinpoint which aspects of their business are most susceptible to ML/TF.
- Adjustment of Mitigating Measures: The Guidelines outline how CASPs should tailor their mitigating measures, including the employment of blockchain analytics tools, to better manage these risks.
Furthermore, the EBA’s guidelines are not limited to CASPs alone. They also provide guidance for other credit and financial institutions that have business relationships with CASPs or are exposed to crypto assets, particularly in scenarios where these institutions interact with unauthorised crypto-asset service providers.
The objective of these amendments is to harmonize the approach taken by CASPs across the EU in implementing AML/CFT measures as part of their operations. Competent authorities are expected to report on their compliance with these Guidelines within two months following the publication of the official EU language translations. The Guidelines will be enforceable from December 30, 2024.
In addition to these Guidelines, the EBA is also engaged in developing Guidelines aimed at preventing the misuse of fund and crypto-asset transfers for ML/TF purposes (the ‘Travel Rule Guidelines’) and on establishing internal policies, procedures, and controls for compliance with restrictive measures applicable to CASPs and other financial institutions.
This initiative is grounded in the legal framework of Directive (EU) 2015/849, which emphasizes a risk-based approach in the EU’s AML/CFT regime. Moreover, Regulation (EU) 2023/1114 has brought crypto-asset services and activities under the EU regulatory umbrella, making CASPs subject to EU AML/CFT obligations and supervision, aligning with international standards and effectively managing the ML/TF risks associated with this sector.
Guideline 21: Sectoral Guideline for crypto-asset services providers (CASPs)
- 21.1: CASPs face unique ML/TF risks due to their global, instant transfer capabilities and potential for anonymity in transactions.
- 21.2: CASPs must adhere to both general provisions in Title I and relevant sector-specific guidelines in Title II.
- 21.3 – 21.4: Identifies factors increasing or reducing ML/TF risk based on the nature of products, services, and transactions.
- 21.5 – 21.6: Details customer-related risk factors and conditions that might lower these risks.
- 21.7 – 21.8: Discusses the increase in ML/TF risk associated with transactions connected to high-risk countries and how this risk is reduced when dealing with low-risk jurisdictions.
- 21.9 – 21.10: Covers the increased risks from certain distribution channels, like non-compliant remote customer onboarding, and how reliance on CDD measures by a third party within the EU can reduce risk.
- 21.11: CASPs should implement suitable and effective monitoring tools, including transaction monitoring and advanced analytics tools, and ensure employee training in understanding crypto-assets and associated ML/TF risks.
- 21.12: In situations of increased risk, CASPs are required to apply enhanced CDD measures, such as verifying identities from multiple sources and obtaining detailed customer profiles.
- 21.13: CASPs should use advanced analytics tools for a more nuanced risk assessment of transactions, especially those involving self-hosted addresses.
- 21.14: CASPs must follow Title I guidance for transactions or business relationships involving high-risk non-EU countries.
- 21.15: In low-risk scenarios, CASPs may apply simplified due diligence measures, such as verifying identities based on regulatory compliance evidence.
- 21.16: CASPs must maintain accurate records and not solely rely on distributed ledger information for recordkeeping, linking ledger addresses to identifiable private keys.