The EU’s proposed AML law: the impact on crypto-asset service providers

The growing popularity of crypto-assets has led to their increasing use in money-laundering schemes. A Europol study cited in the European Commission’s impact assessment (PDF) accompanying the EU’s proposed anti-money laundering (AML) package found that about 1 per cent of northern and western Europe’s cryptocurrency activity is illicit. And while the EU has already started to address these risks as part of Directive 2018/843/EU (AMLD5), the measures implemented so far fall short of those required by the Financial Action Task Force (FATF).

The Commission proposes three new measures to deal with crypto-asset-related AML risks, which are to:

• bring all crypto-asset service providers (CASPs) within the scope of EU AML rules;
• prohibit anonymous crypto-asset wallets; and
• extend the scope of transactions governed by Regulation (EU) 2015/847 on information accompanying transfers of funds (‘the Funds Transfer Regulation’) to cover the transfer of cryptoassets.

These measures are part of the broader EU legislative package on AML that we discuss further in our podcast and blog post.

Crypto-asset service providers in the EU AML/CFT single rulebook 

As part of the European legislative package on AML, entities obliged to comply with AML rules will be listed in a new regulation. As EU regulations apply directly to member states, this will arguably result in an EU single rulebook on AML/CFT (countering the financing of terrorism) and prevent member states from taking their own legislative measures. The regulation brings CASPs within the scope of these rules.

The definition of ‘crypto-asset service provider’ is linked to the draft Markets in Crypto-asset Regulation (MiCA), which was published by the European Commission in September 2020. MiCA will establish a comprehensive financial supervisory framework for all CASPs, such as the custody and administration, operation of trading platforms, provision of exchange services or investment advice in relation to cryptoassets. The MiCA rules mirror existing regulatory obligations for financial institutions. From that perspective, CASPs will probably be treated the same as financial institutions from an AML perspective.

This is a significant change to AMLD5, under which only two types of CASPs, namely fiat-to-crypto exchange service providers and custodian wallet providers, have been considered obliged entities. It also:

• acknowledges that member states have sometimes gone beyond AMLD5 requirements and brought, for instance, crypto-to-crypto exchange service providers into the scope of their AML rules; and
• implements the broader FATF definition that demands all ‘virtual asset service providers’ to be in scope of AML measures, a term that is broadly aligned with ‘crypto-asset service providers’.

Furthermore, the customer due diligence measures will apply to credit and financial institutions and CASPs when initiating or executing an occasional transaction that constitutes a transfer of crypto-assets exceeding €1,000 or the equivalent in national currency. Practically, this will increase the number of transactions that become subject to due diligence measures.

Up to now, it has not been entirely clear how to calculate the €1,000 threshold when the transfer of cryptoassets had not been subject to a cash repayment (eg in a crypto-to-crypto exchange or a mere transfer between wallets). In these cases, only the €15,000 threshold could be applied in the past.

Will anonymity be lifted under this new regulation?

A new proposal that has garnered much public attention is the so-called ‘prohibition of anonymous crypto wallets’. Credit and financial institutions and CASPs will be prohibited from keeping anonymous crypto-asset wallets. This aims to ensure effective application of AML/CFT requirements to crypto-assets as, according to the draft, anonymous crypto-asset wallets do not allow the traceability of crypto-asset transfers, while also making it difficult to identify linked transactions that may raise suspicion or to carry out adequate customer due diligence.

However, this also means that there is no outright ban on crypto-asset wallets. Instead, the proposed prohibition is aimed at certain regulated institutions that provide anonymous wallets as a service. There is also no proposed prohibition on:

• remaining anonymous if one takes the crypto-assets in self-custody solutions; and
• providing the hardware or software to self-custody crypto-assets.

Implementing the ‘travel rule’ in the EU

The Commission further proposes to extend the scope of the Fund Transfer Regulation to transfers of crypto-assets. As a result, certain crypto-asset transfers would need to be accompanied by the name of the originator, the originator’s account number and the originator’s address, official personal document number, customer identification or date and place of birth. The requirement applies to transfers initiated by CASPs and therefore not to self-initiated transactions. It shall generally not apply to person-to-person transfers of crypto-assets that does not involve a CASP or another regulated entity.

As recommended by the FATF, the extension of the Fund Transfer Regulation will transpose the so-called ‘travel rule’, which Germany is also planning to do. The implementation may require bespoke technical solutions, since not all crypto-assets will be established together with the necessary messaging infrastructure that is required to comply with the travel rule.

If you would like to discuss the EU’s AML proposals in more detail, please get in touch with your contacts in our regulatory team (Alexander Glos, Marius Rätz and Daniel Klingenbrunn). You can also reach out to Natalie Pettinger Kearney or Victor Garcia Lopez in our EU regulatory and public affairs team, who are following the legislative process closely.