The European AML package – what’s in it for the crypto industry?

Crypto-assets are associated with many benefits: Instantaneous settlements of transactions, a decentralisation of financial services and access to the general public are only some of the advantages that are commonly associated with distributed ledger-based technologies (DLT). Where exploited by criminals, however, these benefits can quickly turn into some of the major disadvantages of the crypto industry. According to a 2021 Europol report, recent years have seen cryptocurrency increasingly being used for criminal activities and to launder criminal proceeds.

In March 2024 alone, several press reports reminded the public and regulators of the risks of money laundering in connection with crypto-assets. First, the operator of the longest-running cryptocurrency mixer “Bitcoin Fog” was convicted of money laundering conspiracy in the US. The mixer was considered to have laundered USD 400 million since 2011. Similarly, KuCoin, one of the largest crypto-exchanges in the world, was indicted by the US Commodity Futures Trading Commission (CFTC) for violating U.S. anti-money laundering laws by failing to vet customers, allegedly allowing billions of dollars in illicit funds to be transferred since its establishment. 

It does not come as a surprise, then, that the European Union (EU) has long pursued to tighten its anti-money laundering (AML) and counter terrorism financing (CFT) regime surrounding crypto. Following the adoption of a Markets in Crypto-Assets Regulation (MiCAR) in 2023 (see our comprehensive Navigator), the European Parliament and Council now voted for a comprehensive framework that also aims at reducing the AML and CFT risks associated with crypto-assets. 

Beyond that, the AML package focuses on the establishment of an EU single rulebook by means of a new AML/CFT Regulation (AMLR) and the creation of a new AML/CFT supervisory authority at EU level (AMLA).

The purpose of this blogpost is to assess the impact of AMLR on the European crypto-asset services industry. 

Why are crypto-assets used to launder money?

The pseudonymity and decentralisation of crypto-assets may provide for a favourable environment for criminal activities. According to Europol, criminals are increasingly using crypto-assets and other tokens

• to obfuscate fund flows as part of increasingly complex money laundering schemes, 
• as a means of payment, or 
• as an investment using illicit funds.

For the obfuscation of fund flows, criminals typically rely on service providers in the dark web. Crypto-swapping services facilitate a quick conversion of one coin into another by placing orders on behalf of users. These transactions are difficult to trace when well-known coins are exchanged into lesser known ones or into crypto-assets with features that enhance privacy. Some service providers implement only very limited KYC procedures. Europol notes, that, in some cases, service providers even advertise their noncompliance. Criminals may also rely on crypto-mixers, like “Bitcoin Fog”, whose services obfuscate which individual tokens were transferred from one wallet and to another. 

According to Europol, cryptocurrencies are also widely used as a means of payment for illegal goods and services offered online and offline, as they allow for a fast and pseudo-anonymous transfer of funds from one wallet to another. 

How are crypto-assets currently regulated from an AML perspective? 

With AMLD5, the EU had already expanded the scope of the ‘obliged entity’ definition to also encompass custodian wallet providers, i.e. entities that provide services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies and to providers engaged in exchange services between virtual currencies and fiat currencies. As such, custodian wallet providers and exchange service providers are subject to requirements in relation to, among others, the identification of their customers (KYC), the monitoring of transactions and the reporting of suspicious transactions. 

The EU also implemented the so-called travel rule by amending the Funds Transfer Regulation (FTR), which requires that information on the origin of the crypto-asset and its beneficiary travels with the transaction and is stored at both ends of the transfer. Crypto-asset service providers (CASPs) must submit this information to competent authorities if an investigation is conducted into money laundering and terrorist financing. For an overview on the travel rule see our other blogpost.

Certain Member States implemented additional restrictions aiming at the prevention of money laundering via crypto-assets. Germany, for instance, introduced a ban on crypto payments for real-estate acquisitions in the beginning of 2023 (for an overview on these restrictions, please see our blogpost). In addition, advising, selling, or providing custody services in relation to crypto-assets often qualifies as regulated financial service in Germany. Their providers automatically become subject to AML supervision as ‘obliged entity’. 

Which changes will the AML Package bring about for the European crypto industry?

The current AML framework was still deemed insufficient to address the money laundering risks associated with crypto-assets. The AMLR, therefore, provides for a comprehensive AML framework for CASPs and traditional members of the financial sector that are involved with crypto-assets.

1. Extending the scope of ‘obliged entities’ to crypto-asset service providers 

The AMLR expands the scope of ‘obliged entities’ to CASPS. CASPs are regulated undertakings that provide crypto-asset services, as defined under MiCAR, to clients. 

These services encompass:

• the custody and administration of crypto-assets on behalf of third parties;
• the operation of a trading platform for crypto-assets;
• the exchange of crypto-assets for funds;
• the exchange of crypto-assets for other crypto-assets;
• the execution of orders for crypto-assets on behalf of clients;
• placing of crypto-assets;
• the reception and transmission of orders for crypto-assets on behalf of clients;
• providing portfolio management on crypto-assets; and
• providing transfer services for crypto assets on behalf of clients.

However, CASPs that only provide advice in relation to crypto-assets will not be ‘obliged entities’ under the AMLR.

Under the AMLR, CASPs will be generally treated in the same way as, e.g. investment firms, and be subject to the same AML requirements, although certain exemptions apply. 

‘Crypto-assets’ are defined by reference to MiCAR. Against this background, AMLR will not be applicable to most non-fungible tokens (NFT). The agreed version does also not separately determine unregulated NFT platforms as ‘obliged entities’. 

2. Application of customer due diligence (CDD)

Obliged entities are required to carry out CDD measures under the circumstances set out in Art. 19 AMLR. This includes, but is not limited to,

• entering into a business relationship and
• carrying out an occasional transaction of a value of at least EUR 10,000.

For CASPs, the threshold for occasional transactions will, however, be lower. 

CASPs must

• apply CDD measures when carrying out an occasional transaction of a value of at least EUR 1,000; and
• at least identify the customer and verify its identity when carrying out an occasional transaction where the value is below EUR 1,000.

The thresholds for CASPS are, therefore, substantially lower than for other financial institutions. However, in practice CASPs will typically be required to carry out CDD measures when entering into a business relationship with their client anyway.

3. Enhanced due diligence (EDD) measures for cross-border correspondent relationships

EDD measures are typically applied for complex, unusual or other high-risk transactions. However, despite the AML risks that the European regulator associates with crypto-assets, transactions involving crypto-assets with EU counterparties are not per se subject to EDD requirements. Rather, the general rules for the application of EDD measures also apply to transactions involving crypto-assets.

A notable exception applies for cross-border correspondent relationships for CASPs. Correspondent relationships are relationships between financial institutions, which are characterised by their ongoing and repetitive nature. In general, the intensity of EDD measures is determined under a risk-based approach. However, this does not apply when interacting with a third country respondent institution that has no physical presence where the relationship is created, or with unregistered and unlicensed entities that provide crypto-asset services. When engaging in cross-border correspondent relationships, CASPs will therefore be required to determine whether a respondent entity that is not established in the EU is licensed or registered. 

4. Prohibition of anonymous crypto accounts

The AMLR will extend the ban on anonymous accounts and safe deposit boxes to anonymous crypto-asset accounts as well as all other accounts that enable anonymisation of the customer account holder or increased concealment of transactions. This is accompanied by prohibiting to offer accounts that hold anonymity-enhancing coins. This ban on ‘privacy coins’ aligns with MiCAR, which prohibits trading platforms from allowing crypto-assets with an anonymisation function (Article 72(2) MiCAR). 

5. Transactions with self-hosted wallets

Crypto-assets are held through wallets. The purpose of either wallet form is to protect the user’s unique private key or crypto-assets. Where the private keys or crypto-assets are custodied by a CASP, the wallet is typically referred to as custodial wallet. In the case of self-hosted wallets, such as physical wallets (typically resembling a USB stick) or locally installed software wallets, however, the token-holders have complete control over their private key. The respective public keys or addresses’ are not linked to a CASP.

Self-hosted wallets are not subject to AML regulation and therefore considered to be subject to greater AML/CFT risks. For carrying out transactions with self-hosted wallets, CASPs must, therefore, have in place internal policies, procedures and controls that address these AML/CFT risks. In addition, CASP apply risk mitigation measures that are appropriate to the risks identified. Those mitigating measures shall include one or more of the following:

• taking measures to identify the originator or beneficiary of a transfer made from or to a self-hosted address;
• requiring additional information on the origin and destination of the crypto-assets;
• conducting enhanced ongoing monitoring of transactions with a self-hosted address;
• any other measure to mitigate and manage the AML/CFT risks as well as the risk of non-implementation and evasion of targeted financial sanctions.

As such, the AMLR supplements the FTR requirement to collect information about the originator and the beneficiary of a transaction involving self-hosted wallets. 

Outlook

The AMLR was formally adopted by the European Council on 30 May 2024 and is expected to be published by the end of June 2024, entering into force 20 days later. AMLR will apply three years after entering into force. This will lead to a mismatch between MiCAR and AMLR, which will need to be bridged by national legislation (again) – a move already envisaged, for example, by the German draft act on the digitalisation of the financial market.