top of page

EBA issues guidance to crypto-asset service providers to effectively manage their exposure to ML/TF risks

The "Final Report on the Guidelines amending Guidelines EBA/2021/02," released on 16 January 2024 and cataloged as EBA/GL/2024/01, ushers in a pivotal evolution in the regulatory landscape. This document zeroes in on the intricacies of customer due diligence and the critical considerations for credit and financial institutions as they navigate the murky waters of money laundering and terrorist financing (ML/TF) risks, particularly within the realm of crypto-assets service providers (CASPs).

At the heart of document is a comprehensive dissection of substantial modifications and fresh inclusions to the pre-existing guidelines, casting a spotlight on the unique challenges and risk factors tethered to crypto-assets and CASPs. Noteworthy points include:

Navigating Uncharted Waters: Crypto-Asset Specific Risk Factors

The document provides a detailed set of Crypto-Asset Specific Risk Factors that are integral for CASPs to consider in their ML/TF risk assessment processes. Here's a summary of the risk factors highlighted:

  1. Anonymity-Enhancing Features:

    1. The use of privacy-enhancing tools is considered a risk factor, particularly when they are used to increase anonymity.

    2. Tools and features such as mixers, tumblers, obfuscated ledger technology, ring signatures, stealth addresses, ring confidential transactions, atomic swaps, non-interactive zero-knowledge proofs, and privacy coins are identified as anonymity-enhancing features that present a higher ML/TF risk.

  2. Transaction Risks:

    1. Payments made on behalf of a customer by a third party with no apparent economic rationale are highlighted as a risk factor due to the lack of identification or verification of these third parties.

    2. Large volumes or values of transactions, especially without upfront restrictions, are seen as increasing the level of ML/TF risk.

    3. The use of self-hosted addresses is discussed, noting that they are outside the scope of the AML/CFT legal framework but still present potential risks to CASPs.

    4. Engagements with peer-to-peer platforms, DeFi trading protocols/platforms, and transactions involving hardware used to exchange crypto-assets to official currencies are also flagged as potential risk factors.

  3. Customer Risk Factors:

    1. Various customer-related risks are highlighted, including the use of anonymous or temporary email addresses, the vulnerability or lack of knowledge of crypto-assets by a customer, and behaviors like opening multiple accounts under different names to circumvent trading or withdrawal limits.

  4. Country or Geographical Risk Factors:

    1. Links to high-risk jurisdictions and the involvement of high-risk non-EU countries are identified as risk factors. The guidelines emphasize that CASPs should have a clear understanding of the risks associated with different jurisdictions.

  5. Distribution Channel Risk Factors:

    1. Relationships established through intermediaries, particularly those outside the EU or those that are unregulated, are seen as inherently higher risk.

    2. New or untested distribution channels and technologies used for crypto-asset distribution are also categorized as high-risk factors, requiring thorough assessment and mitigation measures.

  6. Enhanced Customer Due Diligence Measures:

    1. The guidelines discuss the necessity of advanced analytics tools and the importance of proper record-keeping, especially in relation to transactions on the blockchain.

  7. Simplified Customer Due Diligence:

    1. The document addresses concerns about the restricted options for simplified CDD for CASPs and emphasizes that CASPs are responsible for identifying low-risk relationships where simplified CDD measures would suffice.

These risk factors provide a comprehensive framework for CASPs to assess and manage the ML/TF risks associated with their business relationships, transactions, and operational practices. The emphasis is on a nuanced understanding of the unique risks presented by crypto-assets and the need for robust and adaptable risk management strategies.

Bridging the Regulatory Gap: A Beacon for Non-Authorized CASPs

The guidelines extend a lifeline of detailed guidance to credit and financial institutions, addressing the looming ML/TF risks associated with customer engagements in crypto-asset services, especially those lacking authorization or regulation under pertinent EU statutes.

Tailored Strategies for CASPs: Sector-Specific Roadmaps

Catering to the unique landscape of CASPs, the guidelines provide a nuanced roadmap to scrutinize ML/TF risks within business relationships. This includes a thorough assessment of interactions with non-regulated crypto-asset service providers, transactions marked by anonymity-enhancing features, and ties to regions flagged for heightened risk.

Blueprint for Risk Mitigation: Proactive Measures for CASPs

In a strategic move, the guidelines advocate for proactive risk mitigation strategies for CASPs, particularly in scenarios brimming with ML/TF risks. This encompasses the deployment of sophisticated analytical tools, ensuring vigilant monitoring of business relationships and transaction flows.

A New Dawn: The Road Ahead

Envisioning a harmonized approach, the guidelines are slated for translation into all official EU languages and subsequent publication on the EBA’s digital portal. In a call to action, competent authorities are given a two-month window post-translation release to confirm their adherence to the guidelines, setting the stage for the guidelines to come into full effect from 30 December 2024.

80 views0 comments


bottom of page