Crypto-Assets in the New EU “Single Rulebook” Regulation on Anti-Money Laundering

In a significant move to bolster the fight against money laundering and terrorist financing, the European Parliament has approved the reform package known as the AML Package. This set of measures includes the 6th Anti-Money Laundering Directive, the EU's "single rulebook" Regulation, and the creation of the new Anti-Money Laundering Authority (AMLA).

Among the main innovations of the package are immediate and free access to information on beneficial owners, more power for Financial Intelligence Units (FIUs), and stricter due diligence measures. Additionally, new supervisory provisions have been established for ultra-wealthy individuals and a limit of 10,000 euros for cash payments within the EU, except for private transactions. These measures are essential to strengthen the enforcement of imposed sanctions.

The AML Package includes important specific provisions for regulating crypto-assets, a necessary response due to technological evolution and the associated risks these assets represent. Technology continues to evolve and offers opportunities to the private sector, but it also allows criminals to find ways to conceal and move illicit funds. Therefore, we start our analysis of the new regulation, which, according to Recital 7, highlights that crypto-asset service providers are particularly exposed to these risks and, therefore, EU legislation must include these entities to detect and mitigate such illicit fund movements, in line with FATF standards.

It is important to remember that Directive (EU) 2018/843 was a pioneer in addressing the money laundering and terrorist financing risks associated with crypto-assets in the Union. In line with these recent efforts, the new legal document, according to Recital 14, emphasizes the need to revise this approach due to rapid technological evolution. Additionally, we must recall how Regulation (EU) 2023/1114 introduced requirements for crypto-asset service providers and expanded the definition of crypto-assets and their providers, and how Regulation (EU) 2023/1113 expanded traceability requirements to crypto-asset transfers.

Key Recitals of the New Regulation on Crypto-Assets

The creation of unique and non-fungible crypto-asset (NFT) markets is a recent phenomenon. According to Recital 15, the Commission must present a report by December 30, 2024, on the progress in these markets and evaluate the need and feasibility of regulating services related to these assets. This report will include an assessment of the development of these markets and the appropriate regulatory treatment of unique and non-fungible crypto-assets, which is crucial to anticipate and mitigate new money laundering and terrorist financing risks.

Recital 17 highlights that crowdfunding intermediaries, which manage digital platforms to connect funders with project owners, are exposed to money laundering and terrorist financing risks. These intermediaries must comply with the obligations of the current Regulation to prevent the diversion of funds, including crypto-assets obtained for illicit purposes.

Additionally, Recital 27 establishes that providing crypto-asset services through ATMs should be considered an establishment, due to the limited physical equipment required by operators who primarily provide services over the internet. This ensures adequate and continuous supervision.

Anonymity poses a significant risk in the use of crypto-assets for criminal purposes. According to Recital 160, it is necessary to prohibit anonymous crypto-asset accounts and other anonymization instruments to ensure transaction traceability and facilitate due diligence. This includes prohibiting the provision and custody of anonymous crypto-asset accounts or those that allow anonymization or increase the obfuscation of operations, especially through so-called "privacy-enhancing coins" as defined in the regulation.

To ensure adequate risk mitigation, Recital 29 states that obligated entities must have a robust internal control framework, with risk-based policies and procedures. This framework must include a clear division of responsibilities throughout the organization and be proportional to the nature, risks, complexity, and size of the obligated entity. This includes operations with self-hosted wallets, which are crucial for the security of the crypto-asset ecosystem.

Finally, Recital 80 notes that cross-border correspondent relationships with entities in third countries must be subject to enhanced due diligence measures based on a risk-based approach. Credit and financial institutions must refrain from entering into correspondent relationships with shell entities and their counterparts in third countries that allow the use of accounts by these entities. Crypto-asset service providers must also ensure that their accounts are not used by nested exchange services and have policies and procedures to detect such attempts.

Broader Considerations

Recital 4 emphasizes the importance of international cooperation and alignment with FATF standards. Measures taken at the Union level must be compatible with those undertaken in international forums and must be, at a minimum, equally rigorous. This is essential to reinforce the effectiveness of the fight against money laundering and terrorist financing, and relevant legislative acts must adapt to international standards when necessary.

The implementation of AML/CFT (Anti-Money Laundering and Counter-Terrorism Financing) measures must include appropriate training for employees and agents of obligated entities. According to Recital 40, entities must provide basic training on AML/CFT measures to all persons involved in implementing these measures. This is vital to ensure that employees understand the requirements and internal policies of the entity, thereby ensuring effectiveness in combating money laundering and terrorist financing.

Recital 47 allows obligated entities to outsource tasks related to AML/CFT compliance to service providers. However, the final responsibility for compliance remains with the obligated entity. It is crucial to ensure that any measures taken by service providers are adequate to mitigate observed money laundering and terrorist financing risks. Furthermore, final decisions on measures affecting the implementation of policies, procedures, and controls must always lie with the obligated entity.

Regulatory Changes for Crypto-Assets

In this section, we explore the specific definitions and regulations introduced by the new EU Regulation regarding crypto-assets. This context is essential to understand how the new measures integrate within the existing legal framework and impact crypto-asset service providers.

Article 2 of the Regulation focuses on general definitions, and its point 1 includes several crucial definitions. Within this point, paragraph 6 defines "financial entity" in various types. One of these types, mentioned in subparagraph i), is a crypto-asset service provider, which is the definition of interest for our analysis.

This part of Article 2 directly relates to Article 3 of the Regulation, which establishes which entities are obligated to comply with its requirements. Article 3 includes financial entities among the obligated entities. Given that a "financial entity" includes, according to subparagraph i) of paragraph 6 of Article 2, crypto-asset service providers, this legal link is fundamental to understanding the scope and responsibilities of these providers under the new Regulation. Additionally, it introduces a definition of "privacy-enhancing coins" in paragraph 24. These are crypto-assets designed with features that anonymize transfer information, either systematically or optionally.

Thus, in Article 3 of the Regulation, it is detailed that "obligated entities" include financial entities and natural or legal persons who, in their professional activity, manage funds, securities, or other assets, including crypto-assets, or open and manage crypto-asset accounts for their clients (paragraph 3, section b). This direct relationship between the definitions in Article 2 and the obligations in Article 3 establishes a clear basis for regulating crypto-asset service providers.

Chapter III, section 1, Article 19, point 3, stipulates that crypto-asset service providers must apply due diligence measures with respect to the client when conducting an occasional transaction worth a minimum of 1,000 EUR, regardless of whether it is a single transaction or several related ones. This provision ensures that even minor transactions are adequately monitored to prevent money laundering.

Article 37 focuses on cross-border correspondent relationships, requiring enhanced due diligence measures. Crypto-asset service providers must verify the authorization or registration of the client entity, understand the nature of their activities, evaluate their anti-money laundering and terrorist financing controls, and obtain senior management approval before establishing new correspondent relationships. They must also document the respective responsibilities of each party and ensure that the client entity has verified the identity of customers with access to the correspondent entity's accounts.

To prevent the misuse of crypto-asset services, Article 39 prohibits correspondent relationships with shell entities. Additionally, it requires crypto-asset service providers to implement policies, procedures, and controls to detect any attempts to use their accounts for unregulated crypto-asset services.

Article 40 addresses the identification and assessment of risks associated with crypto-asset transfers to or from a self-hosted address. Providers must apply mitigation measures proportional to the identified risks, which may include verifying the identity of the originator or beneficiary, obtaining additional information on the origin and destination of the crypto-assets, and continuous monitoring of transactions with a self-hosted address.

Finally, in Chapter VIII, we find Article 79, which prohibits credit institutions, financial entities, and crypto-asset service providers from maintaining anonymous accounts, including anonymous crypto-asset accounts, or any account that allows the anonymization of the holder or increases the obfuscation of operations. The holders and beneficiaries of these accounts must undergo customer due diligence measures before they can be used.

CONCLUSION

In conclusion, the new EU AML package marks a significant milestone in the fight against money laundering and terrorist financing, adapting to technological evolution and emerging risks, especially in the field of crypto-assets. With stricter due diligence measures, increased supervision and transparency, and comprehensive regulation that includes crypto-asset service providers, the EU strengthens its ability to detect and mitigate illicit activities. Moreover, the provisional agreement between the Council and the Parliament on stricter rules will enhance the collaboration and organization of national systems, preventing criminals from exploiting gaps in the financial system. Looking ahead, these reforms will strengthen the security of the financial system, reduce risks associated with crypto-assets, and foster a more transparent and regulated environment for digital transactions.

#CryptoAssets #AML #AntiMoneyLaundering #EURegulation #FinancialCompliance #DigitalAssets #CryptoRegulation #CryptoSecurity #BlockchainCompliance #FinancialCrime #FinTech #RegTech

European Parliament European Commission Financial Action Task Force (FATF) Europol European Banking Authority (EBA) European Securities and Markets Authority (ESMA) European Central Bank