New EBA guidelines to manage AML risks as part of the activities of crypto-asset service providers


EBA released guidelines amending ML/TF Risk Factors Guidelines to include crypto-asset service providers within its AML framework.

On 16 January 2024, the European Banking Authority (EBA) released its guidelines amending the ML/TF Risk Factors Guidelines (the “Guidelines”).

The Guidelines aim at extending the scope of the ML/TF Risk Factors Guidelines to crypto-asset service providers (the “CASPs”). The Guidelines thus enable understanding the money laundering and terrorist financing (“ML/TF”) risks associated with CASP and the steps CASPs and other credit and financial institutions should take to manage these risks.

CASPs are exposed to ML/TF risks due to specific features of their business model and the technology used in their activities, such as (i) the instant transfer of crypto-assets around the world, (ii) the onboarding of customers in different jurisdictions and (iii) the offering of products/services that favourise the use of anonymity.

Thus, CASPs identify and assess risk factors regarding (i) products, services and transactions, (ii) customer, (iii) country or geography, (iv) distribution channel. For each category, the Guidelines provide for a list of factors that may contribute to increasing risks or to reducing risks. On this basis, CASPs ensure they have (i) suitable and effective monitoring tools in place, including transaction monitoring tools and advanced analytics tools, depending on the nature and volume of their activities and (ii) specialised training to enable their relevant employees to have a good understanding of crypto-assets and ML/TF risks to which they may be exposed.

CASPs have to apply customer due diligence (“CDD”) measures on a risk-based approach. Regarding record keeping requirements, where the information on customers and transactions is available on the distributed ledger, CASPs should not place reliance on the distributed ledger for recordkeeping but should take steps to fulfil their recordkeeping responsibilities. CASPs should put in place procedures that allow them to associate the distributed ledger address to a private key controlled by a natural or legal person.

The Guidelines also pertain to credit and financial institutions (the “Firms”) whose customers provide crypto-assets services, but which are not authorised or regulated in accordance with Regulation (EU) 2023/1114 on markets in crypto-asset (“MiCAR”).

Among others, the Firms must assess AML/CFT risks prior to the launch or the significant change of new products, services, business practices, new delivery channels or new innovative technology. Now risk factors that may be relevant when identifying the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include CASPs, in addition to money service businesses, casinos and dealers in precious metals. In case of non-face-to-face situations, all firms have to apply Guidelines (EBA/GL/2022/15) on the use of Remote Customer Onboarding Solutions. When the external provider is established in a non-EU country, or when an unusual transaction is made, specific verifications regarding the legal risks and analysis of the background and purpose of such transactions must be carried out. The Firms adjust the intensity and frequency of monitoring in line with the risk-based approach and use (i) automated transaction monitoring system and (ii) advanced analytics tools, like distributed ledger or blockchain analytics tools. The Firms organise staff training to ensure that staff understand how to recognize and proceed with a suspicious or unusual transaction or activity and how to use and interpret the outcomes from advanced analytics tools in additional to the topics which was previously required.

Regarding the sectoral guideline for retail banks and customer risks factors, banks apply full CDD measures where a bank’s customer opens a ‘pooled/omnibus account’ in order to administer funds or crypto-assets that belong to the customer’s own clients. When entering into a business relationship with a customer who is a CASP other than a CASP regulated under MiCAR, banks carry out the ML/TF risk assessment of such customer prior to establishing a business relationship with it. Banks consider the ML/TF risk associated with the specific type of crypto-assets that are provided or serviced by such service provider. Bank mitigate ML/TF risks by way of measures set forth under the Guidelines, such as (i) entering into a dialogue to understand the nature of the business and the ML/TF risks to which it is exposed, (ii) verifying the identity of the customer’s beneficial owner, (iii) carrying out due diligence on senior management, (iv) determining whether the services provided by the customer fall within the scope of the registration or license of the customer, notably where the customer’s business involves issuing crypto-assets to raise funds, such as initial coin offerings.

The Guidelines apply from 30 December 2024, as do the Risk‐Based Supervision Guidelines.

Should you have any questions on the above, please do not hesitate to contact one of our experts in the regulatory team.