On March 1st, 2021, the European Banking Authority published final revised guidelines on money laundering and terrorist financing risk factors, offering directions on how it intends to lead, coordinate, and monitor the fight against money laundering and terrorist financing.
Nearly three years later, on January 16th, 2024, the EBA published guidelines amending the earlier ones.
So, what do these amendments imply? How do they impact CASPs, the crypto asset service providers? What do the CASP/VASPs need to do to comply with these amendments? These are the aspects we will discuss in the segments below.
The amendments outline what CASPs must do to handle potential money laundering and terrorist financing risks in their overall business and each transaction.
The new guidelines recognize that Crypto Asset Service Providers operate differently from traditional banks. They point out that CASPs often deal with transfers to self-managed wallets and various decentralized platforms, which aren't uniformly regulated worldwide. This might make them more vulnerable to money laundering and terrorist financing. The guidelines also note that certain features in crypto assets, which can keep transactions anonymous, could increase these risks.
The EBA is advising Crypto Asset Service Providers to increase vigilance against the risks of money laundering and terrorist financing, especially due to the ease of anonymous international transfers.
Their advice includes practical steps like limiting product features to control where money can be sent. This means allowing transfers only to certain approved parties, such as crypto-asset accounts or bank accounts in the customer's name, which are already following strict anti-money laundering and counter-terrorist financing regulations.
Additionally, the EBA suggests CASPs could use more controlled payment systems, like those used for small payments or transactions with the government. Another idea is to offer services specifically to certain groups, like a company's employees, to better manage risk.
The EBA also notes that CASPs can lower their risk by ensuring customers meet regulatory standards and have a clean history of crypto transactions. Transactions that involve converting to or from official currency, especially through bank accounts in low-risk areas, are seen as safer. The same goes for low-value transactions for goods and services, as long as there's no negative information about the involved crypto accounts.
CASPs are also encouraged to think about the risks linked to how and where they offer their services.
While these suggestions can help minimize risks, the EBA emphasizes the need for CASPs to actively implement measures that make their operations more secure.
The EBA wants CASPs to have suitable and effective monitoring tools, including transaction monitoring tools and advanced analytics tools. The CASPs must also train relevant employees for them to have a wholesome understanding of crypto assets and ML/TF risks to which they may expose the provider.
According to the European Banking Authority’s published final revised guidelines,
CASPs must verify the identities of customers and beneficial owners using multiple trusted and independent sources. They also need to identify and verify majority shareholders who are not yet compliant.
EBA underlines that to understand customer relationships better, gathering more information about the customer and the business's nature and purpose is essential, including tracing the origins of their funds and wealth.
CASPs are also advised to increase the frequency of monitoring crypto-asset transactions. And upon any triggering event, they need to rigorously review, update, and document relevant customer information. Conducting business relationship reviews more regularly is part of this protocol.
According to EBA, CASPs should use investigation tools more extensively for a deeper investigation into crypto assets. This includes examining all distributed ledger addresses a customer might use, particularly if they have several. They also need to monitor customer IP addresses more frequently.
Understanding a customer's knowledge about crypto assets is another focus area of the amended guidelines. CASPs should take additional steps when withdrawal or redemption patterns do not align with the customer's usual profile and determine whether the customer or a third party initiates these transactions.
Lastly, CASPs have the responsibility to verify that a customer truly controls and owns their self-hosted wallet address. To aid in this process, CASPs can now utilize Veriscope’s User Signing feature. It allows them to directly request cryptographic proof from users’ self-hosted wallets.
The EBA guidelines recommend the application of advanced analytics tools to transactions on a risk-sensitive basis. Their deployment must come as a supplementary addition to the standard monitoring tools. This is particularly important for transactions involving self-hosted wallets.
These advanced tools are designed to help CASPs trace a wallet’s transaction history and check for any possible connections to criminal activities or suspicious persons and entities.
Additionally, the guidelines highlight the need for CASPs to go beyond relying solely on distributed ledgers for record-keeping. They should have procedures to link each distributed ledger address with its corresponding private key, controlled by an individual or a legal entity.
Overall, these updated guidelines from the EBA are directing CASPs to adopt a more thorough approach to tackling money laundering and the use of crypto in terrorism financing.
This will likely mean that CASPs have to allocate more resources, including manpower and training, to comply with these guidelines and enhance their monitoring capabilities.
Shyft Network powers trust on the blockchain and economies of trust. It is a public protocol designed to drive data discoverability and compliance into blockchain while preserving privacy and sovereignty. SHFT is its native token and fuel of the network.
Shyft Network facilitates the transfer of verifiable data between centralized and decentralized ecosystems. It sets the highest crypto compliance standard and provides the only frictionless Crypto Travel Rule compliance solution while protecting user data.
Visit our website to read more, and follow us on X (Formerly Twitter), GitHub, LinkedIn, Telegram, Medium, and YouTube. Sign up for our newsletter to keep up-to-date on all things privacy and compliance.