AML Obligations of Crypto Service Providers in the EU
October 10, 2021 (Updated version of an article previously published in German on kryptorecht.xyz)
The AML regime of the EU requires providers of "crypto-asset services" to comply with risk management and customer due diligence (KYC) obligations, as well as adhere to the Travel Rule for crypto transfers.
For crypto-asset service providers in Germany, these rules are already largely identical in substance to the obligations under existing German laws and regulations.
The list of activities that will fall under "crypto-asset services" closely resembles the list of financial services that are already regulated in Germany for dealing with crypto assets.
The question of who qualifies as a crypto service provider in certain cases will not always be clear-cut and will need to be clarified through case law.
Providers of crypto-asset services will be largely treated the same as other obligated entities under AML regulations.
The AML directive allows Member States to require e-money, payment, and crypto service providers to maintain a "central contact point" in each Member State where they operate.
Alongside the establishment of a new EU Anti-Money Laundering and Countering the Financing of Terrorism Authority (AMLA), the European Union has introduced three key legislative measures as part of its AML package, which entered into force in 2023:
The ,
The , and
The revised .
Under the AMLR, crypto-asset service providers (CASPs) are now explicitly classified as obliged entities under AML law. This regulation aligns with the Financial Action Task Force (FATF) recommendations, which extended AML obligations to virtual asset service providers (VASPs).
The key provisions concerning CASPs are summarized and analyzed below, along with a comparison to the current AML framework in Germany for crypto-related activities.
This article does not cover the Regulation establishing the European Anti-Money Laundering Authority (AMLA), which is a separate initiative.
The AMLR aligns its definition with existing EU legislation — particularly with MiCA — and also incorporates the FATF recommendations (see the European Commission’s recitals to the AMLR).
"any of the following services and activities relating to any crypto-asset:
(a) providing custody and administration of crypto-assets on behalf of clients;
(b) operation of a trading platform for crypto-assets;
(c) exchange of crypto-assets for funds;
(d) exchange of crypto-assets for other crypto-assets;
(e) execution of orders for crypto-assets on behalf of clients;
(f) placing of crypto-assets;
(g) reception and transmission of orders for crypto-assets on behalf of clients;
(h) providing advice on crypto-assets;
(i) providing portfolio management on crypto-assets;
(j) providing transfer services for crypto-assets on behalf of clients;"
According to the AMLR, obliged entities will have to comply with certain organisational and risk management obligations (Chapter II AMLR) in the EU. Additionally, they must adhere to customer due diligence obligations (Chapter III AMLR) when:
Establishing a business relationship,
Participating in the creation of a new legal entity,
Conducting transactions over 10,000 EUR, or
There are specific suspicious circumstances.
The scope of customer due diligence obligations is determined by the obliged entities based on an individual analysis of the risk of money laundering and terrorist financing. According to Art. 20(2) AMLR this analysis must consider:
The specific characteristics of the customer and the business relationship or occasional transaction,
Their risk assessment according to Article 10 AML/CFT Regulation,
The risk variables for money laundering and terrorist financing contained in Annex I AML/CFT Regulation, and
The risk factors mentioned in Annexes II and III AML/CFT Regulation.
According to Art. 19(3) AMLR, crypto-asset service providers are required to apply customer due diligence measures under specific conditions. By way of derogation from the general rule, these providers must:
Apply Full Customer Due Diligence: Implement comprehensive customer due diligence measures for occasional transactions that amount to at least EUR 1,000, or the equivalent in national currency. This requirement applies regardless of whether the transaction is conducted in a single operation or through linked transactions.
Apply Simplified Customer Due Diligence: For occasional transactions where the value is below EUR 1,000, or the equivalent in national currency, crypto-asset service providers must apply at least the simplified customer due diligence measures outlined in Article 20(1), point (a) of the AMLR. This provision ensures that even smaller transactions are subject to basic scrutiny to mitigate risks associated with money laundering and terrorist financing.
These measures are designed to enhance transparency and security in the crypto-asset sector, aligning it with the regulatory standards applied to traditional financial services.
If a crypto-asset service provider cannot comply with the due diligence measures regarding the customer, they must refrain from conducting a transaction or establishing a business relationship. They must also consider terminating the business relationship and submitting a suspicious activity report to the central reporting office according to Article 69 AMLR.
According to Article 20 AML/CFT Regulation, obliged entities must obtain at least the following information when establishing a business relationship or conducting an occasional transaction to understand the purpose and intended nature of the business relationship or transaction:
The purpose of the planned account, transaction, or business relationship,
The estimated amount of the planned transactions or activities and their economic rationale,
The origin of the funds, and
The destination of the funds.
According to the EU Commission's assessment (see recital (160) AMLR), the "anonymity of crypto-assets" poses particular risks of abuse by criminals. "Anonymous crypto-asset accounts" allegedly do not allow the tracing of cryptocurrency transfers, making it difficult to comply with customer due diligence obligations. Unfortunately, the preamble to the AMLR does not provide a more detailed justification for these assumptions. In any case, this assumption prompts the EU Commission to include the following regulation in Article 79 AMLR:
"Credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous bank and payment accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset accounts as well as any account otherwise allowing for the anonymisation of the customer account holder or the anonymisation or increased obfuscation of transactions, including through anonymity-enhancing coins."
Besides the justification, the added value of this regulation also seems unclear. Given the existing customer due diligence obligations when establishing a business relationship between the crypto service provider and its customer, it seems impossible for a crypto service provider to maintain an anonymous cryptocurrency wallet without already violating customer due diligence obligations.
Due to the "rapid technological development" and the "evolution of FATF standards" (This likely refers to the "Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers" issued by FATF in June 2019, along with the 12-Month Review from July 2021, available at ), the European Commission has deemed it necessary to further develop the current AML supervision approach for the crypto market (See Recital 11 of the AMLR).
An initial step in updating and completing the EU legal framework for crypto assets is the . MiCA is designed to establish financial and capital market requirements for issuers of crypto-assets and crypto-asset service providers operating within the EU single market.
The AMLR, which is directly applicable in the Member States, expands the list of obliged entities at the EU level to include, among others, providers of crypto-asset services ("Crypto-Asset Service Provider" - CASP). The definition of CASP in Article 2(9) AML/CFT Regulation refers to . According to this, a provider of crypto-asset services is:
"a legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis, and that is allowed to provide crypto-asset services in accordance with ".
A crypto-asset service is defined in as: