The updated EBA Guidelines on AML/CFT & CASP key considerations

While the Crypto-Asset Services Providers (CASP) are expecting their European Regulatory Framework to come into force at the end of 2024, the European Banking Authority (EBA) is introducing guidelines on Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) regulatory requirements. Recognising the pressing need to cultivate a strong compliance culture within this emerging sector, competent authorities, and particularly the EBA, have taken a major step forward.

In 2021, the EBA issued the Guidelines on the Money Laundering and Terrorist Financing (ML/TF) Risk Factors. Comprising 20 Guidelines, the report focuses on Customer Due Diligence and the factors that credit and financial institutions shall consider when assessing their ML/TF risk. This risk can be associated either with the establishment of an individual business relationship or with the execution of occasional transactions.

Fast forward to mid-2023, considering the imperative need to minimise the legislative gap of CASP entities within the AML/CFT sector, the EBA in its wisdom has issued a Consultation Paper for the enhancement of the said Guidelines. The Consultation Paper makes a few amendments to the Guidelines and most importantly adds another Guideline, dedicated to forming the AML/CFT framework for EU CASP entities.

Considering the sui generis nature of the Crypto Asset Service Providers, they shall be cautious about the risks they attract. Their business model enables instant transfers of crypto assets globally, which increases the ML/TF risks. Furthermore, it gives them the opportunity to accept customers from various jurisdictions and execute transactions with high levels of anonymity. In the commentary below, the SALVUS Crypto-Assets Licensing team discusses:

1. The challenges arising from the CASP sector
2. The need for measures to be introduced along with practical examples
3. The next steps forward
4. How SALVUS can help with the fulfilment of your CASP requirements


1. The challenges arising from the CASP sector

CASP regulated entities are required to examine four primary factors for the assessment of the ML/TF risk they are subject to:

  1. The first factor is associated with the customers onboarded along with their nature and behaviour,
  2. The second factor examines the characteristics of the products and services offered, as well as the transactions executed,
  3. The third factor evaluates the customer’s or the product’s links to different geographical areas, and
  4. The fourth factor is the distribution channels used for the dissemination of the service or the product.

The following examples can increase or decrease the ML/TF risk associated with each primary risk factor.

  1. Customers – The risk factors arising from the customers of CASP entities can be categorised by the customer’s:
  • Nature, such as
    • An entity that proceeds to high volumes of transactions.
    • A Non-Profit Organization (NPO) with ties to extremism or terrorism.
    • A person who connects using an encrypted IP address (i.e. a VPN).
  • Behaviour, such as
    • Often changing their identification or payment details.
    • Proceeding with payments from various accounts.
    • Repeatedly sending crypto assets connected to ML/TF.
    • Conducting business with crypto assets that provide privacy-enhanced features.

However, there are a few factors related to the customers that reduce the risk of a business relationship or a transaction. Specifically, if:

  • the CASP follows the “travel rule” obligations.
  • the customer is well established and known to the firm from previous transactions that give no rise to suspicion.
  • the customer proceeds to an exchange of crypto assets whose source and destination involve low-value payments for goods and services with legitimate merchants or service providers. The transaction reduces the ML/TF risk since merchants and service providers are subject to AML/CFT obligations, including the verification of the identity of customers.
  2. Products, Services and Transactions
  • Products that increase ML/TF risks if present in a transaction are the ones:
    • Involving new business practices, mechanisms, and technologies.
    • Allowing payments from unrelated third parties not connected with the transaction.
    • Imposing no restrictions on the overall volume or value of transactions.
  • On the other hand, a transaction reduces ML/TF risks, if it involves products:
    • with reduced functionality,
    • that allow transactions between the customer’s account and:
      • a bank account in the customer’s name at a credit institution subject to strong AML/CFT regulations.
      • products available only to specific categories of customers.
  3. Countries and Geographical areas

Factors that increase the level of risk in a transaction include cases where the customer uses funds coming from jurisdictions with a higher level of ML/TF. The same applies when the crypto asset account derives from a jurisdiction with either a weak AML/CFT regime or a higher ML/TF risk. On the contrary, when the funds originate from highly regulated areas with low levels of corruption and predicate offences, the risk of the transaction lessens.

  4. Distribution Channels

The risk of a transaction or a business relationship rises if newly introduced technologies or products that are yet to be fully tested are involved. Similarly, if customer onboarding is conducted entirely online or through crypto Automated Teller Machines (ATMs), a higher risk factor is present.

By contrast, if the firm relies on the application of Customer Due Diligence (CDD) measures by a third party located within the EU, this is a factor that reduces the ML/TF risk.

2. The need for measures to be introduced along with practical examples

CASP entities, similarly to credit and financial institutions, are required to adhere to general AML/CFT obligations, such as considering the weight of each risk factor while taking a holistic view of all risk factors identified. They shall utilise suitable tools for transaction monitoring and analytics, based on their activities and available crypto assets. CDD measures should be put in place following the risk-based approach, to identify whether the transaction bears a higher risk. If a high-risk relationship is identified, Enhanced Due Diligence (EDD) measures must automatically be applied.

Some of the examples of EDD to be used include:

  • Verifying the identity of the customer or the customer’s Ultimate Beneficial Owner (UBO) using various reliable and independent sources.
  • Requesting more detailed and in-depth information on the purpose of the transaction.
  • Checking the IP address used and comparing it with the IP addresses used by other customers, to see whether it is the same.

In cases where the risk assessment of the customer is identified as low, CASP entities can apply Simplified Due Diligence (SDD) measures, only to the point permitted by national legislation.

If the risk is assessed as low, the following SDD measures shall apply:

  • Information or documentation relevant to CDD is updated only if an event occurs that compels the firm to change the risk status of the customer, i.e. the customer requests a higher-risk product.
  • Transaction monitoring is conducted less frequently.

3. The next steps forward

Considering the above-mentioned requirements, the enhancement of the EBA’s AML/CFT Guidelines is not just a regulatory requirement anymore, but also a sign of the growing maturity of the crypto assets sector. By categorising CASP entities along with credit and financial institutions, regulators are acknowledging the sector’s importance and impact on global finance. Moreover, the move towards homogenising regulatory frameworks across EU Member States signifies a collective effort to create a united front against financial crime.

Questions to be answered:

  • When will the consultation paper be consolidated with the other Guidelines and take full effect?
  • When will CASP become obliged entities on an EU level?

We expect that the Consultation Paper will be consolidated with the Guidelines and take full effect once the Markets in Crypto-Assets (MiCA) Regulation is adopted. At the same time, CASP entities will become officially obliged entities and shall be subject to EU AML/CFT obligations by the end of 2024. This will ensure that the regulatory and supervisory framework for AML/CFT is in line with global recommendations and effectively manages ML/TF risks associated with this sector.

4. How SALVUS can help with the fulfilment of your CASP requirements

The Crypto-Assets team at SALVUS has been involved in the registration of several CASP business models. The SALVUS team has real first-hand experience in the crypto space and has successfully built on that to hone its skillset and expertise.

Our CASP registration service guides crypto businesses into becoming supervised entities in Cyprus and complying with the AML/CFT regulatory framework.

Contact us at info@salvusfunds.com if you require support in fulfilling your CASP requirements and achieving compliance with the AML/CFT regulatory framework.



The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.
