As the EU crypto industry welcomes MiCA, it also needs to up its ML/TF standards

Overview

For a number of years, EU crypto-asset service providers (CASPs) have been monitoring and anticipating the arrival of the Markets in Crypto-assets (MiCA) Regulation, a bespoke framework for CASPs and issuers of crypto-assets (CAs) which entered into force on 29 June 2023. It will be complemented by Guidelines and Technical Standards (what we call Level 2 Regulations) that may also bolster AML/CFT requirements for CASPs and also issuers of asset-referenced tokens (ARTs).

Although MiCA represents a substantial increase in regulatory obligations for CASPs, the EU’s new Anti-Money Laundering/Countering the Financing of Terrorism (AML/CFT) Package adds to the regulatory burden making them subject to additional AML/CFT obligations and supervision.

The AML/CFT Package consists of two elements that specifically address crypto-asset activity, a new single-rulebook Regulation (SRR) which awaits the final approval of its definitive text and a recast Transfer of Funds Regulation (ToFR), which entered into force on 29 June 2023 alongside MiCA. The package has prompted the European Banking Authority (EBA) to propose significant changes to its ML/TF Risk Factors Guidelines (which will also apply to CASPs) through a consultation process in which the industry can make submissions until 31 August 2023.

These pieces of legislation make up the meat of the EU’s wider AML/CFT regime, and they will soon have an unprecedented impact on CASPs entering the EU market.

MiCA and its Technical Standards and Guidelines

MiCA’s primary focus is not on AML/CFT. However, CASPs seeking authorisation under MiCA need to demonstrate how they will comply with EU and national AML/CFT laws. CASPs operating trading platforms must ensure systems are sufficiently robust to prevent ML/TF abuse.

When assessing the suitability of CAs, they are required to consider their potential to illicit fraudulent activities. Privacy tokens, or CAs with a built-in anonymisation function, may not be admitted to trading unless CA holders and transaction history can be identified.

The EBA, European Securities Markets Authority (ESMA) and European Central Bank (ECB) will be issuing Guidelines and Technical Standards in the coming months that may impact the details of MiCA’s AML/CFT requirements.

Single-rulebook Regulation (SRR or AMLR)

Under the proposed SRR, also referred to as the Anti-Money Laundering Regulation (AMLR), CASPs will become obliged entities and must comply with the same AML/CFT standards as other financial institutions.

They will be required to undertake risk-based customer due diligence and monitor and report suspicious transactions to their Financial Intelligence Unit (FIU). Many CASPs are already undertaking customer onboarding and KYC processes, but operating in line with regulated AML/CFT standards will present an additional challenge.

The SRR will also prohibit CASPs providing custody services from offering or dealing with anonymous wallets.

Although Non-Fungible Token (NFT) trading platforms are out of MiCA’s scope, it is possible they will be captured by the SRR, as evidenced by the position of the European Parliament’s Economic and Monetary Affairs (ECON) Committee and Civil Liberties, Justice and Home Affairs (LIBE) Committee.

Transfer of Funds Regulation (ToFR)

The recast ToFR, or Europe’s version of the Travel Rule, will require complete originator and beneficiary details to accompany crypto-asset transfers between CASPs for all transactions. When processing transactions over €1,000 that involve self-hosted addresses, or wallets where owners fully control private keys without any third-party intermediary, CASPs must verify the identity of the CA holder.

The EBA’s ML/TF Risk Factors Guidelines

The proposed changes to the EBA’s ML/TF Risk Factors Guidelines indicate that banks and other financial institutions will be obligated to assess CASPs for ML/TF risk before entering into business or correspondent relationships with them. If the CASP is not regulated under MiCA or an equivalent regulatory framework, it will be subject to an enhanced ML/TF assessment. Such firms will need to prepare for substantial scrutiny when dealing with EU-based financial institutions.

CASPs will also need to assess ML/TF risks when dealing with their customers.

The challenges of ML/TF compliance

The Travel Rule is potentially the largest AML/CFT compliance challenge CASPs will face. Most Travel Rule Solution Providers (TRSPs) are designed to facilitate the exchange of travel rule information between regulated CASPs. Obtaining travel rule information for transfers involving self-hosted addresses (or wallets) may prove extremely challenging or even impossible in certain cases as they face the task of verifying the identity of physical persons who are inherently anonymous.

As a result, CASPs may be forced to transact only with other CASPs and exclusively conduct transfers with wallets controlled by users if they are under the €1,000 threshold. This is also likely to increase unregulated, decentralised finance (DeFi) activity as self-hosted wallet holders that are typically hosted on DeFi protocols may opt to bypass CASPs entirely and engage in peer-to-peer transactions.

Other compliance challenges can come from the demands of law enforcement agencies, such as when a CASP needs to comply with an international sanction or AML/CFT order. Blockchain analytics and geolocation will be able to assist, but these tools can be expensive and resource intensive. The cost of compliance will undoubtedly increase, potentially pricing out smaller players and consolidating the market.

Where is AML/CFT headed for crypto in the EU?

Although the arrival of MiCA is a significant step forward in crypto regulation in the EU, the impact of the AML package cannot be understated.

The use of CAs in ML and TF, because of their in-built anonymity and ability to bypass the regulated institutions of traditional finance, has been a constant concern of EU legislators. The EU’s AML/CFT Package and MiCA address Europe’s apprehensiveness head-on by requiring CASPs to comply with the EU’s stringent AML/CFT rules.

CASPs will need to adopt bank-like due diligence and compliance standards and also navigate through the complexity of travel rule compliance and the interaction with self-hosted wallets. It is likely that interaction with the unregulated and anonymous crypto world of self-hosted wallets and DeFi will become increasingly challenging from a compliance perspective.

There can be little doubt that the EU’s AML/CFT requirements on crypto-asset businesses will continue to evolve in lock-step with wider developments in the EU’s regulatory oversight of ML/TF, and CASPs should look out for any developments as both MiCA and the AML/CFT measures are actively enforced by the EU authorities when they do go live.