New EU anti-money laundering measures have been approved by European legislators.

The European Parliament and Council have finally signed off on the text of the fifth Anti-Money Laundering Directive (known as MLD5).

Overview

The new directive is of particular interest to the FinTech sector as, amongst other things, MLD5 includes measures to increase transparency around more recently developed instruments of payment — namely cryptocurrencies and prepaid cards. Both these instruments lend themselves to anonymity and raise concerns that they could be used to help fund terrorist activities.

MLD5 will lower the threshold for identifying the holders of anonymous prepaid cards from €250 to €150. It will also require know-your-customer (KYC) checks to be performed for remote payment transactions exceeding €50, or if a withdrawal of more than €50 is made. The new provisions will also mandate that prepaid cards issued outside the EU can only be used in the EU if they comply with equivalent anti-money laundering (AML) standards (although it seems that this is left for the EU acquirer to judge). This is largely driven by European lawmakers’ concerns that individuals can fund terrorism “on a shoestring”, as evidenced by the fact that rental cars used in terror attacks have been paid for using prepaid cards.

The new legislation will also require virtual currency exchange platforms and custodian wallet providers to perform due diligence on their customers, including KYC checks. Such entities will also need to be registered for AML purposes. Consequently, these entities will be regulated for AML purposes in the same way as financial services firms (and subject to the same AML regulatory obligations). This will be a significant change for relevant businesses, and is likely to increase their regulatory compliance costs substantially.

Member States will have 18 months to implement the new measures, so the sector will not feel the full impact of the changes for some time.

Do all virtual currencies / tokens fall within scope?

Virtual currencies are defined as a digital representation of value that:

  • Is not issued or guaranteed by a central bank or a public authority
  • Is not necessarily attached to a legally established currency, and does not possess a legal status of currency or money
  • Is accepted by natural or legal persons as a means of exchange
  • Can be transferred, stored, and traded electronically

This definition is very broad and the recitals to the directive confirm that the objective of MLD5 is to cover all the potential uses of virtual currencies. Therefore, it is likely that all cryptocurrencies and most tokens issued in an initial coin offering (ICO) will be covered by the definition.

Application to virtual currency exchange platforms

MLD5 applies to providers engaged in exchange services between virtual currencies and fiat currencies. While this will capture many virtual currency exchange platforms, it will not capture virtual currency platforms that only exchange cryptocurrencies / tokens for other cryptocurrencies / tokens, and do not provide services to convert those cryptocurrencies / tokens into fiat currency.

The recitals to MLD5 recognise that the directive will not entirely address the issue of anonymity attached to virtual currency transactions. This is because a large part of the virtual currency environment will remain anonymous, as users can also transact without providers engaged in exchange services between virtual currencies and fiat currencies, presumably on an over-the-counter basis or using an exchange that only allows crypto-to-crypto transfers. In order to address the issue of anonymity of virtual currency users, MLD5 proposes that a central database registering users’ identities and wallet addresses is established and made accessible to national Financial Intelligence Units. However, this proposal will only be introduced via separate legislation if the European Commission determines such a measure necessary and appropriate following its report on the implementation of MLD5, which is due to be published within two years of the transposition of MLD5. Nevertheless, the proposal for such a national register would be a significant development in addressing the anonymity and AML concerns in relation to virtual currencies. However, the proposal does raise questions as to how or whether such a register could capture the identity of non-EU citizens who trade cryptocurrencies with persons in the EU.

Application to custodian wallet providers

A custodian wallet provider is defined as an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store, and transfer virtual currencies. This definition will capture standalone crypto-custodians and wallet providers, but likely will also capture any blockchain platform that provides customers with a digital wallet for holding tokens, even if this is an ancillary part of the blockchain platform’s business.

Impact on ICO issuers?

ICO issuers will only fall within the scope of the new MLD5 requirements if they satisfy the definition of a custodian wallet provider by safeguarding the private keys of their tokenholders / platform users, or if they provide services to convert tokens into fiat currency. However, regardless of this determination, ICO issuers should consider carefully whether their broader activities fall within the scope of AML requirements, and the possible legal, business, and reputational risks of failing to conduct adequate AML/KYC checks on purchasers of tokens and users of their platform.