On November 27, the European Banking Authority (“EBA”) published its final Risk-Based Supervision Guidelines, expanding the scope of AML/CFT supervision for competent authorities supervising crypto-asset service providers (“CASP”).

AML regulation of CASPs

The European Markets in Crypto-Assets Regulation (“MiCAR”) defines CASPs as legal entities engaged in providing crypto-asset services professionally, which must now be authorised in accordance with article 59 of the MiCAR. CASPs have become covered by the Anti-Money Laundering Directive (AMLD) due to a recent amendment (included in the new Transfer of Funds Regulation and to be transposed into national law by 30 December 2024). Previously, providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers (VASP), were covered. Those, however, are only a sub-group of CASPs. The proposal for a new Anti-Money Laundering Regulation (AMLR) will also cover CASPs under MiCAR as obliged entities under AMLR.

Content of the EBA Risk-Based Supervision Guidelines

The EBA Risk-Based Supervision Guidelines do not cover the regulation of obliged entities but address the national competent authorities. The EBA intends to issue guidance on AML for CASPs at a later stage and has already conducted a consultation on this.

National competent authorities will begin to supervise CASPs and therefore must consider the impact of the technology on the AML risk profile. Factors such as centralisation, decentralisation, open-source and proprietary wallets, permissioned or permissionless ledgers, and varying degrees of anonymity must be assessed. The EBA calls for a consistent risk-based approach by competent authorities in AML/CFT supervision of CASPs.

The guidelines serve as a source of information that each competent authority should consider when assessing ML/TF risks associated with CASPs. The competent authority must identify risk factors that are relevant in the different sectors under its supervision. Where the use of technology, such as distributed ledger technology (DLT) or anonymity-enhancing features, is essential to the sector’s, or subsector’s, business model and operation, the competent authority must know the effect this technology has on the sector’s or subsector’s money laundering and terrorist financing (ML/TF) risk exposure.

For businesses utilising distributed ledger technology (DLT) or blockchain, the guidelines recommend periodic reviews of risk assessments and necessary staff training. Competent authorities are urged to understand the inherent risk factors within sectors and subsectors employing DLT. The guidelines underscore the importance of comprehensive training for competent authority staff, internal business training tailored to AML/CFT responsibilities, and addressing knowledge gaps through strategic hires or leveraging in-house specialists.