In 2023 the EU finalized the Markets in Crypto-Assets Regulation (MiCAR) which had a companion anti money laundering (AML) regulation relating to the travel rule. This involves passing details along with a transaction. Today, the European Banking Authority (EBA) published the AML guidelines that implement the regulations. They apply from 30 December 2024. Transfers by CASPs to self hosted wallets are treated as high risk.
These kinds of transactions generally trigger enhanced due diligence, which can be invasive. Instead of just asking about identity, it involves questions about sources of income and wealth. We highlighted these issues when the EBA ran a consultation last year.
On the one hand, this could be very challenging for NFT platforms as many people keep NFTs in self hosted wallets. However, the EBA also outlined steps that will reduce risk. For example, if the product allows transactions with a customer’s bank account in the EU, AML compliance would also have been conducted elsewhere.
Mainstream AML rules have a long list of risk factors, and the crypto-asset rules are also subject to those.
Crypto specific AML risks
Regarding crypto-specific risks, alongside self hosted wallets, it listed four other transaction risk factors. They include transfers to a DeFi platform, those involving crypto-ATMS not under EU oversight, payments via mixers and transactions to CASPs in risky jurisdictions.
These are transaction-specific risks. However, CASPs also have to assess the customer and the customer’s behavior. For example, if customers frequently conduct transactions just under the €1,000 threshold limit, they might be doing something dodgy. Depositing money in a P2P lending platform not regulated under MiCA is considered high-risk behavior. Privacy protocols such as Monero or Zcash are explicitly mentioned as high risk.
A couple of the customer behavior risks are broad. If a customer tops up a crypto account from multiple bank accounts or credit cards, that’s considered high risk. Another is if the bank account is in a jurisdiction different from the customer’s address. In Europe, many people use Revolut and Wise, which have pan-European operations. Wise’s European bank account is based in Belgium, and Revolut’s is in Lithuania. So, would any EU person using Wise or Revolut not based in Belgium or Lithuania be considered high-risk?
The guidelines also include instructions for banks interacting with CASPs. Money remittance firms notoriously struggle with AML rules, and CASPs not registered under MiCA are lumped in with them. However, even if a CASP is MiCA registered, it’s likely to be lumped with remittance firms if it allows transfers to self hosted wallets or DeFi protocols.
Update: Clarified that the EBA guidelines relate ti MiCAR and its companion AML legislation.