New Era of AML & CFT - EBA's Guidance for CASP Supervision
Josef Bergt
2023
Abstract
In a move that marks a significant milestone in the regulation of the rapidly evolving crypto-asset sector, the European Banking Authority (EBA) has unveiled its final Risk-Based Supervision Guidelines (EBA/GL/2023/07). These guidelines signal a paradigm shift in the supervisory landscape for crypto-asset service providers (CASPs) under the European Markets in Crypto-Assets Regulation (MiCAR) and Anti-Money Laundering Directive (AMLD). This article assesses the challenges and opportunities presented by the EBA's approach to Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) in the CASP sector.
Introduction
On November 27, 2023, the European Banking Authority (EBA) issued its final Risk-Based Supervision Guidelines (EBA/GL/2023/07), expanding the ambit of AML/CFT supervision for authorities overseeing CASPs. This moment in regulatory oversight is a response to the emerging significance of crypto-assets and their service providers in the financial landscape. As legal entities engaged in providing crypto-asset services professionally, CASPs are now enshrined in a more robust regulatory framework, necessitating nuanced understanding and stringent compliance.
Evolution of CASP Regulation Under MiCAR and AMLD
The European Markets in Crypto-Assets Regulation (MiCAR) defines CASPs as legal entities professionally engaged in crypto-asset services. These entities must obtain authorization in accordance with Article 59 of MiCAR, once the regulation is applicable. This incorporation of CASPs into the realm of regulated entities marks a significant departure from previous regulatory approaches. Prior to this amendment, only providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodian wallet providers (known as virtual asset service providers or VASPs), fell within the purview of regulatory oversight. The proposed Anti-Money Laundering Regulation (AMLR) is set to further extend the coverage of CASPs under MiCAR as obliged entities under AMLR, creating a comprehensive regulatory net.
EBA's Risk-Based Supervision Guidelines: A Closer Look
Crucially, the EBA's Risk-Based Supervision Guidelines focus on national competent authorities rather than the regulation of entities subject to due diligence duties themselves. The EBA aims to provide future guidance on AML for CASPs and has initiated consultations in this regard. These guidelines underscore the importance of competent authorities understanding the technological landscape's impact on AML risk profiles. This necessitates a thorough assessment of factors like centralization, decentralization, open-source and proprietary wallets, permissioned or permissionless ledgers, and varying degrees of anonymity.
The EBA advocates for a consistent, risk-based approach in the AML/CFT supervision of CASPs. These guidelines serve as a critical source of information for competent authorities in assessing ML/TF risks associated with CASPs. It is incumbent upon these authorities to identify risk factors pertinent to different sectors under their supervision, especially those utilizing technologies like Distributed Ledger Technology (DLT) or anonymity-enhancing features. The guidelines call for periodic reviews of risk assessments and emphasize the need for comprehensive training for both competent authority staff and internal business personnel.
Reach out to us at Bergt Law if you have any questions related to crypto asset services or compliance matters.
Source: Guidelines EBA/GL/2023/07 27.11.2023
Executive Summary:
- The EBA has issued final Risk-Based Supervision Guidelines, expanding AML/CFT supervision for CASPs.
- MiCAR requires CASPs to be authorized, reflecting a broader regulatory scope than before.
- The proposed AMLR will further encompass CASPs under MiCAR as obliged entities.
- The EBA's guidelines focus on the role of national competent authorities, not directly on CASPs.
- A consistent risk-based approach in AML/CFT supervision is advocated by the EBA.
- Competent authorities must assess technology's impact on ML/TF risks and adapt their supervision accordingly.
- The guidelines highlight the importance of continuous risk assessment and staff training in the context of DLT and anonymity-enhancing technologies.