Yesterday the European Parliament passed the final version of three sets of broad anti money laundering (AML) legislation that include clauses that impact cryptocurrencies and crypto-assets more broadly. The timing was critical as Parliament recesses today ahead of elections. Crypto receives the most attention in the EU single rulebook regulation. The final necessary step is for the European Council to approve the legislation.
While the legislation is by no means a light touch, several crypto-related clauses were watered down compared to the early drafts. As reported in January, the major impact is crypto asset service providers (CASPs) now have to implement the same AML rules as banks for transactions of more than €1,000.
The good news is that they dropped the original plan to include NFT platforms and Decentralized Autonomous Organizations (DAOs), which are not classified as CASPs. However, the legislation notes that by the end of the year the Commission will report to Parliament on crypto-assets in general and NFTs in particular. Hence NFT AML legislation could still arrive, just not yet. There’s no mention of DAOs.
Self hosted wallets
Self hosted wallets were another contentious area. CASPs are not allowed to provide custody for anonymous crypto accounts, nor are they allowed to custody ‘anonymity-enhancing coins’. However, the legislation explicitly does not impose AML requirements on self hosted wallet providers:
“The prohibition does not apply to providers of hardware and software or providers of self-hosted wallets insofar as they do not possess access to or control over those crypto-assets wallets.”
One clause deals with the steps a CASP needs to take when a transaction involves a self-hosted wallet. The CASP needs to try to identify the wallet holder “including through reliance on third parties” which likely means blockchain intelligence firms. It must collect additional information on the origin and destination of the crypto and conduct enhanced ongoing monitoring.
Other regulations already substantially covered CASP transactions with self hosted wallets. When the EU passed the MiCA regulations there was a companion AML regulation relating to the travel rule. For self hosted wallet transactions, enhanced due diligence is required. That’s the highly invasive type where they ask about all your assets, sources of income, etc.
The European Banking Authority published guidelines on the implementation of the regulations in January. It’s not just self hosted wallets that are considered high risk. Some pretty innocuous behaviors are as well. One of the benefits of the EU is people can work in other countries. However, using a bank account from a different jurisdiction – highly likely if you work in another EU country – is considered high risk. If you use more than one card or bank account to top up the crypto account, that’s dodgy! And if you deposit crypto in an unregulated P2P lending platform, you must be iffy, apparently.
