Europe rang in the new year by bringing its fifth Anti-Money Laundering Directive (5AMLD) into force. Per the European Union’s official statement, “these new rules will bring more transparency to improve the fight against money laundering and terrorist financing across the European Union.”
First, the good news: 5AMLD, which went live on January 10, is not as extensive as the previous 4AMLD. Instead, it’s a series of amendments or changes to the existing framework. For those in jurisdictions that already have cryptocurrency AML regulation (e.g. Gibraltar) this will be a relatively light lift to implement. On the other hand, those in jurisdictions with no preexisting regulatory requirements will need to build out compliance programs quickly. But fear not: 5AMLD is fairly straightforward.
One of the more notable changes from the previous 4AMLD is that Virtual Asset Service Providers (VASPs) are now obliged entities. In short, this means VASPs – including cryptocurrency exchanges – will now be subject to registration and supervision from their local regulator for AML compliance. We will dive deeper into specifics later, but VASPs will need to implement processes and procedures to meet these AML requirements.
This is new ground in many parts of the EU. Some firms, such as Chopcoin, Simplecoin, and Bottle Pay chose to fold rather than adhere to the new regulations.
Additionally, regulators in some jurisdictions may choose to apply more stringent and enhanced local AML/CFT regulations that go beyond the requirements of 5AMLD. Certain EU member states, including Germany, are already doing this. This could prove to be very costly for organizations in these markets. It could also potentially lead to regulatory arbitrage; in other words, some cryptocurrency businesses may choose to move to other markets with lighter regulatory environments (see Kyberswap).
Lastly, cryptocurrency businesses will need to walk the tightrope of finding balance between their AML and their data privacy obligations.
Core Requirements for 5AMLD
VASPs will now need to take three main actions to meet their AML/CFT obligations:
- Conduct Know Your Customer (KYC) and Customer Due Diligence (CDD)
- Use blockchain analysis software for ongoing transaction monitoring
- File suspicious activity reports (SARs) and suspicious transaction reports (STRs).
Let’s look at each step more closely.
KYC and CDD. 5AMLD requires European Financial Intelligence Units (FIUs) to obtain the identities and addresses of owners of virtual currency. This means the industry will have to execute comprehensive know your customer (KYC) and customer due diligence (CDD) on all new and pre-existing customers.
Blockchain analysis and transaction monitoring. Blockchain analysis and transaction monitoring services like Chainalysis KYT (Know Your Transaction) are a core component of successful AML/CFT regulatory compliance in the cryptocurrency industry, and 5AMLD is no different. Transaction monitoring is required to identify and prevent illicit and risky activity.
Filing of STRs/SARs to law enforcement. Cryptocurrency businesses will now need to file STRs and SARs to relevant law enforcement bodies. This becomes increasingly important under 5AMLD as FIUs now have unprecedented access to information from obliged entities where they see fit, regardless of any preexisting filing on an organization or entity. If an organization has not screened or filed appropriately and an FIU identifies such deficiencies, that organization could be in a very bad position.
Next steps to success
There are three things cryptocurrency businesses can do now to start complying with 5AMLD requirements.
Conduct a risk assessment. In the cryptocurrency space, risks include money laundering, fraud, theft, sanctions evasion, and terrorism financing. Understanding the local regulation and specific risks to your business will allow you to initiate proportionate controls and programs. This, in turn, will assist with licensing, as local regulators will audit firms for appropriate compliance programs prior to issuance.
Take a risk-based approach. Based on their risk assessments, cryptocurrency businesses should take a risk-based approach in building out their compliance program. Having identified the risks to the business, the organization should allocate the appropriate resources and build programs to mitigate the risks they’ve identified.
Registration and licensing. Firms then need to register and obtain relevant licensing where they operate. Understanding local requirements is key, as they may vary across the EU. This should be initiated as soon as possible, as the process may take longer in certain jurisdictions than in others. If an organization previously initiated a risk assessment and is actively applying a risk-based approach to their business model, they should be in a good position when their application is reviewed.
EU member states are expected to begin implementing the FATF’s virtual asset recommendations on top of 5AMLD in the near future, and this will impact their local AML laws. For example, the UK is already doing this. This may impact everything from defined thresholds for CDD to obligated entities. The EU is expected to bring the FATF recommendations, interpretive notes, and guidance formally into effect with the future 6AMLD.
While meeting these new requirements may be arduous for some, the result will be a more aligned and comprehensive AML framework across the EU. This will provide more financial integrity, and decrease the illicit activity executed in the space. Since the cryptocurrency industry took flight over the last decade, most financial institutions have been unwilling to provide financial services given the perceived inherent risk and lack of regulatory supervision and enforcement. Once these same AMLD requirements are in practice across both cryptocurrency and the traditional financial sector, these financial institutions may be more willing to collaborate and engage. Ultimately, this kind of institutional adoption will lead to unprecedented growth for cryptocurrency.