AML guidelines for regulatory compliance of cryptocurrency businesses in the European Union: The 5th AML Directive

Posted Leave a commentPosted in Finance, Technology

On the 9th June 2018, the EU Commission brought crypto-fiat exchanges and custodian wallets under the anti-money laundering regulation vide the Fifth Anti-Money Laundering Directive (5MLD).

This requires cryptocurrency exchanges to perform KYC/Customer Due Diligence (CDD) on customers and fulfil standard reporting requirements. The Directive clearly mentions that while cryptocurrency is broadly considered legal across the member states, cryptocurrency exchange regime and taxation on crypto profits depend upon the regulations of individual member states. The 5th AMLD seeks to bring the unregulated digital currency sector under mandatory anti-money launderinglegislation.

This brings the EU bloc on par with some of the leading regulators across the world, including the U.S. and Australia. The law brings legitimacy and regulation to the cryptocurrency industry, while aiming to counter the risks of money laundering and terrorists financing arising from cryptocurrency.

Member states are obliged to transpose the modified regulations into national law by January 20th 2020, latest.


The 5th AMLD defines:

Cryptocurrency as “a digital representation of value that can be digitally transferred, stored or traded and is accepted by natural or legal persons as a medium of exchange”..

Virtual Currency Exchange Platforms (“VCEPs”) as providers engaged in exchange services between virtual currencies and fiat currencies” i.e. crypto-fiat currency exchanges

Custodian Wallet Providers (“CWPs”) as providers of “custodian wallets” or cryptocurrency wallet services; where the service provider holds the users’ private cryptographic keys “to hold, store and transfer virtual currencies”.

Beneficial Owners as “any natural person(s) who ultimately owns or controls the customer, and/or natural person(s) on whose behalf a transaction or activity is conducted.”


Who and what is covered?

Under this Directive, two types of cryptocurrency businesses are covered:

  • virtual currency exchange platforms
  • custodian wallet providers

These are the ‘obliged entities’ under the new law to follow the same regulations as banks and financial institutions.

Such ‘obliged entities’ will be required to implement measures to counter money laundering and terrorist fundraising.  KYC, CDD and transaction monitoring are compulsory obligations to be fulfilled. Maintenance of comprehensive records and reporting of suspicious transactions, are also required.

The 5AMLD makes it obligatory for crypto-to-fiat-exchanges and custodian wallet providers to register with the national agencies. Each of the EU’s 28 member states is covered by the 5AMLD.

Member countries are required to

  • Establish central databases, listing virtual currency users (the identities, wallet addresses), together with self-declaration forms submitted by virtual currency users.
  • Define ‘virtual currencies’ and ‘CWPs’, and lay down the governing AML/CTF regulations.

Special Focus on Risks associated with ML/TF

The EU Directive focuses on the risks associated with the use of virtual currencies, in particular naming

  • proceeds of crime launder through virtual currencies, anonymously and globally,
  • use of virtual currency remittance systems for terrorist or illicit activity financing,
  • the anonymity of virtual currency that enables criminals or terrorists to disguise the origins of proceeds, compromising the work of law enforcement agencies.

EU Guidelines for AML/CTF compliance of crypto businesses in member countries

Each EU member country is obliged to

a)     Maintain a “Register of Ultimate Beneficial Owners” (UBOs) that will contain information of the beneficial owner’s date of birth, country of residence, nationality, and the nature and extent of the beneficial interest held. Registers of UBOs are to be made publicly accessible, and inter-connected at pan-EU level for exchange of information to strengthen their UBO verification mechanisms.

b)     Maintain a PEP List of prominent politically exposed public functions to make easier for smaller compliance teams or SMBs, to identify PEPs while screening risks.

Member states must define a PEP within its national jurisdiction, and also include information from international databases in its list.

c)     Maintain centralised registries or electronic data retrieval systems to identify entities holding or controlling payment accounts, bank accounts, and safe-deposit boxes. The national Financial Intelligence Units (FIUs) of member states are to be allowed direct, access to the registries.


EU regulations for sanctions/PEP screening and beneficial ownership

KYC/Verification of Beneficial Ownership – Prior to any new business relationship or customer onboarding, “obliged entities” are required to perform KYC checks including validating against the corresponding beneficial ownership register in the EU.

“Obliged entities” should notify if any discrepancies are found in the beneficial ownership information on the registers while conducting CDD /KYC.

PEP and Sanctions Screening – Any PEP calls for enhanced due diligence.

Obligations of crypto businesses under 5AMLD

All cryptocurrency “obliged entities” across the EU bloc are to register themselves with the FIU, with complete details of ownership structures. They are to perform the sanctions screening and enhanced CDD measures and check against 

The FATF regulations for cryptocurrency business takes shape

Posted Leave a commentPosted in Finance, Technology

If there was ever a phenomenon that mirrored the situation of going down the rabbit’s hole (think Alice in Wonderland), it is cryptocurrency! Long considered with suspicion by global regulators, finance professionals and money laundering watchdogs, the cryptocurrency phenomenon while unmapped is increasingly becoming mainstream.

While most countries are yet to declare cryptocurrency as legal tender, or even regulate crypto businesses, it cannot be denied that crypto is fast emerging as a part of the global financial system. This has prompted many jurisdictions like Australia, Singapore, UK, USA and Japan, to establish taxation norms and requirements for engaging in any form of crypto activity.

As FATF took a slow and measured pace to form any conclusive guidelines, it fell upon individual countries to take some concrete steps towards regulating crypto activities. Australia (AUSTRAC) and the EU are some of the regimes to have included crypto businesses in the framework of “regulated entities” for AML/CTF compliance.

Why does cryptocurrency conjure up a fear amongst regulators?

The key to tackling financial crime and terror financing and fraud is the ability to trace the beneficial ownership and touchpoints of financial transactions. Every day the world witnesses billions and billions of dollars transferred across geographies for the purpose of financing regional and global terrorism. Drugs, gambling, illicit activities and financial crime occur every day both in the open economy and in connivance with shadow banking and the dark web. Just as the Vancouver model in Canada has created a phenomenal rise in drug crimes and deaths together with an abnormal spike in real estate prices, other countries too with uncontrolled money laundering mechanisms have witnessed a spurt in terrorist financing and financial crime.

Governments are the custodians of the citizen wealth. They are reposed with the responsibility of maintaining internal security and a stable financial system, both props of a stable economy. This makes it incumbent upon every government to frame AML/CTF regulations that attempt at tackling money laundering activities.

The anonymity aspect of the cryptocurrency is the very bane of its functionality. Despite the many benefits of crypto, it cannot be ignored that cryptocurrency has a vast potential of being used to launder dirty money and finance crime. The ownership of cryptocurrency and its money trails cannot be traced, which is the very backbone of the money laundering and terror financing mechanism.

An AML/KYC Approach to Cryptocurrency Regulations is considered the ultimate solution of a tech-driven virtual currency that is fast emerging a part of money remittance systems.

The FATF solution – from declaring crypto as a “virtual asset” to setting out requirements

The FATF finally comes clear on the risks of cryptocurrency businesses. In its February 22 Plenary, the FATF issued a Draft Interpretive Note to FATF Recommendation 15 that sets the tone for the final Regulatory Guidance scheduled for release in June 2019. This Draft takes the October 2018 FATF Recommendation 15 of crypto as a “virtual asset” a step further.

In October 2018, FATF had declared clearly that while “Virtual assets and related financial services have the potential to spur financial innovation and efficiency and improve financial inclusion, but they also create new opportunities for criminals and terrorists to launder their proceeds or finance their illicit activities.” FATF gave a clarion call for “an urgent need for all countries to take coordinated action to prevent the use of virtual assets for crime and terrorism.” Following this, FATF has now set out detailed implementation requirements for the regulation and monitoring of virtual asset service providers (VASPs) or cryptocurrency businesses.

What does the latest FATF Draft convey?

The latest rollout by FATF, which become part of the June Final Guideline, details the compliance requirements of crypto businesses.

  • VASPs will be required to be licensed or registered in the jurisdiction(s) where they are created.
  • Competent authorities in the jurisdiction are required to implement the necessary legal and regulatory measures to prevent criminals or their associates from being a beneficial owner, holding controlling interest, or a management function, in a VASP.
  • VASPs are subject to regulation and monitoring for AML/CFT compliance and relevant FATF Recommendations. The objective is to mitigate money laundering and terrorist financing risks from virtual assets.
  • A range of sanctions, whether criminal, civil or administrative, will be available with the “competent authorities” to deal with VASPs that fail to comply with AML/CFT requirements.

Sanctions are applicable not only to VASPs, but also to their directors and senior management.

  • VASPs must comply with FATF Recommendations 10-22 for transactions with a threshold above USD/EUR 1000. In such case, the VASPs must obtain information on both, the sender and the beneficiary. The VASP is also required to share this information with the beneficiary VASP, thus removing anonymity from the “virtual asset”.

This also means having in place a system of KYCCustomer Due DiligencePEP Screening, and Sanctions Checks against high-risk third countries/business activities, and reporting such suspicious activity to the “competent authority”.

  • The “competent authority” must monitor the submission of such information, and take necessary freezing action and/or prohibiting transactions with designated persons and entities, and use such other instruments of risk-based regulatory compliance.

What does this mean for you as a cryptocurrency business or a legal and financial professional in cryptosphere?

Whether a virtual currency exchange platform or a custodian wallet provider, any crypto business will:

  • Need to be registered in a country where it is permitted.
  • Registration must be as a “virtual asset provider”.
  • The crypto business must ensure that any trustee, beneficial owner, or management, does not hold a criminal record.
  • The business must comply with the AML/CTF laws in that jurisdiction, and fulfil the requirements of a “regulated entity” or “obliged entity”.
  • Compliance includes obtaining and sharing information of the sender and receiver in a transaction exceeding USD/EUR 1000, and ensuring a compliance mechanism of CDD, PEP Screening, and other Checks.
  • Use third party services for KYC, PEP, and Sanctions Checks, and Watchlist Screening.
  • Compliance and cooperation with the relevant “competent authority” and other legal and criminal systems in the jurisdiction where it is registered.

Don’t miss our next event

Posted Posted in Finance, Fraud, Technology

A blog post by Jonathan Jensen, Commercial Director Identity Verification

When fraud takes place, individuals lose money. Investors are affected because their returns in financial firms are reduced. Retailers have to deal with sorting out stolen cards or identities. These are all personal experiences.

Financial Services has had a number of achievements in the fight against financial crime in recent years. Chip and PIN, tokenisation of card details, and more recently, Confirmation of Payee and strong customer authentication, show how far we’ve come.

BUT, there is still more that can and should be done to prevent and reduce the impact of financial crime.

In their recent report “Facing up to Financial Crime”, the Emerging Payments Association (EPA) looks at the state of financial crime and its impact on the payments market.

The ambitious use of technology and greater industry collaboration have been identified as the two key enablers to achieving further success. The EPA is uniquely placed to drive industry debate across its members and other payments stakeholders, including customer groups, law enforcement, government and regulators.

Here’s a summary of the EPA’s key recommendations where the financial services industry can take a more proactive approach to mitigating the impact of financial crime:

Digital identity: an industry approach

Identity linked fraud has a significant cost to the industry – authorised push payment fraud cost £236 million and card not present ecommerce fraud £310 million in 2017.

The opportunity to build an industry led digital identity scheme should be explored via collaboration across the financial services industry combined with engagement with government and regulators.

UK Finance has endorsed the BSI Code of Practice on Digital Identification & Authentication (PAS499) which creates a framework for the industry to build on.

Really knowing who the customer is

Customer verification can build on existing processes to use additional data points like location, device, mobile usage and spending patterns. More points of reference raises the level of assurance around a customer’s identity.

Transaction analytics

Network level analysis of all payment transactions across all payment service providers between given points in time would be a powerful tool in the detection of financial crime. Pay.UK and Vocalink have had some early success in this area detecting mule accounts.

The EPA’s findings support the results of the research GBG commissioned last year with Forrester. The report found that 84 per cent of UK financial service organisations are concerned about their ability to identify customers correctly.

Moreover, a third believe they are ‘seriously lagging behind competitors’ when it comes to fraud checks

We’re pleased to be a member of the EPA, and support the industry in using innovation in the fight against fraud.

To find more information about what we do with the EPA, see here:

UK financial services lagging behind global rivals in digital

Posted Posted in News
  • 84 per cent of UK financial service organisations are concerned about their ability to identify customers correctly
  • A third believe they are ‘seriously lagging behind competitors’ when it comes to fraud checks
  • UK firms have less interest in adopting new approaches to authenticate customer identity, lagging behind China, Singapore and the US

Seismic changes in UK policy and legislation could be negatively impacting the UK financial service industry’s ability to build a globally competitive digital customer experience.

According to an international study commissioned by identity data intelligence specialist GBG and conducted by Forrester Consulting, the UK financial sector is lagging behind China, Singapore, the US and Australia in adopting new approaches to authenticating customer identity.

The findings show that 84 per cent of UK financial service firms are concerned about their ability to identify customers but UK firms are less focused on new technology solutions to address this, and appear more inward-looking, more focused on cost-control and less inclined to invest in new technology than their global counterparts.

Major regulatory changes this year including Open Banking and GDPR, as well as ongoing Brexit negotiations, are impacting the sector. At the same time customer expectations continue to rise as a result of digital empowerment and great experiences from the likes of Amazon, Apple, and Facebook.

Research highlights

Despite the UK’s reputation as a world-leader in artificial intelligence, interest in new technology such as facial recognition, automated data capture and social media data analysis, has yet to be widely adopted in the UK. This means customers are missing out on seamless online transactions enjoyed in other markets.

In 2018 we’ll see unprecendented change in the financial service sector. At the same time, consumers are increasingly happy to use everyday digital services provided by organisations from across the world.

According to the Forrester Study, financial service firms will live (or die) by delighting customers via digital channels. A tough economic environment, increased regulation, and greater competition have created challenges for incumbent financial service organisations; on the flip side fintechs delight with great experiences, but lack the strategic execution to comply with regulatory requirements.[i]

In order to improve customer retention, loyalty, advocacy and customer satisfaction, UK financial service firms need to address the gap between their approach to new technology and that of their global competition.

Financial service firms should build relationships through services that exceed customers’ current expectations and anticipate their future needs, improving financial wellbeing.

Mick Hegarty, Managing Director at identity data intelligence specialist GBG, said: “Although the UK is currently behind the rest of the world in its digital approach to customer identity, there are some promising signs for the future. Our research shows that UK fintechs are more interested than the established banks in adopting new approaches and more are planning to increase investment in the next 12 months. The fintech innovators and challenger banks will prove vital to the UK financial service sector in keeping pace with the rest of the world whilst we navigate a challenging year of legislation and policy change.”

To download the full report, and to register for our webinar with Forrester Consulting, visit