EBA AML/CFT Newsletter

In January, we extended our Guidelines on money laundering and terrorist financing (ML/TF) risk factors to crypto-asset service providers (CASPs). CASPs can be abused for financial crime purposes, including ML/TF. The risk of this happening can be increased as a result of, for example, the speed of crypto-asset transfers or because some products contain features that allow the user’s identity to be hidden.

These amendments will help CASPs identify whether they are exposed to higher or lower levels of ML/TF risk due to its customers, products, delivery channels and geographical locations. Given the interdependence of the financial sector, other credit and financial institutions may also be exposed to risks associated with crypto assets and therefore more guidance is also provided on this.

The two-month notification deadline for competent authorities to confirm their intention to comply or not comply with the EBA Guidelines begins once all translations have been published. Accordingly, the deadline for competent authorities to notify the EBA of their intention is 13 May 2024.

Compliance notifications are public and can be accessed on the EBA’s website.

In December 2023, we consulted on new Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures. Restrictive measures are binding on any person or entity under the jurisdiction of Member States. Through these Guidelines, the EBA creates, for the first time, a common understanding, among payment service providers (PSPs), CASPs and their supervisors, of the steps they need to take to be able to comply with restrictive measures. We held a virtual public hearing on the consultation paper on 8 February with 113 interested stakeholders. We received 21 responses and are now finalising the Guidelines in light of the comments received.

In February, we published a follow up to the EBA 2021 peer review report on the application of the Joint ESAs Guidelines on the prudential assessment of the acquisition of qualifying holdings. The review assesses the adequacy and effectiveness of the actions undertaken by the competent authorities subject to the previous review and finds good progress in remedying the deficiencies identified in 2021. All competent authorities have taken the need to respond to the assessment of the initial peer review seriously and most have adopted measures to remedy the deficiencies identified. We noted particular improvements in relation to the steps competent authorities have taken to identify and act upon suspicion of ML/TF.

In March, we received a 'Call for Advice' (CfA) from the European Commission on important aspects of the future EU AML/CFT framework. Our response will form the basis of legal instruments that the new AML/CFT Authority (AMLA) will prepare and ensure that AMLA can begin to operate quickly once established.

Specifically, the European Commission asked us to advise it on a common ML/TF risk assessment methodology for AML/CFT supervisors in line with Article 31(2) of the AMLD6 and on the methodology AMLA will use to select institutions that will be directly supervised by it pursuant to Article 12(5) of the AMLA Regulation.

Our advice will also cover customer due diligence under Article 22(1) of the AMLR and the criteria that supervisors will use to determine pecuniary sanctions or administrative measures under Article 39(7) of the AMLD6.  In addition, the European Commission asked us to consider possible guidance on the base amounts for pecuniary sanctions under Article 39(8) of the AMLD6 and on the minimum requirements for group-wide policies under Article 13(3) of the AMLR.

We will consult on our draft response in Q1 2025 and revert to the European Commission by 31 October 2025.

This factsheet provides an overview of the work we have done to tackle unwarranted de-risking and to safeguard legitimate customers’ access to financial services, including: the Guidelines on the effective management of ML/TF risks when providing access to financial services, additional guidance to financial institutions that service nonprofit organisations (NPOs) to the ML/TF Risk Factors Guidelines, and the joint EC/EBA factsheet on access to EU financial services as an NPO.

The AMLA will be able to build on these guidelines as the new EU supervisory framework takes shape.

Our AML/CFT database (EuReCA) is collecting information about the AML/CFT material weaknesses identified by supervisor and measures taken in response to such material weaknesses. Following the publication of the RTS in the Official Journal of the European Union on 16 February 2024, the database is ready to start collecting information on natural persons associated with the infringements.

National competent authorities are increasingly reporting AML/CFT material weaknesses and measures. In the first four months of 2024, EuReCA received 344 material weaknesses and 138 measures associated with 117 entities. While credit institutions are the most reported entities, there has been an increase in the number of submissions related to payment institutions and e-money institutions. In line with the overall figures, the material weaknesses submitted in the first four months of 2024 mainly concern deficiencies in customer due diligence (CDD) measures applied by credit and financial institutions. The types of measures reported most often are orders to comply, followed by fines/administrative pecuniary sanctions.

We have also updated the Data Protection Impact Assessment (DPIA) performed in accordance with Article 39 of Regulation (EU) 2018/1725 (EUDPR). A summary of this updated DPIA is published on our website along a notice explaining how the personal data are processed.

The Guidelines are addressed to issuers of ART and of EMT, and to competent authorities under MiCAR. They specify the content of the redemption plan, timeframe for review and triggers for its implementation. In particular, the draft Guidelines clarify the main principles governing the redemption plan (eg. the equitable treatment of token holders or governance principles) and describe the main steps for the orderly and timely implementation of the plan. They also cover the case of a pooled issuance (ie. where the same token is issued by multiple issuers).

Having regards to AML/CFT, the draft Guidelines require that relevant checks are performed and that, if the issuer is not subject to ML/TF obligations, such activities have to be performed by an intermediary which is an obliged entity under AMLD. The consultation runs until 10 June 2024 and a virtual public hearing will be held on 22 May from 14:00 to 16:00 (CET).

In November 2023, we launched a survey to collect information from national competent authorities on the extent of the use and issuing of vIBANs in their Member States and potential risks and supervisory challenges they associated with vIBANs. In February, we also sought input from representatives of the private sector via a round-table discussion and bi-lateral meetings to better understand how vIBANs work and why they are issued.

We will publish a report on the use of vIBANs in the EU and their impact on financial institutions and their customers in May 2024.