4MLD Update: New CCP Requirements and AML/CFT Obligations CASPs

On December 4, 2024, the European Banking Authority (EBA) published a consultation paper on draft Regulatory Technical Standards (RTS). These standards propose criteria for appointing central contact points (CCPs) for crypto-asset service providers (CASPs). This update, stemming from the requirements under the EU Fourth Money Laundering Directive (4MLD), addresses the evolving dynamics of crypto-asset regulation, particularly focusing on anti-money laundering (AML) and counter-terrorism financing (CFT). It builds on existing provisions for electronic money issuers (EMIs) and payment service providers (PSPs), expanding their scope to CASPs. Public consultation on this draft will close by February 4, 2025, with final standards expected by mid-2025.

Source

[1]

EBA proposes criteria to appoint a central contact point for crypto-asset service providers to strengthen the fight against money-laundering and terrorism financing in host Member States | European Banking Authority

European Banking Authority logo

[2]

Regulatory Technical Standards on CCP to strengthen fight against financial crime | European Banking Authority

European Banking Authority logo

Background: Legal Framework and Challenges Addressed

The Fourth Money Laundering Directive (4MLD), formally known as Directive (EU) 2015/849, was established to combat money laundering and terrorist financing within the European Union. Initially, 4MLD focused on traditional financial institutions, implementing measures such as customer due diligence, record-keeping, and reporting obligations. However, the rapid evolution of the financial landscape, particularly the emergence of crypto-asset service providers (CASPs), introduced new challenges.

Crypto-assets, characterized by their pseudonymity and decentralized nature, have become attractive tools for illicit activities. For instance, the U.S. Department of Justice's 2024 case against Roman Sterlingov, operator of Bitcoin Fog, highlighted the laundering of approximately $400 million through cryptocurrencies over a decade. Similarly, the 2023 takedown of ChipMixer, a Vietnam-based cryptocurrency tumbler, revealed its role in laundering over $3 billion, facilitating transactions for darknet markets and ransomware attacks.

Recognizing these vulnerabilities, the European Union amended 4MLD through Regulation (EU) 2023/1113 to encompass CASPs, aligning with the Markets in Crypto-Assets Regulation (MiCAR). This amendment mandates that CASPs implement robust anti-money laundering (AML) and counter-terrorism financing (CFT) measures, including customer due diligence and transaction monitoring. The European Banking Authority (EBA) has been instrumental in this integration, issuing guidelines to assist CASPs in effectively mitigating ML/TF risks.

The inclusion of CASPs under 4MLD signifies the EU's commitment to addressing the misuse of crypto-assets in financial crimes. By extending regulatory oversight to this sector, the EU aims to enhance the integrity of its financial system and prevent the exploitation of emerging technologies for illicit purposes.

Key Points of the Update

1. Expansion to CASPs under the Fourth Money Laundering Directive

The update marks a significant step in extending AML/CFT requirements to CASPs. Historically, 4MLD applied predominantly to financial institutions such as electronic money issuers (EMIs) and payment service providers (PSPs). However, with the rapid rise of crypto-assets and their inherent AML/CFT risks, Regulation (EU) 2023/1113 amended 4MLD to include CASPs. This update ensures that CASPs operating in host Member States without formal branches are now explicitly required to designate CCPs. The goal is to centralize compliance functions, streamlining the interface between CASPs and regulators.

In addition to being a legislative necessity, this extension reflects the EU’s broader commitment to ensuring the financial system remains resilient against the exploitation of crypto-assets for money laundering and terrorist financing. The EBA’s criteria focus on adapting existing frameworks for EMIs and PSPs to fit the distinct characteristics of CASPs.

2. Criteria for Appointment of CCPs for CASPs

The updated criteria for CCP appointment under the 4MLD emphasize key requirements for CASPs:

• Thresholds for Appointment: CASPs with a cumulative annual service volume exceeding €3 million in a host Member State must appoint a CCP. This ensures proportional regulation, targeting entities with significant operational risks.
• Non-Physical Operations: The definition of "establishment" has been broadened to include non-physical service models, ensuring compliance for CASPs operating digitally.
• Risk Sensitivity: Member States may mandate CCPs for CASPs with high money laundering or terrorist financing risks, even if financial thresholds are not met.

3. Expanded Functions of Central Contact Points

The updated Regulatory Technical Standards (RTS) define comprehensive functions for central contact points (CCPs), ensuring compliance with AML/CFT obligations for crypto-asset service providers (CASPs). These include:

1. Policy Development and Oversight: CCPs must align CASPs' AML/CFT policies with host Member State regulations, overseeing their effective implementation to mitigate money laundering and terrorist financing risks.
2. Customer Due Diligence and Risk Assessments: CASPs must conduct enhanced customer due diligence for high-risk jurisdictions and large-volume transactions. CCPs ensure these measures are rigorously applied alongside regular AML/CFT risk assessments.
3. Data and Transaction Monitoring: CCPs are responsible for ensuring CASPs implement robust mechanisms to monitor transactions, particularly involving self-hosted wallets, and comply with the EU "travel rule," which mandates detailed originator and beneficiary information.
4. Training and Capacity Building: CCPs organize tailored AML/CFT training programs for CASP staff, updating them regularly to reflect emerging threats and regulatory changes.
5. Communication and Reporting: Acting as the primary interface, CCPs handle communication with regulatory authorities, responding to inquiries, submitting reports, and providing compliance updates.
6. Corrective Actions: CCPs must address operational deficiencies and ensure CASPs implement corrective measures to maintain compliance with regulatory standards.

4. Alignment with Broader EU Regulations

The update aligns the CCP framework for CASPs with other EU regulations, including the Markets in Crypto-Assets Regulation (MiCAR). MiCAR introduced a unified rulebook for crypto-asset issuance, trading, and service provision, complementing the AML/CFT requirements under 4MLD. Together, these frameworks provide a comprehensive regulatory approach, addressing both market integrity and financial crime risks in the crypto sector.

Additionally, the RTS integrates principles from Recital 27 of Regulation (EU) 2024/1624, emphasizing the adaptability of AML/CFT measures to the unique characteristics of crypto-assets. By leveraging blockchain’s transparency and traceability features, CASPs can enhance compliance while minimizing disruptions to their business models.

5. Operational and Supervisory Implications

The operationalization of these updates requires CASPs to:

• Evaluate their service footprints in host Member States to determine CCP obligations.
• Allocate resources to establish CCPs where required, including hiring dedicated compliance personnel and investing in AML/CFT technology.
• Engage with host Member States’ authorities proactively to clarify compliance expectations and address potential gaps.

Supervisory authorities in Member States benefit from a streamlined compliance interface, reducing the administrative burden of monitoring decentralized operations. The centralized reporting facilitated by CCPs enhances data accessibility, enabling faster detection and response to AML/CFT risks.

6. Broader Implications for the Crypto-Asset Industry

This update reinforces the EU’s commitment to a secure and transparent crypto-asset ecosystem. By holding CASPs to the same high standards as traditional financial institutions, the EBA aims to enhance the sector’s credibility while mitigating systemic risks. For CASPs, these measures signal the importance of embedding compliance into their operational frameworks, paving the way for long-term growth and legitimacy.

EBA’s Update on CASPs under 4MLD

Key Milestones:

1. December 4, 2024: EBA released draft Regulatory Technical Standards (RTS) for public consultation.
2. January 16, 2025: Virtual public hearing to discuss the RTS.
3. February 4, 2025: Deadline for public feedback on the draft RTS.
4. Q2 2025: Finalized RTS to be published.
5. December 30, 2024: Regulation (EU) 2023/1113 comes into effect, extending 4MLD to CASPs.
6. July 1, 2026: Transitional deadline for CASPs operating under existing frameworks to comply with MiCAR or receive new authorization.

4MLD: Impact of the Update

This update significantly impacts CASPs, EMIs, and PSPs:

• Institutions Affected: CASPs must now meet strict AML/CFT compliance standards, which were previously not uniformly applied to the sector. PSPs and EMIs remain under similar obligations, with minor procedural changes.
• Operational Adjustments: CASPs must establish CCPs where required, incurring costs for compliance infrastructure and potential operational delays during the transition.
• Regulatory Supervision: Local authorities gain a centralized point of contact, improving AML/CFT oversight and enforcement in cross-border scenarios.

Action Points for Institutions:

To comply with the updated 4MLD requirements, crypto-asset service providers (CASPs) must prioritize the following actions:

1. Assess Compliance Obligations

• Evaluate Service Footprints: CASPs must determine if their operations in host Member States meet the €3 million annual activity threshold that mandates CCP appointment.
• Risk Assessment: Institutions should conduct thorough AML/CFT risk assessments to identify vulnerabilities in their business models, including the use of decentralized platforms and self-hosted wallets.

2. Appoint Central Contact Points (CCPs)

• Criteria for Appointment: Identify and appoint CCPs based on the scale and scope of activities in host Member States, ensuring adherence to the thresholds and risk factors outlined in the updated RTS.
• Operational Role: Ensure CCPs are equipped to handle responsibilities, including:
  • Facilitating AML/CFT policy development.
  • Communicating with local regulatory authorities.
  • Overseeing compliance at operational levels.
• Resource Allocation: Allocate adequate resources, including personnel and technological tools, to support CCP functions effectively.

3. Strengthen AML/CFT Frameworks

• Policy Updates: Revise internal policies to align with host Member State requirements and EU-wide standards under 4MLD.
• Transaction Monitoring: Implement enhanced measures to trace and monitor transactions, particularly those involving high-risk jurisdictions or large volumes.
• Customer Due Diligence: Conduct rigorous due diligence for new and existing clients, focusing on risk-based evaluations.

4. Enhance Communication with Regulators

• Proactive Engagement: Establish regular communication channels with host Member States’ competent authorities and Financial Intelligence Units (FIUs) to ensure timely compliance reporting.
• Reporting Mechanisms: Develop robust systems for responding to regulatory inquiries and providing periodic updates on compliance status.

Future Trends

The regulatory landscape for CASPs is poised for further evolution. The forthcoming EU AML Authority (AMLA), set to assume oversight in 2026, may refine these standards further. Meanwhile, the integration of blockchain’s traceability potential with AML/CFT mechanisms could enhance compliance effectiveness.

In conclusion, this update marks a critical step in harmonizing crypto-asset regulation under the 4MLD framework. It balances the need for regulatory clarity with the dynamic nature of crypto services, reinforcing the EU's commitment to combating financial crime. As crypto-assets gain mainstream acceptance, CASPs must adapt to these standards to ensure their legitimacy and compliance within the global financial ecosystem.