Michał Barwicki
The crypto industry in the light of the proposed amendments to the EBA guidelines
The purpose of conducting the so-called risk assessment of an obliged institution, as defined in the AML and Terrorist Financing Law (AML Law), is for obliged institutions to understand how high the risks of money laundering and terrorist financing they are exposed to. With a properly conducted risk assessment, obliged institutions have a real chance to effectively prevent the diagnosed risks. This is particularly relevant for obliged institutions working with entities providing services from the cryptocurrency industry.
Obligations of obliged institutions
Obliged institutions should identify and assess money laundering and terrorist financing risks relating to their activities, taking into account risk factors relating to customers, countries or geographic areas, products, services, transactions or their delivery channels. What’s important, the lack of an analysis of any of the above-mentioned risk factors is considered by the the Polish Financial Supervision Authority (UKNF) – during audit proceedings – as a significant error in the development of the risk assessment methodology by controlled entities.
Obligations of crypto entities and the position of the Polish Financial Supervision Authority
It is worth recalling that, in the current state of the law, crypto industry entities are obliged to obtain an entry in the register of virtual currency activities, which is kept by the Director of the Tax Administration Chamber in Katowice.
This does not stop some crypto companies from ensuring that their activities are conducted under the supervision of the UKNF. For this reason, the UKNF in the official communique of 27 January 2023, reminded that it has no authority to license, register or supervise virtual currency exchanges and exchange offices for virtual currencies. At the same time, it advised exchanges and cryptocurrency exchanges to use the marketing message carefully and not to mislead customers.
European Banking Authority (EBA) guidelines
The need to include crypto-related risks in the risk assessment of obliged institutions is also recognised by the EBA, which on 31 May 2023 published a consultation document on the revision of the EBA/GL/2021/02 guidance of 1 March 2021 on customer due diligence and factors that credit and financial institutions should take into account when assessing the money laundering and terrorist financing risks associated with individual business relationships and occasional transactions. The publication of the document marks the start of a 3-month public consultation on the EBA’s proposed changes to the EBA/GL/2021/02 Guidelines.
New risk factors
The proposed changes include, among others, the addition of new customer risk factors that obliged institutions should take into account in their risk assessments. The EBA has indicated that the conduct of significant activities by a client of a mandatory institution on behalf of or with crypto asset providers based in third countries not subject to EU AML/CFT regulation, or the conduct of activities on behalf of a Crypto Asset Service Provider (CASP) allowing transfers to and from self-hosted addresses is associated with an increased risk of money laundering or terrorist financing. This means that obliged institutions with a customer meeting one of the above criteria should include the relevant risk factor in their risk assessment and give it an appropriate weighting for money laundering or terrorist financing risk. Another proposed risk factor is the circumstance where the owner of the IBAN account maintained by the CASP for the purpose of receiving fiduciary funds from customers is a company other than the CASP.
Assessment of the proposed changes
The above proposed changes to the guidelines are very specific for obliged institutions in terms of ML/FT risk assessment and, when they enter into force, it should be expected that national supervisors will require the risk assessment of obliged institutions to be updated accordingly, taking into account the EBA guidelines.
The EBA’s proposals appear to be consistent with the regulatory trend to regulate the cryptoassets market. It is worth mentioning at this point that a few weeks ago, the European Parliament adopted the Regulation on Cryptocurrency Markets (MiCA), which was analysed in our blog by legal counsel Michał Barwicki in the article “Cryptoassets – upcoming challenges and regulatory revolutions“.