New EBA guidelines to manage AML risk of crypto-asset service provider activity

EBA guidance amending ML/TF Risk Factors Guidelines to include crypto-asset service providers within its AML framework.

On January 16, 2024, the European Banking Authority (EBA) released its guidelines amending the ML/TF Risk Factors Guidelines (the Guidelines).

The Guidelines aim to extend the scope of the ML/TF Risk Factors Guidelines to crypto-asset service providers (the CASPs). The Guidelines thus help in understanding the money laundering and terrorist financing (ML/TF) risks associated with CASPs and the steps CASPs and other credit and financial institutions should take to manage these risks.

Identifying risks

CASPs are exposed to ML/TF risks due to specific features of their business model and the technology used in their activities, such as:

  • the instant transfer of crypto-assets around the world;
  • the onboarding of customers in different jurisdictions;
  • the offering of products/services that favor the use of anonymity.

Thus, CASPs identify and assess risk factors regarding products, services and transactions, customer, country or geography, and distribution channel. For each category, the Guidelines provide for a list of factors that may contribute to increasing risks or to reducing risks. On this basis, CASPs ensure they have:

  • suitable and effective monitoring tools in place, including transaction monitoring tools and advanced analytics tools, depending on the nature and volume of their activities; and
  • specialized training to enable their relevant employees to have a good understanding of crypto-assets and ML/TF risks to which they may be exposed.

CASPs have to apply customer due diligence (CDD) measures on a risk-based approach. Regarding recordkeeping requirements, where the information on customers and transactions is available on the distributed ledger, CASPs should not place reliance on the distributed ledger for recordkeeping but should take steps to fulfil their recordkeeping responsibilities. They should put in place procedures that allow them to associate the distributed ledger address to a private key controlled by a natural or legal person.

The Guidelines also pertain to credit and financial institutions (the Firms) whose customers provide crypto-asset services, but which are not authorized or regulated in accordance with Regulation (EU) 2023/1114 on markets in crypto-assets (MiCAR).


The Firms must assess ML/TF risks prior to the launch or the significant change of new products, services, business practices, new delivery channels or new innovative technology. Risk factors that may be relevant when identifying the risk associated with a customer’s or a customer’s beneficial owner’s business or professional activity include CASPs, in addition to money service businesses, casinos and dealers in precious metals. In the case of non-face-to-face situations, all firms have to apply Guidelines (EBA/GL/2022/15) on the use of Remote Customer Onboarding Solutions.

When the external provider is established in a non-EU country, or when an unusual transaction is made, specific verifications regarding the legal risks and analysis of the background and purpose of such transactions must be carried out. The Firms adjust the intensity and frequency of monitoring in line with the risk-based approach and use automated transaction monitoring systems and advanced analytics tools, such as distributed ledger or blockchain analytics tools.

The Firms organize staff training to ensure that staff understand how to recognize and proceed with a suspicious or unusual transaction or activity and how to use and interpret the outcomes from advanced analytics tools in addition to the topics previously required.

Due diligence

Regarding the sectoral guideline for retail banks and customer risks factors, banks apply full CDD measures where a bank’s customer opens a ‘pooled/omnibus account’ in order to administer funds or crypto-assets that belong to the customer’s own clients. When entering into a business relationship with a customer who is a CASP other than a CASP regulated under MiCAR, banks carry out the ML/TF risk assessment of such customer prior to establishing a business relationship.

Banks consider the ML/TF risk associated with the specific type of crypto-assets that are provided or serviced by such service provider. Banks mitigate ML/TF risks by way of measures set forth under the Guidelines, such as:

  • entering into a dialog to understand the nature of the business and the ML/TF risks to which it is exposed;
  • verifying the identity of the customer’s beneficial owner;
  • carrying out due diligence on senior management;
  • determining whether the services provided by the customer fall within the scope of the registration or license of the customer, notably where the customer’s business involves issuing crypto-assets to raise funds, such as initial coin offerings.

The Guidelines apply from December 30, 2024, as do the Risk‐Based Supervision Guidelines.

Aurélia Viémont is a partner in the Banking & Finance team; Sarah Hantscher is a managing associate in the Banking & Finance and Insurance practices; Anne Picot-Guillot is a professional support lawyer in CMS Luxembourg Banking & Finance practice; and Mélanie Poirrier is a managing associate in CMS Luxembourg Banking & Finance, Regulatory and Insurance practices.