Yesterday the EU Council announced a provisional agreement with the EU Parliament on parts of the anti-money laundering (AML) package that impacts cryptocurrencies. The European Union has a complex process for passing legislation that involves coordination between the Commission, Parliament, and the EU Council, representing individual state governments.
Last March, the EU Parliament passed a first vote on three pieces of legislation requiring crypto-asset service providers (CASP) to apply the same rules as banks to verify the identity and data about their customers. This impacts transactions of more than €1,000. However, the 2023 text also included NFT platforms and Decentralized Autonomous Organizations (DAOs). That has been dropped. We hope to add further details on self hosted wallets.
We held back on reporting the latest news until we had copies of the relevant clauses.
NFT platforms excluded until MiCA v2
The 2023 parliamentary vote included the MiCAR definition of a crypto-asset service provider, but in addition explicitly included NFT platforms. An entire section on NFT platforms has now been removed.
Instead the clause currently states:
“Article 2 (fb) ‘crypto-asset service provider’ means a crypto-asset service provider as defined in Article 3(1), point (15), of Regulation (EU) 2023/… [please insert reference – proposal for a Regulation on Markets in Crypto-assets, and amending Directive (EU) 2019/1937 – COM/2020/593 final] where performing one or more crypto-asset services as defined in Article 3(1), point (16), of that Regulation, with the exception of providing advice on crypto-assets as referred to in Article 3(1), point (16) (h) of that Regulation;
as well as transfers of crypto assets are defined as in the Article 3, point (10) of Regulation (EU) No 2023/1113 of the European Parliament and of the Council.(transfer of funds regulation).
On NFTs we will have a recital, indicating that the EC will consider inclusion of NFTs in the MICA review report.”
Self hosted wallets
Two parts of the 2023 document relate to self hosted wallets. This legislation covers AML in general, so is about more than just cryptocurrencies. On the face of it, the text below excludes self-hosted wallets but that’s not the case because the legislation applies to service providers. Hence, it precludes service providers from hosting anonymous wallets. The unchanged text currently reads as follows:
Article 58
Para 1 Credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous bank and payment accounts, anonymous passbooks, anonymous safe-deposit boxes or anonymous crypto-asset accounts as well as any account otherwise allowing for the anonymisation of the customer account holder or the increased obfuscation of transactions.
Para 2 Owners and beneficiaries of existing anonymous bank and payment accounts, anonymous passbooks, anonymous safe-deposit boxes or crypto-asset accounts shall be subject to customer due diligence measures before those accounts, passbooks, deposit boxes or crypto-asset accounts are used in any way.
Enhanced due diligence if transactions involve self hosted wallets?
The 2023 Parliamentary document also included a clause that will sometimes require enhanced due diligence (EDD) if one side of the transaction incorporates a self-hosted wallet. So if someone sends crypto from an exchange to a self-hosted wallet or vice-versa. EDD is invasive and goes well beyond verifying identity. It includes questions about sources of funds and wealth.
We have yet to confirm whether the clause below is still included or not. However, the European Banking Authority has already included similar requirements in guidance that implements the ‘Travel Rule’ requiring transfers to carry data about the sender and recipient.
The following 2023 self hosted wallet text has yet to be confirmed:
Amendment (48a)
Self-hosted addresses enable their users to receive, send and exchange crypto-assets across the world, without revealing their identity or being subject to any customer due diligence measures. While transactions recorded on the distributed ledger can be traced back to a particular self-hosted address, it may be very difficult or impossible to link such address to a real person. For that reason, it is possible to misuse self-hosted addresses to conceal criminal activities or circumvent targeted financial sanctions.
In order to manage and mitigate those risks appropriately, crypto-asset service providers should be required to establish, to the extent possible, the identity of the originator or beneficiary of a transaction made from or to a self-hosted address and apply any additional enhanced due diligence measures adequate to the level of risk identified.
Crypto-asset service providers can rely on secure and trusted means of verification performed by third parties. The verification requirement should not be interpreted as implying onboarding the person who owns or controls the self-hosted address as a customer. In order to ensure consistent application of this Regulation, AMLA should develop draft regulatory technical standards to specify, taking into account the latest technological developments, the criteria and means for the identification and verification of the originator or beneficiary of a transaction with a self-hosted address.