AMLD 5 and the EU May 2020 AML/CFT Action Plan – where do crypto assets fit into the emerging landscape?

AMLD 5 was published in the Official Journal of the EU on 19 June 2018 and called upon EU member states to transpose it by 10 January 2020. As the name would imply, it is the fifth iteration of the AML directive that was first introduced by the EU in 1991. It is, however, the first to mention and regulate “Virtual Currency”^[1] service providers.

In addition to AMLD 5 and AMLD 6^[2] (which will come into force on 3 December 2020 and inter alia introduces a unified list of predicate offences, criminal liability for organisations and increased international co-operation), there is also a growing amount of guidance in the EU that relates to AML and crypto assets.^[3] This year alone will mark the beginning of operations for the European Public Prosecutor’s Office, an audit of the effectiveness of the EU’s efforts to combat money laundering in the banking sector by the European Court of Auditors,^[4] and a plan for a revised AML landscape, which is discussed in the 7 May 2020 Communication from the European Commission (EC) on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing (C(2020) 2800 final) (“Action Plan”). The following six pillars of the Action Plan have brought together the piecemeal calls for creating a coordination and support mechanism for the cross-border work of FIUs^[5] and for conferring certain supervisory Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) powers to an EU watchdog^[6]:

Ensuring the effective implementation of the existing AML/CFT framework;
Establishing an EU single rule book on AML/CFT;
Bringing about EU level AML/CFT supervision;
Establishing a support and cooperation mechanism for FIUs;
Enforcing Union-level criminal law provisions and information exchange;
Strengthening the international dimension of the EU AML/CFT framework.

This blog piece will briefly focus on AMLD 5 and some of its provisions on crypto assets, before moving on to how the AML regulation of crypto assets fits into the Action Plan.

A. AMLD 5 and Virtual Currency Service Providers

Recital 9 of AMLD 5 states that “[t]he anonymity of virtual currencies allows their potential misuse for criminal purposes.” AMLD 5 paves the road to transparency by regulating two kinds of service providers:

“[P]roviders engaged in exchange services between virtual currencies and fiat currencies” (virtual currency exchanges)
Custodian wallet providers, which means “an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.”

Just like the other “obliged entities”^[7]listed in AMLD 5 and AMLD 4,^[8] the AML/CFT and know your customer (KYC) / customer due diligence (CDD) duties^[9] fall on the person providing the virtual currency service. More specifically, these providers are “gatekeepers” of the points where fiat currencies are commonly converted into virtual currencies or where virtual currencies are converted into fiat currencies (e.g. virtual currency exchanges). Custodian wallet providers and virtual currency exchanges must now be registered with each EU member state’s competent authorities, such as Germany’s BaFin^[10]or France’s Autorité des marchés financiers (AMF).^[11]

B. Virtual Currency Exchanges

The following overview of how fiat currency enters and exists the virtual currency system through exchanges illustrates both the benefits and the shortcomings of AMLD 5.

Under AMLD 5 a virtual currency exchange is an “obliged entity” and will be required to perform extensive KYC and CDD procedures when establishing a business relationship. In practice this would mean collecting and verifying a customer’s means of identification (both private individuals and corporate entities)—including government-issued identity cards or passports, phone numbers, physical address, email address, and/or a utility bill. A customer may also be asked to declare their virtual currency addresses, source of funds and wealth, account numbers, IP address, or location information, which would facilitate the linking of virtual currency wallet addresses to the beneficial owners and in turn clamping down on the use of anonymous addresses on virtual currency exchanges. Ongoing CDD may also be warranted.^[12]
Once a person has successfully opened an account, they can use fiat or virtual currency to buy other virtual currencies. Reading AMLD 5 at face value would suggest that a virtual currency-only exchange, which provides the means for exchanging one virtual currency for another, would not be subject to AMLD 5 as its customers will buy and sell virtual currency—not fiat. These virtual currency exchanges usually require that their customers fund their accounts by depositing virtual currency into the pooled exchange wallet. The exchange will therefore be acting as a custodial wallet—an obliged entity—by safeguarding customers’ private keys in its exchange wallet.^[13] Without regulation, money launderers could easily abuse of this stage and use it as the “placement” stage of money laundering^[14]—where illicit proceeds enter the financial system. However, it is equally likely that virtual currency-only exchanges would be used at the “layering stage”, which is described in the following paragraph. Here, AMLD 5 is trying to stop “terrorist groups [that] may be able to transfer money into the Union financial system or within virtual currency networks by concealing transfers or by benefiting from a certain degree of anonymity on those platforms”.^[15]
A trace is created when virtual currency is purchased on a fiat-to-virtual currency exchange with CDD processes. Money launderers would then seek for ways to hide their trail. The virtual currency’s audit trail can be obfuscated through mixing/tumbling anonymity-enhancing services or CoinJoin.^[16] AMLD 5 does not include providers of tumbler or mixer services as obliged entities.^[17] Once the virtual currency wallet address is tumbled, a money launderer could then exchange the virtual currency bought on exchange 1 for a privacy virtual currency or virtual currency with privacy features (e.g. Zcash (ZEC), Monero (XMR), Dash (DASH), Beam (BEAM)^[18])^[19] on exchange 2. Given that, according to the EU Parliament report published in April 2020 (“EU Parliament Report”),^[20] illegal users tend to prefer mixers and tumblers, then it is likely that such privacy-enhancing coins would be used as an added layer of concealment. A person could also make off-chain transactions or exchange their tumbled virtual currency on exchanges based in jurisdictions without AML laws. Comparing this process to traditional money laundering, this would be the “layering stage”—to separate the illicit money from its source.
Finally, the virtual currency denominated illicit proceeds would then “exit” the system for “integration”^[21]into the legitimate economy. This could be done through means such as: (a) exchanges, which would leave a trail; (b) by transferring the virtual currency onto a hardware wallet, which is not regulated by AMLD 5, and simply giving the hardware wallet to someone in exchange for money; (c) through virtual currency ATMs,^[22] if the ATM does not require any KYC; or (d) by making purchases with virtual currencies.

C. Virtual Currency Custodian Wallet Providers

Wallet addresses (similar to an IBAN in bank transfers) and virtual currency transaction IDs (e.g. dates, values, counterparties) are publicly visible on a blockchain, but the owners of the virtual currency are not. This is what AMLD 5 sets out to prevent. At any given moment, a virtual currency is attached to a wallet address on the blockchain, which has a private key. private keys are long hexadecimal codes known only to the wallet holder and must match with a public key in order to make a virtual currency transfer.^[23] a virtual currency transfer is like a message broadcasted to the network that is signed by the private key, which must match the public address of the wallet the virtual currency will be assigned to. A node will pick this message and verify the transaction by matching the public key with the private key, passing it on to other nodes until the whole network “knows” it and either accepts the validity of the transaction or rejects it. If the public and private keys do match, the balance in a wallet will increase or decrease accordingly. This illustrates the importance of bringing wallet providers within the scope of AMLD 5, as wallet addresses are “pseudonymous” — as they do not, in themselves, reveal the identity of the owner —and CDD helps in linking the real-world identity behind the wallet with the wallet address itself. AMLD 5 therefore requires virtual currency custodian wallet providers to comply with its regulatory framework.

Wallets can be both “hot” (online/connected to the internet) or “cold” (offline) wallets. For virtual currency custodian wallet providers, the crucial element is custodianship. a virtual currency wallet provider wondering whether there is a duty to comply with AMLD 5 would begin by asking whether they “safeguard” private cryptographic keys. While most providers of virtual currency wallets offer their customers wallets in which their private key is stored,^[24] virtual currency wallet providers could be “non-custodian”—and therefore fall outside the scope of AMLD 5—if they do not control or have access to the private keys and merely provide users with the means to store their private keys themselves. In short, the responsibility of safeguarding private keys is the owner’s own responsibility. This could be the case with the mere provision of a virtual currency hardware wallet e.g. USB stick or software that runs on a user’s hardware. EU member states are of course free to further elaborate on the definition of a “custodian”^[25] or perhaps prescribe minimum standards for cyber security to be complied with when offering custodial wallet services for virtual currencies.^[26]

D. The EU AML Action Plan and AMLD 5 shortcomings

Both the EBA in its February 2020 Consultation Paper on revised guidelines on ML/FT risk factors and the EC, in its 24 July 2019 supranational risk assessment,^[27] have identified shortcomings with AMLD 5.

A commentary on the gaps left by AMLD 5 is worthy of a blog post in its own right, but here we will briefly analyse the Action Plan from the perspective of the crypto asset AML/CFT framework.

Pillar 1 of the Action Plan: Ensuring the effective implementation of the existing EU AML/CFT framework.

Challenge(s): While AMLD 5 has brought about a more harmonized framework, not all EU member states have transposed it into national law and will consequently face infringement proceedings by the European Commission. As of 5 June 2020, 4 countries have not notified the EC about whether AMLD 5 has been transposed into their legislation.^[28]

While the Action Plan explicitly identifies shell companies, golden visas and citizenship schemes as risks, the EC has also separately identified the following gaps in its 24 July 2019 supranational risk assessment:^[29] (i) custodian wallet providers that do not safeguard keys on behalf of their customers; (ii) virtual asset to virtual asset exchanges; and (iii) ‘participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset’. These topics will be discussed in Pillar 2 below, but we can expect to see a deeper analysis of crypto assets in the 2021 supranational risk assessment. The fact that the study of the application of AMLD 4 in EU member states will only be completed by mid-2021 indicates that more resources may be needed in identifying implementation challenges as they emerge rather than ex post facto.

Next steps: The EU’s rationale is that common rules need a common supervisor. This is where the EBA steps in. Regulation (EU) 2019/2175 made the EBA the sole competent authority to carry out the tasks to “lead, coordinate and monitor” the AML/CFT efforts of all EU financial services providers and competent authorities.^[30] The EBA’s first report^[31] after this increase in powers does not refer to crypto assets, even though it discusses crypto assets in its 5 February 2020 Consultation Paper on revised guidelines on ML/FT risk factors.

Pillar 2: Establishing an EU single rule book on AML/CFT.

Challenge(s): A lack of harmonised legislation allows for regulatory arbitrage and deters cooperation, which is clear in the area of AML. While AMLD 5 has attempted to harmonise certain areas of AML processes with respect to crypto assets (certainly not the term “virtual currencies”, which outside AMLD 5 is often referred to as crypto assets), it has inter alia left gaps with respect to: (i) crypto-to-crypto exchanges; (ii) arranging, advising or benefiting from ‘initial coin offerings’ (ICOs); and (iii) decentralised systems, where users can engage in peer-to-peer transactions without intermediaries.

Crypto-to-crypto exchanges. See “B.” above.
Those who issue and sell crypto assets are at first glance not listed as obliged entities under AMLD 5. ICOs that are not listed on exchanges and conduct little to no KYC on buyers may allow criminals to swap virtual currency that originated from illicit activity or “tumbled” virtual currencies for freshly-minted tokens that can then be sold for fiat currency. Mining coins is also another way that criminals, through front men, can gain a hold of coins without a “tainted” history. The benefit of “clean” or freshly minted coins is that they will not be flagged by the transaction monitoring services mentioned in Pillar 4 below.
AMLD 5 does not mention trading platforms that allow peer-to-peer transactions, which was mentioned in the EBA 5 February 2020 Consultation Paper. A decentralised exchange is a crypto asset exchange that allows for peer-to-peer trading and operates without a supervisor and without a central wallet, thereby allowing users to retain ownership of their private cryptographic keys. Atomic swaps are also a form of peer-to-peer transfers across different blockchains that allows users to exchange digital tokens without them ever being transferred to an intermediary. Decentralised systems are trickier to regulate from an AML/CFT perspective for the simple reason there is no intermediary per se to regulate. In a report by RUSI, a defence and security think-tank in the UK, the challenges of decentralised systems are described as follows:

Some P2P exchanges are akin to a forum where buyers and sellers come together, with the added benefit of an escrow facility to prevent scams. Other exchanges operate on the basis of (self-executable) smart contracts and are often known as decentralised exchanges. In its most ambitious manifestation, a P2P exchange can be maintained by a dispersed community of users and therefore be highly resistant to attempts at regulating or closing it down. This can be potentially achieved through the use of a decentralised application (DApp), a software programme based on smart contracts.
_{^{From Intention to Action: Next Steps in Preventing Criminal Abuse of Cryptocurrency, Anton Moiseienko and Kayla Izenman, Occasional Papers, 10 September 2019, p. 16}}

Targeting obliged “centralised” entities or intermediaries is at the heart of EU AML legislation and it therefore struggles to regulate structures that do not fit into this mould e.g. peer-to-peer exchanges. Trying to regulate elements of the blockchain (e.g. a mining pool or nodes)^[32] would be challenging, even though the EU Parliament has explored in a report published in April 2020 (“EU Parliament Report”) the idea of regulating those who provide or are involved in the technology, miners and coin inventors.^[33] Discussion is also increasing around user registration for all activities^[34] and coin blacklisting.^[35] However, with respect to coin inventors, it is arguable that to put the onus of AML duties on those who merely provide technological tools would re-shape EU AML law as we know it. Further, it would go against AMLD 5 Recital 8, which suggests “a balanced and proportional approach, safeguarding technical advances and the high degree of transparency attained in the field of alternative finance and social entrepreneurship”.

Next steps: Further reflection is required on what to do as the technology used by criminals outpaces the legislation (e.g. “crypto dusting” is a type of blockchain spam that sends digital tokens to a large group of addresses and thereby taints addresses by making them transact with mixers without their consent). The 2018 study commissioned by the European Parliament states that:

[B]ecause the emphasis of regulatory regimes to date has been on placing oversight where users interact with centralised third-party gatekeepers, it remains unclear whether the regulatory regime as set out in the 5AMLD will remain relevant in the face of a growing range of DEXs, atomic swaps and other P2P applications that may sit outside the historical paradigm of the AML/CFT regime.
_{^{European Parliament, Virtual currencies and terrorist financing: assessing the risks and evaluating responses, p. 42}}

Two years on, this is still true. As the national laws of EU Member States set forth more stringent criteria than AMLD 5, discussions will intensify on an EU regulation.^[36] If it is challenging to establish uniformity in the area of virtual currencies alone, then further challenges are sure to lie ahead with establishing an EU single rule book on AML/CFT.

Pillar 3: Bringing about EU level AML/CFT supervision.

Challenge(s): national authorities very often operate in siloes, which works to the advantage of cross-border financial crime. The EU has therefore introduced the idea of an EU-level supervisor to increase compliance with the rules.

Next steps: The Action Plan describes the role of the new EU-level supervisor as:

[D]esigned in such a manner that ensures it has the necessary AML/CFT competences, investigative capacity and powers, and decision making structure to implement rules more effectively and act in a preventive way whenever suspicions arise to ensure effective application of the single rulebook.^[37]

The Action Plan introduces two options for doing this: 1. directly supervising all of the financial industry while supervising the non-financial industry indirectly; or 2. overseeing financial institutions only. To only regulate one sector would create asymmetrical results, cutting against one of the core principles driving the impetus for EU regulation in this area—combatting the patchwork application of the law. This pillar would also benefit from:

being more interlinked to the General Data Protection Regulation (EU) 2016/679 (GDPR) and anti-corruption/bribery.
increased focus on the use of regulatory technology (RegTech) for compliance with regulations within the financial and FinTech industries. For example, most KYC processes require individuals to provide personal data for identity verification. However, since the GDPR came into force, FinTech companies have been forced to create new mechanisms for storing and processing such personal data. Under the coordination of the ECB, the European System of Central Banks (ESCB) and the EUROchain research network has set up a proof of concept for a central bank digital currency that would offer some anonymity (i.e. the option to keep a user’s identity and transaction history hidden) between central banks and users, while also monitoring the transactions and automating limits on anonymous transactions to help intercept tax evasion, offshore accounts, money laundering, accounting tricks, and the movement of unclean money. Technical solutions like these help with GDPR and AMLD 5 compliance while also limiting anonymity, a key objective of AMLD 5. Further it helps reduce the repetitive and costly processes associated with CDD/KYC.

This pillar could benefit from a greater stricter delineation between the supervisor’s role and the EBA’s new role, otherwise there might be confusion between this pillar and Pillar 1. It could also benefit from justification for bestowing a supervisor with enforcement powers and tools e.g. asset freezes, as discussed in pillar 5 below. There should also be further consideration about how the use of technology can benefit this process, in-keeping with the European Commission 8 March 2018 FinTech Action Plan, COM(2018) 109 final.

Pillar 4: Establishing a support and cooperation mechanism for Financial Intelligence Units (FIUs).

Challenge(s): this pillar focuses on cross-border cooperation and coordinating national FIUs to ensure that the analysis of suspicious transaction reports are viewed with a trans-national lens. Investigating money laundering cases from the national perspective alone tends to obscure the full picture. This is also true for crypto assets and is why, in order to counteract anonymity, “competent authorities should be able, through obliged entities, to monitor the use of virtual currencies.”^[38]

AMLD 5 seeks to enable FIUs “to obtain information allowing them to associate virtual currency addresses to the identity of the owner of virtual currency.”^[39] Interestingly, AMLD 5 acknowledges that “a certain degree of a large part of the virtual currency environment will remain anonymous because users can also transact without such providers [crypto asset exchanges and custodian wallet providers]”.

The Action Plan mentions that FIUs still lack the necessary IT tools to effectively process and analyse information. Much like pillar 3, pillar 4 could also benefit from a further use of technology to track feedback and analyse suspicious transaction reports on the transnational level. The Action Plan proposes to do this inter alia by bolstering the capabilities of FIU.net and transferring its technical management from Europol to the European Commission.

Next steps: the EU should also consider available IT tools in the crypto asset sector. The Action Plan highlights the role of the private sector in AML/CFT. Investigations relating to crypto assets are often supported by private companies (e.g. Chainalysis, Elliptic, CipherTrace) who provide “Know your transaction” monitoring services and forensic tools. This enables companies to see how many funds have moved from one wallet to another and monitor transactions executed by their customers to help flag any potential suspicious or unusual transactions. Shapeshift, a decentralised exchange, published a blog post in 2019 describing how it handles law enforcement compliance requests.^[40] Interestingly, half of the requests it received in 2019 were by EU member states. Even on the U.S. centralised exchange, Kraken, EU member states account for about one quarter of requests.^[41] Both the number of requests and the fact that exchanges publish such information pertaining to requests indicate that the crypto asset world is starting to think more seriously about law enforcement. In turn, the EU should find ways of integrating this into the support and cooperation mechanism for FIUs.

Pillar 5: Enforcing Union-level criminal law provisions and information exchange.

Challenge(s): effective implementation cannot be achieved without effective enforcement. While handing such powers to bodies at the supranational level raises questions about the continued power of Member States to exclusively legislate criminal laws—traditionally a hallmark of a sovereign State—the principle of subsidiarity in Article 5(3) of the Treaty on European Union (TEU) allows the EU to act in areas which do not fall within its exclusive competence if it can be better achieved at the EU level. When it comes to the area of crypto assets, the EU has certainly begun to demonstrate that some enforcement actions necessitate transnational coordination—most notably through the EU Agency for Law Enforcement Cooperation (Europol) and European Agency for Criminal Justice Cooperation (formerly Eurojust^[42]). This is likely to be further improved with the new established European Economic and Financial Crimes Centre set up within Europol, which is currently focusing on sectors susceptible to fraud relating to the Covid-19 Pandemic e.g. medical equipment and subsidies. Due to the nature of cross-border crime, these agencies also co-operate with each other, including with the European Judicial Network and OLAF. A recent example is enforcement action against a criminal network which committed large-scale international fraud through the sale of Bitcoin and other virtual currencies. In 30 January 2020, Eurojust worked with French and Belgian authorities, with the support of Europol and European Investigation Orders.^[43]

Article 86 of the Treaty on the Functioning of the European Union (TFEU) introduced the European Public Prosecutor’s Office (EPPO) to combat crimes affecting the financial interests of the EU. When the EPPO becomes operational at the end of 2020, it will act as the EU’s independent and decentralised prosecution office, with the competence to investigate, prosecute and bring to judgment crimes against the EU budget, such as fraud, corruption or money laundering as defined in AMLD 4.

More legislative tools are set to populate the landscape. Directive (EU) 2019/1153, which will be transposed by EU member states on 1 August 2021, lays down measures to facilitate access to and the use of financial & bank account information by competent authorities for the prevention, detection, investigation or prosecution of serious criminal offences and facilitates access to FIUs by law enforcement. On 19 December 2020, Regulation (EU) 2018/1805 of the European Parliament and of the Council of 14 November 2018 on the mutual recognition of freezing orders and confiscation orders will enter into force. In the area of crypto assets, authorities will also have to grapple with what to do when wallets are frozen or virtual currencies are seized. The December 2019 Eurojust “Cybercrime Judicial Monitor” report – Issue 5, which is based on information provided by the European Judicial Cybercrime Network, states that “[m]ost countries do not have any specific (criminal) legal provisions on virtual currencies, and apply general provisions of criminal law on seizure and asset recovery or anti-money laundering and terrorism financing laws.” In most countries, the seized virtual currencies are transferred to law enforcement authority wallets. In Ireland, the independent auctioneer “Wilsons Auctions” has hosted several cryptocurrency auctions^[44]and on 24 March 2020 Wilsons Auctions Ireland was scheduled to help Belgium sell over EUR 110,000 worth of Bitcoin and cryptocurrency seized by the Belgian government.^[45]This could indicate a future trend for the rest of Europe.

Next steps: this pillar could benefit from a greater emphasis on the notion of coordination of enforcement actions, by including more detailed references to the workings of the EPPO, Europol and Eurojust.

Pillar 6: Strengthening the international dimension of the EU AML/CFT framework.

Challenge(s): there are currently discrepancies between standards set by the EU and FATF. For example, high-risk third countries which require enhanced CDD under AMLD 4 & 5 or the gap left by AMLD 5 with respect to decentralised systems, where users can transact without intermediaries. In this respect, the Financial Action Task Force (FATF) issued Recommendations which are more robust. The EC and 14 out of 27 EU member states that also form part of FATF will be subject to a 12-month review and have to show progress in implementing the travel rule (described below) at the FATF plenary meeting announced for 24 June 2020. Converging the EU and FATF efforts therefore makes practical sense and the importance of building the international dimension is further demonstrated by the challenges that are sure to arise once the UK’s Brexit transition period ends on 31 December, 2020—particularly in relation to judicial cooperation,^[46] law enforcement and the exchange of information.

Next steps: while the EU could have used the opportunity to fully embrace the FATF grey and black lists, the EU has instead updated its methodology for identifying high-risk third countries^[47] to be more in line with the FATF lists.

With respect to crypto assets, on 21 June 2019 FATF adopted the Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (“2019 Guidance”) and an Interpretive Note to Recommendation 15 on New Technologies (INR 15).^[48] INR 15 describes binding measures applicable to countries and VA service providers (VASPs), as well as other obliged entities that engage in or provide VA products and services. AMLD 5 is not as stringent as the FATF 2019 Guidance and INR 15. While VASPs are broader than AMLD 5’s list of obliged entities (VASPs include crypto-to-crypto exchanges; transfer of VAs; safekeeping of VAs; and activities related to issuing or underwriting VAs), the biggest divergence from AMLD 5 is INR 15 paragraph 7(b) R16, which states that “[c]ountries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information” in order to identify and report suspicious transactions and that all other requirements set forth in Recommendation 16 apply to VASPs. Previously, Recommendation 16—the “travel rule”—did not apply to VASPs and only imposed the requirement on financial institutions to collect and transmit information about the originator and the beneficiary of a wire transfer transaction to other financial institutions. The 2019 Guidance^[49]describes the information that needs to be collected on the originator and beneficiary. At present, it is technically difficult to pass on originator and beneficiary data, which is why FATF states it is “not necessary for the information to be attached directly to the VA transfer itself”.

While VASPs are therefore subjected to the same AML/CFT obligations as traditional financial service providers, systems which can assist in complying with the respective duties are only beginning to develop.^[50] Finally, while the “travel rule” requires VASPs to gather data on both the recipient and the sender, as well as liaising with other VASPs, AMLD 5 merely requires record-keeping and the submission of data to FIUs upon request.

Conclusion

The EU is moving closer towards supranational harmonisation of financial crime, prompted in part by several high-profile money laundering scandals involving European banks. The EU is testing the waters with its AML Action Plan and its stricter approach to AML/CFT supervision. But this is not just an opportunity to reflect on past shortcomings, but a chance to consolidate the EU’s previously piecemeal approach and move forward with synergies e.g. linking this AML/CFT Action Plan to the 2018 Fintech Action Plan. Crypto assets and blockchain give the EU the chance to move forward on two important streams: technological innovation and understanding new ways in which technology can be abused by criminals.

Kristina Miggiani graduated from Harvard Law School (LL.M.) and from the University of Malta (LL.B., LL.D.). She specialises in financial crime and has a deep interest in RegTech.

[1] According to Article 1(2)(d) AMLD 5 amending Article 3(18) AMLD 4, virtual currencies are:

A digital representation of value that is not issued or guaranteed by a central bank or a public authority (e.g. proposed Swedish e-Krona would not be a virtual currency within the meaning of AMLD 5);
Not necessarily attached to a legally established currency (virtual currencies can be pegged to external references such as fiat currencies, commodities with a fixed exchange rate system, underlying assets or even virtual currencies). These are referred to as “stablecoins”);
Does not possess a legal status of currency or money (e.g. electronic money);
Accepted by natural or legal persons as a means of exchange and which can be transferred, stored, and traded electronically.

To be classified as a virtual currency, the token must be accepted as a means of exchange, have the technical capability of being “transferred” (from one Blockchain user to another), “stored” (e.g. in a wallet) and “traded electronically” (on virtual currency exchanges and in virtual currency markets)—this would exclude tokens with a “lockup” mechanism, which restricts their transfer. While Recital 10 of AMLD 5 states that virtual currencies “could also be used for other purposes and find broader applications such as means of exchange, investment, store-of-value products or use in online casinos” the definition in Article (1) (2) (d) does not provide for this and in this respect is narrower than the FATF definition of “virtual assets” which covers investment tokens, utility tokens or in-game currencies.

[2] AMLD 6 (Sixth Anti-money Laundering Directive) is the 2018/1673 Directive of the European Union and was adopted in 12 November 2018 and must be implemented by EU member states by no later than 3 December 2020. It does not add anything new to the topic of VCs, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32018L1673&from=EN

[3] Such as the guidance published by ESMA, the EBA and European Insurance and Occupational Pensions Authority (EIOPA) e.g.16 December 2019 Final Report on Joint guidelines on cooperation and information exchange for the purpose of Directive (EU) 2015/849 between competent authorities supervising credit and financial institutions, https://www.esma.europa.eu/sites/default/files/library/joint_guidelines_on_cooperation_and_information_exchange_on_aml_-_cft.pdf

[4] See Audit Preview (June 2020), The EU’s AML policy in the banking sector: https://www.eca.europa.eu/Lists/ECADocuments/AP20_05/AP_anti-money-laundering_EN.pdf.

[5] See para. 17 of the 5 December 2019 Council conclusions on strategic priorities on AML/CFT, as adopted by the Council (ECOFIN).

[6] ibid, para. 20. See also the EU Parliament Report, pp. 58 – 59. See: https://www.euractiv.com/section/economy-jobs/news/commission-proposes-pan-european-authority-to-fight-against-dirty-money/

[7] See Article 2(1) of AMLD 4.

[8] 4th Anti-Money Laundering Directive (2015/849/EU).

[9] As AMLD 5 is a minimum harmonisation directive, it is up to EU member states to determine whether all transactions—whether occasional or part of an ongoing business relationship—will need to be subject to CDD. This could include identifying the customer and verifying their identity and the veracity of the information provided. See Articles 11 and 13 of AMLD 4.

[10] See: https://www.bafin.de/EN/Aufsicht/FinTech/VirtualCurrency/virtual_currency_node_en.html

[11] Article 1(29) of AMLD 5 amending Article 47(1) AMLD 4.

[12] Article 1(9)(b) of AMLD 5, updating Article 14(5) of AMLD 4.

[13] Exchanges do not always have their own wallet and sometimes hold private keys in addition to the wallet services provider. This is the case with multi-signature wallets. See, for example, BitGo’s terms and conditions, which states that BitGo controls only one of the three private keys for a “Digital Asset” wallet provided by the service: https://www.bitgo.com/terms

[14] See: https://www.fatf-gafi.org/publications/virtualassets/documents/virtual-assets.html?hf=10&b=0&s=desc(fatf_releasedate)

[15] Recital 8, AMLD 5.

[16] The Wasabi Wallet uses CoinJoin, which is a non-custodial, privacy-focused Bitcoin wallet, that implements trustless coin shuffling. For more information on CoinJoin, see: https://www.investopedia.com/terms/c/coinjoin.asp

[17] According to Europol, more than fourty percent of online transactions used Bitcoin, virtual currency mixers, and tumblers for illegal ends. See European Monitoring Centre for Drugs and Drug Addiction and Europol (2017), Drugs and the darknet: Perspectives for enforcement, research and policy, EMCDDA–Europol Joint publications, Publications, Office of the European Union, Luxembourg.

[18] Beam is based on the confidential transaction protocol MimbleWimble and has a transaction auditability feature: https://beam.mw/faq/what-is-auditability

[19] EU officials have discussed the following crypto assets, making a distinction between optional anonymous coins (e.g. Dash), pseudo-anonymous coins (e.g. NEO’s Gas, IOTA, Ada, Bitcoin and Lumens) and anonymous coins (e.g. Monero): Monero is an anonymous crypto asset due to its use of ring confidential transactions and stealth addresses that ensure there are no links on the blockchain between the sender’s and the recipient’s address, as well as its ease of convertibility to any major virtual currency. It describes Dash as having a privacy option through the presence of PrivateSend, which obscures the origins of a user’s funds through mixing. Interestingly, it does not mention Zcash.

[20] April 2020 EU Parliament Report Requested by the ECON committee, “Crypto-assets: Key developments, regulatory concerns and responses”, p. 28. Available at: https://www.europarl.europa.eu/RegData/etudes/STUD/2020/648779/IPOL_STU(2020)648779_EN.pdf

[21] The Italian National Council of Notaries has advised notaries to make suspicious transaction reports for every real estate purchase with virtual currencies. See Quesito Antiriciclaggio n. 3-2018/B, Consiglio Nazionale del Notariato (13 March, 2018), http://www.dirittobancario.it/sites/default/files/allegati/quesito_antiriciclaggio_n._3- 2018-b.pdf

[22] See p. 51 of the 2018 study commissioned by the European Parliament, “Virtual currencies and terrorist financing: assessing the risks and evaluating responses”, https://www.europarl.europa.eu/RegData/etudes/STUD/2018/604970/IPOL_STU(2018)604970_EN.pdf. Dutch law has differentiated between providers of physical ATMs that offer exchange services and shop owners who only make such ATMs available. See the Explanatory Memorandum to the Act Implementing Amendments to the Fourth Anti-Money Laundering Directive (AMLD 5 Implementation Act), https://www.rijksoverheid.nl/documenten/kamerstukken/2019/07/02/memorie-van-toelichting-implementatiewet-wijziging-vierde-anti-witwasrichtlijn. In Germany, these ATMs are considered as companies conducting “cross-border proprietary trading” since virtual assets are considered as financial instruments: https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Verbrauchermitteilung/unerlaubte/2020/meldung_200304_KKT_UG_Berlin_en.html

[23] See the following for an explanation: https://medium.com/coinmonks/blockchain-public-private-key-cryptography-in-a-nutshell-b7776e475e7c

[24] Additionally, custodian wallet providers are beginning to enhance the appeal of their services through, for e.g., insurance. They are also developing methods to allow crypto asset owners to stake their assets or exercise governance rights while crypto assets are in custody. See https://www.edisongroup.com/wp-content/uploads/2020/02/Diginexreport270220.pdf

[25] The German Act Implementing the Amending Directive on the Fourth EU Anti-Money Laundering Directive (Gesetz zur Umsetzung der Änderungsrichtlinie zur Vierten EU-Geldwäscherichtlinie) (Federal Law Gazette I of 19 December 20119, p.2602) incorporates “crypto custody business” into the German Banking Act (Kreditwesengesetz – KWG). Germany goes beyond AMLD 5 in Section 1 (1a) sentence 2 no. 6 of the KWG, which defines crypto custody business as providing custody, management and backup services for cryptoassets or for private cryptographic keys which are used to keep, store or transfer cryptoassets for others. This is an activity that must be licensed.

[26] April 2020 EU Parliament Report, pp. 62-64.

[27] See EC, “Commission Staff Working Document accompanying the document Report from the Commission to the European Parliament and the Council on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities”, SWD(2019) 650 final, July 2019, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52019SC0650&from=EN, p. 103.

[28] Available at: https://eur-lex.europa.eu/legal-content/EN/NIM/?uri=CELEX%3A32018L0843

[29] See (n 27).

[30] In 2019, the European legislature consolidated the AML/CFT mandates of the EBA, EIOPA and ESMA within the EBA. It also gave the EBA a legal duty to contribute to preventing the use of the financial system for AML/CFT purposes and to lead, coordinate and monitor the AML/CFT efforts of all EU financial services providers and competent authorities. See: https://eba.europa.eu/sites/default/documents/files/document_library/News%20and%20Press/Press%20Room/Press%20Releases/2020/EBA%20acts%20to%20improve%20AML/CFT%20supervision%20in%20Europe/AML%20CFT%20Factsheet.pdf

[31] EBA report on competent authorities’ approaches to the anti-money laundering and countering the financing of terrorism supervision of banks, EBA/Rep/2020/06

[32] See: https://coinrivet.com/es/enemy-mine-crypto-mining-pools-linked-to-crime-and-terrorism/

[33] April 2020 EU Parliament Report, pp. 53-54.

[34] ibid., p. 58.

[35] ibid., pp. 64-65.

[36] See Action Plan, p. 6. See also para. 18 of 5 December 2019 Council conclusions on strategic priorities on AML/CFT, as adopted by the Council (ECOFIN) at its 3736th meeting held on in Brussels, http://data.consilium.europa.eu/doc/document/ST-14823-2019-INIT/en/pdf. See also 26 February, 2020 “Banking Union – annual report 2019” https://www.europarl.europa.eu/doceo/document/A-9-2020-0026_EN.html. Section 38 of the report “welcomes the joint position paper of 8 November, prepared by several euro area finance ministers, which calls for the harmonisation of the European money laundering and terrorism financing regulatory framework”. On 8 November 2019, the Dutch Minister of Finance sent a joint position paper to the Dutch Parliament regarding the need for a European AML supervisor. The paper was prepared by the Ministers of Finance of Germany, France, Italy, Spain, Latvia and the Netherlands. P. 2 of the joint position paper mentions an AML regulation, as opposed to a directive. See https://www.rijksoverheid.nl/documenten/kamerstukken/2019/11/08/position-paper

[37] Action Plan, p. 4.

[38] Recital 8, AMLD 5.

[39] Recital 9, AMLD 5.

[40] See: https://info.shapeshift.io/blog/2019/01/18/pulling-back-the-curtain-how-shapeshift-handles-law-enforcement-compliance/

[41] See: https://cointelegraph.com/news/law-enforcement-requests-to-kraken-hit-all-time-high-up-49-in-2019

[42] On 12 December 2019, Eurojust became the European Agency for Criminal Justice Cooperation, with Regulation (EU) 2018/1727 as the legal basis.

[43] See: http://www.eurojust.europa.eu/press/PressReleases/Pages/2020/2020-01-30.aspx

[44] See: https://cointelegraph.com/news/belgian-govt-will-sell-125k-of-seized-bitcoin-in-irish-public-auction and https://cointelegraph.com/news/crypto-auctions-where-do-arrested-bitcoins-end-up

[45] See: https://www.wilsonsauctions.com/news/wilsons-auctions-to-host-first-public-cryptocurrency-auction-in-ireland/

[46] See, for e.g., Lorenzo Salazar, “La cooperazione giudiziaria penale nell’Unione ai tempi della Brexit” in Sistema Penale, 10 March 2020 for a detailed discussion on this topic.

[47] See: https://ec.europa.eu/info/sites/info/files/business_economy_euro/banking_and_finance/documents/200507-anti-money-laundering-terrorism-financing-action-plan-methodology_en.pdf

[48] In October 2018, the FATF made changes to its Recommendations to extend its scope to financial activities involving virtual assets, and added “virtual asset” (VA) and VASPs to its glossary.

[49] Para. 114 of FATF (2019), Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, FATF, Paris, www.fatf-gafi.org/publications/fatfrecommendations/documents/Guidance-RBA-virtual-assets.html

[50] For example, CipherTrace’s Travel Rule Information Sharing Architecture (TRISA) makes it easier for companies to comply with the FATF travel rule as it applies public key infrastructure to identify and verify VASPs. See the white paper here: https://ciphertrace.com/wp-content/uploads/2019/08/TRISA-Enabling-FATF-Travel-Rule-V4.pdf. Further, However, privacy coin developers maintain that their protocols can comply with FATF recommendations and the Travel rule since a VASP has done KYC on its customer and can therefore always give information of its transactions with other VASPs.