Key Highlights:
- Updated guidelines include crypto asset service providers (CASPs).
- CASPs offering DeFi products, crypto-ATMs, or privacy-focused services (like mixers and privacy coins) are flagged for enhanced due diligence.
- Special attention is required for P2P transfers, anonymous transactions, frequent small transactions (just under EUR 1,000), transfers between two CASPs, and transactions involving privacy coins.
- CASPs must maintain records linking wallet addresses to customers.
- Teams must be trained on crypto risks and blockchain analytics tools.
The European Banking Authority (EBA) has updated its guidelines on how financial institutions assess risks related to money laundering and terrorism financing (ML/TF).
The new rules will take effect on December 30, 2024.
These updates make it easier for organizations to spot red flags: they introduce clearer risk indicators, especially in high-risk areas like customer profiles and certain geographical locations. New rules also focus on transparency and expand the list of risky products and services.
Let’s break it down to understand how you’ll have to change your operations.
How to change your flows based on the EBA guidelines – 2024
Step 1. Update customer risk assessment
- Focus on checking your counterparties — crypto asset service providers (CASPs) and customers involved in decentralized finance (DeFi) or using self-hosted addresses.
- Identify customers with ties to high-risk non-EU countries.
Check the list of high-risk jurisdictions as defined by the EU here.
Step 2. Enhance geographical risk monitoring
- Track ML/TF hotspots — countries with higher ML/TF risks because of crypto activities, unregulated markets, and decentralized platforms.
FATF black & gray lists of countries with weak or non-existent AML/CFT regulations are here.
Step 3. Adjust product/service risk criteria
- Heighten monitoring on CASPs offering decentralized products (DeFi), crypto-ATMs, or self-hosted addresses.
- Watch for crypto products with enhanced anonymity features (e.g., mixers, privacy coins).
A screenshot from GL Vision shows transactions made through Wasabi Wallet, a wallet designed to protect privacy. It mixes several Bitcoin transactions into one, making it harder to trace.
Step 4. Strengthen transaction monitoring
- Monitor high-risk crypto transactions, peer-to-peer (P2P) transfers, and anonymous transfers via decentralized platforms.
- Pay special attention to frequent small transactions — just under EUR 1,000 — that may be used to avoid detection.
- Focus on transactions with unregulated providers, decentralized exchanges, and privacy-enhanced coins.
With GL Entity Explorer, you can find out if your counterparties are regulated, what their domiciled country is, check their licenses (if there are any), and discover if they support privacy coins.
A screenshot from GL Entity Explorer shows data on EnExchanger, an Iranian (1) sanctioned exchange (2) that doesn’t require KYC (3) and allows transactions with privacy coins (4).
- Flag transfers between two CASPs or self-hosted addresses for further due diligence.
- Watch frequent, unexplained, or cross-border transactions.
- Set up proper transaction monitoring systems to track and analyse transactions.
The GL Monitoring tool tracks crypto transactions in real time, using the latest data on hacks and sanctions. It sends alerts for suspicious activity to help you avoid dealing with illegal funds.
Step 5. Apply enhanced due diligence (EDD)
- Ensure all CASPs handling decentralized apps (dApps), DeFi platforms, or self-hosted addresses are subject to EDD.
- Verify:
  - Both customers and beneficial owners, using more than one reliable source to prevent hidden structures
  - The majority shareholders that don’t meet the “beneficial owner” definition
  - Anyone with control over crypto accounts, including those authorized to transfer or manage assets on behalf of customers.
Step 6. Train your team
- At least some employees need to focus on the tech aspects of crypto and the use of blockchain analysis tools.
Need a training program tailored to your needs? Check out GL Compliance Certification. The program is designed to help your team understand blockchain and crypto fundamentals, create compliance structures, and meet regulators’ requirements.
Step 7. Keep detailed records
- Keep records that connect wallets and blockchain addresses to specific customers.
The updated guidelines don’t change the record-retention requirements. Under Directive (EU) 2015/849 on AML, the 5-year retention period still applies. Stick to it.
Yes-No flowchart for compliance with EBA guidelines
Put the guidelines into practice
Imagine that you, as a CASP, receive transaction e7124ca3ea96e28202684e7772fc59a4791d14c270c9e0ea2854efe32208a9de from a new counterparty.
GL Vision screenshot showing the transaction e7124ca3ea96e28202684e7772fc59a4791d14c270c9e0ea2854efe32208a9de
Here is how the flowchart can help you assess the risks using GL tools.
- Start by checking if your counterparty is linked to a high-risk country.
In GL Vision, you can click on the address → entity name. It will redirect you to the Entity Explorer:
GL Entity Explorer screenshot with the entity overview
❌ Vietnam is on FATF’s gray list. It’s a red flag, and enhanced due diligence is needed.
- Is the counterparty involved in DeFi or using self-hosted addresses?
❌ Yes, it is. As you can see in the screenshot above, it is a mixing service. These services typically use self-hosted addresses, which makes it harder to trace the origins or destinations of transactions.
- Is the product or service flagged as high-risk?
❌ Yes, a mixing service is high-risk and requires additional monitoring and stricter checks. That’s why GL labels them with a 69 risk score.
- Is the transaction anonymous or peer-to-peer (P2P)?
❌ Mixing services blend multiple users’ transactions. It increases anonymity, and that’s a red flag.
- Is the entity making frequent small transactions just under EUR 1,000?
✅ No, it doesn’t.
❗️However, note how four out of the five inputs are structured into 4.096 BTC. This is how the mixer works: it divides assets into equal parts for later withdrawal.
- Is the transaction between two CASPs or self-hosted addresses?
✅ It’s not. It’s a transaction between a CASP and a self-hosted address.
So, in this example, the flowchart guides you through assessing the risks of a transaction from a new counterparty using GL tools. We identified several red flags:
- The counterparty is from a risky country (Vietnam)
- It uses self-hosted wallets
- It is a high-risk service
- It blends users’ transactions to increase anonymity.
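As an added example (not code from the page or from Global Ledger), here is a small Python implementation of the yes/no flowchart checks above, combined with the Step 4 monitor for frequent payments just under EUR 1,000 and a check for the equal-denomination input pattern seen in the mixer transaction. The gray-list set, the 10% band under the threshold, the 7-day window and the 75% equal-split ratio are assumptions, and all counterparty data is constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumed subset of the FATF gray list for this example; use the current official list in practice.
FATF_GRAY_LIST = {"Vietnam"}

@dataclass
class Counterparty:
    name: str
    country: str
    entity_type: str                  # e.g. "exchange", "mixer", "defi", "individual"
    self_hosted: bool = False
    supports_privacy_coins: bool = False
    transactions: list = field(default_factory=list)  # (day_number, eur_amount) pairs

def structuring_hits(txs, threshold=1000.0, band=0.10, window=7, min_count=3):
    # Largest cluster of payments in [threshold*(1-band), threshold) that fall within one window of days.
    near = sorted(day for day, amt in txs if threshold * (1 - band) <= amt < threshold)
    best = 0
    for i, start in enumerate(near):
        j = i
        while j < len(near) and near[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best if best >= min_count else 0

def equal_split_ratio(input_amounts, precision=3):
    # Share of inputs that share the most common denomination (mixer-style equal splits).
    if not input_amounts:
        return 0.0
    counts = Counter(round(a, precision) for a in input_amounts)
    return counts.most_common(1)[0][1] / len(input_amounts)

def assess(cp, input_amounts_btc=()):
    # Walk the flowchart questions in order and return the red flags that apply.
    checks = [
        ("high-risk country", cp.country in FATF_GRAY_LIST),
        ("DeFi or self-hosted addresses", cp.entity_type in {"mixer", "defi"} or cp.self_hosted),
        ("high-risk product or service", cp.entity_type == "mixer" or cp.supports_privacy_coins),
        ("anonymity-enhancing transfers", cp.entity_type == "mixer"),
        ("frequent transactions just under EUR 1,000", structuring_hits(cp.transactions) > 0),
        ("equal-denomination inputs (mixer pattern)", equal_split_ratio(input_amounts_btc) >= 0.75),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample mirroring the worked example above (not a real entity or transaction).
MIXER = Counterparty("sample-mixer", "Vietnam", "mixer", self_hosted=True)
MIXER_INPUTS_BTC = [4.096, 4.096, 4.096, 4.096, 0.731]
```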
Additionally, GL provides even deeper insights by offering data on source of funds and use of funds, entities, transaction histories, and risk scores—all within a single report.
To sum up
The updated EBA Guidelines for 2024 bring new requirements for CASPs. Focusing on customers, geographical risks, and high-risk products and services (like mixers and privacy coins), the guidelines emphasize the importance of enhanced due diligence and rigorous transaction monitoring. The new guidelines demand not only strong compliance measures but also well-trained teams and accurate record-keeping to trace wallet activity.