Regulation (EU) 2023/1113 has been published last week in the Official Journal of the European Union and will bring forth important changes regarding the transfer of funds and certain crypto-assets. This regulation expands the obligations of Crypto-Asset Service Providers (CASPs) and Payment Service Providers (PSPs), building upon the existing framework established by Regulation (EU) 2015/847. These developments are crucial for promoting transparency and combating money laundering and terrorist financing.
Inclusion of CASPs
The revised regulation extends the requirement of identifying originators and beneficiaries to CASPs. It will hence applyies to transfers involving crypto-assets, including those facilitated through crypto ATMs, where CASPs or intermediary CASPs are registered within the EU (Article 1). Luxembourg CASPs already adhere abide to this obligation due to the AML/CFT Law of 12 November 2004.
Obligations of CASPs
Chapter III of the regulation outlines the specific obligations for CASPs, following a similar logic as applied to Payment Service Providers (PSPs) (Articles 14 to 22). Definitions relevant to crypto-assets and CASPs are included in Article 2.
Information obligations for CASPs
Recital 36 and Articles 14, 16, and 19 detail the information obligations for CASPs acting as originators, beneficiaries, or intermediaries. These obligations are akin to those imposed on PSPs, considering the technical nuances of CASPs. Special provisions are in place for transfers involving self-hosted addresses.
Changes for PSPs
The new regulation introduces a minor change regarding the inclusion of the Legal Entity Identifier (LEI) when providing information (Article 4: PSP of the payer).
Verification and retention of information
Both PSPs and CASPs must establish procedures to ensure the completeness and accuracy of payer/payee or originator/beneficiary information. The obligation to verify information accuracy applies to individual fund transfers exceeding EUR 1,000, with exceptions. PSPs and CASPs are required to retain the information for a period of five years, followed by deletion, unless national law specifies otherwise.
Guidelines and risk assessment
The European Banking Authority (EBA) is assigned the task of providing guidance on how CASPs should consider the risk factors listed in Annex III of the AML Directive. Additionally, the EBA will issue guidelines for CASPs to adhere to restrictive measures and address situations involving missing or incomplete originator/beneficiary information.
Future review and classification
By 1 July 2026, the European Commission will evaluate the risks associated with self-hosted addresses, determining the necessity for additional measures. CASPs will be classified as financial institutions under the Anti-Money Laundering Directive (AMLD) (Directive (EU) 2015/849 as amended).
In brief, effective from 29 June 2023 but applying as from December 2024, Regulation (EU) 2023/1113 will expand the “fund transfers” to CASPs. The regulation emphasizes the importance of transparency in combating money laundering and terrorist financing by obliging CASPs to keep trace of the originators and beneficiaries of crypto assets’ transfers. Compliance with these obligations necessitates the implementation of robust verification procedures, crucial for PSPs and CASPs. The EBA will provide further guidance, while the European Commission will review risks associated with self-hosted addresses. These regulatory measures contribute to the ongoing efforts to ensure the integrity of financial systems and protect against illicit activities/financial crime.
Contact
Contact Julien Leroy, Senior Legal Adviser at the ABBL