Source: OJ L, 2024/1624, 19.6.2024

Article 40 Measures to mitigate risks in relation to transactions with a self-hosted address


Summary: What does Article 40 of the Anti-money laundering regulation (AMLR) say?

This article targets a specific area of risk unique to the crypto-asset space: transfers involving self-hosted addresses, commonly known as unhosted or private wallets.

It places obligations squarely on crypto-asset service providers to assess the money laundering and terrorist financing risks that arise from transfers going to or coming from these addresses, and to back that assessment up with internal policies and controls.

The article then provides a non-exhaustive menu of mitigating measures that providers must apply, scaled to the risks they identify.

It connects naturally to the broader enhanced due diligence framework in the regulation, applying sector-specific logic to a type of transaction that, by its nature, sits outside the traditional counterparty identification process.

AMLA is also tasked with issuing guidelines by 10 July 2027 to give further practical shape to how these obligations should be met.

Important points:

  • Implement internal policies, procedures and controls to assess the money laundering and terrorist financing risks posed by transfers to or from self-hosted addresses.
  • Apply mitigating measures commensurate with the risks identified, which may include identifying and verifying originators or beneficiaries, requesting additional information on the origin and destination of crypto-assets, or conducting enhanced ongoing monitoring.
  • AMLA is required to issue guidelines by 10 July 2027 specifying the criteria and means for identity verification in the context of self-hosted address transfers, including how to determine whether a self-hosted address is owned or controlled by a customer.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. Crypto-asset service providers shall identify and assess the risk of money laundering and financing of terrorism associated with transfers of crypto-assets directed to or originating from a self-hosted address. To that end, crypto-asset service providers shall have in place internal policies, procedures and controls.

    2. Crypto-asset service providers shall apply mitigating measures commensurate with the risks identified. Those mitigating measures shall include one or more of the following:

      1. taking risk-based measures to identify, and verify the identity of, the originator or beneficiary of a transfer made from or to a self-hosted address or beneficial owner of such originator or beneficiary, including through reliance on third parties;

      2. requiring additional information on the origin and destination of the crypto-assets;

      3. conducting enhanced ongoing monitoring of transactions with a self-hosted address;

      4. any other measure to mitigate and manage the risks of money laundering and financing of terrorism as well as the risk of non-implementation and evasion of targeted financial sanctions.

    3. By 10 July 2027, AMLA shall issue guidelines to specify the mitigating measures referred to in paragraph 1, including:

      1. the criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made from or to a self-hosted address, including through reliance on third parties, taking into account the latest technological developments;

      2. criteria and means for the verification of whether or not the self-hosted address is owned or controlled by a customer.
