Source: OJ L 150, 9.6.2023, pp. 1–39Current language: EN
- Anti-money laundering
Basic legislative acts
- Transfer of funds regulation (TFR)
Article 38 Amendments to Directive (EU) 2015/849
Summary What does Article 38 of the Transfer of funds regulation (TFR) say?
This is the primary amendment article of the regulation, and its purpose is to update Directive (EU) 2015/849 (the Fourth Anti-Money Laundering Directive) to bring crypto-assets and crypto-asset service providers fully within the existing AML/CFT framework.
Rather than creating entirely new standalone obligations, it slots crypto-asset activity into the existing directive by updating definitions, inserting new articles on self-hosted addresses and cross-border correspondent relationships involving crypto-asset service providers, and tasking EBA with issuing supporting guidelines across several of these new areas.
Important points:
- Crypto-asset service providers are now explicitly included as a category of financial institution within Directive (EU) 2015/849, with updated definitions for crypto-asset, crypto-asset service provider, and self-hosted address inserted directly into that directive.
- As a crypto-asset service provider, implement internal policies, procedures and controls to identify and assess money laundering and terrorist financing risks associated with transfers to or from self-hosted addresses, and apply mitigating measures commensurate with the risks identified.
- Member States are required to transpose the changes introduced by this article into national law and apply them from 30 December 2024.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Directive (EU) 2015/849 is amended as follows:
in Article 2(1), point (3), points (g) and (h) are deleted;
Article 3 is amended as follows:
in point (2), the following point is added:
‘crypto-asset service providers;’;
point (8) is replaced by the following:
‘‘correspondent relationship’ means:
the provision of banking services by one bank as the correspondent to another bank as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
the relationships between and among credit institutions and financial institutions, including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers or relationships established for transactions in crypto-assets or transfers of crypto-assets;’;
points 18 and 19 are replaced by the following:
‘“crypto-asset” means a crypto-asset as defined in Article 3(1), point (5), of Regulation (EU) 2023/1114 of the European Parliament and of the Council(25), except where falling within the categories listed in Article 2(2), (3) and (4) of that Regulation or otherwise qualifying as funds;
“crypto-asset service provider” means a crypto-asset service provider as defined in Article 3(1), point (15), of Regulation (EU) 2023/1114, where performing one or more crypto-asset services as defined in Article 3(1), point (16), of that Regulation, with the exception of providing advice on crypto-assets as referred to in Article 3(1), point (16)(h), of that Regulation;
the following point is added:
‘“self-hosted address” means a self-hosted address as defined in Article 3, point (20), of Regulation (EU) 2023/1113 of the European Parliament and of the Council(26).
in Article 18, the following paragraphs are added:
By 30 December 2024, EBA shall issue guidelines on risk variables and risk factors to be taken into account by crypto-asset service providers when entering into business relationships or carrying out transactions in crypto-assets.
EBA shall clarify, in particular, how the risk factors listed in Annex III shall be taken into account by crypto-asset service providers including when carrying out transactions with persons and entities which are not covered by this Directive. To that end, EBA shall pay particular attention to products, transactions and technologies that have the potential to facilitate anonymity, such as privacy wallets, mixers or tumblers.
Where situations of higher risk are identified, the guidelines referred to in paragraph 5 shall include enhanced due diligence measures that obliged entities shall consider applying to mitigate such risks, including the adoption of appropriate procedures to detect the origin or destination of crypto-assets.’
the following articles are inserted:
‘Article 19a
Member States shall require crypto-asset service providers to identify and assess the risk of money laundering and terrorist financing associated with transfers of crypto-assets directed to or originating from a self-hosted address. To that end, crypto-asset service providers shall have in place internal policies, procedures and controls. Member States shall require crypto-asset service providers to apply mitigating measures commensurate with the risks identified. Those mitigating measures shall include one or more of the following:
taking risk-based measures to identify, and verify the identity of, the originator or beneficiary of a transfer made to or from a self-hosted address or the beneficial owner of such originator or beneficiary, including through reliance on third parties;
requiring additional information on the origin and destination of the transferred crypto-assets;
conducting enhanced ongoing monitoring of those transactions;
any other measure to mitigate and manage the risks of money laundering and terrorist financing as well as the risk of non-implementation and evasion of targeted financial sanctions and proliferation financing-related targeted financial sanctions.
By 30 December 2024, EBA shall issue guidelines to specify the measures referred to in this Article, including the criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made to or from a self-hosted address, in particular through reliance on third parties, taking into account the latest technological developments.
Article 19b
By way of derogation from Article 19, with respect to cross-border correspondent relationships involving the execution of crypto-asset services as defined in Article 3(1), point (16), of Regulation (EU) 2023/1114, with the exception of point (h) of that point, with a respondent entity not established in the Union and providing similar services, including transfers of crypto-assets, Member States shall, in addition to the customer due diligence measures laid down in Article 13 of this Directive, require crypto-asset service providers, when entering into a business relationship with such an entity, to:
determine if the respondent entity is licensed or registered;
gather sufficient information about the respondent entity to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the entity and the quality of supervision;
assess the respondent entity’s AML/CFT controls;
obtain approval from senior management before establishing new correspondent relationships;
document the respective responsibilities of each party to the correspondent relationship;
with respect to payable-through crypto-asset accounts, be satisfied that the respondent entity has verified the identity of, and performed ongoing due diligence on, the customers having direct access to accounts of the correspondent entity, and that it is able to provide relevant customer due diligence data to the correspondent entity, upon request.
Where crypto-asset service providers decide to terminate correspondent relationships for reasons relating to anti-money laundering and counter-terrorist financing policy, they shall document and record their decision.
Crypto-asset service providers shall update the due diligence information for the correspondent relationship on a regular basis or when new risks emerge in relation to the respondent entity.
Member States shall ensure crypto-asset service providers take into account the information referred to in paragraph 1 in order to determine, on a risk-sensitive basis, the appropriate measures to be taken to mitigate the risks associated with the respondent entity.
By 30 June 2024, EBA shall issue guidelines to specify the criteria and elements that crypto-asset service providers shall take into account when conducting the assessment referred to in paragraph 1 and the risk mitigating measures referred to in paragraph 2, including the minimum action to be taken by crypto-asset service providers where the respondent entity is not registered or licensed.’
the following article is inserted:
‘Article 24a
By 1 January 2024, EBA shall issue guidelines specifying how the enhanced customer due diligence measures in this Section apply when obliged entities perform crypto-asset services as defined in Article 3(1), point (16), of Regulation (EU) 2023/1114, with the exception of point (h) of that point, as well as transfers of crypto-assets as defined in Article 3, point (10), of Regulation (EU) 2023/1113. In particular, EBA shall specify how and when those obliged entities shall obtain additional information on the originator and beneficiary.’
in Article 45, paragraph 9 is replaced by the following:
Member States may require electronic money issuers as defined in Article 2, point (3), of Directive 2009/110/EC, payment service providers as defined in Article 4, point (11), of Directive (EU) 2015/2366 and crypto-asset service providers established on their territory in forms other than a branch, and whose head office is situated in another Member State, to appoint a central contact point in their territory. That central contact point shall ensure, on behalf of the entity operating on a cross-border basis, compliance with AML/CFT rules and shall facilitate supervision by supervisors, including by providing supervisors with documents and information on request.’
in Article 47, paragraph 1 is replaced by the following:
Member States shall ensure that currency exchange and cheque-cashing offices and trust or company service providers are licensed or registered, and that providers of gambling services are regulated.’
in Article 67, the following paragraph is added:
Member States shall adopt and publish, by 30 December 2024, the laws, regulations and administrative provisions necessary to comply with Article 2(1), point 3, Article 3, point (2)(g), Article 3, points (8), (18), (19) and (20), Article 19a(1), Article 19b(1) and (2), Article 45(9) and Article 47(1). They shall immediately communicate the text of those measures to the Commission.
They shall apply those measures from 30 December 2024.’.
Relevant recitals
Recital 17 High-risk anonymising crypto-asset products and EBA guidelines
Certain transfers of crypto-assets entail specific high-risk factors for money laundering, terrorist financing and other criminal activities, in particular transfers related to products, transactions or technologies designed to enhance anonymity, including privacy wallets, mixers or tumblers. To ensure the traceability of such transfers, the European Supervisory Authority (European Banking Authority), established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council(13) (EBA), should clarify, in particular, how the risk factors listed in Annex III to Directive (EU) 2015/849 are to be taken into account by crypto-asset service providers, including when carrying out transactions with non-Union entities that are not regulated, registered or licensed in any third country, or with self-hosted addresses. Where situations of higher risk are identified, EBA should issue guidelines specifying the enhanced due diligence measures that obliged entities should consider applying to mitigate such risks, including the adoption of appropriate procedures such as the use of distributed ledger technology (DLT) analytic tools, to detect the origin or destination of crypto-assets.
Recital 59 Extension of Directive (EU) 2015/849 to all crypto-asset service provider categories
At present, Directive (EU) 2015/849 only applies to two categories of crypto-asset service providers, namely, custodial wallet providers and providers engaged in exchange services between virtual currencies and fiat currencies. In order to close existing loopholes in the anti-money laundering and counter-terrorist financing framework and to align Union law with international recommendations, Directive (EU) 2015/849 should be amended to include all categories of crypto-asset service providers as defined in Regulation (EU) 2023/1114, which covers a broader range of crypto-asset service providers. In particular, with a view to ensuring that crypto-asset service providers are subject to the same requirements and level of supervision as credit and financial institutions, it is appropriate to update the list of obliged entities by including crypto-asset service providers within the category of financial institutions for the purpose of Directive (EU) 2015/849. In addition, taking into account that traditional financial institutions also fall within the definition of crypto-asset service providers when offering such services, the identification of crypto-asset service providers as financial institutions allows for a single consistent set of rules that applies to entities providing both traditional financial services and crypto-asset services. Directive (EU) 2015/849 should also be amended in order to ensure that crypto-asset service providers are able to appropriately mitigate the money laundering and terrorist financing risks to which they are exposed.
Recital 60 Correspondent relationships with third-country crypto-asset entities and enhanced due diligence
Relationships established between crypto-asset service providers and entities established in third countries for the purpose of executing transfers of crypto-assets or the provision of similar crypto-asset services present similarities to correspondent banking relationships established with a third country’s respondent institution. As those relationships are characterised by an ongoing and repetitive nature, they should be considered a type of correspondent relationship and be subject to specific enhanced due diligence measures similar in principle to those applied in the context of banking and financial services. In particular, crypto-asset service providers should, when establishing a new correspondent relationship with a respondent entity, apply specific enhanced due diligence measures in order to identify and assess the risk exposure of that respondent, based on its reputation, the quality of supervision and its anti-money laundering and counter-terrorist financing (AML/CFT) controls. Based on the information gathered, the correspondent crypto-asset service providers should implement appropriate risk mitigating measures, which should take into account in particular the potential higher risk of money laundering and terrorist financing posed by unregistered and unlicensed entities. That is especially relevant as long as the implementation of the FATF standards relating to crypto-assets at global level remains uneven, which poses additional risks and challenges. EBA should provide guidance on how crypto-asset service providers should conduct the enhanced due diligence and should specify the appropriate risk mitigating measures, including the minimum action to be taken, when interacting with unregistered or unlicensed entities which provide crypto-asset services.
Recital 61 Removal of duplicate registration requirements under Directive (EU) 2015/849
Regulation (EU) 2023/1114 has established a comprehensive regulatory framework for crypto-asset service providers which harmonises the rules pertaining to the authorisation and operation of crypto-asset service providers across the Union. In order to avoid duplication of requirements, Directive (EU) 2015/849 should be amended to remove registration requirements in relation to those categories of crypto-asset service providers which will become subject to a single licensing regime under Regulation (EU) 2023/1114.
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
crypto-asset services
Definition
supervisor
Definition
senior management
Definition
self-hosted address
- a crypto-asset service provider;
- an entity not established in the Union and providing services similar to those of a crypto-asset service provider;
Definition
funds
Definition
originator
Definition
financial mixed activity holding company
Definition
crypto-asset service provider
Definition
cash
Definition
electronic money
Definition
funds or other assets
Definition
credit institution
- a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013;
- a branch of a credit institution, as defined in Article 4(1), point (17), of Regulation (EU) No 575/2013, when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
crypto-asset account
Definition
crypto-asset
Definition
payment service provider
Definition
payment account
Definition
transfer of funds
- a credit transfer as defined in Article 4, point (24), of Directive (EU) 2015/2366;
- a direct debit as defined in Article 4, point (23), of Directive (EU) 2015/2366;
- a money remittance as defined in Article 4, point (22), of Directive (EU) 2015/2366, whether national or cross-border;
- a transfer carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics;
Definition
property
Definition
express trust
Definition
legal arrangement
Definition
management body
Definition
crypto-asset
Definition
terrorist financing
Definition
DLT
Definition
terrorist financing
Definition
gambling service
Definition
correspondent relationship
- the provision of banking services by one credit institution as the correspondent to another credit institution as the respondent, including providing a current or other liability account and related services, such as cash management, international transfers of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366, cheque clearing, payable-through accounts and foreign exchange services;
- the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or transfers of funds as defined in Article 4, point (25), of Directive (EU) 2015/2366, transactions in crypto-assets or transfers of crypto-assets;
Definition
distributed ledger technology
Definition
trust or company service provider
- the formation of companies or other legal persons;
- acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal persons;
- providing a registered office, business address, correspondence address or administrative address, as well as other related services for a company, a partnership or any other legal person or legal arrangement;
- acting as, or arranging for another person to act as, a trustee of an express trust or performing an equivalent function for a similar legal arrangement;
- acting as, or arranging for another person to act as, a nominee shareholder for another person;
Definition
targeted financial sanctions
Definition
beneficiary
Definition
crypto-asset service provider
Definition
money laundering
Definition
financial institution
- an undertaking other than a credit institution or an investment firm, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council(32), including the activities of currency exchange offices (bureaux de change), but excluding the activities referred to in point (8) of Annex I to Directive (EU) 2015/2366, or an undertaking the principal activity of which is to acquire holdings, including a financial holding company, a mixed financial holding company and a financial mixed activity holding company;
- an insurance undertaking as defined in Article 13, point (1), of Directive 2009/138/EC of the European Parliament and of the Council(33), insofar as it carries out life or other investment-related assurance activities covered by that Directive, including insurance holding companies and mixed-activity insurance holding companies as defined, respectively, in Article 212(1), points (f) and (g), of Directive 2009/138/EC;
- an insurance intermediary as defined in Article 2(1), point (3), of Directive (EU) 2016/97 where it acts with respect to life insurance and other investment-related insurance services, with the exception of an insurance intermediary that does not collect premiums or amounts intended for the customer and which acts under the responsibility of one or more insurance undertakings or intermediaries for the products which concern them respectively;
- an investment firm as defined in Article 4(1), point (1), of Directive 2014/65/EU of the European Parliament and of the Council(34);
- a collective investment undertaking, in particular:
- an undertaking for collective investment in transferable securities (UCITS) as defined in Article 1(2) of Directive 2009/65/EC and its management company as defined in Article 2(1), point (b), of that Directive or an investment company authorised in accordance with that Directive and which has not designated a management company, that makes available for purchase units of UCITS in the Union;
- an alternative investment fund as defined in Article 4(1), point (a), of Directive 2011/61/EU and its alternative investment fund manager as defined in Article 4(1), point (b), of that Directive that fall within the scope set out in Article 2 of that Directive;
- a central securities depository as defined in Article 2(1), point (1), of Regulation (EU) No 909/2014 of the European Parliament and of the Council(35);
- a creditor as defined in Article 4, point (2), of Directive 2014/17/EU of the European Parliament and of the Council(36) and in Article 3, point (b), of Directive 2008/48/EC of the European Parliament and of the Council(37);
- a credit intermediary as defined in Article 4, point (5), of Directive 2014/17/EU and in Article 3, point (f), of Directive 2008/48/EC, when holding the funds as defined in Article 4, point (25), of Directive (EU) 2015/2366 in connection with the credit agreement, with the exception of the credit intermediary carrying out activities under the responsibility of one or more creditors or credit intermediaries;
- a crypto-asset service provider;
- a branch of a financial institution referred to in points (a) to (i), when located in the Union, whether its head office is located in a Member State or in a third country;
Definition
transfer of crypto-assets
Definition
distributed ledger address
Definition
payee
Definition
self-regulatory body
Definition
third country
Definition
funds
Definition
beneficial owner
Definition
business relationship
Definition
supervisory authority
Definition
payer
Definition
money laundering
Definition
management body in its management function
Definition
criminal activity
Footnote 26
Footnote 25
Footnote 13