What’s new in the EU’s AML/CFT package?

An overview of implications for the crypto industry

On July 20, 2021, the EU’s European Commission announced a package of legislative proposals to strengthen the EU’s anti-money laundering and countering terrorism financing (AML/CFT) rules and harmonizes rules across the single market, specifically targeting the crypto industry.

The package announcement builds on a series of initiatives in the EU, such as the 6AMLD that obliged entities had to take measures to comply with by June 2021. In this post, we will summarize the key changes that have implications for crypto asset service providers, companies handling virtual currencies or virtual assets, and digital services handling financial transactions more generally.

Key points in the European Commission’s AML/CFT announcement

The European Commission’s AML/CFT package contains many proposals that may already be familiar to companies that are taking steps to become regulatory compliant for the EU market. The package comes as part of the EU’s wider Security Union Strategy for 2020-2025, enhancing the EU’s framework for AML/CFT, so companies can expect additional announcements in the coming years.

The European Commission has noted that it will work closely with the Financial Actions Task Force’s (FATF) recommendations for anti-money laundering. Rather than using the FATF term Virtual Asset Service Provider (VASP), the EU AML/CFT rules use the term “crypto-assets service providers”, and explicitly mentions cryptocurrencies, virtual currencies, and virtual assets. This definition covers many crypto services, such as exchanges and wallet providers. However, companies that may fall under a broader definition of VASP or handling of virtual assets should also consider designing robust and user-friendly regulatory compliant features as precautionary measures.

Key components of the new measures include:

  • A single EU rulebook for AML/CFT
  • EU AML Authority (AMLA)
  • EU AML/CFT rules will apply fully to cryptocurrencies

A Single EU Rulebook for AML/CFT

The announcement also consolidates a series of measures that have been introduced in previous years. The 6AMLD provisions were announced to replace the 4AMLD and 5AMLD (Directive 2015/849/EU) where there were inconsistencies in handling crypto services.

In addition, prior rules left loopholes in implementation between EU member states and created confusion for companies trying to implement appropriate AML/CFT and KYC programs. The proposed Single EU Rulebook AML/CFT, containing directly-applicable rules aims to harmonize all directly-applicable AML/CFT rules, including what counts as customer due diligence (CDD) or Beneficial Ownership.

EU AML Authority (AMLA)

In order to enforce the new AML/CFT measures, the European Commission’s package will come with the creation of a new EU-wide Authority, known currently as the Anti-Money Laundering Authority (AMLA), which will be tasked to enhance cooperation among Financial Intelligence Units (FIUs) that member states are expected to establish. The AMLA is also expected to establishment of a single integrated AML/CFT supervision system to support national-level supervisory bodies and FIUs, as well as have monitoring capacities and oversight authority for financial institutions that are considered high risk and operate across member EU states.

In short, the AMLA is aimed to facilitate more information flow regarding financial transactions across borders and between regulatory bodies. For example, existing national registers of bank accounts will be connected, providing faster access for FIUs and law enforcement authorities will have access to this system. This initiative is aimed directly at cross-border investigations and criminal asset recovery and the AMLA is expected to be operational by 2024.

EU AML/CFT rules will apply fully to cryptocurrencies

The European Commission’s package explicitly mentions the full application of the EU AML/CFT rules to the crypto sector. Measures have been taken to revise the 2015 Regulation on Transfers of Funds to trace transfers of crypto-assets (Regulation 2015/847/EU). The reform will extend AML/CFT rules to the entire crypto sector, obliging all service providers to conduct necessary customer due diligence (CDD) and know who their customers are (KYC). This is explicitly to ensure the full traceability of crypto-asset transfers, such as Bitcoin. This also means that anonymous crypto asset wallets will be prohibited in the EU.

In addition, because the 6AMLD now extends liability to individuals, not just companies, creators of decentralized exchanges may also be held liable for transactions conducted on a created platform. It remains to be seen how these new AML/CFT measures will be enforced by EU member states.

Other notable changes

EU-wide limit of €10,000 on large cash payments

In addition the changes mentioned above, the European Commission has proposed an EU-wide limit of €10,000 on large cash payments. Limits already exist in many EU member states, but the goal is to provide an upper limit for states that do not have such provisions, while states with limits under €10,000 can keep existing regulations.

Third countries

Continuing its efforts to stop cross-border money laundering, the European Commission has confirmed that it will follow FATF recommendations for country risk assessments. This means that the countries listed on the FATF’s “black-list” and a “grey-list" will also be listed as such in the EU. The EU may also add countries that are considered a threat to the EU’s financial system that may not be on the FATF lists. Based on these listings, the EU will apply measures proportionate to the risks posed by the listed country, which means that companies serving customers in these countries or handling transactions in these countries should also take proper AML measures.

What measures should the crypto industry take in the EU?

As regulations and their enforcement continues to be rolled out in the coming years, companies in the cyrpto industry, handling crypto, or virtual assets such as NFTs should take preemptive measures to become regulatory compliant.

Instead of interpreting AML/CFT measures such as KYC or transaction monitoring as a regulatory burden, companies can incorporate these measures to enhance security and build trust with customers. In essence, knowing who your customers are (KYC) with features such as identity verification not only meets regulatory requirements, but enables businesses to serve customers more effectively.

We recommend taking steps to build KYC into your product so that you can delight customers through a better customer experience that also makes them feel more secure.

Understand the principles behind regulations

While there are a number of regulations, many of them operate on similar principles of doing customer due diligence, preventative measures against money laundering and fraud, proper documentation of transactions, and reporting. Incorporating suitable KYC checks, transaction monitoring, and security measures will cover many regulatory requirements and increase security for your business.

Assess available RegTech services

Explore the growing number of identity verification, KYC, and compliance-related service providers to find out what your business needs may be, and what features are available to meet them. Learn what features might matter most for your business, whether it’s speed and user-friendliness or cross-platform support. Using a third-party provider helps you identify your customer without the costly risk of collecting and securing their personal information.

Design AML/CFT compliance as part of product UX

Invest in designing a holistic compliance program that not only serves customers with convenient identity verification during customer onboarding, but also makes workflows for your teams more efficient. Use identity verification to equip your teams with tools to serve customers better, such as flagging suspicious behavior in customer’s identity timeline or accelerating document submissions for new services.

Implement a smooth solution directly into your product

With the available service options today, we recommend looking for a solution that supports your own branded identity verification flow. As identity verification grows mainstream, customers will be expecting conveniences, such as using video selfies to identify themselves for login or transactions.

Review CX optimization opportunities

Teams can introduce identity verification and KYC checks at various customer touchpoints. After identity verification has been incorporated into one part of the product, such as user onboarding, it can be offered as an option to customers who want a face scan for passwordless logins or transaction authorization.

Forward-thinking companies can no longer afford to stay reactive to the growing number of regulations. Companies in newer industries, such as crypto, can expect come under closer scrutiny and be held to the same standards as leading financial institutions.

The next generation of businesses will thrive by not only satisfying regulatory requirements, but delighting customers with secure, reliable, and easy-to-use features. If you would like to learn more about AML regulations in major markets such as the EU, US, and UK, you can download our free guide here.

Get the latest news from Passbase

Passbase © 2023


Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.