The EU’s fifth Anti Money Laundering Directive (AMLD5) comes into force in all Member States on 10 January 2020. This latest version of the directive broadens its regulatory scope by including two types of crypto service providers (CSP): virtual-fiat exchanges and custodian wallet providers. The main driver behind this regulatory update is to decrease anonymity in crypto transactions and hence combat money laundering and the financing of terrorism. The change in the regulation confronts CSPs with three main uncertainties that need careful consideration… and with the deadline rapidly approaching, there is not much time left. Read this blog to learn how to start preparing your client- and internal processes before it is too late.
Generally speaking, CSPs are not used to being regulated. Many will find it challenging to demonstrate regulatory compliance whilst ensuring optimal continuity of their activities. The difficulty of this task is mainly due to the following three uncertainties:
- the applicable regulatory scope and definition of CSPs
- diverging regulatory procedures and requirements between countries
- how to design compliant, risk-based Customer Due Diligence (CDD) procedures whilst minimising client impact.
As the first in a series of blogs, this article aims to help existing and prospective CSPs with understanding and managing these uncertainties, and with proving their compliance to regulators whilst continuing their activities with the minimum of disruption. But first, let’s remind ourselves of the recent crypto market developments.
As the crypto market has matured, regulators have responded
The crypto asset ecosystem has undergone significant changes. The aggregate market capitalisation of global crypto assets skyrocketed from around EUR 30 billion in April 2017 to more than EUR 700 billion at its peak in early January 2018, until coming down again to hover at around EUR 200 billion . The industry was confronted with massive inflows of new users and funds. This has led to the emergence of additional service providers such as crypto exchanges, wallet providers and brokers. The broader application of crypto assets, combined with its unregulated status and relative anonymity, increased the risk of crypto assets being used for financial crime.
Regulators around the world have responded to these newly emerging risks by introducing new regulations. The AMLD5  is part of the European Commission’s anti-money laundering and anti-terrorism efforts, aimed at increasing transparency (e.g. national UBO registers) and expanding its reach (e.g. prepaid cards, specific CSPs). AMLD5 is the first European Union (EU) legislation which provides a legal definition for the term ‘virtual currency’. Due to its multi-interpretability, however, this definition is already being widely debated . For both CSPs and regulators, this makes it difficult to determine which requirements apply in certain cases.
Uncertainty around the applicable regulatory scope and definitions of CSP
Depending on the exact business model and activities of a CSP, different authorisation (i.e. registration or licence) requirements may apply. If CSPs are uncertain about the requirements for their specific activity, they can reach out to the regulator in their home country. This will prevent them from unexpectedly having to cease their crypto activities later on. In the EU we mainly see three forms of legal classifications of crypto asset activities which require an authorisation from a regulatory authority:
- E-money, which is broadly defined as ‘electronically/magnetically stored monetary value as represented by a claim on the issuer, which is accepted as a payment method by parties other than the issuer’ and requires an e-money institution licence under EMD2 
- Financial instruments, as it is sometimes argued that investors treat crypto assets as a substitute for financial instruments such as securities trading, which requires an investment firm licence under MIFID2 
- Virtual currencies, which are broadly defined as ‘a digital representation of value that is not issued or guaranteed by a central bank or public authority and is accepted as means of exchange’ and where two specific CSPs require a registration under AMLD5.
Two specific types of CSPs have been added in AMLD5: virtual-fiat exchanges and custodian wallet providers (for definitions, see Figure 1).
Two examples of virtual-fiat exchanges are Binance and Bitonic. A custodian wallet service provider, such as Bitvavo or Freewallet, controls the user’s private keys and is in full control of the customer’s funds. Wallet providers who do not control the user’s private keys currently remain beyond the scope of AMLD5 because they cannot access the user’s funds in any way. This limits their ability to comply with AMLD5 rules such as transaction monitoring.
If CSPs fall under either of these two definitions, they need to comply with the AMLD5 requirements before 10 January 2020 and obtain a registration at the regulatory authority in each of the EU countries in which they operate. Passporting, a regulatory practice which allows firms registered in the EU to do business in other Member States without need for further authorisation, is not possible for the AMLD5 registration.
Uncertainty around diverging regulatory procedures and requirements between countries
All CSPs with activities that fall under the three above-mentioned crypto asset classifications (e-money, financial instruments and virtual currencies) must comply with the AMLD5 requirements, which are broadly summarised and visualised in Figure 2.
This confronts CSPs with another uncertainty and complicating factor. In principle, AMLD5 aims to harmonise the requirements for CSPs across the EU, but individual Member States may interpret the requirements differently as the AMLD5 is transposed into national legislation, resulting in differences between countries. Current examples of deviating requirements are in Lithuania, where crypto-crypto exchanges are also expected to be in the scope (as opposed to only crypto-fiat exchanges)  and in The Netherlands, where the board members (day-to-day policymakers) of the entity need to be approved before a registration can be obtained . As not all supervisors have published their approach towards authorisations yet, CSPs should keep a close eye on the developments to determine the organisational impact of the requirements.
Uncertainty around how to design compliant, risk-based Customer Due Diligence (CDD) procedures whilst minimising client impact
Achieving and maintaining compliance on the above-mentioned topics not only affects the internal organisation, but also directly affects customers. Since AMLD5 aims to reduce the risk of money laundering and terrorist financing, CSPs are required to conduct Customer Due Diligence. This means that they need to collect and verify information about who their customer is, perform a risk assessment before the customer is accepted and subsequently monitor customers and their transactions. These requirements are at odds with the relative anonymity that customers currently enjoy. As a result, CSPs are required to substantially change their customer onboarding and monitoring processes. Inadequate design of these processes can negatively impact a CSP’s business by harming conversion rates. Even seasoned financial institutions such as traditional banks struggle to comply with these strict rules, so these processes need to be designed with due care.
Digital onboarding and monitoring requirements imply that CSPs need to obtain and monitor identity-related attributes from the customer, but the specific requirements may vary per country. Furthermore, it is not specified how these attributes should be obtained and verified, because the regulations aim to remain technology agnostic  and advocate a risk-based approach. This gives you room to design your customer journey as you see fit, but also leads to uncertainties on how to determine the risk-associated and design-compliant processes, especially as CSPs have limited experience in doing so. To help CSPs with this challenge, Figure 3 summarises the process for designing compliant and risk-based onboarding and monitoring procedures.
To summarise, this blog discusses three main uncertainties around achieving and maintaining AMLD5 compliance as a CSP:
- Do you fall within the scope of the AMLD5 and which authorisations do you need?
- Which (local) regulatory requirements exist and what is the impact on your operating model?
- How can you ensure a compliant approach on key processes such as customer onboarding and monitoring, whilst minimising the effect on your customers?
Since not all local legislation and supervisory approaches are final or publicly available yet, CSPs are advised to keep a close eye on these market developments to determine how to demonstrate their compliance to regulators whilst ensuring optimal continuity of their activities. INNOPAY can help CSPs with all these challenges. If you are looking for best practices, expertise on regulatory requirements and their impact on your operating model, or support with authorisation procedures with your respective supervisor, please feel free to contact Josje Fiolet.
 Some exceptions may apply, for example in Germany where the BaFin prescribed the use of video technology for digital identification