EU regulation of cryptocurrency exchanges

On June 19, 2018, the European Union’s Fifth Anti-Money Laundering Directive (5AMLD) was formally published in the European Union’s Office Journal, following its adoption by the European Parliament and Council earlier in the year.

The application of EU financial regulation to cryptocurrency exchanges

Financial regulation in the EU is governed by a complex patchwork of EU legislation and member states’ national laws. In certain member states, the applicable EU legislation has not been fully implemented and, in others, there are ancillary or supplementary national laws that co-exist alongside the relevant EU rules. The result is a complex patchwork of legislation that is not uniform across every member state.

Prior to the introduction of 5AMLD, there has been no EU-wide regulatory framework dealing expressly with the regulation of cryptocurrency exchanges. Notwithstanding this, depending on how an exchange is structured, and the nature of the tokens being made available on the exchange, it may fall within the scope of existing financial regulation at EU (and/or member state) level. For example, if the tokens being made available on the exchange constitute “financial instruments” within the meaning of the EU Markets in Financial Instruments Directive II (MiFID II), the process by which the tokens are distributed or traded on an exchange is likely to involve some regulated activities/services under MiFID II. Where that is the case, the organizational requirements, conduct of business rules and transparency requirements laid down in MiFID II could apply to the exchange. Other cryptocurrency exchanges, by contrast, may be structured and operate in a way that falls outside of the regulated space in the EU.

5AMLD is notable because it represents the EU’s first attempt to expressly regulate cryptocurrency exchanges at EU-level. Before 5AMLD, EU financial authorities have emphasized that “exchanges where virtual currencies are traded and digital wallets used to hold, store or transfer virtual currencies, are unregulated under EU law.” This can be contrasted with the approach of FinCEN in the US, which indicated in a guidance note as early as 2013 that it regards exchanges and administrators of convertible virtual currency as money transmitters, subject to licensing and anti-money laundering requirements the US Bank Secrecy Act.

By imposing express registration and anti-money laundering requirements on virtual currency exchanges and wallet holders for the first time, 5AMLD will narrow the gap considerably between the US and EU regulatory position in this regard.

The evolution of the EU anti-money laundering regime

The European Union adopted its first anti-money laundering directive in 1991. This directive imposed minimum requirements on EU member states relating to the prevention of money-laundering, including a general requirement for “designated persons” (broadly speaking, financial institutions) to verify the identity of customers and to monitor and report suspicious transactions.

The regime established under the first anti-money laundering directive has been regularly revised and updated in the period following its adoption in order to further mitigate risks and address new threats associated with money laundering and terrorist financing. In particular, it has been updated over time to reflect current recommendations issued by the international anti-money laundering watchdog, the Financial Action Task Force (FATF). Subsequent amendments have broadened the categories of “designated persons” covered by the regime and set out more prescriptive anti-money laundering requirements, particularly around the identification of customers.

This process of revision and amendment culminated with the adoption in 2015 of the Fourth Anti-Money Laundering Directive (4AMLD). 4AMLD sought to introduce a modernized anti-laundering regime, based on FATF’s 2012 recommendations. 4AMLD saw the EU move to a risk-based approach to customer identification, and set out prescriptive requirements around customer due diligence, the identification of beneficial ownership, tax crimes and funds transfers. It also reinforced the enforcement powers of national competent authorities.

The provisions of 4AMLD were required to be implemented by EU member states prior to June 26, 2017, although several member states have since missed that deadline.

The path to 5AMLD

In advance of the 4AMLD implementation deadline, and with many EU member states yet to implement its provisions, a proposal for a fifth anti-money laundering directive (5AMLD) was presented by the European Commission in July 2016. This proposal was presented in the wake of terrorist attacks and the revelations of the Panama Papers scandal, and was part of the Commission’s Action Plan of February 2016 to strengthen the fight against terrorist financing. Following its formal approval by the European Parliament and Council earlier this year, the final text of 5AMLD, as adopted by them, was published in the European Union’s Official Journal on June 19, 2018.

5AMLD, as adopted, includes a number of amendments aimed at further strengthening the modernized EU anti-money laundering regime established under 4AMLD. These amendments include additional transparency provisions around beneficial ownership, enhanced due diligence measures around high risk third countries, and transparency measures around the use of prepaid cards. 5AMLD also seeks to broaden the categories of “obliged entities” that are subject to the provisions of the EU anti-money laundering regime, to include, most notably, virtual currency exchange platforms and wallet providers.

The impact of 5AMLD on cryptocurrency exchanges

Once implemented into national law, cryptocurrency exchanges and wallet providers covered by 5AMLD will be subject to the anti-money laundering requirements set out in 4AMLD. In particular, they will be subject to the requirement to carry out identity checks on their customers, as well as their customers’ beneficial owners (where applicable), the aim being to help reduce the anonymity associated with cryptocurrency transactions. They will also be subject to specific obligations around the reporting of suspicious transactions.

In addition, 5AMLD requires EU member states to introduce measures for the registration of cryptocurrency exchanges and custodian wallet providers.

Will 5AMLD impact all cryptocurrency exchanges?

5AMLD extends EU anti-money laundering requirements to “providers engaged in exchange services between virtual currencies and fiat currencies.” In its original proposal for 5AMLD, the European Commission noted that it regarded this approach of targeting “gatekeepers that control access to virtual currencies” as a proportional attempt to address the risks associated with virtual currencies, while also “preserving the innovative advances offered by such currencies.

Fiat-to-crypto exchanges

The concept of “virtual currencies” is defined broadly in 5AMLD to mean, “a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically.” Given the broad nature of this definition, it is likely that, in practice, most forms of virtual currency and tokens (as we know them today) will fall within the scope of 5AMLD. This would appear to be in line with the objective of the directive which states in its recitals that “although virtual currencies can frequently be used as a means of payment, they could also be used for other purposes and find broader applications such as means of exchange, investment, store-of-value products or use in online casinos. The objective of this directive is to cover all the potential uses of virtual currencies.

As a result, it is likely that, in practice, most crypto-to-fiat (or fiat-to-crypto) exchanges will be covered by 5AMLD.

Crypto-to-crypto exchanges

5AMLD does not expressly bring crypto-to-crypto exchanges within the scope of the EU anti-money laundering regime. Notwithstanding this, it is still possible that certain crypto-to-crypto exchanges may fall within the scope of the EU anti-money laundering regime if their activities are such that they fall within the definition of “obliged entity” for other reasons. For example, it is not unusual for crypto exchanges to bundle their exchange services with other types of related services, such as custodian wallet services (see further below) or more traditional banking or investment services. If a crypto-to-crypto exchange incorporates these types of ancillary services into its offering, it may still be subject to the EU anti-money laundering regime, notwithstanding that it does not per se fall within the scope of the legislation in its capacity as a cryptocurrency exchange. An exchange may also be regulated at member-state level in particular EU jurisdictions, depending on how each member state incorporates the new EU directive’s provisions into its national law. This would ultimately need to be reviewed and confirmed on a case-by-case basis, taking into account the particular business activities of the exchange in question and any nuances under the national laws of the particular member state.

Custodian wallet providers

5AMLD also designates “custodian wallet providers” as obliged entities for the purposes of the regime. The concept of “custodian wallet provider” is defined in 5AMLD to mean “an entity that provides services to safeguard private cryptographic keys on behalf of its customers, to hold, store and transfer virtual currencies.

The definition only appears to capture wallet providers that maintain control (via a private cryptographic key) over customers’ wallets and the assets in it. It does not appear to extend to non-custodian wallets where the user (rather than the provider) holds the private key. However, similar to crypto-to-crypto exchanges, if a non-custodian wallet holder bundles its services with other regulated services, it may still fall within the scope of 5AMLD. It may also be regulated at EU member state level, depending on how 5AMLD is ultimately incorporated into the laws of member states.

Conclusion: impact for the crypto industry

A recent study carried out by identity verification software company, Mitek Systems, and commissioned by PAID Strategies, surveyed the Know Your Customer (KYC) practices of 25 different cryptocurrency exchanges and wallet providers across Europe and the US and revealed that only 32% of those surveyed currently carry out full identity on their users. The report noted that “the majority of exchanges and wallets do not have KYC procedures in place and are not ready for [next year’s] (sic.) 5AMLD introduction.

While some of the exchanges and wallet providers included in the report may fall outside the scope of the new EU rules (for the reasons outlined above), it is nevertheless clear from its findings that the increased compliance burden introduced by 5AMLD is likely to have a significant cost impact for many exchanges and wallet providers operating in the EU. Despite this, the introduction of the new regime has generally been welcomed by the crypto industry, which views it as an important step towards legitimizing the industry in Europe.

While EU member states have until January 20, 2020 to implement 5AMLD’s provisions into their national law, the small Eastern European nation of Estonia has got off to a head start, having already adopted regulations to transpose the new provisions into national law. Other “crypto-friendly” EU member states will no doubt be quick to follow suit in the race to position themselves as the leading European crypto hub.

This article was written by Gina Conheady, Corporate and M&A. First published by Bloomberg on June 27 2018 - Reproduced with permission from Copyright 2018 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com. 

Date published: 28 June 2018