AFM Annex - Guidelines on the Wwft and Sanctions Act: Key Points for CASPs

AFM Annex - Guidelines on the Wwft and Sanctions Act Key Points for CASPs Publication date: May 2025

2 Annex - Guidelines on the Wwft and Sanctions Act Table of Contents Introduction 3 Applicability of Guidelines 4 Supervision by the AFM 4 Reader's Guide 4

1. Key Points Wwft (Money Laundering and Terrorist Financing Prevention Act) 5 1.1. Risk Assessment 5 1.2. Important Risk Factors for Risk Assessment 5 1.3. Enhanced Customer Due Diligence 6 1.4. Transaction Monitoring and Reporting Unusual Transactions to FIU-Nederland 7
2. Key Points Sanctions Act 9 2.1. Risk Assessment and Measures 9 2.2. Policy and Procedures 9 2.3. Verification at a Self-Hosted Address 10 2.4. Sanctions Act Reporting 10
3. Key Points Transfer of Funds Regulation (TFR) 12 3.1. Scope 12 3.2. CASP of the Initiator 13 3.3. CASP of the Beneficiary and the Intermediary CASP 15 3.4. Transfers to or from a Self-Hosted Address 16 3.5. Repeatedly Negligent CASPs and Reporting Obligation 17 3.6. GDPR Key Points 19 Appendix – Overview of Relevant Legislation 20

3 Annex - Guidelines on the Wwft and Sanctions Act Introduction In June 2024, the AFM published an update to the Guidelines on the Wwft and Sanctions Act (hereinafter, 'Guidelines'). This Annex is an addition to the Guidelines and is intended for providers of crypto-asset services (crypto-asset service providers, hereinafter 'CASPs'). From 30 December 2024, CASPs holding a license or notification on the European market may offer the following crypto-asset services.1 a) the custody and administration of crypto-assets on behalf of clients; b) the operation of a crypto-asset trading platform; c) the exchange of crypto-assets for money; d) the exchange of crypto-assets for other crypto-assets; e) the execution of crypto-asset orders on behalf of clients; f) the placement of crypto-assets; g) the reception and transmission of crypto-asset orders on behalf of clients; h) the provision of advice on crypto-assets; i) the management of portfolios for crypto-assets; j) the provision of crypto-asset transfer services on behalf of clients. Crypto-assets and underlying technologies can bring innovation to financial markets. Through the use of innovative technologies, values can be transferred quickly worldwide. This can also offer many potential advantages, such as faster and cheaper transactions. Due to the pseudo-anonymous nature and the ease and speed with which values can be sent anywhere in the world, crypto-assets are also attractive to criminals. Without good regulation, crypto-assets risk becoming a safe haven for money laundering and terrorist financing. 2 CASPs must comply with specific Anti-Money Laundering and Countering the Financing of Terrorism (hereinafter, 'AML/CFT') rules. 3 Thus, as of 4 February 2025, CASPs qualify as other financial enterprises as defined in the Act on the Prevention of Money Laundering and Financing of Terrorism (hereinafter, 'Wwft'). 4 Compliance with the Wwft by CASPs falls under the supervision of the AFM as of 4 February 2025. 5 As Wwft institutions, CASPs have certain obligations to prevent the misuse of the financial system for money laundering and terrorist financing. Under the Sanctions Act 1977 (hereinafter 'Sanctions Act') and the Sanctions Act 1977 Supervision Regulation, CASPs must also take measures as of 4 February 2025 in the area of administrative organization and internal control (AO/IC), to ensure that the provisions of the sanctions legislation are complied with. 1 Article 63 and 60 MiCAR. 2 FATF, Virtual Assets and Virtual Assets Red Flag Indicators of Money Laundering and Terrorist Financing and Europol Spotlight ‘Cryptocurrencies: tracing the evolution of criminal finances’ and National Risk Assessment Money Laundering 2023, (WODC, 3 April 2024) p. 74. 3 By Regulation (EU) 2023/1113, CASPs fall within the scope of the Anti-Money Laundering Directive (Directive (EU) 2015/849). The Implementation Act TFR gives effect to this Regulation. Relevant for compliance with rules on the prevention of money laundering and financing of terrorism are also the various Guidelines published by the European Banking Authority (hereinafter ‘EBA’). It is advisable to familiarize yourself with them. Various of these Guidelines are cited in this Annex. 4 Article 1a, third paragraph, sub k and l, Wwft. 5 Article 38 TFR, article 3, second paragraph, sub g, of the Fourth Anti-Money Laundering Directive (Directive (EU) 2015/849) and article 1a, third paragraph, sub k and l, Wwft. For providers of crypto-asset services who held a DNB registration before 30 December 2024 (hereinafter: 'registrants'), they may make use of the transitional regime that applies until 30 June 2025. During the transitional period, the AFM supervises compliance with the Wwft and Sanctions Act by registrants.

4 Annex - Guidelines on the Wwft and Sanctions Act In addition to the legal requirements resulting from the Wwft and Sanctions Act, CASPs must comply with the AML/CFT requirements laid down in the 'Regulation on attaching information to transfers of certain crypto-assets and amending the Fourth Anti-Money Laundering Directive' (also known as Transfer of Funds Regulation, hereinafter 'TFR'). 6 Thus, CASPs must send certain transaction data with each individual transfer of crypto-assets, also known as the 'Travel Rule'.7 Additionally, EBA has published Travel Rule Guidelines. 8 This Annex provides an explanation of the obligation to attach information to crypto-asset transfers. Applicability of Guidelines CASPs are subject to AML/CFT requirements as determined in the Wwft and Sanctions Act. Therefore, the current Guidelines generally apply in full to CASPs as an explanation of the Wwft and Sanctions Act. In short, this means that CASPs can use the Guidelines to fulfill the legal obligations applicable under the Wwft and Sanctions Act, including in the areas of risk assessment, drawing up policy and procedures, group policy, conducting customer due diligence, transaction monitoring, reporting unusual transactions, and compliance with the Sanctions Act. As indicated above, additional legal requirements apply to CASPs, such as the obligations arising from the TFR. This Annex is intended as supplementary explanation on sector-specific key points for CASPs and as an explanation of the specific legal AML/CFT obligations applicable to CASPs.9 The Guidelines and this Annex should therefore be read in conjunction. Supervision by the AFM The AFM supervises compliance with the Wwft and Sanctions Act in a risk-based manner. To this end, it requests institutions under its supervision to periodically complete the Wwft/Sanctions Act questionnaire. The AFM will also periodically send a Wwft/Sanctions Act questionnaire to CASPs. The AFM uses the information provided via this questionnaire to establish risk profiles of the institutions. The information obtained also provides a general picture of the state of the market regarding the inherent money laundering and terrorist financing risks and the extent to which these risks are controlled. Additionally, the AFM can use this information when making choices in the supervision strategy. Reader's Guide This Annex consists of three chapters: • Chapter 1 deals with the sector-specific key points of the Wwft, • Chapter 2 deals with the key points regarding the Sanctions Act, and • Chapter 3 provides an explanation of the obligations resulting from the TFR. 6 Regulation (EU) 2023/1113. 7 Regulation (EU) 2023/1113. 8 Guidelines on information requirements regarding fund transfers and certain transfers of crypto-assets under Regulation (EU) 2023/1113 (“Travel Rule Guidelines”): https://www.eba.europa.eu/publications-and-media/press-releases/eba-issues-travel-rule-guidance-tackle-money- laundry-and-terrorist-financing-transfers-funds-and. 9 For example, the Guidelines also include sector-specific key points for managers of investment undertakings, investment firms, and financial service providers.

5 Annex - Guidelines on the Wwft and Sanctions Act

1. Key Points Wwft In addition to the guidance on the Wwft included in the Guidelines, the AFM highlights several specific points for CASPs below. 1.1. Risk Assessment As emphasized in the Guidelines, the regulatory framework for managing risks on money laundering and terrorist financing is risk-based. CASPs are expected to make an assessment of the risks applicable to their business operations. This means that a robust risk assessment - as the basis for establishing policy, procedures, and measures - is of great importance for adequate compliance with the Wwft.10 The measures an institution must take to establish and assess its risks must be proportionate to the nature and size of the institution. The CASP must focus its risk assessment on the crypto-asset services it provides, always taking into account the risk factors related to client type, product, service, transaction, and delivery channel, as well as countries or geographic areas. Thus, it must be made visible in an accessible manner where the risks of money laundering and terrorist financing are greatest for this CASP and how they are controlled. When formulating the CASP's risk assessment, it is expected that it includes the most recent national risk assessment (hereinafter: NRA).11 The increased risks mean that much is expected of the CASP regarding its risk assessment and risk-controlling measures. It is particularly important that the CASP's risk assessment does not limit itself to abstract and generally formulated risks. 1.2. Important Risk Factors for Risk Assessment CASPs must take into account risk-increasing factors specifically applicable to them when formulating the risk assessment, such as the ability to transfer crypto-assets directly and globally, no or limited limits on transaction volumes and values, high volatility, and a certain degree of anonymity. In general terms, there is a relatively high risk of money laundering and terrorist financing in the provision of crypto-asset services. On 16 January 2024, the European Banking Authority (hereinafter: EBA) published additional guidelines for credit and financial institutions on risk factors for money laundering and the financing of terrorism, which apply from 30 December 2024 (hereinafter, 'Guidelines ML/TF Risk Factors'). 12 A part of these additional guidelines concerns CASPs. 10 The obligation to identify and assess risks follows from article 2b Wwft. In doing so, account must at least be taken of the risk factors related to client type, product, service, transaction, and delivery channel, as well as countries or geographic areas. 11 'Money laundering via provider of financial crypto services', see: “National Risk Assessment (NRA) Money Laundering 2023, Scientific Research and Data Centre (WODC), Cahier 2024-1 (online accessible)”. In the most recent NRA, terrorist financing was identified as one of the largest terrorist financing threats: 'Financing via provider of 'crypto services', see: “NRA Terrorist Financing 2023, WODC, Cahier 2024-2 (online accessible)”. 12 EBA/GL/2024/01, 16 January 2024, ‘Guidelines amending EBA Guidelines EBA/GL/2021/02 pursuant to Article 17 and Article 18, paragraph 4, of Directive (EU) 2015/849 concerning customer due diligence and the factors that credit institutions and financial institutions should take into consideration when assessing the money laundering risk and terrorist financing risk associated with individual business relationships and occasional transactions (hereinafter referred to as “the Guidelines ML/TF Risk Factors”): Guidelines on ML/TF risk factors | European Banking Authority.

6 Annex - Guidelines on the Wwft and Sanctions Act Some risk-increasing factors noted by EBA are (not exhaustive): • When large amounts of money are received and/or withdrawn in a short period, where the money originates from the sale of crypto-assets; • The product does not impose limits on the total volume or total value of transfers; • A company that was recently established and processes large volumes of transactions; • Use of an IP address connected to a darknet or software that provides a high degree of anonymity or is linked to multiple users; • When the necessary client information is not provided; • When multiple payment accounts are used to fund the crypto-asset account; • Transfers of crypto-assets involve jurisdictions with higher ML/TF risk; • When new technologies are used that have not yet been fully tested or that have an increased ML/TF risk. If the client has met the information requirements in previous transfers of crypto-assets or if it concerns products with limited or low transaction volumes and values, this can have a risk-reducing effect. Another risk-reducing factor is when the nature and scope of the payment channels or systems used by the CASP are limited to closed-loop systems or systems intended to facilitate micro-payments or payments from governments to individuals or from individuals to governments. The AFM refers to the Guidelines ML/TF Risk Factors for an overview of risk-reducing and risk-increasing factors. Title I of these Guidelines ML/TF is of a general nature. Title II is sector-specific. In this context, Guideline 21 is important for CASPs. The sector-specific guidelines must be read in conjunction with Title I of the Guidelines ML/TF Risk Factors. The risk factors are related to client type, product, service, transaction, and delivery channel, as well as countries or geographic areas. The assessment of the risks of money laundering and financing of terrorism lies at the basis of the development of policy, procedures, and measures, to limit and effectively control the identified risks.13 1.3. Enhanced Customer Due Diligence If there is an increased risk of money laundering or financing of terrorism, the CASP performs enhanced customer due diligence14 and takes additional measures as intended in Guideline 21.12 of the Guidelines ML/FT Risk Factors. The cases in which enhanced customer due diligence must be performed are determined based on the risk assessment prior to the business relationship or transaction to be performed. Additionally, the CASP must in any case take into account the risk factors mentioned in Annex III of the revised fourth anti-money laundering directive.15 In the CASP's policy, it establishes in which cases and in what manner enhanced customer due diligence is performed. 13 Article 2c, first paragraph, Wwft. 14 Article 8 Wwft and Title I of the Guidelines ML/FT Risk Factors. 15 Directive (EU) 2015/849. The consolidated version can be found here: EUR-Lex - 02015L0849-20241230 - EN - EUR-Lex.

7 Annex - Guidelines on the Wwft and Sanctions Act A situation where enhanced customer due diligence must be performed is, for example, in the case CASPs enter into a correspondent relationship16 and/or when a transfer takes place of crypto-assets to or from a self-hosted address. 17 When a transfer takes place of crypto-assets to or from a self-hosted address, this is accompanied by potentially high integrity risks.18 For example, it is not always clear who the owner of the address is. Therefore, risk-limiting measures must be taken when providing services related to a self-hosted address. In this context, CASPs must analyze what risks are associated with the transactions. If the CASP has (become aware) that the information about the initiator or beneficiary using the self-hosted address is incorrect or if the CASP encounters unusual or suspicious transaction patterns or an increased risk of money laundering and terrorist financing in transfers to or from a self-hosted address, the CASP must take enhanced customer due diligence measures to appropriately control the risks. Here, it must concern one or more of the following control measures19: • taking risk-based measures to identify and verify the identity of the initiator or beneficiary of a transfer to or from a self-hosted address, or of the ultimate beneficial owner of the initiator or beneficiary, including by relying on third parties; • requiring additional information about the origin and destination of the transferred crypto-assets; • tightening the permanent monitoring of these transactions; • all other measures to limit and control the risks of money laundering and terrorist financing as well as the risk of non-compliance and evasion of targeted financial sanctions and of targeted financial sanctions related to the financing of proliferation. The control measures must be proportionate to the established risks. Given the international nature of CASPs' transactions, we draw attention to paragraph 5.8 of the Guidelines regarding enhanced customer due diligence, which goes further into business relationships or transactions with third countries. In this paragraph (and paragraph 5.1) of the Guidelines, it also addresses distance onboarding and the EBA’s ‘Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849’. 1.4. Transaction Monitoring and Reporting Unusual Transactions to FIU-Nederland 1.4.1. Transaction Monitoring20 CASPs must, when fulfilling the requirement to exercise continuous control over a business relationship and the transactions performed during the duration of this relationship21, distinguish between monitoring fiat transactions and monitoring crypto-asset transactions. In both cases, CASPs must have a transaction monitoring system. CASPs must establish in their policy which tools 22 22 Article 2c, first and second paragraphs, Wwft juncto article 3, second paragraph, sub d Wwft. 23 Article 21.13 Guidelines ML/FT Risk Factors. 24 Article 16, first paragraph, Wwft.

8 Annex - Guidelines on the Wwft and Sanctions Act are used in transaction monitoring and what configuration the tools have, including which 'business rules' (the pre-defined criteria against which transactions are tested for possible unusual nature) are used and why they are appropriate. 22 When monitoring crypto-asset transfers, CASPs must apply advanced analysis instruments to assess the risk associated with transactions so that they are able to trace the history of transactions and identify potential links with criminal activities, persons, or entities. This applies in particular (but not exclusively) to transactions with self-hosted addresses.23 Blockchain technology enables CASPs to, by applying blockchain monitoring, investigate the origin and destination of crypto-assets and thus assess any risks of money laundering and terrorist financing. 1.4.2. Reporting Unusual Transactions Table 2 of Annex I of the Implementation Decree Wwft 2018 has been amended and lists the indicators for reporting unusual transactions to the Financial Intelligence Unit (FIU-Nederland): Providers of crypto-asset services as referred to in article 3, first paragraph, item 16, sub a, b, and d to j, of Regulation (EU) 2023/1114 of the European Parliament and the Council of 31 May 2023 A transaction where the institution has reason to suspect that it may be related to money laundering and financing of terrorism. Providers of exchange services as referred to in article 3, first paragraph, item 16, sub c, of Regulation (EU) 2023/1114 of the European Parliament and the Council of 31 May 2023 A transaction where the institution has reason to suspect that it may be related to money laundering and financing of terrorism. A transaction of an amount of € 10,000 or more where an exchange takes place between virtual currency and cash fiduciary currency. CASPs must ensure that they are registered as reporters with FIU-Nederland, so that they can meet the obligation to report unusual transactions without delay.24 See more on this in paragraph 6.2 of the Guidelines. The absence of information from the initiator or beneficiary in transfers of crypto-assets can also be grounds for making a report of an unusual transaction to FIU-Nederland. In paragraph 3.5 of this Annex, this is discussed further. 22 Article 2c, first and second paragraphs, Wwft juncto article 3, second paragraph, sub d Wwft. 23 Article 21.13 Guidelines ML/FT Risk Factors. 24 Article 16, first paragraph, Wwft.

9 Annex - Guidelines on the Wwft and Sanctions Act 2. Key Points Sanctions Act In addition to the guidance on the Sanctions Act included in the Guidelines, the AFM highlights several specific points for CASPs below. A CASP must, pursuant to article 2, first paragraph, of the Sanctions Act 1977 Supervision Regulation (RtSw) 25 take measures in the area of administrative organization and internal control (AO/IC) to ensure that the provisions of the sanctions legislation are complied with. 2.1. Risk Assessment and Measures The CASP is expected to perform an assessment of the risks of sanctions violations and sanctions evasion, in order to take robust measures to control these risks. To this end, the CASP must in any case establish policy, procedures, and measures. In doing so, the CASP must constantly ensure that the risk is minimal that financial funds go to a person or entity as referred to in the sanctions legislation in the case of a service or transaction.26 The measures that must be taken must at least concern the screening of the CASP's relationships with persons or entities on the sanctions lists.27 To this end, CASPs must apply continuous screening, for example through an automated system. Another example of a robust measure is the inclusion of geolocation instruments and instruments that recognize the use of proxy IP services, in cases where increased exposure to sanctions measures is indicated by the risk assessment. In this way, the CASP can identify and prevent that its relationships originate from countries with sanctions measures.28 Other measures in case of increased sanctions risks may include: • when entering into business