CySEC Circular C640: EBA Guidelines on ML/TF Risk Factors for Crypto-Asset Service Providers

TO : Regulated Entities i. Crypto Asset Service Providers (‘CASPs’) ii. Cyprus Investment Firms (‘CIFs’) iii. Administrative Service Providers (‘ASPs’) iv. UCITS Management Companies (‘UCITS MC’) v. Self-Managed UCITS (‘SM UCITS’) vi. Alternative Investment Fund Managers (‘AIFMs’) vii. Self-Managed Alternative Investment Funds (‘SM AIFs’) viii. Self-Managed Alternative Investment Funds with Limited Number of Persons (‘SM AIFLNP’) ix. Companies with sole purpose the management of AIFLNPs x. Small Alternative Investment Fund Managers (‘Small AIFMs’) FROM : Cyprus Securities and Exchange Commission DATE : 26 April 2024 CIRCULAR NO. : C640 SUBJECT : European Banking Authority’s Guidelines amending Guidelines EBA/2021/02 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions under Articles 17 and 18(4) of Directive (EU) 2015/849 - Guidance to crypto-asset service providers to effectively manage their exposure to ML/TF risks With this Circular, the Cyprus Securities and Exchange Commission (‘CySEC’) brings to the attention of the Regulated Entities the following: On the 16th January 2024, the European Banking Authority (‘EBA’) extended its Guidelines on money laundering (ML) and terrorist financing (TF) risk factors to crypto-asset service providers (CASPs). The new Guidelines (EBA/GL/2024/01) highlight ML/TF risk factors and mitigating measures that CASPs need to consider, representing an important step forward in the EU’s fight against financial crime. CASPs can be abused for financial crime purposes, including ML and TF. The risks of this happening can be increased, for example because of the speed of crypto-asset transfers or because some

2 products contain features that hide the user’s identity. Therefore, it is important that CASPs know about these risks and put in place measures that effectively mitigate them. The amendments aim to help CASPs identify these risks by providing a non-exhaustive list of different factors, which may indicate the CASP’s exposure to higher or lower levels of the ML/TF risk due to its customers, products, delivery channels and geographical locations. Based on these risk factors, CASPs can develop understanding of their customer base and to identify which part of their business or activity is most vulnerable to ML/TF. The Guidelines also explain how CASPs should adjust their mitigating measures, including the use of blockchain analytics tools. Given the interdependence of the financial sector, the new Guidelines also include guidance addressed to other credit and financial institutions that have CASPs as their customers or which are exposed to crypto assets. This risk is increased where credit and financial institutions engage in business relationships with providers of crypto-asset services which are not authorised under Regulation (EU) 2023/1114. In general, these Guidelines foster a common understanding of ML/TF risks associated with crypto-assets service providers (CASPs) and the steps CASPs and other credit and financial institutions should take to manage these risks. The amending Guidelines will apply from 30 December 2024. CySEC, within the context of its common supervisory approach for all the Regulated Entities in relation to the prevention and suppression of money laundering and terrorist financing, calls upon the Regulated Entities to comply with the Guidelines and be able to demonstrate that their AML/CFT policies, controls and procedures are appropriate in view of the ML/TF risks that have been identified and take the necessary mitigating measures. Sincerely, Dr George Theocharides Chairman, Cyprus Securities and Exchange Commission