EU Compliance Guide

EU digital currency compliance first involves Anti-Money Laundering compliance. Regulations are changing from 2017 – exchanges and custodians will need to be compliant.

The changing regime – an overview.

1) Application of 4AMLD to virtual currency operators

Digital currency businesses are subject to the 4th Anti-Money Laundering Directive (4AMLD).

This new directive will be transposed by member states in June 2017.

In the summer of 2016 the Commission suggested to add virtual currency businesses into the scope of the directive. Since then the Commission has presented an amendment to 4AMLD to include Custodians and Exchanges.

A Custodian is the provision of a service to hold and allow the transfer of virtual currency. An Exchange offers the ability to exchange one virtual currency for another. These businesses will be subject to registration/licensing obligations to operate their business in the European Union (EU).

To date, it is not yet clear whether virtual currency will be required to register in each member state where they have customers. The European Banking Authority (EBA) currently considers it to be the case.

However, it is clear that the state level registration requirement will consist of a ‘fit and proper’ test. In general terms, this will entail identifying whether a founder of a virtual currency business has any criminal convictions. The test may involve other requirements that are yet to be detailed.

Virtual currency businesses should therefore be prepared to manage the compliance of all operations.

The impact is likely to increase the overhead of virtual currency businesses significantly.

Coinbase operates an anti-money laundering (AML) compliant business and directs 20% of its salaried workforce dedicated towards compliance.

2) Transition process towards 4AMLD compliance

The following guidelines are not intended as legal advice.

There are a few procedures and policies needed for basic AML compliance:

  • An anti-money laundering and terrorist financing policy. This policy should cover areas such as Customer Due Diligence, Know Your Customer (KYC), record keeping, training, ongoing customer monitoring.

  • An anti-money laundering reporting officer.

  • A Risk management matrix – identification and mitigation of all AML risks.

  • Corporate governance policy – responsibility allocation and ongoing risk evaluation by the board.

  • Reporting lines within the business – process channels throughout the business, both up and downstream.

  • A risk mitigation policy for virtual currencies in general – specifically in terms of use for money laundering.

  • Staff training to ensure awareness of AML procedures and requirements.

  • Ensuring effective internal and external audit procedures to guarantee effective measures.

  • Devise processes to handle suspicious activity reporting.

  • Implementation of complementary AML and IT security procedures.

  • An internal vetting policy for staff and external supplier vetting.


The first step in 4AMLD compliance is understanding how and when to identity new customers. This is the most basic form of anti-money laundering compliance. This process is referred to as Customer Due Diligence (CDD), more commonly known as ‘Know Your Client’).

4AMLD requires the following standard CDD measures:

  • Collecting documents, data or information obtained from a reliable and independent source.

  • Identifying the beneficial owner (the person behind a transaction).

  • Understanding the ownership and control structure of the customer.

  • Identifying the purpose and intended nature of the business relationship.

  • Ongoing monitoring of business relationship. Ensuring all transactions are consistent with the obliged entity’s knowledge of the customer.

When should you do the checks?

  • The verification of the identity of customer and/or beneficial owner should take place before business relationship establishment.

  • CDD measures should also be applied to existing customers on a risk-sensitive basis.

If you are unable to complete the CDD you should not carry out the transaction –consider reporting to the Financial Intelligence Unit (FIU).

But 4AMLD compliance is about understanding that compliance is not a ‘blunt instrument’.

It must be flexible and adaptive to the risks posed by a particular situation.

This is called the Risk Based Approach (RBA) and is greatly encouraged in the 4AMLD. It involves distinguishing between certain types of risks and assessing the extent and appropriateness of the measures needed to address such risks.

There are key factors that come into play, as listed in the 4AMLD are as follows:

  • Product characteristics (for example, a standard pension versus a new technology)

  • Customer profiles (public companies versus companies that have nominees)

  • Country characteristics (member states of EU versus countries with non-effective AML systems – the EU Commission keeps a list of such countries)

  • Relationship factors (purpose of account/level of assets/size of transaction/regularity, duration of relationship).

These factors can lead to a situation of low or high risk.

In “cases of higher risk” (article 18) enhanced due diligence (EDD) measures will be required.

Enhanced due diligence (EDD) measures are also required in other specified scenarios. For example, clients who may be politically exposed, correspondent banking relationships, life insurance and shell banks.

Some general enhanced measures include:

  • Examining the “background and purpose of all complex and unusually large transactions”,

  • Examining “all unusual patterns of transactions, which have no apparent economic or lawful purpose”,

  • Increasing the “degree and nature of monitoring of the business relationship, to determine whether those transactions or activities appear suspicious”.

The Joint Money Laundering Steering Group (JMLSG) in the UK suggests looking at “source of wealth and source of funds” as an enhanced due diligence measure: requesting “information as to the customer’s residential status, employment and salary details, and other sources of income or wealth […] in order to decide whether to accept the application or continue with the relationship”. This source of wealth measure is usually applicable when dealing with politically exposed persons, but can be applied in a more general manner for EDD.

Further guidance on the appropriate enhanced measures to be used is to be provided by European Supervisory Authorities.

There are, however, other 4AMLD obligations beyond customer and EDD measures.

If suspicious activity in your business is identified, this should be handled appropriately. If it is known, or suspected, or have reasonable grounds to suspect, that funds – regardless of the amount – are the proceeds of criminal activity or terrorist financing, a report should be filed to the FIU. All suspicious transactions should be reported.

In addition, there is record-keeping. Records should be retained for five years after the end of the business relationship to ensure an organised and responsive methodology. The 4AMLD intends to ensure that regulated companies are able to be respond to information requests (article 42).

3) Treatment of Virtual Currencies

How to treat virtual currencies and transactions involving virtual currencies.

Comprehensive guidance has been provided by the Financial Action Task Force (FATF) with regard to virtual currencies.

The FATF wrote a comprehensive report in June 2015 on the treatment of virtual currencies.

Its guidance – while specific guidance is produced by the EU commission or other ESAs – should be relied upon for regulated entities.

The FATF 2015 report identifies specific risks associated with virtual currencies and provides guidelines on how to deal with such risks.

The FATF states that “due to anonymity and the challenges to conduct a proper identification of the participant, convertible decentralised VCPPSs in general may be regarded of higher risk of ML/FT which would require the application of enhanced due diligence measures.”

This means that EDD will become the benchmark for the standard engagement of any new virtual currency customer.

While adhering to the CDD measures above you will also need to implement EDD measures such as identifying source of wealth and funds of a customer.

Other specific CDD measures that the FATF recommends
for virtual currency businesses are as follows:


“These, to the extent applicable, include: corroborating identity information received from the customer, such as a national identity number, with information in third party databases or other reliable sources; potentially tracing the customer’s Internet Protocol (IP) address; and searching the Web for corroborating activity information consistent with the customer’s transaction profile, provided that the data collection is in line with national privacy legislation.”


“At a minimum, financial institutions and DNFBP (Designated Non-Financial Businesses and Professions) should be required to maintain transaction records that include: information to identify the parties; the public keys, addresses or accounts involved; the nature and date of the transaction, and the amount transferred. The public information available on the blockchain provides a beginning foundation for record keeping, provided institutions can adequately identify their customers.”


“As with NPPS, VCPPS (Virtual Currency Payment Products and Services) business should consider, for occasional transactions above a given threshold, limiting the source of funds to a bank account, credit or debit card, or at least applying such limitations to initial loading, or for a set period until a transaction pattern can be established, or for loading above a given threshold.”


The FATF has encouraged the use of technology to manage risks appropriately. Some of these systems will provide information on the blockchain that can be used to corroborate information provided by a customer.

The 4AMLD comes into force by the summer of 2017. In the meantime, virtual currency exchanges and/or custodians should prepare to transition into a regulated environment. This means having controls and processes in place to become AML compliant. In addition, specific measures to deal with the particular risk profile of virtual currencies should be implemented.