Briefings

A New Frontier for AML Regulation: The Fifth Anti-Money Laundering Directive and Cryptocurrencies

Cryptocurrencies have been in existence for almost a decade, proliferating in number since the initial launch of BitCoin to approximately 2,000. Whereas the main distinction for the average consumer between fiat currencies is likely to be their value, or exchange rate, the host of cryptocurrencies are not only stores of value and units of exchange but also pieces of technology that potentially offer their users very different experiences.

We are in the midst of a period of fundamental importance for cryptocurrency companies, as they make the transition from market disruptors to established players on the financial system. This transition hinges upon how the international community of financial regulators chooses to regulate this virtual world. Regulation in most fields is reactive and implementing fundamental regulatory change can be a laborious process at the national level, let alone the international level. The rapid rise in the popularity of cryptocurrencies created a regulatory vacuum which is now tentatively starting to be filled in.

The EU has a reputation for being proactive when it comes to regulation and its fifth Anti-Money Laundering Directive (Directive 2018/843) (AMLD5), published on 19 April 2018 directly tackles the cryptocurrency market, bringing the key gatekeepers to crypto-trading within the ambit of the EU's anti-money laundering (AML) regime.

Why do Cryptocurrencies Need Regulation?

Banks spend billions each year on ensuring compliance with financial regulations and many are forced to spend even more in fines and litigation for failures to meet these standards. However, the fact that the crypto-market is on the cusp of a major regulatory revolution should be treated as an opportunity for a number of reasons.

Reputation & Business Mandate

The cryptocurrency market is growing exponentially. For this growth to be sustainable there needs to be confidence in the integrity and stability of the established players and new market entrants. Compliance with regulation, including AML, helps establish a level playing field and broadens the scope of investors willing to invest in what is still viewed by many as the 'frontier' of the financial market.

Investor Protection

Regulators' primary concern is to protect investors from excessive levels of uncertainty and risk.

The greater the level of regulatory compliance the cryptocurrency market takes on, the safer the market becomes, resulting in access to a far wider and deeper pool of investors. The big institutional investors, like pension funds, predominantly invest in established listed companies. The scalability of the cryptocurrency market depends upon the stability that regulation is designed to provide.

Prevention of Crime

Regulators have expressed their concerns over the potential misuse of cryptocurrencies by those with improper motives, including money launderers, sponsors of terrorism and ransomware hackers, seeking to take advantage of loopholes, legal grey areas and the lack of global consensus on the regulation of financial markets. Amongst their greatest concerns is the scope for anonymity that certain cryptocurrencies offer trading parties, which makes tracing transactions potentially very difficult.

Regulators' criticisms of the cryptocurrency markets are to an extent attributable to the length of time it is taking them to formulate regulations suitable for the market. The twin benefits that AML regulation in particular would bring to the cryptocurrency market are transparency and accountability, which could open the market up to more potential investors, confident that the sector is subject to enhanced regulatory oversight. However, this would pose something of an existential test for the market given that anonymity is seen by many as a crucial feature of the underlying technology.

What is the Impact of AMLD5 on the Cryptocurrency Market?

The treatment of cryptocurrencies across the EU currently lacks uniformity. Germany and Italy have already put in place national measures that mirror many of the requirements of AMLD5, whereas the UK has largely left the market alone, with the Financial Conduct Authority (FCA) taking the view that pure (or spot) cryptocurrencies do not qualify as "specified investments" that would be subject to the restrictions imposed by the Financial Services and Markets Act 2000. However, to the extent that a financial product labelled as a cryptocurrency is actually a security, or has the attributes of a specified investment and/or financial instrument, then the FCA's view would be that these would be subject to the UK financial services regulatory regime. Indeed, the financial press has recently reported that a number of cryptocurrency firms have been subject to regulatory scrutiny in respect of their activities and the FCA has launched investigations against a number of firms seeking to determine whether they were carrying on regulated activities without authorisation.

Consistent Framework

For the uninitiated, the world of cryptocurrencies appears rife with esoteric terminology, far removed from the established, albeit also complex, lexicon of the traditional financial markets. As cryptocurrencies are inherently international, capable of being traded instantaneously across the globe, it is important that regulators adopt a consistent approach to the market. We are a long way from achieving a global regulatory framework but AMLD5 does help institute a common framework for regulators across the EU to adopt when dealing with cryptocurrencies, including its first official definition of what a "virtual currency" actually is¹.

Enhanced Scope of the AML Regime

The EU's AML regime applies to "Obliged Entities" (OEs). AMLD5's predecessor AMLD4 introduced this term, replacing "Designated Entities". AMLD4's definition of OEs covered the established players in the financial markets, from banks to law firms and estate agents – the traditional targets of money launderers.

AMLD5 expands the scope of the OE definition to cover virtual currency exchange platforms (VCEPs), which trade cryptocurrencies in exchange for fiat currencies, just like platforms for trading listed securities, and custodian wallet providers (CWPs), which hold private accounts on customers' behalves, like a virtual bank account.

Due Diligence & KYC

By bringing these gatekeepers of the cryptocurrency market within the EU's AML regime, AMLD5 imposes the same compliance obligations on VCEPs and CWPs as on any other OE. They will need to undertake the following procedures:

1. Registering with their national AML regulator
2. Due diligence processes to identify and verify the transacting party
3. Due diligence processes to identify the beneficial owners of these parties (being entities holding a 25% or greater interest)
4. AML risk assessment procedures for transactions
5. Monitoring and reporting mechanisms for suspicious transactions
6. Record-keeping of the above-mentioned procedures.

In practical terms, these obligations will mean enhanced costs for VCEPs or CWPs, who will need to implement appropriate systems and controls, including ensuring they have suites of policies that can be applied uniformly, staff training and risk assessments to determine what each entity's particular AML vulnerabilities are. These are all areas that HFW has experience advising on.

Impact on Individual Users

The dilemma for regulators is that the peer-to-peer nature of the blockchain technology upon which cryptocurrencies operate allows parties to conduct transactions directly, without the need for intermediaries who might act as AML checkpoints.
The solution advocated by AMLD5 is the proposal that each member state create a central database to register users' identifies and wallet addresses. EU regulators would be authorised to access the contents of the databases in a bid to increase the transparency of the whole EU-wide cryptocurrency market. This is similar to requirements on energy market participants to register with Agency for the Cooperation of Energy Regulators (ACER) under REMIT.

AMLD5 also raises the possibility of allowing cryptocurrency users to voluntarily self-declare themselves to their regulator through specific forms.

How Does AMLD5 Compare With Regulation Elsewhere?

Regulators outside the EU have also taken major steps toward regulating cryptocurrencies, including imposing AML obligations.
In the US, AML obligations are triggered through classification as a "financial institution" – VCEPs, CWPs and many issuers of cryptocurrencies will be caught by this definition and be required to undertake AML measures including maintaining records and reporting suspicious activity. Notably, the US does impose AML obligations on not only the buying and selling of cryptocurrencies for fiat currencies but also the exchange of one cryptocurrency for another ², an area that AMLD5 is silent on.

The lack of regulatory uniformity across Asia is notable. In Japan VCEPs, known as "Virtual Currency Exchange Operators" must be registered and ensure AML compliance. These entities have even formed their own self-regulatory body earlier this year, the Japanese Cryptocurrency Exchange Association, that will seek to create best practice across the national market³. In contrast, China has adopted a prohibition on the issuing of cryptocurrencies and the use of VCEPs, restricting the market to peer-to-peer trading between individuals.

What About Initial Coin Offerings (ICOs)?

If cryptocurrencies are the new frontier of the financial system, then ICOs represent the cutting edge of this frontier. They have grabbed headlines in recent years as the cryptocurrency market's answer to venture capital funding and angel investing. ICOs raise funds by issuing tokens or units in a cryptocurrency to investors in exchange for cryptocurrency – the nature of these tokens differs between ICOs but in essence the investor hopes that the value of the token increases.

AMLD5 does not state that the developers and issuers of tokens used in ICOs are OEs and therefore they are not subject to the EU's AML regime. ICO issuers still need to exercise caution as their activities may result in them being caught by other aspects of the EU's system of financial regulation under the Markets in Financial Instruments Directive (MiFID II). The European Securities and Markets Authority (ESMA) has warned that issuers could be deemed to be engaging in "investment activities", particularly if their tokens qualify as financial instruments⁴, while the FCA states that issuers may be engaging in "regulated activities" under the UK financial services perimeter.

What Next?

While the deadline for implementation of AMLD5 is 10 January 2020, after the March 2019 Brexit deadline, the UK is likely to implement AMLD5. So far in Brexit negotiations, the Government has sought to allay concerns that the UK, and the City specifically, will become a low-regulation financial hub on the EU's doorstep, indicating that the cryptocurrency market will not be able to avoid requirements akin to financial institutions.

Entrants to the cryptocurrency market are advised to take a proactive approach to regulation. Rather than waiting for regulators to draw red lines, companies should actively consider whether they need to take action now. While regulators have expressed caution about cryptocurrencies, the FCA does tend to be quite open minded with respect to innovation. For instance, the FCA's regulatory "Sandbox"⁵ programme allows companies the space to test the regulatory impacts of their commercial activities before launching on a national or international scale.

Overall, AMLD5 is an indication that the EU accepts that cryptocurrencies are here to stay and, as such, it is likely that further regulation will follow. The cryptocurrency market will have to adapt but it should take comfort from the fact that policymakers and regulators, like investors, do not want to miss out on the next big thing.

For more information please contact the author of this briefing:

Adam Topping
Partner, London
T +44 (0)20 7264 8087
Eadam.topping@hfw.com

Footnotes

1. A "digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency and does not possess a legal status of currency or money, but is accepted by natural or legal persons as a means of exchange and which can be transferred, stored and traded electronically"
2. Page 2 of FinCEN's 2013 Guidance: https://www.fincen.gov/sites/default/files/shared/FIN-2013-G001.pdf
3. https://cointelegraph.com/news/japan-finally-gets-self-regulatory-body-for-cryptocurrency-exchanges
4. https://www.esma.europa.eu/sites/default/files/library/esma50-157-828_ico_statement_firms.pdf
5. https://www.fca.org.uk/firms/regulatory-sandbox