The AMLD5 dilemma of crypto-service providers: registration or license?
The fifth AML Directive has been transposed in national legislations in 2019-2020. The most important change that this directive has brought forward is the inclusion of crypto-service providers in its scope, as obliged entities.
As crypto-service providers, AMLD5 mentions Virtual Currency Exchange Providers (VCEP) and Custodian Wallet Providers (CWP). VCEP refers to entities that exchange fiat currency for virtual currency, while CWP refers to entities that safeguard the virtual money on behalf of their customers in the form of a digital wallet, and allows the customers to hold, store and transfer the virtual currency.
Being an obliged entity means that the crypto-service providers now have to implement their own AML Compliance Framework, including performing CDD, risk assessments and report suspicious activity. Moreover AMLD5 also allows Financial Intelligence Units to obtain the addresses and identities of owners of virtual currencies and anonymous safe deposit boxes will no longer be allowed.
The most controversial requirement, at least in the Netherlands, is the registration requirement, meaning that the crypto-service providers will now have to be registered with the competent authorities, in this case being DNB (the Dutch National Bank).
The reason why this requirement has been controversial is because of the manner it has been transposed in national legislation and implemented by DNB.
DNB expects crypto-service providers to comply not only with Wwft (the Dutch AML Act that transposes AMLD5), but also with Sw (Dutch Sanctions Act). Crypto-service providers have to effectively screen their customers and match the identity of a transaction with a natural or legal person or entity as referred to in the Sanctions Act. This means that for every transaction from and to external wallets the provider has to establish the identity and place of residence of the counterparty and check the sanction lists to prevent customers from having business relationships with sanctioned natural or legal persons.
This requirement also applies if a provider only allows transactions from customers to its own wallet. If the requirement is not complied with or if other information provided is incomplete or incorrect, DNB will not register the entity as a crypto-service provider.
The first company to raise concerns and to actually take DNB to court was Bitonic, with the latest update in their litigation being published on 7 April 2021. Bitonic argues that this implementation of the AMLD5 requirement is problematic because, according to them, it effectively turns the registration procedure into a licensing procedure, where the company needs to undergo extensive checks and controls before receiving approval to operate their business.
Bitonic is a crypto-service provider through which customers can send virtual currency exclusively to their self-managed wallet. Customers cannot do transactions with third parties. Therefore Bitonic claims the requirement imposed by DNB is unnecessary and burdensome for them and for their customers as well.
What they are also pointing out is that there is a big discrepancy between the Netherlands and other Member States, where such extensive requirements are not imposed before registration. This means that Dutch crypto-service providers have a disadvantage on the market because it is harder for them to make themselves attractive to customers over their international competitors that do not require such thorough identity screening processes.
Bitonic claims that DNB is overstepping its powers and extending the scope of AMLD5 by combining the provisions with the Sanctions Act. However, AMLD5 does not work on its own. Legislative acts that combat money laundering, corruption, fraud need to be read together in order to implement them as effectively as possible. According to DNB, the high degree of anonymity of crypto transactions raises the risks of misuse for money laundering, terrorist financing or doing business with sanctioned persons.
In its latest preliminary decision, the Court of Rotterdam has ruled that it will not suspend DNB’s registration requirement, but that DNB should provide further reasoning for the implementation of this requirement before the 6 week deadline when the court will give its final decision.
For now there is no clear answer whether or not the national competent authorities are allowed to make such additions and modifications to the European AML framework, but the developments in this case and in the cryptocurrency field are definitely worth following.