On 31 May 2023, the European Banking Authority (EBA) published a Consultation Paper setting out proposals to amend its guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering (ML) and terrorist financing (TF) risk associated with individual business relationships and occasional transactions (ML/TF Risk Factors Guidelines) under Articles 17 and 18(4) of the Fourth Anti-Money Laundering Directive.


Crypto-asset service providers (CASPs), as well as other credit and financial institutions, are exposed to ML/TF risks. For CASPs, these risks can be increased, due to, for example, the use of technologies, instant transfers of crypto-assets across the world and services that contain privacy-enhancing features.

The EBA is proposing to amend its ML/TF Risk Factors Guidelines to set common, regulatory expectations of the steps CASPs should take to identify and mitigate these risks effectively.


The amendments introduce new sector specific guidance for CASPs, which highlights factors that may indicate the CASP’s exposure to the higher or lower ML/TF risk. CASPs should consider these factors when carrying out the ML/TF risk assessments of their business and customers, at the outset and during the business relationship.

The amending guidelines:

  • Highlight the specific factors in Title I of the Risk Factor Guidelines, that reflect specific features of crypto-assets and CASPs and which should be considered by credit and financial institutions when entering into a business relationship or correspondent relationship with CASPs.
  • Emphasise the need for a secure remote onboarding tool to be put in place by credit and financial institutions.
  • Provide further guidance for credit and financial institutions when entering into business relationships with service providers in a crypto-assets’ ecosystem established in a third country, that are not regulated under either the upcoming MiCA Regulation, or under any other relevant EU regulatory framework.
  • Provide guidance on mitigating measures CASPs should apply in situations where the risk is either increased or reduced.
  • Provide new sector-specific guidance for CASPS in Title II of the ML/TF Risk Factors Guidelines (Guideline 21), explaining the risk increasing and reducing factors that CASPs should consider when assessing risks associated with their customer business relationships. In addition to cross-sectoral risk factors relevant in all sectors, the guidelines emphasise the risks of CASPs that are associated with:
  • Transactions, such as transactions with self-hosted addresses or with service providers in a crypto-assets’ ecosystem established in a third country that are not regulated under the MiCA Regulation, or under any other relevant regulatory framework within or outside the EU.
  • Products such as those containing privacy-enhancing features or allowing the use of cash and crypto-ATMs when exchanging crypto-assets to fiat currencies.
  • The nature of customers and their behaviour, for example, customers who use IP addresses that are linked to the dark-net or customers that are involved in crypto mining in high-risk jurisdictions.
  • The customers’ or beneficial owners’ links to high-risk jurisdictions or transactions to/from jurisdictions associated with high risk of ML/TF, including the location of crypto-ATMs in those jurisdictions.

Next steps

The deadline for comments on the Consultation Paper is 31 August 2023.