On 2 May 2025, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published an annex (the Annex) to its guidelines on the Act on the Prevention of Money Laundering and Terrorist Financing (Wet ter voorkoming van witwassen en financiering van terrorisme, the Wwft), the Sanctions Act 1977 (Sanctiewet 1977, the SW), and the recast EU Transfer of Funds Regulation (Regulation (EU) 2023/1113, the TFR).

This Annex is specifically aimed at crypto-asset service providers (CASPs) and highlights key areas of supervisory focus intended to support CASPs in fulfilling their obligations under the Wwft, SW, and TFR. A summary of the main points covered in the Annex (which is available via this link) is provided below.

  1. Risk assessment

CASPs are expected to undertake comprehensive risk assessments tailored to their specific business models and client profiles. These assessments must:

  • incorporate insights from the national risk assessment (NRA), ensuring alignment with broader national anti-money laundering (AML) and counter-terrorist financing (CFT) strategies;
  • go beyond generic descriptions by addressing the unique characteristics of offered services and client types, backed by relevant data; and
  • take into account the guidelines of the European Banking Authority (the EBA) for credit and financial institutions concerning money laundering and terrorist financing risk factors.

  2. Self-hosted addresses

Self-hosted wallets remain a key supervisory concern due to the heightened integrity risks associated with them, particularly given the potential anonymity of the wallet owner. Crypto-asset transfers to or from such wallets raise significant AML/CFT issues and are cited as scenarios warranting enhanced due diligence. CASPs are expected to:

  • identify AML/CFT risks linked to transactions involving self-hosted wallets, both inbound and outbound;
  • conduct a risk assessment to determine when there is more than a minimal risk that funds or economic resources may be made available to sanctioned individuals or entities and implement measures to address such risks; and
  • develop clear internal policies outlining when the identity of the individual or legal entity controlling a self-hosted address must be verified and describe the specific verification steps to be taken.

  3. Sanctions Act

CASPs must implement effective measures within their administrative organisation and internal control systems (AO/IC) to ensure compliance with sanctions regulations. This includes conducting a sanctions risk assessment and adopting targeted mitigation strategies. Key expectations from the AFM include:

  • developing clear internal policies and procedures to mitigate the risk of engaging with sanctioned individuals or entities;
  • screening all customers and transactions against relevant sanctions lists, with continuous monitoring, ideally supported by automated systems; and
  • employing geolocation and IP proxy detection tools to identify and block access from sanctioned or high-risk jurisdictions.

  4. TFR

The TFR imposes strict requirements on CASPs regarding the transmission of information with crypto-asset transfers, commonly known as the Travel Rule. Under the TFR, CASPs must ensure that specific identifying information accompanies each transfer and that appropriate measures are in place to handle non-compliance. The AFM expects CASPs to take, among other things, the following measures:

  • define the scope of application by clearly outlining in internal policies which transactions fall under the TFR, including when the CASP acts as the originator and when as the beneficiary of a transaction;
  • ensure that all crypto-asset transfers are accompanied by the required identifying information as outlined in the TFR;
  • implement procedures to assess whether the transmitted information is complete and accurate;
  • establish escalation procedures for instances of missing or incomplete data, including the ability to delay or reject a transaction and determine whether to notify the competent authority; and
  • outline internal reporting policies for handling non-compliant or missing data, in accordance with TFR reporting obligations.