Response to consultation on draft amending Guidelines on risk based supervision
Go back
Subjects of assessment: According to the revision on the implementation of the RBS model, a competent authority is given the authority to make a decision to remove a crypto asset service provider (CASP) from a cluster when a different level of risk (unassociated with the initial cluster the CASP pertains to) is identified, the authority should consider applying the joint ESMA and EBA ‘Fit and Proper’ Guidelines and Titles II, III, IV and V of the EBA internal governance guidelines for AML/CFT purposes mutatis mutandis until the relevant, crypto asset industry-specific guidelines under the MiCA Regulation have been issued. While DCGG and its members agree that there should be a temporary set of guidelines to be enforced in such instances until the MiCA guidelines are finalised to mitigate potential risk, we strongly urge the EBA to consider whether the Fit and Proper and Internal Governance Guidelines reflect the operational realities of CASPs and whether the sector would be put in a disadvantage by having to comply with guidelines applicable to traditional service providers. We welcome further clarity from the EBA on the extent to which these existing guidelines would be applied to CASPs, taking into consideration their cross-border nature, size, volume, type of activity and internal AML controls. Alternatively, we recommend that, if the revision of these comprehensive sets of guidelines to be applied and aligned with the crypto asset sector appears challenging or administratively burdensome for supervisors, competent authorities wait until the MiCA guidelines are issued to ensure consistency and strengthen CASP-specific supervision for AML/CFT purposes.
Cooperation: We have no comments to suggest.
Sources of information: We fully support the inclusion of Blockchain analytics as a verified and trusted source of information to be used by supervisory authorities under paragraph 31(k). This is an important improvement and step forward toward properly reflecting the realities of the sector, and acknowledging the numerous benefits of Blockchain technology, especially in the context of supervision and monitoring, and fighting AML/CFT more broadly.
Sector-wide ML/TF risk factors: DCGG supports the inclusion of CASPs in paragraphs 37 and 38 to align supervisory treatment under the AML Package, and we strongly encourage the EBA to take a proportionate approach to assessing the risks stemming from the specificities of the ecosystem to avoid disadvantaging CASPs in comparison to obliged entities from the traditional finance sector.
Type of information necessary to identify risk factors: DCGG supports the inclusion of distributed ledger technology in paragraphs 41(l) and 45(a)(v) as it highlights the importance of the underlying technology for a better and more holistic understanding of the sector by competent authorities and delegated staff. Using blockchain as an advanced analytics tool would significantly strengthen the resilience of the EU AML/CFT system, as it allows for traceability and monitoring in real time, as well as improved, prompt and more efficient risk assessment than traditional tools.
With regard to the amendment made to paragraph 44(c), whereby the type of transactions carried out would also be considered as necessary information to identify risk factors, we believe further clarity is necessary as to the typology of transactions needed for supervisory assessment, e.g., transactions pertaining to particular use-cases, transactions between certain parties, etc. From our perspective, further details on this obligation would help avoid potential uncertainties and would ensure this piece of information is actually useful and effective for understanding and monitoring inherent risk factors on the side of the competent authority, and for understanding compliance obligations from the side of the CASP.
In a similar vein, we encourage the EBA to provide further context on the amendment to paragraph 44(f) whereby the business activities not only carried out, but also located in high-risk third countries would be considered a factor in risk assessment. In particular, we would appreciate more clarity as to how this amendment could transpose into the compliance procedures for obliged entities in the context of correspondent relationships between CASPs.
Individual risk assessments: Under Article 19a of the AML Directive, DCGG and its members suggest that this amended supervisory guideline and respective compliance obligation should be accompanied by the following caveat:
“the AML/CFT systems and controls listed in Article 8(4) and, provided that this is feasible, 19a of Directive (EU) 2015/849 are put in place and applied”
From our perspective, requiring CASPs to enforce internal controls to be able to gather sufficient information about a third-country respondent CASPs to assess their way of business and reputation based on publicly available information is in principle a sensible supervisory approach for mitigating potential risk. Yet, we would like to highlight that the inherently cross-border nature of Blockchain technology might not always allow for sufficient publicly available information or full disclosure of all business activities of a third-country CASP, especially if no business agreement exists. Therefore, we recommend that the EBA revisits this point to reflect this technical aspect of CASP correspondent relationships to alleviate a potentially significant administrative burden for obliged entities.
Furthermore, we recommend that supervisory authorities consider the involvement of reputable third party providers, i.e., blockchain analytics providers, which have the resources to provide verified risk assessments on on-chain activities and profiling of CASPs around the globe (e.g., Chainalysis Kryptos). This way, competent authorities would be able to more easily conduct their supervisory responsibilities and CASPs would not be subject to increased administrative burden to collect large quantities of information in relation to correspondent relationships.
Furthermore, we fully support the addition of technical expertise as a very important component of the training of the competent authority’s staff. In our view, technical knowledge is crucial to a proper supervisory oversight of the crypto asset industry given its nature. As touched upon in our response to Question 4, we also support the involvement of third parties (e.g., industry experts), in this case involvement and collaboration in the training process to ensure supervisory staff approaches the sector with adequate understanding and prevent putting the industry at a disadvantage.
Finally, DCGG would welcome clarity on the amendment to Guideline 4.4.’s section on Supervisory tools, whereby “information from any other relevant authority” is listed as a source of information to substantiate risk assessment. While we understand the necessity of conducting on-site reviews on top of off-site reviews when the latter is not considered sufficient or accurate, we would appreciate further details from the EBA as to which other authorities would be considered relevant in this process, for the purposes of providing certainty for CASPs on the monitoring process.
1. Do you have any comments with the proposed changes to the ‘Subject matter, scope and definitions’?
DCGG and its members have no comments and agree with the proposed changes to this section of the amended guidelines.2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?
On the proposed changes to Guideline 4.1., DCGG offers the following comments:Subjects of assessment: According to the revision on the implementation of the RBS model, a competent authority is given the authority to make a decision to remove a crypto asset service provider (CASP) from a cluster when a different level of risk (unassociated with the initial cluster the CASP pertains to) is identified, the authority should consider applying the joint ESMA and EBA ‘Fit and Proper’ Guidelines and Titles II, III, IV and V of the EBA internal governance guidelines for AML/CFT purposes mutatis mutandis until the relevant, crypto asset industry-specific guidelines under the MiCA Regulation have been issued. While DCGG and its members agree that there should be a temporary set of guidelines to be enforced in such instances until the MiCA guidelines are finalised to mitigate potential risk, we strongly urge the EBA to consider whether the Fit and Proper and Internal Governance Guidelines reflect the operational realities of CASPs and whether the sector would be put in a disadvantage by having to comply with guidelines applicable to traditional service providers. We welcome further clarity from the EBA on the extent to which these existing guidelines would be applied to CASPs, taking into consideration their cross-border nature, size, volume, type of activity and internal AML controls. Alternatively, we recommend that, if the revision of these comprehensive sets of guidelines to be applied and aligned with the crypto asset sector appears challenging or administratively burdensome for supervisors, competent authorities wait until the MiCA guidelines are issued to ensure consistency and strengthen CASP-specific supervision for AML/CFT purposes.
Cooperation: We have no comments to suggest.
3. Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1 – Identification of risk and mitigating factors’?
On the proposed amendments to Guideline 4.2., DCGG suggests the following comments:Sources of information: We fully support the inclusion of Blockchain analytics as a verified and trusted source of information to be used by supervisory authorities under paragraph 31(k). This is an important improvement and step forward toward properly reflecting the realities of the sector, and acknowledging the numerous benefits of Blockchain technology, especially in the context of supervision and monitoring, and fighting AML/CFT more broadly.
Sector-wide ML/TF risk factors: DCGG supports the inclusion of CASPs in paragraphs 37 and 38 to align supervisory treatment under the AML Package, and we strongly encourage the EBA to take a proportionate approach to assessing the risks stemming from the specificities of the ecosystem to avoid disadvantaging CASPs in comparison to obliged entities from the traditional finance sector.
Type of information necessary to identify risk factors: DCGG supports the inclusion of distributed ledger technology in paragraphs 41(l) and 45(a)(v) as it highlights the importance of the underlying technology for a better and more holistic understanding of the sector by competent authorities and delegated staff. Using blockchain as an advanced analytics tool would significantly strengthen the resilience of the EU AML/CFT system, as it allows for traceability and monitoring in real time, as well as improved, prompt and more efficient risk assessment than traditional tools.
With regard to the amendment made to paragraph 44(c), whereby the type of transactions carried out would also be considered as necessary information to identify risk factors, we believe further clarity is necessary as to the typology of transactions needed for supervisory assessment, e.g., transactions pertaining to particular use-cases, transactions between certain parties, etc. From our perspective, further details on this obligation would help avoid potential uncertainties and would ensure this piece of information is actually useful and effective for understanding and monitoring inherent risk factors on the side of the competent authority, and for understanding compliance obligations from the side of the CASP.
In a similar vein, we encourage the EBA to provide further context on the amendment to paragraph 44(f) whereby the business activities not only carried out, but also located in high-risk third countries would be considered a factor in risk assessment. In particular, we would appreciate more clarity as to how this amendment could transpose into the compliance procedures for obliged entities in the context of correspondent relationships between CASPs.
4. Do you have any comments on the proposed changes to the Guideline 4.3 ‘Step 2 – Risk assessment’?
On the proposed amendments to Guideline 4.3., DCGG suggests the following comments:Individual risk assessments: Under Article 19a of the AML Directive, DCGG and its members suggest that this amended supervisory guideline and respective compliance obligation should be accompanied by the following caveat:
“the AML/CFT systems and controls listed in Article 8(4) and, provided that this is feasible, 19a of Directive (EU) 2015/849 are put in place and applied”
From our perspective, requiring CASPs to enforce internal controls to be able to gather sufficient information about a third-country respondent CASPs to assess their way of business and reputation based on publicly available information is in principle a sensible supervisory approach for mitigating potential risk. Yet, we would like to highlight that the inherently cross-border nature of Blockchain technology might not always allow for sufficient publicly available information or full disclosure of all business activities of a third-country CASP, especially if no business agreement exists. Therefore, we recommend that the EBA revisits this point to reflect this technical aspect of CASP correspondent relationships to alleviate a potentially significant administrative burden for obliged entities.
Furthermore, we recommend that supervisory authorities consider the involvement of reputable third party providers, i.e., blockchain analytics providers, which have the resources to provide verified risk assessments on on-chain activities and profiling of CASPs around the globe (e.g., Chainalysis Kryptos). This way, competent authorities would be able to more easily conduct their supervisory responsibilities and CASPs would not be subject to increased administrative burden to collect large quantities of information in relation to correspondent relationships.
5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 – Supervision’?
DCGG supports and has no further comments to suggest on the majority of the proposed changes under Guideline 4.4., in particular on the matters of supervisory strategy, supervisory practices and the supervisory manual, supervisory follow-up, and feedback to the sector, including outreach and engagement with subjects of assessment when developing supervisory guidance.Furthermore, we fully support the addition of technical expertise as a very important component of the training of the competent authority’s staff. In our view, technical knowledge is crucial to a proper supervisory oversight of the crypto asset industry given its nature. As touched upon in our response to Question 4, we also support the involvement of third parties (e.g., industry experts), in this case involvement and collaboration in the training process to ensure supervisory staff approaches the sector with adequate understanding and prevent putting the industry at a disadvantage.
Finally, DCGG would welcome clarity on the amendment to Guideline 4.4.’s section on Supervisory tools, whereby “information from any other relevant authority” is listed as a source of information to substantiate risk assessment. While we understand the necessity of conducting on-site reviews on top of off-site reviews when the latter is not considered sufficient or accurate, we would appreciate further details from the EBA as to which other authorities would be considered relevant in this process, for the purposes of providing certainty for CASPs on the monitoring process.