Response to consultation on revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors

Question 1: Do you have any comments on the proposed changes to definitions?

The Wolfsberg Group (the Group) welcomes the opportunity to comment on the EBA’s proposed guidelines on variables and factors to be considered by credit and financial institutions, including crypto asset service providers (CASPs), when addressing money laundering and terrorist financing (ML/TF) risks. The Group further welcomes that the EBA acknowledges that the ML/TF Risk factor Guidelines apply to CASPs “as they do to other firms” and notes the affirmation of this principle in the new section 21.1.

The Group is of the view that those who undertake the same activity and create the same risk should be subject to the same rules. The Group recommends that the EBA enhances its approach to supervision for all entities including CASPs that engage in the movement of financial value and notes that this Principle as it applies to crypto-asset activities was reaffirmed by the FSB in a publication on 17 July 2023.

Definitions for CASP activities have evolved rapidly over recent years as have international standards (for example, FATF’s ‘Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers’ issued in 2021) and the Group recommends that the EBA ensure that CASP-specific definitions are clearly understood by all parties. The Group has recognised challenges in this space and is currently in the process of seeking to produce a standardised set of definitions to ensure that everyone has a consistent idea of the same concepts when discussing whether the activity is the same. The Group would welcome the opportunity to review this further with the EBA.

With regards to definitions and terms used throughout this document, the Group notes that ‘bank’, ‘firm’, ‘Money Service Business’, ‘PSP’ (defined on page 26 as Payment Solutions Providers, which differs from the definition used in the second Payment Services Directive which defines it as Payment Service Provider), and ‘CASP’ are used in various places through the Guidelines and requests that there be greater consistency. We would suggest the inclusion of a definitions section where it can be made clear that the Guidelines apply to all these types of entities and that they are referred to as ‘firms’ throughout.

Section 12p) includes a reference to ‘bank accounts’ which we suggest is too specific as, for example, pooled wallets can exist and Payment Service Providers other than banks may provide similar functionality.

Question 2: Do you have any comments on the proposed changes to Guideline 1?

The Group considers that an ML/TF assessment should be conducted at the product’s design as well as periodically if the way that the product is configured or used, or the market in which it is offered, varies significantly from inception. This will ensure that risk assessment is a dynamic process rather than being fixed at a point in time.

The Group recommends that the term ‘launching’ not be used as new products may be made available initially as a pilot, trial, or proof of concept whose limited scope might not be considered by its provider as a ‘launch’ – the Group suggests referring to product provision in order to cover this nuance.

Question 3: Do you have any comments on the proposed changes to Guideline 2?

The Group recommends deleting ‘unregulated’ in the following text “for example ……, unregulated businesses that provide services….” since virtual currency activities are usually viewed as inherently high risk and requests the EBA to verify whether the reference made to Guideline 9.21 should be to the new Guideline 9.21 or 9.20.

Please refer to our response to Question 1 regarding definitions and the use of the term ‘Money Service Business’ in this proposed addition.

Question 4: Do you have any comments on the proposed changes to Guideline 4?

The Group has two comments relating to Guideline 4.6:
1) Referencing lists of published red flags is likely to result in a static and ineffective approach to risk management as the publication of the red flags means that they are visible to criminals who can be expected to alter their behaviour based on what they read. The Group recommends that references to red flags also include references to a risk-based approach and the need to consider other factors as they become known to the industry or to the firm.
2) The reference to ‘economic rationale’ in Guideline 4.60 excludes the possibility of rationales that may be broader than simply economic; the Group suggests referring to ‘business purpose and/or economic rationale’.

The Group also wishes to highlight that the revised ‘CDD measures to be applied by all firms’ do not include any provisions relating to the need to understand the types of crypto asset that the underlying customer is offering or facilitating. We believe that, regardless of whether a firm is facilitating crypto asset transactions associated with the CASP customer or not, firms should have a general understanding of the types of the crypto assets their customers are engaged in. The same observation is relevant to Guidelines 8 and 9.

Question 5: Do you have any comments on the proposed changes to Guideline 6?

The Group supports these amendments but recommends a revision to the newly added 6.2d) as this appears directed at a smaller set of staff than those affected by a)-c). We recommend 6.2d) be amended as follows:
“d) How to use automated systems RELEVANT TO THEIR RESPONSIBILITIES, including advanced analytics tools, to monitor transactions and business relationships, and how to interpret the outcomes from these systems and tools.”

Question 6: Do you have any comments on the proposed changes to Guideline 8?

The Group believes that the extension of correspondent banking-like obligations to CASPs who provide services to other CASPs is appropriate and warranted. However, to the extent that usage of terminology such as ‘correspondent’ and ‘respondent’ may not be common practice by CASPs, a clear statement that this is what the Guideline means would be beneficial. This is especially necessary in the newly added 8.8d) where reference to the respondent assessing its customers could be taken to imply that the correspondent has an obligation to determine this – please also see our response to Question 7 on KYCC below.

We have three observations on Section 8.17c):
1) The proposed revision to 8.17c) contains a reference to ‘correspondent banking services’ which does not seem appropriate and could cause confusion if not changed – we would suggest ‘correspondent services’ instead to be clear that such services could be provided by PSPs other than banks.
2) We suggest that the following edit be made in the third sentence, since, in practice, evaluating a customer’s transaction monitoring tool is performed at a high level: “This assessment should include CONSIDERATION OF the transaction monitoring tools in place to ensure that they are adequate for the type of business carried out by the respondent.”
3) We suggest amending the fourth sentence references so that it reads “This assessment should be documented appropriately in line with the correspondent’s policies and procedures using a risk-based approach” as this provides practical guidance.

Question 7: Do you have any comments on the proposed changes to Guideline 9?

Please see our response to Question 1 regarding definitions as several of the sections under Guideline 9 refer only to banks. We recommend that these apply more broadly to firms, rather than just banks, in line with the principle of same activity, same risk, same regulation/supervision.

Guideline 9.16 seems to suggest that there is a KYC obligation by the firm towards the CASPs’ customers. The situation described in 9.16 is that of a correspondent relationship. The international standard as well as industry practice in these situations is to NOT KYC the customer’s customer (see FATF Guidance on Correspondent Banking Services, 2016, p.4; BaFin Guidance section 5.5.1, p.10; ACPR Guidelines on Correspondent Banking, paragraph 41 on p.18). Following the logic that we support, i.e. to apply similar rules to CASPs where similar rules can be applied (please see also our additional remark under question 6), we ask that the EBA puts the focus under 9.16 on the CASPs rather than the CASPs’ customers. If the responsibility is not placed on the CASP, it may result in derisking of correspondent services businesses as many may deem this requirement as impracticable.

We recommend that Guideline 9.17 require CASPs to perform EDD when they determine that their customer poses high ML/TF risk.

Question 8: Do you have any comments on the proposed changes to Guideline 10, 15 and 17?

The Group supports the amendments.

Question 9: Do you have any comments on the proposed changes to Guideline 21?

The Group supports the amendments.

Name of the organization

The Wolfsberg Group