Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
The European Crypto Initiative (EUCI) and its members welcome the opportunity to provide feedback on the EBA’s Consultation Paper on the draft Regulatory Technical Standards (RTS) under the new Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework. While the RTS are formally addressed to all financial institutions, it is important to note that their application to crypto-asset service providers (CASPs), as defined under Article 2(1)(6)(i) of the AML Regulation (AMLR), should account for the distinct operational models and risk profiles that characterise this part of the financial sector. This response offers a crypto-specific perspective, with a view to ensuring that technical standards reflect, rather than expand, the legislative intent of the Level 1 framework and apply fit-for-purpose risk modelling approaches to CASPs operating across the EU.
1. Ensuring Proportional and Effective Central Supervision of CASPs by AMLA
We strongly support the principle of AMLA’s central supervisory role as a cornerstone of a harmonised and credible EU-wide AML/CFT framework. However, we urge refinements in its application to crypto-asset service providers (CASPs), in order to ensure regulatory effectiveness, proportionality, and sectoral relevance.
The draft RTS under Article 12(7) AMLAR establish the methodology for selecting obliged entities for AMLA’s direct supervision. While CASPs are not explicitly singled out, their inclusion within the broader category of financial institutions renders them fully subject to these provisions. In this context, it is essential to ensure that the application of AMLA’s direct supervisory remit to CASPs is risk-based, targeted, and appropriately phased.
CASPs form a highly diverse category of actors, ranging from global exchanges to small service providers, with varying levels of maturity, systemic importance, and AML/CFT risk exposure. A uniform supervisory approach risks obscuring these distinctions and may ultimately reduce the efficiency and focus of AMLA’s operations.
A central concern arises from the thresholds used to determine cross-border relevance. Under the draft RTS, institutions operating in at least six Member States, either via establishment or the freedom to provide services, are eligible for AMLA supervision. Importantly, the proposed criteria for defining "operation" are set very low: 20,000 customers or €50 million in transactions in a Member State, with no requirement to meet both conditions. This design would be particularly challenging for CASPs, many of which provide inherently digital and cross-border services under the MiCA passporting framework. These thresholds risk capturing a large number of small and mid-sized CASPs that do not pose systemic risk, inflating the pool of entities eligible for AMLA supervision.
Such an approach could result in a significant capacity overstretch for AMLA, thereby undermining the system's efficiency. To deliver on its mandate, AMLA should focus on entities with demonstrable systemic relevance and heightened risk profiles. Supervisory resources diverted to low-risk actors may weaken the credibility and effectiveness of the overall framework.
Moreover, the current risk-scoring methodology lacks sufficient adaptation to the crypto sector. Several indicators listed in the Annex—such as volume of virtual asset exposure, customer geography, and cross-border flows—have a structurally inflationary effect on CASPs’ risk scores. For example, a CASP that operates as a staking-as-a-service platform or a fiat on/off ramp integrated with decentralised protocols usually deploys multiple sophisticated compliance frameworks, such as address-screening APIs, real-time anomaly detection, transaction context enrichment through blockchain analytics, circuit breakers to limit rapid fund movement, and rigorous endpoint security for user-facing infrastructure. Without factoring in such mitigation measures, the RTS risk prematurely classifying many CASPs as “high risk” and bringing them under AMLA’s remit despite limited systemic impact or proven threat levels.
In addition, the potential overlaps between AMLA’s supervisory scope and obligations under the Transfer of Funds Regulation (TFR) merit careful coordination. Ambiguity in the coordination of responsibilities between AMLA and national competent authorities (NCAs) may result in overlapping or conflicting supervisory expectations for CASPs, especially in areas such as customer identification and transaction monitoring. This is particularly burdensome for smaller CASPs with limited compliance capacity. A targeted and well-calibrated application of AMLA’s powers will help establish its role as a strategic EU-level supervisor, while respecting the primary oversight functions of NCAs.
Finally, while we note the EBA’s intention to publish an interpretative note alongside the final RTS, it is unfortunate that the current scoring logic and data weighting were not part of the public consultation. To foster accountability and informed implementation, the final framework should adequately reflect sector-specific risks and include meaningful engagement with affected subsectors, including CASPs.
We encourage the EBA to support a more targeted and risk-calibrated approach to AMLA’s supervisory portfolio. This would include:
- Prioritising entities based on real-world risk indicators and systemic impact;
- Refining the cross-border thresholds to distinguish between market penetration and incidental service reach; and
- Ensuring that risk mitigation measures—particularly technological safeguards—are factored into scoring mechanisms.
2. Ensuring Consistency with the Transfer of Funds Regulation and Level 1 Boundaries
As previously noted, CASPs already face a complex supervisory landscape. The RTS on Customer Due Diligence must not add contradictory or duplicative expectations, particularly in relation to the Transfer of Funds Regulation (TFR). There is a clear risk that the proposed RTS introduce overlapping or even contradictory obligations regarding customer identification and transaction monitoring, leading to legal uncertainty and added pressure on the smaller actors in the crypto space.
Furthermore, it is important to avoid any interpretation of the RTS that effectively expands Level 1 requirements through Level 2 instruments. The scope of obligations imposed on CASPs must remain within the boundaries of the AMLR and AMLAR, and should not be redefined via technical standards without proper democratic scrutiny. This principle of legal certainty is fundamental to the credibility and enforceability of the EU’s financial regulatory framework.
3. Supervisory Data Collection: Need for Clarity and Proportionality
While we support the EBA’s decision not to prescribe how data for the risk assessment should be collected, we remain concerned about the insufficiently defined nature of the indicators listed and the risk of inconsistent implementation across Member States. In the absence of further guidance or harmonisation, national supervisors may interpret data requirements in divergent ways, leading to compliance uncertainty for cross-border CASPs.
The crypto industry has consistently expressed concern with unclear and overly broad data collection expectations, particularly when they imply the collection of personal data that may not otherwise be required under MiCA, TFR, or AMLR. This is particularly problematic for services built on privacy-enhancing technologies or for business models that deliberately minimise personal data collection in order to reduce risk. Any further elaboration of the RTS should ensure that the principle of data minimisation is respected, and that no entity is indirectly required to collect more data than Level 1 mandates permit.
Conclusion
We welcome the EBA’s efforts to develop a robust and harmonised supervisory framework that reflects the evolving landscape of financial services in the EU. As CASPs come under the scope of AMLA’s oversight, it is essential that the final RTS are calibrated in a way that reflects the diversity of the sector, the specificities of crypto-related risks, and the importance of proportionality.
In particular, we encourage refinements to the thresholds for direct supervision, the integration of effective risk mitigation measures into the risk assessment model, and greater clarity regarding data collection expectations. These steps would help ensure that supervisory efforts remain focused, practicable, and consistent with the broader legal framework, including the Transfer of Funds Regulation and Level 1 provisions.
By tailoring its approach to the specificities of the crypto sector, the EBA can support both regulatory effectiveness and innovation, while reinforcing trust in AMLA’s role as a credible and risk-focused supervisory authority.
EUCI and its members remain committed to supporting the EBA’s work and stand ready to contribute further to the development of balanced, risk-based, and innovation-compatible supervisory standards for the crypto-asset sector.