Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Blockchain for Europe welcomes the opportunity to provide feedback on the draft Regulatory Technical Standards (RTS) proposed by the European Banking Authority (EBA), in response to the European Commission’s Call for Advice regarding the mandates for the new Anti-Money Laundering Authority (AMLA).

As the leading industry association representing blockchain and digital asset stakeholders in Europe, Blockchain for Europe is committed to fostering innovation and supporting a regulatory environment that promotes both growth and integrity within the European digital asset ecosystem. Our members span across the blockchain and crypto-asset value chain, unified in their aim to support a responsible and proportionate regulatory approach that strengthens financial integrity, improves access to financial services, and effectively combats financial crime.

We commend the EBA’s work in setting out a clear and technically sound foundation for a harmonised AML supervisory framework. The move toward greater regulatory coherence at the EU level, as envisaged in the AML legislative package, is a positive and much-needed development. In our view, harmonisation must be underpinned by a robust risk-based approach and grounded in the principle of proportionality.

We believe AMLA can play a central role in realising the EU’s policy objectives, notably by streamlining supervisory processes and reducing the administrative burden on crypto-asset service providers (CASPs) operating across multiple Member States. A well-calibrated supervisory regime will not only enhance compliance outcomes but also foster innovation and investment in Europe’s digital finance ecosystem.

Blockchain for Europe remains committed to working collaboratively with EU institutions and regulators to ensure the development of practical, risk-sensitive, and future-proof AML rules that support both market integrity and technological advancement.

RTS under Article 40(2) of the AMLD

Question 1
Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We believe the RTS proposals do not align with the EBA’s guiding principles, particularly those relating to proportionality, risk-based supervision, and harmonisation across sectors and Member States. We have several concerns about the proposed approach for assessing and classifying the risk profile of obliged entities.

Data requirements for risk classification
While we welcome the EBA’s aim to align AMLA’s and national supervisors' methodologies (per Article 12(7)(b) AMLAR and Article 40(2) AMLD6), we are concerned that the granular data points listed in Annex 1 impose excessive operational burdens on obliged entities. These requirements may undermine the objective of proportionality and create significant cost and complexity for firms.

Interaction with obliged entities’ own risk assessments
The RTS does not clarify how the proposed supervisory assessments relate to the existing obligations under Article 10 AMLR, which already requires entities to conduct comprehensive, data-driven, business-wide risk assessments. AMLA is also expected to issue further guidelines on these assessments by July 2026.

Given that both supervisors and obliged entities will use similar data, the need for supervisors to duplicate these assessments is unclear. Article 40(2) AMLD6 mandates the development of a methodology, but not that supervisors must carry out the assessments themselves. Supervisory discretion, per Article 40(3) AMLD6, seems more appropriate.

Recommendation
We recommend that the RTS be revised to explain how the business-wide risk assessment under Article 10(4) AMLR will be taken into account by Member State supervisors. This will help ensure that the methodology used by obliged entities aligns with the approach used by supervisors under Article 40(2) AMLD6.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

As noted in our response to Question 1, we believe the data points listed in Annex I are overly granular and disproportionate, placing a significant operational burden on firms to build infrastructure and processes to meet these requirements.

For CASPs, several data points cannot be reliably collected, particularly those relating to geographical locations of on-chain transactions. Blockchain transactions inherently are geographically agnostic and it can be extremely difficult, if not impossible, to exactly determine the geographic origin or destination of a specific transaction based solely on on-chain analytics. On-chain analytics delivers valuable insight into the wider context of on-chain transactions, but it typically requires supplementary information such as user data or further off-chain context to establish the geographical location of a sender or receiver (we would be happy to explore this topic in more detail upon interest with data analytics providers). While Travel Rule data may help, it does not accurately reflect the true geographic source of transactions and is inconsistently implemented across jurisdictions (“Sunrise Issue”).

Moreover, some data points are not well-suited to the digital asset business model. For example, the number of customers holding crypto or the total assets in custody do not meaningfully indicate risk, as these figures fluctuate with market conditions and do not reflect how assets are used. More meaningful indicators would include the volume/amount of transactions associated with high-risk wallet addresses or counterparties – identified through advanced blockchain analytics – which provide enhanced alignment with the actual risk profiles of CASPs and enable more effective detection of suspicious activities leading to safer ecosystems.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Conducting risk assessments is resource-intensive, requiring staff time, data collection, and potential hiring to meet analysis demands, especially if firms must follow both the proposed RTS methodology and existing local frameworks.

Annual reviews would significantly increase compliance costs, while a reduced frequency such as once every three years would meaningfully lower the burden. This approach aligns better with a risk-based model, as a firm’s size and overall risk profile typically do not shift dramatically year-to-year. Firms may conduct internal assessments more frequently for business and compliance purposes, but these serve different objectives than AMLA’s supervisory oversight.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

We generally support Option 4(c) as it aligns with a risk-based approach but suggest adding further criteria. Specifically, large obliged entities should qualify for reduced frequency (every three years) if there’s been no material change in their risk profile.

Additionally, obliged entities should be able to trigger an ad hoc review if they believe their risk profile has changed significantly and they no longer meet the criteria for enhanced oversight.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

EEA transactions should be considered lower risk given the harmonised MiCA framework and enhanced cooperation among Member States, law enforcement, and FIUs.

This does not mean all non-EEA jurisdictions are high risk. Instead, third countries should be assessed individually using a clear, published methodology to assign appropriate risk ratings. We also highlight the value of on-chain analytics in assessing the risk profile of a CASP’s counterparties, enabling real-time due diligence and a more dynamic understanding of AML risk.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

We do not agree with the thresholds in Article 1 of the draft RTS and believe they should be raised.

Customer threshold: The proposed 20,000-customer threshold is too low. Many obliged entities, especially CASPs, will easily exceed this due to passporting rights. This could overwhelm AMLA’s capacity and dilute its focus on high-risk entities. The threshold also doesn’t distinguish between active and inactive customers, which is crucial in the digital asset sector where many accounts are dormant for long periods.

Transaction threshold: The €50 million transaction threshold is also too low and can be met by a small number of high-net-worth clients. This doesn’t accurately reflect material risk or operational scale and may lead to over-inclusion of low-risk entities.

We propose increasing the customer threshold to 500,000 active customers, defined as custodial clients who transacted within the last year. Secondly, we suggest removing the transaction threshold altogether, as it does not reliably indicate risk or scale.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

We do not support lowering the thresholds in Article 1. As outlined in our response to Question 1, the current thresholds are already too low and should instead be increased to better target truly high-risk entities.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We believe there should be a distinction between retail and institutional customers, as they carry different ML/TF risk levels. Retail customers typically involve lower-risk, lower-value transactions, while institutional clients, especially in correspondent relationships, pose higher inherent risks and require enhanced due diligence. The RTS should reflect this distinction when setting thresholds.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We have concerns about the proposed methodology. It’s unclear who exactly performs the assessment – AMLA alone, or in collaboration with financial supervisors – and how this aligns with obliged entities’ own risk assessments under Article 10(4) AMLD6. There’s also no clarity on resolving disagreements between supervisors. More guidance is needed early on to ensure coherence and help entities plan, especially those operating cross-border.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We disagree with disallowing adjustments to inherent risk scores. Qualitative overrides are essential when quantitative data doesn’t fully reflect a firm’s risk. However, such overrides should be limited to defined scenarios, require clear justification, and be approved at a senior level to prevent misuse.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We have concerns with the group-wide scoring methodology in Article 5. While aggregating affiliate data is standard, the proposed use of three metrics may produce conflicting results and fail to reflect the true risk contribution of each entity. A more flexible approach that considers the most relevant weighting factors per affiliate is needed.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

No, the parent company and affiliates should not be given equal weight in group-wide risk assessments. This could distort results, especially for EU-regulated CASPs, as non-EU entities may offer different services or operate under different controls. Only the control environment of EU-regulated entities should be used to assess their residual risk.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

The transitional rules are generally appropriate, but more guidance is needed on how control environment scores may be adjusted after supervisory exams. For example, downgrades should only follow material regulatory actions or significant control issues to ensure consistency across supervisors and avoid unjustified score changes.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We believe parts of Section 1 of the draft RTS should be revised, as some provisions impose disproportionate KYC obligations that go beyond the intent of the AMLR and introduce unnecessary operational burdens.

• Article 3 (Place of Birth): Requiring both city and country of birth is excessive. Country alone suffices for risk assessment and avoids excluding vulnerable populations or increasing costs to update legacy customer data.
• Article 5 (ID Verification): The definition of "identity document" should be clarified and expanded to include commonly accepted forms (e.g., driver’s licences, residence permits). The criteria should be flexible and not require all listed attributes to avoid excluding customers or driving them toward unregulated channels.
• Articles 9 & 12 (Beneficial Owners & Senior Managers): We support the use of “reasonable measures” but propose clarifying that these examples are non-exhaustive and allowing use of central registers as a valid source. The same flexibility should apply to verifying persons acting on behalf of legal entities.
• Article 13 (Trust Beneficiaries): Identification should occur only at the time of payout or exercise of rights, not at onboarding, to align with AMLR Article 22(4).

Overall, these changes would reduce compliance burdens while still meeting AML/CFT objectives.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We support allowing reliable remote onboarding solutions alongside e-IDAS, as not all customers have access to e-IDAS credentials. However:

• Article 6(3): Requiring explicit consent for remote identification is duplicative, unnecessary under GDPR, and operationally burdensome. It should be removed.
• Article 6(4)(b): Limiting verification to “end-to-end encrypted video chats” is overly prescriptive and not technologically neutral. Other secure, biometric methods (e.g., selfie, liveness, motion tests) used by leading vendors are equally effective and widely adopted. Mandating live video chats would significantly increase compliance costs and raise privacy concerns.

We recommend amending Article 6 to allow a broader range of secure, remote identification technologies. These solutions can provide equal or better protection against identity fraud compared to e-IDAS and should be a permanent option, in line with the EBA’s stated goal of technological neutrality.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We recommend clarifying Articles 15 and 16:

• Article 15(d): The term “determine” source of wealth is unclear and suggests verification, which is only required for PEPs under AMLR. We propose aligning with Article 34(4)(c) and using “obtain additional information” instead.
• Article 16(d): Requiring customers to identify expected recipients, jurisdictions, and intermediaries upfront is unrealistic and would impose enormous compliance costs. Existing monitoring and the EU Funds Transfer Rule already mitigate these risks.

We suggest providing a non-exhaustive list of recipient types and removing overly prescriptive requirements.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We recommend clarifying Article 22. It’s unclear if the 5-year update requirement applies only to pre-AMLR low-risk customers. To align with Article 26(2) AMLR, we propose confirming that in low-risk cases, updates should follow a trigger-based approach with a 5-year backstop for all customers where no trigger event occurs.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Retail financial services offered to individuals, such as deposit accounts, credit cards, and small personal loans, should be deemed lower ML/TF risk when certain conditions are met (e.g., customer is not a PEP or from a high-risk jurisdiction, sanctions screening is performed, and ongoing monitoring is in place). These services involve low-value transactions and pose minimal risk.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We disagree with the requirement to collect “original or certified copies” of documents from high-risk customers. This approach is outdated and impractical for remote onboarding. Instead, obliged entities should be allowed to use risk-based methods to assess document reliability without requiring certified physical copies.

Name of the organization