EBA issues guidance to crypto-asset service providers to effectively manage their exposure to ML/TF risks

  • Press Release
  • 16 January 2024

The European Banking Authority (EBA) today extended its Guidelines on money laundering (ML) and terrorist financing (TF) risk factors to crypto-asset service providers (CASPs). The new Guidelines highlight ML/TF risk factors and mitigating measures that CASPs need to consider, representing an important step forward in the EU’s fight against financial crime. 

CASPs can be abused for financial crime purposes, including ML and TF. The risks of this happening can be increased, for example because of the speed of crypto-asset transfers or because some products contain features that hide the user’s identity. Therefore, it is important that CASPs know about these risks and put in place measures that effectively mitigate them. 

Today’s amendments aim to help CASPs identify these risks by providing a non-exhaustive list of different factors, which may indicate the CASP’s exposure to higher or lower levels of the ML/TF risk due to its customers, products, delivery channels and geographical locations.  Based on these risk factors, CASPs can develop understanding of their customer base and to identify which part of their business or activity is most vulnerable to ML/TF.  The Guidelines also explain how CASPs should adjust their mitigating measures, including the use of blockchain analytics tools. 

Given the interdependence of the financial sector, the new Guidelines also include guidance addressed to other credit and financial institutions that have CASPs as their customers or which are exposed to crypto assets. This risk is increased where credit and financial institutions engage in business relationships with providers of crypto-asset services which are not authorised under Regulation (EU) 2023/1114. 


By extending the scope of the ML/TF Risk Factors Guidelines, the EBA harmonises the approach that CASPs across the EU should adopt when implementing the risk-based approach to AML/CFT as part of their business. The deadline for competent authorities to report whether they comply with the Guidelines will be two months after the publication of the translations into the official EU languages. The amending Guidelines will apply from 30 December 2024.

The EBA has published Guidelines on risk-based AML/CFT supervisors of crypto-asset service providers (CASPs) and is currently consulting on the new Guidelines to prevent the abuse of fund and crypto-asset transfers for ML/TF purposes (the ‘Travel Rule Guidelines’), and on Guidelines on internal policies, procedures and controls to comply with restrictive measures that apply to CASPs as well as other financial institutions.

Legal basis 

Directive (EU) 2015/849 puts the risk-based approach at the centre of the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) regime. The requirements in this Directive were complemented by the mandate given to the EBA under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions.

Article 38 of Regulation (EU) 2023/1113 amends Article 18 of the Directive (EU) 2015/849 and mandates the EBA to issue guidelines on the risk variables and risk factors CASPs should take into account when entering into a business relationship or carrying out transactions in crypto-assets, including transactions originating from or directed to self-hosted addresses. It also introduced new provisions in Article 19b to Directive (EU) 2015/849, mandating the EBA to clarify the due diligence requirements CASPs should apply in high ML/TF risk situations, and when entering into correspondent relationships with respondents that are CASPs from non-EU countries.

Additionally, Regulation (EU) 2023/1114 brings crypto-asset services and activities within the EU regulatory scope and ensures that CASPs become subject to EU AML/CFT obligations and supervision. This ensures that the AML/CTF regulatory and supervisory framework is aligned with international recommendations and that the ML/TF risks associated with this sector are addressed and effectively managed.


Final report on amending Guidelines on MLTF risk factors

(718.11 KB - PDF)

Press contacts

Franca Rosa Congiu