EU Fight against Crypto-Related Financial Crime

  • March 1, 2019

There has been a lot of engagement from the different European authorities regarding cryptocurrencies, their classification, application of different regulations and efforts to reduce risks connected to this issue. When we talk about the financial crime it is important that potentially exposed business (also known as a high-risk business) does not only have proper regulations to follow, but also internal bylaws, procedures, and strategies put in place, to mitigate risk.

This article will summarize the efforts of the European Union and its member states in fighting financial crime by enacting new EU and national regulations. All the relevant crypto industries will be mentioned in light of the relevant laws.


There are many forms of financial crime practices. This includes all kinds of frauds (for example: bank fraud, payment fraud, friendly / chargeback fraud), market manipulation, tax evasion, identity theft, counterfeiting, forgery, money laundering, terrorist financing, confidence tricks (also known as exit scams), investment frauds such as Ponzi and pyramid schemes, etc.

Most of the above-mentioned cases can also be seen in the crypto business, and as a fintech lawyer myself, who helps crypto businesses put in place all the procedures, bylaws and strategies, I learn (and fight against) new tricks to circumvent the law practically every day.

Financial crimes are very appealing to organized groups, due to the fact that the likelihood to detect and prosecute them is low because of the complexity of the investigations required. On the other hand, there are high profits associated with such crimes, and money laundering is one of the areas of the most specific interest of EUROPOL.

When fighting financial crime it is important to have in place such regulation that will require a certain amount of disclosure of different kinds of data and information about the (suspicious) transactions and data subjects. Certain information is necessary to prevent money laundering, terrorist financing, and tax evasion, which are the types of crimes of the highest magnitude and can potentially cause the greatest general damage.



In May 2018, European Union adopted the amended Anti-money laundering  legislation (the 5th AML Directive) with the aim to fight against the threat of money laundering and terrorist financing, brought to their attention due to the fact of the anonymity (and pseudo-anonymity) of cryptocurrencies.

The Directive now extends the scope of persons to which the Directive applies and also addressed virtual currencies, prepaid cards, and digital wallet providers. Among other things, the Directive:

  • enacts enhanced due diligence measures in connection to financial transaction flows that involve high-risk countries,
  • increases the transparency measures, including enhanced access to beneficial ownership registers,
  • obliges Member States to create lists of politically exposed persons (hereinafter: PEP),
  • gives more powers to the relevant authorities and financial intelligence units,
  • ends the era of anonymous safe deposit boxes and vaults at banks,
  • addresses tax obligations for certain activities (for example traders who trade volumes over 10.000 EUR),
  • gives the interested parties public access to the real-estate property registries,
  • Lowers thresholds for e-money transactions and prepaid cards.

Note, that the Directive is not directly applicable, which means that all the Member States have to implement the rules of the Directive into their national laws. Certain countries already did it, I have named a few most notable ones below.

With enhanced rules of the 5th AML Directive stated above the cases of money laundering, terrorist financing and tax evasion should be properly monitored. Of course, there are still black holes in this system, such as pure crypto-to-crypto exchanges, miners, hardware wallet providers, among others. The 5th AML Directive could potentially expand its scope of application, according to the Study of the EU Parliament on the Legal context and implications for financial crime, money laundering, and tax evasion.


The issue of anonymity is also the main issue when it comes to tax evasion, which impedes tax authorities to detect tax evasion or sanction it.

Another important Directive is the Directive on administrative cooperation in taxation (DAC5), which determines that from 1. january 2018 onwards tax authorities must have access to the AML information, procedures, documents and mechanisms gathered in the context of combating money laundering and terrorist financing, including the beneficial ownership register.


This regulation sets forth the rules about a transfer of funds and information about the payers and payees involved in the transaction (NOTE: this is only under the condition that one of the parties is located in the European Union). The Regulation requires the payment service provider (hereinafter: PSP) of the payer to ensure that the transaction is accompanied by certain personal data of the payer (name, address, date, and place of birth, account number, ID document number), and certain data of the payee (name, account number). If such data are not provided, the PSP can insert them if he is in possession of those data. If not, the transaction must be rejected.

It is important to note, that the Regulations applies to funds, namely banknotes and coins, scriptural money and electronic money, by PSP or intermediaries. Cryptocurrencies are neither treated as any of the funds by the definition of the Regulation nor are treated as a PSP or an intermediary. In this sense, these Regulations should determine rules or extend the scope, appropriate for cryptocurrencies.


The regulation controls the movement of cash money in and out of the EU. All cash equal or above 10.000 EUR must be declared. The definition of cash by this regulation is that cash can be represented by currency (banknotes and coins that are in circulation as a medium of exchange), bearer-negotiable instruments including monetary instruments in bearer form such as travelers’ cheques, negotiable instruments (including cheques, promissory notes, and money orders) (…).

It would be hard to apply such definition to a movement of the virtual money since they are not moved physically.


EU has also issued several guidelines and viewpoints related to the:

Initial coin offerings and classification of different types of tokens (ESMA Report on initial coin offerings and crypto-assets). The financial classification of the token has an impact on several legal aspects, such as tax issues, shareholders rights, potential merger or acquisition, reporting obligations, and much more. The report is an important development and contribution to upcoming EU regulation and will affect everybody — the creators of tokens, crypto trading, and exchange platforms and users of tokens.

– reports on the application of financial and banking regulation to cryptocurrencies (EBA report on crypto-assets). EBA is the European Banking Authority which made detailed research on cryptocurrencies in connection to banking regulations, especially the EMD2 (E-money Directive) and PSD2 (Payment service Directive).

– studies on cryptocurrencies and blockchain by EU Parliament (such as Study on the Legal context and implications for financial crime, money laundering, and tax evasion).


Some Member States have quickly adapted to the new changes of the revolutionizing blockchain/DLT technology and new ways of crowdfunding. Most of them have issued ICO guidelines and alerts in order to protect the general (non-tech savvy) population from making reckless investments, driven by the fear of missing out (FOMO), greed, hope and other feelings on one hand, and control over the money on the other hand.

I will mention a few jurisdictions that stand out the most and adopted national laws specifically dedicated to crypto business.

A good example of a fast-moving regulator is Estonia, which has created a new regulation regarding crypto exchanges and digital wallet providers, by introducing mandatory licenses for such business. Licenses provide a strict anti-money laundering (AML) and counter-terrorist financing (CTF) policies that license holders must follow in order to have a compliant business.

Swiss Financial Market Supervisory Authority (FINMA) grants so-called directly subordinated financial intermediary (DSI) license, which must be obtained by all the financial intermediaries who are not members of a self-regulatory organization. Similar to Estonia, applicants must comply with strict rules on AML and CTF in order to obtain the license.

Another country granting a license for virtual financial assets (VFA) is Malta, which regulates virtual financial asset services, such as crypto exchanges, brokerage, portfolio management, wallet and custodian services, investment advisory services. Virtual financial asset act (VFAA) shall grant 4 types of licenses: Class 1 is a license for Simple consulting and placement of VFAs, Class 2 is a license for services without authorization to trade on one’s own account, Class 3 is a license for any type of VFA service but a VFA exchange and Class 4 for VFA Exchanges.

Gibraltar has enacted special authorisation by the Gibraltar Financial Services Commission (GFSC) for any business that uses distributed ledger technology (DLT) for storing or transmitting value belonging to others (DLT activities). Such business is classified as a DLT provider, which must honour the 9 principles and, among others, address the AML and CTF risk management and policies.

The Czech Republic has also amended the AML Act, which requires crypto exchanges to collect (personal) data and determine the identity of their customers.

Germany does not issue any license but grants authorization for certain crypto businesses, such as investment brokerage platforms, investment advisors, multilateral trading facilities, contract broking, portfolio management, etc.

In general, most of the EU member states are waiting for the effects of the regulation enacted by the above countries, use cases and possibly court cases for laying down the foundations of comprehensive crypto legislation on a national level.


Crypto companies have different approaches regarding where to set up a company. Some projects are betting on legal compliance and wish to set up a company in a jurisdiction that offers licenses, and with that also legal security and legal certainty.

On the other hand, other crypto projects wish to make services more anonymous and thus client-friendly. Such platforms do not perform due diligence and obtain personal data (this procedure is called “Know Your Customer”), which makes the process of buying, exchanging, selling cryptocurrencies shorter, easier and more private.

In general, the EU Parliament puts crypto businesses into 7 classes, which are regulated differently, are to be regulated or cannot be regulated, namely:

  • users,
  • miners,
  • crypto exchanges,
  • trading platforms,
  • wallet providers,
  • coin inventors,
  • coin offerors.


Users are not considered as obliged entities under the 5th AML Directive, which means that they are not the ones who need to disclose their personal data in advance but are obliged to do it if the obliged entity requires personal data from the user.


Same as users, miners are not obliged entities according to the 5th AML Directive, they are considered as technical service providers. Regardless of this fact, mining can be used for illicit activity. There has been a consideration of implementing a “Know Your Miner” policy for the reason that mining can be done by criminals.


Currently, crypto exchanges that offer only crypto-to-crypto payments, do not qualify as custodian wallet providers since they have no dealings with fiat money. This means that such exchanges fall out of the scope of the 5th AML Directive. The EU Parliament is of the opinion that this is a blind spot in the legal system, which allow cryptocurrencies to be used completely outside of the legal system. Such exchanges will be hard to regulate and the origin of the crypto will be hard to follow once crypto assets will pass through an obliged company (an obliged company is a company to which AML rules apply for they deal with the fiat money).

For this reason, many of the fiat gateways, liquidity providers (such as trading platforms), payment and credit card processors already require a tracking history of the crypto asset or implementation of crypto tracking mechanisms, which detect black crypto and reject such transaction.


Trading platforms are peer-to-peer marketplaces for cryptocurrencies. Centralized trading platforms that offer fiat money for purchase fall under the scope of the AML Directive. On the other hand, pure crypto-to-crypto and decentralized trading platforms are not subordinated to any central authority, meaning that they are hard (if not impossible) to regulate. When no central authority is in place, such services cannot be controlled by the government, meaning that legal regulation and control, prosecution, enforcement, and other procedures are nearly impossible.


There are different wallet providers to mention, namely:

  • Hard wallets, which provide a physical wallet (like a USB stick), such as Nano Ledger, BC Vault, Trezor.
  • Software wallets, which provide a desktop, mobile or online software to send, receive and store cryptocurrencies. Such wallets are Atomic, Jaxx, Electrum.
  • Custodian wallets, which provide online custody of cryptographic keys. Such wallets are most often operated by crypto exchanges, such as Kriptomat, Bitstamp, Kraken.

The AML Directive applies only to custodian wallets because those are entities that provide services to safeguard private cryptographic keys on behalf of their customers and have control over users’ crypto assets. Additionally, crypto assets in custodian wallets can be seized by the court order in the same way as fiat money can be seized from the bank account — it is worth a mention at this point that custody wallets are not a part of any public registry (such as bank accounts), therefore it will be hard for the authorities to get to information which custody wallet user has, unless the court gets information from the bank from which user transferred fiat money for purchasing cryptocurrency.


Coin inventors are companies who issued certain coin and set the initial rules for its use. If coin inventors are only technical inventors and provide only tools for others to use them, then they are most probably not a data subject and AML Directive does not apply. Most of the times such inventors are not identified. If they are also offerors, the situation might be different.


EU Parliament defined coin offerors as organizations or individuals that offer cryptocurrencies to users upon the coin’s initial release, either against payment (i.e. through an initial crowd sale) or at no charge (such as airdrop).

Depending on the nature of a token/coin and depending on the jurisdiction of an ICO company it can be decided if such offerors are subject to disclosure requirements of anti-money laundering laws. Always consult your fintech lawyer regarding this matter.


As explained in this article, some of the business can still operate anonymously and these businesses leave room for financial crime. With the new AML Directive, some businesses have been regulated, especially custodian wallet providers and fiat-to-crypto exchange platforms. These will no longer be anonymous, because of the user due diligence requirements vested upon the fiat-to-crypto exchanges and custodian wallet providers.

EU regulators are working hard on trying to set a new legal framework (or adjust the current one) for crypto businesses and risk mitigation rules on one hand and not to impede the evolution of the technology on the other hand. Member states are putting efforts to make a good environment for crypto business and consumers, some of them by issuing a set of rules that would attract and protect at the same time.

However, countries will have to decide how they will regulate the areas that fall outside the scope of data disclosure requirements. They can either ban cryptocurrencies or decide to put a mandatory disclosure onto users and miners as well. More to that, if countries indeed decide to do that they will have to set up a whole sanction framework for non-compliance cases.

In this light crypto intermediaries (offerors, crypto exchanges, etc.) could decide for themselves not to accept anonymous cryptocurrencies in the course of their business. That could not only give them an advantage over other market players but could also lead to a commercial advantage and (in my own opinion) a good night sleep. In case that self-regulation would become an industry trend, hard law approach with the mandatory registration of users, might not even be necessary. Nonetheless, Europe will have to continue to talk about these issues and make regulatory changes, since this is not something that member states should regulate on their own.

If you need a fintech lawyer, contact us here.

Mina Krzisnik, fintech lawyer CEO & FOUNDER at IURICORN Ltd, legal and technology solutions

Call Now ButtonCall Us