Welcome to part 14 of our AMLR blog series. This post focuses on Article 37, which sets out specific enhanced customer due diligence measures for cross-border correspondent relationships for crypto-asset service providers. The provision builds on earlier parts of the framework, where establishing information about the counterparty entity and conducting checks on it, as a customer due diligence measure, is a central starting point. Readers who wish to explore enhanced customer due diligence measures in more depth are encouraged to read part 11 of the series on third countries and risk identification. Obliged entities are required to take steps to assess and understand the purpose of a transaction or business relationship. In this instalment, the question of purpose is placed in a more complex context shaped by technological development, cross-border structures and elevated risk levels. Access to qualified operational support for customer due diligence and transaction monitoring is therefore of material importance for governance and control in organisations operating in the crypto market.

Crypto-asset services and AMLR’s risk-based approach to customer due diligence

AMLR introduces a far-reaching harmonisation of customer due diligence rules across the EU and now expressly covers crypto-asset service providers. This reflects the increased use of crypto-assets in international transactions and the specific risk profile arising from rapid transferability, technical complexity and potential anonymity. In this context, establishing and managing an ongoing business relationship with counterparty entities outside the EU becomes particularly risk-sensitive. Article 37 addresses precisely these scenarios and supplements the general rules on cross-border correspondent relationships in Article 36. The provision is a clear expression of AMLR’s risk-based approach, under which customer due diligence requirements increase as risks increase. At the same time, the requirements are closely linked to the analysis of purpose and the business relationship, since understanding why a relationship is established is essential when assessing which risk-mitigating measures are proportionate and effective.

Article 37 AMLR: enhanced customer due diligence for cross-border correspondent relationships for crypto-asset service providers

Article 37 applies to cross-border correspondent relationships involving the provision of crypto-asset services with a counterparty entity that is not established in the Union and that provides similar services. By way of derogation from Article 36 and in addition to the customer due diligence measures under Article 20, crypto-asset service providers must take certain steps when entering into a business relationship.

Under Article 37(1)(a), crypto-asset service providers must establish whether the counterparty entity is authorised or registered. Further, under Article 37(1)(b), the obliged entity must collect sufficient information to gain an understanding of the counterparty’s business activities. The information must enable an assessment of the counterparty’s reputation and the quality of its supervision. Article 37(1)(c) also requires obliged entities to assess the counterparty’s internal controls for combating money laundering and the financing of terrorism.

A recurring theme in AMLR is that responsibility for risk management must be clearly anchored at senior management level. Article 37(1)(d) therefore provides that senior management approval is required before a new correspondent relationship is established. Under Article 37(1)(e), the respective responsibilities of each party within the correspondent relationship must also be documented. This documentation is central from both a governance and supervisory perspective and provides an important basis for ensuring clarity as to who is responsible for which steps in the customer due diligence process.

Article 37(1)(f) specifically regulates so-called payable-through accounts for crypto-assets. In such cases, the crypto-asset service provider must satisfy itself that the counterparty entity has verified customers’ identities and has carried out ongoing customer due diligence measures for those customers who have direct access to the correspondent entity’s accounts. The counterparty entity must also be able to provide relevant customer due diligence information on request.

If a crypto-asset service provider decides to terminate the correspondent relationship for reasons connected to its strategy for combating money laundering and terrorist financing, the provider must document its decision. Article 37 also includes requirements for the ongoing updating of customer due diligence information. Crypto-asset service providers must regularly, or where new risks arise, update the customer due diligence information for the correspondent relationship.

Under Article 37(2), the information collected must be taken into account when determining, on the basis of a risk assessment, which measures are appropriate to reduce the risks associated with the counterparty entity.

Finally, Article 37(3) provides that AMLA must, by no later than 10 July 2027, issue guidelines specifying the criteria and aspects that crypto-asset service providers must consider when assessing counterparty entities, as well as the risk-mitigating measures to be taken. The guidelines must also cover minimum measures that crypto-asset service providers must take in situations where the counterparty is found to lack authorisation or registration.

How Article 37 AMLR reshapes customer due diligence for crypto-asset service providers

Article 37 clearly illustrates how AMLR is being adapted to new financial technology and how customer due diligence requirements are developing as new business models emerge. For crypto-asset service providers, the provision entails extensive responsibility to understand, document and continuously follow up each cross-border business relationship.

Morling Consulting supports obliged entities with specialist legal advice and practical, operational customer due diligence support. Through deep expertise in AMLR and risk management, our lawyers help organisations implement the framework in a proportionate, business-aligned manner across Europe.