The European Banking Authority’s (EBA) new rules on crypto-assets

1. What is most significant about these new regulations? 

Every day, the organized crime wakes up and tries to find loopholes in the legal frameworks. The United Nations Office on Drugs and Crime (UNODC) in 2022 estimated that between $800 million and $2 trillion are laundered annually in legal tender, equivalent to 5% of the global GDP. 

The new EBA Guidelines on Information Requirements for Transfers of Funds and Certain Crypto-Assets, the so-called “Travel Rule Guidelines”, attempt through a soft-law mechanism to implement Directive (UE) 2023/1113. The significance lies in addressing the anonymity and decentralized nature of crypto-assets, which have historically facilitated illicit activities like money laundering and tax evasion. 

More concretely, they outline whether a card, instrument or device is used exclusively to pay for goods or services; technical limitations refer to data-related constraints, boundaries or shortcomings that arise from the technological components, systems and frameworks involved in the processing of transfers; the specific data points to be transmitted as part of the information required; the required information to be transmitted to the Authorities and how PSPs and CASPs should set out in their policies and procedures the quantitative and qualitative criteria they will use to determine, whether the systems used by those companies are ‘repeatedly failing’ and document all transfers with missing or incomplete information. 

Each EU Member State must confirm compliance with these guidelines within two months of the official translations’ publication. The revised regulations will be enforced starting December 30, 2024, necessitating national Authorities to interpret and apply these rules effectively. 

2. Which financial institutions will be most affected and how? 

Contrary to the common perception that financial transactions belong only to banks, money flows, more and more, as the G7 Financial Action Task Force showed in 2017, through crypto-assets and PSPs. 

The financial institutions mostly affected by the new regulations are Payment Service Providers (PSPs), Intermediary PSPs (IPSPs), Crypto-Assets Service Providers (CASPs), and Intermediary CASPs (ICASPs). 

The risk of these guidelines is that they might end up becoming a tool of overregulation, further burdening the already extremely complex banking and finance sector. However, the principle of proportionality, and how will be interpreted by supervisory Authorities, will play a crucial role in implementing and determining the exact impact of these EBA Guidelines. 

3. How burdensome will they be? Is this a significant new compliance burden? 

While it is true that post-2008 financial regulations have surged in both the EU and US, leaving banks exhausted, as underlined before, the new EBA guidelines could represent a nuanced approach. The guidelines employ soft law, providing flexibility in their implementation, making the compliance burden vary across institutions. 

In this regard, according to the EU legislative drafting procedure, the EBA conducted an impact assessment and public consultation, highlighting that all considered options create one-off costs for reviewing and adapting existing systems and controls and consequently, there will be ongoing costs for training staff to apply and assess these new systems and controls. 

Moreover, the risk-based approach and the principle of proportionality ensure that the burden hopefully should be tailored to the nature and size of business, aiming to strike a balance between stringent compliance and operational feasibility.

4. What are the aims of the new regulations? Will they be effective? What is controversial about them?

As Sophocles aptly depicted in his Antigone, Legislators once more face a dilemma: on one hand fighting the organized crime and on the other hand protecting the freedom of economic initiative. 

As evidenced by the WannaCry incident in 2017, where over 200,000 computers in a hundred countries were infected by ransomware that demanded bitcoin payments for data restoration, affecting big players like Nissan, Santander, BBVA, FedEx, and Hitachi, in this regard, the new regulations aim to make it more challenging for organized crime to exploit financial systems for money laundering and terrorist financing by ensuring transparency and accountability in fund and crypto-asset transfers. 

The effectiveness of the new rules is mixed. Firstly, they improve the identification of individuals and ensure data integrity, which should help tracing illicit activities, as the emphasis on reputation and accountability is a positive step, acting as a barrier to entry for malicious operators; secondly, some aspects, like the monitoring procedures in section 4.5.3, seem weak since they are left to internal policies, lacking uniformity and strict enforcement. 

While the regulations have clear objectives and some strong points, their effectiveness may be hampered by the creativity of the organized crime and the sometimes vague implementation requirements.

Edited by Marco Carlizzi & Francesca Bazzani