The EU Parliament’s final vote in February 2024 on eIDAS 2.0 was a major step toward Europe’s digitization. The finalized draft of the European Regulation known as eIDAS (electronic Identification, Authentication and trust Services) was finally endorsed by the Council in March 2024 with an implementation set for 2026. 

Important milestones for eIDAS 2.0 include:

• April 24, 2024: Publication in the EU’s Official Journal and entering into force
• During 2024: Finalization of Implementing Acts: 
  • 6 months for Wallets and QEAA (Qualified Electronic Attestation of Attributes)
  • 12 months for Qualified Trust Services
• In parallel, the Architecture and Reference Framework (ARF) with the eIDAS Toolbox Expert Group and the EU standardization will take place

The EU has come a long way since 2021, when it first announced its plans to revise the law on electronic identification and trust services for digital transactions. Its aim was and is to introduce a legal and technical framework that enables each Member State to issue its citizens a digital identity and digital wallet to access, store, and reuse the digital identity for public and private services across the EU. 

The legal and technical frameworks stipulate that eIDAS 2.0 will remain compliant to existing laws on data privacy through the GDPR (General Data Protection Regulation) and Cyber Security Act. The technical and certification framework will ensure the wallet maintains strong cryptography and operates at a level of security “high”. The function will be for both online and offline purposes and the wallet will provide the end user with the ability to only share necessary credentials for a particular service. Known as selective disclosure, this allows users more control over their own personal data.

Member states will be obliged to provide the EUDI Wallet within 24 months of the entering into force of the Regulation, so likely around October 2026.

To enhance the EU’s response to money laundering and countering the financing of terrorism, a package consisting of three focus measures was decided upon:

1. The new EU AML Authority.

Obliged entities are currently supervised at a national level only, resulting in an inconsistent enforcement of European AML/CFT laws. To tackle this issue, the new EU AML authority (AMLA) will act as a central hub to coordinate the actions of supervisors in different EU countries and ensure convergence of supervisory practices.

The application process for the new EU AML authority quickly came to the conclusion to host its seat in Frankfurt am Main; with the European Central Bank (ECB) also in town, the city is now set to become the future center for anti-money laundering and financial decision making in Europe. 

2. New EU AML Regulation (AMLR), the so-called “single rulebook against money laundering and terrorist financing” 

EU legislators haven’t reached a political agreement on the Anti-Money Laundering Regulation yet; the first reading in the Parliament is scheduled for 22 April 2024.

For the crypto industry, the following changes will likely be implemented:

• Extension of the list of obliged entities to include crypto-asset service providers 
• More requirements for firms to identify and track their customers’ transactions to apply due diligence.
• A due diligence process for transactions as small as €1000.
• Merchants will be prevented from accepting payments from self-custody wallets that are not linked to a licensed crypto firm.
• There could be a ban on coins that enhances anonymity.
• Crypto mixers and privacy wallets are dubbed high risk. The European Commission will need to recommend whether to ban these tools 2-3 years after entering into force of the Regulation.
• AMLR should only apply to entities recognized by MiCA (Markets in Crypto Assets), which excludes decentralized protocols.

AML Rulebook and Requirements for Customer Due Diligence (CDD):

• Provisions for Know Your Customer (KYC) including remote KYC and electronic identification means according to eIDAS.
• EU AMLR includes a larger umbrella for obliged entities. 
• Limits for cash payments at €10,000 and occasional cash transactions between €3,000 and €10,000.

When the new AMLR law will come into force is still in negotiation, but it is expected between 2026 and 2027.

3. Revision of the AML Directive (AMLD6)

The content of the sixth revision of the AMLD reached a political agreement on January 18, 2024. This draft Directive grants certain powers to national supervisors over the senior management of certain obliged entities, especially in the case of conviction for money laundering or terrorist financing. 

Member States are obliged to create and maintain mechanisms, such as a central register or a central electronic data retrieval system, to allow identification of holders of bank accounts and safe deposit boxes, contained in the current AML Directive. The Commission’s proposal also includes new provisions on the responsibilities and tasks of the Financial Intelligence Units (FIUs), such as clarifications on the financial analysis function of FIUs and on their operational independence, their resources and their security; provisions on information exchange between FIUs and other competent authorities.

In late 2023, the European Banking Authority (EBA) released draft guidelines on crypto asset transfers with the objective of establishing a more uniform approach to applying the travel rule. These guidelines aim to make sure that everyone follows the same standards when moving money through cryptocurrencies. 

The EBA opened a consultation on these rules to prevent the misuse of crypto asset transfers. The travel rule guidelines will be applicable to Payment Service Providers (PSPs), crypto asset service providers (CASPs), and Intermediary CASPs. They are meant to make sure that all necessary information accompanies the transfer of funds or crypto assets. The objective is to promote a more uniform application of EU regulations and increased openness in the execution of AML/KYC regulations in the cryptocurrency sector.

Additionally, the EBA has also issued guidance to CASPs to effectively manage their exposure to money laundering (ML) and terrorist financing (TF) risks.

The amendments aim to assist CASPs in identifying these risks by providing a non-exhaustive list of factors that may indicate the CASP’s exposure to higher or lower levels of ML/TF risk (due to its customers, products, delivery channels, and geographical locations). CASPs can use these factors to better understand their customer base and find parts of their business that might be more vulnerable to money laundering or terrorist financing. The guidelines also suggest using tools like blockchain analytics to help manage these risks. 

The EBA has decided to expand the coverage of the ML/TF Risk Factors Guidelines to ensure consistency in the approach that CASPs throughout the EU should take when implementing a risk-based approach to AML/CFT as part of their business operations. Regulatory authorities must confirm they are following these guidelines within two months of the translations being available in all official EU languages.

The amending Guidelines will apply from December 30, 2024.

The UK Gambling Commission (UKGC) has been actively pursuing the objectives outlined in the Government’s Gambling White Paper, initiating a series of consultations that commenced in the summer of 2023. 

Following a thorough consideration of feedback received during the consultation phase, the UKGC has outlined its strategy regarding financial risk assessments as follows:

Frictionless, light-touch financial vulnerability checks

• These checks aim to identify vulnerabilities such as bankruptcy orders or outstanding debts based solely on publicly available data. Notably, in response to feedback received, these checks will not require gambling operators to collect personal details like postcodes or job titles.
• Initially, these checks will be implemented at a higher threshold for a brief period before transitioning to a lower threshold later in the year to facilitate smoother implementation for consumers. 
• Further details regarding this adjustment will be provided in the comprehensive response document.

Enhanced financial risk assessments – a pilot and data period

• The consultation proposed enhanced financial risk assessments, utilizing credit reference data, particularly targeting instances of unusually high losses where risks are elevated. Acknowledging the need for cautious implementation, many stakeholders voiced support for a pilot program to rigorously evaluate the practical aspects of data-sharing.
• The pilot initiative will enable the UKGC to scrutinize the intricacies of data-sharing in collaboration with credit reference agencies and gambling enterprises, ensuring a consumer-centric approach.
• Importantly, the pilot phase is designed to minimize consumer impact, prioritizing the refinement of data-sharing processes before transitioning to live implementation of the assessments.

These initiatives underscore the UKGC’s commitment to fostering a transparent and responsible gambling environment, leveraging innovative approaches to mitigate financial risks while safeguarding consumer interests.

In December 2023, the Brazilian Senate passed its gambling regulations for sports betting and online casinos. The regulations for sports betting and online casinos are a significant step toward Brazil’s modern online gambling landscape. 

To comply with the new law, operators must be based in Brazil. Foreign operators will be barred from offering regulated gambling. This will ensure the Brazilian government is able to collect the taxable revenue. 

Operators are also mandated to meet a range of integrity, responsibility and honesty requirements as proposed by the ABRADIE, a nonprofit organization created to ensure the Brazilian gambling and iGaming landscape remained safe and free from corruption, and IBJR, the Instituto Brasileiro de Jogo Responsável (a new organization in Brazil, spearheading the country’s growing focus on promoting responsible gambling practices), and are therefore required to be a member of a sports integrity body.

Other requirements operators will be forced to comply with include having a minimum value of share capital and being able to pass several technical requirements. Gaming operators will be required to verify the identity of players before accessing the platform, which will be done via a Cadastro de Pessoas Físicas (CPF) data check, the unique identification number for each user and all bets that are associated with the player.

KYC processes will enable age verification of players, and when a financial relationship is established, authorities will also have access to collect personal data and monitor fraud or money laundering activities. Operators must also ensure players are not politically exposed persons (PEPs) or part of any other restricted lists associated with criminal money laundering activities.

Get all information from our previous issues and benefit from our deep knowledge and stay up-to-date on all regulatory changes within financial services, gaming and gambling, telecommunications and many more by subscribing to KYC Insider.