In addition to the new regulations, the financial markets regulator has published welcome guidance for CASPs
The Dutch Authority for the Financial Markets (AFM) has recently published anti-money laundering and countering the financing of terrorism (AML/CFT) regulations with which crypto-asset service providers (CASPs) are required to comply.
What is the general AML/CFT framework for CASPs, and what are the key points of the additional guidance published by the AFM specifically for CASPs?
Anti-money laundering
CASPs are subject to the general AML/CFT framework that applies to all regulated financial institutions: the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, or Wwft).
This framework is risk-based. Financial institutions must develop comprehensive risk assessments tailored to the services provided. The risk assessment must take into account factors such as customer, product, service, transaction, delivery channel and geographic location, and must be updated regularly. Under the AFM guidance, CASPs should specifically take into account factors that increase the risk of money laundering and terrorist financing, such as the ability to transfer cryptocurrency worldwide, high transaction volumes, volatility and anonymity.
In cases where there is an increased AML/CFT risk, institutions are required to carry out enhanced due diligence. This includes additional measures such as verification of customer identity, obtaining more detailed information on the origin and destination of funds, and close monitoring of transactions. With regard to CASPs, the AFM guidance indicates that enhanced due diligence is particularly important for transactions involving self-hosted addresses or third countries, which according to the AFM carry higher integrity risks.
Under the Wwft, financial institutions must also implement robust transaction monitoring systems to continuously monitor business relationships and transactions. The AFM guidance says that, for CASPs, this includes monitoring of fiat and crypto transactions to detect unusual activity. Advanced analytical tools should be used to assess transaction histories and identify potential links with criminal activities, in particular for transactions involving self-hosted addresses.
All financial institutions are required to report unusual transactions to the Netherlands Financial Intelligence Unit (FIU-the Netherlands) without undue delay. This includes transactions that raise suspicions of money laundering or terrorist financing. When it comes to cryptocurrencies, the AFM guidance specifies that missing information on the originator or the beneficiary in crypto-asset transfers may also be a reason for reporting an unusual transaction.
Sanctions
CASPs are subject to the general sanctions obligations that apply to all regulated financial institutions under the Dutch Sanctions Act 1977 (Sanctiewet 1977) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977, RTSW). Among other things, these require an assessment of the risk of sanctions evasion and of violations of sanctions regulations. This means developing policies, procedures and measures to mitigate these risks. Institutions must ensure that business relationships and transactions do not involve the transfer of financial resources to sanctioned individuals. The measures should include screening business relationships against sanctions lists and the use of geolocation tools to identify and prevent transactions from sanctioned countries.
Under the AFM guidance, CASPs must establish policies and procedures that allow compliance with sectoral sanctions and with sanctions on distributed ledger addresses. These policies should describe the measures to be taken in the event of a true match with a sanctioned (legal) person, including freezing assets. Sanctions matches are reported to the AFM. Policies should also define the term “relationship” in accordance with the sanctions law and provide guidance on the handling of sanctions.
The European Banking Authority (EBA) guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures, which should be in force on December 30, 2025, provide guidance on designing the sanctions screening policy of CASPs.
Financial institutions must prevent economic resources from being made available to sanctioned persons. When carrying out transactions involving self-hosted addresses, CASPs must verify the identity of the individuals or entities owning or controlling those addresses.
Transfer of Funds Regulation
The Transfer of Funds Regulation (TFR) applies to the CASPs of the originator and the beneficiary and to intermediary CASPs for cryptocurrency transfers. It requires verified information to be attached to transfers to ensure traceability. The regulation covers all transfers involving at least one CASP established in the EU, including those involving crypto-ATMs.
Detailed information on the originator and the beneficiary must be attached to each transfer. This includes names, addresses, distributed ledger addresses, crypto-asset account numbers and legal entity identifiers (LEIs). The information must be verified on the basis of reliable and independent sources before the transfer is initiated or executed.
For batch file transfers, CASPs can provide all the required information in a batch file. Each transaction in the batch must have a separate DLT address, a crypto-asset account number or a unique transfer identification code. The batch file must come from one originator, and all the information must be provided separately for each transaction.
Other obligations include that CASPs must identify whether a transfer involves a self-hosted address using technical means, such as blockchain analysis and third-party data providers. For transfers exceeding €1,000, CASPs must verify the ownership or control of the self-hosted address by the originator or the beneficiary. The verification methods include unattended and assisted verification, sending predefined amounts and digital signatures (Guideline 83 of the EBA Travel Rule Guidelines).
CASPs must report cases where another CASP fails to provide the required information. This includes documenting the nature of the violation, the frequency of missing information and the actions taken. The reports must be submitted to the AFM without delay.
It is also important to ensure compliance with the General Data Protection Regulation (GDPR). This includes implementing adequate technical and organizational measures to protect personal data from accidental loss, modification, unauthorized disclosure or access. CASPs operating in several jurisdictions must facilitate the sharing of information on unusual transactions within the same organization while complying with their AML/CFT obligations.
Comment by Osborne Clarke
The additional AML/CFT guidance specifically for CASPs is welcome. The AFM's general AML/CFT guidance was not tailored to CASPs, and this additional guidance gives CASPs a degree of clarity and direction in ensuring compliance with the strict AML/CFT regulations. This is a positive step towards improving the integrity and security of the crypto-asset sector in the Netherlands.
However, although the AFM guidance describes key principles and requirements, it lacks detailed instructions on how CASPs should implement these measures in practice. This could lead to varying interpretations and implementations between different CASPs, potentially resulting in inconsistencies in compliance and application.
This Insight was written with the help of legal assistant Floor van de Swaluw.