The European Banking Authority (EBA) has updated its guidelines on how financial institutions assess risks related to money laundering and terrorism financing (ML/TF).
The new rules will take effect on December 30, 2024.
These updates make it easier for organizations to spot red flags: they introduce clearer risk indicators, especially in high-risk areas like customer profiles and certain geographical locations. New rules also focus on transparency and expand the list of risky products and services.
Let’s break it down to understand how you’ll have to change your operations.
Check the list of high-risk jurisdictions as defined by the EU here.
FATF black & gray lists of countries with weak or non-existent AML/CFT regulations are here.
A screenshot from GL Vision shows transactions made through Wasabi Wallet, a wallet designed to protect privacy. It mixes several Bitcoin transactions into one, making it harder to trace.
With GL Entity Explorer, you can find out if your counterparties are regulated, what their domiciled country is, check their licenses (if there are any), and discover if they support privacy coins.
A screenshot from GL Entity Explorer shows data on EnExchanger, an Iranian (1) sanctioned exchange (2) that doesn’t require KYC (3) and allows transactions with privacy coins (4).
The GL Monitoring tool tracks crypto transactions in real time, using the latest data on hacks and sanctions. It sends alerts for suspicious activity to help prevent dealing with illegal funds.
Need a training program tailored to your needs? Check out GL Compliance Certification. The program is designed to help your team understand blockchain and crypto fundamentals, create compliance structures, and meet regulators’ requirements.
The updated guide doesn’t change the record-keeping time requirements. Under Directive (EU) 2015/849 on AML, the 5-year record-keeping period still applies. Stick to it.
Imagine that you, as a CASP, receive transaction e7124ca3ea96e28202684e7772fc59a4791d14c270c9e0ea2854efe32208a9de from a new counterparty.
GL Vision screenshot showing the transaction e7124ca3ea96e28202684e7772fc59a4791d14c270c9e0ea2854efe32208a9de
Here is how the flowchart can help you assess the risks using GL tools.
In GL Vision, you can click on the address → entity name. It will redirect you to the Entity Explorer:
GL Entity Explorer screenshot with the entity overview
❌ Vietnam is on FATF’s gray list. It’s a red flag, and enhanced due diligence is needed.
❌ It does. As you see in the screenshot above, it’s a mixing service. These services typically use self-hosted addresses, which makes it harder to trace the origins or destinations of transactions.
❌ Yes, a mixing service is high-risk and requires additional monitoring and stricter checks. That’s why GL labels them with a 69 risk score.
❌ Mixing services blend multiple users’ transactions. It increases anonymity, and that’s a red flag.
✅ It doesn’t.
❗️However, note how four out of the five inputs are structured into 4.096 BTC. This is how the mixer works: it divides assets into equal parts for further withdrawal.
✅ It’s not. It’s a transaction between a CASP and a self-hosted address.
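The equal-denomination pattern noted above can be checked mechanically. The following is an added example, not part of the original article or of any GL tool: a heuristic that flags a transaction when several inputs or outputs share one identical value. The transaction layout, field names, and thresholds are assumptions, and the sample values are constructed (read here as four inputs of 4.096 BTC each out of five).

```python
from collections import Counter

SATS_PER_BTC = 100_000_000  # work in integer satoshis to avoid float comparison errors


def assess_equal_denomination(tx, min_count=3, min_share=0.5):
    """Flag sides of a transaction dominated by one repeated value.

    min_count and min_share are illustrative thresholds (assumptions),
    to be tuned against your own transaction data.
    """
    findings = []
    for side in ("inputs", "outputs"):
        values = [item["value_sats"] for item in tx.get(side, [])]
        if not values:
            continue
        for value, count in sorted(Counter(values).items()):
            share = count / len(values)
            if count >= min_count and share >= min_share:
                findings.append({
                    "side": side,
                    "value_sats": value,
                    "value_btc": value / SATS_PER_BTC,
                    "count": count,
                    "total": len(values),
                    "share": share,
                })
    return findings


# Constructed sample: five inputs, four of them exactly 4.096 BTC.
# These are NOT the real contents of the transaction shown on the page.
SAMPLE_TX = {
    "txid": "constructed-example-mixer-like",
    "inputs": [{"value_sats": 409_600_000}] * 4 + [{"value_sats": 12_345_678}],
    "outputs": [{"value_sats": 1_650_000_000}, {"value_sats": 700_000}],
}

# Constructed control: an ordinary payment with unrelated input values.
CONTROL_TX = {
    "txid": "constructed-example-ordinary",
    "inputs": [{"value_sats": 53_210_000}, {"value_sats": 7_400_500}],
    "outputs": [{"value_sats": 60_000_000}, {"value_sats": 600_000}],
}

if __name__ == "__main__":
    for tx in (SAMPLE_TX, CONTROL_TX):
        print(tx["txid"], assess_equal_denomination(tx))
```

A hit from this check is a prompt for enhanced due diligence rather than proof of mixing, since batched payouts can also produce repeated values.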
So, in this example, the flowchart guides you through assessing the risks of a transaction from a new counterparty using GL tools. We identified several red flags:
Additionally, GL provides even deeper insights by offering data on source of funds and use of funds, entities, transaction histories, and risk scores—all within a single report.
The updated EBA Guidelines for 2024 bring new requirements for CASPs. Focusing on customers, geographical risks, and high-risk products and services (like mixers and privacy coins), the guidelines emphasize the importance of enhanced due diligence and rigorous transaction monitoring. The new guidelines demand not only strong compliance measures but also well-trained teams and accurate record-keeping to trace wallet activity.