Response to consultation on Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
Question 1: Do you agree with the proposed provisions? If you do not agree, please explain how you think these provisions should be amended, and set out why they should be amended. Please provide evidence of the impact these provisions would have if they were maintained as drafted'?
As an introductory matter, we note that the definition of crypto-asset service providers (CASPs) is set forth in the Markets in Crypto-Assets Regulation (MiCA) and is not subject to change here. That definition focuses on intermediaries who are engaged in particular activities. The definition also makes clear that there are certain actors who are not CASPs, including any actor that does not have custody and control over crypto-assets (such as personal, self-custodial wallet software); miners and validators (including delegators in proof of stake); providers of APIs, block explorers and other infrastructure providers; software developers; any decentralised protocol or application, where decentralised means that there is no single source of truth, no single point of failure and no authority capable or responsible for altering transactions. It is very important that all of these actors and activities have clarity that they are not CASPs and are not subject to the requirements placed on CASPs and similar intermediaries, so we want to emphasise these points.
While welcoming the overall existence of the Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures, the European Crypto Initiative (EUCI) and its members will use this opportunity to raise the following concerns:
- While collecting certain information about transfers is crucial for the implementation of Regulation (EU) 2023/1113 (Transfer of Funds Regulation, TFR), certain proposals, such as extending the requirements to include the purpose of transfers and additional details in free text fields (Guideline 4.1.5, point 22 (b)), could be seen as overreaching and even going beyond the European Banking Authority’s mandate. Expanding TFR requirements to include such detailed information might represent both an unnecessary burden for all senders and recipients of transfers (not to mention the concerns around privacy and surveillance) and a possible scope creep beyond the regulation's original intent. In addition, it will likely lead to the overburdening of both CASPs and PSPs with information that will have no meaningful impact on the effectiveness of transfer screening.
Furthermore, while we do understand that the impact of this proposal will likely be reduced in practice with the adoption of Guideline 4.2.4, point 39, the existence of this possibility brings forward even more arguments as to why the collection of the information under Guideline 4.1.5, point 22 (b) is unnecessarily burdening and should, as a general rule, not be requested.
We would also like to comment on Option 2a's choice (“Requesting institutions to appoint a senior staff member responsible for the compliance with restrictive measures”) when appointing a senior staff member responsible for compliance with restrictive measures. Several considerations emerge that challenge the necessity and efficiency of this approach, particularly when compared with Option 2b (“Not requesting institutions to appoint a senior staff member responsible for the compliance with restrictive measures”). Among them are the following:
- This requirement will result in an overlap with existing compliance roles: Financial institutions already have Chief Compliance Officers (CCOs) and AML/CFT compliance officers tasked with overseeing a broad range of regulatory and compliance-related responsibilities. Adding another layer of specific compliance oversight for restrictive measures could lead to duplication of efforts, as these areas often intersect, especially in identifying and preventing illicit financial activities.
- Another direct issue is the increased complexity of compliance structures: Introducing another high-level compliance role can add complexity to the organisational structure, potentially causing confusion regarding roles and responsibilities. We see a real possibility of this complexity hindering, rather than helping, the institution's ability to respond swiftly and effectively to compliance challenges.
- Directly related to the above points is also our concern that it would prove to be an unnecessary financial burden for financial institutions (particularly small and newly established ones): While the consultation document argues that its benefits exceed the costs associated with appointing a dedicated senior staff member, it's important to consider that this could represent a significant financial burden, especially for smaller institutions. The costs aren't just limited to the appointment but also encompass ongoing training, systems adaptation, and potential expansions of teams to support this role.
- Furthermore, and expanding on the above notes, we see a threat in implementing such a one-size-fits-all approach: While the consultation document mentions proportionality and flexibility, mandating a dedicated role might still be seen as a one-size-fits-all solution that doesn't adequately account for different institutions' varied sizes, risk profiles, and operational complexities. A more nuanced approach that allows institutions to tailor their compliance structures to fit their specific needs and contexts best could be more effective, particularly for smaller entities.
We do consider that the requirements for training and the provision of resources (including in relation to the direct application of the internal policies in place, such as those related to screening) to existing compliance officers on restrictive measures should be enough, at least in some cases, to ensure they have the knowledge and tools needed to integrate these considerations into the broader compliance framework effectively.
Therefore, we would ask that EBA reconsider its decision and instead choose Option 2b regarding financial institutions having to appoint a senior staff member responsible for compliance with restrictive measures.