Dutch AML/CTF rules for crypto-asset service providers (CASPs)

The Dutch authority for the financial markets (AFM) recently published specific Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regulations with which CRYPTO-ASSET SERVICE PROVIDERS (CASPs) are obliged to comply.

The general AML/CTF framework for CASPs, and the key points from the additional guidance issued by the AFM specifically for CASPs, follow below:-

ANTI-MONEY LAUNDERING

1. CASPs are subject to the general AML/CTF framework that applies to all regulated financial institutions:
1. The Dutch Anti-Money Laundering and Counter-Terrorism Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, or Wwft).
2. This framework has a risk-based character.
2. Financial institutions must develop comprehensive risk assessments tailored to the services provided.
1. The risk assessment should consider factors such as the type of client, product, service, transaction, delivery channel and geographical location and should be updated regularly.
3. Under the AFM guidance, CASPs should consider factors that increase the risk of money laundering and terrorist financing, such as
1. The ability to transfer crypto-assets globally, high transaction volumes, volatility and anonymity.
4. Institutions must perform enhanced due diligence in increased AML/CTF risk cases.
1. This includes additional measures such as verifying clients' identities, obtaining more detailed information about the origin and destination of funds, and closely monitoring transactions.
5. Regarding CASPs, the AFM guidance states that enhanced due diligence is critical for
1. Transactions involving self-hosted addresses or third countries, which, under the AFM, carry higher integrity risks.
6. Based on the Wwft, financial institutions must also implement robust transaction monitoring systems to continuously oversee business relationships and transactions.
1. The AFM guidance specifies that, for CASPs, this includes monitoring both fiat and crypto transactions to detect unusual activities.
2. Advanced analytical tools should be used to assess transaction histories and identify potential links to criminal activities, especially for transactions with self-hosted addresses.
7. All financial institutions must report unusual transactions to the Netherlands Financial Intelligence Unit (FIU- the Netherlands) without undue delay.
1. This includes transactions that raise suspicions of money laundering or terrorist financing.
8. When dealing with crypto-assets, the AFM guidance clarifies
1.  Thehe lack of information from the originator or beneficiary in crypto-asset transfers may also be grounds for reporting an unusual transaction.

SANCTIONS

1. Financial institutions must prevent the provision of economic resources to sanctioned persons. CASPs are subject to
1. General sanction obligations that apply to all regulated financial institutions according to the Dutch Sanctions Act (Sanctiewet 1977) and
2. The Regulation on Supervision under the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977, RtSw).
2.  These require assessing the risk of sanctions evasion and violations of sanctions regulations.
1. This involves developing policies, procedures, and measures to mitigate these risks.
3. Institutions must ensure that business relationships and transactions do not transfer financial resources to sanctioned individuals or entities. Measures should include
1. Screening business relationships against sanctions lists and
2. Geolocation tools are used to identify and prevent transactions from sanctioned countries.
4. Under the AFM guidance, CASPs must establish policies and procedures that enable compliance with sectoral sanctions and sanctioned distributed-ledger addresses.
1. The European Banking Authority (EBA)’s guidelines on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures, which are expected to be in force as of 30 December 2025, guide the design of the CASPs sanctions screening policy.
5. These policies should outline
1. Measures to be taken in case of a proper match with a sanctioned (legal) person, including freezing assets immediately.
2. Sanction matches are reported to the AFM.
3. the term "relationship" following the Sanctions Act and the guide on handling sanctions screening.
4. When executing transactions involving self-hosted addresses, CASPs must verify the identity of the individuals or entities owning or controlling the addresses.

TRANSFER OF FUNDS REGULATION

1. The Transfer of Funds Regulation (TFR) applies to CASPs of the originator, beneficiary and intermediary CASPs for crypto-asset transfers. It requires attaching verified information to transfers to ensure traceability. The regulation covers all transfers carried out by at least one CASP established in the EU, including those involving crypto vending machines.
1. Each transfer must include detailed information about the originator and beneficiary, including names, addresses, distributed-ledger addresses, crypto-asset account numbers, and legal entity identifiers (LEIs).
2. Reliable and independent sources must verify the information before initiating or executing the transfer.
2. For batch file transfers, CASPs can provide all required information in one batch file.
1. Each transaction in the batch must have a separate DLT address, crypto-asset account number, or unique transfer identification code. The batch file must originate from one originator, and all information should be provided separately for each transaction.
3. Other obligations include CASPs identifying whether a transfer involves a self-hosted address using technical means, such as blockchain analytics and third-party data providers.
4. For transfers exceeding €1,000, CASPs must verify the originator or beneficiary's ownership or control of the self-hosted address. Verification methods include unattended and attended verification , and sending predefined amounts and digital signatures (Guideline 83 of EBA's Travel Rule Guidelines).
5. CASPs must report instances where another CASP repeatedly fails to provide required information. This includes documenting the nature of the breach, the frequency of missing information and the actions taken. Reports must be submitted to the AFM without delay.

GDPR

1. Ensuring compliance with the General Data Protection Regulation (GDPR) is also essential. This includes implementing adequate technical and organisational measures to protect personal data against accidental loss, alteration, unauthorised disclosure, or access.
2. CASPs operating in multiple jurisdictions must facilitate sharing information about unusual transactions within the same organisation while adhering to AML/CFT obligations.

Source

https://www.osborneclarke.com/insights/what-are-new-dutch-anti-money-laundering-obligations-crypto-asset-service-providers