What are the new Dutch anti-money laundering obligations for crypto-asset service providers?
Published on 2nd June 2025
In addition to new regulations, the financial markets regulator has published some welcome guidance for CASPs
The Dutch authority for the financial markets (AFM) recently published specific Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regulations with which crypto-asset service providers (CASPs) are obliged to comply.
What is the general AML/CTF framework for CASPs and what are the key points from the additional guidance issued by the AFM specifically for CASPs?
Anti-money laundering
CASPs are subject to the general AML/CTF framework that applies to all regulated financial institutions: the Dutch Anti-Money Laundering and Counter-Terrorism Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme, or Wwft).
This framework has a risk-based character. Financial institutions must develop comprehensive risk assessments tailored to the services that are provided. The risk assessment should consider factors such as the type of client, product, service, transaction, delivery channel and geographical location and should be updated regularly. Under the AFM guidance, CASPs specifically should consider factors which increase the risk of money laundering and terrorist financing, such as the ability to transfer crypto-assets globally, high transaction volumes, volatility and anonymity.
In cases where there is an increased AML/CTF risk, institutions are required to perform enhanced due diligence. This includes additional measures such as verifying the identity of clients, obtaining more detailed information about the origin and destination of funds, and closely monitoring transactions. With regard to CASPs, the AFM guidance states that enhanced due diligence is particularly important for transactions involving self-hosted addresses or third countries, which pursuant to the AFM carry higher integrity risks.
Based on the Wwft, financial institutions must also implement robust transaction monitoring systems to continuously oversee business relationships and transactions. The AFM guidance specifies that, for CASPs, this includes monitoring both fiat and crypto transactions to detect unusual activities. Advanced analytical tools should be used to assess transaction histories and identify potential links to criminal activities, especially for transactions involving self-hosted addresses.
All financial institutions are obligated to report unusual transactions to the Netherlands Financial Intelligence Unit (FIU-the Netherlands) without undue delay. This includes transactions that raise suspicions of money laundering or terrorist financing. When dealing with crypto-assets, the AFM guidance clarifies that the lack of information from the originator or beneficiary in crypto-asset transfers may also be grounds for reporting an unusual transaction.
Sanctions
CASPs are subject to general sanction obligations that apply to all regulated financial institutions pursuant to the Dutch Sanctions Act (Sanctiewet 1977) and the Regulation on Supervision pursuant to the Sanctions Act 1977 (Regeling toezicht Sanctiewet 1977, RtSw). Among other things, these require the assessment of the risk of sanctions evasion and violations of sanctions regulations. This involves developing policies, procedures and measures to mitigate these risks. Institutions must ensure that business relationships and transactions do not involve transferring financial resources to sanctioned individuals or entities. Measures should include screening business relationships against sanctions lists and using geolocation tools to identify and prevent transactions from sanctioned countries.
Under the AFM guidance, CASPs must establish policies and procedures that enable compliance with sectoral sanctions and sanctioned distributed-ledger addresses. These policies should outline measures to be taken in case of a true match with a sanctioned (legal) person, including freezing assets immediately. Sanctions matches are reported to the AFM. The policies should also define the term "relationship" in accordance with the Sanctions Act and provide guidance on handling sanctions screening.
The European Banking Authority (EBA)’s guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures, which are expected to be in force as of 30 December 2025, provide guidance in the design of the CASPs sanctions screening policy.
Financial institutions must prevent economic resources from being provided to sanctioned persons. When executing transactions involving self-hosted addresses, CASPs must verify the identity of the individuals or entities owning or controlling the addresses.
Transfer of Funds Regulation
The Transfer of Funds Regulation (TFR) applies to CASPs of the originator, beneficiary and intermediary CASPs for crypto-asset transfers. It requires attaching verified information to transfers to ensure traceability. The regulation covers all transfers carried out by at least one CASP established in the EU, including those involving crypto vending machines.
Detailed information about the originator and beneficiary must be attached to each transfer. This includes names, addresses, distributed-ledger addresses, crypto-asset account numbers and legal entity identifiers (LEIs). The information must be verified based on reliable and independent sources before the transfer is initiated or executed.
For batch file transfers, CASPs can provide all required information in one batch file. Each transaction in the batch must have a separate DLT address, crypto-asset account number, or unique transfer identification code. The batch file must originate from one originator, and all information should be provided separately for each transaction.
Other obligations include that CASPs must identify whether a transfer involves a self-hosted address using technical means, such as blockchain analytics and third-party data providers. For transfers exceeding €1,000, CASPs must verify the ownership or control of the self-hosted address by the originator or beneficiary. Verification methods include unattended and attended verification, sending predefined amounts and digital signatures (Guideline 83 of EBA's Travel Rule Guidelines).
CASPs must report instances where another CASP repeatedly fails to provide required information. This includes documenting the nature of the breach, the frequency of missing information and the actions taken. Reports must be submitted to the AFM without delay.
Ensuring compliance with the General Data Protection Regulation (GDPR) is important as well. This includes implementing adequate technical and organisational measures to protect personal data against accidental loss, alteration, unauthorized disclosure, or access. CASPs operating in multiple jurisdictions must facilitate the sharing of information about unusual transactions within the same organisation while adhering to AML/CFT obligations.
Osborne Clarke comment
The additional guidance on AML/CTF specifically for CASPs is welcome. The general AML/CFT guidance by the AFM was not tailored to CASPs and this additional guidance provides some clarity and direction for CASPs to ensure compliance with the stringent AML/CFT regulations. It is a positive step towards enhancing the integrity and security of the crypto-asset sector in the Netherlands.
However, while the AFM guidance outlines the key principles and requirements, it lacks detailed instructions on how CASPs should implement these measures in practice. This could lead to varying interpretations and implementations across different CASPs, potentially resulting in inconsistencies in compliance and enforcement.
This insight was written with the assistance of Legal Assistant, Floor van de Swaluw.
