Media

MiCA: EU Regulation and the Impacts for the Investigations Sphere

March 2024

In April 2023, the European Parliament voted in favour of passing the Markets in Crypto-Assets Regulation (‘MiCA’), bringing through the first comprehensive set of regulations for the cryptocurrency industry. MiCA’s scope of its regulations included those for crypto platforms, token issuers and traders, providing requirements for disclosure, transparency, authorisation and supervision of crypto transactions.

The wide reach of MiCA has meant that the European Banking Authority (‘EBA’) and European Securities and Markets Authority (‘ESMA’) have taken a phased approach to its implementation. Two consultation packages were published in July and October 2023, with a third to be released in Q1 2024.

MiCA’s regulations classify three types of crypto assets; E-money token (‘EMTs’), Asset-reference tokens (‘ARTs’) and Utility tokens.

The rules provided a breakdown of how issuers of crypto assets will be supervised. The EBA will take responsibility for issuers of significant EMTs and ARTs, whilst the EMSA will supervise large scale Crypto-Asset Service Providers (‘CASPs’). Lower-level cryptocurrency issuers and service providers will be supervised by national level authorities.

Disclosure

One of the key issues for investigators and legal teams in cases surrounding cryptocurrency fraud is identifying the real-world actors behind private and exchange addresses. Obtaining sufficient disclosure from exchanges and other service providers has been a minefield. A lack of regulation has allowed these entities to provide limited information in response to disclosure orders, which in turn continues to exacerbate the obfuscation or real-world identities. Fraudsters can largely act with impunity, off ramping the proceeds of fraud through legitimate exchanges, knowing their personal information is obscured.

The EU’s new regulations have sought to bring the cryptocurrency industry in line with previously issued anti-money laundering rules. In practice, these new requirements should aid both the public and private sectors’ ability to obtain information on bad actors.

MiCA’s regulations include stipulations for crypto-asset providers to comply with the EU’s 2015 4th Money Laundering Directive in order to be authorised. Notably, this would require entities to conduct enhanced Know Your Customer (‘KYC’) checks and keep accurate and current information on centralised beneficial ownership registers.

The EU’s 5th EU Anti-Money Laundering Directive, published in 2018, contained provisions for public access to beneficial ownership information, ensuring that parties with legitimate interest could obtain important information on entities. However, a ruling by the Court of Justice of the European Union (‘CJEU’) in November 2022, counteracted the provisions that had ensured public access. This directly led to journalists and civil society organisations encountering difficulties in accessing information on beneficial ownership registers across member states.

Transparency International found that in the year following the ruling, across 13 of the 27 EU member states, journalists and civil society organisations could either not access the information or had to meet complex requirements to prove legitimate interest. Following the 2022 ruling, eight countries suspended public access to their beneficial ownership registers. Notably, Transparency International highlighted that Cyprus, Malta and the Netherlands have denied access in cases where legitimate interest has been demonstrated.

In the context of MiCA, although the regulations specify compliance with 4th Money Laundering Directive, in practice the public access to registers from certain member states may remain restricted. This in turn would make it harder for investigators to obtain crucial real-world information for civil litigation cases on bad actors who are largely protected by the anonymous nature of cryptocurrency.

Tackling Crypto Privacy

The EU’s MiCA regulations are set to come into effect alongside a new Anti-Money Laundering Regulation (‘AMLR’). The new AMLR remains under negotiation but is forecasted to come into effect between 2026 and 2027.  

The new AMLR seeks to reduce crypto’s obscure nature, with the EU reportedly exploring a ban on coins such as Monero and Zcash which enhance a holder’s anonymity. This trend of scrutinising privacy coins is not new. In December 2023, OKX announced that it would delist Monero, Dash and Zcash in early 2024 as they did not meet the exchange’s listing criteria. By February 2024, Binance also stated it would delist Monero, after previously monitoring the cryptocurrency. Increasing regulatory pressure has been cited as a primary factor in these decisions.

Privacy coins became increasingly popular with cybercriminals to launder stolen funds. Notably Monero, which is has protocols to anonymise transaction amounts, senders and receivers by default, posed issues for investigators. With increased regulation on privacy coins, cybercriminals will find it progressively more difficult to utilise them to offramp stolen funds. In turn, this could force them to utilise traditional routes, which now face greater requirements for disclosure, thereby aiding investigators.

MiCA and ALMR also have provisions to prevent crypto businesses from offering anonymised accounts and restrictions on interactions with self-hosted wallets. In January 2024, the EU parliament reached a provisional agreement with the EU Council to make CASPs apply customer due diligence when carrying out transactions of €1,000 or more.

As part of the provisional agreement, further regulations are set to be implemented on transactions with self-hosted wallets. These include requiring CASPs to take measures to identify the beneficiary of transactions and obtain information on the origin and destination of the crypto assets.

Investigators will benefit from CASPs being required to obtain this information. Enhanced intelligence from disclosure, will allow investigators to determine if funds have potentially changed hands in the off-ramping process. Additionally, cybercriminals will find it harder to offramp stolen funds for fear of disclosing their identities through KYC processes.

Conclusion

The EU’s comprehensive approach to cryptocurrency regulation has been lauded by those who have been calling for the sector to be brought in line with traditional fiat markets. The regulations open avenues for investigators to better tackle the issues faced when dealing with cryptocurrency-based offences.

As first movers in the digital asset recovery space, Quintel Intelligence has partnered with CipherTrace by Mastercard and provides investigative support to auditors, liquidators, exchanges, and private clients on Cryptocurrency matters. Our reports are used in legal proceedings globally to assist claimants and their representatives to track and ultimately recover digital assets.