Customer due diligence requirements that apply to crypto service providers

In most cases this also applies to providers of exchange services between virtual and fiduciary currencies. However, customer due diligence is not mandatory for transactions below EUR 15,000, unless there are indications suggesting that the customer is involved in money laundering or terrorist financing. Even in cases that demonstrably involve a one-off transaction a service provider is expected to establish and verify the customer's identity. The Explanatory Memorandum to the proposed Act clarifies that a business relationship is also deemed to exist if the service provider has reason to assume, at the time of the first service provision, that a customer might use its services more often in the future. This also applies if the service provider doubts the transaction's one-off nature or if the service provider is unable to verify whether the customer presents itself as a new customer. It is the service provider's responsibility to make a well-founded assessment of whether a transaction is a one-off.

The requirements for customer due diligence are set out in Chapter 2 of the Wwft. The purpose of customer due diligence is to enable the institution:

a. to identify the customer and verify their identity;
b. to identify the customer’s ultimate beneficial owner and take reasonable measures to verify their identity and, if the customer is a legal entity, take reasonable measures to gain an understanding of the ownership and control structure of the customer;
c. to establish the purpose and the intended nature of the business relationship;
d. to continuously monitor its business relationships and the transactions conducted during their existence so as to ensure that these are in line with the institution's knowledge of its customers and their risk profiles, where necessary carrying out further investigations into the origin of the funds used in the relevant business relationship or transaction;
e. to establish whether the natural person representing the customer is authorised to do so and, where relevant, to establish that natural person's identity and verify it;
f. to take reasonable measures to verify whether the customer is acting on his own behalf or on behalf of a third party.

In many cases enhanced customer due diligence will be required. See this page for more information. 

Identification and verification

For identification purposes, the customer must submit proof of identity. For example by submitting a paper or digital form.

The verification process is intended to determine whether the proof of identity submitted matches the customer’s real identity. On the basis of documents, data or information from credible and independent sources, the bank must check the accuracy of the proof of identity submitted by the customer. Section 4 of the Regulation implementing the Wwft lists a number of documents that can be used for this purpose. Examples include a passport, ID card, driver's licence, travel document or residence permit.

Other documents, information or data can also be accepted for the purpose of verifying the identity of a natural person, provided they originate from a credible and independent source. It is the service provider's responsibility to determine on the basis of the firm's risk assessment which documents, information or data are acceptable for the purpose of verifying a person's identity and accepting them as a customer.

If documents do not originate from public authorities or the courts, the service provider should question whether the documents are sufficiently reliable. In general, such documents will in themselves not be sufficient to verify a customer's identity. Examples include student cards, employee ID cards and telecom or utilities bills. Another example is a 1 cent payment procedure. Like the other examples, this does not necessarily ensure an adequate prior identification and verification procedure, by another institution, and should not be regarded as a secure means of verification.

Service providers must also check the authenticity of the documents submitted and other sources, considering the risk of forgery and deception attempts.

In practice, many crypto service providers will use innovative remote solutions to identify their customers, developed by themselves or applied through a third party. While this is permitted, service providers must be aware of the risks involved and satisfy themselves that the sources meet assurance level “substantial” within the meaning of Article 8 of the eIDAS Regulation. In practice, a service provider may need to take additional measures to mitigate the risks.

These risks must be accounted for in the service provider's risk analysis and be subject to an adequate risk management regime. In addition, the service provider must have sufficient knowledge of the innovative solution and have a contingency plan in place to cover incidents such as technical disruptions. The service provider is responsible for ensuring adequate Wwft compliance if it outsources the implementation of the solution to a third party. In this context, service providers should take note of the European Statistical Framework's (ESA) “Opinion on the use of innovative solutions by credit and financial institutions when complying with their customer due diligence (CDD) obligations”.