The deadline is rapidly approaching.

5AMLD — the Fifth Anti-Money Laundering Directive — is a piece of legislation that brings fiat-to-crypto exchanges and custodial wallets across the European Union under a new first-of-its-kind regulatory framework. Exchanges must achieve compliance with the rules by January 10, 2020. Time is ticking away, causing some exchanges to scramble, while others stand ready to roll out compliance procedures.

David Carlisle knows a thing or two about crypto and regulations. As former United States Treasury Anti-Money Laundering (AML) specialist and the current Head of Community at the blockchain analytics provider Elliptic, Carlisle has inside knowledge about the upcoming transition facing crypto businesses across the continent. Much of Elliptic’s client list is confidential, but among their public-facing customers are some of the largest operators in the world, including Coinbase and Binance.

Elliptic’s services let exchanges monitor and protect against suspicious activities connected to illicit funding, dark web interactions, and crypto wallets controlled by cyber-criminals. Carlisle explained, “Despite the public myth that cryptocurrencies are untraceable and anonymous, the big ones, especially, tend to be very, very traceable.” The company researches which illicit actors may be sitting behind certain crypto addresses and helps businesses steer clear.

5AMLD in a nutshell

5AMLD’s main impact on the crypto industry is that all EU member states must implement AML regulations. These exchanges will now be required to follow Know Your Customer (KYC) rules for monitoring customer transactions and file suspicious activity reports.

Customers undergo KYC processes by providing documents as proof of identity. This will ensure customers “are who they say they are,'' Carlisle said, “and that they’re legitimate and not attempting to abuse the platform for malicious purposes.”

Crypto companies in the EU have so far been able to provide their services without any AML and KYC controls in place. This has created a competitive problem, Carlisle explained. “It affects a lot of the big U.S. exchanges, like Coinbase, that were already subject to regulation elsewhere. Many of them already do, in effect, comply with AML requirements.”

Yet many EU companies are not following security procedures that have long been considered the industry standard in other regions. The new rules set a defined standard across the EU that establishes a level playing field for all competitors, Carlisle said.

Are exchanges ready?

When asked whether exchanges were ready, Carlisle explained that the current outlook is a bit of a mixed bag. Businesses with operations elsewhere, especially U.S.-based exchanges that also operate in Europe, have already done their homework. They tend to be very prepared because they have already dealt with compliance in other jurisdictions.

But according to Carlisle, some Euro-centric businesses still show cause for concern. “We see that some businesses probably aren’t as prepared as they need to be. One of the major issues is that while 5AMLD, in theory, provides a harmonized framework for how to regulate cryptocurrencies, in practice what we see is a lot of divergence from country to country in terms of how they will actually carry out that regulation.”

Regulations and the way they are implemented can vary significantly from one country to the next. Some businesses may not be prepared to ensure they are compliant in every single country where they may operate across the EU, Carlisle said. While 5AMLD sets a minimum regulatory threshold, it allows for additional regulations and procedures that differ greatly from one region to another.

Kraken, a U.S.-based exchange that operates around the world, is busily preparing for the upcoming changes. According to a Kraken spokesperson, the company is “following the developments closely and [we’re] working hard to ensure we continue to offer our services to all of our EU clients.”

Exchange businesses operating in multiple EU member states need to ensure they are covered by applying for the appropriate licences in every jurisdiction. This is a key area of concern for complete 5AMLD preparation. Companies like Kraken appear to be facing the challenge head-on, while others might be procrastinating.

Carlisle expressed concerns for some companies who seem to be waiting until January to get their compliance operations in line: “Crypto businesses tend to achieve the best results when they’re proactive instead of just waiting for regulation to drop on them.” Exchanges need to ensure compliance operations are up and running on time and that they have access to the necessary monitoring tools. “They might be better to think about trying to get some of those things in line sooner,” he warned.

Why Europe? Why now?

Examining trends in criminal activity, European crypto exchanges process much higher volumes of illicit activity compared to regions where regulation has been in place, Carlisle said. Comparatively little illicit activity takes place in the U.S., where regulation has been established for years. “Criminals have been able to abuse European-based platforms more easily than they have in some other parts of the world,” he said.

A concrete example of such criminal abuse is the notorious BTC-e, an eastern European exchange that was a nexus for money-laundering. Malicious actors took advantage of the fact that the region had virtually no rules in place to protect against such activity.

Furthermore, drug-trafficking networks across Spain and the Netherlands used certain lax crypto companies and crypto ATMs to launder their funds. Carlisle said, “We’ve seen vulnerability as a whole across the EU in terms of susceptibility to money laundering. There’s not been regulation in place to date, and so, we see the 5AMLD measures as a pretty important first step in closing that gap.”

Will this help or hurt crypto?

Carlisle acknowledged that regulation will tend to be a pain-point for crypto companies in the near term — they must absorb new costs to make sure they’re compliant. But in the medium and long term, regulation enables adoption and success for the companies who choose to embrace it, he said.

“People using an exchange want to know that the platforms they’re using are safe, [and] that their funds and personally identifiable information will not be jeopardized,” he said.

Finding the right compromise between user privacy and regulatory safety may also prove to be an ongoing challenge. A Kraken spokesperson said that "the balance point is a constantly moving target,” adding that Kraken “strives to ensure we only collect the information required to meet our regulatory and banking expectations, while maintaining customer privacy.”

It is a challenge that may prove to be daunting for some exchanges. As the deadline approaches, companies must navigate through a potentially overwhelming maze of regulatory variations. For some of these businesses, there is plenty of work left to do, and not a whole lot of time remaining.

Carlisle concluded, “The most successful businesses, the exchanges that are really thriving, are the ones that tend to take a proactive stance towards compliance and towards protecting themselves from financial crime.”