EU tightens grip on privacy coins, leaves peer‑to‑peer Bitcoin transfers intact
The European Union has adopted a sweeping anti‑money‑laundering (AML) package that sharply restricts how privacy coins can be used on regulated crypto platforms, while deliberately keeping direct Bitcoin transfers between private wallets outside mandatory identity checks.
Under Regulation (EU) 2024/1624, due to apply from July 10, 2027, crypto‑asset service providers in the bloc will be subject to tougher customer verification rules and will be barred from offering services that mask the origin, destination, or ownership of funds. The aim is to close perceived loopholes used for money laundering and terrorist financing, without completely shutting down non‑custodial and peer‑to‑peer crypto activity.
Privacy coins pushed off regulated platforms
The most controversial part of the new rules targets so‑called privacy coins and anonymizing tools. The regulation explicitly bans anonymous crypto accounts and prohibits services that “allow transaction anonymisation or increased obfuscation,” explicitly including anonymity‑enhancing cryptocurrencies.
In practice, this means exchanges, custodians, and other licensed crypto‑asset service providers in the EU will not be allowed to list, hold, or process transactions involving privacy‑focused assets such as Monero or Zcash (and similar coins), at least in their privacy‑enhanced form. Any feature or tool that significantly obscures transaction trails is likely to be treated as non‑compliant.
However, the law stops short of an outright ban on these assets themselves. Individuals are not forbidden from holding or using privacy coins privately. The restrictions apply to regulated intermediaries, not to every interaction with a privacy‑focused blockchain. Users can still transact from one self‑hosted wallet to another, but moving those funds into or out of a regulated platform will be heavily constrained or entirely blocked.
Peer‑to‑peer Bitcoin transfers remain outside AML checks
One of the clearest carve‑outs concerns Bitcoin and other cryptocurrencies when used in a peer‑to‑peer manner. Clarifications accompanying Regulation (EU) 2024/1624 state that identification obligations apply to crypto‑asset service providers, not to all on‑chain transactions.
As a result, direct transfers between self‑hosted wallets – for example, one individual sending Bitcoin from their own wallet to another person’s own wallet with no regulated firm involved – are not covered by the new customer identification rules. These transactions fall outside the scope of mandatory AML checks under this regulation.
This approach draws an explicit line between activity processed through supervised intermediaries and private, self‑custodied use. From the EU’s perspective, the key AML risk lies where fiat on‑ramps, exchanges, and custodial services interact with the broader financial system, not where two private wallets transact directly on a public blockchain.
Stricter due diligence for regulated crypto providers
For businesses that are regulated, the framework sets clear thresholds. Crypto‑asset service providers must apply full customer due diligence measures when handling occasional transactions worth 1,000 euros (about 1,150 dollars) or more. This typically includes verifying identity documents, assessing the purpose and nature of the transaction, and, where necessary, monitoring for unusual patterns.
Even below this 1,000‑euro threshold, providers are still required to identify their customers. While the most stringent verification steps may not be mandatory for smaller, isolated transactions, anonymity is no longer an option where a regulated intermediary is involved. The concept of truly anonymous accounts at licensed crypto firms is effectively removed from the EU market.
In parallel, the EU’s Travel Rule framework, codified in Regulation (EU) 2023/1113, obliges regulated providers to transmit identifying information about both the sender and recipient when processing crypto transfers. Additional checks kick in once a transfer involving a self‑hosted wallet reaches 1,000 euros or more and passes through a regulated intermediary. That means moving funds between your own wallet and an exchange, or between two users via an exchange, will trigger data‑sharing requirements once the threshold is crossed.
What this means for everyday crypto users
For retail users who already trade through compliant exchanges, the immediate experience may not feel dramatically different. Know‑your‑customer (KYC) procedures are already the norm across most large platforms, and these will simply become more standardized and legally anchored. Users will continue to submit identity documents, proof of address, and, where applicable, provide information on the source of funds.
The bigger change will be felt by those who rely on privacy coins or complicated obfuscation tools as part of their financial habits. Once the rules are in force, obtaining or cashing out privacy assets via regulated EU platforms is likely to be extremely difficult. Holders may need to rely more heavily on decentralized markets or foreign platforms, which in turn introduces legal, liquidity, and counterparty risks.
On the other side, individuals who primarily use Bitcoin or major altcoins via self‑hosted wallets and transact directly with others will notice that the law still leaves room for peer‑to‑peer usage without mandatory identity disclosure. However, the moment they interact with a licensed exchange or payment provider, they fall back into the full AML perimeter.
New bloc‑wide limit on cash payments
The AML overhaul is not limited to digital assets. Regulation (EU) 2024/1624 also introduces a harmonized ceiling of 10,000 euros (roughly 11,500 dollars) for commercial cash payments across the entire EU. This cap is designed to make it harder to launder large amounts of money in physical currency, which remains a preferred medium for illicit transactions due to its untraceability.
Member states are allowed to maintain or adopt stricter national caps if they wish. Several countries already enforce lower limits, and those domestic rules can continue to apply. The EU ceiling is therefore a maximum common threshold rather than a uniform standard that overrides tougher local laws.
For cash transactions valued at 3,000 euros (around 3,450 dollars) or more, traders and other obligated entities must verify the identity of their customers and carry out due diligence checks before completing the deal. This means more documentation for high‑value purchases in sectors such as luxury goods, art, jewelry, and certain types of vehicles.
The regulation clarifies that this 10,000‑euro ceiling does not apply to deposits or payments carried out through banks, payment institutions, or electronic money providers. Those channels are already subject to continuous monitoring, transaction reporting, and suspicious activity detection systems under existing AML rules.
Expanded list of sectors under AML obligations
A major structural change in the law is the expansion of the sectors formally placed under the EU’s AML regime. In addition to financial institutions and crypto‑asset service providers, the regulation brings several new categories into the net.
Professional football clubs and football agents, for instance, will now need to implement compliance programs, verify their counterparties, and report suspicious activity. The sector has long been flagged by regulators as vulnerable to opaque transfers, inflated fees, and the use of complex ownership structures to move funds discreetly.
Crowdfunding operators are also covered, reflecting concerns that online fundraising platforms can be used to channel illicit funds under the guise of legitimate campaigns. Investment migration services – programs that offer residency or citizenship in exchange for investment – face heightened scrutiny as well, in line with fears that such schemes can be abused to launder wealth and secure access to the EU.
Luxury goods dealers and several other high‑value sectors will have to build AML compliance into their daily operations, including customer onboarding procedures, ongoing monitoring, staff training, and record‑keeping.
Stronger transparency on beneficial ownership
To further reduce anonymity in company and trust structures, the EU has tightened beneficial ownership transparency rules. Legal entities operating across the bloc must identify and register their ultimate beneficial owners in national registries. Typically, a person is considered a beneficial owner when they hold at least 25% of ownership or control; for certain high‑risk structures, this threshold can be reduced to 15%.
Trusts, foundations, and non‑EU entities that engage in specific business activities or real estate deals within the EU will also face disclosure obligations. Trustees are required to update beneficial ownership information within 28 calendar days when changes occur, ensuring that registries reflect more accurate and timely data.
These measures are intended to close off the use of shell companies, layered corporate vehicles, and opaque trusts to hide the identity of those who ultimately control assets or businesses. For regulators, law enforcement, and financial institutions, easier access to reliable ownership data is seen as crucial in tracing suspicious flows and freezing illicit wealth.
Balancing privacy, innovation, and enforcement
The new AML framework reflects a broader tension in financial regulation: how to combat crime without erasing personal privacy or stifling innovation. On one hand, the EU is clearly signaling that the era of anonymity at regulated on‑ and off‑ramps is over. On the other, it is leaving a degree of freedom for users who prefer self‑custody and peer‑to‑peer transactions, especially with mainstream cryptocurrencies like Bitcoin.
Privacy advocates argue that constraining privacy coins and imposing stricter checks could drive some activity into less regulated corners of the market, potentially undermining the stated objective of transparency. Industry participants also warn that smaller platforms may face rising compliance costs, reducing competition and entrenching larger incumbents that can afford robust AML systems.
Regulators counter that public blockchains, by design, create auditable records, and that properly designed AML obligations can coexist with decentralization. By focusing on intermediaries and fiat interfaces, they aim to target the most vulnerable points for abuse while not attempting to police every direct transaction between private wallets.
How businesses should prepare
Crypto‑asset service providers operating in or targeting EU customers will need to prepare well before 2027. This includes:
– Reviewing product offerings to identify any privacy‑enhancing features or coins that may fall under the new prohibitions.
– Strengthening KYC processes to ensure they meet the upcoming standards for both occasional and ongoing customer relationships.
– Implementing or upgrading Travel Rule compliance solutions to exchange sender and recipient data securely with other providers.
– Training staff on red flags specific to crypto transactions, such as rapid movement through multiple wallets, use of mixers, or frequent cross‑border flows without clear economic rationale.
Businesses in newly covered sectors – from football clubs to luxury retailers – will have to design AML frameworks from the ground up, including appointing compliance officers, adopting internal policies, and establishing systems to identify and report suspicious activity.
What EU residents should expect going forward
For individuals living in the EU, the immediate impact will be most visible in two areas: the way they interact with crypto platforms and the way they pay for high‑value goods in cash.
Opening accounts on exchanges, sending large transfers through custodial services, or using certain crypto payment providers will increasingly resemble dealing with traditional banks in terms of documentation and identity checks. Users will also find it harder, or impossible, to use privacy coins via regulated venues.
At the same time, people who wish to keep using Bitcoin and other mainstream assets in a self‑custodied, peer‑to‑peer fashion will see that this remains legally possible without automatic identification under this regulation, provided no regulated intermediary is involved in the transfer. Cash‑heavy users and businesses will confront new 10,000‑euro limits and greater scrutiny for transactions above 3,000 euros.
The EU’s approach illustrates a clear policy trajectory: curbing anonymity at regulated gateways, tightening oversight in traditionally opaque sectors, and increasing transparency on who truly owns and controls assets – while still leaving some space, at least for now, for private, direct transactions on public blockchains.