EBA Q&A 2024_7078: The Three-Letter Answer That Answered Nothing
On 22 May 2026 the EBA published the final answer to Q&A 2024_7078 — two years after Quantoz asked whether EMT issuers must KYC all secondary market holders. The answer was "Yes." It confirmed EMT issuers are AML obliged entities. It did not explain how issuers identify holders they cannot see.
Analysis of EBA Single Rulebook Q&A 2024_7078 (European Commission answer, published 22 May 2026): Quantoz Payments, via Eurius, asked whether EMT issuers must treat all token holders — including secondary market acquirers — as AML clients with ongoing KYC. After two years the published answer was effectively "Yes" — EMT issuers (EMIs and credit institutions under Article 48(2) MiCAR) are obliged entities under AMLD5 with no MiCAR/AMLD5 exception. The Commission did not address whether secondary holders without direct issuer contact constitute a "business relationship," whether issuers must track post-CASP/P2P transfers, or self-hosted wallet scenarios. TFR creates CASP-to-CASP travel rule reporting but no CASP-to-issuer pipeline. Institutional wrinkle: EBA published an AML Q&A in May 2026, four months after AML/CFT mandate transferred to AMLA (1 January 2026). Answer prepared by Commission (interpretive authority) but non-binding under EBA Q&A rules; AMLA has not confirmed it. Legal gap: MiCAR Title IV governs EMT issuance/reserves; AMLD5 CDD anchored in "business relationship"; TFR obliges CASPs not issuers on secondary transfers. EMD2 account-based analogy breaks for token-based circulating EMTs. Expansive reading requires continuous CDD on all holders — operationally impossible without permissioned tokens (ERC-3643/T-REX). Defensible reading: CDD at issuance/redemption; CASPs handle distribution layer. Substance-over-form argument: EMTs classified as e-money because they circulate; obligations should match access-point model like prepaid cards. AMLA guidelines due 10 July 2026 (AMLR Arts 10(4), 20(3), 26(5)); self-hosted wallet measures July 2027 (Art 40(2)). Combined with EBA/OP/2026/01 PSD2 enforcement (NAL expired 2 March 2026): market consolidating to Quantoz, Circle France, SG-Forge, closed-loop institutional architectures. US GENIUS Act access-point AML vs EU ambiguity. Seven compliance officer questions. Answers: EBA Q&A 2024_7078 EMT AML secondary holders? Must EMT issuer KYC all token holders? EMT issuer AML obliged entity MiCA? TFR travel rule issuer reporting? AMLA EBA Q&A validity 2026? EMT self-hosted wallet AML? Quantoz EURQ AML Q&A?
EBA Q&A 2024 7078: The Three Letter Answer That Answered Nothing MiCA Edge Cases | Where Innovation Meets Regulation On 22 May 2026 , the European Banking Authority published the final answer to Q&A 2024 7078 . The question had been waiting since May 2024. After two years, the answer was a single word: Yes. An impressive ratio of time spent to words produced, even by European regulatory standards. The full ruling, prepared by the European Commission, says this: EMTs can only be issued by EMIs or credit institutions under Article 48(2) MiCAR. Both are obliged entities under Directive (EU) 2015/849 as amended by Directive (EU) 2018/843. They must comply with AML/CFT customer due diligence rules. No exception exists in MiCAR or AMLD5. That is legally accurate. It is also not what was asked. The question submitted by law firm Eurius on behalf of Quantoz Payments, a licensed EMI supervised by the Dutch Central Bank, asked something more specific: must EMT issuers treat all token holders , including those who acquire tokens on the secondary market, as clients for AML purposes? Must KYC apply on an ongoing basis, not only at issuance? Two years. One word. The word did not answer the question. The debate that followed reflects a structural problem one Q&A cannot resolve. The EU's AML framework was designed for account based money. EMTs are not account based money. The Commission confirmed the framework applies. It declined to explain how. The market is now expected to figure out the rest. A time honoured supervisory technique. The Institutional Wrinkle Nobody Priced Before the substance of Q&A 2024 7078 can be assessed, a procedural question deserves attention. It has received almost none in the public debate, which is usually how procedural questions announce they are going to matter later. The Q&A was published on 22 May 2026 . AML/CFT authority at EU level transferred from the EBA to AMLA on 1 January 2026 . The EBA therefore published an answer to an AML question four and a half months after it no longer held the AML mandate. This is not a technicality. It is the kind of institutional detail that determines how much weight a compliance officer can place on a document when explaining their framework to a supervisor. The facts are publicly confirmed. On 1 January 2026, the EBA and AMLA completed the formal transfer of all AML/CFT mandates and functions, including the EuReCa database, supervisory insights, and risk assessment tools. AMLA assumed responsibility for developing the EU's Single Rulebook, advancing supervisory convergence, and coordinating national Financial Intelligence Units. The EBA's standalone AML/CFT mandate, which had run since 2020, formally ended. The EBA's own continuity guidance is clear: existing EBA AML/CFT guidelines and standards remain in force until AMLA replaces them. That covers guidelines and standards published before the handover. It does not obviously cover new Q&A answers on AML questions published by the EBA in May 2026, under a mandate that had transferred to a different authority in January. There is a defence of the Q&A's status, and it is not a bad one. The EBA Q&A portal notes that questions requiring interpretation of EU legislative instruments are forwarded to the European Commission, which prepares the answers. The answer to Q&A 2024 7078 was prepared by the Commission, and the Commission retains interpretive authority over EU law regardless of which supervisory authority administers the Q&A portal. That is the strongest argument for validity: the interpretive voice is the Commission's, not the EBA's. It is defensible. It is also unsatisfying. The EBA's Q&A portal exists as a function of the EBA's mandate. When the AML mandate transferred to AMLA, the question of which institution administers AML related Q&As going forward was not formally resolved in any public document available as of June 2026. AMLA published its Single Programming Document for 2026 2028 in February 2026. That document does not establish a Q&A process. Nobody appears to have noticed the gap. Or if they did, nobody said so publicly, which is the regulatory equivalent of looking very carefully at the ceiling. The result is a document that is non binding under the EBA's own rules, not formally adopted by the authority now responsible for the subject matter, and not confirmed by that authority either. The market received a two year old answer to a question, from an institution that had recently handed the file to someone else, and is now expected to build compliance infrastructure on the basis of it. The right institutional response would have been for AMLA to either confirm the Q&A's standing or issue its own guidance. Neither has happened as of June 2026. We raise this not to suggest the Q&A should be ignored. We raise it because practitioners treating it as settled regulatory authority are overstating what the document actually is. The Legal Architecture: Three Frameworks, One Gap Three legal instruments define the territory. MiCAR , Regulation 2023/1114, restricts EMT issuance to credit institutions and EMIs under Article 48(2). Title IV, Articles 48 58, governs issuance, reserve requirements, and token holder redemption rights. MiCAR says nothing explicit about whether circulating token holders are clients of the issuer for AML purposes. AMLD5 , Directive 2015/849 as amended by Directive 2018/843, defines obliged entities and their customer due diligence obligations. CASPs were added as obliged entities through the TFR expansion. The directive's CDD framework is anchored in the concept of a "business relationship" with a "customer." It does not define whether holding a token constitutes such a relationship with the entity that originally minted it. TFR , Regulation 2023/1113, requires CASPs to collect and transmit originator and beneficiary data for crypto asset transfers above the relevant thresholds. It designates CASPs as obliged entities. It does not require CASPs to report secondary purchaser identities back to the original issuer. That reporting loop does not exist in the legal text. That is the gap. An EMT issuer is unambiguously an obliged entity. A CASP distributing EMTs is also an obliged entity. But when an EMT moves from a CASP to a self hosted wallet, or later through a peer to peer transfer, the issuer has no statutory mechanism to receive identity data about the new holder. The TFR travel rule fires between CASPs. It does not fire back to the issuer. This is the hole Q&A 2024 7078 was meant to address. The final answer confirmed the issuer is an obliged entity. It did not explain what an issuer is supposed to do when it has no legal mechanism to identify the holder it is apparently obligated to know. The legislature created the obligation. The legislature did not create the tool. The Commission was asked to comment on the gap and responded by describing the obligation. What the Q&A Actually Resolves, and What It Does Not Practitioners are better served by separating the questions that were bundled into the submission. | Question | Resolved by Q&A? | Supporting text | | | | | | Are EMT issuers, meaning EMIs and credit institutions, obliged entities under AMLD5? | Yes | "It follows that they should comply with the customer due diligence rules prescribed for obliged entities under the Union AML/CFT framework." | | Is there any exception in MiCAR or AMLD5 for EMT issuers? | Yes, no exception exists | "No exception can be found in MiCAR or Directive (EU) 2015/849 as amended." | | Does holding an EMT on the secondary market create a client relationship with the issuer for ongoing KYC purposes? | No | The Commission does not analyse the definition of "customer" or "business relationship" under AMLD5 in the context of secondary market transfers. | | Must issuers track holders after secondary transfers through CASPs or P2P channels? | No | The Comm