Stay Updated on Crypto Compliance & Crypto Regulation in the EU
Stay informed about the latest events, webinars, and news on crypto compliance in the European Union. Join our community of compliance professionals and ensure your business stays ahead of regulatory changes.
Your Hub for Cryptocurrency Compliance in the European Union
Welcome to your go-to resource for all things related to crypto compliance in the EU. Here, you’ll find the latest news, upcoming events, and insightful webinars to keep you informed and compliant.
Recent News on Crypto Regulation in the EU
Stay up-to-date with the latest news articles, regulatory updates, and industry insights on crypto compliance in the EU.
The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.
Highlights of What Changed in the EBA’s Final Travel Rule Guidelines
1. More Flexibility in the Scope of Required Originator Information:
The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.
2. Eased Requirements for SHW Transfers Below €1,000:
The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.
3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:
The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.
4. Clarification for 3rd-Party SHW Transfers Above €1,000:
The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.
{{european1="/cta-components"}}
Overview of Applicable Obligations
The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:
- Transactions of 1,000 euros or less.
- Transactions over 1,000 euros where the wallet owner is a CASP customer.
- Transactions over 1,000 euros where the wallet owner is not a CASP customer.
Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.
A. Transactions of 1,000 Euros or Less
For transactions of 1,000 euros or less involving self-hosted wallets, the TFR mandates that CASPs collect and hold specific information about the parties involved. As outlined in Articles 14/5 and 16/2 of the TFR, transactions involving self-hosted wallets of 1,000 euros or less require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.
The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:
• Full name of the originator and beneficiary
• Distributed ledger address
• Account number
The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. Now, CASPs are mandated to collect and retain specific pieces of information from their customers. [1]
B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP
For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. [2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. [3]
The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:
- Advanced analytical tools
- Unattended verifications (e.g., displaying the address)
- Attended verifications (e.g., live customer interaction)
- Sending a predefined amount from the wallet to the CASP
- Signing a specific message in the account and wallet software
- Other suitable technical means, as long as they allow for reliable and secure assessment. [4]
Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. [5]
C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer
The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:
- Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
- Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. [6]
Verification and Risk Assessment
CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.
General Obligations for Self-Hosted Wallet Transactions
In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:
1. Self-Hosted Wallet Identification
Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. [7]
2. Threshold Calculation
Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. [8]
3. Risk Assessment
Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. [9]
Additional Context and Considerations
FATF’s Recommendation 16
Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.
Regulatory Expectations and Trends
Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.
Future Assessments
By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.
The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.
{{european2="/cta-components"}}
The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions.
Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.
The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority’s final Travel Rule Guidelines impose stringent requirements on Crypto Asset Service Providers (CASPs) to ensure transparency and security in crypto-asset transactions. Beneficiary CASPs, in particular, have critical responsibilities in managing incoming transactions despite their limited control over deposit flows compared to originating CASPs.
Beneficiary CASPs cannot proactively block incoming deposits and rely on the compliance of the originator CASP to meet obligations. Therefore, it is crucial to evaluate strategies for handling non-compliant deposits. This article focuses on the specific requirements for beneficiary CASPs and strategies for managing transactions that fail to meet compliance standards.
Required Information for Transactions
Under Article 16/1 of the TFR, beneficiary CASPs are obligated to receive specific information about both the originator and the beneficiary of each transaction. Articles 14(1) and 16(1) of the TFR specify the required information, including:
- Full name of the originator and beneficiary
- Distributed ledger address and account number
- Address and official personal document number of the originator
- Additional optional information, such as customer identification number or date and place of birth, to ensure unambiguous identification.
Monitoring Systems for Detecting Non-Compliance
The TFR mandates that beneficiary CASPs implement robust monitoring systems to detect non-compliant transactions. According to the Travel Rule Guidelines, these systems should include:
- Methods for detecting missing, incomplete, or meaningless information.
- Pre- and post-monitoring practices aligned with money laundering and terrorist financing (ML/TF) risk levels.
- Criteria for recognizing risk-increasing factors. [1]
Managing Non-Compliant Transactions
Beneficiary CASPs must follow specific procedures to detect a transaction lacking the required information. Article 17 of the TFR outlines four possible actions:
- Execute: The CASP can proceed with the transaction if the risk assessment allows it.
- Reject: The transaction can be rejected if it does not meet compliance standards.
- Return: The funds can be returned to the originator if the necessary information is not provided.
- Suspend: The transaction can be temporarily suspended while additional information is requested.
The Travel Rule Guidelines provide more granularity on how CASPs should define the appropriate follow-up action:
- Beneficiary CASPs can request missing information from the originator CASP rather than immediately rejecting or returning the transfer. [2]
- If the information is not provided within a specified timeframe (three working days for EU transfers and up to seven days for others), the CASP must decide whether to proceed based on a risk assessment. [3]
- If the rejection is technically impossible (e.g., the crypto-assets have already been received), the transfer should be returned to the originator. [4]
- If returning the transfer to the original address is not possible, CASPs should hold the returned assets in a secure, segregated account while communicating with the originator CASP to arrange the proper return of the crypto-assets. [4]
Managing Non-Compliant Counterparties
When beneficiary CASPs identify deposits missing Travel Rule data, it not only disrupts the transaction but also strains relationships with non-compliant counterparties. Here’s how CASPs should manage these situations according to Article 17/2 of the TFR:
- Reassess the Relationship: Evaluate if the counterparty repeatedly fails to provide the required information.
- Report Non-Compliance: Notify competent authorities about the non-compliance.
Assessment Criteria
To determine the appropriate course of action, CASPs must assess whether the counterparty has repeatedly failed to meet their obligations. The assessment involves both quantitative and qualitative criteria:
- Quantitative: Frequency of incomplete transfers and unanswered follow-up requests. [5]
- Qualitative: Counterparty cooperation, agreements for extended time, and reasons for missing data. [6]
Steps for Repeated Non-Compliance
- Issue Warnings: Inform the counterparty of potential consequences and set deadlines for compliance.
- Enhanced Due Diligence: Apply stricter measures to manage risk.
- Terminate Relationship: If necessary, end the business relationship or reject future transfers.
- Report Repeatedly Non-compliant CASPs: CASPs must report non-compliant counterparties within three months of identifying non-compliance and include details of the non-compliant counterparty CASP, nature and frequency of breaches, justifications provided, and actions taken. [7]
General Obligations
Finally, the Travel Rule Guidelines offer a concise overview of supplementary requirements that CASPs should consider when dealing with deposits.
Pre vs. Post Transaction Monitoring
CASPs are responsible for establishing policies and procedures to determine which transfers require monitoring before or during the transfer process. This decision should consider any factors that may increase risk, as specified in the “EBA’s Guidelines on Money Laundering/Terrorist Financing (ML/TF) Risk Factors.” [8]
Meaningless and Inconsistent Information
CASPs should treat information as missing if essential fields are left empty or if the provided information is deemed meaningless or inconsistent. For example, random strings of letters should be considered meaningless information. [9]
Communication Systems
When contacting the counterparty for clarification, CASPs should use the same messaging system utilized to transmit the initial information. [10]
Self-Hosted Wallet Deposits
For deposits from self-hosted wallets, any requests for clarification should be directed straight to the customer. [11]
Interested in learning more? Check out our articles on Self-Hosted Wallet Transaction Requirements Under the EU TFR and Top 10 Insights European CASPs Need to Know About the Upcoming Travel Rule Compliance Regulation.
A Comparative Analysis of the EU's Transfer of Funds regulation with current industry standards on Travel Rule
Today marks the achievement of a major milestone in European crypto regulation: the European Parliament approved the Regulation on Markets in Crypto-Assets (MiCA) and the revision of the Regulation on information accompanying transfers of funds (TFR, or Transfer of Funds Regulation).
The approval of MiCA is a landmark that has the potential to set standards for crypto regulation globally. One of its main goals is to provide clarity and legal certainty for the crypto industry, which has been operating in a regulatory gray area for many years. MiCA establishes a level playing field for all European crypto-asset service providers (CASPs) and boosts consumers’ protection when using crypto-assets. It does so by introducing new rules for issuers of crypto-assets, CASPs, and trading platforms. It will also establish a new regulatory regime for stablecoins, which have become increasingly popular in recent years due to their stability and ease of use for payments.
Despite the press attention on MiCA, the TFR is a critical piece of legislation that will harmonize crypto Travel Rule requirements across Europe and fundamentally change how we transact in crypto. In June 2019, the FATF published its Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), extending anti-money laundering/countering the financing of terrorism (AML/CFT) obligations to cover VAs and VASPs. This directive included the Travel Rule, which obliges VASPs that exchange, hold, safe keep, convert, and sell virtual assets to obtain, hold, and transmit required originator and beneficiary information immediately and securely during VA transfers.
Since FATF introduced the crypto Travel Rule, national regulators have been working on transposing these requirements to their local frameworks, and significant progress has been achieved globally. With the introduction of the TFR, the EU follows in these footsteps and introduces Travel Rule obligations for European CASPs.
Notabene reports on the progress achieved in the implementation of the Travel Rule through an annual global crypto Travel Rule compliance report. The 2023 edition will be available soon, and today we share how the TFR compares with industry benchmarks using fresh findings from our report.
The revised Transfer of Funds Regulation
The European Commission made a significant move to combat money laundering and terrorism financing with an ambitious package of legislative proposals presented on July 20, 2021. The package aims to strengthen the EU's anti-money laundering and countering terrorism financing (AML/CFT) rules.
The package includes various measures to improve the EU's AML/CTF framework, including the revision of the Transfer of Funds Regulation to make it possible to trace transfers of crypto-assets by imposing Travel Rule requirements on CASPs.
As mentioned above, the revision of the Transfer of Funds Regulation was finally approved by the European Parliament plenary today (April 20, 2023). However, the EU’s AML/CTF legislative package is not yet finalized. Notably, the legislative process of the new proposed regulation on AML/CTF (AMLR) is still ongoing and is expected to impact the requirements applicable to transactions with self-hosted wallets.
For now, let’s dive into the TFR and how it compares to global industry standards on the crypto Travel Rule.
Five key TFR takeaways: EU vs. Global Industry Standards
1. Travel Rule comes into effect for all EU VASPs on December 30, 2024
The Transfer of Funds Regulation will start applying on December 30, 2024, 18 months after the regulation enters into force.
According to Notabene’s 2023 State of Travel Rule Report, the large majority (84%) of respondents are currently complying or intend to comply with the Travel Rule by Q4 2023. In the United Kingdom, Travel Rule will be enforced starting September 2023, and several other crypto hubs are enforcing Travel Rule compliance already. This creates a considerable gap between the EU’s and third-countries timelines for Travel Rule implementation, which may prevent the industry from overcoming the Sunrise Issue. To stay competitive and continue to be able to transact with counterparties outside the EU, CASPs will need to roll out Travel Rule ahead of the TFR deadline.
Notabene’ study also reveals that Europe's adoption is delayed compared to the rest of the market. In particular, EMEA is the region with the highest percentage of VASPs planning to be compliant after Q4 2023. This may have reflected a lack of regulatory urgency, with many EU VASPs awaiting the implementation of Travel Rule requirements through the revised Transfer of Funds Regulation which had just occurred.
2. Zero Exceptions: Travel Rule obligations apply to all transactions, regardless of amount or location - inside or outside the Union.
EU CASPs will be required to comply with Travel Rule obligations in every transaction, regardless of its amount. No de minimis threshold applies, and there is no simplification of requirements for transactions within the Union. It is also worth noting that the scope of originator and beneficiary information that the originator CASP is required to share also does not vary depending on the transaction amount - the same scope, defined in Article 14 (1) and (2), is required for every transaction.
Recital 27 justifies the policy option by citing the “inherent borderless nature and global reach of transfers of cryptoassets and of the provision of crypto-asset services,” and being “in line with the FATF requirement to treat all transfers of crypto-assets as cross-border,” which invalidates any distinction on the scope of obligations when transacting within and outside the Union. [1]
As reported in our 2023 global crypto Travel Rule compliance report, the approach taken by the TFR (imposing the same information transmission obligations regardless of the transaction amount) contrasts with the option taken by several other jurisdictions, notably Singapore, Germany, Hong Kong, and the United Kingdom, which allow a more limited scope of information to be shared below a certain threshold.
3. First-party transactions with self-hosted wallets over 1,000 euros require wallet ownership verification.
In line with FATF recommendations, transactions with self-hosted wallers fall within the scope of the revised Transfer of Funds Regulation [2].
When transacting with self-hosted wallets, European CASPs must collect the required originator and beneficiary information and comply with the following additional wallet verification obligations for transactions exceeding 1,000 Euros:
- When sending a transfer exceeding EUR 1,000 to a self-hosted wallet, the originator VASP is required to verify if that wallet is owned or controlled by the originator customer;
- When receiving a transfer exceeding EUR 1,000 from a self-hosted wallet, the beneficiary VASP must verify that the beneficiary customer owns or controls the originating wallet.
This means wallet ownership verification requirements apply to first-party transactions to/from self-hosted wallets exceeding EUR 1,000. [3]
Our 2023 State of Travel Rule Compliance Report revealed that the majority of surveyed VASPs already enforce restrictions when transacting with self-hosted wallets. Additionally, just over a third of companies (34.3%) only allow first-party transactions with self-hosted wallets, provided the customer can demonstrate ownership of the wallet address, which aligns with the approach taken by the TFR.
Going forward, VASPs will require a tool that allows them to determine if the transaction is with a self-hosted wallet and swiftly verify ownership before proceeding.
Notabene’s self-hosted wallet identification tool pinpoints the jurisdictional requirements of each transaction. It collects counterparty customer data from your withdrawal screen, creating an archive for sanctions compliance, record keeping, and Suspicious Activity Reports.
4. Due diligence measures for non-EU entities must adhere to correspondent banking standards.
In its Updated Guidance for VAs and VASPs (October 2021), FATF makes it clear that counterparty due diligence for the purposes of engaging in Travel Rule flows is distinct from the due diligence required to establish correspondent banking relationships [4]:
The nature of CASPs' relationships for transacting and sharing Travel Rule information is distinct from correspondent banking relationships and, hence, could justify a different - and more limited - scope of counterparty due diligence obligations to apply.
However, the revised Transfer of Funds Regulation goes in a different direction: citing the “ongoing and repetitive” nature of the relationships between domestic CASPs and foreign VASPs for the purpose of transacting, the TFR deems these relationships as a type of correspondent relationship subject to enhanced due diligence measures.
The measures CASPs are required to apply will be further specified in guidance issued by the European Banking Authority. Clear and adequate regulatory guidance on counterparty due diligence obligations will be key to enabling European CASPs to comply adequately.
Notabene’s 2023 State of Crypto Travel Rule Compliance Report shows 52% of respondents send Travel Rule transfers to all VASPs without applying any criteria or counterparty due diligence process. This indicates that perhaps counterparty due diligence is a component of Travel Rule compliance that VASPs still struggle to grasp fully. Local laws and regulations are often vague or silent on this topic, although it is covered at length in the FATF Guidance. The upcoming guidance by the European Banking Authority should set expectations as to what counterparty due diligence measures are required for the purposes of transacting and engaging in Travel Rule flows. It will also be relevant to specify cases where VASPs may be exempt from carrying out due diligence (e.g., relying on the uniform requirements and supervision applied in the jurisdiction or region) or where simplified due diligence measures are permissible. [5]
5. CASPs are required to fulfill Travel Rule obligations prior to transacting
Notabene welcomes the clarification provided by the TFR that Travel Rule compliance needs to be performed pre-transaction. This is particularly important given the specific characteristics of virtual asset transactions: settlement is immediate and irreversible; hence, only pre-transaction actions can effectively mitigate risk.
In line with this, Notabene is a pre-transaction decision-making platform offering a secure, holistic view of crypto transactions that enables CASPs to identify and stop high-risk activity before it occurs on the blockchain.
According to the revised TFR, originator CASPs are required to transmit information to the beneficiary CASP before sending the corresponding crypto transaction. In turn, Beneficiary CASPs need to ensure that the required information was received before making funds available to the end customer. [6]
According to Notabene’s 2023 State of Crypto Travel Rule Report, although the industry is making significant progress in Travel Rule adoption, a notable discrepancy exists between VASPs’ claims of compliance and their fulfillment of pre-transaction obligations.
37.5% of companies reporting to be Travel Rule-compliant fulfill requirements post-transaction, which does not align with the TFR’s pre-transaction requirements or the FATF standards. Providing European CASPs with regulatory clarity in that Travel Rule is a pre-transaction requirement is a fundamental step to drive compliance in the right direction.
Next steps:
The revised Transfer of Funds Regulation will be supplemented by guidelines issued by the European Banking Authority on different aspects, for example:
- The factors to be taken into account by CASPs when entering into business relationships or carrying out transactions in crypto-assets and enhanced due diligence measures that obliged entities shall consider applying to mitigate higher risks when identified, including the adoption of appropriate procedures to detect the origin or destination of crypto assets;
- The criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made to or from a self-hosted address, in particular through reliance on third parties, taking into account the latest technological developments.
FATF Travel Rule Requirements in the European Union
Resources for Crypto Compliance
Explore our collection of whitepapers, case studies, and guides to deepen your understanding of crypto compliance in the EU.
In July 2021, the European Commission submitted a legislative proposal for a regulation on information accompanying transfers of funds and certain crypto-assets - the “Transfer of Funds Regulation.”
Subsequently, the EU Parliament reviewed the proposal and, in April 2022, adopted a Report expressing its first reading position. The Report introduced quite a few changes to the text initially proposed by the Commission. The Commission, the Council, and the Parliament then initiated trilogues–informal meetings between representatives of the three bodies to reach a provisional agreement acceptable to both the Parliament and the Council. The Commission acts as a mediator of the discussion.
All parties finally reached a consensus on June 29th, 2022, which leads us to the final step of the legislative process: the formal approval of the Regulation by the Parliament and Council.
Below we summarize key points:
*Please note that where the Financial Action Task Force (FATF) uses VASPs (virtual asset service providers), the European Parliament uses CASPs (crypto asset service providers.)
1. The Travel Rule will not apply to peer-to-peer transactions.
The EU Parliament states:
The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoins trading platforms, or among providers acting on their own behalf.
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules. This is in line with the regulatory paradigm of placing obligations on intermediaries rather than on individuals themselves.
The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today. The time for such a shift is not now, as:
- The available data on the P2P market is not reliable enough to make an informed policy decision.
- The intermediated transactions are still relevant enough to allow for effective implementation of the standards.
- P2P transactions that are visible on public ledgers enable financial analysis and law enforcement investigations.
2. Transfers between CASPs and unhosted wallets of third parties will be subject to enhanced due diligence measures. As a result of the trilogue negotiations, verifying the identity of a third-party beneficial owner is no longer mandatory.
In its first reading of the Report, the EU Parliament proposed that CASPs should be required to verify the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent. Due to the trilogue negotiations, we welcome that this is no longer proposed as a mandatory requirement.
Although this is technically possible to do this with existing technology, it is unlikely that, with today’s adoption, CASPs will manage to implement these processes while ensuring that this does not cause undue delay to the execution of the transfers - a stated goal in the TFR. Until portable digital identities are widely adopted - which is an effort that the EU is leading with initiatives such as the eIDAS - verifying the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent is a process that introduces significant friction in the transaction flow.
At least in the short/medium term, such a requirement would push CASPs only to allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers).
3. Transfers of over 1000 euros between CASPs and unhosted wallets of their customers will trigger the obligation to verify whether the CASP’s customer effectively owns or controls the unhosted wallet.
Instead of relying on the self-declaration that a wallet belongs to the end customer, CASPs should verify beneficial ownership. This can be done by triggering the customer to perform a wallet ownership proof while in an authenticated session (therefore establishing a link between the identity and the wallet.)
The requirement to verify first-party ownership of the wallet is most helpful when there is also a requirement to verify the identity of a third-party beneficial owner (which, as said below, is not the approach of the EU). In those cases, the CASP must verify beneficial ownership. This ensures that the customer does not bypass the third-party verification requirement by falsely declaring they are transacting with their own wallet.
Nevertheless, this measure makes transaction risk management more robust by the following:
- CASPs can take a risk-based approach that facilitates transaction flows with unhosted wallets of their own customers and apply enhanced due diligence measures when transacting with third-party wallets;
- This will also bring additional data points that CASPs can rely on to evaluate and monitor customer risk.
It’s also worth noting that different methods for wallet ownership verification will have additional integration costs and impact the user journey and drop-off rates. Some practices with a lower economic burden of implementation, like the Satoshi Test, have a more significant impact/friction on the user journey, which could lead to higher attrition and overall higher economic loss (this method requires users to perform a transaction and entails dead-end scenarios such as no funds being available on the wallet, etc.)
How Notabene verifies beneficial owners of unhosted wallets:
Notabene uses cryptographic signatures as proof. There is a considerable technical burden in integrating with private wallets for these purposes due to the variety of private wallets. If CASPs want to ensure wide coverage to allow their users to perform proof regardless of the private wallet provider they are using, then the CASP would need to integrate with several different providers.
However, some aggregators, such as WalletConnect, can lower the effort significantly. Notabene integrates only with Metamask and WalletConnect, for instance. Using cryptographic signature aggregators should allow the proof process to scale fairly seamlessly, thus allowing smaller and larger CASPs to roll it out.
4. Negotiators agreed that the set-up of a public register for non-compliant and non-supervised CASPs would be covered in the Markets in Crypto-assets rules (MiCA), currently being negotiated.
From our perspective, the public register list should be used to support CASPs’ counterparty due diligence processes rather than as a list that CASPs are required to enforce blindly.
The European private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction.
This is, in fact, one of the advantages of the Travel Rule - it allows CASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context.
Another question is what is meant by non-compliant and non-supervised CASPs. Recital 34a and Article 18aa of the Transfer of Funds Regulation (in the version proposed by the EU Parliament’s first reading Report) prevent CASPs from transacting with counterparties that are not established in any jurisdiction and are unaffiliated with a regulated entity. Our reading of the criteria is that it is cumulative - i.e., a CASP that is correctly established in a particular jurisdiction but is not regulated (e.g., due to the lack of a regulatory framework applicable to CASPs in that jurisdiction) would not be deemed a non-compliant CASP.
We hope the reading of the MiCA text that is finally approved clarifies this aspect and avoids the exclusion of CASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms. According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and CASPs]”, which implies that this could potentially affect a large number of CASPs.
Finally, it is of paramount importance (i) that the process to include CASPs in this list is adversarial and involves the CASPs at issue and that (ii) CASPs can request to be taken out of the list in light of implemented improvements.
On April 6, 2022, the EU Parliament approved the text of the EU regulation on information accompanying transfers of funds and certain crypto-assets.
The authors felt that the previous European Commission package of proposals to improve the Union’s AML/CFT rules could use further strengthening to reflect the specific characteristics of crypto-assets better. In attempts to improve the Transfer of Funds Regulation to help protect EU citizens from crime and terrorism, this draft puts forth the following key proposals:
- Removing exemptions based on the value of the transfer.
- Applying Travel Rule to transfers from/to un-hosted wallets, when involving a VASP or other obliged entity
- Know your transaction - VASPs should also be expected to obtain information on the source and destination of crypto-assets involved in a transfer.
- Counterparty due diligence and protection of personal information - VASPs should assess the Counterparty VASP’s data protection policies and decide whether to send their customer’s PII (pre-transaction.)
- The European Banking Authority (EBA) to maintain a public register of non-compliant crypto-asset service providers.
- Decoupling this current recast proposal from the AML package and linking it to the existing Anti-money laundering directive (AMLD) framework to speed adoption.
The approved text will still be subject to negotiations between the EU Parliament, Council and European Commission, which may prompt changes to the proposed wording.
We’ve summarized our key highlights below.
1. Transmission of Travel Rule information is required for all blockchain transactions, regardless of the amount.
A limited scope of data can be transmitted if the transaction is below EUR 1000 and the transacting VASPs are within the European Union.
Pg 53.
Article 14.
Notabene’s comment: The decision to not differentiate the requirements applicable to transactions below and above EUR 1,000 facilitates the operationalization of the Travel Rule for VASPs. Monitoring whether the threshold is being circumvented by breaking down one transaction into several can be a cumbersome task that is avoided with the introduction of this provision. However, an approach that requires a broader scope of information to be transmitted above EUR 1,000 and a limited scope below that threshold may strike a better balance between AML/CTF objectives and data protection goals. Additionally, VASPs may consider it more cumbersome to carry out Travel Rule obligations under EUR 1000, given perceived resource intensity.
2. Travel Rule information does not need to be shared if the Originator VASP considers the Counterparty VASP not to apply suitable data protection measures.
An exception applies if, according to the assessment of the Originator VASP considering the criteria proposed by the EBA, the Counterparty VASP is deemed not to apply suitable data protection measures. The Travel Rule information does not need to be shared in these cases. However, VASPs shall apply alternative risk mitigation measures according to guidance issued by the EBA.
Article 14.4a
Article 14.4b
Notabene’s comment: This brings forth and centers data protection guidelines into the Travel Rule. Some questions remain around the appropriate alternative measures to be taken by a VASP and whether they should allow transactions of funds with said Counterparty VASP, but these could be clarified through the EBA guidelines mandated under Article 14.4b, which is a new instrument that we welcome!
3. VASPs must screen the Originator and Beneficiary customers against relevant sanction lists before allowing the transaction to go through.
Article 14/5a
Article 16/2a
Article 14/6a
Notabene’s comment: Travel Rule is an excellent way for crypto companies to identify and potentially block transactions to sanctioned parties. However, a high rate of false positives is expected when screening counterparties of a transaction. In this context, we welcome the acknowledgment in Article 14/6a that VASPs can rely on their counterparties for this process. By delegating sanction screening to the VASP that has a better resolution on the identity of the end customer at issue, this process becomes more effective, and false positives can be settled with more confidence.
4. When conducting transactions with unhosted wallets, VASPs are required to verify the identity of the respective beneficial owner.
Article 14/5b
Notabene comment: If the proposed provision is adopted as is, at least in the short/medium term, we foresee that this requirement will push VASPs to only allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers). This is already the trend in jurisdictions like Singapore. With this, the third-party identity verification requirement is easily circumvented: the customer can transfer funds to their own wallet and subsequently to the third-party wallet. This will create a blindspot that backfires on the regulatory goals: the VASP will have less visibility on the transactions between their customers and unhosted wallets controlled by third parties.
5. VASPs are obliged to report incoming transactions from unhosted wallets above EUR 1000 to competent authorities.
Amendment 1
Notabene’s comment: This obligation assumes transactions with unhosted wallets inherently carry more risks. We believe that end-user privacy should be considered, especially as this threshold is inconsistent with reporting guidelines above 10K EUR. Additionally, this requirement would flood competent authorities with notifications of transactions that are mostly legitimate, making it difficult to leverage the cooperation with authorities for actually detecting and preventing illicit activity. An approach that requires VASP to make their own risk assessment and resort to competent authorities when suspicious activity is detected makes for a more efficient system and is more in line with data privacy protection goals.
Interested in learning how this proposed regulation impacts your Travel Rule obligations in your jurisdiction? Book a demo with our sales team.
On June 20, 2021, the European Commission published a proposal for regulating the transfers of funds and certain crypto-assets. This current proposal recasts Regulation EU 2015/847 as part of an AML/CFT package of four legislative proposals that are considered one coherent whole in implementing the Commission Action Plan of May 7, 2020. This proposal creates a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:
- a proposal for a regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF)
- a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
- a proposal for a Regulation creating an EU Anti-Money Laundering Authority (AMLA)8, and
- This proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets.
In essence, this regulation takes May 2015’s Directive (EU) 2015/847 on ‘the information accompanying transfers of funds and updates it to adequately cover virtual assets while repealing the over-reaching requirements of Directive (EU) 2015/849.
This regulation will enter into force on the 20th day after publication in the official journal.
Read Notabene's key takeaways:
1. The EU sees the need for harmonized international rules
This proposal package addressed the need for harmonized rules across the internal market.
On May 7, 2020, the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing. In that Action Plan, the Commission committed to taking measures to strengthen the EU’s rules on combating money laundering and terrorism financing and their implementation, with six priorities or pillars:
1. Ensuring effective implementation of the existing EU AML/CFT framework,
2. Establishing an EU single rulebook on AML/CFT,
3. Bringing about EU-level AML/CFT supervision,
4. Establishing a support and cooperation mechanism for FIUs,
5. Enforcing EU-level criminal law provisions and information exchange,
6. Strengthening the international dimension of the EU AML/CFT framework.
Pillars 1, 5, and 6 of the Action Plan are currently being implemented partly due to the support of both The European Parliament and the Council. The other pillars demand legislative action. Yet, evidence provided by reports and internal assessments identified that. In contrast, the requirements of Directive (EU) 2015/84912 were far-reaching; their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations.
In response, this proposal updates Regulation EU 2015/847 while repealing Directive (EU) 2015/849.
Notabene’s assessment: The EU believes a more harmonized front to combat money-laundering and terrorism financing is required. A country-by-country implementation has not proven very effective. They hope this would alleviate jurisdictional arbitrage or the milder term they call “jurisdictional shopping.”
2. GDPR applies to CASPs
The EU clarifies that GDPR applies to CASPs (crypto asset service providers - the EU’s terminology equivalent to FATF’s virtual asset service providers.)
Article 15:
The EU is committed to ensuring high standards of protection of fundamental rights. Under article 15 of the current regulation, the processing of personal data under this Regulation is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council31.Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council32. The General Data Protection Regulation33 will apply to CASPs as regards the personal data handled and attached to cross-border transfers of value using virtual assets.
Article 20:
Payment and crypto-asset service providers shall ensure that the confidentiality of the data processed is respected.
Additionally, CASPs must keep records of information on the originator and the beneficiary for five years; they must delete them.
2015/847 recital 29:
As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets , and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise.
Notabene’s assessment: Many in the crypto industry have been long awaiting what the verdict on GDPR would be regarding the Travel Rule in the EU. The EU states that going forward, CASPs will need to implement a GDPR-compliant secure data storage solution, making it clear that AML/CFT measures supersede this.
3. Personally Identifiable Information obligations accompanying transfers of crypto-assets are in line with FATF
Article 14:
OBLIGATIONS ON THE CRYPTO-ASSET SERVICE PROVIDER OF THE ORIGINATOR
Information accompanying transfers of crypto-assets
1. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the originator:
(a) the name of the originator;
(b) the account number of the originator, where an account is used to process the transaction;
(c) the originator’s address, official personal document number, customer identification
number or date and place of birth.
2. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the beneficiary:
(a) the name of the beneficiary;
(b) the beneficiary’s account number, where such an account exists and is used to process the transaction.
Notabene’s assessment: By adhering to FATF suggested guidelines, it is easier for CASPs (or VASPs) to have unified rules as they comply cross-jurisdictionally.
4. Stakeholders consulted by the EU express concern about the walled garden of compliance.
pg 7:
Stakeholder input on the Action Plan was broadly positive. However, some European UnionVASP representatives claimed that the absence of a standardised global, open source and free, technical solution for the travel rule could lead to the exclusion of small actors from the crypto-assets market, with only important players being able to afford compliance with the rules.
Notabene’s assessment: Several working groups noted the possible exclusion of small players in the crypto-assets market if compliance is too complex and too expensive to roll out. If only a few exchanges can afford compliance or if messaging protocols are not free and open, a walled-garden scenario would cause a few “important” players to operate. At the same time, the rest may be hit with fines and must close.
5. The threshold is set at EUR 1000, but Travel Rule requirements still apply for lower thresholds (albeit with less PII shared)
The EU has set a threshold of EUR 1000, in line with FATF recommended guidelines. Above that, originator CASPs need to share originator identifying information beyond just name (i.e., physical address, official personal document number, customer identification number, or date and place of birth). The EU does call out transactions that may be part of structuring - whereby the asset appears to be linked to other transfers that amount to EUR 1000. The travel rule also applies to them.
2015/847 recital 16:
In order not to impair the efficiency of payment systems and crypto-asset transfer services, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds or crypto-assets, the obligation to check whether information on the payer or the payee, or, for transfers of crypto-assets, the originator and the beneficiary, is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds or crypto-assets that exceed EUR 1000, unless the transfer appears to be linked to other transfers of funds or transfers of cryptoassets which together would exceed EUR 1000, the funds or crypto-assets have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.
The EU also calls out in Article 15 that the travel rule applies below the EUR 1000, but with only originator and beneficiary names shared.
Article 15:
By way of derogation from Article 14(1), transfers of crypto-assets not exceeding EUR1 000 that do not appear to be linked to other transfers of crypto-assets which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least the following information:(a) the names of the originator and of the beneficiary;(b) the account number of the originator and of the beneficiary or, where Article 14(3)applies, the insurance that the crypto-asset transaction can be individually identified;
Notabene’s assessment: The European Commission has no desire to create overly strict requirements that impede the flow of transactions. But by requiring Travel Rule below the threshold, they are boldly signaling the importance of the Travel Rule to CASPs and asking them to take a more comprehensive or holistic approach to travel rule implementation.
6. Transfers of crypto assets from the EU to outside the EU should include a Legal Entity Identifier (LEI)
2015/847 recital 19 (adapted):
In order to allow the authorities responsible for combating money laundering or terrorist financing in third countries to trace the source of funds or crypto-assets used for those purposes, transfers of funds or transfer of crypto-assets from theUnion to outside the Union should carry complete information on the payer and the payee. Complete information on the payer and the payee should include the LegalEntity Identifier (LEI) when this information is provided by the payer to the payer’s service provider, since that would allow for better identification of the parties involved in a transfer of funds and could easily be included in existing payment message formats such as the one developed by the International Organisation for Standardisation for electronic data interchange between financial institutions.
Notabene’s assessment: Many in the crypto industry had pushed for the adoption of LEIs in the FATF guidance. While suggested as an identifier, the FATF did not introduce them as a requirement. We see the EU requirement as an excellent first step in accepting a more unified, global identification system for legal entities that will reduce diligence costs for CASPs for cross-border transfers.
7. Beneficiary CASPs should have effective risk-based procedures that apply where a transfer lacks the required information
2015/847 recital 22 (adapted):
As regards transfers of crypto-assets, the crypto-asset service provider of the beneficiary should implement effective procedures to detect whether the information on the originator is missing or incomplete. These procedures should include, where appropriate, monitoring after or during the transfers, in order to detect whether the required information on the originator or the beneficiary is missing. It should not be required that the information is attached directly to the transfer of crypto-assets itself, as long as it is submitted immediately and securely, and available upon request to appropriate authorities.
Article 12 calls for the beneficiary CASP to reject a transfer if it is missing data.
Article 12:
Transfers of funds with missing information on the payer or the payee
1. The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.
Additionally, the proposal goes on to say, “If a CASP continues to submit transfers with incomplete data, the counterparty CASP could take steps to reject any future transfers of funds or terminate the business relationship.” Beneficiary CASPs must implement adequate procedures to detect whether the originator information is missing or complete.
2015/847 recital 23 (new):
Given the potential threat of money laundering and terrorist financing presented by anonymous transfers, it is appropriate to require payment service providers to request information on the payer and the payee. In line with the risk-based approach developed by FATF, it is appropriate to identify areas of higher and lower risk, with a view to better targeting the risk of money laundering and terrorist financing. Accordingly, the crypto-asset service provider of the beneficiary, the payment service provider of the payee and the intermediary payment service provider should have effective risk-based procedures that apply where a transfer of funds lacks the required information on the payer or the payee, or where a transfer of crypto-assets lacks the required information on the originator or the beneficiary, in order to allow them to decide whether to execute, reject or suspend that transfer and to determine the appropriate follow-up action to take.
Notabene’s assessment: A risk-based approach to compliance is urged and recommended for CASPs. This is good news for companies who can take a more nuanced approach to travel rule, especially during the sunrise period when many counterparty institutions may not respond quickly.
8. Member states should lay down sanctions to encourage compliance
2015/847 recital 30:
In order to improve compliance with this Regulation, and in accordance with theCommission Communication of 9 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’, the power to adopt supervisory measures and the sanctioning powers of competent authorities should be enhanced. Administrative sanctions and measures should be provided for and, given the importance of the fight against money laundering and terrorist financing, Member States should lay down sanctions and measures that are effective, proportionate and dissuasive. Member States should notify the Commission and the Joint Committee of EBA, EIOPA and ESMA(the ‘ESAs’) thereof.
The proposal goes on to state that legal persons can be held liable for breaches:
Chapter 5: Sanctions and monitoring:
5. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 2318 committed for their benefit by any person acting individually or aspart of an organ of that legal person, and having a leading position within the legal person based on any of the following:(a) power to represent the legal person;(b) authority to take decisions on behalf of the legal person; or(c) authority to exercise control within the legal person.
Competent authorities may impose administrative sanctions and measures in collaboration with other authorities.
Chapter 5: Sanctions and monitoring:
7. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:EN 41 EN(a) directly;(b) in collaboration with other authorities;(c) under their responsibility by delegation to such other authorities;(d) by application to the competent judicial authorities.In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases
Article 23:
Member States shall ensure that their administrative sanctions and measures include at least those laid down by Articles 40(2), 40(3) and 41(1)59(2) and (3) [...] in the event of the following breaches of this Regulation:
(a) repeated or systematic failure by a payment service provider to include the required information on the payer or the payee, in breach of Article 4, 5 or 6 or by a crypto-asset service provider to include the required information on the originator and beneficiary, in breach of Articles 14 and 15;
(b) repeated, systematic or serious failure by a payment service provider or crypto-asset service provider to retain records, in breach of Article 2116;
(c) failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12 or by a crypto-asset service provider to implement effective risk-based procedures, in breach of Article 17;
(d) serious failure by an intermediary payment service provider to comply with Article 11 or 12.
Notabene’s assessment: While there will be a centralized body for AML/CFT revision at the EU level, enforcement (e.g., sanctions) still gets performed at the member state level. We’re interested to see how effective this approach will be for EU member states.
9. This regulation does not apply to p2p transfers
Article 2:
Electronic money tokens, as defined in Article 3(1), point 4 of Regulation shall be treated as crypto-assets under this Regulation. This Regulation shall not apply to person-to-person transfer of crypto-assets.
Notabene’s assessment: While P2P is not affected, the EU does not comment on transactions between CASPs and noncustodial or unhosted wallets. This is good news for now, though certain member states have rolled out their own requirements (e.g., Netherlands).
10. The originator CASP should provide appropriate customer PII within three working days of receiving a request from the beneficiary CASP
Article 5: Transfers within the European Union:
2. Notwithstanding paragraph 1, the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the
following:
(a) for transfers of funds exceeding EUR 1000, whether those transfers are carried
out in a single transaction or in several transactions which appear to be linked, the
information on the payer or the payee in accordance with Article 4;
(b) for transfers of funds not exceeding EUR 1000 that do not appear to be linked
to other transfers of funds which, together with the transfer in question, exceed EUR
1000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier
Introducing SafeConnect Components: Seamless end-to-end TFR Compliance
Become an Expert on Travel Rule in the EU
Compliance Deep Dive: Travel Rule in the European Union (2022)
Navigating Crypto Regulations in the UK and EU in 2021
Response to the Public Consultation on the Draft Legislative Decrees for Adapting National Legislation to the 'MiCAR' and 'TFR' Regulations on Crypto-Assets
Upcoming Events on EU Crypto Industry Compliance
Join us at the latest events focused on crypto compliance in the EU. Network with industry leaders and gain insights into the latest regulatory developments.
Get Certified as an Expert in EU Travel Rule Compliance
Sign up for our course to teach you everything you need to know about Travel Rule compliance in the EU.
FAQs
What is crypto compliance in the EU?
Crypto compliance in the EU involves adhering to regulatory standards set by the European Union for cryptocurrency operations, including anti-money laundering (AML) and counter-terrorism financing (CTF) measures.
What is the EU Travel Rule?
The EU Crypto Travel Rule requires cryptocurrency exchanges and wallet providers to share specific information about transactions to comply with AML and CTF regulations. This rule aims to enhance transparency and security in crypto transactions.
How does financial crime impact crypto compliance?
Financial crime, such as money laundering and fraud, poses significant risks to the crypto industry. Crypto compliance measures, including AML and CTF regulations, are crucial in mitigating these risks and ensuring the integrity and security of cryptocurrency transactions.
Are stablecoins regulated?
Yes, stablecoins are regulated to ensure they adhere to financial regulations, particularly concerning anti-money laundering (AML) and counter-terrorism financing (CTF) standards. Regulatory bodies require stablecoin issuers to maintain transparency and ensure that their assets are properly backed and audited.
What regulations do crypto exchanges need to comply with?
Crypto exchanges need to comply with a range of regulations, including:
- Anti-Money Laundering (AML): Implement measures to detect and prevent money laundering activities.
- Know Your Customer (KYC): Verify the identity of users to prevent fraud and illegal activities.
- Counter-Terrorism Financing (CTF): Ensure transactions do not facilitate terrorism financing.
- Crypto Travel Rule: Share specific transaction information to comply with international regulatory standards.
- Data Protection: Adhere to data protection laws such as GDPR to ensure user privacy and data security.
Hosting these gateways within the VASP's own infrastructure, such as a data center or cloud account, is advised for optimal security. This approach, particularly when using an enclave server, allows for enhanced security measures, aligning with the principle that control over the hosting environment can significantly bolster security.