Stay Updated on Crypto Compliance & Crypto Regulation in the EU

A Comparative Analysis of the EU's Transfer of Funds regulation with current industry standards on Travel Rule

‍

Today marks the achievement of a major milestone in European crypto regulation: the European Parliament approved the Regulation on Markets in Crypto-Assets (MiCA) and the revision of the Regulation on information accompanying transfers of funds (TFR, or Transfer of Funds Regulation). 

The approval of MiCA is a landmark that has the potential to set standards for crypto regulation globally. One of its main goals is to provide clarity and legal certainty for the crypto industry, which has been operating in a regulatory gray area for many years. MiCA establishes a level playing field for all European crypto-asset service providers (CASPs) and boosts consumers’ protection when using crypto-assets. It does so by introducing new rules for issuers of crypto-assets, CASPs, and trading platforms. It will also establish a new regulatory regime for stablecoins, which have become increasingly popular in recent years due to their stability and ease of use for payments. 

Despite the press attention on MiCA, the TFR is a critical piece of legislation that will harmonize crypto Travel Rule requirements across Europe and fundamentally change how we transact in crypto. In June 2019, the FATF published its Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), extending anti-money laundering/countering the financing of terrorism (AML/CFT) obligations to cover VAs and VASPs. This directive included the Travel Rule, which obliges VASPs that exchange, hold, safe keep, convert, and sell virtual assets to obtain, hold, and transmit required originator and beneficiary information immediately and securely during VA transfers. 

Since FATF introduced the crypto Travel Rule, national regulators have been working on transposing these requirements to their local frameworks, and significant progress has been achieved globally. With the introduction of the TFR, the EU follows in these footsteps and introduces Travel Rule obligations for European CASPs. 

Notabene reports on the progress achieved in the implementation of the Travel Rule through an annual global crypto Travel Rule compliance report. The 2023 edition will be available soon, and today we share how the TFR compares with industry benchmarks using fresh findings from our report. 

The revised Transfer of Funds Regulation

The European Commission made a significant move to combat money laundering and terrorism financing with an ambitious package of legislative proposals presented on July 20, 2021. The package aims to strengthen the EU's anti-money laundering and countering terrorism financing (AML/CFT) rules.

The package includes various measures to improve the EU's AML/CTF framework, including the revision of the Transfer of Funds Regulation to make it possible to trace transfers of crypto-assets by imposing Travel Rule requirements on CASPs. 

As mentioned above, the revision of the Transfer of Funds Regulation was finally approved by the European Parliament plenary today (April 20, 2023). However, the EU’s AML/CTF legislative package is not yet finalized. Notably, the legislative process of the new proposed regulation on AML/CTF (AMLR) is still ongoing and is expected to impact the requirements applicable to transactions with self-hosted wallets. 

For now, let’s dive into the TFR and how it compares to global industry standards on the crypto Travel Rule. 

‍

Five key TFR takeaways: EU vs. Global Industry Standards

‍

1. Travel Rule comes into effect for all EU VASPs on December 30, 2024

The Transfer of Funds Regulation will start applying on December 30, 2024, 18 months after the regulation enters into force.

According to Notabene’s 2023 State of Travel Rule Report, the large majority (84%) of respondents are currently complying or intend to comply with the Travel Rule by Q4 2023. In the United Kingdom, Travel Rule will be enforced starting September 2023, and several other crypto hubs are enforcing Travel Rule compliance already. This creates a considerable gap between the EU’s and third-countries timelines for Travel Rule implementation, which may prevent the industry from overcoming the Sunrise Issue. To stay competitive and continue to be able to transact with counterparties outside the EU, CASPs will need to roll out Travel Rule ahead of the TFR deadline. 

‍

Notabene’ study also reveals that Europe's adoption is delayed compared to the rest of the market. In particular, EMEA is the region with the highest percentage of VASPs planning to be compliant after Q4 2023. This may have reflected a lack of regulatory urgency, with many EU VASPs awaiting the implementation of Travel Rule requirements through the revised Transfer of Funds Regulation which had just occurred.

2. Zero Exceptions: Travel Rule obligations apply to all transactions, regardless of amount or location - inside or outside the Union.

EU CASPs will be required to comply with Travel Rule obligations in every transaction, regardless of its amount. No de minimis threshold applies, and there is no simplification of requirements for transactions within the Union. It is also worth noting that the scope of originator and beneficiary information that the originator CASP is required to share also does not vary depending on the transaction amount - the same scope, defined in Article 14 (1) and (2), is required for every transaction.

Recital 27 justifies the policy option by citing the “inherent borderless nature and global reach of transfers of cryptoassets and of the provision of crypto-asset services,” and being “in line with the FATF requirement to treat all transfers of crypto-assets as cross-border,”  which invalidates any distinction on the scope of obligations when transacting within and outside the Union. [1]

As reported in our 2023 global crypto Travel Rule compliance report, the approach taken by the TFR (imposing the same information transmission obligations regardless of the transaction amount) contrasts with the option taken by several other jurisdictions, notably Singapore, Germany, Hong Kong, and the United Kingdom, which allow a more limited scope of information to be shared below a certain threshold. 

3. First-party transactions with self-hosted wallets over 1,000 euros require wallet ownership verification.

In line with FATF recommendations, transactions with self-hosted wallers fall within the scope of the revised Transfer of Funds Regulation [2]. 

When transacting with self-hosted wallets, European CASPs must collect the required originator and beneficiary information and comply with the following additional wallet verification obligations for transactions exceeding 1,000 Euros:

1. When sending a transfer exceeding EUR 1,000 to a self-hosted wallet, the originator VASP is required to verify if that wallet is owned or controlled by the originator customer;
2. When receiving a transfer exceeding EUR 1,000 from a self-hosted wallet, the beneficiary VASP must verify that the beneficiary customer owns or controls the originating wallet. 

​​This means wallet ownership verification requirements apply to first-party transactions to/from self-hosted wallets exceeding EUR 1,000. [3]

Our 2023 State of Travel Rule Compliance Report revealed that the majority of surveyed VASPs already enforce restrictions when transacting with self-hosted wallets. Additionally, just over a third of companies (34.3%) only allow first-party transactions with self-hosted wallets, provided the customer can demonstrate ownership of the wallet address, which aligns with the approach taken by the TFR. 

‍

Going forward, VASPs will require a tool that allows them to determine if the transaction is with a self-hosted wallet and swiftly verify ownership before proceeding.

Notabene’s self-hosted wallet identification tool pinpoints the jurisdictional requirements of each transaction. It collects counterparty customer data from your withdrawal screen, creating an archive for sanctions compliance, record keeping, and Suspicious Activity Reports.

4. Due diligence measures for non-EU entities must adhere to correspondent banking standards.

In its Updated Guidance for VAs and VASPs (October 2021), FATF makes it clear that counterparty due diligence for the purposes of engaging in Travel Rule flows is distinct from the due diligence required to establish correspondent banking relationships [4]:

The nature of CASPs' relationships for transacting and sharing Travel Rule information is distinct from correspondent banking relationships and, hence, could justify a different - and more limited - scope of counterparty due diligence obligations to apply. 

However, the revised Transfer of Funds Regulation goes in a different direction: citing the “ongoing and repetitive” nature of the relationships between domestic CASPs and foreign VASPs for the purpose of transacting, the TFR deems these relationships as a type of correspondent relationship subject to enhanced due diligence measures. 

The measures CASPs are required to apply will be further specified in guidance issued by the European Banking Authority. Clear and adequate regulatory guidance on counterparty due diligence obligations will be key to enabling European CASPs to comply adequately. 

‍

Notabene’s  2023 State of Crypto Travel Rule Compliance Report shows 52% of respondents send Travel Rule transfers to all VASPs without applying any criteria or counterparty due diligence process. This indicates that perhaps counterparty due diligence is a component of Travel Rule compliance that VASPs still struggle to grasp fully. Local laws and regulations are often vague or silent on this topic, although it is covered at length in the FATF Guidance. The upcoming guidance by the European Banking Authority should set expectations as to what counterparty due diligence measures are required for the purposes of transacting and engaging in Travel Rule flows. It will also be relevant to specify cases where VASPs may be exempt from carrying out due diligence (e.g., relying on the uniform requirements and supervision applied in the jurisdiction or region) or where simplified due diligence measures are permissible. [5]

‍

5. CASPs are required to fulfill Travel Rule obligations prior to transacting

Notabene welcomes the clarification provided by the TFR that Travel Rule compliance needs to be performed pre-transaction. This is particularly important given the specific characteristics of virtual asset transactions: settlement is immediate and irreversible; hence, only pre-transaction actions can effectively mitigate risk. 

In line with this, Notabene is a pre-transaction decision-making platform offering a secure, holistic view of crypto transactions that enables CASPs to identify and stop high-risk activity before it occurs on the blockchain. 

According to the revised TFR, originator CASPs are required to transmit information to the beneficiary CASP before sending the corresponding crypto transaction. In turn, Beneficiary CASPs need to ensure that the required information was received before making funds available to the end customer. [6]

‍

According to Notabene’s 2023 State of Crypto Travel Rule Report,  although the industry is making significant progress in Travel Rule adoption, a notable discrepancy exists between VASPs’ claims of compliance and their fulfillment of pre-transaction obligations.

37.5% of companies reporting to be Travel Rule-compliant fulfill requirements post-transaction, which does not align with the TFR’s pre-transaction requirements or the FATF standards. Providing European CASPs with regulatory clarity in that Travel Rule is a pre-transaction requirement is a fundamental step to drive compliance in the right direction. 

‍

Next steps:

The revised Transfer of Funds Regulation will be supplemented by guidelines issued by the European Banking Authority on different aspects, for example:

• The factors to be taken into account by CASPs when entering into business relationships or carrying out transactions in crypto-assets and enhanced due diligence measures that obliged entities shall consider applying to mitigate higher risks when identified, including the adoption of appropriate procedures to detect the origin or destination of crypto assets;
• The criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made to or from a self-hosted address, in particular through reliance on third parties, taking into account the latest technological developments. 

In July 2021, the European Commission submitted a legislative proposal for a regulation on information accompanying transfers of funds and certain crypto-assets - the “Transfer of Funds Regulation.”

Subsequently, the EU Parliament reviewed the proposal and, in April 2022, adopted a Report expressing its first reading position. The Report introduced quite a few changes to the text initially proposed by the Commission. The Commission, the Council, and the Parliament then initiated trilogues–informal meetings between representatives of the three bodies to reach a provisional agreement acceptable to both the Parliament and the Council. The Commission acts as a mediator of the discussion.

All parties finally reached a consensus on June 29th, 2022, which leads us to the final step of the legislative process: the formal approval of the Regulation by the Parliament and Council.

Below we summarize key points:

*Please note that where the Financial Action Task Force (FATF) uses VASPs (virtual asset service providers), the European Parliament uses CASPs (crypto asset service providers.)

1. The Travel Rule will not apply to peer-to-peer transactions.

The EU Parliament states:

The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoins trading platforms, or among providers acting on their own behalf.

‍
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules. This is in line with the regulatory paradigm of placing obligations on intermediaries rather than on individuals themselves.

The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today. The time for such a shift is not now, as:

• The available data on the P2P market is not reliable enough to make an informed policy decision.
• The intermediated transactions are still relevant enough to allow for effective implementation of the standards.
• P2P transactions that are visible on public ledgers enable financial analysis and law enforcement investigations.

2. Transfers between CASPs and unhosted wallets of third parties will be subject to enhanced due diligence measures. As a result of the trilogue negotiations, verifying the identity of a third-party beneficial owner is no longer mandatory. 

In its first reading of the Report, the EU Parliament proposed that CASPs should be required to verify the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent. Due to the trilogue negotiations, we welcome that this is no longer proposed as a mandatory requirement.
‍
Although this is technically possible to do this with existing technology, it is unlikely that, with today’s adoption, CASPs will manage to implement these processes while ensuring that this does not cause undue delay to the execution of the transfers - a stated goal in the TFR. Until portable digital identities are widely adopted - which is an effort that the EU is leading with initiatives such as the eIDAS - verifying the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent is a process that introduces significant friction in the transaction flow.

At least in the short/medium term, such a requirement would push CASPs only to allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers).

3. Transfers of over 1000 euros between CASPs and unhosted wallets of their customers will trigger the obligation to verify whether the CASP’s customer effectively owns or controls the unhosted wallet.

Instead of relying on the self-declaration that a wallet belongs to the end customer, CASPs should verify beneficial ownership. This can be done by triggering the customer to perform a wallet ownership proof while in an authenticated session (therefore establishing a link between the identity and the wallet.)

The requirement to verify first-party ownership of the wallet is most helpful when there is also a requirement to verify the identity of a third-party beneficial owner (which, as said below, is not the approach of the EU). In those cases, the CASP must verify beneficial ownership. This ensures that the customer does not bypass the third-party verification requirement by falsely declaring they are transacting with their own wallet.

Nevertheless, this measure makes transaction risk management more robust by the following:

• CASPs can take a risk-based approach that facilitates transaction flows with unhosted wallets of their own customers and apply enhanced due diligence measures when transacting with third-party wallets;
• This will also bring additional data points that CASPs can rely on to evaluate and monitor customer risk. 

It’s also worth noting that different methods for wallet ownership verification will have additional integration costs and impact the user journey and drop-off rates. Some practices with a lower economic burden of implementation, like the Satoshi Test, have a more significant impact/friction on the user journey, which could lead to higher attrition and overall higher economic loss (this method requires users to perform a transaction and entails dead-end scenarios such as no funds being available on the wallet, etc.)

How Notabene verifies beneficial owners of unhosted wallets:

Notabene uses cryptographic signatures as proof. There is a considerable technical burden in integrating with private wallets for these purposes due to the variety of private wallets. If CASPs want to ensure wide coverage to allow their users to perform proof regardless of the private wallet provider they are using, then the CASP would need to integrate with several different providers. 

However, some aggregators, such as WalletConnect, can lower the effort significantly. Notabene integrates only with Metamask and WalletConnect, for instance. Using cryptographic signature aggregators should allow the proof process to scale fairly seamlessly, thus allowing smaller and larger CASPs to roll it out. 

4. Negotiators agreed that the set-up of a public register for non-compliant and non-supervised CASPs would be covered in the Markets in Crypto-assets rules (MiCA), currently being negotiated.

From our perspective, the public register list should be used to support CASPs’ counterparty due diligence processes rather than as a list that CASPs are required to enforce blindly. 

The European private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction. 

This is, in fact, one of the advantages of the Travel Rule - it allows CASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context. 

Another question is what is meant by non-compliant and non-supervised CASPs. Recital 34a and Article 18aa of the Transfer of Funds Regulation (in the version proposed by the EU Parliament’s first reading Report) prevent CASPs from transacting with counterparties that are not established in any jurisdiction and are unaffiliated with a regulated entity. Our reading of the criteria is that it is cumulative - i.e., a CASP that is correctly established in a particular jurisdiction but is not regulated (e.g., due to the lack of a regulatory framework applicable to CASPs in that jurisdiction) would not be deemed a non-compliant CASP. 

We hope the reading of the MiCA text that is finally approved clarifies this aspect and avoids the exclusion of CASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms. According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and CASPs]”, which implies that this could potentially affect a large number of CASPs.

Finally, it is of paramount importance (i) that the process to include CASPs in this list is adversarial and involves the CASPs at issue and that (ii) CASPs can request to be taken out of the list in light of implemented improvements.

On April 6, 2022, the EU Parliament approved the text of the EU regulation on information accompanying transfers of funds and certain crypto-assets.

The authors felt that the previous European Commission package of proposals to improve the Union’s AML/CFT rules could use further strengthening to reflect the specific characteristics of crypto-assets better. In attempts to improve the Transfer of Funds Regulation to help protect EU citizens from crime and terrorism, this draft puts forth the following key proposals:

1. Removing exemptions based on the value of the transfer. 
2. Applying Travel Rule to transfers from/to un-hosted wallets, when involving a VASP or other obliged entity 
3. Know your transaction - VASPs should also be expected to obtain information on the source and destination of crypto-assets involved in a transfer.
4. Counterparty due diligence and protection of personal information - VASPs should assess the Counterparty VASP’s data protection policies and decide whether to send their customer’s PII (pre-transaction.) 
5. The European Banking Authority (EBA) to maintain a public register of non-compliant crypto-asset service providers.
6. Decoupling this current recast proposal from the AML package and linking it to the existing Anti-money laundering directive (AMLD) framework to speed adoption. 

The approved text will still be subject to negotiations between the EU Parliament, Council and European Commission, which may prompt changes to the proposed wording.

We’ve summarized our key highlights below.

1. Transmission of Travel Rule information is required for all blockchain transactions, regardless of the amount.

A limited scope of data can be transmitted if the transaction is below EUR 1000 and the transacting VASPs are within the European Union.

‍

Pg 53. 

  Article 14.

‍

Notabene’s comment: The decision to not differentiate the requirements applicable to transactions below and above EUR 1,000 facilitates the operationalization of the Travel Rule for VASPs. Monitoring whether the threshold is being circumvented by breaking down one transaction into several can be a cumbersome task that is avoided with the introduction of this provision. However, an approach that requires a broader scope of information to be transmitted above EUR 1,000 and a limited scope below that threshold may strike a better balance between AML/CTF objectives and data protection goals. Additionally, VASPs may consider it more cumbersome to carry out Travel Rule obligations under EUR 1000, given perceived resource intensity.

2. Travel Rule information does not need to be shared if the Originator VASP considers the Counterparty VASP not to apply suitable data protection measures.

An exception applies if, according to the assessment of the Originator VASP considering the criteria proposed by the EBA, the Counterparty VASP is deemed not to apply suitable data protection measures. The Travel Rule information does not need to be shared in these cases. However, VASPs shall apply alternative risk mitigation measures according to guidance issued by the EBA.

Article 14.4a

Article 14.4b

Notabene’s comment: This brings forth and centers data protection guidelines into the Travel Rule. Some questions remain around the appropriate alternative measures to be taken by a VASP and whether they should allow transactions of funds with said Counterparty VASP, but these could be clarified through the EBA guidelines mandated under Article 14.4b, which is a new instrument that we welcome!

3. VASPs must screen the Originator and Beneficiary customers against relevant sanction lists before allowing the transaction to go through.

‍

Article 14/5a

Article 16/2a

Article 14/6a 

‍

Notabene’s comment: Travel Rule is an excellent way for crypto companies to identify and potentially block transactions to sanctioned parties. However, a high rate of false positives is expected when screening counterparties of a transaction. In this context, we welcome the acknowledgment in Article 14/6a that VASPs can rely on their counterparties for this process. By delegating sanction screening to the VASP that has a better resolution on the identity of the end customer at issue, this process becomes more effective, and false positives can be settled with more confidence. 

4. When conducting transactions with unhosted wallets, VASPs are required to verify the identity of the respective beneficial owner.

Article 14/5b

‍

Notabene comment: If the proposed provision is adopted as is, at least in the short/medium term, we foresee that this requirement will push VASPs to only allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers). This is already the trend in jurisdictions like Singapore. With this, the third-party identity verification requirement is easily circumvented: the customer can transfer funds to their own wallet and subsequently to the third-party wallet. This will create a blindspot that backfires on the regulatory goals: the VASP will have less visibility on the transactions between their customers and unhosted wallets controlled by third parties. 

5. VASPs are obliged to report incoming transactions from unhosted wallets above EUR 1000 to competent authorities.

Amendment 1

Notabene’s comment: This obligation assumes transactions with unhosted wallets inherently carry more risks. We believe that end-user privacy should be considered, especially as this threshold is inconsistent with reporting guidelines above 10K EUR. Additionally, this requirement would flood competent authorities with notifications of transactions that are mostly legitimate, making it difficult to leverage the cooperation with authorities for actually detecting and preventing illicit activity. An approach that requires VASP to make their own risk assessment and resort to competent authorities when suspicious activity is detected makes for a more efficient system and is more in line with data privacy protection goals. 

Interested in learning how this proposed regulation impacts your Travel Rule obligations in your jurisdiction? Book a demo with our sales team.