Stay Updated on Crypto Compliance & Crypto Regulation in the EU
Stay informed about the latest events, webinars, and news on crypto compliance in the European Union. Join our community of compliance professionals and ensure your business stays ahead of regulatory changes.
Your Hub for Cryptocurrency Compliance in the European Union
Welcome to your go-to resource for all things related to crypto compliance in the EU. Here, you’ll find the latest news, upcoming events, and insightful webinars to keep you informed and compliant.
Recent News on Crypto Regulation in the EU
Stay up-to-date with the latest news articles, regulatory updates, and industry insights on crypto compliance in the EU.
In July 2021, the European Commission submitted a legislative proposal for a regulation on information accompanying transfers of funds and certain crypto-assets - the “Transfer of Funds Regulation.”
Subsequently, the EU Parliament reviewed the proposal and, in April 2022, adopted a Report expressing its first reading position. The Report introduced quite a few changes to the text initially proposed by the Commission. The Commission, the Council, and the Parliament then initiated trilogues–informal meetings between representatives of the three bodies to reach a provisional agreement acceptable to both the Parliament and the Council. The Commission acts as a mediator of the discussion.
All parties finally reached a consensus on June 29th, 2022, which leads us to the final step of the legislative process: the formal approval of the Regulation by the Parliament and Council.
Below we summarize key points:
*Please note that where the Financial Action Task Force (FATF) uses VASPs (virtual asset service providers), the European Parliament uses CASPs (crypto asset service providers.)
1. The Travel Rule will not apply to peer-to-peer transactions.
The EU Parliament states:
The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoins trading platforms, or among providers acting on their own behalf.
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules. This is in line with the regulatory paradigm of placing obligations on intermediaries rather than on individuals themselves.
The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today. The time for such a shift is not now, as:
- The available data on the P2P market is not reliable enough to make an informed policy decision.
- The intermediated transactions are still relevant enough to allow for effective implementation of the standards.
- P2P transactions that are visible on public ledgers enable financial analysis and law enforcement investigations.
2. Transfers between CASPs and unhosted wallets of third parties will be subject to enhanced due diligence measures. As a result of the trilogue negotiations, verifying the identity of a third-party beneficial owner is no longer mandatory.
In its first reading of the Report, the EU Parliament proposed that CASPs should be required to verify the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent. Due to the trilogue negotiations, we welcome that this is no longer proposed as a mandatory requirement.
Although this is technically possible to do this with existing technology, it is unlikely that, with today’s adoption, CASPs will manage to implement these processes while ensuring that this does not cause undue delay to the execution of the transfers - a stated goal in the TFR. Until portable digital identities are widely adopted - which is an effort that the EU is leading with initiatives such as the eIDAS - verifying the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent is a process that introduces significant friction in the transaction flow.
At least in the short/medium term, such a requirement would push CASPs only to allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers).
3. Transfers of over 1000 euros between CASPs and unhosted wallets of their customers will trigger the obligation to verify whether the CASP’s customer effectively owns or controls the unhosted wallet.
Instead of relying on the self-declaration that a wallet belongs to the end customer, CASPs should verify beneficial ownership. This can be done by triggering the customer to perform a wallet ownership proof while in an authenticated session (therefore establishing a link between the identity and the wallet.)
The requirement to verify first-party ownership of the wallet is most helpful when there is also a requirement to verify the identity of a third-party beneficial owner (which, as said below, is not the approach of the EU). In those cases, the CASP must verify beneficial ownership. This ensures that the customer does not bypass the third-party verification requirement by falsely declaring they are transacting with their own wallet.
Nevertheless, this measure makes transaction risk management more robust by the following:
- CASPs can take a risk-based approach that facilitates transaction flows with unhosted wallets of their own customers and apply enhanced due diligence measures when transacting with third-party wallets;
- This will also bring additional data points that CASPs can rely on to evaluate and monitor customer risk.
It’s also worth noting that different methods for wallet ownership verification will have additional integration costs and impact the user journey and drop-off rates. Some practices with a lower economic burden of implementation, like the Satoshi Test, have a more significant impact/friction on the user journey, which could lead to higher attrition and overall higher economic loss (this method requires users to perform a transaction and entails dead-end scenarios such as no funds being available on the wallet, etc.)
How Notabene verifies beneficial owners of unhosted wallets:
Notabene uses cryptographic signatures as proof. There is a considerable technical burden in integrating with private wallets for these purposes due to the variety of private wallets. If CASPs want to ensure wide coverage to allow their users to perform proof regardless of the private wallet provider they are using, then the CASP would need to integrate with several different providers.
However, some aggregators, such as WalletConnect, can lower the effort significantly. Notabene integrates only with Metamask and WalletConnect, for instance. Using cryptographic signature aggregators should allow the proof process to scale fairly seamlessly, thus allowing smaller and larger CASPs to roll it out.
4. Negotiators agreed that the set-up of a public register for non-compliant and non-supervised CASPs would be covered in the Markets in Crypto-assets rules (MiCA), currently being negotiated.
From our perspective, the public register list should be used to support CASPs’ counterparty due diligence processes rather than as a list that CASPs are required to enforce blindly.
The European private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction.
This is, in fact, one of the advantages of the Travel Rule - it allows CASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context.
Another question is what is meant by non-compliant and non-supervised CASPs. Recital 34a and Article 18aa of the Transfer of Funds Regulation (in the version proposed by the EU Parliament’s first reading Report) prevent CASPs from transacting with counterparties that are not established in any jurisdiction and are unaffiliated with a regulated entity. Our reading of the criteria is that it is cumulative - i.e., a CASP that is correctly established in a particular jurisdiction but is not regulated (e.g., due to the lack of a regulatory framework applicable to CASPs in that jurisdiction) would not be deemed a non-compliant CASP.
We hope the reading of the MiCA text that is finally approved clarifies this aspect and avoids the exclusion of CASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms. According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and CASPs]”, which implies that this could potentially affect a large number of CASPs.
Finally, it is of paramount importance (i) that the process to include CASPs in this list is adversarial and involves the CASPs at issue and that (ii) CASPs can request to be taken out of the list in light of implemented improvements.
On April 6, 2022, the EU Parliament approved the text of the EU regulation on information accompanying transfers of funds and certain crypto-assets.
The authors felt that the previous European Commission package of proposals to improve the Union’s AML/CFT rules could use further strengthening to reflect the specific characteristics of crypto-assets better. In attempts to improve the Transfer of Funds Regulation to help protect EU citizens from crime and terrorism, this draft puts forth the following key proposals:
- Removing exemptions based on the value of the transfer.
- Applying Travel Rule to transfers from/to un-hosted wallets, when involving a VASP or other obliged entity
- Know your transaction - VASPs should also be expected to obtain information on the source and destination of crypto-assets involved in a transfer.
- Counterparty due diligence and protection of personal information - VASPs should assess the Counterparty VASP’s data protection policies and decide whether to send their customer’s PII (pre-transaction.)
- The European Banking Authority (EBA) to maintain a public register of non-compliant crypto-asset service providers.
- Decoupling this current recast proposal from the AML package and linking it to the existing Anti-money laundering directive (AMLD) framework to speed adoption.
The approved text will still be subject to negotiations between the EU Parliament, Council and European Commission, which may prompt changes to the proposed wording.
We’ve summarized our key highlights below.
1. Transmission of Travel Rule information is required for all blockchain transactions, regardless of the amount.
A limited scope of data can be transmitted if the transaction is below EUR 1000 and the transacting VASPs are within the European Union.
Pg 53.
Article 14.
Notabene’s comment: The decision to not differentiate the requirements applicable to transactions below and above EUR 1,000 facilitates the operationalization of the Travel Rule for VASPs. Monitoring whether the threshold is being circumvented by breaking down one transaction into several can be a cumbersome task that is avoided with the introduction of this provision. However, an approach that requires a broader scope of information to be transmitted above EUR 1,000 and a limited scope below that threshold may strike a better balance between AML/CTF objectives and data protection goals. Additionally, VASPs may consider it more cumbersome to carry out Travel Rule obligations under EUR 1000, given perceived resource intensity.
2. Travel Rule information does not need to be shared if the Originator VASP considers the Counterparty VASP not to apply suitable data protection measures.
An exception applies if, according to the assessment of the Originator VASP considering the criteria proposed by the EBA, the Counterparty VASP is deemed not to apply suitable data protection measures. The Travel Rule information does not need to be shared in these cases. However, VASPs shall apply alternative risk mitigation measures according to guidance issued by the EBA.
Article 14.4a
Article 14.4b
Notabene’s comment: This brings forth and centers data protection guidelines into the Travel Rule. Some questions remain around the appropriate alternative measures to be taken by a VASP and whether they should allow transactions of funds with said Counterparty VASP, but these could be clarified through the EBA guidelines mandated under Article 14.4b, which is a new instrument that we welcome!
3. VASPs must screen the Originator and Beneficiary customers against relevant sanction lists before allowing the transaction to go through.
Article 14/5a
Article 16/2a
Article 14/6a
Notabene’s comment: Travel Rule is an excellent way for crypto companies to identify and potentially block transactions to sanctioned parties. However, a high rate of false positives is expected when screening counterparties of a transaction. In this context, we welcome the acknowledgment in Article 14/6a that VASPs can rely on their counterparties for this process. By delegating sanction screening to the VASP that has a better resolution on the identity of the end customer at issue, this process becomes more effective, and false positives can be settled with more confidence.
4. When conducting transactions with unhosted wallets, VASPs are required to verify the identity of the respective beneficial owner.
Article 14/5b
Notabene comment: If the proposed provision is adopted as is, at least in the short/medium term, we foresee that this requirement will push VASPs to only allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers). This is already the trend in jurisdictions like Singapore. With this, the third-party identity verification requirement is easily circumvented: the customer can transfer funds to their own wallet and subsequently to the third-party wallet. This will create a blindspot that backfires on the regulatory goals: the VASP will have less visibility on the transactions between their customers and unhosted wallets controlled by third parties.
5. VASPs are obliged to report incoming transactions from unhosted wallets above EUR 1000 to competent authorities.
Amendment 1
Notabene’s comment: This obligation assumes transactions with unhosted wallets inherently carry more risks. We believe that end-user privacy should be considered, especially as this threshold is inconsistent with reporting guidelines above 10K EUR. Additionally, this requirement would flood competent authorities with notifications of transactions that are mostly legitimate, making it difficult to leverage the cooperation with authorities for actually detecting and preventing illicit activity. An approach that requires VASP to make their own risk assessment and resort to competent authorities when suspicious activity is detected makes for a more efficient system and is more in line with data privacy protection goals.
Interested in learning how this proposed regulation impacts your Travel Rule obligations in your jurisdiction? Book a demo with our sales team.
On June 20, 2021, the European Commission published a proposal for regulating the transfers of funds and certain crypto-assets. This current proposal recasts Regulation EU 2015/847 as part of an AML/CFT package of four legislative proposals that are considered one coherent whole in implementing the Commission Action Plan of May 7, 2020. This proposal creates a new and more coherent AML/CFT regulatory and institutional framework within the EU. The package encompasses:
- a proposal for a regulation on the prevention of the use of the financial system for the purposes of money laundering (ML) and terrorist financing (TF)
- a proposal for a Directive establishing the mechanisms that Member States should put in place to prevent the use of the financial system for ML/TF purposes, and repealing Directive (EU) 2015/849;
- a proposal for a Regulation creating an EU Anti-Money Laundering Authority (AMLA)8, and
- This proposal for the recast of Regulation EU 2015/847 expanding traceability requirements to crypto-assets.
In essence, this regulation takes May 2015’s Directive (EU) 2015/847 on ‘the information accompanying transfers of funds and updates it to adequately cover virtual assets while repealing the over-reaching requirements of Directive (EU) 2015/849.
This regulation will enter into force on the 20th day after publication in the official journal.
Read Notabene's key takeaways:
1. The EU sees the need for harmonized international rules
This proposal package addressed the need for harmonized rules across the internal market.
On May 7, 2020, the Commission presented an Action Plan for a comprehensive Union policy on preventing money laundering and terrorism financing. In that Action Plan, the Commission committed to taking measures to strengthen the EU’s rules on combating money laundering and terrorism financing and their implementation, with six priorities or pillars:
1. Ensuring effective implementation of the existing EU AML/CFT framework,
2. Establishing an EU single rulebook on AML/CFT,
3. Bringing about EU-level AML/CFT supervision,
4. Establishing a support and cooperation mechanism for FIUs,
5. Enforcing EU-level criminal law provisions and information exchange,
6. Strengthening the international dimension of the EU AML/CFT framework.
Pillars 1, 5, and 6 of the Action Plan are currently being implemented partly due to the support of both The European Parliament and the Council. The other pillars demand legislative action. Yet, evidence provided by reports and internal assessments identified that. In contrast, the requirements of Directive (EU) 2015/84912 were far-reaching; their lack of direct applicability and granularity led to a fragmentation in their application along national lines and divergent interpretations.
In response, this proposal updates Regulation EU 2015/847 while repealing Directive (EU) 2015/849.
Notabene’s assessment: The EU believes a more harmonized front to combat money-laundering and terrorism financing is required. A country-by-country implementation has not proven very effective. They hope this would alleviate jurisdictional arbitrage or the milder term they call “jurisdictional shopping.”
2. GDPR applies to CASPs
The EU clarifies that GDPR applies to CASPs (crypto asset service providers - the EU’s terminology equivalent to FATF’s virtual asset service providers.)
Article 15:
The EU is committed to ensuring high standards of protection of fundamental rights. Under article 15 of the current regulation, the processing of personal data under this Regulation is subject to Regulation (EU) 2016/679 of the European Parliament and of the Council31.Personal data that is processed pursuant to this Regulation by the Commission or EBA is subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council32. The General Data Protection Regulation33 will apply to CASPs as regards the personal data handled and attached to cross-border transfers of value using virtual assets.
Article 20:
Payment and crypto-asset service providers shall ensure that the confidentiality of the data processed is respected.
Additionally, CASPs must keep records of information on the originator and the beneficiary for five years; they must delete them.
2015/847 recital 29:
As it may not be possible in criminal investigations to identify the data required or the individuals involved in a transaction until many months, or even years, after the original transfer of funds or transfer of crypto-assets , and in order to be able to have access to essential evidence in the context of investigations, it is appropriate to require payment service providers or crypto-asset service providers to keep records of information on the payer and the payee or the originator and the beneficiary for a period of time for the purposes of preventing, detecting and investigating money laundering and terrorist financing. That period should be limited to five years, after which all personal data should be deleted unless national law provides otherwise.
Notabene’s assessment: Many in the crypto industry have been long awaiting what the verdict on GDPR would be regarding the Travel Rule in the EU. The EU states that going forward, CASPs will need to implement a GDPR-compliant secure data storage solution, making it clear that AML/CFT measures supersede this.
3. Personally Identifiable Information obligations accompanying transfers of crypto-assets are in line with FATF
Article 14:
OBLIGATIONS ON THE CRYPTO-ASSET SERVICE PROVIDER OF THE ORIGINATOR
Information accompanying transfers of crypto-assets
1. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the originator:
(a) the name of the originator;
(b) the account number of the originator, where an account is used to process the transaction;
(c) the originator’s address, official personal document number, customer identification
number or date and place of birth.
2. The crypto-asset service provider of the originator shall ensure that transfers of cryptoassets are accompanied by the following information on the beneficiary:
(a) the name of the beneficiary;
(b) the beneficiary’s account number, where such an account exists and is used to process the transaction.
Notabene’s assessment: By adhering to FATF suggested guidelines, it is easier for CASPs (or VASPs) to have unified rules as they comply cross-jurisdictionally.
4. Stakeholders consulted by the EU express concern about the walled garden of compliance.
pg 7:
Stakeholder input on the Action Plan was broadly positive. However, some European UnionVASP representatives claimed that the absence of a standardised global, open source and free, technical solution for the travel rule could lead to the exclusion of small actors from the crypto-assets market, with only important players being able to afford compliance with the rules.
Notabene’s assessment: Several working groups noted the possible exclusion of small players in the crypto-assets market if compliance is too complex and too expensive to roll out. If only a few exchanges can afford compliance or if messaging protocols are not free and open, a walled-garden scenario would cause a few “important” players to operate. At the same time, the rest may be hit with fines and must close.
5. The threshold is set at EUR 1000, but Travel Rule requirements still apply for lower thresholds (albeit with less PII shared)
The EU has set a threshold of EUR 1000, in line with FATF recommended guidelines. Above that, originator CASPs need to share originator identifying information beyond just name (i.e., physical address, official personal document number, customer identification number, or date and place of birth). The EU does call out transactions that may be part of structuring - whereby the asset appears to be linked to other transfers that amount to EUR 1000. The travel rule also applies to them.
2015/847 recital 16:
In order not to impair the efficiency of payment systems and crypto-asset transfer services, and in order to balance the risk of driving transactions underground as a result of overly strict identification requirements against the potential terrorist threat posed by small transfers of funds or crypto-assets, the obligation to check whether information on the payer or the payee, or, for transfers of crypto-assets, the originator and the beneficiary, is accurate should, in the case of transfers of funds where verification has not yet taken place, be imposed only in respect of individual transfers of funds or crypto-assets that exceed EUR 1000, unless the transfer appears to be linked to other transfers of funds or transfers of cryptoassets which together would exceed EUR 1000, the funds or crypto-assets have been received or paid out in cash or in anonymous electronic money, or where there are reasonable grounds for suspecting money laundering or terrorist financing.
The EU also calls out in Article 15 that the travel rule applies below the EUR 1000, but with only originator and beneficiary names shared.
Article 15:
By way of derogation from Article 14(1), transfers of crypto-assets not exceeding EUR1 000 that do not appear to be linked to other transfers of crypto-assets which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least the following information:(a) the names of the originator and of the beneficiary;(b) the account number of the originator and of the beneficiary or, where Article 14(3)applies, the insurance that the crypto-asset transaction can be individually identified;
Notabene’s assessment: The European Commission has no desire to create overly strict requirements that impede the flow of transactions. But by requiring Travel Rule below the threshold, they are boldly signaling the importance of the Travel Rule to CASPs and asking them to take a more comprehensive or holistic approach to travel rule implementation.
6. Transfers of crypto assets from the EU to outside the EU should include a Legal Entity Identifier (LEI)
2015/847 recital 19 (adapted):
In order to allow the authorities responsible for combating money laundering or terrorist financing in third countries to trace the source of funds or crypto-assets used for those purposes, transfers of funds or transfer of crypto-assets from theUnion to outside the Union should carry complete information on the payer and the payee. Complete information on the payer and the payee should include the LegalEntity Identifier (LEI) when this information is provided by the payer to the payer’s service provider, since that would allow for better identification of the parties involved in a transfer of funds and could easily be included in existing payment message formats such as the one developed by the International Organisation for Standardisation for electronic data interchange between financial institutions.
Notabene’s assessment: Many in the crypto industry had pushed for the adoption of LEIs in the FATF guidance. While suggested as an identifier, the FATF did not introduce them as a requirement. We see the EU requirement as an excellent first step in accepting a more unified, global identification system for legal entities that will reduce diligence costs for CASPs for cross-border transfers.
7. Beneficiary CASPs should have effective risk-based procedures that apply where a transfer lacks the required information
2015/847 recital 22 (adapted):
As regards transfers of crypto-assets, the crypto-asset service provider of the beneficiary should implement effective procedures to detect whether the information on the originator is missing or incomplete. These procedures should include, where appropriate, monitoring after or during the transfers, in order to detect whether the required information on the originator or the beneficiary is missing. It should not be required that the information is attached directly to the transfer of crypto-assets itself, as long as it is submitted immediately and securely, and available upon request to appropriate authorities.
Article 12 calls for the beneficiary CASP to reject a transfer if it is missing data.
Article 12:
Transfers of funds with missing information on the payer or the payee
1. The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.
Additionally, the proposal goes on to say, “If a CASP continues to submit transfers with incomplete data, the counterparty CASP could take steps to reject any future transfers of funds or terminate the business relationship.” Beneficiary CASPs must implement adequate procedures to detect whether the originator information is missing or complete.
2015/847 recital 23 (new):
Given the potential threat of money laundering and terrorist financing presented by anonymous transfers, it is appropriate to require payment service providers to request information on the payer and the payee. In line with the risk-based approach developed by FATF, it is appropriate to identify areas of higher and lower risk, with a view to better targeting the risk of money laundering and terrorist financing. Accordingly, the crypto-asset service provider of the beneficiary, the payment service provider of the payee and the intermediary payment service provider should have effective risk-based procedures that apply where a transfer of funds lacks the required information on the payer or the payee, or where a transfer of crypto-assets lacks the required information on the originator or the beneficiary, in order to allow them to decide whether to execute, reject or suspend that transfer and to determine the appropriate follow-up action to take.
Notabene’s assessment: A risk-based approach to compliance is urged and recommended for CASPs. This is good news for companies who can take a more nuanced approach to travel rule, especially during the sunrise period when many counterparty institutions may not respond quickly.
8. Member states should lay down sanctions to encourage compliance
2015/847 recital 30:
In order to improve compliance with this Regulation, and in accordance with theCommission Communication of 9 December 2010 entitled ‘Reinforcing sanctioning regimes in the financial services sector’, the power to adopt supervisory measures and the sanctioning powers of competent authorities should be enhanced. Administrative sanctions and measures should be provided for and, given the importance of the fight against money laundering and terrorist financing, Member States should lay down sanctions and measures that are effective, proportionate and dissuasive. Member States should notify the Commission and the Joint Committee of EBA, EIOPA and ESMA(the ‘ESAs’) thereof.
The proposal goes on to state that legal persons can be held liable for breaches:
Chapter 5: Sanctions and monitoring:
5. Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 2318 committed for their benefit by any person acting individually or aspart of an organ of that legal person, and having a leading position within the legal person based on any of the following:(a) power to represent the legal person;(b) authority to take decisions on behalf of the legal person; or(c) authority to exercise control within the legal person.
Competent authorities may impose administrative sanctions and measures in collaboration with other authorities.
Chapter 5: Sanctions and monitoring:
7. Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Regulation in any of the following ways:EN 41 EN(a) directly;(b) in collaboration with other authorities;(c) under their responsibility by delegation to such other authorities;(d) by application to the competent judicial authorities.In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases
Article 23:
Member States shall ensure that their administrative sanctions and measures include at least those laid down by Articles 40(2), 40(3) and 41(1)59(2) and (3) [...] in the event of the following breaches of this Regulation:
(a) repeated or systematic failure by a payment service provider to include the required information on the payer or the payee, in breach of Article 4, 5 or 6 or by a crypto-asset service provider to include the required information on the originator and beneficiary, in breach of Articles 14 and 15;
(b) repeated, systematic or serious failure by a payment service provider or crypto-asset service provider to retain records, in breach of Article 2116;
(c) failure by a payment service provider to implement effective risk-based procedures, in breach of Articles 8 or 12 or by a crypto-asset service provider to implement effective risk-based procedures, in breach of Article 17;
(d) serious failure by an intermediary payment service provider to comply with Article 11 or 12.
Notabene’s assessment: While there will be a centralized body for AML/CFT revision at the EU level, enforcement (e.g., sanctions) still gets performed at the member state level. We’re interested to see how effective this approach will be for EU member states.
9. This regulation does not apply to p2p transfers
Article 2:
Electronic money tokens, as defined in Article 3(1), point 4 of Regulation shall be treated as crypto-assets under this Regulation. This Regulation shall not apply to person-to-person transfer of crypto-assets.
Notabene’s assessment: While P2P is not affected, the EU does not comment on transactions between CASPs and noncustodial or unhosted wallets. This is good news for now, though certain member states have rolled out their own requirements (e.g., Netherlands).
10. The originator CASP should provide appropriate customer PII within three working days of receiving a request from the beneficiary CASP
Article 5: Transfers within the European Union:
2. Notwithstanding paragraph 1, the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the
following:
(a) for transfers of funds exceeding EUR 1000, whether those transfers are carried
out in a single transaction or in several transactions which appear to be linked, the
information on the payer or the payee in accordance with Article 4;
(b) for transfers of funds not exceeding EUR 1000 that do not appear to be linked
to other transfers of funds which, together with the transfer in question, exceed EUR
1000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier
FATF Travel Rule Requirements in the European Union
Resources for Crypto Compliance
Explore our collection of whitepapers, case studies, and guides to deepen your understanding of crypto compliance in the EU.
Today, the European Banking Authority (EBA) released an explainer entitled Preventing Money Laundering and Terrorism Financing in the EU’s Crypto-Assets Sector. As the crypto landscape evolves, the EU is tightening its grip on compliance with the introduction of MiCAR (Markets in Crypto-Assets Regulation) and its accompanying AML/CFT rules, including the Transfer of Funds Regulation (TFR).
One common misconception among crypto-asset service providers (CASPs) is that MiCAR includes a “grandfathering” exemption under the new European Travel Rule.
Let’s set the record straight: this is definitively not the case.
What Does Article 143(3) of MiCAR Really Say?
The much-discussed Article 143(3) states:
“Crypto-asset service providers that provided their services in accordance with applicable law before 30 December 2024, may continue to do so until 1 July 2026 or until they are granted or refused an authorization pursuant to Article 63, whichever is sooner.”
At first glance, this might appear to grant a blanket reprieve for CASPs operating before the cut-off date. In reality, the provision is far more limited in scope.
What This Provision Actually Means
While this transitional clause provides a limited window for CASPs to continue operating while applying for MiCAR authorization, it is not a free pass to avoid compliance. CASPs operating under existing frameworks—such as AMLD (Anti-Money Laundering Directive) or domestic AML/CFT regimes—must still adhere to all applicable AML/CFT requirements and that includes the Regulation (EU) 2023/1113, also know as the Transfer of Funds Regulation (TFR).
In simple terms:
- Yes, CASPs can keep operating during the transitional period.
- No, this does not exempt them from complying with the updated AML/CFT framework (including TFR).
The same stringent rules that apply to credit and financial institutions also apply to “grandfathered” CASPs.
The Travel Rule is Here to Stay
A major component of these regulations is the European Travel Rule, requiring CASPs to ensure that crypto transfers include comprehensive information about both originators and beneficiaries with the goal of preventing illicit activities like money laundering and terrorist financing in the crypto ecosystem and reporting it. This rule is non-negotiable and applies equally to CASPs during the transitional period.
Furthermore, CASPs engaging in transactions with self-hosted wallets or operating across borders will need to implement robust measures to trace and verify transfers.
Why Compliance Matters Now
While the transitional period may offer some operational flexibility, CASPs that delay in meeting compliance requirements risk jeopardizing their long-term viability. Here’s why:
- Increased Scrutiny: The EBA and upcoming EU AML Authority are tasked with enforcing strict compliance.
- Reputation at Stake: Operating without adherence to AML/CFT standards could harm trust with customers, partners, and regulators. As a matter of fact, we published earlier this year the results of our State of Crypto Travel Rule Report which showed from the survey that 66% of VASPs restrict withdrawals that do not comply with Travel Rule requirements
- Operational Risks: Failure to comply could lead to service suspension, fines, or denial of authorization.
For more on the risks of not complying with TFR, read our recent article on the Consequences of Non-Compliance with EU's Travel Rule After December 30th.
The Path Forward for CASPs
For CASPs looking to thrive under the new regime:
- Act Now: Begin implementing Travel Rule solutions and robust AML/CFT measures immediately.
- Understand the Framework: Familiarize yourself with MiCAR, Regulation (EU) 2023/1113, and the EBA Travel Rule Guidelines.
- Prepare for Licensing: Gather the necessary documentation and establish a compliance-first culture to streamline your MiCAR authorization process.
Debunking the Myth
The takeaway is clear: there is no blanket “grandfathering clause” exempting CASPs from compliance. The transitional provision simply ensures continuity while maintaining full AML/CFT obligations.
As the compliance deadline of December 30, 2024 approaches, proactive measures will separate the leaders from those left scrambling to catch up. The time to act is now—ensure your operations are Travel Rule-ready and compliant with the evolving regulatory landscape.
Let’s work together to build a safe, compliant, and thriving crypto ecosystem in the EU. 🌍
As the EU’s Travel Rule regulations continue to advance, other global regions are beginning to feel the ripple effects. The Transfer of Funds Regulation (TFR), notably Regulation (EU) 1113/2023, sets stringent requirements on crypto asset service providers (CASPs) within the EU to mitigate risks of money laundering, terrorist financing, and other financial crimes.
Yet, the effects of these rules extend beyond EU borders, influencing jurisdictions worldwide as they adapt to the standards set forth by these robust regulations.
Let’s have a look at some of the ways the EU’s TFR could impact regions globally.
A Surge in Global Compliance Demand
North America
VASPs in the US and Canada are closely observing the EU’s strict stance, with regulators considering updates or FAQs to enhance their own frameworks. The EU’s Travel Rule has set a benchmark, making it difficult for non-compliant entities to serve EU-based customers without adhering to similar standards.
Asia-Pacific
Countries like Singapore and Japan, which have already implemented Travel Rule provisions, are likely to refine their compliance measures further to align with EU requirements. This is especially important as EU-based financial institutions increasingly demand verification of counterparties in these regions.
Strengthening Due Diligence and AML Practices
The EU’s TFR mandates comprehensive due diligence for CASPs, which has led other jurisdictions to adopt or enhance similar anti-money laundering (AML) practices. For instance, LATAM countries, particularly those with high remittance flows, are tightening scrutiny on VASP activities to align with FATF recommendations and TFR influences.
For example, according to Reuters, Argentina’s cryptocurrency transactions have surged to $85.4 billion in the past year, raising concerns about money laundering. In response, the government is implementing new regulations, including a July 2024 fiscal package offering tax amnesty for individuals declaring up to $100,000 in registered crypto assets. This initiative aims to align with Financial Action Task Force (FATF) standards and prevent Argentina from being placed on the FATF’s grey list, which could deter foreign investment and harm the economy. Additionally, the government is amending laws related to money laundering and reporting entities to strengthen oversight of the crypto market. Regionally, the Financial Action Task Force of Latin America (GAFILAT), comprising 18 countries from South, Central, and North America, is enhancing anti-money laundering frameworks to align with global standards.
These efforts ensure that transactions from different regions meet EU standards, thereby reinforcing global AML practices.
Influencing Emerging Economies and Adoption Challenges
For emerging markets, particularly in Africa, the drive toward compliance is becoming essential as EU-based users and entities prefer to transact only with VASPs in compliance with their own regulatory standards.
This could either foster rapid compliance adoption or limit market access for non-compliant VASPs in these regions. This was also noted in our State of Crypto Travel Rule Report where survey results showed that VASPs are increasingly intolerant towards transacting with counterparties that do not comply with the Travel Rule. In fact, over 66% of VASPs somehow restrict withdrawals that don't comply with Travel Rule requirements.
In Nigeria, a leading African cryptocurrency market, VASPs face pressure to align with international standards to maintain global market access. In December 2023, the Central Bank of Nigeria (CBN) issued guidelines for VASPs, lifting a two-year restriction on financial institutions operating accounts for cryptocurrency service providers or processing crypto-related transactions. However, smaller VASPs often struggle with the financial and operational burdens of compliance, creating a dichotomy:
- Rapid Compliance Adoption: VASPs that can afford necessary compliance measures may gain a competitive advantage by attracting EU-based clients and partners, thereby expanding their market reach.
- Limited Market Access: Conversely, VASPs unable to meet these standards risk exclusion from transactions with EU entities, limiting their growth potential.
This dynamic underscores the importance for African VASPs to invest in compliance infrastructure. While initial costs may be high, the long-term benefits include maintaining access to international markets, fostering trust with global partners, and enhancing the overall credibility of the African cryptocurrency market, which can attract more investors and users.
Increasing Demand for Compliance Technology
As VASPs worldwide aim to meet EU standards, the demand for compliance technology is surging. Many are adopting regtech solutions to streamline KYC, AML, and data-sharing processes, enabling efficient alignment with international standards, particularly for cross-border transactions. This trend is reshaping how global VASPs approach compliance.
The Road Ahead: Potential Challenges and Opportunities
The EU’s TFR is reshaping the regulatory landscape, creating both challenges and opportunities for global VASPs. Increased regulatory pressure may lead to market consolidation, where larger entities excel while smaller players struggle to adapt. However, harmonized regulations promise more secure, trustworthy global transactions, offering users a safer and more navigable digital asset ecosystem.
This evolving environment demands proactive investment in compliance solutions. For VASPs, adapting to these changes is not just a regulatory necessity—it’s an opportunity to enhance credibility, foster innovation, and help standardize the global digital transaction landscape.
If your business is located outside of the EU and you would like to speak with our team about implementing a TFR-compliant Travel Rule program, you can schedule a free demo of our solution at notabene.id/demo
Lately, we’ve been hearing a recurring question from our customers and prospects: Is the EU Transfer of Funds Regulation (TFR) being postponed by six months? Let’s set the record straight.
The short answer: No, the TFR is not being delayed.
Understanding the Source of the Confusion
This misunderstanding likely stems from recent discussions around MiCA (Markets in Crypto-Assets) regulatory technical standards (RTS). As members of BlockchainForEurope, we’ve joined others in addressing concerns about MiCA’s RTS and its implementation timeline. The letter we co-signed with other industry members highlights several key challenges that MiCA introduces, including:
- Timing and Legal Uncertainty: With less than two months left before MiCA’s application on December 30, 2024, delays in RTS adoption have left both national competent authorities (NCAs) and CASPs scrambling to prepare.
- Inconsistent Transitional Periods: Divergent “grandfathering” clauses across Member States create a compliance patchwork—5 months in Lithuania versus 18 months in France—undermining the intended harmonization.
- Foreseeable Delays and Risks: Without coordinated measures, we risk regulatory uncertainty, market disruptions, and reputational harm, detracting from MiCA’s goals.
- Operational Challenges: CASPs face impractical requirements, such as applying in all Member States, while some states have ceased accepting pre-MiCA applications.
- Proposed Mitigations: The letter calls for ESMA to issue a “no action” letter to promote consistency among NCAs and extend transitional arrangements.
How Does This Relate to TFR?
It’s crucial to understand that MiCA and TFR are separate regulations. While MiCA includes transitional or “grandfathering” clauses for existing CASPs, the TFR does not.
For TFR, there is no "traditional" transitional period. Under the EBA Travel Rule Guidelines, until July 31, 2025, CASPs may exceptionally use infrastructures or services with technical limitations, but are required to implement additional technical steps to ensure full compliance with the requirements. This does not exempt them from Travel Rule compliance. CASPs using such infrastructures are required to take additional technical steps to ensure full compliance with the Travel Rule during this period. This means that all existing CASPs, regardless of their new status, must fully comply with the TFR requirements by the official application date. Any delays or mitigations proposed under MiCA will not directly impact TFR timelines.
Failing to comply with the TFR by the December 30, 2024, deadline carries serious consequences, including the potential for service disruptions, reputational damage, and regulatory penalties. We recently explored this topic in detail in our article: The Consequences of Non-Compliance with the EU’s Travel Rule After December 30th. If you’re preparing for compliance, it’s worth a read.
At Notabene, we’re committed to helping businesses navigate these regulatory complexities. If you have questions or concerns about preparing for the TFR, we’re here to help. Feel free to reach out to our Regulatory & Compliance team at [email protected]
Notabene Customer Workshop - EU Travel Rule (Session 2)
Notabene Customer Workshop - EU Travel Rule
Introducing SafeConnect Components: Seamless end-to-end TFR Compliance
Become an Expert on Travel Rule in the EU
Compliance Deep Dive: Travel Rule in the European Union (2022)
Navigating Crypto Regulations in the UK and EU in 2021
Response to the Public Consultation on the Draft Legislative Decrees for Adapting National Legislation to the 'MiCAR' and 'TFR' Regulations on Crypto-Assets
Upcoming Events on EU Crypto Industry Compliance
Join us at the latest events focused on crypto compliance in the EU. Network with industry leaders and gain insights into the latest regulatory developments.
Get Certified as an Expert in EU Travel Rule Compliance
Sign up for our course to teach you everything you need to know about Travel Rule compliance in the EU.
FAQs
What is crypto compliance in the EU?
Crypto compliance in the EU involves adhering to regulatory standards set by the European Union for cryptocurrency operations, including anti-money laundering (AML) and counter-terrorism financing (CTF) measures.
What is the EU Travel Rule?
The EU Crypto Travel Rule requires cryptocurrency exchanges and wallet providers to share specific information about transactions to comply with AML and CTF regulations. This rule aims to enhance transparency and security in crypto transactions.
How does financial crime impact crypto compliance?
Financial crime, such as money laundering and fraud, poses significant risks to the crypto industry. Crypto compliance measures, including AML and CTF regulations, are crucial in mitigating these risks and ensuring the integrity and security of cryptocurrency transactions.
Are stablecoins regulated?
Yes, stablecoins are regulated to ensure they adhere to financial regulations, particularly concerning anti-money laundering (AML) and counter-terrorism financing (CTF) standards. Regulatory bodies require stablecoin issuers to maintain transparency and ensure that their assets are properly backed and audited.
What regulations do crypto exchanges need to comply with?
Crypto exchanges need to comply with a range of regulations, including:
- Anti-Money Laundering (AML): Implement measures to detect and prevent money laundering activities.
- Know Your Customer (KYC): Verify the identity of users to prevent fraud and illegal activities.
- Counter-Terrorism Financing (CTF): Ensure transactions do not facilitate terrorism financing.
- Crypto Travel Rule: Share specific transaction information to comply with international regulatory standards.
- Data Protection: Adhere to data protection laws such as GDPR to ensure user privacy and data security.
Hosting these gateways within the VASP's own infrastructure, such as a data center or cloud account, is advised for optimal security. This approach, particularly when using an enclave server, allows for enhanced security measures, aligning with the principle that control over the hosting environment can significantly bolster security.