Stay Updated on Crypto Compliance & Crypto Regulation in the EU
Stay informed about the latest events, webinars, and news on crypto compliance in the European Union. Join our community of compliance professionals and ensure your business stays ahead of regulatory changes.
Your Hub for Cryptocurrency Compliance in the European Union
Welcome to your go-to resource for all things related to crypto compliance in the EU. Here, you’ll find the latest news, upcoming events, and insightful webinars to keep you informed and compliant.
Recent News on Crypto Regulation in the EU
Stay up-to-date with the latest news articles, regulatory updates, and industry insights on crypto compliance in the EU.
The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.
‍
Highlights of What Changed in the EBA’s Final Travel Rule Guidelines
1. More Flexibility in the Scope of Required Originator Information:
The final version of the Travel Rule guidelines clarifies that CASPs have the discretion to determine which “alternative information items” about the originator customer to transmit and demand receiving, as long as they achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.
2. Eased Requirements for SHW Transfers Below €1,000:
The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.
3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:
The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.
4. Clarification for 3rd-Party SHW Transfers Above €1,000:
The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.
‍
{{european1="/cta-components"}}
‍
Overview of Applicable Obligations
The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:
- Transactions of 1,000 euros or less.
- Transactions over 1,000 euros where the wallet owner is a CASP customer.
- Transactions over 1,000 euros where the wallet owner is not a CASP customer.
Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.
‍
A. Transactions of 1,000 Euros or Less
For transactions of 1,000 euros or less involving self-hosted wallets, the TFR mandates that CASPs collect and hold specific information about the parties involved. As outlined in Articles 14/5 and 16/2 of the TFR, transactions involving self-hosted wallets of 1,000 euros or less require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.
The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:
• Full name of the originator and beneficiary
• Distributed ledger address
• Account number
The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. Now, CASPs are mandated to collect and retain specific pieces of information from their customers. [1]
‍
B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP
For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. [2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. [3]
The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:
- Advanced analytical tools
- Unattended verifications (e.g., displaying the address)
- Attended verifications (e.g., live customer interaction)
- Sending a predefined amount from the wallet to the CASP
- Signing a specific message in the account and wallet software
- Other suitable technical means, as long as they allow for reliable and secure assessment. [4]
Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. [5]
‍
C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer
The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:
- Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
- Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. [6]
‍
Verification and Risk Assessment
CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.
‍
General Obligations for Self-Hosted Wallet Transactions
In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:
1. Self-Hosted Wallet Identification
Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. [7]
2. Threshold Calculation
Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. [8]
3. Risk Assessment
Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. [9]
‍
Additional Context and Considerations
‍
FATF’s Recommendation 16
Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.
Regulatory Expectations and Trends
Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.
Future Assessments
By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.
The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.
‍
{{european2="/cta-components"}}
‍
The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions.Â
Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.
The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority’s final Travel Rule Guidelines impose stringent requirements on Crypto Asset Service Providers (CASPs) to ensure transparency and security in crypto-asset transactions. Beneficiary CASPs, in particular, have critical responsibilities in managing incoming transactions despite their limited control over deposit flows compared to originating CASPs.
Beneficiary CASPs cannot proactively block incoming deposits and rely on the compliance of the originator CASP to meet obligations. Therefore, it is crucial to evaluate strategies for handling non-compliant deposits. This article focuses on the specific requirements for beneficiary CASPs and strategies for managing transactions that fail to meet compliance standards.
Required Information for Transactions
Under Article 16/1 of the TFR, beneficiary CASPs are obligated to receive specific information about both the originator and the beneficiary of each transaction. Articles 14(1) and 16(1) of the TFR specify the required information, including:
- Full name of the originator and beneficiary
- Distributed ledger address and account number
- Address and official personal document number of the originator
- Additional optional information, such as customer identification number or date and place of birth, to ensure unambiguous identification.
Monitoring Systems for Detecting Non-Compliance
The TFR mandates that beneficiary CASPs implement robust monitoring systems to detect non-compliant transactions. According to the Travel Rule Guidelines, these systems should include:
- Methods for detecting missing, incomplete, or meaningless information.
- Pre- and post-monitoring practices aligned with money laundering and terrorist financing (ML/TF) risk levels.
- Criteria for recognizing risk-increasing factors. [1]
Managing Non-Compliant Transactions
Beneficiary CASPs must follow specific procedures to detect a transaction lacking the required information. Article 17 of the TFR outlines four possible actions:
- Execute: The CASP can proceed with the transaction if the risk assessment allows it.
- Reject: The transaction can be rejected if it does not meet compliance standards.
- Return: The funds can be returned to the originator if the necessary information is not provided.
- Suspend: The transaction can be temporarily suspended while additional information is requested.
The Travel Rule Guidelines provide more granularity on how CASPs should define the appropriate follow-up action:
- Beneficiary CASPs can request missing information from the originator CASP rather than immediately rejecting or returning the transfer. [2]Â
- If the information is not provided within a specified timeframe (three working days for EU transfers and up to seven days for others), the CASP must decide whether to proceed based on a risk assessment. [3]Â
- If the rejection is technically impossible (e.g., the crypto-assets have already been received), the transfer should be returned to the originator. [4]
- If returning the transfer to the original address is not possible, CASPs should hold the returned assets in a secure, segregated account while communicating with the originator CASP to arrange the proper return of the crypto-assets. [4]
‍
Managing Non-Compliant Counterparties
When beneficiary CASPs identify deposits missing Travel Rule data, it not only disrupts the transaction but also strains relationships with non-compliant counterparties. Here’s how CASPs should manage these situations according to Article 17/2 of the TFR:
- Reassess the Relationship: Evaluate if the counterparty repeatedly fails to provide the required information.
- Report Non-Compliance: Notify competent authorities about the non-compliance.
Assessment Criteria
To determine the appropriate course of action, CASPs must assess whether the counterparty has repeatedly failed to meet their obligations. The assessment involves both quantitative and qualitative criteria:
- Quantitative: Frequency of incomplete transfers and unanswered follow-up requests. [5]
- Qualitative: Counterparty cooperation, agreements for extended time, and reasons for missing data. [6]
Steps for Repeated Non-Compliance
- Issue Warnings: Inform the counterparty of potential consequences and set deadlines for compliance.
- Enhanced Due Diligence: Apply stricter measures to manage risk.
- Terminate Relationship: If necessary, end the business relationship or reject future transfers.
- Report Repeatedly Non-compliant CASPs: CASPs must report non-compliant counterparties within three months of identifying non-compliance and include details of the non-compliant counterparty CASP, nature and frequency of breaches, justifications provided, and actions taken. [7]Â
‍
General Obligations
Finally, the Travel Rule Guidelines offer a concise overview of supplementary requirements that CASPs should consider when dealing with deposits.Â
‍
Pre vs. Post Transaction Monitoring
CASPs are responsible for establishing policies and procedures to determine which transfers require monitoring before or during the transfer process. This decision should consider any factors that may increase risk, as specified in the “EBA’s Guidelines on Money Laundering/Terrorist Financing (ML/TF) Risk Factors.” [8]
Meaningless and Inconsistent Information
CASPs should treat information as missing if essential fields are left empty or if the provided information is deemed meaningless or inconsistent. For example, random strings of letters should be considered meaningless information. [9]
Communication Systems
When contacting the counterparty for clarification, CASPs should use the same messaging system utilized to transmit the initial information. [10]
Self-Hosted Wallet Deposits
For deposits from self-hosted wallets, any requests for clarification should be directed straight to the customer. [11]
Interested in learning more? Check out our articles on Self-Hosted Wallet Transaction Requirements Under the EU TFR and Top 10 Insights European CASPs Need to Know About the Upcoming Travel Rule Compliance Regulation.
A Comparative Analysis of the EU's Transfer of Funds regulation with current industry standards on Travel Rule
‍
Today marks the achievement of a major milestone in European crypto regulation: the European Parliament approved the Regulation on Markets in Crypto-Assets (MiCA) and the revision of the Regulation on information accompanying transfers of funds (TFR, or Transfer of Funds Regulation).Â
The approval of MiCA is a landmark that has the potential to set standards for crypto regulation globally. One of its main goals is to provide clarity and legal certainty for the crypto industry, which has been operating in a regulatory gray area for many years. MiCA establishes a level playing field for all European crypto-asset service providers (CASPs) and boosts consumers’ protection when using crypto-assets. It does so by introducing new rules for issuers of crypto-assets, CASPs, and trading platforms. It will also establish a new regulatory regime for stablecoins, which have become increasingly popular in recent years due to their stability and ease of use for payments.Â
Despite the press attention on MiCA, the TFR is a critical piece of legislation that will harmonize crypto Travel Rule requirements across Europe and fundamentally change how we transact in crypto. In June 2019, the FATF published its Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), extending anti-money laundering/countering the financing of terrorism (AML/CFT) obligations to cover VAs and VASPs. This directive included the Travel Rule, which obliges VASPs that exchange, hold, safe keep, convert, and sell virtual assets to obtain, hold, and transmit required originator and beneficiary information immediately and securely during VA transfers.Â
Since FATF introduced the crypto Travel Rule, national regulators have been working on transposing these requirements to their local frameworks, and significant progress has been achieved globally. With the introduction of the TFR, the EU follows in these footsteps and introduces Travel Rule obligations for European CASPs.Â
Notabene reports on the progress achieved in the implementation of the Travel Rule through an annual global crypto Travel Rule compliance report. The 2023 edition will be available soon, and today we share how the TFR compares with industry benchmarks using fresh findings from our report.Â
The revised Transfer of Funds Regulation
The European Commission made a significant move to combat money laundering and terrorism financing with an ambitious package of legislative proposals presented on July 20, 2021. The package aims to strengthen the EU's anti-money laundering and countering terrorism financing (AML/CFT) rules.
The package includes various measures to improve the EU's AML/CTF framework, including the revision of the Transfer of Funds Regulation to make it possible to trace transfers of crypto-assets by imposing Travel Rule requirements on CASPs.Â
As mentioned above, the revision of the Transfer of Funds Regulation was finally approved by the European Parliament plenary today (April 20, 2023). However, the EU’s AML/CTF legislative package is not yet finalized. Notably, the legislative process of the new proposed regulation on AML/CTF (AMLR) is still ongoing and is expected to impact the requirements applicable to transactions with self-hosted wallets.Â
For now, let’s dive into the TFR and how it compares to global industry standards on the crypto Travel Rule.Â
‍
Five key TFR takeaways: EU vs. Global Industry Standards
‍
1. Travel Rule comes into effect for all EU VASPs on December 30, 2024
The Transfer of Funds Regulation will start applying on December 30, 2024, 18 months after the regulation enters into force.
According to Notabene’s 2023 State of Travel Rule Report, the large majority (84%) of respondents are currently complying or intend to comply with the Travel Rule by Q4 2023. In the United Kingdom, Travel Rule will be enforced starting September 2023, and several other crypto hubs are enforcing Travel Rule compliance already. This creates a considerable gap between the EU’s and third-countries timelines for Travel Rule implementation, which may prevent the industry from overcoming the Sunrise Issue. To stay competitive and continue to be able to transact with counterparties outside the EU, CASPs will need to roll out Travel Rule ahead of the TFR deadline.Â
‍
Notabene’ study also reveals that Europe's adoption is delayed compared to the rest of the market. In particular, EMEA is the region with the highest percentage of VASPs planning to be compliant after Q4 2023. This may have reflected a lack of regulatory urgency, with many EU VASPs awaiting the implementation of Travel Rule requirements through the revised Transfer of Funds Regulation which had just occurred.
2. Zero Exceptions: Travel Rule obligations apply to all transactions, regardless of amount or location - inside or outside the Union.
EU CASPs will be required to comply with Travel Rule obligations in every transaction, regardless of its amount. No de minimis threshold applies, and there is no simplification of requirements for transactions within the Union. It is also worth noting that the scope of originator and beneficiary information that the originator CASP is required to share also does not vary depending on the transaction amount - the same scope, defined in Article 14 (1) and (2), is required for every transaction.
Recital 27 justifies the policy option by citing the “inherent borderless nature and global reach of transfers of cryptoassets and of the provision of crypto-asset services,” and being “in line with the FATF requirement to treat all transfers of crypto-assets as cross-border,” which invalidates any distinction on the scope of obligations when transacting within and outside the Union. [1]
As reported in our 2023 global crypto Travel Rule compliance report, the approach taken by the TFR (imposing the same information transmission obligations regardless of the transaction amount) contrasts with the option taken by several other jurisdictions, notably Singapore, Germany, Hong Kong, and the United Kingdom, which allow a more limited scope of information to be shared below a certain threshold.Â
3. First-party transactions with self-hosted wallets over 1,000 euros require wallet ownership verification.
In line with FATF recommendations, transactions with self-hosted wallers fall within the scope of the revised Transfer of Funds Regulation [2].Â
When transacting with self-hosted wallets, European CASPs must collect the required originator and beneficiary information and comply with the following additional wallet verification obligations for transactions exceeding 1,000 Euros:
- When sending a transfer exceeding EUR 1,000 to a self-hosted wallet, the originator VASP is required to verify if that wallet is owned or controlled by the originator customer;
- When receiving a transfer exceeding EUR 1,000 from a self-hosted wallet, the beneficiary VASP must verify that the beneficiary customer owns or controls the originating wallet.Â
​​This means wallet ownership verification requirements apply to first-party transactions to/from self-hosted wallets exceeding EUR 1,000. [3]
Our 2023 State of Travel Rule Compliance Report revealed that the majority of surveyed VASPs already enforce restrictions when transacting with self-hosted wallets. Additionally, just over a third of companies (34.3%) only allow first-party transactions with self-hosted wallets, provided the customer can demonstrate ownership of the wallet address, which aligns with the approach taken by the TFR.Â
‍
Going forward, VASPs will require a tool that allows them to determine if the transaction is with a self-hosted wallet and swiftly verify ownership before proceeding.
Notabene’s self-hosted wallet identification tool pinpoints the jurisdictional requirements of each transaction. It collects counterparty customer data from your withdrawal screen, creating an archive for sanctions compliance, record keeping, and Suspicious Activity Reports.
4. Due diligence measures for non-EU entities must adhere to correspondent banking standards.
In its Updated Guidance for VAs and VASPs (October 2021), FATF makes it clear that counterparty due diligence for the purposes of engaging in Travel Rule flows is distinct from the due diligence required to establish correspondent banking relationships [4]:
The nature of CASPs' relationships for transacting and sharing Travel Rule information is distinct from correspondent banking relationships and, hence, could justify a different - and more limited - scope of counterparty due diligence obligations to apply.Â
However, the revised Transfer of Funds Regulation goes in a different direction: citing the “ongoing and repetitive” nature of the relationships between domestic CASPs and foreign VASPs for the purpose of transacting, the TFR deems these relationships as a type of correspondent relationship subject to enhanced due diligence measures.Â
The measures CASPs are required to apply will be further specified in guidance issued by the European Banking Authority. Clear and adequate regulatory guidance on counterparty due diligence obligations will be key to enabling European CASPs to comply adequately.Â
‍
Notabene’s  2023 State of Crypto Travel Rule Compliance Report shows 52% of respondents send Travel Rule transfers to all VASPs without applying any criteria or counterparty due diligence process. This indicates that perhaps counterparty due diligence is a component of Travel Rule compliance that VASPs still struggle to grasp fully. Local laws and regulations are often vague or silent on this topic, although it is covered at length in the FATF Guidance. The upcoming guidance by the European Banking Authority should set expectations as to what counterparty due diligence measures are required for the purposes of transacting and engaging in Travel Rule flows. It will also be relevant to specify cases where VASPs may be exempt from carrying out due diligence (e.g., relying on the uniform requirements and supervision applied in the jurisdiction or region) or where simplified due diligence measures are permissible. [5]
‍
5. CASPs are required to fulfill Travel Rule obligations prior to transacting
Notabene welcomes the clarification provided by the TFR that Travel Rule compliance needs to be performed pre-transaction. This is particularly important given the specific characteristics of virtual asset transactions: settlement is immediate and irreversible; hence, only pre-transaction actions can effectively mitigate risk.Â
In line with this, Notabene is a pre-transaction decision-making platform offering a secure, holistic view of crypto transactions that enables CASPs to identify and stop high-risk activity before it occurs on the blockchain.Â
According to the revised TFR, originator CASPs are required to transmit information to the beneficiary CASP before sending the corresponding crypto transaction. In turn, Beneficiary CASPs need to ensure that the required information was received before making funds available to the end customer. [6]
‍
According to Notabene’s 2023 State of Crypto Travel Rule Report, although the industry is making significant progress in Travel Rule adoption, a notable discrepancy exists between VASPs’ claims of compliance and their fulfillment of pre-transaction obligations.
37.5% of companies reporting to be Travel Rule-compliant fulfill requirements post-transaction, which does not align with the TFR’s pre-transaction requirements or the FATF standards. Providing European CASPs with regulatory clarity in that Travel Rule is a pre-transaction requirement is a fundamental step to drive compliance in the right direction.Â
‍
Next steps:
The revised Transfer of Funds Regulation will be supplemented by guidelines issued by the European Banking Authority on different aspects, for example:
- The factors to be taken into account by CASPs when entering into business relationships or carrying out transactions in crypto-assets and enhanced due diligence measures that obliged entities shall consider applying to mitigate higher risks when identified, including the adoption of appropriate procedures to detect the origin or destination of crypto assets;
- The criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made to or from a self-hosted address, in particular through reliance on third parties, taking into account the latest technological developments.Â
FATF Travel Rule Requirements in the European Union
Resources for Crypto Compliance
Explore our collection of whitepapers, case studies, and guides to deepen your understanding of crypto compliance in the EU.
For compliance professionals across Europe, the Transfer of Funds Regulation (TFR) plays a pivotal role in enhancing transparency and combating money laundering and terrorist financing. While its primary objective is to align with the Financial Action Task Force’s (FATF) “Travel Rule” for European Union (EU) member states, it’s equally important—but sometimes overlooked—that it also applies to the European Economic Area (EEA) member states, namely Norway, Iceland, and Liechtenstein. This blog post delves into how the TFR extends to the EEA, ensuring a homogeneous regulatory framework across the region.
TFR in the EEA: Not Just an EU Regulation
The TFR was first established under Regulation (EU) 2015/847*, mandating that financial service providers share information accompanying transfers of funds. This regulation is designed to combat money laundering and terrorist financing by ensuring transparency in financial transactions. When the regulation was introduced, the EEA Joint Committee, responsible for aligning EEA non-EU members with relevant EU regulations, formally incorporated it into the EEA Agreement.
EEA Joint Committee Decision No. 198/2016*, adopted on 30 September 2016, amended Annex IX (Financial Services) of the EEA Agreement to include the TFR, thereby extending its applicability to Iceland, Liechtenstein, and Norway. This decision ensured that non-EU EEA members implement the TFR within their financial systems, thus aligning their AML measures with EU standards.
The Complete List of EEA Countries Impacted by the TFR
Understanding which countries the TFR applies to is key for compliance. Here’s the full list of EEA member states:
EU Member States (27 countries):Â
- 🇦🇹 Austria
- 🇧🇪 Belgium
- 🇧🇬 Bulgaria
- đź‡đź‡· Croatia
- 🇨🇾 Cyprus
- 🇨🇿 Czech Republic
- 🇩🇰 Denmark
- 🇪🇪 Estonia
- 🇫🇮 Finland
- 🇫🇷 France
- 🇩🇪 Germany
- 🇬🇷 Greece
- đź‡đź‡ş Hungary
- 🇮🇪 Ireland
- 🇮🇹 Italy
- 🇱🇻 Latvia
- 🇱🇹 Lithuania
- 🇱🇺 Luxembourg
- 🇲🇹 Malta
- 🇳🇱 Netherlands
- 🇵🇱 Poland
- 🇵🇹 Portugal
- 🇷🇴 Romania
- 🇸🇰 Slovakia
- 🇸🇮 Slovenia
- 🇪🇸 Spain
- 🇸🇪 Sweden
EEA EFTA States (3 countries):Â
- 🇮🇸 Iceland
- 🇱🇮 Liechtenstein
- 🇳🇴 Norway
It’s worth noting that 🇨🇠Switzerland, although part of the European Free Trade Association (EFTA), is not a member of the EEA and is therefore not directly subject to the TFR.
How the TFR Enhances AML/CFT Measures Across the EEA
The TFR strengthens AML and Counter Financing of Terrorism (CFT) measures by requiring payment service providers to attach detailed payer and payee information to transfers of funds. For the EEA as a whole, this means consistent AML compliance standards for financial institutions across both EU and non-EU EEA states.
When Regulation (EU) 2023/1113* updated the TFR, it further extended these obligations specifically for virtual asset service providers (VASPs), bringing them under the same AML/CFT standards. This update is part of the EU’s broader Markets in Crypto-Assets (MiCA) framework, which aims to regulate cryptocurrency service providers consistently across the EEA.
This update extended obligations to VASPs across the EEA as part of the region’s coordinated AML/CFT strategy and ensured that virtual asset transfers include necessary information about the originator and beneficiary, aligning with the FATF’s Travel Rule.
Implications of the TFR for Financial Institutions and VASPs in the EEA
The TFR’s incorporation into the EEA Agreement means that financial institutions, including VASPs in Iceland, Liechtenstein, and Norway, must now comply with the same AML requirements as those in the EU. This uniformity is essential for:
- Legal Alignment: Ensuring a homogenous legal framework across all EEA member states.
- Compliance Requirements: Enforcing the same level of scrutiny for fund transfers within the EEA, enhancing transparency and reducing regulatory disparities.
- AML/CFT Strengthening: Bolstering defenses against money laundering and terrorism financing across borders, especially in high-risk sectors like virtual assets.
Why Compliance Professionals Shouldn’t Overlook EEA Obligations
For compliance officers, particularly those dealing with cross-border transactions, it’s essential to remember that the TFR’s obligations span the entire EEA. Ignoring the non-EU EEA countries—Norway, Iceland, and Liechtenstein—can lead to gaps in compliance, risking penalties and reputational damage. Every compliance framework and transaction protocol should therefore account for the TFR’s reach across these territories.
The TFR is not just an EU obligation; it applies to the entire EEA, including Iceland, Liechtenstein, and Norway. Its aim is to create a consistent and robust AML framework across Europe, aligning the EEA non-EU members with the EU’s AML/CFT standards. Compliance professionals and financial institutions should ensure that their policies and procedures reflect this broader scope of the TFR, safeguarding against regulatory and operational risks in today’s complex financial landscape.
Where to Find Further Guidance on EEA Compliance
The EFTA Secretariat offers access to legal texts and guidance on implementing EU regulations within the EEA, including the TFR. Additionally, each EEA EFTA state’s financial supervisory authority provides national guidelines to help institutions comply with the regulation’s requirements.
For more detailed information on the TFR’s integration into the EEA, refer to EEA Joint Committee Decision No 198/2016, published in the EEA Supplement to the Official Journal of the European Union. The official EFTA website also provides a repository of EEA-related legislative documents, ensuring that compliance professionals have the resources they need to meet EEA-wide AML standards.
*Sources
Regulation (EU) 2015/847 -Â https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015R0847#ntr2-L_2015141EN.01000101-E0002
EEA Joint Committee Decision No. 198/2016 -Â Â https://www.efta.int/sites/default/files/documents/legal-texts/eea/other-legal-documents/adopted-joint-committee-decisions/2016%20-%20English/198-2016.pdf
Regulation (EU) 2023/1113 -Â 3Â https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32023R1113
As the European Union's Transfer of Funds Regulation (TFR) comes into force on December 30th, 2024, Crypto Asset Service Providers (CASPs) and other obliged entities must be prepared for the stringent compliance requirements. But what happens if an entity fails to comply after this crucial date? Let's explore the potential consequences of non-compliance with the TFR.
1. Financial Penalties
One of the most immediate and tangible consequences of non-compliance is the imposition of financial penalties. These can be substantial and may vary depending on the severity of the breach and the specific regulations in each EU member state. It's important to note that:
- Penalties can accumulate, potentially resulting in daily fines
- Non-compliant CASPs may face enhanced regulatory oversight
- Increased compliance costs and operational burdens may be necessary to resolve deficiencies
2. Criminal and Administrative Sanctions
In more severe cases, particularly those involving deliberate non-compliance or gross negligence, entities and individuals may face criminal or administrative sanctions. This can include:
- Criminal liability for Chief Compliance Officers (CCOs) or executives responsible for overseeing AML/CFT protocols
- Administrative sanctions that could significantly impact business operations
3. Regulatory Sanctions
While exact details may vary, it's likely that regulatory sanctions for non-compliance could be severe:
- Suspension or revocation of operating licenses within the EU
- Restrictions on certain activities or prohibitions on cross-border crypto-asset transfers
4. Reputational Damage
In the highly regulated EU market, reputation is crucial. Non-compliance can lead to:
- Loss of trust from customers and partners
- Negative publicity that can be challenging to overcome
- Long-term impact on business relationships and growth opportunities
5. Heightened Regulatory Scrutiny
Entities found to be non-compliant will likely face increased attention from regulators:
- More frequent audits and inspections
- Increased reporting obligations, adding administrative burdens and costs
- Requirements to submit additional documentation to demonstrate compliance improvements
6. Counterparty Risks
Non-compliance can also affect business relationships:
- Counterparties may report non-compliance to regulators
- Partners may be hesitant to work with non-compliant entities
- This can lead to lower transaction volumes and overall business success
While no one has a crystal ball, the consequences of non-compliance with the EU's TFR after December 30th, 2024, are far-reaching and potentially severe. From financial penalties to reputational damage, the possible risks suggest that CASPs and other obligated entities should take seriously the need to be fully prepared with a TFR-ready Travel Rule solution when the regulation comes into force.
‍
The European Union's Transfer of Funds Regulation (TFR) and the associated Travel Rule Guidelines from the European Banking Authority (EBA) are set to significantly impact how Crypto Asset Service Providers (CASPs) handle crypto-asset transactions. As these regulations come into effect, it is crucial for CASPs to understand the key requirements and prepare for compliance.Â
This blog highlights the top 10 things European CASPs need to know about the upcoming Travel Rule compliance enforcement.
1. Comprehensive Data Collection Requirements
Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure that all transfers include specific details about the originator and beneficiary.
This includes:
Natural persons
Legal persons
This comprehensive data collection ensures that all parties in a transaction can be unambiguously identified.
2. Robust Monitoring Systems
Beneficiary CASPs must implement robust monitoring systems to detect and manage non-compliant transactions. These systems should be capable of identifying missing, incomplete, or meaningless information and should align with the risk levels associated with money laundering and terrorist financing. [1]
{{european2="/cta-components"}}
3. Handling Non-Compliant Transactions
When a transaction lacks the required information, CASPs have four options: execute, reject, return, or suspend the transfer. The appropriate action depends on the specific circumstances and the risk assessment results. [2]
4. Managing Non-Compliant Counterparties
Repeated non-compliance by counterparties requires CASPs to reassess their relationships. This includes applying stricter monitoring and verification measures, potentially terminating business relationships, and reporting non-compliant counterparties to the relevant authorities. [3]
5. Verifying Self-Hosted Wallet Transactions
For transactions involving self-hosted wallets, the requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. [4]
6. Understanding Different Self-Hosted Wallet Transaction ScenariosÂ
The TFR categorizes self-hosted wallet obligations based on the transaction amount and whether the wallet owner is a customer of the CASP. These scenarios include transactions of 1,000 euros or less, transactions over 1,000 euros where the wallet owner is a CASP customer, and transactions over 1,000 euros where the wallet owner is not a CASP customer.
‍
7. Implementing Appropriate Risk Mitigation Measures on Self-Hosted Wallet Transactions
CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks. These measures may include verifying the identity of the transfer's originator or beneficiary, requesting additional information, and conducting enhanced ongoing monitoring of transactions. [5]
8. Ensuring Compliance with General Obligations
CASPs must ensure compliance with several general obligations, such as:
- Information transmission infrastructure: Must be fully capable of transmitting information without technical limitations. A transitional period until July 31, 2025, allows for exceptions with compensatory policies in place. [6]
- Compliance timing: Information must be transmitted immediately and securely, before or at the same time the crypto-asset transfer is completed. [7]
- Joint accounts: Transfers from joint accounts, addresses, or wallets must include information about all holders. [8]‍
- Information submission changes: Initial information submissions cannot be changed unless requested by the beneficiary CASP or if an error is identified. Subsequent CASPs must be informed and required to detect any missing or incomplete information. [9]
9. Evaluating Payment and Messaging Systems (Travel Rule solutions)
Payment and messaging system requirements: CASPs must evaluate selected messaging or payment protocols based on the following aspects:
- Communication with internal core systems and counterparty messaging or payment systems.
- Compatibility with other blockchain networks.
- Reachability, including the ability to reach counterparties and the success rate of transfers.
- Detection of transfers with missing or incomplete information.
- Data integration, security, and reliability. [10]
10. Preparing for the Future
By July 1, 2026, the European Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions. [11]
‍
{{european1="/cta-components"}}
‍
The upcoming Travel Rule compliance regulation imposes comprehensive requirements on CASPs to ensure the integrity of crypto-asset transactions. By understanding and adhering to these requirements, CASPs can effectively manage transaction information, monitor compliance, handle non-compliant transactions, and manage relationships with non-compliant counterparties. This regulatory framework not only helps in mitigating risks associated with money laundering and terrorist financing but also fosters a more secure and transparent crypto-asset ecosystem in the European Union.
‍
Want to learn more? Read our blogs on beneficiary VASPs' transaction requirements under the TFR and the upcoming self-hosted wallet requirements.
Travel Rule Compliance in the European Union: Summary
FATF Travel Rule Requirements in the European Union
Travel Rule Compliance in the European Union: An In-Depth Analysis
Introducing SafeConnect Components: Seamless end-to-end TFR Compliance
Become an Expert on Travel Rule in the EU
Compliance Deep Dive: Travel Rule in the European Union (2022)
Navigating Crypto Regulations in the UK and EU in 2021
Response to the Public Consultation on the Draft Legislative Decrees for Adapting National Legislation to the 'MiCAR' and 'TFR' Regulations on Crypto-Assets
Upcoming Events on EU Crypto Industry Compliance
Join us at the latest events focused on crypto compliance in the EU. Network with industry leaders and gain insights into the latest regulatory developments.
Get Certified as an Expert in EU Travel Rule Compliance
Sign up for our course to teach you everything you need to know about Travel Rule compliance in the EU.
FAQs
What is crypto compliance in the EU?
Crypto compliance in the EU involves adhering to regulatory standards set by the European Union for cryptocurrency operations, including anti-money laundering (AML) and counter-terrorism financing (CTF) measures.
What is the EU Travel Rule?
The EU Crypto Travel Rule requires cryptocurrency exchanges and wallet providers to share specific information about transactions to comply with AML and CTF regulations. This rule aims to enhance transparency and security in crypto transactions.
How does financial crime impact crypto compliance?
Financial crime, such as money laundering and fraud, poses significant risks to the crypto industry. Crypto compliance measures, including AML and CTF regulations, are crucial in mitigating these risks and ensuring the integrity and security of cryptocurrency transactions.
Are stablecoins regulated?
Yes, stablecoins are regulated to ensure they adhere to financial regulations, particularly concerning anti-money laundering (AML) and counter-terrorism financing (CTF) standards. Regulatory bodies require stablecoin issuers to maintain transparency and ensure that their assets are properly backed and audited.
What regulations do crypto exchanges need to comply with?
Crypto exchanges need to comply with a range of regulations, including:
- Anti-Money Laundering (AML): Implement measures to detect and prevent money laundering activities.
- Know Your Customer (KYC): Verify the identity of users to prevent fraud and illegal activities.
- Counter-Terrorism Financing (CTF): Ensure transactions do not facilitate terrorism financing.
- Crypto Travel Rule: Share specific transaction information to comply with international regulatory standards.
- Data Protection: Adhere to data protection laws such as GDPR to ensure user privacy and data security.
Hosting these gateways within the VASP's own infrastructure, such as a data center or cloud account, is advised for optimal security. This approach, particularly when using an enclave server, allows for enhanced security measures, aligning with the principle that control over the hosting environment can significantly bolster security.