Stay Updated on Crypto Compliance & Crypto Regulation in the EU

For compliance professionals across Europe, the Transfer of Funds Regulation (TFR) plays a pivotal role in enhancing transparency and combating money laundering and terrorist financing. While its primary objective is to align with the Financial Action Task Force’s (FATF) “Travel Rule” for European Union (EU) member states, it’s equally important—but sometimes overlooked—that it also applies to the European Economic Area (EEA) member states, namely Norway, Iceland, and Liechtenstein. This blog post delves into how the TFR extends to the EEA, ensuring a homogeneous regulatory framework across the region.

TFR in the EEA: Not Just an EU Regulation

The TFR was first established under Regulation (EU) 2015/847*, mandating that financial service providers share information accompanying transfers of funds. This regulation is designed to combat money laundering and terrorist financing by ensuring transparency in financial transactions. When the regulation was introduced, the EEA Joint Committee, responsible for aligning EEA non-EU members with relevant EU regulations, formally incorporated it into the EEA Agreement.

EEA Joint Committee Decision No. 198/2016*, adopted on 30 September 2016, amended Annex IX (Financial Services) of the EEA Agreement to include the TFR, thereby extending its applicability to Iceland, Liechtenstein, and Norway. This decision ensured that non-EU EEA members implement the TFR within their financial systems, thus aligning their AML measures with EU standards.

The Complete List of EEA Countries Impacted by the TFR

Understanding which countries the TFR applies to is key for compliance. Here’s the full list of EEA member states:

EU Member States (27 countries): 

• 🇦🇹 Austria
• 🇧🇪 Belgium
• 🇧🇬 Bulgaria
• 🇭🇷 Croatia
• 🇨🇾 Cyprus
• 🇨🇿 Czech Republic
• 🇩🇰 Denmark
• 🇪🇪 Estonia
• 🇫🇮 Finland
• 🇫🇷 France
• 🇩🇪 Germany
• 🇬🇷 Greece
• 🇭🇺 Hungary
• 🇮🇪 Ireland
• 🇮🇹 Italy
• 🇱🇻 Latvia
• 🇱🇹 Lithuania
• 🇱🇺 Luxembourg
• 🇲🇹 Malta
• 🇳🇱 Netherlands
• 🇵🇱 Poland
• 🇵🇹 Portugal
• 🇷🇴 Romania
• 🇸🇰 Slovakia
• 🇸🇮 Slovenia
• 🇪🇸 Spain
• 🇸🇪 Sweden

EEA EFTA States (3 countries): 

• 🇮🇸 Iceland
• 🇱🇮 Liechtenstein
• 🇳🇴 Norway
  

It’s worth noting that 🇨🇭 Switzerland, although part of the European Free Trade Association (EFTA), is not a member of the EEA and is therefore not directly subject to the TFR.

How the TFR Enhances AML/CFT Measures Across the EEA

The TFR strengthens AML and Counter Financing of Terrorism (CFT) measures by requiring payment service providers to attach detailed payer and payee information to transfers of funds. For the EEA as a whole, this means consistent AML compliance standards for financial institutions across both EU and non-EU EEA states.

When Regulation (EU) 2023/1113* updated the TFR, it further extended these obligations specifically for virtual asset service providers (VASPs), bringing them under the same AML/CFT standards. This update is part of the EU’s broader Markets in Crypto-Assets (MiCA) framework, which aims to regulate cryptocurrency service providers consistently across the EEA.

This update extended obligations to VASPs across the EEA as part of the region’s coordinated AML/CFT strategy and ensured that virtual asset transfers include necessary information about the originator and beneficiary, aligning with the FATF’s Travel Rule.

Implications of the TFR for Financial Institutions and VASPs in the EEA

The TFR’s incorporation into the EEA Agreement means that financial institutions, including VASPs in Iceland, Liechtenstein, and Norway, must now comply with the same AML requirements as those in the EU. This uniformity is essential for:

1. Legal Alignment: Ensuring a homogenous legal framework across all EEA member states.
2. Compliance Requirements: Enforcing the same level of scrutiny for fund transfers within the EEA, enhancing transparency and reducing regulatory disparities.
3. AML/CFT Strengthening: Bolstering defenses against money laundering and terrorism financing across borders, especially in high-risk sectors like virtual assets.

Why Compliance Professionals Shouldn’t Overlook EEA Obligations

For compliance officers, particularly those dealing with cross-border transactions, it’s essential to remember that the TFR’s obligations span the entire EEA. Ignoring the non-EU EEA countries—Norway, Iceland, and Liechtenstein—can lead to gaps in compliance, risking penalties and reputational damage. Every compliance framework and transaction protocol should therefore account for the TFR’s reach across these territories.

The TFR is not just an EU obligation; it applies to the entire EEA, including Iceland, Liechtenstein, and Norway. Its aim is to create a consistent and robust AML framework across Europe, aligning the EEA non-EU members with the EU’s AML/CFT standards. Compliance professionals and financial institutions should ensure that their policies and procedures reflect this broader scope of the TFR, safeguarding against regulatory and operational risks in today’s complex financial landscape.

Where to Find Further Guidance on EEA Compliance

The EFTA Secretariat offers access to legal texts and guidance on implementing EU regulations within the EEA, including the TFR. Additionally, each EEA EFTA state’s financial supervisory authority provides national guidelines to help institutions comply with the regulation’s requirements.

For more detailed information on the TFR’s integration into the EEA, refer to EEA Joint Committee Decision No 198/2016, published in the EEA Supplement to the Official Journal of the European Union. The official EFTA website also provides a repository of EEA-related legislative documents, ensuring that compliance professionals have the resources they need to meet EEA-wide AML standards.

*Sources

Regulation (EU) 2015/847 - https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32015R0847#ntr2-L_2015141EN.01000101-E0002

EEA Joint Committee Decision No. 198/2016 -  https://www.efta.int/sites/default/files/documents/legal-texts/eea/other-legal-documents/adopted-joint-committee-decisions/2016%20-%20English/198-2016.pdf

Regulation (EU) 2023/1113 - 3 https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32023R1113

As of 30 December 2024, compliance with the Transfer of Funds Regulation (TFR) and respective EBA Guidelines is mandatory for any CASPs operating in the EU.

▶︎ Watch this special video message from Lana Schwartzman, Head of Regulatory & Compliance at Notabene, explaining why compliance with TFR is so important, as what consequences may face CASPs that fail to comply.

A common misconception that we hear is that there is a “grace period” that delays the need to comply until July of this year. While it is true that the EBA guidelines foresee a transitional period until July 31, 2025, during which CASPs may exceptionally use infrastructures or services with certain technical limitations, this does not exempt them from Travel Rule compliance. CASPs using such infrastructures are required to take additional technical steps to ensure full compliance with the Travel Rule during this period.

This provision from the EBA Guidelines gave rise to misinterpretations that many are now incorrectly viewing as a grace period or exemption. The EBA already clarified that this is not the case. In page 51 of the final Guidelines “the EBA stresses that non-compliance with Regulation (EU) 2023/1113 is not accepted”. In fact, paragraph 24 of the EBA Guidelines clearly states that the technical limitations “need to be compensated by additional technical steps or fixes to fully comply with these Guidelines”.

It is therefore very clear that the TFR obligations must be fully complied with as of December 30, 2024. 

CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may face severe penalties and consequences under the Transfer of Funds Regulation and related EU directives. All told, the risks that a company faces by not complying with TFR are substantial. 

Let’s have a look at the potential consequences of non-compliance with the TFR.

1. Financial Penalties

One of the most immediate and tangible consequences of non-compliance is the imposition of financial penalties. These can be substantial and may vary depending on the severity of the breach and the specific regulations in each EU member state. The regulation allows for substantial monetary sanctions:

• Standard Penalty: A maximum administrative fine of at least twice the amount of the benefit derived from the breach (if determinable) or a minimum of €1,000,000.
• Enhanced Penalties for Financial Institutions: For CASPs classified as credit or financial institutions, the penalties can be more severe:
  • Legal Persons: Fines of up to €5,000,000 or 10% of the total annual turnover, whichever is higher.
  • Natural Persons: Fines of up to €5,000,000

Keep in mind that penalties can accumulate, potentially resulting in daily fines. In addition, increased compliance costs and operational burdens may be necessary to resolve deficiencies, resulting in additional financial burden.

*Source: Article (3) of Directive (EU) 2015/849

2. Criminal and Administrative Sanctions

In more severe cases, particularly those involving deliberate non-compliance or gross negligence, entities and individuals may face criminal or administrative sanctions. This can include:

• Criminal liability for Chief Compliance Officers (CCOs) or executives responsible for overseeing AML/CFT protocols
• Administrative sanctions that could significantly impact business operations
  • Public Statement: Authorities may issue a public statement identifying the CASP and detailing the nature of the breach.
  • Cease and Desist Order: The CASP may be ordered to stop the non-compliant behavior and refrain from repeating it.
  • Authorisation Suspension or Revocation: For authorized CASPs, their operating license may be suspended or withdrawn entirely.
  • Managerial Ban: Individuals responsible for the breach, including those in managerial positions, may face a temporary ban from exercising managerial functions in obliged entities.

  *Source: Article 29 of the TFR and Article 59(2) and (3) of Directive (EU) 2015/849)

3. Regulatory Sanctions

While exact details may vary, it's likely that regulatory sanctions for non-compliance could be severe:

• Suspension or revocation of operating licenses within the EU
• Restrictions on certain activities or prohibitions on cross-border crypto-asset transfers

4. Reputational Damage

In the highly regulated EU market, reputation is crucial. Non-compliance can lead to:

• Loss of trust from customers and partners
• Negative publicity that can be challenging to overcome
• Long-term impact on business relationships and growth opportunities

5. Heightened Regulatory Scrutiny

Entities found to be non-compliant will likely face increased attention from regulators:

• More frequent audits and inspections
• Increased reporting obligations, adding administrative burdens and costs
• Requirements to submit additional documentation to demonstrate compliance improvements

6. Counterparty Risks

Non-compliance can also affect business relationships, as partners may be hesitant to work with non-compliant entities, leading to lower transaction volumes and overall business success.

• Counterparties may report non-compliance to regulators. CASPs must report the repeatedly non-compliant counterparties to the competent authority responsible for Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF) supervision within three months of identifying the non-compliance.
• Counterparties of CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may be required to reject incoming transfers and terminate the existing business relationship or all reject future transfers from the non-compliant counterparty.

While no one has a crystal ball, the consequences of non-compliance with the EU's TFR after December 30th, 2024, are far-reaching and potentially severe. From financial penalties to reputational damage, the possible risks suggest that CASPs and other obligated entities should take seriously the need to be fully prepared with a TFR-ready Travel Rule solution when the regulation comes into force.

The European Union's Transfer of Funds Regulation (TFR) and the associated Travel Rule Guidelines from the European Banking Authority (EBA) are set to significantly impact how Crypto Asset Service Providers (CASPs) handle crypto-asset transactions. As these regulations come into effect, it is crucial for CASPs to understand the key requirements and prepare for compliance. 

This blog highlights the top 10 things European CASPs need to know about the upcoming Travel Rule compliance enforcement.

1. Comprehensive Data Collection Requirements

Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure that all transfers include specific details about the originator and beneficiary.

This includes:

Natural persons

Legal persons

This comprehensive data collection ensures that all parties in a transaction can be unambiguously identified.

2. Robust Monitoring Systems

Beneficiary CASPs must implement robust monitoring systems to detect and manage non-compliant transactions. These systems should be capable of identifying missing, incomplete, or meaningless information and should align with the risk levels associated with money laundering and terrorist financing. ^[1]

{{european2="/cta-components"}}

3. Handling Non-Compliant Transactions

When a transaction lacks the required information, CASPs have four options: execute, reject, return, or suspend the transfer. The appropriate action depends on the specific circumstances and the risk assessment results. ^[2]

4. Managing Non-Compliant Counterparties

Repeated non-compliance by counterparties requires CASPs to reassess their relationships. This includes applying stricter monitoring and verification measures, potentially terminating business relationships, and reporting non-compliant counterparties to the relevant authorities. ^[3]

5. Verifying Self-Hosted Wallet Transactions

For transactions involving self-hosted wallets, the requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control. ^[4]

6. Understanding Different Self-Hosted Wallet Transaction Scenarios 

The TFR categorizes self-hosted wallet obligations based on the transaction amount and whether the wallet owner is a customer of the CASP. These scenarios include transactions of 1,000 euros or less, transactions over 1,000 euros where the wallet owner is a CASP customer, and transactions over 1,000 euros where the wallet owner is not a CASP customer.

‍

7. Implementing Appropriate Risk Mitigation Measures on Self-Hosted Wallet Transactions

CASPs should adopt a risk-based approach to transactions involving self-hosted wallets and implement any necessary risk mitigation measures proportional to the identified risks. These measures may include verifying the identity of the transfer's originator or beneficiary, requesting additional information, and conducting enhanced ongoing monitoring of transactions. ^[5]

8. Ensuring Compliance with General Obligations

CASPs must ensure compliance with several general obligations, such as:

• Information transmission infrastructure: Must be fully capable of transmitting information without technical limitations. A transitional period until July 31, 2025, allows for exceptions with compensatory policies in place. ^[6]
• Compliance timing: Information must be transmitted immediately and securely, before or at the same time the crypto-asset transfer is completed. ^[7]
• Joint accounts: Transfers from joint accounts, addresses, or wallets must include information about all holders. ^[8]‍
• Information submission changes: Initial information submissions cannot be changed unless requested by the beneficiary CASP or if an error is identified. Subsequent CASPs must be informed and required to detect any missing or incomplete information. ^[9]

9. Evaluating Payment and Messaging Systems (Travel Rule solutions)

Payment and messaging system requirements: CASPs must evaluate selected messaging or payment protocols based on the following aspects:

• Communication with internal core systems and counterparty messaging or payment systems.
• Compatibility with other blockchain networks.
• Reachability, including the ability to reach counterparties and the success rate of transfers.
• Detection of transfers with missing or incomplete information.
• Data integration, security, and reliability. ^[10]

10. Preparing for the Future

By July 1, 2026, the European Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions. ^[11]

‍

{{european1="/cta-components"}}

‍

The upcoming Travel Rule compliance regulation imposes comprehensive requirements on CASPs to ensure the integrity of crypto-asset transactions. By understanding and adhering to these requirements, CASPs can effectively manage transaction information, monitor compliance, handle non-compliant transactions, and manage relationships with non-compliant counterparties. This regulatory framework not only helps in mitigating risks associated with money laundering and terrorist financing but also fosters a more secure and transparent crypto-asset ecosystem in the European Union.

‍

Want to learn more? Read our blogs on beneficiary VASPs' transaction requirements under the TFR and the upcoming self-hosted wallet requirements.