A Deep Dive into The EU's Transfer of Funds Regulation Provisional Agreement
In July 2021, the European Commission submitted a legislative proposal for a regulation on information accompanying transfers of funds and certain crypto-assets - the “Transfer of Funds Regulation.”
Subsequently, the EU Parliament reviewed the proposal and, in April 2022, adopted a Report expressing its first reading position. The Report introduced quite a few changes to the text initially proposed by the Commission. The Commission, the Council, and the Parliament then initiated trilogues–informal meetings between representatives of the three bodies to reach a provisional agreement acceptable to both the Parliament and the Council. The Commission acts as a mediator of the discussion.
All parties finally reached a consensus on June 29th, 2022, which leads us to the final step of the legislative process: the formal approval of the Regulation by the Parliament and Council.
Below we summarize key points:
*Please note that where the Financial Action Task Force (FATF) uses VASPs (virtual asset service providers), the European Parliament uses CASPs (crypto asset service providers.)
1. The Travel Rule will not apply to peer-to-peer transactions.
The EU Parliament states:
The rules do not apply to person-to-person transfers conducted without a provider, such as bitcoins trading platforms, or among providers acting on their own behalf.
‍
The FATF and local regulators have generally focused on enforcing AML/CTF controls on transactions that involve intermediaries, such as VASPs or other obliged entities. Thus, crypto transfers between unhosted wallets, so-called peer-to-peer transactions, are not explicitly covered by AML/CTF rules. This is in line with the regulatory paradigm of placing obligations on intermediaries rather than on individuals themselves.
The FATF opens the door to a future change of paradigm in case there is a distinct trend toward P2P transactions, as this would necessarily hurt the effectiveness of the AML/CTF frameworks as they exist today. The time for such a shift is not now, as:
- The available data on the P2P market is not reliable enough to make an informed policy decision.
- The intermediated transactions are still relevant enough to allow for effective implementation of the standards.
- P2P transactions that are visible on public ledgers enable financial analysis and law enforcement investigations.
2. Transfers between CASPs and unhosted wallets of third parties will be subject to enhanced due diligence measures. As a result of the trilogue negotiations, verifying the identity of a third-party beneficial owner is no longer mandatory.Â
In its first reading of the Report, the EU Parliament proposed that CASPs should be required to verify the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent. Due to the trilogue negotiations, we welcome that this is no longer proposed as a mandatory requirement.
‍
Although this is technically possible to do this with existing technology, it is unlikely that, with today’s adoption, CASPs will manage to implement these processes while ensuring that this does not cause undue delay to the execution of the transfers - a stated goal in the TFR. Until portable digital identities are widely adopted - which is an effort that the EU is leading with initiatives such as the eIDAS - verifying the identity of a third-party beneficial owner of the unhosted wallet to/from which funds are sent is a process that introduces significant friction in the transaction flow.
At least in the short/medium term, such a requirement would push CASPs only to allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers).
3. Transfers of over 1000 euros between CASPs and unhosted wallets of their customers will trigger the obligation to verify whether the CASP’s customer effectively owns or controls the unhosted wallet.
Instead of relying on the self-declaration that a wallet belongs to the end customer, CASPs should verify beneficial ownership. This can be done by triggering the customer to perform a wallet ownership proof while in an authenticated session (therefore establishing a link between the identity and the wallet.)
The requirement to verify first-party ownership of the wallet is most helpful when there is also a requirement to verify the identity of a third-party beneficial owner (which, as said below, is not the approach of the EU). In those cases, the CASP must verify beneficial ownership. This ensures that the customer does not bypass the third-party verification requirement by falsely declaring they are transacting with their own wallet.
Nevertheless, this measure makes transaction risk management more robust by the following:
- CASPs can take a risk-based approach that facilitates transaction flows with unhosted wallets of their own customers and apply enhanced due diligence measures when transacting with third-party wallets;
- This will also bring additional data points that CASPs can rely on to evaluate and monitor customer risk.Â
It’s also worth noting that different methods for wallet ownership verification will have additional integration costs and impact the user journey and drop-off rates. Some practices with a lower economic burden of implementation, like the Satoshi Test, have a more significant impact/friction on the user journey, which could lead to higher attrition and overall higher economic loss (this method requires users to perform a transaction and entails dead-end scenarios such as no funds being available on the wallet, etc.)
How Notabene verifies beneficial owners of unhosted wallets:
Notabene uses cryptographic signatures as proof. There is a considerable technical burden in integrating with private wallets for these purposes due to the variety of private wallets. If CASPs want to ensure wide coverage to allow their users to perform proof regardless of the private wallet provider they are using, then the CASP would need to integrate with several different providers.Â
However, some aggregators, such as WalletConnect, can lower the effort significantly. Notabene integrates only with Metamask and WalletConnect, for instance. Using cryptographic signature aggregators should allow the proof process to scale fairly seamlessly, thus allowing smaller and larger CASPs to roll it out.Â
4. Negotiators agreed that the set-up of a public register for non-compliant and non-supervised CASPs would be covered in the Markets in Crypto-assets rules (MiCA), currently being negotiated.
From our perspective, the public register list should be used to support CASPs’ counterparty due diligence processes rather than as a list that CASPs are required to enforce blindly.Â
The European private sector, under close monitoring of the competent supervisory authorities, is better positioned to determine whether or not to transact with certain counterparties following a risk-based approach that takes into consideration the specificities of their businesses, the due diligence performed on these counterparties, and the risks associated with a particular transaction.Â
This is, in fact, one of the advantages of the Travel Rule - it allows CASPs to manage risk at the transaction level and adopt a more targeted approach when enforcing restrictions, and avoid blanket exclusions that can be disproportionate depending on the context.Â
Another question is what is meant by non-compliant and non-supervised CASPs. Recital 34a and Article 18aa of the Transfer of Funds Regulation (in the version proposed by the EU Parliament’s first reading Report) prevent CASPs from transacting with counterparties that are not established in any jurisdiction and are unaffiliated with a regulated entity. Our reading of the criteria is that it is cumulative - i.e., a CASP that is correctly established in a particular jurisdiction but is not regulated (e.g., due to the lack of a regulatory framework applicable to CASPs in that jurisdiction) would not be deemed a non-compliant CASP.Â
We hope the reading of the MiCA text that is finally approved clarifies this aspect and avoids the exclusion of CASPs located in jurisdictions that do not yet offer robust frameworks to regulate the crypto industry and register/license crypto firms. According to the FATF, “only 12 jurisdictions out of 53 (23%) have been assessed as largely compliant with R.15 [i.e., with the AML/CTF Standards for VAs and CASPs]”, which implies that this could potentially affect a large number of CASPs.
Finally, it is of paramount importance (i) that the process to include CASPs in this list is adversarial and involves the CASPs at issue and that (ii) CASPs can request to be taken out of the list in light of implemented improvements.