On April 6, 2022, the EU Parliament approved the text of the EU regulation on information accompanying transfers of funds and certain crypto-assets.
The authors felt that the previous European Commission package of proposals to improve the Union’s AML/CFT rules could use further strengthening to reflect the specific characteristics of crypto-assets better. In attempts to improve the Transfer of Funds Regulation to help protect EU citizens from crime and terrorism, this draft puts forth the following key proposals:
- Removing exemptions based on the value of the transfer.
- Applying Travel Rule to transfers from/to un-hosted wallets, when involving a VASP or other obliged entity
- Know your transaction - VASPs should also be expected to obtain information on the source and destination of crypto-assets involved in a transfer.
- Counterparty due diligence and protection of personal information - VASPs should assess the Counterparty VASP’s data protection policies and decide whether to send their customer’s PII (pre-transaction.)
- The European Banking Authority (EBA) to maintain a public register of non-compliant crypto-asset service providers.
- Decoupling this current recast proposal from the AML package and linking it to the existing Anti-money laundering directive (AMLD) framework to speed adoption.
The approved text will still be subject to negotiations between the EU Parliament, Council and European Commission, which may prompt changes to the proposed wording.
We’ve summarized our key highlights below.
1. Transmission of Travel Rule information is required for all blockchain transactions, regardless of the amount.
A limited scope of data can be transmitted if the transaction is below EUR 1000 and the transacting VASPs are within the European Union.
Notabene’s comment: The decision to not differentiate the requirements applicable to transactions below and above EUR 1,000 facilitates the operationalization of the Travel Rule for VASPs. Monitoring whether the threshold is being circumvented by breaking down one transaction into several can be a cumbersome task that is avoided with the introduction of this provision. However, an approach that requires a broader scope of information to be transmitted above EUR 1,000 and a limited scope below that threshold may strike a better balance between AML/CTF objectives and data protection goals. Additionally, VASPs may consider it more cumbersome to carry out Travel Rule obligations under EUR 1000, given perceived resource intensity.
2. Travel Rule information does not need to be shared if the Originator VASP considers the Counterparty VASP not to apply suitable data protection measures.
An exception applies if, according to the assessment of the Originator VASP considering the criteria proposed by the EBA, the Counterparty VASP is deemed not to apply suitable data protection measures. The Travel Rule information does not need to be shared in these cases. However, VASPs shall apply alternative risk mitigation measures according to guidance issued by the EBA.
Notabene’s comment: This brings forth and centers data protection guidelines into the Travel Rule. Some questions remain around the appropriate alternative measures to be taken by a VASP and whether they should allow transactions of funds with said Counterparty VASP, but these could be clarified through the EBA guidelines mandated under Article 14.4b, which is a new instrument that we welcome!
3. VASPs must screen the Originator and Beneficiary customers against relevant sanction lists before allowing the transaction to go through.
Notabene’s comment: Travel Rule is an excellent way for crypto companies to identify and potentially block transactions to sanctioned parties. However, a high rate of false positives is expected when screening counterparties of a transaction. In this context, we welcome the acknowledgment in Article 14/6a that VASPs can rely on their counterparties for this process. By delegating sanction screening to the VASP that has a better resolution on the identity of the end customer at issue, this process becomes more effective, and false positives can be settled with more confidence.
4. When conducting transactions with unhosted wallets, VASPs are required to verify the identity of the respective beneficial owner.
Notabene comment: If the proposed provision is adopted as is, at least in the short/medium term, we foresee that this requirement will push VASPs to only allow first-party transfers to or from unhosted wallets (i.e., transfers to and from the wallets of their own customers). This is already the trend in jurisdictions like Singapore. With this, the third-party identity verification requirement is easily circumvented: the customer can transfer funds to their own wallet and subsequently to the third-party wallet. This will create a blindspot that backfires on the regulatory goals: the VASP will have less visibility on the transactions between their customers and unhosted wallets controlled by third parties.
5. VASPs are obliged to report incoming transactions from unhosted wallets above EUR 1000 to competent authorities.
Notabene’s comment: This obligation assumes transactions with unhosted wallets inherently carry more risks. We believe that end-user privacy should be considered, especially as this threshold is inconsistent with reporting guidelines above 10K EUR. Additionally, this requirement would flood competent authorities with notifications of transactions that are mostly legitimate, making it difficult to leverage the cooperation with authorities for actually detecting and preventing illicit activity. An approach that requires VASP to make their own risk assessment and resort to competent authorities when suspicious activity is detected makes for a more efficient system and is more in line with data privacy protection goals.
Interested in learning how this proposed regulation impacts your Travel Rule obligations in your jurisdiction? Book a demo with our sales team.