
A Deep Dive into Self-Hosted Wallet Transaction Requirements Under the EU TFR

Catarina Veloso
July 22, 2024
Catarina, Regulatory & Compliance Senior Associate at Notabene, specializes in global crypto regulations. With roles including co-chair of the CryptoUK Travel Rule group and part of the EBA Expert Group, she shapes Travel Rule compliance. She holds a Master's in Energy Law and a BA in Law.
Summary

The European Union’s Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines, updated with the EBA’s final Travel Rule guidelines published on July 4, set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges to regulatory compliance. This article summarizes the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures.


Highlights of What Changed in the EBA’s Final Travel Rule Guidelines

1. More Flexibility in the Scope of Required Originator Information:

The final version of the Travel Rule guidelines clarifies that Crypto Asset Service Providers (CASPs) have the discretion to determine which “alternative information items” about the originator customer to transmit and to require on receipt, as long as those items achieve unambiguous identification and support sanction screening. This approach is intended to be better suited for cross-border transfers.


2. Eased Requirements for Self-Hosted Wallet (SHW) Transfers Below €1,000:

The final version of the Travel Rule guidelines removes verification requirements. Only information collection obligations apply, eliminating the need for technical means like blockchain analytics to cross-match collected data in order to identify and verify the originator or beneficiary.


3. Simplified Verification for 1st-Party SHW Transfers ≥ €1,000:

The requirement to use two methods for wallet ownership verification has been removed. CASPs are now required to use only one method by default for verifying wallet ownership/control.


4. Clarification for 3rd-Party SHW Transfers Above €1,000:

The Travel Rule Guidelines now clarify the requirements, specifying that if the SHW is owned or controlled by a third party who is not a customer of the CASP, the requirements from Article 19a of Directive (EU) 2015/849 apply. Additionally, the originator/beneficiary identity verification required therein is deemed to be fulfilled by collecting additional information from other sources (e.g., blockchain analytics, third-party data, or recognized authorities’ data) or using other suitable means to ensure the originator/beneficiary’s identity is known.



Overview of Applicable Obligations

The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:

  • Transactions of 1,000 euros or less.
  • Transactions over 1,000 euros where the wallet owner is a CASP customer.
  • Transactions over 1,000 euros where the wallet owner is not a CASP customer.

Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.



A. Transactions of 1,000 Euros or Less

For transactions of 1,000 euros or less involving self-hosted wallets, Articles 14/5 and 16/2 of the TFR require CASPs to obtain and hold information about the parties to the transaction. The scope of information that CASPs are required to collect mirrors that which is mandated for CASP-to-CASP transactions.

The Travel Rule Guidelines clarify in paragraph 80 that this information must be sourced from the CASP’s customer. This includes:

  • Full name of the originator and beneficiary
  • Distributed ledger address
  • Account number

The final EBA Travel Rule Guidelines removed the requirement for CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. CASPs are now only required to collect and retain these specific pieces of information from their customers. [1]


B. Transactions Exceeding 1,000 Euros Where the Wallet Owner is a Customer of the CASP

For self-hosted wallet transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether their customer owns or controls the self-hosted wallet. [2] The originator CASP is tasked with evaluating whether the wallet is owned or controlled by the originator, while the beneficiary CASP must determine whether the wallet is owned or controlled by the beneficiary. [3]

The Travel Rule Guidelines set a non-exhaustive list of verification methods available to CASPs and mandate the use of at least one method for wallet ownership/control verification, such as:

  • Advanced analytical tools
  • Unattended verifications (e.g., displaying the address)
  • Attended verifications (e.g., live customer interaction)
  • Sending a predefined amount from the wallet to the CASP
  • Signing a specific message in the account and wallet software
  • Other suitable technical means, as long as they allow for reliable and secure assessment. [4]

Where one method on its own is not sufficiently reliable to reasonably ascertain the ownership or control of a self-hosted address, the CASP should use a combination of methods. [5]


C. Transactions Exceeding 1,000 Euros Where the Wallet Owner is Not a CASP Customer

The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines include a framework governing these transactions. According to the guidelines, the requirements outlined in Article 19a(1)/(a) of Directive (EU) 2015/849—verification of the originator or beneficiary’s identity—are considered fulfilled if the CASP:

  • Collects additional information from other sources to verify the submitted information (e.g., from blockchain analytics, third-party data, or recognized authorities’ data)
  • Uses other suitable means as long as it is fully satisfied that it knows the originator’s or beneficiary’s identity. [6]


Verification and Risk Assessment

CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information.


General Obligations for Self-Hosted Wallet Transactions

In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:

1. Self-Hosted Wallet Identification

Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer. [7]

2. Threshold Calculation

Compute the transaction amount based on the exchange rate prevailing at the time of the transfer. [8]

3. Risk Assessment

Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures. [9]


Additional Context and Considerations


FATF’s Recommendation 16

Transactions between VASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions.

Regulatory Expectations and Trends

Although regulatory expectations vary significantly across regions, the requirement for VASPs to verify their customer’s or a third party’s control over the wallet address involved in transactions is gaining traction. The TFR’s requirements reinforce this trend, as further detailed in the sections above.

Future Assessments

By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions.

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.



References

1. TFR, Article 14/5

2. TFR, Article 16/2

3. Travel Rule Guidelines, §80

4. Travel Rule Guidelines, §83

5. Travel Rule Guidelines, §85

6. Travel Rule Guidelines, §89

7. Travel Rule Guidelines, §§77, 78

8. Travel Rule Guidelines, §81

9. Travel Rule Guidelines, §§87, 88

