By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

A Deep Dive into Self-Hosted Wallet Transaction Requirements Under the EU TFR

Catarina Veloso
Catarina Veloso
May 29, 2024
Catarina, Regulatory & Compliance Senior Associate at Notabene, specializes in global crypto regulations. With roles including co-chair of the CryptoUK Travel Rule group and part of the EBA Expert Group, she shapes Travel Rule compliance. Holds Masters in Energy Law and BA in Law.
Summary

The European Union's Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s Travel Rule Guidelines set out specific requirements for transactions involving self-hosted wallets. These wallets, controlled by individuals rather than VASPs, pose unique challenges for regulatory compliance. 

This article provides a summarized overview of the obligations for self-hosted wallet transactions under the TFR, focusing on different transaction scenarios and the required verification measures. 

Overview of Applicable Obligations

The TFR categorizes obligations based on the transaction amount and whether the wallet owner is a customer of the Crypto Asset Service Provider (CASP). These scenarios include:

  1. Transactions of 1,000 euros or less.
  2. Transactions over 1,000 euros where the wallet owner is a CASP customer.
  3. Transactions over 1,000 euros where the wallet owner is not a CASP customer¹.

Understanding these categories is crucial for CASPs to ensure compliance with the TFR and the associated Travel Rule Guidelines.


Transactions of 1,000 Euros or Less

For transactions of 1,000 euros or less involving self-hosted wallets, the TFR mandates that CASPs collect and hold specific information about the parties involved. This information includes:

  • Full name of the originator and beneficiary
  • Distributed ledger address and account number
  • Address and official personal document number of the originator 

The Travel Rule Guidelines further require CASPs to cross-match this information using suitable methods such as blockchain analytics and third-party data providers to verify the identity of the originator or beneficiary. This ensures that even smaller transactions are subject to rigorous due diligence².


Transactions Over 1,000 Euros Where the Wallet Owner is a CASP Customer

For transactions exceeding 1,000 euros, the TFR requires CASPs to verify whether the self-hosted wallet is owned or controlled by their customer. The verification process involves using at least two suitable technical methods, such as:

  • Advanced analytical tools
  • Unattended verifications (e.g., displaying the address)
  • Attended verifications (e.g., live customer interaction)
  • Sending a predefined amount from the wallet to the CASP
  • Signing a specific message in the account and wallet software³

If these methods are insufficient, CASPs must employ additional measures to ensure reliable verification. This multi-faceted approach helps in accurately determining wallet ownership or control, thus preventing misuse³.


Transactions Over 1,000 Euros Where the Wallet Owner is Not a CASP Customer

The TFR does not explicitly address transactions over 1,000 euros involving third-party wallets. However, the Travel Rule Guidelines fill this gap by requiring CASPs to:

  1. Verify the wallet ownership or control as per the TFR.
  2. Implement risk mitigation measures proportionate to the identified risks, as mandated by Article 19a of the AMLD⁴.

These measures include verifying the identity of the transfer's originator or beneficiary, requesting additional information about the origin and destination of the transfer, and conducting enhanced ongoing monitoring of the transactions⁴.

Interested in learning more? Download our comprehensive EU Travel Rule Compliance Guide for a detailed breakdown of all obligations and requirements.

Verification and Risk Assessment

CASPs must adopt a risk-based approach to all transactions involving self-hosted wallets. This includes assessing the risks associated with each transfer and applying enhanced due diligence when high ML/TF risks are detected. The verification process involves collecting additional data from various sources, such as blockchain analytics, third-party data providers, recognized authorities, and publicly available information⁵.

General Obligations for Self-Hosted Wallet Transactions

In addition to specific transaction-based requirements, CASPs must adhere to several general obligations when dealing with self-hosted wallets:

1. Self-Hosted Wallet Identification

Use technical methods to discern whether the transaction involves a VASP or a self-hosted wallet. If technical means are insufficient, acquire the necessary information directly from the customer⁶.

2. Threshold Calculation

Compute the transaction amount based on the exchange rate prevailing at the time of the transfer⁷.

3. Risk Assessment

Assess the risks associated with self-hosted wallet transactions and apply appropriate risk mitigation measures⁸.


{{european1="/cta-components"}}


Additional Context and Considerations

FATF's Recommendation 16

Transactions between VASPs and self-hosted wallets fall within the scope of FATF's Recommendation 16, following its revision in October 2021. Unlike VASP-to-VASP transactions, there is no mandate to transmit originator and beneficiary details to a counterpart. Instead, VASPs must adhere to specific obligations, which can vary significantly across jurisdictions¹⁴.

Regulatory Expectations and Trends

Although regulatory expectations vary significantly across different regions, the requirement for VASPs to verify their customer's or a third party's control over the wallet address involved in transactions is gaining traction. This trend is reinforced in the requirements set by the TFR, as further detailed in the sections above.

Future Assessments

By July 1, 2026, the Commission will assess the necessity for additional measures to mitigate risks associated with self-hosted wallet transactions. This evaluation will encompass examining the efficacy and proportionality of verification mechanisms and considering potential restrictions¹⁵.

The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. By doing so, CASPs can enhance the security and transparency of crypto-asset transfers, contributing to a safer financial ecosystem.


{{european2="/cta-components"}}


The EU TFR sets comprehensive requirements for self-hosted wallet transactions to mitigate the risks associated with money laundering and terrorist financing. CASPs must ensure compliance by verifying wallet ownership, implementing robust monitoring systems, and adopting a risk-based approach to all transactions. 


Interested in learning more? Check out our blog on what the TFR says beneficiary VASPs should do when it comes to incoming transactions and the top 10 insights European CASPs need to know about their upcoming Travel Rule compliance framework.

References
1. EU Travel Rule Compliance Guide. (2023). Travel Rule Compliance Guide: The European Union.
2. Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (Transfer of Funds Regulation or TFR).
3. European Banking Authority (EBA). (2023). Draft Guidelines on preventing the abuse of funds and certain crypto-assets transfers for money laundering and terrorist financing purposes under Regulation (EU) 2023/1113 (Travel Rule Guidelines).
4. Article 19a of the AMLD.
5. Travel Rule Guidelines, §67.
6. Travel Rule Guidelines, §65.
7. Travel Rule Guidelines, §68.
8. Article 19a of Directive (EU) 2015/849.
9. Travel Rule Guidelines, §72.
10. Travel Rule Guidelines, §67.
11. Travel Rule Guidelines, §65.
12. Travel Rule Guidelines, §68.
13. Travel Rule Guidelines, §73.
14. FATF Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, §179.
15. Regulation (EU) 2023/1113.

FAQs