The EU's Transfer of Funds Regulation (TFR), effective as of December 30, 2024, imposes significant compliance requirements on Crypto Asset Service Providers (CASPs). Non-compliance can result in financial penalties, criminal and administrative sanctions, regulatory sanctions such as license revocation, reputational damage, heightened regulatory scrutiny, and counterparty risks. Entities must prepare for these consequences to avoid severe repercussions and ensure compliance with the new regulations.
As of 30 December 2024, compliance with the Transfer of Funds Regulation (TFR) and respective EBA Guidelines is mandatory for any CASPs operating in the EU.
▶︎ Watch this special video message from Lana Schwartzman, Head of Regulatory & Compliance at Notabene, explaining why compliance with TFR is so important, as what consequences may face CASPs that fail to comply.
A common misconception that we hear is that there is a “grace period” that delays the need to comply until July of this year. While it is true that the EBA guidelines foresee a transitional period until July 31, 2025, during which CASPs may exceptionally use infrastructures or services with certain technical limitations, this does not exempt them from Travel Rule compliance. CASPs using such infrastructures are required to take additional technical steps to ensure full compliance with the Travel Rule during this period.
This provision from the EBA Guidelines gave rise to misinterpretations that many are now incorrectly viewing as a grace period or exemption. The EBA already clarified that this is not the case. In page 51 of the final Guidelines “the EBA stresses that non-compliance with Regulation (EU) 2023/1113 is not accepted”. In fact, paragraph 24 of the EBA Guidelines clearly states that the technical limitations “need to be compensated by additional technical steps or fixes to fully comply with these Guidelines”.
It is therefore very clear that the TFR obligations must be fully complied with as of December 30, 2024.
CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may face severe penalties and consequences under the Transfer of Funds Regulation and related EU directives. All told, the risks that a company faces by not complying with TFR are substantial.
Let’s have a look at the potential consequences of non-compliance with the TFR.
1. Financial Penalties
One of the most immediate and tangible consequences of non-compliance is the imposition of financial penalties. These can be substantial and may vary depending on the severity of the breach and the specific regulations in each EU member state. The regulation allows for substantial monetary sanctions:
- Standard Penalty: A maximum administrative fine of at least twice the amount of the benefit derived from the breach (if determinable) or a minimum of €1,000,000.
- Enhanced Penalties for Financial Institutions: For CASPs classified as credit or financial institutions, the penalties can be more severe:
- Legal Persons: Fines of up to €5,000,000 or 10% of the total annual turnover, whichever is higher.
- Natural Persons: Fines of up to €5,000,000
Keep in mind that penalties can accumulate, potentially resulting in daily fines. In addition, increased compliance costs and operational burdens may be necessary to resolve deficiencies, resulting in additional financial burden.
*Source: Article (3) of Directive (EU) 2015/849
2. Criminal and Administrative Sanctions
In more severe cases, particularly those involving deliberate non-compliance or gross negligence, entities and individuals may face criminal or administrative sanctions. This can include:
- Criminal liability for Chief Compliance Officers (CCOs) or executives responsible for overseeing AML/CFT protocols
- Administrative sanctions that could significantly impact business operations
- Public Statement: Authorities may issue a public statement identifying the CASP and detailing the nature of the breach.
- Cease and Desist Order: The CASP may be ordered to stop the non-compliant behavior and refrain from repeating it.
- Authorisation Suspension or Revocation: For authorized CASPs, their operating license may be suspended or withdrawn entirely.
- Managerial Ban: Individuals responsible for the breach, including those in managerial positions, may face a temporary ban from exercising managerial functions in obliged entities.
*Source: Article 29 of the TFR and Article 59(2) and (3) of Directive (EU) 2015/849)
3. Regulatory Sanctions
While exact details may vary, it's likely that regulatory sanctions for non-compliance could be severe:
- Suspension or revocation of operating licenses within the EU
- Restrictions on certain activities or prohibitions on cross-border crypto-asset transfers
4. Reputational Damage
In the highly regulated EU market, reputation is crucial. Non-compliance can lead to:
- Loss of trust from customers and partners
- Negative publicity that can be challenging to overcome
- Long-term impact on business relationships and growth opportunities
5. Heightened Regulatory Scrutiny
Entities found to be non-compliant will likely face increased attention from regulators:
- More frequent audits and inspections
- Increased reporting obligations, adding administrative burdens and costs
- Requirements to submit additional documentation to demonstrate compliance improvements
6. Counterparty Risks
Non-compliance can also affect business relationships, as partners may be hesitant to work with non-compliant entities, leading to lower transaction volumes and overall business success.
- Counterparties may report non-compliance to regulators. CASPs must report the repeatedly non-compliant counterparties to the competent authority responsible for Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF) supervision within three months of identifying the non-compliance.
- Counterparties of CASPs that repeatedly or systematically fail to accompany crypto-asset transfers with the required information on the originator and beneficiary may be required to reject incoming transfers and terminate the existing business relationship or all reject future transfers from the non-compliant counterparty.
While no one has a crystal ball, the consequences of non-compliance with the EU's TFR after December 30th, 2024, are far-reaching and potentially severe. From financial penalties to reputational damage, the possible risks suggest that CASPs and other obligated entities should take seriously the need to be fully prepared with a TFR-ready Travel Rule solution when the regulation comes into force.
