Catarina, Regulatory & Compliance Senior Associate at Notabene, specializes in global crypto regulations. With roles including co-chair of the CryptoUK Travel Rule group and membership of the EBA Expert Group, she shapes Travel Rule compliance. She holds a Master’s in Energy Law and a BA in Law.
The approval of MiCA is a landmark that has the potential to set standards for crypto regulation globally. One of its main goals is to provide clarity and legal certainty for the crypto industry, which has been operating in a regulatory gray area for many years. MiCA establishes a level playing field for all European crypto-asset service providers (CASPs) and boosts consumers’ protection when using crypto-assets. It does so by introducing new rules for issuers of crypto-assets, CASPs, and trading platforms. It will also establish a new regulatory regime for stablecoins, which have become increasingly popular in recent years due to their stability and ease of use for payments.
Despite the press attention on MiCA, the TFR is a critical piece of legislation that will harmonize crypto Travel Rule requirements across Europe and fundamentally change how we transact in crypto. In June 2019, the FATF published its Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), extending anti-money laundering/countering the financing of terrorism (AML/CFT) obligations to cover VAs and VASPs. This directive included the Travel Rule, which obliges VASPs that exchange, hold, safe keep, convert, and sell virtual assets to obtain, hold, and transmit required originator and beneficiary information immediately and securely during VA transfers.
Since FATF introduced the crypto Travel Rule, national regulators have been working on transposing these requirements to their local frameworks, and significant progress has been achieved globally. With the introduction of the TFR, the EU follows in these footsteps and introduces Travel Rule obligations for European CASPs.
Notabene reports on the progress achieved in the implementation of the Travel Rule through an annual global crypto Travel Rule compliance report. The 2023 edition will be available soon, and today we share how the TFR compares with industry benchmarks using fresh findings from our report.
The revised Transfer of Funds Regulation
The European Commission made a significant move to combat money laundering and terrorism financing with an ambitious package of legislative proposals presented on July 20, 2021. The package aims to strengthen the EU's anti-money laundering and countering terrorism financing (AML/CFT) rules.
The package includes various measures to improve the EU's AML/CTF framework, including the revision of the Transfer of Funds Regulation to make it possible to trace transfers of crypto-assets by imposing Travel Rule requirements on CASPs.
As mentioned above, the revision of the Transfer of Funds Regulation was finally approved by the European Parliament plenary today (April 20, 2023). However, the EU’s AML/CTF legislative package is not yet finalized. Notably, the legislative process of the new proposed regulation on AML/CTF (AMLR) is still ongoing and is expected to impact the requirements applicable to transactions with self-hosted wallets.
For now, let’s dive into the TFR and how it compares to global industry standards on the crypto Travel Rule.
Five key TFR takeaways: EU vs. Global Industry Standards
1. Travel Rule comes into effect for all EU VASPs on December 30, 2024
The Transfer of Funds Regulation will start applying on December 30, 2024, 18 months after the regulation enters into force.
According to Notabene’s 2023 State of Travel Rule Report, the large majority (84%) of respondents are currently complying or intend to comply with the Travel Rule by Q4 2023. In the United Kingdom, Travel Rule will be enforced starting September 2023, and several other crypto hubs are enforcing Travel Rule compliance already. This creates a considerable gap between the EU’s and third countries’ timelines for Travel Rule implementation, which may prevent the industry from overcoming the Sunrise Issue. To stay competitive and continue to be able to transact with counterparties outside the EU, CASPs will need to roll out Travel Rule ahead of the TFR deadline.
Notabene’s study also reveals that Europe's adoption is delayed compared to the rest of the market. In particular, EMEA is the region with the highest percentage of VASPs planning to be compliant after Q4 2023. This may have reflected a lack of regulatory urgency, with many EU VASPs awaiting the implementation of Travel Rule requirements through the revised Transfer of Funds Regulation which had just occurred.
2. Zero Exceptions: Travel Rule obligations apply to all transactions, regardless of amount or location - inside or outside the Union.
EU CASPs will be required to comply with Travel Rule obligations in every transaction, regardless of its amount. No de minimis threshold applies, and there is no simplification of requirements for transactions within the Union. It is also worth noting that the scope of originator and beneficiary information that the originator CASP is required to share also does not vary depending on the transaction amount - the same scope, defined in Article 14 (1) and (2), is required for every transaction.
Recital 27 justifies the policy option by citing the “inherent borderless nature and global reach of transfers of crypto-assets and of the provision of crypto-asset services,” and being “in line with the FATF requirement to treat all transfers of crypto-assets as cross-border,” which invalidates any distinction on the scope of obligations when transacting within and outside the Union.
3. First-party transactions with self-hosted wallets over 1,000 euros require wallet ownership verification.
In line with FATF recommendations, transactions with self-hosted wallets fall within the scope of the revised Transfer of Funds Regulation.
When transacting with self-hosted wallets, European CASPs must collect the required originator and beneficiary information and comply with the following additional wallet verification obligations for transactions exceeding 1,000 Euros:
When sending a transfer exceeding EUR 1,000 to a self-hosted wallet, the originator VASP is required to verify if that wallet is owned or controlled by the originator customer;
When receiving a transfer exceeding EUR 1,000 from a self-hosted wallet, the beneficiary VASP must verify that the beneficiary customer owns or controls the originating wallet.
This means wallet ownership verification requirements apply to first-party transactions to/from self-hosted wallets exceeding EUR 1,000. 
Our 2023 State of Travel Rule Compliance Report revealed that the majority of surveyed VASPs already enforce restrictions when transacting with self-hosted wallets. Additionally, just over a third of companies (34.3%) only allow first-party transactions with self-hosted wallets, provided the customer can demonstrate ownership of the wallet address, which aligns with the approach taken by the TFR.
Going forward, VASPs will require a tool that allows them to determine if the transaction is with a self-hosted wallet and swiftly verify ownership before proceeding.
Notabene’s self-hosted wallet identification tool pinpoints the jurisdictional requirements of each transaction. It collects counterparty customer data from your withdrawal screen, creating an archive for sanctions compliance, record keeping, and Suspicious Activity Reports.
4. Due diligence measures for non-EU entities must adhere to correspondent banking standards.
In its Updated Guidance for VAs and VASPs (October 2021), FATF makes it clear that counterparty due diligence for the purposes of engaging in Travel Rule flows is distinct from the due diligence required to establish correspondent banking relationships:
The nature of CASPs' relationships for transacting and sharing Travel Rule information is distinct from correspondent banking relationships and, hence, could justify a different - and more limited - scope of counterparty due diligence obligations to apply.
However, the revised Transfer of Funds Regulation goes in a different direction: citing the “ongoing and repetitive” nature of the relationships between domestic CASPs and foreign VASPs for the purpose of transacting, the TFR deems these relationships as a type of correspondent relationship subject to enhanced due diligence measures.
The measures CASPs are required to apply will be further specified in guidance issued by the European Banking Authority. Clear and adequate regulatory guidance on counterparty due diligence obligations will be key to enabling European CASPs to comply adequately.
Notabene’s 2023 State of Crypto Travel Rule Compliance Report shows 52% of respondents send Travel Rule transfers to all VASPs without applying any criteria or counterparty due diligence process. This indicates that perhaps counterparty due diligence is a component of Travel Rule compliance that VASPs still struggle to grasp fully. Local laws and regulations are often vague or silent on this topic, although it is covered at length in the FATF Guidance. The upcoming guidance by the European Banking Authority should set expectations as to what counterparty due diligence measures are required for the purposes of transacting and engaging in Travel Rule flows. It will also be relevant to specify cases where VASPs may be exempt from carrying out due diligence (e.g., relying on the uniform requirements and supervision applied in the jurisdiction or region) or where simplified due diligence measures are permissible. 
5. CASPs are required to fulfill Travel Rule obligations prior to transacting
Notabene welcomes the clarification provided by the TFR that Travel Rule compliance needs to be performed pre-transaction. This is particularly important given the specific characteristics of virtual asset transactions: settlement is immediate and irreversible; hence, only pre-transaction actions can effectively mitigate risk.
In line with this, Notabene is a pre-transaction decision-making platform offering a secure, holistic view of crypto transactions that enables CASPs to identify and stop high-risk activity before it occurs on the blockchain.
According to the revised TFR, originator CASPs are required to transmit information to the beneficiary CASP before sending the corresponding crypto transaction. In turn, beneficiary CASPs need to ensure that the required information was received before making funds available to the end customer.
According to Notabene’s 2023 State of Crypto Travel Rule Report, although the industry is making significant progress in Travel Rule adoption, a notable discrepancy exists between VASPs’ claims of compliance and their fulfillment of pre-transaction obligations.
37.5% of companies reporting to be Travel Rule-compliant fulfill requirements post-transaction, which does not align with the TFR’s pre-transaction requirements or the FATF standards. Providing European CASPs with regulatory clarity that the Travel Rule is a pre-transaction requirement is a fundamental step to drive compliance in the right direction.
The revised Transfer of Funds Regulation will be supplemented by guidelines issued by the European Banking Authority on different aspects, for example:
The factors to be taken into account by CASPs when entering into business relationships or carrying out transactions in crypto-assets and enhanced due diligence measures that obliged entities shall consider applying to mitigate higher risks when identified, including the adoption of appropriate procedures to detect the origin or destination of crypto assets;
The criteria and means for identification and verification of the identity of the originator or beneficiary of a transfer made to or from a self-hosted address, in particular through reliance on third parties, taking into account the latest technological developments.
TFR page 18, paragraph 27
(27) Due to the inherent borderless nature and global reach of transfers of crypto-assets and of the provision of crypto-asset services, there are no objective reasons to distinguish the treatment of money laundering and terrorist financing risks of national transfers from that of cross-border transfers. In order to reflect those specific features, no exemption from the scope of this Regulation should be granted to domestic low-value transfers of crypto-assets, in line with the FATF requirement to treat all transfers of crypto-assets as cross-border.
 TFR Page 26, paragraph 38:
Recital (38) Regarding transfers of crypto-assets, the requirements of this Regulation should apply to all transfers including transfers of crypto-assets to or from a self-hosted address, as long as there is a crypto-asset service provider involved.
 TFR, Recital (39)
(...) Nonetheless, in the case of a transfer of an amount exceeding EUR 1 000 that is sent or received on behalf of a client of a crypto-asset service provider to or from a self-hosted address, that crypto-asset service provider should verify whether that self-hosted address is effectively owned or controlled by that client.
TFR, Article 14 (5)
In the case of a transfer of crypto-assets made to a self-hosted address, the crypto-asset service provider of the originator shall obtain and hold the information referred to in paragraphs 1 and 2 and shall ensure that the transfer of crypto-assets can be individually identified.
Without prejudice to specific risk mitigating measures taken in accordance with Article 19b of Directive (EU) 2015/849, in the case of a transfer of an amount exceeding EUR 1 000 to a self-hosted address, the crypto-asset service provider of the originator shall take adequate measures to assess whether that address is owned or controlled by the originator.
TFR, Article 16 (2)
In the case of a transfer of crypto-assets made from a self-hosted address, the crypto-asset service provider of the beneficiary shall obtain and hold the information referred to in Article 14(1) and (2) and shall ensure that the transfer of crypto-assets can be individually identified.
Without prejudice to specific risk mitigating measures taken in accordance with Article 19b of Directive (EU) 2015/849, in the case of a transfer of an amount exceeding EUR 1 000 from a self-hosted address, the crypto-asset service provider of the beneficiary shall take adequate measures to assess whether that address is owned or controlled by the beneficiary.
For clarity, counterparty due diligence for the purpose of complying with Recommendation 16 is distinct from the obligations applicable to cross-border correspondent relationships. Unlike the banking sector, it is possible for transfers of VA for or on behalf of another person to occur between VASPs, even in the absence of a correspondent relationship or any other relationships. In such circumstances, the VASPs involved in the transfer may undertake counterparty due diligence to ensure they are able to comply with the travel rule and apply measures to mitigate the ML/TF risk
 TFR, Recital (60)
Relationships established between crypto-asset service providers and entities established in third countries for the purpose of executing transfers of crypto-assets or the provision of similar crypto-asset services present similarities to correspondent banking relationships established with a third country’s respondent Institution. As those relationships are characterised by an ongoing and repetitive nature, they should be considered a type of correspondent relationship and be subject to specific enhanced due diligence measures similar in principle to those applied in the context of banking and financial services.
 TFR, Article 14 (4)
The information referred to in paragraphs 1 and 2 shall be submitted in advance of, or simultaneously or concurrently with, the transfer of crypto-assets and in a secure manner and in accordance with Regulation (EU) 2016/679.
TFR, Article 17 (1)
The crypto-asset service provider of the beneficiary shall implement effective risk based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject, return or suspend a transfer of crypto-assets lacking the required complete information on the originator and the beneficiary and for taking the appropriate follow-up action.
Where the crypto-asset service provider of the beneficiary becomes aware that the information referred to in Article 14(1) or (2), or in Article 15, is missing or incomplete, that crypto-asset service provider shall, on a risk-sensitive basis and without undue delay: (a) reject the transfer or return the transferred crypto-assets to the originator’s crypto-asset account; or (b) request the required information on the originator and the beneficiary before making the crypto-assets available to the beneficiary