Key Takeaways from the EBA’s Consultation on Travel Rule Guidelines
In November 2023, the European Banking Authority (EBA) unveiled a Consultation Paper on the proposed Travel Rule Guidelines, marking a significant step in the evolution of EU financial regulation. This initiative addresses the growing need for clear regulatory frameworks as digital finance transforms the landscape of global transactions.
The EBA presented its proposed Travel Rule Guidelines as a direct response to the mandate outlined in Article 36 of the Transfer of Funds Regulation, which empowered the authority to issue guidelines to Crypto Asset Service Providers (CASPs), aiming to guide entities on how to comply with some of its requirements.
This article explores the key takeaways of the EBA’s Travel Rule Guidelines and provides enriching insights from Notabene’s presentation at the EBA’s public hearing.
Key Takeaways from the EBA’s Consultation on Travel Rule Guidelines
1. CASPs must consider interoperability when selecting a messaging protocol
The EBA emphasizes the need for interoperability among protocols used for transmitting Travel Rule information. The EBA advises CASPs to choose messaging protocols that are robust and interoperable, capable of seamless communication across various systems, and in line with industry standards. This approach aims to mitigate data integration challenges and enhance the efficiency of adhering to regulatory mandates.
“When choosing the messaging protocol, CASPs and ICASPs should ensure that the protocol’s architectures are sufficiently robust to enable the seamless and interoperable transmission of the required information by:
a. evaluating the protocol’s interoperability features to ensure it can seamlessly communicate with other systems, both within and outside CASPs and ICASPs;
b. considering the compatibility with existing industry standards, protocols, and blockchain networks to facilitate integration; and
c. assessing data integration and data reliability.”
Notabene’s commentary:
During the EBA’s public hearing, we praised the EBA for recommending interoperability assessments promoting open and interoperable communication standards. This concept aligns with the FATF calling for more interoperability in tools and with surveyed VASPs calling for a global unified approach in travel rule communication and reachability in response to Notabene’s 2023 State of Travel Rule Survey.
2. Deposits can only be accepted if the received information allows unambiguous identification of all parties involved in the transaction
The EBA outlined the procedures CASPs should implement to manage transfers lacking the required information.
The EBA’s Guidelines for Addressing Missing Information in a Crypto Transaction
Let’s break this down step by step.
Step 1: First, upon detecting missing information, the beneficiary CASP can either straightaway reject/return the transfer or request missing information from the prior CASP in the chain.
Where the crypto-asset service provider of the beneficiary becomes aware that the information referred to in Article 14(1) or (2), or in Article 15, is missing or incomplete, that crypto-asset service provider shall, on a risk-sensitive basis and without undue delay:
(a) reject the transfer or return the transferred crypto-assets to the originator’s crypto-asset account; or
(b) request the required information on the originator and the beneficiary before making the crypto-assets available to the beneficiary.
Decision Flowchart for Handling Missing Information in Crypto Transfers per the EBA
Step 2: If the beneficiary CASP decides to ask for missing information, it should set a reasonable deadline by which the information should be provided. Transfers within the Union require the information to be provided within three working days, while transfers outside the Union have a deadline of 5 working days. If more than two parties are involved in the transfer flow or at least one CASP is based outside of the EU, the deadline extends to up to 5 working days. Additionally, if a CASP requests information from a prior CASP in the transfer chain, it must notify the prior CASP of the transfer’s suspension due to missing or incomplete information.
Step 3: If the beneficiary CASP asks for missing information and the previous CASP fails to provide it, the beneficiary CASP:
- may only consider accepting the deposit if both the originator and beneficiary are unambiguously identified and
- must evaluate the future treatment of the previous CASP, ICASP, or self-hosted address in the transfer chain for AML/CFT compliance purposes
Where a CASP becomes aware that required information is missing, incomplete or provided using inadmissible characters during the transfer and executes the transfer, based on all relevant risks, and provided that the condition in paragraph 50 is not met, it should document the reason for executing that transfer and, in line with its risk-based policies and procedures, consider the future treatment of the prior CASP or self-hosted address in the transfer chain for AML/ CFT compliance purposes.
Where the payer, payee, originator, or beneficiary cannot be unambiguously identified due to missing or incomplete information or information provided using inadmissible characters, the CASP should not execute the transfer.
Decision Path for Missing Information Response in Crypto Transfers per the EBA
Step 4: In cases where a CASP consistently fails to provide the required Travel Rule information, specific actions are mandated for the beneficiary CASP. Initially, steps such as issuing warnings and setting deadlines must be taken to address the issue. If the required information is still not provided despite these measures, the provider has the authority to reject, restrict, or terminate the transaction per established procedures. Additionally, it is required that the beneficiary CASP reports such failures and the steps taken to the competent authority responsible for monitoring compliance with AML/CTF regulations. This ensures accountability and regulatory oversight in addressing non-compliance issues within the crypto-asset service industry.
Notabene’s commentary:
During the public hearing, Notabene challenged the strict rejection of deposits when the identity of the parties cannot be unambiguously confirmed, proposing a nuanced approach based on risk assessment, particularly in transactions with jurisdictions not yet enforcing the Travel Rule.
3. The EBA provided guidelines for verifying ownership or control of self-hosted wallets in transactions over 1,000 EUR
As established in the TFR, if a crypto-asset transfer is made to/from a self-hosted address, the originator or beneficiary CASP must gather and retain specific information, ensuring the transfer can be tracked individually. If the transfer exceeds EUR 1,000, additional measures must be taken to verify whether the address belongs to the originator or beneficiary. These measures are further specified in the proposed EBA guidelines, which state that the verification should be conducted using at least two suitable methods:
- Advanced analytical tools
- Unattended verifications
- Attended verification
- Sending of a predefined amount set by the CASP from and to the self-hosted address to the CASP’s account
- Signing of a specific message in the account and wallet software, which can be done through the key associated with the transfer
- Requesting the customer to digitally sign a specific message into the account and wallet software with the key corresponding to that address
- Other suitable technical means
The guidelines from the EBA appear to introduce the possibility of accepting transactions from third-party self-hosted wallets, a detail not explicitly outlined in the TFR text, which primarily focuses on verifying whether the CASP’s own customer maintains control over the self-hosted wallet.
Where the self-hosted address is owned or controlled by a third person instead of the CASP customer, the CASP should, in addition to applying the verification requirement in accordance with Article 14 (5) or Article 16 (2) of Regulation (EU) 2023/1113, apply mitigating measures commensurate with the risks identified as per Article 19a of Directive (EU) 2015/849
Notabene’s commentary:
During the public hearing, Notabene suggested that using more than one method for wallet ownership verification should not be required as a rule but recommended only for cases where it proves necessary. We also sought clarification on the treatment of third-party self-hosted wallet transactions.
4. The status of Travel Rule enforcement in the counterparty jurisdiction is a relevant risk factor
The TFR specifies that the beneficiary CASP must establish procedures to detect whether the required Travel Rule information was provided. In turn, the proposed EBA guidelines elaborate on the monitoring process, highlighting the need for beneficiary CASPs to develop policies and procedures for determining which transfers require pre-transfer or post-transfer monitoring. This involves assessing various risk factors, including the regulatory treatment in the counterparty’s jurisdiction, in particular, the Travel Rule implementation status.
Notabene’s commentary:
Understanding the global status of Travel Rule requirements is thus crucial for a comprehensive Travel Rule policy. Notabene offers valuable resources in this regard, including information on our website and our annual State of Crypto Travel Rule Compliance Report, which features a detailed chart presenting a comprehensive overview of global Travel Rule adoption, including enforcement status in each jurisdiction, compliance thresholds, and obligations related to self-hosted wallets. These are valuable resources for CASPs in establishing procedures aligned with EBA guidelines.
What's next?
As the European Union ramps up for its Travel Rule enforcement deadline, the EBA’s proposed Travel Rule Guidelines stand as a pivotal development for CASPs and the broader digital finance ecosystem. These guidelines aim to enhance transparency and security in crypto-asset transactions and reflect a collaborative effort to adapt to the digital age’s complexities.
Notabene’s insightful contributions during the public hearing and the industry’s collective feedback underscore the importance of a unified approach to regulatory compliance. As we approach the public consultation deadline and anticipate the final guidelines, it’s crucial for stakeholders to remain engaged and proactive in shaping a regulatory environment that supports innovation while safeguarding integrity.
The EBA’s guidelines will undoubtedly play a crucial role in harmonizing practices across Europe, setting a precedent for global regulatory coherence in the digital finance realm. As we mark our calendars for the key dates leading up to the TFR enforcement, let’s continue to foster dialogue and collaboration, ensuring that the future of trusted crypto transfers is secure, transparent, and inclusive.