Essential Overview of EU Crypto Travel Rule Compliance for CASPs
The European Union's Transfer of Funds Regulation (TFR) enforces the Crypto Travel Rule to combat money laundering and terrorist financing. This rule, initially mandated by the U.S. Financial Crimes Enforcement Network (FinCEN), was extended in June 2019 by the Financial Action Task Force (FATF) to include virtual assets (VAs) and Virtual Asset Service Providers (VASPs). The Travel Rule requires VASPs to securely obtain, hold, and transmit originator and beneficiary information during VA transfers.
This article provides an overview of the crypto Travel Rule in the European Union, pulling from the Transfer of Funds Regulation (TFR) and the European Banking Authority (EBA)’s draft Travel Rule Guidelines.
{{cta-learnmore1="/cta-components"}}
Regulatory Milestones in the EU
The EU has been proactive in aligning its regulations with FATF’s recommendations:
- FATF Guidance (2019): The FATF issued its first guidance on a risk-based approach to virtual assets and VASPs, marking a significant expansion of AML/CTF measures.
- EU Regulation (2015/847): This regulation was adopted to apply FATF’s requirements uniformly across member states, ensuring fund transfers include payer and payee information.
- TFR Recast (2023): The TFR was extended to include crypto transfers, setting uniform Travel Rule requirements across all 27 EU member states.
- Travel Rule Comes into Force (2024): The European Banking Authority (EBA) will publish final Travel Rule guidelines in June 2024, and crypto Travel Rule obligations will become enforceable on December 30, 2024.
Information Transmission Requirements
The TFR mandates uniform obligations for crypto transfers, regardless of the transaction amount or whether they are cross-border. CASPs must include specific details about the originator and beneficiary in all transfers.
Required Information for Crypto Transfers
Natural Persons
Legal Persons
* Note: Regarding the date and place of birth, the EBA does not clarify what would be required instead if the originator is a legal person. In some jurisdictions, VASPs are required to provide a date and place of incorporation, but the EU requirement is unclear.
{{cta-learnmore1="/cta-components"}}
General Obligations for Information Transmission
CASPs must ensure their information transmission infrastructure is fully capable of compliance without technical limitations. The information should be transmitted immediately and securely before or at the same time as the crypto-asset transfer is completed. For joint accounts, transfers must include information about all account holders. Selected messaging protocols must enable seamless and interoperable transmission of information.
Travel Rule Obligations in Deposits
Beneficiary CASPs also have responsibilities upon receiving a transaction. They must implement robust policies and procedures to detect incoming transactions lacking necessary information and handle such transactions appropriately. If a transaction lacks the required information, beneficiary CASPs can choose to execute, reject, return, or suspend the transfer based on a risk-based approach.
Managing Non-Compliant Counterparties
When deposits lack Travel Rule data, CASPs must reassess their relationships with non-compliant counterparties. If a counterparty repeatedly fails to meet obligations, CASPs should consider enhanced due diligence measures, potentially terminating the business relationship, and reporting the non-compliance to competent authorities.
Self-Hosted Wallet Transactions
Transactions between CASPs and self-hosted wallets fall within the scope of FATF’s Recommendation 16. The regulatory requirements vary depending on the transaction amount and whether the wallet owner is a CASP customer or a third party.
Transactions of 1,000 Euros or Less
For transactions involving self-hosted wallets of 1,000 euros or less, CASPs must obtain and hold information about the parties to the transaction. This information should be cross-matched using suitable methods, such as blockchain analytics and third-party data providers, to verify the originator's or beneficiary's identity.
Transactions Over 1,000 Euros Where the Wallet Owner is a CASP Customer
For transactions exceeding 1,000 Euros, CASPs must verify whether the customer owns or controls the wallet. The EBA’s Travel Rule guidelines specify that CASPs must use at least two methods for this verification. Methods include advanced analytical tools, sending a predefined amount from the wallet to the CASP’s account, and signing a specific message in the account and wallet software.
Transactions Over 1,000 Euros Where the Wallet Owner is Not a CASP Customer
While the TFR is silent on the obligations for transactions involving third-party wallets, the Travel Rule Guidelines provide a framework. CASPs must verify wallet ownership/control and apply risk mitigation measures proportional to the identified risks, such as verifying the originator's or beneficiary's identity and requesting additional information about the transfer.
{{cta-learnmore1="/cta-components"}}
The EU’s implementation of the Travel Rule through the TFR sets a comprehensive regulatory framework for CASPs, ensuring that crypto asset transfers are transparent and secure. By adhering to these requirements, CASPs can help mitigate the risks of money laundering and terrorist financing, fostering a safer and more trustworthy environment for digital asset transactions. As the regulatory landscape evolves, staying informed and compliant with these obligations will be crucial for CASPs operating within the EU.
