REGULATIONS

Crypto Travel Rule Regulations in

European Union

by

the European Parliament

🇪🇺
Travel Rule required from
Travel Rule regulation still pending
December 30, 2024
Content last updated
June 18, 2024

The European Union (EU) has established a regulatory framework for the crypto industry, including the Markets in Crypto-assets (MiCA) Regulation. MiCA provides a uniform legal framework for crypto-assets, covering consumer protection, asset classification, licensing requirements, and market abuse.
Additionally, the Transfer of Funds Regulation (TFR) oversees the implementation of the Financial Action Task Force’s (FATF) crypto Travel Rule in the EU. MiCA and TFR were adopted on May 31, 2023, and the Travel Rule for crypto-asset service providers (CASPs) will take effect on December 30, 2024.


Note: The EBA’s Travel Rule Guidelines are not final and may change. We will provide updates once the final Guidelines are published. VASP (Virtual Asset Service Provider) refers to transaction counterparties outside the EU. CASP (Crypto Asset Service Provider) is used within the EU.


Timeline of Regulatory Action in the European Union

  • May 20, 2015 - The EU adopted Regulation (EU) 2015/847 on information accompanying transfers of funds - the TFR - to apply the FATF’s requirements across the Union uniformly.
  • July 20, 2021 - The European Commission proposed a crypto legislative framework to create a new, more coherent AML/CTF regulatory and institutional framework for the crypto industry. This included a recast of the TFR to ensure the complete traceability of fund and crypto-asset transfers.
  • June 29, 2022 - All parties reached a provisional agreement on the TFR. 
  • April 20, 2023 - The European Parliament approved both MiCA and the revised TFR, establishing a uniform legal framework for crypto-assets in the EU and boosting consumer protection.
  • May 31, 2023 - The recast TFR was adopted.
  • June 9, 2023 - The recast TFR was published in the Official Journal of the European Union.
  • November 23, 2023 - The EBA launched a public consultation on new Travel Rule Guidelines, revising three guidelines: ML/TF Risk Factors, Travel Rule, and Risk-based Supervision. Read Notabene's summary of the EBA's guidelines.
  • February 26, 2024 - Deadline to submit a response to EBA’s public consultation on the Travel Rule guidelines. Read Notabene’s response.
  • June 2024 - Final Travel Rule Guidelines are expected in June 2024. National authorities will have two months to comply or explain non-compliance to the EBA.
  • December 30, 2024 - The crypto Travel Rule comes into effect for all EU CASPs.‍

Crypto Regulations in the European Union

1. Is cryptocurrency legal in the European Union?

Yes, cryptocurrency is legal in the European Union. The EU's MiCA establishes a comprehensive framework for crypto-assets, categorizing them into utility tokens, asset-referenced tokens (ARTs), and electronic money tokens (EMTs). 

MiCA provides clear regulatory guidelines to ensure market integrity, consumer protection, and financial stability while promoting innovation. The regulation also introduces specific rules for significant ARTs and EMTs and generally excludes non-fungible tokens (NFTs) and financial instruments from its scope.

2. Are there AML crypto regulations in the European Union?

Yes. In 2021, the European Commission published legislative proposals to strengthen the EU's anti-money laundering and counter-terrorism financing (AML/CFT) rules. 

3. Is the Crypto Travel Rule mandated in the European Union?

The crypto Travel Rule is already mandated in some member states that passed national legislation ahead of EU-wide adoption of the recast TFR.  The Travel Rule obligations foreseen in the recast TFR enter into force on 30 December 2024. ¹

4. Who is the Crypto Travel Rule Regulator in the European Union?

Each member state has its own regulator / supervisory authority responsible for the enforcement of the crypto Travel Rule. However, the EBA guidelines - including the Travel Rule Guidelines - aim to harmonize regulatory and supervisory practices across the EU. This means that all member states are expected to adopt and implement the same standards and practices, reducing regulatory arbitrage and ensuring a level playing field for financial institutions.


FATF Travel Rule Requirements in the European Union

1. Are there licensing or registration requirements for CASPs in the European Union?

When MiCA’s enters into force, CASPs will be required to obtain authorization from the competent authorities in their member state before providing services. Once authorized, CASPs can operate across the EU under a passporting regime, which allows them to provide services in other member states without needing separate authorizations in each one. This facilitates a unified and efficient regulatory framework across the EU.

However, CASPs may already have registration requirements with their respective national regulators, such as Germany's Financial Supervisory Authority (BaFin) or Italy's Ministry of Finance. 

2. When is the Crypto Travel Rule enforcement date in the European Union? 

The crypto Travel Rule will go into effect on December 30, 2024, 18 months after the Transfer of Funds regulation was published.

3. Does the European Union permit a grace period to comply with the Crypto Travel Rule?

Yes. European VASPs had an 18-month grace period after the TFR was approved‍.‍


Complying with the FATF Crypto Travel Rule in the European Union

1. What is the minimum threshold for the Crypto Travel Rule in the European Union? 

No minimum threshold applies. EU CASPs must comply with Travel Rule obligations for every transaction, regardless of its amount.

Unlike transfers of funds, crypto asset transfers are always subject to the same scope of obligations. This means that the scope of information EU CASPs are required to transmit does not vary depending on transaction amount or whether or not the transaction is cross-borders.
In contrast, in transfers of funds both of these requirements are relevant to determine the scope of applicable obligations. 

2. What are the PII requirements for the Crypto Travel Rule in the European Union?

Natural Persons

Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure transfers include the following for both originator and beneficiary:

The EBA Travel Rule Guidelines clarify that if the name, account number, address, and official personal document number are insufficient for identification, the date and place of birth must also be provided.


Legal Persons

The TFR does not specify the information required when the originator person is a legal person (e.g., a corporation). However, the EBA’s Travel Rule Guidelines provide helpful guidance in this respect by clarifying what information must be provided in such cases.

* Note: Regarding the date and place of birth, the EBA does not clarify what would be required instead if the originator is a legal person. In some jurisdictions, VASPs are required to provide a date and place of incorporation, but the EU requirement is unclear.


{{european1="/cta-components"}}


3. What are the obligations for beneficiary CASPs in the European Union?

European Beneficiary CASPs have the following requirements: 

  • Receive Required Information: Beneficiary CASPs must receive specific information about each transaction's originator and beneficiary customers. ²
  • Detect Non-Compliance: Beneficiary CASPs must implement robust policies and procedures to detect incoming transactions lacking necessary information.
    • Methods for detecting missing, incomplete, or meaningless information.
    • Pre and post-monitoring practices aligned with ML/TF risk levels.
    • Criteria for recognizing risk-increasing factors.
    • Clear responsibilities for staff in managing transactions with missing information. ³

4. How should beneficiary CASPs manage non-compliant transactions? 

The EBA’s Travel Rule guidelines outline steps beneficiary CASPs should do to handle transactions that lack information about the originator or beneficiary. 

  • Transaction Handling: If the beneficiary CASP detects a transaction lacking information, they may choose to execute, reject, return, or suspend the transfer, following effective risk-based procedures. ⁴
  • Requesting Missing Information: Beneficiary CASPs can request missing information instead of outright rejecting or returning a transfer. However, if they decide to reject or return the transfer, they must notify the prior CASP in the transfer chain of this action. ⁵
  • Insufficient Information: If the information received does not allow for unambiguous identification of transaction parties, the recommended action is to reject or return the crypto asset transfer. ⁶
  • Sufficient but Incomplete Information: In cases where the information, although incomplete, still allows for unambiguous identification of transaction parties, the beneficiary CASP can decide whether to execute, reject, or return the transfer. If opting to execute, the reasoning must be documented appropriately. ⁷

5. How should beneficiary CASPs manage non-compliant counterparties?

  • Assessment: CASPs must use both quantitative and qualitative criteria to assess whether the counterparty has repeatedly failed to meet its obligations.
  • Actions: If the assessment reveals repeated non-compliance, CASPs should consider the following steps:
    • Sending a warning to the counterparty.
    • Exploring alternative methods of managing counterparty risk.
    • Terminating the business relationship or rejecting future transfers.
    • Reporting repeatedly non-compliant counterparties to the competent authority responsible for AML/CTF supervision. ⁸

6. Are there differences in customer PII requirements for cross-border transfers versus transfers within the EU?

No, there are no differences. The revised TFR removed simplified requirements for transactions within the EU. TFR Recital 27 highlights that cryptoasset transfers are inherently borderless with global reach. This revision aligns with FATF's requirement to treat all cryptoasset transfers as cross-border, eliminating distinctions in obligations within or outside the EU. ⁹ 


Recital 30 of the TFR justifies this due to the rapid, expansive, and pseudo-anonymous nature of crypto transactions, facilitating large, fast illicit transfers evading detection.


{{european2="/cta-components"}}

7. What are the non-custodial or self-hosted wallet requirements in the European Union?

The obligations applicable to transactions between CASPs and self-hosted wallets depend on the transaction amount and whether the transaction involves a CASP customer or a third party.

  • Transactions of 1,000 euros or less: CASPs must collect and retain specific information and cross-match it to identify or verify the originator or beneficiary's identity.
  • Transactions exceeding 1,000 euros where the wallet owner is a CASP customer: CASPs must verify whether the customer owns or controls the wallet using at least two methods.
  • For transactions exceeding 1,000 euros where the wallet owner is not a customer of the CASP, CASPs must verify wallet ownership or control, assess transaction risk, and implement suitable risk mitigation measures.


Why Choose Notabene for Crypto Travel Rule Compliance in the European Union?

Notabene enables European CASPs and financial institutions to comply with the EU's crypto Travel Rule. Our SafeTransact platform allows customers to identify and prevent high-risk activities before transactions occur. It includes a self-hosted wallet identification tool that collects verification data at the withdrawal screen, applying the necessary jurisdictional requirements for each transaction. Our privacy-preserving platform ensures end-to-end compliance with crypto Travel Rule regulations, accommodating the specific needs of various jurisdictions.


References

[1] The European Commission (2021). Proposal to regulate information accompanying transfers of funds and certain crypto assets, p. 3, COM(2021) 241 final.
[2] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, Article 16/1.
[3] European Banking Authority (2023). Travel Rule Guidelines, §29.
[4] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, Article 16/1.
[5] European Banking Authority (2023). Travel Rule Guidelines, §42.
[6] European Banking Authority (2023). Travel Rule Guidelines, §50.
[7] European Banking Authority (2023). Travel Rule Guidelines, §§48 and 49.
[8] European Banking Authority (2023). Travel Rule Guidelines, §§59-63.
[9] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, p. 6, para. 27.

Notabene's commitment to privacy + security:

Bank-grade security for an insecure world
  • Passed rigorous security reviews by more than 150 institutions, including global banks and top 20 crypto exchanges
  • Annual SOC 2 Type II Audit for Security and Data Privacy Categories
  • Regular penetration testing by security audit leader Cobalt
Industry’s strongest protection for your customer data
  • Industry’s only escrowed exchange of encrypted PII
  • Compliant with EU GDPR, Singapore PDA
  • Plug-and-play Travel Rule end-user data consent component
Enterprise White Glove features
  • 24h/7 days a week uptime
  • Configurable enterprise SLA
  • SOC2 compliant disaster recovery and business continuity plans
Learn more about our commitment to security
This content is provided for general informational purposes only. By using the content, you agree that the information on this content does not constitute legal, financial or any other form of professional advice. No relationship is created with you, nor any duty of care assumed to you, when you use this content. The content is not a substitute for obtaining any legal, financial or any other form of professional advice from a suitably qualified and licensed advisor. The information on this content may be changed without notice and is not guaranteed to be complete, accurate, correct or up-to-date.

Help us keep this page up to date! Any comments, corrections or suggestions on this page can be sent to
catarina@notabene.id.