Crypto Travel Rule Regulations in the European Union

by the European Parliament

Travel Rule required from: December 30, 2024
Content last updated: May 29, 2024

The European Union (EU) has established a regulatory framework for the crypto industry, including the Markets in Crypto-assets (MiCA) Regulation. MiCA provides a uniform legal framework for crypto-assets, covering consumer protection, asset classification, licensing requirements, and market abuse.

Additionally, the Transfer of Funds Regulation (TFR) oversees the implementation of the Financial Action Task Force’s (FATF) crypto Travel Rule in the EU. MiCA and TFR were approved on April 20, 2023, and the Travel Rule for crypto-asset service providers (CASPs) will take effect on December 30, 2024.

This page offers an overview of how the crypto Travel Rule applies in the EU, focusing on the TFR and the European Banking Authority (EBA)’s Travel Rule Guidelines.

Note: The EBA’s Travel Rule Guidelines are not final and may change. We will provide updates once the final Guidelines are published. VASP (Virtual Asset Service Provider) refers to transaction counterparties outside the EU. CASP (Crypto Asset Service Provider) is used within the EU.

Timeline of Regulatory Action in the European Union:

  • May 20, 2015 - The EU adopted Regulation (EU) 2015/847 on information accompanying transfers of funds to apply the FATF’s requirements across the Union uniformly.
  • June 21, 2019 - FATF extended the "Travel Rule" to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs), expanding AML/CTF recommendations to these technologies.
  • July 20, 2021 - The European Commission proposed a crypto legislative framework, recasting EU 2015/847 to create a new, more coherent AML/CTF regulatory and institutional framework for the crypto industry.
  • June 29, 2022 - All parties reached a provisional agreement on the TFR. 
  • April 20, 2023 - The European Parliament approved both MiCA and the revised TFR, establishing a uniform legal framework for crypto-assets in the EU and boosting consumer protection.
  • May 21, 2023 - To ensure the complete traceability of fund and crypto-asset transfers, the EU Parliament and Council updated Regulation (EU) 2015/847, releasing the TFR, which includes provisions for certain crypto-assets.
  • May 31, 2023 - The recast TFR was published to extend to crypto transfers.
  • June 9, 2023 - The TFR was published in the Official Journal of the European Union.
  • November 23, 2023 - The EBA launched a public consultation on new Travel Rule Guidelines, revising three guidelines: ML/TF Risk Factors, Travel Rule, and Risk-based Supervision. Read Notabene's summary of the EBA's guidelines.
  • February 26, 2024 - Deadline to submit a response to EBA’s public consultation on the Travel Rule guidelines. Read Notabene’s response.
  • June 2024 - Final Travel Rule Guidelines are expected in June 2024. Authorities will have two months to comply or explain non-compliance to the EBA.
  • December 30, 2024 - The crypto Travel Rule comes into effect for all EU CASPs.

Crypto Regulations in the European Union

1. Is cryptocurrency legal in the European Union?

Yes. Cryptocurrencies are legal across the European Union, and individual member states regulate them. Cryptocurrency taxation varies, with some countries charging tax on derived earnings from 0 to 50%. In 2015, the Court of Justice of the European Union ruled that exchanges between traditional and virtual currencies should be exempt from VAT as cryptocurrencies constitute services rather than goods.

2. Are there AML crypto regulations in the European Union?

Yes. In 2021, the European Commission published legislative proposals to strengthen the EU's anti-money laundering and counter-terrorism financing (AML/CFT) rules. This package, including MiCA and the TFR, was approved on April 20, 2023.

3. Is the Crypto Travel Rule mandated in the European Union?

Yes. The crypto Travel Rule was mandated in the European Union on June 20, 2021. [1] 

4. Who is the Crypto Travel Rule Regulator in the European Union?

The European Banking Authority (EBA) is the cryptocurrency regulator in the European Union.


FATF Travel Rule requirements in the European Union

1. Are there licensing or registration requirements for CASPs in the European Union?

Currently, EU CASPs are not subject to licensing or registration requirements at the EU level. However, CASPs may have registration requirements with their respective national regulators, such as Germany's Financial Supervisory Authority (BaFin) or Italy's Ministry of Finance. Once CASPs are authorized or receive licenses from these regulatory bodies, they can operate across Europe under a single regime.

2. When is the Crypto Travel Rule enforcement date in the European Union?  

The crypto Travel Rule will go into effect on December 30, 2024, 18 months after the Transfer of Funds regulation was published.

3. Does the European Union permit a grace period to comply with the Crypto Travel Rule?

The recent European proposal for crypto regulations did not mention a grace period.

Complying with the FATF Crypto Travel Rule in the European Union


1. What is the minimum threshold for the Crypto Travel Rule in the European Union?

The revised TFR removed the de minimis threshold, meaning that, once in force, EU CASPs must comply with Travel Rule obligations for every transaction, regardless of its amount. Previously, the threshold was set at 1,000 EUR.

2. What are the PII requirements for the Crypto Travel Rule in the European Union?

Natural Persons

Under Article 14, paragraphs 1 and 2 of the TFR, CASPs must ensure transfers include the following for both originator and beneficiary:

The EBA Travel Rule Guidelines clarify that if the name, account number, address, and official personal document number are insufficient for identification, the date and place of birth must also be provided.

Legal Persons

In addition to defining what information CASPs are required to transmit, the TFR and the Travel Rule guidelines also set requirements on how this information should be transmitted. The requirements cover information transmission infrastructure, compliance timing, joint accounts, information submission changes, and protocol interoperability.

Protocol interoperability
Selected messaging protocols must enable seamless and interoperable transmission of information. CASPs should evaluate these capabilities by considering whether the messaging protocol can seamlessly communicate with other systems and is compatible with industry standards, protocols, and blockchains, as well as by assessing data integration and reliability. (Travel Rule Guidelines, §15)


3. What are the obligations for beneficiary CASPs in the European Union?

European beneficiary CASPs have the following requirements:

  • Receive Required Information: Beneficiary CASPs must receive specific information about each transaction's originator and beneficiary customers. [2]
  • Detect Non-Compliance: Beneficiary CASPs must implement robust policies and procedures to detect incoming transactions lacking necessary information.
    • Methods for detecting missing, incomplete, or meaningless information.
    • Pre and post-monitoring practices aligned with ML/TF risk levels.
    • Criteria for recognizing risk-increasing factors.
    • Clear responsibilities for staff in managing transactions with missing information. [3]

4. How should beneficiary CASPs manage non-compliant transactions?

The EBA’s Travel Rule guidelines outline steps beneficiary CASPs should take to handle transactions that lack information about the originator or beneficiary.

  • Transaction Handling: If the beneficiary CASP detects a transaction lacking information, they may choose to execute, reject, return, or suspend the transfer, following effective risk-based procedures. [4]
  • Requesting Missing Information: Beneficiary CASPs can request missing information instead of outright rejecting or returning a transfer. However, if they decide to reject or return the transfer, they must notify the prior CASP in the transfer chain of this action. [5]
  • Insufficient Information: If the information received does not allow for unambiguous identification of transaction parties, the recommended action is to reject or return the crypto asset transfer. [6]
  • Sufficient but Incomplete Information: In cases where the information, although incomplete, still allows for unambiguous identification of transaction parties, the beneficiary CASP can decide whether to execute, reject, or return the transfer. If opting to execute, the reasoning must be documented appropriately. [7]

5. How should beneficiary CASPs manage non-compliant counterparties?

  • Assessment: CASPs must use both quantitative and qualitative criteria to assess whether the counterparty has repeatedly failed to meet its obligations.
  • Actions: If the assessment reveals repeated non-compliance, CASPs should consider the following steps:
    • Sending a warning to the counterparty.
    • Exploring alternative methods of managing counterparty risk.
    • Terminating the business relationship or rejecting future transfers.
    • Reporting repeatedly non-compliant counterparties to the competent authority responsible for AML/CTF supervision. [8]


6. Are there differences in customer PII requirements for cross-border transfers versus transfers within the EU?

No, there are no differences. The revised TFR removed simplified requirements for transactions within the EU. TFR Recital 27 highlights that cryptoasset transfers are inherently borderless with global reach. This revision aligns with FATF's requirement to treat all cryptoasset transfers as cross-border, eliminating distinctions in obligations within or outside the EU. [9] 

Recital 30 of the TFR justifies this by the rapid, expansive, and pseudo-anonymous nature of crypto transactions, which facilitates large, fast illicit transfers that evade detection.

7. What are the non-custodial or self-hosted wallet requirements in the European Union?

The obligations applicable to transactions between CASPs and self-hosted wallets depend on the transaction amount and whether the transaction involves a CASP customer or a third party.

  • Transactions of 1,000 euros or less: CASPs must collect and retain specific information and cross-match it to identify or verify the originator or beneficiary's identity.

  • Transactions exceeding 1,000 euros where the wallet owner is a CASP customer: CASPs must verify whether the customer owns or controls the wallet using at least two methods.

  • For transactions exceeding 1,000 euros where the wallet owner is not a customer of the CASP, CASPs must verify wallet ownership or control, assess transaction risk, and implement suitable risk mitigation measures.

Why Choose Notabene for Crypto Travel Rule Compliance in the European Union?

Notabene enables European CASPs and financial institutions to comply with the EU's crypto Travel Rule. Our SafeTransact platform allows customers to identify and prevent high-risk activities before transactions occur. It includes a self-hosted wallet identification tool that collects verification data at the withdrawal screen, applying the necessary jurisdictional requirements for each transaction. Our privacy-preserving platform ensures end-to-end compliance with crypto Travel Rule regulations, accommodating the specific needs of various jurisdictions.

References

[1] The European Commission (2021). Proposal to regulate information accompanying transfers of funds and certain crypto assets, p. 3, COM(2021) 241 final.

[2] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, Article 16/1.

[3] European Banking Authority (2023). Travel Rule Guidelines, §29.

[4] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, Article 16/1.

[5] European Banking Authority (2023). Travel Rule Guidelines, §42.

[6] European Banking Authority (2023). Travel Rule Guidelines, §50.

[7] European Banking Authority (2023). Travel Rule Guidelines, §§48 and 49.

[8] European Banking Authority (2023). Travel Rule Guidelines, §§59-63.

[9] The European Parliament and the Council of the European Union (2023). Transfer of Funds Regulation, p. 6, para. 27.

Notabene's commitment to privacy + security:

Bank-grade security for an insecure world
  • Passed rigorous security reviews by more than 50 institutions, including global banks and top 20 crypto exchanges
  • Annual SOC 2 Type II Audit for Security and Data Privacy Categories
  • Regular penetration testing by security audit leader Cobalt
Industry’s strongest protection for your customer data
  • Industry’s only escrowed exchange of encrypted PII
  • Compliant with EU GDPR, Singapore PDA
  • Plug-and-play Travel Rule end-user data consent component
Enterprise White Glove features
  • 24h/7 days a week uptime
  • Configurable enterprise SLA
  • SOC2 compliant disaster recovery and business continuity plans
This content is provided for general informational purposes only. By using the content, you agree that the information on this content does not constitute legal, financial or any other form of professional advice. No relationship is created with you, nor any duty of care assumed to you, when you use this content. The content is not a substitute for obtaining any legal, financial or any other form of professional advice from a suitably qualified and licensed advisor. The information on this content may be changed without notice and is not guaranteed to be complete, accurate, correct or up-to-date.

Help us keep this page up to date! Any comments, corrections or suggestions on this page can be sent to catarina@notabene.id.