On April 20, the European Parliament cast their final vote: European crypto asset service providers (CASPs) now have 18 months to align their compliance regime with the EU's implementation of the Financial Action Task Force's (FATF's) Travel Rule. This article presents an overview of the key changes in the TFR relevant to CASPs.
The Transfer of Funds Regulation (TFR) underwent a few changes from its provisional July version, before being passed into law together with the MiCA regulatory framework. Notable additions include updates on the threshold for domestic transfers. Also, there is further clarification on transfers involving CASPs and self-hosted wallets.
Who does the TFR apply to, and when?
The Financial Action Task Force (FATF) Travel Rule is a global regulatory guideline that requires financial institutions, including banks and crypto service providers, to collect and share customer information for transactions above a certain threshold. The aim of the rule is to prevent money laundering and terrorist financing by making it harder for criminals to transfer funds without being detected. The Transfer of Funds Regulation is essentially the EU’s implementation of the Travel Rule.
The TFR applies to all obliged entities as defined by the Markets in Crypto Assets Regulation (MiCA) Article 3(1), point (15). Twenty (20) days after the TFR has been published in the Official Journal, an 18-month grace period will begin. The Travel Rule will likely go live in the EU by January 2025.
Travel Rule information to be exchanged
Under the initial TFR text, less data would be collected for transfers up to EUR 1000 between European CASPs, unless the transfer posed an elevated risk. However, this ruling has been revoked, and complete Travel Rule information is required for all transfers.
CASPs must ensure that the transfer is accompanied by the TFR's required Travel Rule data, regardless of the CASP’s location or value, as the EU carries a EUR 0 threshold. When sending from an EU CASP to a CASP outside the territory, the originating CASP must ensure that the beneficiary CASP has appropriate safeguards to receive and store the data according to the European GDPR. The European Parliament explained, that due to crypto's borderless and global nature, these obligations should apply to all CASP-to-CASP transactions.
When should a CASP provide Travel Rule data?
Travel Rule data needs to be provided before a transaction can be initiated. One of the Travel Rule’s objectives is to prevent AML/CFT in real time; CASPs can screen addresses or counterparty CASPs before facilitating transfers.
Do self-hosted wallets fall under the TFR?
Self-hosted wallets do not fall under the scope of the TFR unless a CASP is involved in the transaction. For all transactions involving self-hosted wallets, CASPs must collect and hold information on the originator and beneficiary.
However, for transactions exceeding EUR 1000 to or from a self-hosted wallet, CASPs must confirm that the client controls the involved address. In case of suspected inaccurate information or suspicious transaction patterns, the CASP must implement enhanced due diligence measures to mitigate these risks.