On 29 June 2022, the Council and the European Parliament reached a provisional agreement on the text regarding the European Commission's proposal for a recast of Regulation (EU) 2015/847 (also referred to as the Transfer of Funds Regulation ("TFR")). The final text has not yet been published but the original proposal can be downloaded here.
The proposal is part of a larger package of four legislative proposals to achieve a more coherent anti-money laundering regulatory and institutional framework within the EU. The proposal extends the so-called "travel rule" to transfers of crypto-assets following the recommendation of the Financial Action Task Force ("FATF"). The travel rule refers to information-sharing duties in the context of crypto-asset transfers. Once the amendments to the TFR are in force and the information-sharing duties are applicable, crypto-asset service providers (CASPs) must accompany transfers of crypto-assets with information on their originators and beneficiaries, which they must obtain, hold, share with the counterpart on the recipient's side of the crypto-assets transfer and make available on request to appropriate authorities.
The purpose of the proposal is to expand the traceability requirements previously only applied to fiat money and electronic money also to crypto-assets. The proposal sets forth that traceability is necessary and important for the prevention, detection and investigation of money laundering and terrorist financing. The FATF sees similar risks in crypto-asset transfers and fiat money transfers, hence the same rules ought to be applied according to the FATF recommendations which are now followed by the EU Commission. In order to ensure the transmission of information throughout the transfers of crypto-assets chain, the EU Commission deems it appropriate to provide for a system imposing the obligation on CASPs to accompany transfers of crypto-assets with information on the originator and the beneficiary.
Although the Commission's proposal has not yet passed through the EU legislative processes and will likely be published together with the other legislative proposals in this area of AML rules (including the directly applicable Anti-Money Laundering Regulation) as well as the MiCAR, certain EU regulators (including the Austrian FMA) require CASPs to comply with the FATF travel rule to a certain extent already today.
What does the amended Regulation 2015/748 hold for CASPs?
A necessary requirement for the information-sharing duties and other stipulated obligations to apply is that at least one of the CASPs involved is established in the EU and that the transfer of crypto-assets is being sent or received by a provider (and that no exception is applicable). With regards to the crypto-assets and crypto-asset service providers, the proposal references the coming Markets in Crypto-Assets regulation ("MiCAR"), which corresponds to the definitions used by the FATF. A transfer of crypto-assets is defined as any transaction at least partially carried out by electronic means on behalf of an originator through a CASP, with a view to making crypto-assets available to a beneficiary through a CASP. The regulation, however, exempts certain transfers of crypto-assets, such as person-to-person transfers (P2P transfers) or transfers by the CASP acting on its own behalf. Under certain conditions, a Member State may exempt transfers of crypto-assets within its territory if the amount of the transfer does not exceed EUR 1,000.
If the regulation applies, it stipulates different obligations depending on whether the crypto-asset service provider acts on behalf of the originator, who is the sender, or the beneficiary, who is the recipient of the crypto transfer. When a transfer is being processed, then the CASP of the originator must ensure that it is accompanied by the name, account number (if an account is being used to process the transaction) and address, official personal document number, customer identification number or the date and place of birth of the originator as well as the name and account number (if such an account exists and is being used for the transaction) of the beneficiary. If the transfer or the batch of transfers does not exceed EUR 1,000 in total, it is sufficient to include the names of the originator and the beneficiary and the account number. If no account is being used, the CASP of the originator needs to ensure that the transfer can be individually identified and the record originator and beneficiary address identifiers on the distributed ledger. Before the transfer is processed, the service provider of the originator must verify the information sent on the basis of documents, data and information obtained from a reliable and independent source (which is assumed if the originator was verified in accordance with the proposed Anti-Money Laundering Regulation). Without the CASP being in full compliance, the transfer shall not be executed.
The CASP of the beneficiary has to detect whether the necessary information for the transfer is missing or incomplete. To achieve this, the service provider must implement effective procedures and monitoring after or during transfers where appropriate. The degree of verification that the beneficiary's CASP must take depends on the amount transferred. If the transfer exceeds EUR 1,000, then the beneficiary's service provider must verify the information on the basis of documents, data or information obtained from a reliable and independent source. If the transfer does not exceed EUR 1,000, the accuracy of the information shall only be verified if the beneficiary effects a pay-out in cash or anonymous electronic money or where reasonable grounds for money laundering exist. The verification process in all instances is nevertheless assumed to have taken place when the identity of the beneficiary has been verified in accordance with the proposed Anti-Money Laundering Regulation.
A specific discussion point in the political trilogue was the issue how unhosted wallets should be treated under the new TFR regime (and whether CASPs would be required to obtain and verify encompassing information about the originator and beneficiary also in such cases).
The regulation prescribes that CASPs of the beneficiary have to implement effective risk-based procedures to determine whether to execute or reject a transfer and ask for the required information before or after making the transfer available on a risk-sensitive basis. If a crypto-asset service provider repeatedly fails to provide complete information, the beneficiary's provider may issue warnings and set deadlines or transfer the crypto-assets back or withhold them from the beneficiary pending a review by the relevant authority monitoring compliance. When assessing whether a transfer of crypto-assets is suspicious and whether it is to be reported to the Financial Intelligence Unit (FIU) in accordance with the proposed Anti-Money Laundering Regulation, the CASP shall take the missing or incomplete information into account.
The TFR only permits the collected information to be processed for the purposes of preventing money laundering and terrorist financing. It obliges CASPs to retain the records of the information that accompanied the transfers for five years and ensure the confidentiality of the data and their subsequent deletion.
The regulation requires Member States to provide for and impose administrative or criminal sanctions and measures applicable for breaches. Member States ensure that legal and natural persons as well as management boards are held liable for breaches. The competent authority will also be permitted to publish any breach of the provisions if necessary and proportionate.
The problems and challenges of compliance going forward
A range of issues were raised during the consultation phase of the proposal. Most pressing is the absence of a standardised global open source and free technical solution to manage compliance with the travel rule for transfers of crypto-assets. Currently only the private cryptographic key and the wallet address of the recipient are needed to transfer crypto-assets. Hence the current information available to CASPs is insufficient to comply with the amended TFR and travel rule. The required information must be transmitted immediately and securely according to recital 31 of the amended TFR. Immediate transfer means the information needs to be transmitted either prior to, simultaneously or concurrently with the transfer. The TFR or the FATF do not mandate a system or software given their technology-neutral approach to compliance. The blockchain itself does not provide an information sharing protocol and the required information cannot be retrieved from it. A solution for obtaining, holding and transmitting the required information could be code that is built into the crypto-asset transfer's underlying distributed ledger technology (DLT) transaction protocol or that runs on top of the DLT platform (e.g. using a smart contract) or an independent messaging platform. This poses a significant barrier to entry for small players or start-ups due to the significant costs involved. A historically similar initiative by financial institutions to create a system for financial messaging took years to develop and required agreeing on a common language of communication. In the end this led to the SWIFT system or, in Europe, the SEPA system.
Another concern that was raised during the consultation phase was about divergent jurisdictional rules leading to significant compliance costs for CASPs operating cross-border, as FATF recommendations have been transposed differently around the world.
One more issue raised among CASPs regarding compliance lies in the unique nature of the DLT. The TFR requires CASPs to potentially hold the transfer of crypto-assets pending a review by the competent authority or even reject the transfer, similar to wire transfers. However, it is hardly possible to reject transfers in DLT, let alone hold them. The FATF provides as examples of possible methods to either putting a wallet on hold until the screening is completed or arranging to receive the crypto-asset transfer with a provider's wallet that links to a wallet and transferring the crypto-assets after screening is completed. Both methods require compliance with the regulation at the expense of the immutability of transfers, which is among the inherent advantages of DLT.
In conclusion, the amendments to the TFR introduce the travel rule and stipulate that the CASP of the originator must submit and verify a range of information of the originator and the beneficiary to the CASP of the beneficiary, which needs to monitor and detect any missing or incomplete information. Despite CASPs welcoming initiatives to fight money laundering and terrorism financing and hoping to further improve the industry's public image with regards to money laundering, the current proposal stipulates requirements that are hard to fulfil in the short term. It poses a wide range of issues around the nature of DLT and the lack of a data submission system. Regardless of the path chosen to comply with the travel rule, it will mean a significant burden for a highly agile sector working on solutions for the future of finance and will potentially eliminate several positive features of DLT.