Fund transfers, crypto-assets and AML/CTF – the European Banking Authority’s take on the ‘Travel Rule’
The fight against money laundering (ML) and terrorism financing (TF) continues to be at the forefront of European financial regulation. This holds true in particular with respect to crypto-assets. Their global reach, the speed at which transactions can be carried out and the potential for anonymous transfer of values make crypto-assets particularly susceptible to criminal misuse, including in cross-border situations.
With respect to crypto-assets in particular and fund transfers more generally, the full traceability of transfers of funds is a key milestone of the European Anti Money Laundering (AML) and Countering Terrorism Financing (CTF) regulation, which is achieved by way of implementing the so-called ‘Travel Rule’ into the Funds Transfer Regulation (FTR), in relation to which the European Banking Authority (EBA) has now launched a public consultation on new Guidelines.
What is the ‘Travel Rule’?
The ‘Travel Rule’ is a set of guidelines designed to prevent money laundering and terrorist financing. It requires the payment service provider (PSP) of the payer to ensure that transfers of funds are accompanied by information on (i) the name of the payer, (ii) the payer’s payment account number; and (iii) the payer's address, official personal document number, customer identification number or date and place of birth. Before transferring funds, the PSP of the payer must verify the accuracy of this information on the basis of documents, data or information obtained from a reliable and independent source.
Although the transfer of personal data between financial institutions has been an established process in the context of more traditional payment services, the ‘Travel Rule’ is a new requirement for the crypto industry. Originally proposed by the Financial Action Task Force (FATF), the EU has only recently expanded the application of the ‘Travel Rule’ to CASPs by amending the Funds Transfer Regulation.
The Funds Transfer Regulation does not set out in detail what PSPs and crypto-asset service providers (CASPs) should do in order to comply with the ‘Travel Rule’. Instead, it mandates the EBA to issue guidelines on the steps these entities should take to detect missing or incomplete information that accompanies a transfer of funds or crypto-assets, and the procedures they should put in place to manage a transfer of funds or a transfer of crypto-assets lacking the required information. Through these Guidelines, the EBA aims to promote the development of a common understanding by service providers across the EU.
In the consultation, the EBA focusses, among others, on the following issues:
Electronic money token exemption
The FTR does not apply to the transfer of funds or transfer of electronic money tokens carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics used exclusively for the payment of goods and services. It may be difficult to determine whether a card, instrument or device is used exclusively for this purpose and any such assessment may lead to divergent outcomes.
For this reason, EBA now proposes that PSPs and CASPs should (a) identify the use of any merchant categorisation codes that are used to categorise the type of goods or services sold, (b) determine whether the payer or payee is engaged in an economic or professional activity and (c) analyse, where available, trends and behaviours, including transfer history and patterns to determine whether the payer makes payments for goods or services, or the payee receives payments for goods or services.
Infrastructure and transmission of data
The FTR stipulates high-level requirements for data points that need to be submitted with a transfer of funds. The EBA require that PSPs and CASPs should use secure infrastructures and services for the transmission and reception of information, fully capable of transmitting and receiving the information required under the FTR. These infrastructures should be inter-operable, which is still an issue for CASPs. Traditionally, PSPs generally rely on SWIFT for complying with the Travel Rule for funds.
However, there is no similar infrastructure in place for crypto-assets, where transfers are processed on a decentralised basis The EBA Guidelines provide for broad discretion how a solution may be implemented, including a transfer on the blockchain itself (where the smart contract permits to transfer this information), or independently via direct communication between CASPs. Market-wide solutions are still to be developed. Therefore, the EBA permits that infrastructure that is not fully capable of transmitting required information and require additional technical solutions can be used by CASPs until 31 July 2025.
Self-hosted wallets are wallets where the owner has complete control over their private key. They are used in the context of P2P crypto transactions. According to the FATF, they can be used to avoid AML/CFT controls, and therefore pose specific ML/TF risks. The FTR addresses these risks with respect to transfers of crypto-assets to or from a self-hosted address, as long as there is one CASP involved.
The FTR requires CASPs to (a) obtain and hold the information on the self-hosted address, (b) ensure that the transfer of crypto-assets can be individually identified, and (c) assess whether that address is owned or controlled by the CASP customer where the transfer amount exceeds EUR 1,000.
To address the practical challenges arising from the application of these requirements, the draft Guidelines provide details on the steps to be taken, to identify, among others, a transfer from or to self-hosted addresses and to identify the originator and beneficiary. Most notably, CASPs will be able to rely to a large extent on blockchain analytics and third-party service provider to identify self-hosted addresses and the identity of originator and beneficiary. To the extent that the transferred amount from or to a self-hosted address exceeds EUR 1,000.00, however, more sophisticated technical measures must be used to verify that the controller of the self-hosted address is similar to the CASP’s client. If that is not the case, mitigating measures must be applied, including enhanced due diligence measures if the risk associated with that transfer is considered to be high.
Obligations where a transfer is a direct debit
Direct debits are payment instructions sent by the PSP of the payee to the payer’s PSP. Unlike a credit transfer, which is initiated by the payer, a direct debit is a transaction initiated by the payee. This means that the payee’s PSP holds the information that the payer’s PSP would need to comply with their obligations. As a result, in the direct debit context, the payer’s PSP may not be able to fulfil the requirements set out in the FTR.
EBA therefore clarifies that the PSP of the payee should send the required information on the payee to the PSP of the payer at the time when the direct debit mandate is established or modified
EBA will receive comments on the consultation by 26 February 2024. A virtual public hearing on the consultation paper will be held on 17 January 2024. Once finalised, the guidelines will apply from 30 December 2024.