Head of Legal, Risk and Compliance
The growing cryptocurrency usage, rise in crypto-related (illicit) activities coupled with discrepancies between member states' regulatory and policy approach, created political pressure on the EU institutions to come up with a uniform regulatory response.
Following the informal negotiations between the representatives of the three EU institutions, a draft package was agreed on 5th of October, 2022. The EU came to a provisional agreement on the transfer of funds regulation (TFR). This legislative package is the implementation of recommendation no.16 by the Financial Action Task Force (FATF), the so-called “travel rule”. The objective of the recommendation is to ensure that basic information on the originator and the beneficiary of wire transfers is immediately available and information can be used by the law enforcement agencies.
It is worth noting that the ‘‘travel rule’’ already applies to wire transfers into the traditional financial services sector and will be an extension on virtual asset service providers. Compared to directives, the EU regulations are of general application, binding in their entirety, and directly applicable. The TFR will become directly applicable and binding on member states, private individuals, and EU institutions due to its status as a regulation. The TFR is projected to come into effect in 2024.
Crypto asset service providers (CASPS) - will be obliged to provide complete information on the payer and payee, CASPs will have to collect, verify, send and store information on originator and beneficiary.
CASP shall provide following information on the payer:
Information on the payee:
For transactions below EUR 1000, CASPs will only have to provide limited information regarding payer and payee. It must include the names, payment account numbers or a unique transaction identifier.
There are no minimum thresholds nor exemptions for low-value transfers, as originally proposed. Before making the crypto-assets available to beneficiaries, providers will have to verify that the source of the asset is not subject to restrictive measures or sanctions and that there are no risks of money laundering or terrorism financing. CASPs will be obliged to perform sanction screening on originator and beneficiary and suspend or reject a transaction when this information is either incorrect, missing, or incomplete.
The regime will also apply for transactions from so-called unhosted wallets (a crypto-asset wallet address that is in the custody of a private user) when they interact with hosted wallets managed by CASPs. In case the customer sends or receives more than 1000 euros to or from unhosted wallets, CASP will have to verify if the unhosted wallet is actually owned or controlled by this customer.
Exception: TFR regulation would not apply to private wallets and person to person transfers conducted without a provider, such as bitcoin trading platforms, or among providers acting on their behalf.
One of the main objectives of TFR is to minimise and avoid crypto-related illicit activities by requiring broad data collection and stricter AML/CTF checks. It will be useful to dive into statistics and analyse the background and possible effects of the TFR regulation.
In 2021, crypto-based crime reached an all-time high, statistics show that 14 billion dollars were tracked to be received from illicit addresses (Chainalysis). Two categories of illicit sources stand out the most, stolen funds and scams, both strongly connected to “DeFi”. However, In the meantime, cryptocurrency usage is growing fast and transactions involving illicit addresses represent only 0.15% of the total amount (Chainalysis).
Critics of TFR argue that with new measures, CASPs have to record and transfer very large amounts of personal data and run additional, in some cases unnecessarily strict checks that could seriously undermine privacy and security and cannot be in practice with the article 7 of the EU charter “right to privacy” and article 8, “right to the protection of personal data”. TFR skeptics refer to the CJEU decision in 2014 when the court struck down a controversial data retention directive and argue that TFR will face a similar outcome.
Based on CJEU’s observation, the data retention directive would have enabled the disclosure of information on the identity of both ends of communication, time, place, and frequency of the communication. This data, as a whole, “may provide very precise information on the private lives of the persons whose data are retained.” Additionally, the court raised questions regarding the role of the competent authority, data retention period, and differentiation policy.
The Court has concluded that “By adopting the Data Retention Directive, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality and declared the data retention directive to be invalid.”
Although TFR obliges CASPs to collect and retain a significant amount of data traction with information on payer and payee, the nature of the data is different from social interactions, daily habits, locations, activities, and frequencies. Besides, the Travel Rule already exists on the EU level and regulates traditional finance. Therefore, the chance that the CJEU will apply an analogous argument and reach a similar conclusion is unlikely.
Controversy and disagreement about whether TFR will build a more secure and stable crypto environment or if it will undermine the privacy and trust offered by it, will continue. However, for now, one fact is certain, the TFR regulation will be impactful in the EU and beyond.
Thank you for reading the article, please let us know if you find it helpful or have any suggestions. Too funging long? Too funging short?