Travel Rule Compliance for VASPs in the European Union: An Exhaustive Guide

European Union

In an effort to strengthen anti-money laundering (AML) and counter-terrorism financing (CTF) measures, the European Union (EU) has implemented the Transfer of Funds Regulation (TFR). This regulation is designed to align with the Financial Action Task Force’s (FATF) Recommendation 16, also known as the Travel Rule, specifically for the digital asset space. On April 20, 2023, the European Parliament officially approved TFR legislation, targeting Crypto Asset Service Providers (CASPs) to ensure greater transparency, traceability, and compliance across the virtual asset ecosystem.

Below, we provide an in-depth overview of the Travel Rule compliance requirements for CASPs within the EU, along with specific mandates, thresholds, and procedural challenges.

Background of the EU Travel Rule Implementation

The EU’s TFR builds upon FATF’s Recommendation 16 for crypto transactions, expanding the regulation to align with traditional finance requirements. The Travel Rule obligates CASPs and financial institutions to obtain, hold, and share necessary information regarding both originators and beneficiaries for crypto-asset transfers. This regulation intends to harmonize the EU's approach and establish a uniform standard across all member states.

The new Transfer of Funds Regulation (TFR) is an amendment to Regulation (EU) 2015/847 and translates the Travel Rule from traditional finance to crypto, creating a compliance framework specifically for virtual assets.

Scope of the EU Transfer of Funds Regulation (TFR)

The TFR applies to both fiat currency and crypto transactions. This regulation mandates compliance for all transfers of virtual assets in which either the originator’s or the beneficiary’s CASP is established or registered in the EU. This applies regardless of transaction value, making the EU’s Travel Rule one of the strictest globally.

The scope of TFR includes

Crypto-ATMs and self-hosted wallets, as long as a CASP is involved.
Intermediary CASPs: This includes entities that receive and transmit transfers on behalf of either the originator or the beneficiary but are not the end parties.

Exemptions to the TFR include:

Cash transactions, paper checks, and electronic tokens used for goods and services.
Tax payments, fines, and payments to public authorities within member states.
Transactions where both originator and beneficiary CASPs are acting on their own behalf.
Peer-to-peer (P2P) transactions without CASP involvement.

TFR Compliance Thresholds in the EU

Although FATF’s Recommendation 16 suggests a threshold of EUR 1,000 for the Travel Rule, the EU requires that all crypto transactions, regardless of amount, comply with the TFR. However, for transactions involving self-hosted wallets, the TFR includes specific requirements based on thresholds:

Below EUR 1,000: CASPs are only required to collect information but do not need to verify the ownership of the self-hosted wallet.
Above EUR 1,000: CASPs must verify the ownership of the self-hosted wallet, ensuring that the wallet address is controlled by their customer.

Information Requirements Under the TFR for CASPs

To comply with the EU’s TFR, CASPs must obtain, hold, and share comprehensive information on both originators and beneficiaries. Here’s a breakdown of the information required for compliance:

Originator’s Information:

Full Name: The full legal name of the individual or entity initiating the transaction.
Distributed Ledger Address: The wallet or account number on the blockchain.
Physical Address: Including country, personal ID number, and LEI or equivalent official identifier.
Date and Place of Birth (if applicable for individual originators).

Beneficiary’s Information:

Full Name: The full legal name of the individual or entity receiving the transaction.
Distributed Ledger Address: The blockchain wallet or account number.
Legal Entity Identifier (LEI): Or equivalent official identifier for legal entities.

The EU mandates that the required information should be submitted concurrently with or prior to executing the transfer to ensure compliance. For any transaction above EUR 1,000 involving a self-hosted wallet, CASPs must assess the ownership and control of the wallet before processing the transfer.

Data Protection and Compliance with GDPR

Given the importance of data privacy in the EU, the TFR explicitly mandates compliance with the General Data Protection Regulation (GDPR). CASPs must ensure that personal data is processed solely for AML/CTF purposes, with commercial use strictly prohibited.

Some specific requirements under the TFR’s data protection mandate include:

Assessing Non-EU CASPs: CASPs transferring crypto-assets to or from non-EU providers must ensure that their counterparties can receive and protect data in accordance with GDPR.
Detecting Missing or Incomplete Data: CASPs must have procedures to monitor and detect if any required data on originators or beneficiaries is incomplete.
Addressing Missing Data: For incomplete data transfers, CASPs must implement risk-based procedures to decide whether to execute, reject, or suspend a transfer.

Handling Incomplete Data and Non-Compliant Counterparties

When a CASP identifies missing or incomplete data on the originator or beneficiary, they must:

Determine Appropriate Action: Options include rejecting, returning, or suspending the transfer.
Issue Warnings for Repeated Violations: If the CASP consistently fails to provide data, warnings and deadlines should be issued.
Terminate Business Relationships: As a final step, non-compliant CASPs may face business relationship termination if data requirements are repeatedly ignored.

The European Data Protection Board, in collaboration with the European Banking Authority (EBA), is expected to release further guidance on data protection protocols and handling incomplete information under TFR.

Additional Challenges of Implementing the EU Travel Rule

The EU’s stringent implementation of the Travel Rule introduces unique challenges for CASPs, including:

Cross-Border Compliance: Many global CASPs operate across borders, creating complex compliance challenges due to varied implementation timelines and requirements across jurisdictions.
Data Fragmentation: The fragmented approach in non-EU jurisdictions, or the so-called “sunrise issue,” makes collaboration difficult. Non-compliant jurisdictions may not fully support data exchange, complicating cross-border transactions.
Counterparty Due Diligence: The TFR mandates that EU CASPs perform due diligence on counterparties in third countries, ensuring they meet GDPR compliance and can safeguard personally identifiable information (PII).

Compliance Dates and Future Guidance

The final TFR text was published in the EU’s Official Journal on June 9, 2023, and became legally binding on June 29, 2023. It will be fully enforced across the EU by December 30, 2024. CASPs must adapt to meet these new compliance requirements and await additional guidelines from both the European Data Protection Board and the European Banking Authority on managing data protection and data sharing across borders.

How MarketGuard Supports EU CASPs in Achieving Travel Rule Compliance

For CASPs operating within the EU, MarketGuard offers a comprehensive suite of tools that facilitate Travel Rule compliance and data privacy adherence under GDPR. MarketGuard’s platform enables:

Seamless Data Collection and Verification: Automatic collection of originator and beneficiary information and verification of self-hosted wallets.
Enhanced Transaction Monitoring: Continuous transaction tracking and automated suspicious activity reporting to ensure CASPs remain compliant.
GDPR-Compliant Data Management: Secure data storage and sharing processes that meet GDPR and TFR standards, reducing compliance risks for EU CASPs.

By utilizing MarketGuard’s advanced compliance solutions, CASPs can ensure seamless integration of Travel Rule standards, meet data protection obligations, and maintain operational efficiency across the complex regulatory landscape of the European Union.