By Athos Myrianthous
Executive Director, MAP Fund Management Services (MAP FMS)
__________________________________________________________________________________
Origin of the Travel Rule
The ‘Travel Rule’ has its origins in wire transfers. The Financial Action Task Force (FATF) revised its Recommendation 16 in 2012 to ensure that adequate information on the payer and payee accompanies any transfer, therefore increasing transparency in financial transactions and mitigating the risk of money laundering and terrorist financing.
In the context of wire transfers, the Travel Rule has already been widely adopted, including in the EU through Regulation (EU) 2015/847 – The Funds Transfer Regulation.
Since the adoption of Regulation (EU) 2015/847, the FATF has extended the application of Recommendation 16 to virtual asset service providers (VASPs). This was because, in the FATF’s view, the transfer of virtual assets gives rise to ML/TF risks.
In July 2023, Regulation (EU) 2023/1113 came into force and recast Regulation (EU) 2015/847, extending it to transfers of crypto-assets. It also extends the definition of ‘financial institution’ in Directive (EU) 2015/849 to CASPs that are regulated in accordance with Regulation (EU) 2023/1114.
This means that based on Regulation (EU) 2023/1113 CASPs are subject to the same AML/CFT system and control requirements as other credit and financial institutions within the scope of Directive (EU) 2015/849.
When were the new EBA Travel Rule Guidelines introduced and come into effect?
The new European Banking Authority (EBA) Travel Rule Guidelines were introduced on 4th of July 2024 and shall come into effect on the 30th of December 2024. Competent authorities must report on their compliance two months after the official translations are available.
Regulation (EU) 2023/1113 does not set out in detail what payment service providers (PSPs), intermediary PSPs (IPSPs), crypto-asset service providers (CASPs), and intermediary CASPs (ICASPs) should do in order to comply with it. Instead, it mandates the EBA to issue guidelines to PSPs, IPSPs, CASPs, and ICASPs on the steps they should take to detect missing or incomplete information that accompanies a transfer of funds or crypto-assets, and the procedures they should put in place to manage a transfer of funds or a transfer of crypto-assets lacking the required information.
What are the identification details that the originator’s CASP should provide to accompany a transfer?
When establishing the information to accompany a transfer, CASPs should establish procedures to identify for each transfer their role as the originator’s CASP, the beneficiary’s CASP, or as an ICASP.
For transfers of crypto-assets above the threshold of EUR 1,000 CASPs must transmit the following information for the originator and beneficiary:
- Name of account holder and all joint account holders.
- Wallet address or number of account.
- Residential address, official personal document number, customer ID, or place and of birth.
Smaller crypto transactions, which fall below the EUR 1,000 threshold, may still be subject to certain due diligence requirements. In determining whether to apply due diligence measures to such smaller transactions, CASPs and ICASPs should apply a number of risk-based factors.
The Guidelines also provide what should be considered as alternative identifiers equivalent to the LEI.
How should information integrity be protected?
Technical infrastructure established by CASPs, should be robust and capable to fully transmit and receive information, maintaining data integrity with no gaps or errors, including during format conversions.
What are the communication channels for CASPs to transmit information?
- as part of the transfer on the blockchain or alternative DLT platform
- independently through other channels, such as direct communication between CASPs, APIs, code solutions on top of the blockchain
- via other third-party solutions.
Immediate and secure transmission is required as soon as the blockchain transaction is initiated.
How should CASPs select their messaging or payment and settlement systems?
CASPs should evaluate by using proportionate risk-based measures:
- the capability of the system when communicating with other internal core systems, the counterparty’s messaging or settlement systems as well as its interoperability with other blockchain networks,
- the system’s ability to detect transfers with missing or incomplete information,
- the protocols reachability in terms of accessibility of counterparties and success rate of transfers,
- data Security, data reliability and data integration. CASPs need to ensure that the systems they use for information transfer security in data transfers comply with the EBA Guidelines on information and communications technology (ICT).
Notably, CASPs may, until 31 July 2025, use infrastructures with limitations, if additional technical steps are in place to ensure compliance with the Guidelines including alternative processes to gather, maintain and make available information.
What are the provisions for detecting and monitoring missing Information?
CASPs should have processes, using risk-based factors for detecting missing, meaningless or incomplete information, identifying which transfers should be monitored and determining whether to reject, suspend, or execute a transfer. Provisions are also included for the return of a transfer in case rejection is not technically possible.
Guidelines are also included for requesting any missing information and establishing appropriate deadlines. Moreover, rules are set to detect missing information post-transfer, leading to a request for the missing information from the prior CASP in the transfer chain.
Can already transmitted information be altered?
Initial information transmitted should remain unaltered, except where alteration is requested by the ICASP or beneficiary’s CASP or where data is found by the originator’s CASP to be erroneous or incomplete. The next CASP in the transfer chain should be informed of any such alterations and re-evaluate the information.
How should repeatedly failing CASPs be identified and treated?
CASPs should assess quantitative and qualitative criteria to identify repeatedly failing CASPs. Guidelines also cover the reporting of repeatedly failing CASPs to Competent Authorities.
Do Guidelines cover transactions involving Self-Hosted Wallets?
The Travel Rule Guidelines set a threshold at EUR 1,000 for information collection obligations for self-hosted wallet transactions. CASPs are required to collect and verify specific information and keep records when transferring crypto-assets to or from self-hosted wallets, including the identification of the wallet owner. CASPs are required to apply enhanced due diligence, particularly for higher-risk transfers depending on the risk assessment performed. Compliance with AML and CTF regulations should be ensured for transactions involving self-hosted wallets.
Conclusion
By including in the Travel Rule Guidelines, provisions for the CASPs’ compliance with the Travel Rule and addressing the specific technical features in crypto-asset transactions, a global benchmark is set for combating money laundering and terrorist financing within the constantly changing digital assets eco-system.
MAP S.Platis can provide comprehensive advisory support to Crypto-Asset Service Providers. Please contact us or complete the form below for more information on our related services.