In June 2019, the Financial Action Task Force (“FATF”) issued a public statement in relation to virtual asset service providers. In the aforementioned public statement, the FATF stated that it would be subjecting virtual asset service providers to Recommendation 16, ergo the so-called ‘Travel Rule’. Following a supplementing amendment to the FATF’s Recommendation 16, the Travel Rule was rendered applicable on the 21st of June 2019. This new requirement, once implemented by FATF member states through their respective legislative frameworks, would oblige virtual asset service providers to obtain and hold the required and accurate originator information and the required beneficiary information of the parties carrying out a virtual asset transfer1.
Regulation (EU) 2023/1113 ergo the Transfer of Funds Regulation (“TFR”), plans to embody the Travel Rule and render it applicable to crypto asset service providers licensed and operating within the European Union. European Union Regulations are directly applicable throughout the entire Union without the need for Member States to transpose them. Thus, the embodiment of the Travel Rule within the TFR means that the Travel Rule will become directly applicable across all Member States and to all crypto asset service providers operating from such Member States. The proposal to integrate the Travel Rule in the TFR is part of a package of legislative proposals to strengthen the EU's anti-money laundering and countering terrorism financing (AML/CFT) rules, presented by the Commission on the 20th of July 20212.
The Travel Rule for crypto asset service providersAs previously stated, the Travel Rule applies to transfers of crypto assets where the crypto asset service provider of the Originator or the Beneficiary is established within the European Union. The TFR introduces numerous definitions relating to the crypto asset industry. The most important ones pertinent to the explanation of the Travel Rule are the following:
“Crypto Asset Account”, means an account held by a crypto-asset service provider in the name of one or more natural or legal persons and that can be used for the execution of transfers of crypto-assets3;
“Self-Hosted Address”, means a Distributed Ledger Address not linked to either of the following:
- a crypto-asset service provider;
- an entity not established in the Union and providing services similar to those of a crypto-asset service provider4;
“Batch File Transfer” means a bundle of several individual transfers of funds or transfers of crypto assets put together for transmission;
“Distributed Ledger Address” means an alphanumeric code that identifies an address on a network using distributed ledger technology (DLT) or similar technology where crypto-assets can be sent or received5;
“Originator” means a person that holds a crypto-asset account with a crypto-asset service provider, a Distributed Ledger Address or a device allowing the storage of crypto-assets, and allows a transfer of crypto-assets from that account, Distributed Ledger Address, or device, or, where there is no such account, Distributed Ledger Address, or device, a person that orders or initiates a transfer of crypto-assets6;
“Beneficiary” means a person that is the intended recipient of the transfer of crypto assets7.
The act of transferring crypto assets is defined by the TFR as any transaction with the aim of moving crypto assets from one Distributed Ledger Address, Crypto Asset Account or other device allowing the storage of crypto assets to another, carried out by at least one crypto asset service provider acting on behalf of either an Originator or a Beneficiary, irrespective of whether the Originator and the Beneficiary are the same person and irrespective of whether the crypto asset service provider of the Originator and that of the Beneficiary are one and the same8.
Information to be collected by crypto asset service providers on the Originator and the Beneficiary in relation to a transfer of crypto assets
Crypto asset service providers of the Originator shall ensure that the transfer of crypto assets is accompanied by the following Originator and Beneficiary information:
- Name of Originator and Beneficiary;
- The Originator’s and Beneficiary’s Distributed Ledger Address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the Crypto Asset Account number of the Originator, where such an account exists and is used to process the transaction;
- The Originator’s and Beneficiary’s Crypto Asset Account number, in cases where a transfer of crypto assets is not registered on a network using DLT or similar technology;
- The Originator’s (but not the Beneficiary’s) address, including the name of the country, official personal document number and customer identification number, or, alternatively, the Originator’s date and place of birth; and
- Subject to the existence of the necessary field in the relevant message format, and where provided by the Originator to its crypto asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the Originator & Beneficiary9.
Verification processes to be carried out by crypto asset service providers
The TFR envisages two verification processes that can be carried out by the crypto asset service provider. The first verification process relates to the crypto asset service provider carrying out customer due diligence measures as per Directive (EU) 2015/849 (4AMLD)12. The second verification process relates to the crypto asset service provider applying the aforementioned customer due diligence measures at appropriate times to existing customers on a risk-sensitive basis13, 14.
Storage of information collected by crypto asset service provider by virtue of the verification processes
A copy of the documents and information necessary to comply with the customer due diligence requirements shall be kept for a period of five years after the end of the business relationship with the customer or after the date of an occasional transaction.
The supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law which are necessary to identify transactions, shall be kept for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.
Upon expiry of the retention periods referred to above, Member States shall ensure that obliged entities delete personal data, unless otherwise provided for by national law, which shall determine under which circumstances obliged entities may or shall further retain data15.
Naturally, the processing of personal data is subject to the General Data Protection Regulation (Regulation (EU) 2018/1725)16.
1https://blog.bcas.io/everything-you-need-to-know-about-the-travel-rule-in-the-crypto-industry, accessed 8th June 2023
2https://www.consilium.europa.eu/en/press/press-releases/2021/12/01/anti-money-laundering-council-agrees-its-negotiating-mandate-on-transparency-of-crypto-asset-transfers/, accessed 8th June 2023
3Regulation (EU) 2023/1113, Article 3(19)
4Regulation (EU) 2023/1113, Article 3(20)
5Regulation (EU) 2023/1113, Article 3(18)
6Regulation (EU) 2023/1113, Article 3(21)
7Regulation (EU) 2023/1113, Article 3(22)
8Regulation (EU) 2023/1113, Article 3 (10)
9Regulation (EU) 2023/1113, Article 14
10Regulation (EU) 2023/1113, Article 14(5)
11Regulation (EU) 2023/1113, Article 15(2)
12Directive (EU) 2015/849, Article 16(4)(a)
13https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/EBA-GL-2021-16%20GL%20on%20RBA%20to%20AML%20CFT/1025507/EBA%20Final%20Report%20on%20GL%20on%20RBA%20AML%20CFT.pdf, accessed 8th June 2023
14Directive (EU) 2015/849, Article 16(4)(b)
15Directive (EU) 2015/ 849, Article 40
16Regulation (EU) 2023/1113, Recital 19