The EU’s due diligence requirements for CASPs

How crypto-asset service providers should treat transfers to self-hosted wallets, other CASPs and non-EU firms according to TFR.

Introduction

Over the next 18 months, the implementation of the Markets in Crypto-assets Regulation (MiCA), which provides a harmonised framework for the regulation of crypto-asset issuers and service providers across the EU, will continue to escalate as EU countries begin accepting authorisation applications.

Businesses that secure authorisations to operate as crypto-asset service providers (CASPs) and passport services throughout the EU are subsequently caught by AML regulations and a web of additional regulations in the EU’s Digital Finance Package.

An important piece of the puzzle is the Transfer of Funds Regulation (TFR), or the EU’s version of the Travel Rule, which aligns EU-wide regulation with Financial Action Task Force (FATF) requirements for financial institutions to identify and verify the originator and beneficiary at each end of a wire transfer and share required data.

The TFR, which applies to all crypto transactions undertaken by CASPs regulated under MiCA from January 2025, builds on anti-money laundering and countering the financing of terrorism (AML/CFT) requirements. It has been put in place to ensure CASPs uphold mandated record-keeping standards on participants in crypto transfers and fulfil obligations to conduct counterparty due diligence and transaction screening to stop the flow of illicit funds and prevent financial crime.

Compliant CASPs undertaking crypto transactions in Europe will be forced to implement and maintain robust AML/CFT compliance systems and comply with requirements under TFR.

Due diligence requirements for EU CASPs

When determining the necessary steps to take regarding an individual transfer, CASPs must first determine whether the beneficiary or originator’s wallet at the other end of the transfer is associated with a service provider or is a self-hosted wallet (in which case the recipient controls access to funds and no service provider is present).

Self-hosted wallets

If a CASP determines that a self-hosted wallet is sending or receiving a transfer and the transaction amount is greater than €1,000, the CASP is required to verify whether that self-hosted wallet is effectively owned or controlled by that client.

Service providers

If a CASP determines the destination or origin of a transfer is a wallet or account address associated with a service provider, it must first and foremost identify the entity sending or receiving the transfer on behalf of the client. In the context of the TFR, the entity almost certainly refers to the specific legal entity and not the trading name.

For example, a CASP may identify that a beneficiary has a Coinbase wallet, Coinbase being the trading name of the counterparty. However, the CASP will also need to identify the counterparty entity associated with the wallet. In this case, the difference between Coinbase Ireland Inc. and Coinbase Canada Inc. will determine the level of due diligence required under TFR.

Identifying the counterparty entity is a necessary first step for CASPs to take in order to meet TFR requirements, regardless of whether the crypto-asset transfer is national, cross-border within the EU or sent to an entity that is not established within the EU.

Transfers to and from CASP entities in the EU

If a CASP verifies that the entity sending or receiving funds on behalf of the originator or beneficiary is established in the EU, they are required to ensure the timely and complete transfer of required data.

As it currently stands, TFR does not specify how CASPs should treat relationships with counterparty entities that may be established in the EU but are no longer regulated or explicitly not permitted to undertake crypto-asset activities. Based on the Guidelines issued by the European Banking Authority at the beginning of 2024, we can assume they will be required to demonstrate a risk-based approach.

Transfers to and from entities outside of the EU

If a CASP wishes to execute transfers with an entity that is not established in the EU, it is obliged by TFR to treat this as a correspondent relationship. Unlike counterparties, correspondent relationships are ongoing business relationships that pose greater risks, and CASPs are required to undertake enhanced due diligence measures before commencing such relationships.

Under TFR[1], enhanced due diligence includes:

  • determining whether the correspondent's entity is licensed or registered (both in their home jurisdiction and other jurisdictions in which registration or licensing may be required)
  • the quality of supervision in these jurisdictions
  • the quality of the entity's AML/CFT controls
  • the reputation of the entity and whether the entity conducts adequate record keeping and due diligence on customers.

After undertaking such an assessment, approval from senior management must be obtained before establishing the correspondent relationship.

Conclusion

The EU’s implementation of the updated TFR, with its comprehensive AML/CFT and due diligence requirements, aims to protect the EU’s financial system by preventing the flow of illicit funds and reducing financial crime.

First, a CASP must identify whether a transfer is to or from a self-hosted wallet or to a wallet controlled by a service provider. In the case that the transfer is to or from a service provider, the CASP must identify the specific legal entity of the counterparty sending or receiving the transfer on behalf of the client. Transfers to regulated EU entities require the complete and timely transfer of data. The TFR lacks specific guidelines for dealing with unregulated EU entities, which undoubtedly pose compliance risks. CASPs are left to decide whether or not doing business with such unregulated entities falls within their risk appetite.

Transfers to entities incorporated outside of the EU are treated as higher-risk correspondent relationships, and CASPs are required to determine whether or not such an entity is licensed or registered and to apply enhanced due diligence measures.

[1] Article 19b