As discussed earlier on this blog, the European Commission has proposed a new regulation on information accompanying transfers of funds and certain crypto-assets. On 29 June 2022, the main European institutions reached a political agreement on the text, which will soon be put to a vote in the European Parliament. In this blog, we look at what has changed from the European Commission’s initial proposal during the legislative course.
The new regulation will apply to crypto-asset service providers whenever their transactions, whether in fiat or crypto-assets, involve a traditional wire transfer or a transfer of crypto-assets involving a crypto-asset service provider.
In such cases, the crypto-asset service providers will be required to identify both the payer and the payee and to exchange this information with each other. Concretely, the payer will need to provide name, account number, address, official personal document number, and customer identification number, or date and place of birth. The payee will need to provide name and account number. Where no account numbers are involved, the persons’ blockchain address identifiers should be used.
Important to note, however, is that the Regulation will not apply to consumer-to-consumer transfers of crypto-assets. Therefore, Alice sending some Bitcoin to Bob because she is a great friend will not be subject to this identification duty. It is only when Alice and Bob involve a crypto-asset service provider that the identification duty will be triggered.
This identification duty is often called the ‘Crypto Travel Rule’. It stems from a FATF Recommendation on wire transfers. It applies to both cross-border and domestic wire transfers. As a threshold, the Recommendation allows States to provide that for transfers below EUR/USD 1000 only limited information should be provided and that such information does not need to be verified, unless there is a suspicion of money laundering or other illicit activity.
The initial Recommendation did not specifically address crypto, but the FATF has since confirmed that it considers the Recommendation to apply to crypto as well.
The FATF also considered a deviation when only one party to a transaction is an obliged entity. That would, for instance, be the case when a consumer with an unhosted wallet transacts with a crypto exchange. In that case, only the obliged entity is subject to the identification duty and needs to gather the necessary information.
A few changes were proposed in the European Parliament’s Committee Report, which served as the basis with which it entered interinstitutional negotiations.
Notably, the Parliament wanted to remove the derogation that allowed Member States to not apply the Crypto Travel Rule to transactions below EUR 1000 and when the transaction can be traced via other means. It also proposed to clarify that the rule would apply to transactions including an unhosted wallet, but then only to the obliged entity counterpart. It would also expand the scope to crypto-ATMs.
Also notable is that the Parliament proposed to introduce additional information duties, including more details about the transaction as a whole to facilitate additional due diligence. This goes well beyond the FATF’s Recommendation, but it is a stance that has been advocated in certain countries such as the Netherlands.
Moreover, crypto-asset service providers should also identify each other, to ascertain whether the other party will also adhere to the Travel Rule. Additionally, crypto-asset service providers must notify authorities of everyone having received more than EUR 1000 in crypto.
Last, the Parliament wants to introduce a public list of non-compliant entities.
From what has been reported so far, it appears that these amendments have been accepted as part of the political agreement and will thus find their way into the final text.
The text will now move to the European Parliament, with the intention of adopting it at first reading. Given the political agreement, it is not expected that the Parliament will still introduce any significant changes.
Once adopted, the new framework will become applicable together with the upcoming Markets in Crypto-Assets Regulation (MiCAR), which should be at 18 months after adoption.
The immediate result is that all crypto-asset service providers regulated under the MiCAR will end up becoming subject to anti-money laundering law – and not just the exchanges and custodian wallet providers that are obliged entities today. This is a substantial scope enlargement, but one that could be expected.
However, the decision to take this text out of the anti-money laundering legislative package and insert it into the digital finance legislative package creates an inconsistency. Crypto exchanges and custodian wallet providers are, for the time being, the only ones already considered as obliged entities. Together with MiCAR, this creates a situation where they are subject to a license requirement with passporting possibility – as we already know under PSD2, EMD2 and MiFID2 – but are still subject to national registration under existing anti-money laundering laws. The other crypto-asset service providers are only subject to the license requirement and will in the future become subject to the upcoming anti-money laundering regulation. This can be considered as an unequal treatment of these service providers, resulting from the legislator deciding to mix-and-match texts from different legislative packages. And the whole point of legislative packages is to group together closely related frameworks to avoid such inconsistencies.
The main addition of the Crypto Travel Rule is that it increases the normal anti-money laundering requirements – such as know-your-customer and customer due diligence – by also requiring the identification of the counterparty. Moreover, the EU’s interpretation of the FATF’s Recommendation further increases the burden by adding additional requirements and enhanced due diligence, and by ignoring the proposed threshold.
This is, of course, an unfortunate development. The FATF’s Recommendation was well-reasoned and balanced, and there is little reason for the EU to show that it can be the toughest kid in class by adopting a much more onerous framework. Taking a long time to provide regulatory clarity and then adopting an unreasonably strict, unbalanced and inconsistent framework will certainly not help the EU’s goal of no longer missing the boat on innovation.
The framework will subject crypto-asset service providers in the EU to much stricter rules than elsewhere. The US, for instance, decided to increase the threshold for the Crypto Travel Rule to USD 3000, although there is a proposal to lower it for international transfers. Also the UK has retained the threshold, included a domestic exemption, and decided to make the information requirements for unhosted wallet applicable on a risk sensitive basis only. Maybe the Rt Hon. Rees-Mogg can chalk it up as a Brexit opportunity.
At the same time, the fear-mongering present in some parts of the crypto-community must also be dispelled. There have been cries that the Crypto Travel Rule would effectively ban unhosted wallets and thus force users into hosted wallets – which are of course less secure given the constant slew of crypto-exchange data breaches. It has also been said that the additional information required under the Crypto Travel Rule would be appended to the blockchain, which is entirely incompatible with GDPR. None of this is correct. Unhosted wallets will still be perfectly legal and none of this information should be included in the transaction itself. Crypto advocacy would be well-served by focusing on the genuine issues, such as the burdens imposed on market players, the ever-increasing data collection by governments and the resulting consolidation of the surveillance state.
Do you have questions about crypto-assets or anti-money laundering legislation? Please contact Timelex.