The Transfer of Funds Regulation (TFR) Summarised
The vote was cast last Thursday (20/04/2023), and the Transfer of Funds Regulation (TFR) was finalised. European crypto asset service providers* (CASPs) now have 18 months** to get their compliance regime on par with the EU’s implementation of the Financial Action Task Force’s (FATF’s) Travel Rule.
Below, we provide a comprehensive breakdown of the most critical changes in the TFR that are relevant to CASPs and compliance officers. As with all summaries provided by 21 Analytics, the intention is to capture the essence of the text and in no way constitutes legal advice.
What Changed in The Transfer of Funds Regulation (TFR)?
The TFR remained relatively similar to the version that reached provisional agreement last July, with minor changes. The most notable additions included the changed stance on domestic transfers and the timing of the exchange of the Travel Rule data. Additionally, further clarification was given regarding self-hosted wallets transfers involving CASPs.
The Transfer of Funds Regulation (TFR): Domestic Transfers
The initial TFR text proposed that less data be collected for transfers up to EUR 1000 between European CASPs (domestic transfers) unless the transfer posed an elevated risk. This ruling has fallen away, and irrespective of the CASP’s location and value transacted, complete Travel Rule information as per the TFR is to be collected, stored and exchanged.
It is up to the originating CASP to ensure that the transfer is accompanied by the TFR’s required Travel Rule data. When sending from an EU CASP to a CASP outside the territory, it is up to the originating CASP to ensure that the beneficiary CASP has appropriate safeguards in place to receive and store the data as per the General Data Protection Regulation (GDPR).
The European Parliament explained that due to the nature of crypto, these obligations should apply to all CASP-to-CASP transactions.
The Transfer of Funds Regulation (TFR): Travel Rule Data Timing
Previously, originating CASPs had to ensure that the TFR-required Travel Rule data was sent before the virtual asset transfer was executed. Now CASPs need to send the data before even allowing the transaction initiation. The Travel Rule aims to allow CASPs to screen both people involved in a transfer; therefore, information must be sent in real-time. Moreover, this data must be sent in accordance with the GDPR.
The Transfer of Funds Regulation (TFR): Self-hosted Wallets
The TFR does not apply to peer-to-peer (P2P) transactions; therefore, self-hosted wallets do not fall under the scope of the TFR unless a CASP is involved in the transaction.
CASPs are to collect and hold information of both the originator and beneficiary for all transactions involving a self-hosted wallet. The collected information does not need to be verified. However, for transactions summing to over EUR 1000 to or from a self-hosted wallet, CASPs must confirm that the client controls the involved address.
If the CASP suspects that inaccurate information is being provided or notices suspicious transaction patterns and so forth, it is up to the CASP to implement enhanced due diligence (EDD) measures to mitigate these risks.
*CASP has been used as an umbrella term within the text. The TFR applies to all obliged entities as defined by the Markets in Crypto Assets Regulation (MiCA). If you need clarification on what your business is defined as, please refer to the MiCA document.
*The 18-month grace period starts 20 days after the document has been published in the Official Journal of the European Union.