The European Union’s Revised Transfer of Funds Regulation (TFR)

Introduction: Understanding the Impact of Money Laundering and Terroist Financing

Money laundering and terrorist financing pose significant threats to national economies and global stability. These activities have significant effects on society and the integrity of the international financial system.

Money laundering involves disguising the origins of illegally obtained funds to make them appear legitimate. Thai allows criminals to enjoy the proceeds of their illegal activities without raising suspicion.

By introducing ‘dirty’ money into the legitimate economy, money laundering can disrupt economic systems. It not only undermines the credibility of financial institutions but also erodes public trust, leading to a vicious cycle of crime and corruption. Moreover, laundered funds can cross borders, potentially financing terrorist activities and posing a national security threat.

Given the seriousness of these issues, governments and international bodies have put in place Anti-Money laundering (AML) and Counter-Terrorist financing (CTF) regulations. The European Union (EU) has been at the forefront of this, establishing various directives and regulations to standardize AML/CTF measures across member states. These regulations seek to detect and prevent these activities, promoting the transparency and integrity of financial systems while protecting national security.

The recently reviewed Transfer of Funds Regulation (TFR) is a notable example of such regulations. The revised version of TFR passed in April 2023 and officially came into force in June 2023. Its provisions will be actively applied from January 2024, which is 18 months after its enactment.

The Revised Transfer of Funds Regulation (TFR)

The Revised Transfer of Funds Regulation (TRF) is the EU’s latest legislative response to combat money laundering and terrorist financing. This regulation aligns with the Financial Action Task Force’s (FATF) recommendations, particularly recommendation 16, which focuses on wire transfers, commonly referred to as the travel rule.

Within the EU, the TRF provides guidelines for sharing information about parties involved in transactions, covering all currencies, including virtual assets. The primary objective is to establish international standards that aid in preventing, detecting, and investigating money laundering and terrorist financing.

MICA and TFR: Strengthening the EU’s Crypto Assets Framework

Following the establishment of the Revised Transfer of Funds Regulation (TFR), the European Union’s commitment to a secure and transparent financial landscape doesn’t end there. Another pivotal regulation in this domain is the Markets in Crypto Assets (MICA).

While TFR focuses on enhancing the transparency and traceability of fund transfers, MICA offers a comprehensive regulatory framework specifically for crypto assets. Its primary goal is to ensure that crypto assets and their associated activities are held to the same standards as traditional financial instruments. MICA wants to make crypto market safer by clarifying laws, protecting consumers, and ensuring market fairness. Together, MICA and TFR form two foundational pillars of the EU’s crypto assets framework.

You can read morea about MICA here.

The Financial Action Task Force (FATF)

The Financial Action Task Force (FATF) is an intergovernmental organization that sets global standards for anti-money laundering (AML) and counter-terrorist financing (CTF) measures. Its 40+9 recommendations play a crucial role in shaping its member countries’ AML and CTF policies. Non-compliance with FATF’s guidelines can lead to severe consequences for a country, including economic sanctions, reputational harm, and limitations on financial operations.

In 2019, FATF updated its guidelines to include virtual assets, cryptocurrencies, and virtual asset service providers (VASPs) under the scope of AML/CTF regulations. This update means that entities dealing with these assets are now subject to the same regulatory requirements as traditional financial institutions. FATF’s decision to include these assets under its regulations is part of its ongoing efforts to tackle the emerging risks associated with these technologies and ensure that AML and CTF regulations remain effective in the digital era.

Furthermore, FATF reinforced the Travel Rule. This rule mandates financial entities to provide comprehensive details about both the sender and recipient during wire transfers, extending to virtual asset transactions. As a result, cryptocurrency dealings now undergo the same rigorous regulatory oversight as traditional financial exchanges.

EU’s Response to FATF Recommendations Update

The European Union responded to FATF’s 2019 virtual assets and VASPs guidelines by incorporating these guidelines into its regulatory framework. The EU developed an Action Plan in May 2020 and, in July 2021, published a package of legislative proposals to strengthen its AML/CFT rules. One of those legislative proposals was a recast of the Funds Transfer Regulation (Regulation 2015/847).

Regulation 2015/847 had provisions for wire transfers (the Travel Rule). However, it had a limitation that criminals exploited for money laundering. It only applies to traditional financial transactions and wire transfers, such as banknotes, coins, scriptural money, and electronic money.

Crypto assets were not covered, creating a regulatory gap that criminals could exploit for illicit financial activities. It limited the transparency and traceability of financial transactions involving virtual assets, making it difficult for authorities to detect and investigate suspicious activities. However, the new TFR regulation is an amendment to Regulation 2015/847, bridging the gap and creating a more transparent financial system. 

TFR’s Significance in the EU Framework

Sweden’s Finance Minister, Elisabeth Svantesson, expressed her support for this revision of TFR, stating:

‘’Today’s decision is bad news for those who have misused crypto-assets for their illegal activities, to circumvent EU sanctions, or to finance terrorism and war. Doing so will no longer be possible in Europe without exposure – it is an important step forward in the fight against money laundering.’’

The new version of the TFR requires virtual asset service providers (VASPs) or crypto asset service providers (CASPs) to gather and share specific details about the person who sends and receives crypto assets through their services. As a result of this measure, the EU is able to address the risks of money laundering and terrorism financing associated with new technologies.

Key Definitions in TFR

Knowing the definitions of these terms will help your understanding of TFR. These definitions clarify the roles and entities involved in fund and crypto-asset transfers within the regulation.

1. Payer: An individual with a payment account who either initiates a transfer from that account or orders a transfer without possessing such an account.
2. Payee: The recipient of the funds transfer.
3. Payment Service Provider (PSP):  Entities that offer funds transfer services, including those with special permissions.
4. Intermediary Payment Service Provider: A PSP that isn’t directly linked to either the payer or payee. These entities receive and forward funds on behalf of other PSPs.
5. Crypto assets:  Decentralized digital assets that function as a store of value, means of payment, and medium of exchange. They rely on distributed ledger technology (DLT) and cryptographic techniques for functions like security, ownership verification, and transaction validation. Examples include cryptocurrencies, stablecoins, and tokens.
6. Crypto-Asset Service Provider (CASP): Entities that provide crypto-asset related services.
7. Intermediary Crypto-Asset Service Provider: A CASP that doesn’t directly serve the originator or beneficiary. Instead, it facilitates the transfer of crypto-assets on behalf of other CASPs.
8. Originator: The Originator is the person who holds a crypto-asset account, DLT address, or means of storing crypto-assets and initiates the transfer of crypto-assets.
9. Beneficiary: The person who receives the transferred crypto-assets.
10. Self-hosted addresses: Distributed ledger addresses are not associated with a CASP. They also aren’t linked to entities outside the European Union that provide similar services.

Where Does TFR Apply?

Under the new rules, every EU service provider must gather relevant details for each crypto asset transfer. This applies regardless of the transfer amount and whether it’s conducted via crypto-ATMs or through international transactions. This measure aims to prevent criminals from structuring large transactions into smaller amounts to avoid traceability. Criminals often take advantage of crypto assets’ pseudo-anonymity and technological advantages to avoid monitoring and traceability.

Crypto-asset automated teller machines (crypto-ATMs) enable users to send crypto-assets to a crypto-asset address by depositing cash. These machines are typically devoid of any customer identification or verification, making them vulnerable to money laundering and terrorist financing uses. They pose a significant risk as they accept cash from unknown sources and provide anonymity, which attracts illegal activities. 

Under the TFR, as with prior regulations, any fund transfers in the EU, regardless of currency, made or received by a payment service provider or its intermediary, are still subject. For transfers that exceed EUR 1,000, they must have accurate and verified payment details, unless connected to other transfers that also surpass EUR 1,000.

Exceptions Under the TFR

There are certain scenarios to the TFR where the regulation requirements do not apply. Here are a few exceptions: 

1. Transfers of funds or electronic money tokens using payment cards, electronic money instruments, mobile phones, or similar digital devices for goods or services where the device number accompanies the transaction are exempted. However, this exception doesn’t apply when used for non-business transfers.
2. Entities that exclusively convert paper documents to electronic data on a contractual basis are exempted from TFR. Additionally, those that provide support to payment service providers are also exempted.
3. Transfer of funds involving cash withdrawals from a payer’s payment account are exempted.
4. Transfers of funds to public authorities for taxes or levies within the EU.
5. Transfers between payment service providers acting on their behalf.
6. Transfers made through check image exchanges.
7. Regarding crypto-assets, TFR does not apply when both the sender and receiver are crypto-asset service providers acting independently or when there’s a person-to-person (p2p) transfer of crypto-assets without a crypto-asset service provider’s involvement.

Guidelines on the Travel Rule in TFR

The TFR has obligations for both PSPs and CASPs and their intermediaries.

Under TFR, specific information about the payer and payee should travel with the funds including: 

Payer’s Details: 

• Name
• Payment account number
• Address, including country, personal document number, or date and place of birth
• Optionally, the Legal Entity Identifier (LEI) of the payer or an equivalent identifier

Payee’s Details: 

• Name
• Payment account number
• Optionally, the LEI of the payee or an equivalent identifier

Transfers that don’t involve an account number must have a unique transaction identifier.

Before initiating a fund transfer, the payer’s payment service provider must ensure the information provided is accurate, authentic, and complete. If there are discrepancies, missing details, or any suspicious information about the payer or payee, the transfer may be declined. It might also require reporting to the Financial Intelligence Unit (FIU).

On the receiving end, the payee’s Payment Service Provider (PSP) is responsible for setting up effective procedures to identify any missing or incomplete information during a transfer. They must take necessary actions based on the transfer’s risk level.

Ensuring Transparency in Crypto-Asset Transfers

For transactions involving crypto-assets, the Crypto-Asset Service Provider (CASP) of the originator has specific obligations to ensure both transparency and security:

1. Before or during the transfer, the CASP must ensure that the following details accompany the transfer of crypto-assets:

Originator’s Details:

• Name
• Distributed ledger (DLT) address (for DLT network transfers) or crypto-asset account number (for non-DLT transfers),
• Address, including country
• Personal document number, and customer identification number, or date and place of birth
• LEI (Legal Entity Identifier) or equivalent official identifier (if available)

Beneficiary’s Details:

• Name
• DLT address (for DLT network transfers) or crypto-asset account number (for non-DLT transfers),
• LEI or equivalent official identifier (if available)

2. If the transfer doesn’t register on a DLT or similar technology and isn’t made to a crypto-asset account, the transfer must include a unique transaction identifier.

3. The above information should be securely submitted before or during the transfer in accordance with regulations.

4. For transfers to a self-hosted address, the originator’s CASP must collect the required information. For transfers exceeding EUR 1,000, the ownership of self-hosted addresses should be verified.

5. Before initiating or executing transfers, verify the accuracy of the beneficiary and originator’s information using reliable sources. Ensure all actions are in compliance with applicable directives.

6. For batch file transfers of crypto-assets from a single originator, each transfer within the batch should contain the same required information as standard transfers. Additionally, the information should be verified.

Just like in the transfer of traditional funds, the CASPs of the beneficiary must verify the accuracy of the information before making the crypto assets available to the beneficiary. They must also take appropriate steps when the information is incomplete or missing.

Other Applicable Measures for PSPs and CASPs

In transfers similar to those of traditional funds, the CASPs handling the beneficiary’s assets must ensure the information’s accuracy. This verification is crucial before releasing the crypto assets to the beneficiary. The regulation provides detailed guidelines on these and other measures. Here’s a brief overview:

1. Internal Policies for Restrictive Measures: Service providers must establish internal policies, procedures, and controls to ensure compliance with Union and national restrictive measures. This is essential when conducting transfers of funds and crypto-assets. Some of these restrictive measures may involve freezing certain funds and crypto-assets or placing specific restrictions on some transfers. The European Banking Authority (EBA) will issue guidelines for these measures by December 30, 2024.
2. Provision of Information: Service providers must promptly respond to inquiries from authorities responsible for preventing money laundering and terrorist financing concerning the information required under this Regulation. 
3. Data Protection: The processing of personal data is subject to the General Data Protection Regulation (GDPR). Per the law, personal data can only be used to prevent money laundering and terrorist financing. It cannot be used for commercial purposes. Before beginning any business relationship or conducting any transactions, new clients must be provided with clear and concise information regarding data processing. Additionally, they should be informed about their legal obligations under this regulation.
4. Record Retention: Information on the payer, payee, originator, and beneficiary must not be retained for longer than necessary. PSPs and CASPs should retain records of this information for five years. Upon expiry of this period, personal data should be deleted unless national law permits or requires further retention for money laundering or terrorist financing prevention. 

Implementation, Sanctions, and Monitoring Under TFR

The supervisory body responsible for implementing this regulation for the EU is the European Commission. They work alongside the committee on the prevention of money laundering and terrorist financing. However,

1. Member states must establish rules on administrative sanctions and measures for breaches of this regulation. These sanctions should be effective, proportionate, dissuasive, and published in accordance with relevant directives.
2. They can choose not to establish rules if breaches are already subject to criminal sanctions. However, they must communicate the relevant criminal law provisions to the commission.
3. Member states must require appropriate authorities to actively monitor and ensure compliance with this regulation. Additionally, they should establish mechanisms to encourage the reporting of breaches of this regulation.

Conclusion 

The EU’s proactive approach to regulating the crypto asset industry underscores its commitment to ensuring a safe and innovative financial landscape. With the introduction of MICA and TFR, the EU aims to increase investor protection, foster innovation in the realm of DLT, and uphold the integrity of financial institutions and markets.

They will stop criminals from hiding under the features of crypto-assets to commit illegal acts. While there may be concerns about the implications of increased oversight, especially regarding centralized data collection, these concerns are valid. However, it’s essential to note that these measures also shield the industry from negative perceptions caused by a few bad actors. Importantly, all personal data collection, processing, and retention align with the standards of GDPR, ensuring robust data protection in line with modern digital requirements.

About Identity.com

One of the procedures for ensuring that criminals are not exploiting the crypto industry is following AML/CFT regulations, including an effective KYC process. The work of Identity.com, as a future-oriented company, is helping many businesses by giving their customers a hassle-free identity verification process.

Our company envisions a user-centric identity where individuals maintain control over their data. This commitment drives Identity.com to actively contribute to this future through innovative identity management systems and protocols.

As members of the World Wide Web Consortium (W3C), we uphold the standards for the World Wide Web and work towards a more secure and user-friendly online experience. Please get in touch for more info about how we can help you take control of your digital identity.