4.05 Travel Rule

 

Contents

• What is travel rule?
• What are the principles of the Travel Rule?
• Subject matter and scope of application
• Definitions used
• Obligations of the originator's service provider
• Obligations of the beneficiary's service provider
• Transfers outside the Union
• Travel rule and protection of personal data
• Summary

 

What is travel rule?

The cryptocurrency sector's 'travel rule' is a reference to Financial Action Task Force (FATF) Recommendation 15 of June 2019. It states that all cryptocurrency companies, when processing transactions, must obtain and store the required information on both the sender and recipient of such a transfer. Furthermore, they must make them available to the competent authorities upon request.

 

What are the principles of the Travel Rule?

The main idea is to introduce new requirements into EU law in the area of obtaining information from crypto-related service providers specific to the originator and the beneficiary. These requirements were proposed in the Financial Action Task Force (FATF) Recommendation 15 of June 2019.

"Countries should ensure that service providers obtain and store the required information about the originator of the transfer, as well as its beneficiary, and make it available to the competent authorities upon request."

The proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-actives is part of the AML/CFT package. This in turn is part of the European Commission's 7 May 2020 Action Plan. The regulation is due to enter into force on the twentieth day after its publication in the Official Journal. 

In the Action Plan, the Commission declared that it will introduce measures to strengthen the EU's anti-money laundering and counter-terrorist financing rules and make their implementation more effective. This is to be achieved by addressing six key priorities or pillars:

• Ensuring effective implementation of the existing EU AML/CFT framework,
• Establishing a single set of EU AML/CFT rules,
• Ensuring AML/CFT oversight at EU level,
• Establish a support and cooperation mechanism for FIUs, 
• Criminal law enforcement at EU level and exchange of information,
• Strengthening the international dimension of the EU AML/CFT framework.

The proposal complements the current provisions on transfers of funds by extending the scope of Regulation 2015/847 to include transfers of crypto-assets.

 

Subject matter and scope of application

The regulation lays down rules on the information on originators and beneficiaries to be stored for the purpose of preventing money laundering and terrorist financing. This makes it much easier to detect illegal activities if at least one of the service providers party to such a transfer is established in the Union.

The requirements apply to service providers where the transactions they carry out, whether denominated in fiat currency or cryptocurrencies, involve: 

• traditional electronic funds transfer,
• the transfer of crypto-assets between a crypto-asset service provider and another obligated entity - e.g. between two service providers or between a service provider and a bank or other financial institution).

Because crypto-assets are inherently international and risky, all transfers of crypto-assets should be treated as international electronic funds transfers, precluding the application of a simplified national transfer regulation regime.

The regulation does not apply to:

• the transfer of crypto-assets to public authorities as payment of taxes, fines or other dues in a Member State, 
• transfers where both the originator and the beneficiary are crypto service providers acting on their own account,
• transfers of crypto-assets between persons.

EXCLUSION

Member States should have the possibility to exclude from the scope of application of the Regulation transfers of low-value cryptocurrencies used for the acquisition of goods or services.

 

Definitions used

• Crypto-asset transfer - any transaction at least partially carried out electronically on behalf of an originator through a crypto-asset service provider, which takes place for the purpose of making crypto-assets available to a beneficiary through the service provider. The definition remains the same irrespective of whether the originator and the beneficiary are the same person, and irrespective of whether the originator's crypto service provider is the same as the beneficiary's crypto service provider.
• Person-to-person transfer of crypto-assets - a transaction between natural persons acting as consumers, for purposes other than a commercial, business or professional activity. The definition assumes that such a person is not using a supplier or other obligated entity in this case.
• Crypto-asset - a crypto-asset as defined in Article 3(1)(2) of the MiCA Regulation, except those that fall into the categories listed in Article 2(2) of that Regulation or qualify as funds under another title.
• Crypto-asset service provider - a crypto-asset service provider as defined in Article 3(1)(8) of the MiCA Regulation that provides at least one crypto-asset service as defined in Article 3(1)(9) of the MiCA Regulation. 
• Originator - a person who holds an account with a crypto-asset service provider and authorises a transfer from that account or, in the absence of an account, who places an order for the transfer of crypto-assets.
• Beneficiary - the person who is the intended recipient of the crypto-asset transfer in question.
• Legal Entity Identifier (LEI) - a unique alphanumeric reference code assigned to a legal entity based on ISO 17442. 
• Bulk transfer - a bundle of several individual transfers of cash or crypto-actives grouped together for the purpose of transmission.

 

Obligations of the originator's service provider

The crypto service provider relevant to the originator must implement the obligation to include in the transfer data such as:

• the name of the originator,
• his account number, if used to process the transaction,
• the originator's address,
• the number of the official personal document,
• customer identification number or date and place of birth,
• name of the beneficiary,
• his account number, if such an account exists and is used to process the transaction.

This information need not be attached directly to or included in the transfer. By way of derogation, if the transfer is not from or to an account, it is possible to identify the transfer individually and record the addresses of the originator and the beneficiary in a distributed register.

By way of derogation, in the case of a transfer of crypto-assets with a value of up to EUR 1,000 that does not appear to be linked to other transfers with a value in excess of EUR 1,000, at least: 

• the name of the originator and the beneficiary; 
• the account number of the originator and of the beneficiary. 

In other cases, the supplier responsible for the initiator of the transaction must meet the requirements described earlier in order to be able to carry out the transfer.

 

Obligations of the beneficiary's service provider

The beneficiary's relevant service provider should implement effective procedures that include, inter alia, monitoring the transfer during or after processing. These procedures are designed to detect whether information concerning the originator or the beneficiary has been transferred with the transfer.

In the case of transfers of crypto-assets with a value in excess of €1,000, regardless of whether the transfers are made as a single transaction or several, the relevant service provider must verify the accuracy of the information received before making these funds available to the beneficiary. Furthermore, it should implement effective procedures to detect incompleteness of the data provided, which will allow the rejection of the transfer order or the triggering of a procedure to complete the information.

In the absence of the required originator or beneficiary data, the provider may return the transferred crypto-actives to the originator's account, or address, as well as hold them pending investigation by the competent authority.

 

Transfers outside the Union

In order to prevent money laundering and terrorist financing in third countries, transfers from the Union outside the Union should be accompanied by full payer and recipient information - this enables the source of the crypto-assets to be identified.

Full payer and recipient information should include the legal entity identifier (LEI) if the payer has provided it to its service provider. This would enable a more efficient identification of the parties involved in the money transfer.

 

Travel rule and protection of personal data

Suppliers who collect personal data for the purpose of complying with the Travel Rule must not process it for other purposes. Consequently, they should have appropriate technical and organisational measures in place to protect this data against accidental loss, alteration, unauthorised disclosure or access.

Before establishing a business relationship or carrying out a transaction, service providers should inform new customers of their legal obligations regarding the processing of personal data to prevent money laundering and terrorist financing.

 

Data retention

Service providers are required to keep information on originators and beneficiaries for a certain period of time in order to improve the detection and prevention of money laundering or terrorist financing. This period should not exceed five years, after which all personal data should be erased, unless otherwise provided for under applicable national law. This will make possible investigations easier in the event of suspected illegal activities.

 

Penalties and administrative measures

In the case of violations of this regulation by service providers, EU Member States may apply penalties or measures in accordance with national law to the members of the board of directors of the company concerned, or other persons responsible for the violation.

 

Summary

The obligations imposed by the regulation will pose various technical challenges, as service providers will have to develop technological solutions to collect the necessary information and exchange it both among themselves and with the competent authorities.

In order to comply with the new requirements, it will not only be necessary to update existing internal guidelines, but also to expand and adapt them to the new ones. This is another case of rules already in place in the banking sector being extended to the cryptocurrency industry.