What CASPs Need to Remember about the TFR's Final Version
The final version of the Transfer of Funds Regulation (TFR) was published on 31 May 2023. This is the version that will be in force when the TFR is applied on 30 December 2024.
Previous versions of the document differ slightly from this version, which has caused some confusion between the two. This blog addresses common issues surrounding the previous TFR draft and provides the correct information per the current document.
All Transfers Require Travel Rule Data Irrespective of Value
In its initial draft, the TFR stipulated that for transfers below EUR 1000 between crypto-asset service providers (CASPs) registered in the EU, the originating CASP could send less information in instances that posed no elevated risks. This ruling has fallen away. As of 31 May 2023, CASPs are to exchange the full data set stipulated in the TFR for every transaction, irrespective of the transaction value.
The Full Travel Rule Data List Includes:
originator name,
originator distributed ledger address,
originator crypto asset account number,
originator address, which must include the name of the country, official personal document number and customer identification number, or alternatively, date and place of birth,
originator LEI (where applicable, or an equivalent official identifier).
beneficiary name,
beneficiary distributed ledger address,
beneficiary crypto asset account number,
beneficiary LEI (where applicable, or an equivalent official identifier).
Travel Rule Data Must Be Exchanged for All Transactions Irrespective of Location
The originating CASP is responsible for ensuring that the transfer includes the necessary Travel Rule data. When transmitting funds from an EU CASP to one outside the EU, it falls upon the originating CASP to confirm that the beneficiary CASP has adequate measures in compliance with the GDPR to receive and securely store the data.
Withholding the data purely because the counterparty CASP is foreign is not a sufficient reason and will result in a transaction that is not compliant with the TFR. The originator is permitted not to send the data only if they have ascertained that their counterparty cannot receive or store the Travel Rule data securely as outlined in Regulation (EU) 2016/679, using, where appropriate, the options available in Chapter V of Regulation (EU) 2016/679.
The European Data Protection Board*, after consulting with the European Banking Authority (EBA), has been tasked with issuing guidelines regarding the practical application of data protection standards for the transfer of personal data to third countries within the framework of crypto-asset transfers.
Going forward, guidelines on suitable procedures for determining whether the transfer of crypto assets should be executed, rejected or suspended in such cases will be issued to CASPs to give further clarity on the matter.
*At the time of writing, the EDPB had not provided these guidelines.
Self-hosted Wallet Verification Is Required for Transfers over EUR 1000 and in Suspicious Circumstances
For transactions totalling more than EUR 1000* to or from a self-hosted wallet, CASPs must verify that the client has control over the associated address through a technical solution. Examples include Address Ownership Proof Protocol (AOPP) or a Satoshi Test.
In cases where the CASP suspects misleading information or detects suspicious transaction trends, it is the CASP's responsibility to apply enhanced due diligence (EDD) procedures and request wallet ownership proof.
For all self-hosted wallet transactions, CASPs must gather and retain data on the originator and beneficiary, although this information does not need to be verified. Wallet verification, however, is to be requested for all transactions over EUR 1000 OR if the transaction is suspicious, for example, irregular for the user’s profile.
*EUR 1000 is per transfer or collective transfers using the same address, summing to EUR 1000 plus.
The TFR Is Live in Less than a Year: CASPs Need a Solution Now
Technically speaking, CASPs have until the end of 2024 to implement a Travel Rule solution as the TFR will only be applied (go live) on 30 December 2024.
However, CASPs that wait until the last minute to implement a Travel Rule solution, on the logic of “why pay for a product that isn’t needed right now?”, are putting their businesses at risk for several reasons. The most obvious is a loss of money in the long run.
CASPs Should Implement a Travel Rule Solution Now
Above, we mentioned the potential loss of money in the long run; let’s delve into that. Assuming a CASP’s dev team isn’t on its annual Christmas break and can implement a Travel Rule solution on 30 December with zero issues, what about the compliance team?
Will they be able to hit the ground running? That is, will they set the required solution parameters (for example, fuzzy name matching or the Satoshi Test limit), learn how to operate the new program and its tools, figure out how to request and review self-hosted wallet ownership proofs, and continue with their usual workload in their regular 8-hour day? Probably not, which can result in customer dissatisfaction and the possibility of these customers seeking a CASP that is more organised to conduct their business.
Read more about 21 Travel Rule, the only Travel Rule solution that guarantees GDPR-compliance.
SaaS Travel Rule Solutions Do Not Offer Adequate Data Privacy and Protection
As the Travel Rule involves the exchange of sensitive customer data, CASPs must consider all the options when choosing a Travel Rule solution.
Software-as-a-Service (SaaS) solutions have benefits; for example, they are generally simpler to get going than on-premises Travel Rule solutions. However, they may add significant risks, especially regarding data protection. SaaS solutions are run in the cloud and are susceptible to hacks and data leaks. Apart from the risks of breaches, with enough data, a software provider can generate intelligence and profit from this information.
The EU Commission even voiced its concern over cloud storage at an FATF VACG meeting last year, cautioning the users of SaaS Travel Rule solutions to set up their data protection contracts with great care.
An on-premises setup means that the solution is installed and operated on the servers of the CASP company. Since it resides within the company's premises, no external entity can access the data. Transactions remain confidential, known only to the involved CASPs, aligning with the objective of implementing a Travel Rule solution. This internal handling is crucial for maintaining security.
By employing an on-premises solution, CASPs can ensure better adherence to the GDPR, as data is not shared with any external Travel Rule provider and remains under the direct control of the CASP. Consequently, CASPs retain complete oversight of customer data storage, enabling comprehensive compliance with the European GDPR.