red 
On June 29, European policymakers reached a provisional agreement on the application of the EU Funds Transfer Regulation (TFR) to digital assets.
The extension of the TRF to most crypto transfers will have major implications for cryptoasset service providers (CASPs) operating in the EU, which is committed to improving the transparency of fund transfers. The agreement comes amid concerns across the EU that Russia could use cryptoassets to evade sanctions – a factor that has fueled the urgency around the proposal.
As part of the agreement, the EU has also decided to speed up the implementation of these measures by aligning them with the introduction of the bloc’s separate – but related – regulation on markets in crypto-assets (MiCA), which was also agreed by EU policymakers on 30 June. While technical aspects of the text to implement the TFR must be finalized and approved before they come into effect, key provisions agreed last week are likely to remain.
So what is covered by the newly agreed TFR measures and what does it mean for EU crypto compliance teams?
Travel rule
Under the amended TFR, all CASPs in the EU will have to comply with the Travel Rule – a data exchange requirement that is part of the FATF standard – and collect relevant originator and beneficiary information for all CASP-to-CASP transfers of cryptoassets, without de minimum threshold.
The EU’s decision to require the Travel Rule for all transactions – regardless of value – goes even further than the Financial Action Task Force (FATF) Standards, which only require the exchange of travel rule information on transfers above €1,000.
CASPs in the EU will need to ensure that they can comply with the Travel Rules for any transaction where a direct transfer is made to another CASP. The measures clarify that CASPs must comply with the EU General Data Protection Regulation (GDPR) in the process of undertaking the sharing of travel rules data and should not process a transfer with another CASP if they are not sure that data privacy standards cannot be met. .
Balancing the dual requirement of sharing customer data while preserving privacy presents significant compliance challenges. European CASPs must implement a reliable travel compliance solution that can enable them to meet these requirements.
At Elliptic, we have integrated our blockchain analytics capabilities with leading travel compliance providers such as Notabene and Sygna to enable our clients to stay compliant. Given the significant Travel Rule compliance challenges, CASPs should begin the process of integrating Travel Rule data sharing capabilities into their compliance workflow today.
CASP counterparty due diligence
As part of the data exchange process under the Travel Rule, CASPs will also need to carry out due diligence on the CASPs of counterparties with whom they transact outside the EU.
This is hardly a surprise; earlier this year, Elliptic predicted that CASP due diligence would be high on regulators’ agendas. After all, CASP due diligence is a core component of the updated FATF standards. The latter highlighted the risks that unregulated and non-compliant VASPs, which Elliptic’s research has shown are common channels for laundering the proceeds of crimes such as ransomware.
In order to help the private sector identify and manage these risks, under MiCA the EU will publish a blacklist of non-compliant and unsupervised CASPs. EU-based CASPs will need to be particularly vigilant about potential transactions with these high-risk counterparties.
Available compliance solutions can enable compliance teams to conduct CASP due diligence and manage counterparty risk.
Elliptic Discovery is our in-depth analysis database of over 1300 CASPs. Discovery contains detailed profiles of CASPs, such as information on their regulatory status, countries of operation, and detailed blockchain analytics that highlight transaction risks.
This data allows CASPs to identify potential risk factors among counterparties, ensuring that they can safely trade with approved CASPs while avoiding unacceptably high risk operations. For example, Elliptic Discovery contains profiles of more than 400 CASPs that we have identified as having ties to Russia.
Embedding these types of due diligence data sources as part of your compliance workflow will become essential for any EU-based CASP.
Unhosted wallets
The new EU measures also address the ever-controversial topic of hostless wallets. In line with FATF standards, the EU aimed to address the risks of unhosted wallets, which enable transfers outside the regulated sector
In a positive development, the EU backed off on a previous controversial proposal to require CASPs to verify the identities of counterparties for all transfers with non-hosted wallet transfers – a proposal criticized by the crypto industry as unworkable.
However, under the newly agreed measures, CASPs will still face strict expectations when it comes to unhosted wallets. The measures agreed yesterday will require that for any unhosted wallet transaction above €1,000, CASP must verify that the wallet is owned and controlled by its client. The aim of the measure is to reduce the potential of CASP users to send funds to unknown and unverified actors.
This is in line with the approach on non-hosted wallets taken in Switzerland, where regulated entities must verify that their customers control transfers to third-party non-hosted wallets.
CASPs will also need to assess the illicit financial risks for all transactions with non-hosted wallets and apply appropriate risk-based due diligence measures. In addition, before making escrow funds available to their clients, CASPs must assess the source of the funds and determine that they do not involve exposure to sanctioned actors, and must also check for indicators of money laundering and other illicit financial risks.
This is similar to a recent proposal from the UK, which will also require CASPs to conduct risk-based due diligence on non-hosted wallets.
EU-based CASPs should rely on blockchain analytics capabilities to help meet management and risk assessment requirements with non-hosted wallets. Wallet verification solutions, such as Elliptic Lens, can enable CASPs to identify unhosted wallets belonging to sanctioned actors, ransomware gangs, and other illicit actors before enabling customer withdrawals.
CASPs will also need to ensure that they assess the risk of all cryptoasset transactions they process using transaction verification capabilities such as Elliptic Navigator, which can enable the detection of high-risk and blacklisted wallets.
Preparing for the changes ahead
The newly agreed EU measures will not take effect immediately. The current plan envisages the adoption of these new proposals alongside the implementation of MiCA – currently on schedule for the first half of 2024. The EU has also indicated that it will also review the proposals around non-hosted wallets in approximately 18 months to determine whether they remain appropriate.
However, CASPs should not remain complacent. Businesses that take steps now to prepare for the pending measures by implementing a compliance solution will position themselves for a smooth transition to the new rules.
Elliptic’s blockchain analytics and CASP due diligence solutions already enable some of Europe’s largest crypto firms and financial institutions to meet AML and sanctions requirements. Contact us to find out more about how we can help you meet evolving regulatory requirements across Europe.
Key takeaways
- Ensure your compliance team uses block analysis solutions to identify high risk exposure or blacklisted unhosted wallets.
- Use a CASP due diligence database such as Elliptic Discovery to assess the risk of our non-EU partners.
- Make sure you implement a Travel Rule solution that is integrated with blockchain analytics capabilities.
Regulation on compliance with the law
