Home » Business » How the travel rule works and how it affects non-hosted cryptocurrency wallets

How the travel rule works and how it affects non-hosted cryptocurrency wallets

Let’s start in order, small first recap from the past. The so-called rules on fund transfers (Transfer of Funds RegulationTFR) are new European regulations that will come into effect together with the expected comprehensive crypto regulation MiCA. The TFR addresses a number of issues related to protection against money laundering and terrorist financing, especially in relation to cryptocurrencies. Crypto-assets service providers (CASP), i.e. typically exchanges, exchange offices, cryptocurrency “ATMs”, but also many others, will begin to fall under the supervision of the European Anti-Money Laundering Directive (AMLD).

With this, Europe will also see the application of the so-called travel rule, which we are talking about on Lupa they wrote for the first time in May 2019 in connection with the recommendations of the Financial Action Committee. It functions as an international intergovernmental organization recognized by most of the world as the global creator of standards and recommendations against money laundering and terrorist financing. The travel rule will require cryptocurrency service providers to collect information about their clients and share with other CASPs and relevant authorities information about who sends virtual assets, when and where.

In other words, when an exchange receives a crypto payment to a customer’s account, it will have an obligation to try to obtain information about its origin. It is somewhat similar to bank transfers, but with one significant difference. While in the world of traditional financial services there is a minimum amount whose movement is not subject to tracking, it will be a little different in the case of cryptocurrencies. The obligation will already apply to transactions worth just one euro. There is practically no threshold for cryptocurrency transactions. The reason apparently lies in the attempt to prevent popular money laundering techniques such as smurfing (sic), i.e. dividing a suspicious transaction into a number of smaller ones with amounts just below the detected threshold. But why different rules must apply to cryptocurrencies than to the euro and other fiat currencies is a bit of a mystery.

In the original FATF proposal, the threshold of 1,000 euros and 1,000 dollars existed. For a broader context, FATF updated its recommendations at that time, so that recommendation number fifteen, concerning new technologies, and sixteen, dealing with bank transfers, also started to include virtual assets. It required virtual service providers, or VASPs, to be licensed or registered and subject to systems to monitor and comply with anti-money laundering and anti-terrorist financing rules. The second recommendation required all VASPs to collect and share information about who sends virtual assets, when, and where. The client’s name, date of birth, bank account number or physical address is collected, and individual providers must then verify and provide this information with the transaction to each other and, upon request, to the relevant authorities.

Seemingly in a similar vein, the European Commission also proposed a new rule on fund transfers in July 2021. However, there are differences, one of which is obvious at first glance. CASP is a much more broadly defined category than the original VASP. On the one hand, this makes it possible to intercept various attempts to avoid regulation, on the other, it is like combing blueberries with a comb. It’s faster, but you also strip the bush of its life-giving leaves. For example, the provision of consulting services for crypto-assets also falls into the category of CASP.

And this is where it gets very interesting in relation to full-fledged user cryptocurrency wallets, which are also affected by the new regulation. They mean those that are not operated by a third party, but are managed and hosted directly by their users (either as a wallet on a computer, or for example cold storage). European regulators apparently don’t like it too much, and it shows in the name they chose for it. According to them, these are so-called non-hosted wallets, which for the uninitiated somewhat implies that normal wallets are hosted after all, which is of course nonsense and the exact opposite of reality. In any case, CASP is expected to apply the new reporting obligations to them as well.

However, there are at least a few minor differences. There will be a minimum threshold (1,000 euros) up to which transfers will remain without reporting obligations and for users without the need to provide additional information for the transaction, i.e. at least in cases that the system does not evaluate as suspicious. Of course, the users themselves do not have to report transactions between themselves at all.

If this sounds like a dystopia to you, then know that the original proposal of the European Parliament was even stricter, because it imposed the same requirements on CASP in the case of non-hosted wallets as for transactions sent between individual CASPs, which would also include verification of the information provided. However, there was a huge backlash against this in March, as it could easily lead to the complete cutting off of unhosted crypto-wallets from, for example, exchanges. It would be the easiest and cheapest solution for them. There is often no easy technological possibility to reliably verify the sender’s identity in the case of a “non-hosted wallet”.

The Parliament therefore made some concessions from its original proposal. But it’s no glory, let’s go through all the scenarios for clarity.

I am sending from my cold storage to a third-party wallet that falls under the CASP category, a crypto transaction greater than or equal to 1000 euros. It’s quite simple here. The service has an obligation to ask me if I’m the owner of the wallet, and if so, it’s up to me to prove it as well. The only advantage of the whole registration process is that you only need to go through it once, and from then until eternity such a wallet is paired with my identity. If the transaction is smaller at the given time, no verification takes place.

But then there may still be a situation when, for example, I send cryptocurrency from (or to) a CASP wallet from (or to) a non-hosted third-party wallet. In such a case, regardless of the size of the transaction (at least that’s how it appears so far), CASP has an obligation to obtain additional information about the given wallet.





In addition, they must apply a so-called risk assessment to the transaction. If the risk appears to be negligible, the transaction can go through, if not, CASP will have to take other steps that will reduce the risk (identity verification, additional information about the origin and destination of the transaction, extended monitoring of the next flow of funds).

The European Banking Authority is to present detailed instructions on risk assessment and steps leading to their elimination in the next 18 months.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.