
Final EU travel rule guidelines to impact crypto-asset service providers (CASPs) in 2024

European Banking Authority guidelines additionally impose communication and security guidelines on CASPs. TRISA Envoy helps operators comply.

The European Banking Authority (EBA) has issued the final report on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (‘Travel Rule Guidelines’). Additionally, the guidelines impose the European Banking Authority’s (EBA) Guidelines for Information and Communication Technology (ICT) and Security Risks. 

Section 4.3.1

  1. PSPs, IPSPs, CASPs and ICASPs should ensure that the systems they use for the transfer of information are secure. CASPs should also apply the guidance provided to PSPs by the EBA Guidelines on ICT and security risk management.

It explicitly covers payment service providers (PSPs), intermediary PSPs (IPSPs), crypto-asset service providers (CASPs), and intermediary CASPs (ICASPs).

Travel Rule Guidelines: Key Points and Obligations

The EBA’s Travel Rule guidelines, set to take effect on December 30, 2024, extend existing anti-money laundering requirements to crypto transactions. Here are the crucial elements you need to understand:

  1. Information Transmission Requirement

For crypto transfers exceeding €1000, CASPs must transmit the following information about both the originator and the beneficiary:

  • Name of account holder and all joint account holders
  • Account number (e.g., wallet address)
  • Physical address, official personal document number, customer ID number, or date and place of birth

  1. Obligation to Verify Prior to Sending

CASPs must verify the accuracy of the originator’s information for their own customers before any transmission.

  1. Detecting Missing Information

CASPs are required to implement effective procedures to detect transfers lacking the required information.

Return of Crypto-Assets

When a CASP decides to reject or return a transfer due to missing information, it must inform the previous provider in the chain of this decision. For crypto-assets, if rejection is not possible, the transfer should be returned to the originator or, if that is not feasible, held securely while an alternative return method is arranged with the originator.

TRISA added return addresses to the proposed vasp.txt standard to help VASPs discover counterparty compliance details.

Address Poorly-Compliant CASPs

The guidelines outline how virtual asset service providers should handle cases where other providers repeatedly fail to provide the required information for transfers. Key points include:

  • Establishing criteria to define “repeatedly failing” providers
  • Using quantitative metrics like the percentage of transfers with missing information
  • Considering qualitative factors like the level of cooperation
  • Issuing warnings to non-compliant providers
  • Rejecting future transfers or increasing monitoring
  • Considering enhanced due diligence before terminating relationships
  • Reporting repeatedly failing providers to authorities within 3 months                                                                                 

The guidelines aim to ensure providers have clear processes for addressing non-compliance, balancing the need for complete information with maintaining business relationships. They emphasize a graduated approach, starting with warnings and escalating to rejections or reporting if issues persist.                                                                                                                                                                                                  
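
A sketch of the detection step and of the "percentage of transfers with missing information" metric described above, added here as an illustration; it is not TRISA or EBA code. The record layout, field names and sample data are assumptions, and the third required item is read as "any one of" the listed identifiers.

```python
from collections import defaultdict
from decimal import Decimal

THRESHOLD_EUR = Decimal("1000")  # the page's threshold: transfers exceeding EUR 1000
# Assumed field names; any one identifier satisfies the page's third bullet.
IDENTIFIERS = ("physical_address", "document_number", "customer_id", "birth_date_and_place")


def _present(party, field):
    return bool(str(party.get(field) or "").strip())


def missing_fields(party):
    """List the required items absent from one originator/beneficiary record."""
    missing = [f for f in ("name", "account_number") if not _present(party, f)]
    if not any(_present(party, f) for f in IDENTIFIERS):
        missing.append("identifier")
    return missing


def check_transfer(transfer):
    """Map role -> missing items; empty when complete or at/below the threshold."""
    if Decimal(str(transfer["amount_eur"])) <= THRESHOLD_EUR:
        return {}
    gaps = {role: missing_fields(transfer.get(role) or {})
            for role in ("originator", "beneficiary")}
    return {role: items for role, items in gaps.items() if items}


def missing_rate_by_counterparty(transfers):
    """Fraction of above-threshold transfers with gaps, per sending provider."""
    total, bad = defaultdict(int), defaultdict(int)
    for t in transfers:
        if Decimal(str(t["amount_eur"])) > THRESHOLD_EUR:
            total[t["counterparty"]] += 1
            bad[t["counterparty"]] += bool(check_transfer(t))
    return {cp: bad[cp] / total[cp] for cp in total}


# Constructed sample data (not real transfers or providers).
OK = {"name": "A. Example", "account_number": "wallet-1", "customer_id": "C-17"}
SAMPLE = [
    {"counterparty": "casp-a.example", "amount_eur": "2500", "originator": OK, "beneficiary": OK},
    {"counterparty": "casp-b.example", "amount_eur": "1800",
     "originator": {"name": " ", "account_number": "wallet-3"}, "beneficiary": OK},
    {"counterparty": "casp-b.example", "amount_eur": "5000", "originator": OK, "beneficiary": OK},
    {"counterparty": "casp-b.example", "amount_eur": "400", "originator": {}, "beneficiary": {}},
]

if __name__ == "__main__":
    for cp, rate in missing_rate_by_counterparty(SAMPLE).items():
        print(f"{cp}: {rate:.0%} of above-threshold transfers incomplete")
```

The rate at which a counterparty counts as "repeatedly failing" is deliberately not fixed here, since the guidelines leave that criterion for each provider to establish.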

  1. Risk-Based Measures for Incomplete Transfers

When a transfer lacks required information, financial service providers should assess money laundering and terrorist financing (ML/TF) risks based on:

  1. Unusually large transfers
  2. Transactions involving sanctioned countries or high-risk territories
  3. Transfers linked to countries with poor AML/CFT measures
  4. Transactions with entities in non-compliant jurisdictions
  5. Transfers involving unregulated entities
  6. Self-hosted wallet transactions
  7. Transfers linked to suspicious activity
  8. Transactions with non-compliant providers
  9. Complex transaction patterns that obscure origins
  10. Use of anonymity-enhancing services

These factors help identify high-risk transfers requiring enhanced scrutiny to prevent financial crimes. Providers should integrate these considerations into their risk assessment processes, adjusting their due diligence and monitoring accordingly.

CASPs must take risk-based actions such as:

  • Rejecting the transfer
  • Suspending the transfer
  • Requesting the missing information
  • Detecting linked transfers

  1. Obligations at the Off-Ramps: Payment Service Provider

Regulation (EU) 2023/1113 requires CASPs to:

  • obtain and hold information on self-hosted addresses
  • ensure transfers of crypto-assets can be individually identified
  • assess whether an address is owned/controlled by a customer for transfers over €1,000

The Guidelines provide details on the steps to be taken for self-hosted addresses to:

  • Individually identify a transfer
  • Identify transfers from/to self-hosted addresses
  • Identify the originator and beneficiary
  • Prove ownership/controllership (if applicable)
  • Put in place mitigating measures (if applicable)

  1. Travel Rule Covers Intermediary CASPs and Intermediary PSPs

The Travel Rule explicitly covers intermediary CASPs (ICASPs) and intermediary PSPs (IPSPs).

  1. Unhosted Wallet Transfers

Regulation (EU) 2023/1113 requires CASPs to:

  • Get and keep info on self-hosted addresses
  • Make sure crypto transfers can be individually identified
  • Check if the address is owned or controlled by the CASP customer when the transfer is over EUR 1,000

The Guidelines explain how to:

  • Individually identify a transfer
  • Identify transfers from or to self-hosted addresses
  • Identify the sender and receiver
  • Prove ownership or control (when needed)
  • Implement mitigating measures (when needed)

  1. Record-Keeping

CASPs must maintain records of the transmitted information for five years.

  1. Compliance Procedures

CASPs need to establish risk-based policies and procedures to determine when to execute, reject, or suspend transfers lack

  1. Operational security 

Financial institutions, including CASPs, should implement procedures to prevent security issues from occurring in ICT systems and ICT services and should minimize their impact on ICT service delivery. TRISA’s security framework provides for the following measures:

1) Implementation of the encryption of network traffic classified as EBA Restricted Use and EBA Confidential Use 

2) Ensuring that mechanisms are in place to verify the integrity of software, firmware, and data; 

3) Encryption of data at rest and in transit that is classified as EBA Restricted Use and EBA Confidential required information.

Implementing the Travel Rule: Key Challenges and Solutions

Technical Integration

Challenge: Implementing systems to seamlessly transmit and receive Travel Rule information.

Solution: Explore industry solutions like TRISA (Travel Rule Information Sharing Alliance) and TRISA’s open source solution, or engage with commercial travel rule compliance solutions such as 21 Analytics, Osprey, and blockchain analytics firms to integrate Travel Rule compliance into your existing systems.

Data Privacy Compliance

Challenge: Balancing Travel Rule requirements with data protection regulations like GDPR.

Solution: Implement robust data protection measures, including encryption and access controls. Clearly communicate to users how their data will be used and shared.

Unhosted Wallet Verification

Challenge: Verifying ownership/control of unhosted wallets for high-value transfers.

Solution: Develop a risk-based approach for wallet verification, which could include:

  • Requesting signed messages from the wallet
  • Using blockchain analytics to assess wallet history
  • Implementing additional Know Your Customer (KYC) measures for high-risk transfers

Interoperability

Challenge: Ensuring your Travel Rule solution can communicate with other CASPs globally.

Solution: Participate in industry working groups and consider adopting widely-used protocols to maximize interoperability.

Interoperability is one of TRISA’s foundational values. We collaborate on interoperability with Global Digital Finance, InterVASP, OpenVASP, Travel Rule Protocol, 21Analytics, Notabene, Sygna, and more.

Customer Experience

Challenge: Implementing Travel Rule requirements without significantly impacting user experience.

Solution: Integrate Travel Rule data collection seamlessly into your onboarding and transaction processes. Educate users about the requirements and their benefits.

Security Requirements Imposed by EU Travel Rule Guidance

While the Travel Rule guidelines focus on information sharing, they also incorporate security requirements from the EBA Guidelines on ICT and security risk management that are crucial for effective implementation:

Strong Authentication

Implementing robust authentication methods is essential for both Travel Rule compliance and overall security. Consider:

  • Multi-factor authentication (MFA) for account access and high-value transactions
  • Risk-based authentication, increasing security for Travel Rule-applicable transfers
  • Continuous authentication to ensure ongoing transaction legitimacy

TRISA’s Public Key Infrastructure (PKI) uses the same robust digital certificates and roots of trust that are used to secure banking, e-commerce, and digital communication. For additional privacy control, TRISA enables mutual authentication of counterparty VASPs and CASPs and secure communication over mTLS. Importantly, TRISA’s connections are continuously authenticated, and the certificate revocation function provides for ongoing transaction legitimacy.

Data Protection

Securing the additional personal data required for Travel Rule compliance is crucial:

  • Implement end-to-end encryption for data transmission
  • Ensure secure storage of Travel Rule data, with strict access control
  • Regularly audit data access and usage

TRISA’s mTLS connections make sure that data is only sent to the intended CASP in an encrypted tunnel. TRISA envelopes are also encrypted in transit and at rest. This system, with an encrypted data layer and a secure transport layer, delivers the industry’s strongest protection of travel rule data.

Transaction Monitoring

Effective transaction monitoring supports both Travel Rule compliance and security:

  • Implement real-time screening of transactions against sanctions lists
  • Develop algorithms to detect suspicious patterns in Travel Rule data
  • Integrate Travel Rule data into your broader AML monitoring systems

Incident Response

Robust incident response procedures are crucial for addressing potential security breaches, Travel Rule data breaches, or compliance failures:

  • Develop specific incident response plans for Travel Rule-related issues
  • Conduct regular drills to test your response capabilities
  • Establish clear communication protocols with other CASPs and regulators

Action Plan for PSPs and CASPs with exposure to EU customers

Some CASPs will choose to exit the EU rather than pay the high cost of compliance. To prepare for the December 30, 2024 Travel Rule implementation deadline, CASPs that plan to stay in the EU should immediately consider the following action items:

  1. Systems Gap Analysis: Conduct a thorough assessment of your current systems and processes against the Travel Rule requirements. Identify key areas needing improvement.
  2. Security Gap Analysis: Conduct a thorough assessment of your security and incident response processes against the EBA Guidelines on ICT and security risk management. Identify key areas needing improvement.
  3. Budget Analysis: Plan and budget for systems and staff.
  4. Community Participation: Participate in the Travel Rule Information Sharing Alliance and community calls.
  5. Technology Evaluation: Research and evaluate available Travel Rule solutions. Consider factors like cost, interoperability, scalability, and integration with your existing systems. If interested, schedule a demo of TRISA Envoy.
  6. Policy Development: Draft comprehensive policies and procedures for Travel Rule compliance, including risk-based measures for handling incomplete transfers.
  7. Staff Training: Develop a training program to ensure all relevant staff understand the Travel Rule requirements and your new procedures.
  8. Customer Communication: Plan your strategy for communicating the new requirements to customers. Consider updating your terms of service and privacy policies.
  9. Testing & Implementation: Allow ample time for testing your Travel Rule solution before the compliance deadline. Consider a phased rollout to identify and address any issues.
  10. Ongoing Monitoring: Establish processes for ongoing monitoring of your Travel Rule compliance, including regular audits and reviews.

Conclusion

The rapidly approaching Travel Rule guidelines represent a significant expense for CASPs and PSPs operating in the EU. While compliance may require substantial effort and investment, TRISA can help ease the burden. By joining the TRISA community, you gain access to best-of-breed security infrastructure and open-source secure communication software. Interested CASPs and PSPs should also schedule a demo of TRISA Envoy.

Glossary

A CASP is any legal person or undertaking whose occupation or business is the provision of one or more crypto-asset services to third parties on a professional basis. CASPs are a subset of Virtual Asset Service Providers, a category which covers all virtual assets, including crypto-assets.

Key services that define a CASP include:

  1. Custody and administration of crypto-assets on behalf of third parties.
  2. Operating a trading platform for crypto-assets.
  3. Exchanging crypto-assets for fiat currency or other crypto-assets.
  4. Executing orders for crypto-assets on behalf of third parties.
  5. Placing crypto-assets on the market.
  6. Providing transfer services for crypto-assets.
  7. Providing advice on crypto-assets.
  8. Providing portfolio management services for crypto-assets.

Links

The European Banking Authority (EBA) final report on information requirements in relation to transfers of funds and certain crypto-assets transfers under Regulation (EU) 2023/1113 (‘Travel Rule Guidelines’). 

The European Banking Authority’s (EBA) Guidelines for Information and Communication Technology (ICT) and Security Risks
