A comparison of the data sharing requirements for crypto-asset service providers caught by the EU’s Transfer of Funds Regulation and virtual asset service providers in FATF’s Recommendation 16
In 1996, the global standard-setting body, the Financial Action Task Force (FATF) first published its 40 Recommendations for the combatting of money laundering and terrorist financing (ML/FT). FATF Recommendation 16 proposed global standards for transparent wire transfers. Often referred to as the Travel Rule, this Recommendation required financial institutions to identify both the originator (payer) and beneficiary (payee) at each end of a wire transfer and share required data.
In 2015, the Transfer of Funds Regulation (ToFR), or Europe’s version of the Travel Rule, was originally introduced to harmonise the EU approach and bring EU legislation in line with FATF Recommendation 16.
Three years later, in 2018, FATF broadened Recommendation 16 and extended the definition of ‘financial institution’ to include virtual asset service providers (VASPs), thus bringing virtual asset transfers in scope of the Travel Rule. In response to FATF’s update and in lock step with the Markets in Crypto-assets Regulation (MiCAR), which sets out the definition of a crypto-asset service provider (CASP), the EU enacted an update to the ToFR[1] in May 2023 obliging all European CASPs to comply with Travel Rule requirements by the end of 2024.
This update to the ToFR required that the European Banking Authority (EBA) issue guidelines to assist obliged entities in detecting and acting on missing or incomplete originator or beneficiary information. In November 2023, the EBA published a consultation on The Travel Rule Guidelines[2] (the Guidelines) and is accepting responses from the industry until 26 February 2024.
The updated ToFR and subsequent Guidelines and FATF’s Recommendation 16[3] present different data-sharing requirements that may have significant implications for Travel Rule-compliant entities that are outside of the EU and the European CASPs that transfer value with them.
While FATF’s required data points and those in the ToFR are largely aligned, there are a couple of key differences.
The ToFR data-sharing requirements make provisions for the transfer of assets that are not settled using DLT technology. For example, if an originator shares their private key with another user and provides them access to their wallet, a transfer of assets is handled off-chain, and a crypto-asset account number must be used in lieu of a distributed ledger address.
The ToFR mandates the transmission of a broader set of information on the originator, stating that the address (including the name of the country), official personal document number and customer identification number are all required data points. The FATF does not require the inclusion of all these pieces of information but makes it evident that, at minimum, an address, national identity number, customer identification or date and place of birth must be present.
The ToFR specifies that in the rare case where the originator’s name, account number, address and official personal document number are not enough to identify the originator, the CASP should also transfer information on the date and place of birth.
FATF does not outline specific data use cases for geographic addresses. On the other hand, the EBA’s Guidelines clarify that if the originator behind a transfer is:
The Guidelines further clarify that the address should be provided, to the extent possible, in the following order of priority:
1. Full country name[4]
2. Postal code
3. City
4. State
5. Province
6. Municipality
7. Street name
8. Building number
9. Building name
It is also noted that a PO box or virtual address is not permitted as a valid address type and will not be compliant with the ToFR requirement.
The EBA’s Guidelines specify that when transfers originate from a joint account, wallet or address, information must be disclosed on all holders of the account, wallet or address (unless there are technical limitations that prevent the transmission of this data).
There is no corresponding guidance issued by FATF on the subject of transferring data related to joint holders.
The FATF acknowledges that there may be technical limitations that prevent required originator and beneficiary information from accompanying a data submission. In such a circumstance, FATF mandates the beneficiary’s VASP keep a record from the originator’s VASP[5] for a minimum duration of 5 years.
The ToFR requires that intermediaries in a transfer chain must retain records of transmitted data and make them available on request to competent authorities. CASPs may use infrastructures or services that are not fully capable of transmitting the required information until July 2025, provided that additional policies and procedures are put in place. In cases where technical limitations prevent the transmission of:
The InterVASP Messaging Standard, IVMS 101.2023, has gained widespread adoption as the global data standard for Travel Rule compliance. Data compliant with the ToFR can be effectively transmitted adhering to IVMS 101.2023, ensuring broader interoperability between Travel Rule solutions. However, owing to the heightened standard of originator data required by the ToFR, not all data adhering to IVMS 101.2023 would be compliant with the ToFR.
Technical solution providers and CASPs that are ToFR-compliant will be responsible for the detection of missing, incomplete and meaningless information and completing additional validation checks upon the data payload.
In our comparative analysis of FATF Recommendation 16 and the EU’s ToFR, there are several subtle, but not insignificant, differences in requirements for originator and beneficiary data.
While both standards require the provision of verified information on the originator of a transfer, the ToFR has a higher standard of data requirements for originating CASPs than FATF. The ToFR also offers more complete guidance in the use of joint accounts and in cases where technical limitations prevent the transmission of mandated data.
The Guidelines identify steps to follow if a Travel Rule solution provider or protocol is not immediately technically capable of meeting the ToFR’s specific requirements.
[1] Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfer of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Link)
[2] Consultation paper on the draft guidelines on preventing the abuse of funds and certain crypto-asset transfers for money laundering and terrorist financing purposes under regulation (EU) 2023/1113 (‘The Travel Rule Guidelines’) (Link)
[3] Including interpretative note 16 (INR 16)
[4] Or ISO-3166 Alpha 2.
[5] Para. 202, in FATF's Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (Link)
