VerifyVASP Highlights from EBA Travel Rule Guidelines
In July 2024, the European Banking Authority (EBA) published a final report entitled Guidelines for information requirements related to transfers of funds and certain crypto-assets under Regulation (EU) 2023/1113, known as the “Travel Rule Guidelines”.
Regulation 2023/1113, commonly referred to as the Transfer of Funds Regulation (TFR), comes into force alongside the Markets in Crypto-Assets Regulation (MiCA) from 30 December 2024. However, the Regulation itself did not stipulate in detail how payment service providers (PSPs), crypto-asset service providers (CASPs), and competent authorities should achieve compliance.
Specifically, the EBA was tasked to provide guidance on effective procedures and how they should be applied for:
- Detecting missing/incomplete information,
- Procedures for managing transfers lacking required information, and
- Technical aspects of applying the regulation to direct debits.
Following a consultation which VerifyVASP responded to earlier in the year, the final Guidelines aim to clarify how payment service providers (PSPs), crypto-asset service providers (CASPs), and competent authorities should comply with Regulation 2023/1113 on information accompanying transfers of funds and crypto-assets.
There are several themes that we wanted to highlight, along with our comments:
Privacy
In the background section, the EBA mentions: “Recital 19 of Regulation (EU) 2023/1113 states that ‘the processing of personal data under this Regulation should take place in full compliance with Regulation (EU) 2016/679 (…)’ and, equally, that ‘the transfer of personal data to a third country is required to be carried out in accordance with Chapter V of Regulation (EU) 2016/679’.”
Compliance with Chapter V of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), requires distinguishing between countries or territories with and without adequacy decisions.
Unless the legal entity of the counterparty is located in a country or territory where a GDPR adequacy decision was granted and is maintained, personal data cannot flow without additional safeguards. In January 2024, the European Commission reported to the European Parliament and the Council that eleven countries or territories had retained their adequacy decisions. Adequacy is the recognition of a third country's privacy framework as delivering a level of protection that is essentially equivalent to the EU's.
Without an adequacy decision, a counterparty VASP located in a non-EU jurisdiction could lack the legal basis to receive Travel Rule information, even if it is regulated. Such cases would require additional safeguards in the form of an enhanced risk mitigation measure.
One such measure, which still allows for a significant use case, is to limit transfers to first party only (same-name account holders). VerifyName, our enhanced risk mitigation measure, is already being used by VASPs around the world for same-name verification without the disclosure of PII.
Interoperability
In paragraph 26, EBA mentions: “CASPs and ICASPs should take proportionate, risk-sensitive measures to assess: a) the system’s ability to communicate with other internal core systems and with the messaging or payment and settlement systems of the counterparty of a transfer, and its compatibility with other blockchain networks;”
This aligns with our opinion that message system interoperability is neither necessary nor desirable in all cases. While interoperability between messaging protocols is useful, Travel Rule and data protection regulatory compliance itself should be placed as the higher priority. It is not possible or desirable for a CASP or ICASP to be connected to all VASPs, just as a bank is not directly connected with every bank in the world.
Assessing the TFR and Travel Rule Guidelines holistically, interoperability needs to be balanced with maintaining:
- Compliance with data privacy/protection obligations
- FATF standards, referencing the Guiding Questions published in FATF’s Targeted Update against a backdrop of shortcomings identified in certain Travel Rule tools
- Connectivity options only to trusted, credible VASPs that have undergone adequate due diligence
The actual bottleneck in expanding counterparty relationships is not a lack of interoperability, but rather the counterparty due diligence obligation under both R.13 (FATF Guidance on Correspondent Banking Services) and the Travel Rule requirements.
Immediately and Securely
Paragraph 25(b) reiterates the FATF requirements to “transmit the required information immediately and securely and no later than the initiation of the blockchain transaction.”
For Travel Rule information to have been fully transmitted no later than the initiation of the blockchain transaction, we would suggest, where possible, the best practice of transmitting this data prior to the blockchain transaction.
This enables several important processes to take place before the on-chain transfer: beneficiary verification, name screening and privacy protection prior to Travel Rule data being shared. It also limits the risk of returns. Refusing to accept transfers without full Travel Rule information transmission is only feasible when operating in a private virtual network, and only where both counterparties consent to adopt agreed workflows to this effect. We suggest the below workflow to our members:
Returns
In paragraph 55, the EBA states: “Where the rejection is technically not possible, the transfer should be returned to the originator. Where returning the transfer to the original address is not possible, CASPs should apply alternative methods. The alternative methods should be set out in their policies, and should include holding the returned assets in a secure, segregated account while communicating with the originator to arrange a suitable return method to the originator.”
We would add that if a VASP wishes to further mitigate the risks associated with return transactions, returning the assets (with the originator's consent) to another account of the intended beneficiary held at an approved VASP, within the Travel Rule or an enhanced risk mitigation process, is a straightforward solution. Where possible, processes should be put in place to apply the Travel Rule or an enhanced risk mitigation measure to the return transfer. This, combined with name screening on the originator and on-chain screening of the requested destination wallet address, can help to avoid transferring assets to illicit actors.
Legal Entity Identifiers (LEIs)
Articles 4 and 14 of Regulation (EU) 2023/1113 require the provision of an LEI or equivalent identifier for legal entities involved in transfers of funds or crypto-assets.
The Guidelines specify criteria for what constitutes an equivalent identifier to an LEI.
According to paragraph 41, PSPs and CASPs should consider only those official identifiers as equivalent to an LEI that:
a) Are a single identification code that is unique to the legal entity
b) Are published in public registries
c) Are issued upon entity formation by a public authority in the jurisdiction where the legal entity is based
d) Allow for the identification of the name and address elements
e) Are accompanied by a description of the type of identifier used in the messaging system
The Guidelines clarify that an LEI or alternative identifier is only required to be provided where “the necessary field in the relevant payments message format” exists, as specified in the Level 1 text.
The EBA notes that a BIC (Bank Identifier Code) does not fulfil the criteria to be used as an alternative identifier in the absence of an LEI, as it is the unique ID assigned to a bank within its group and cannot be used to identify individual legal entities.
The Guidelines state that the IBAN (International Bank Account Number) can be used as an alternative to the account number, but not as an alternative to the LEI.
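As an added illustration of the identifier rules above (example code written for this post, not VerifyVASP's or GLEIF's software), the following check validates the ISO 7064 MOD 97-10 check digits shared by the LEI and the IBAN, and rejects a BIC or IBAN offered in the legal-entity identifier field of a Travel Rule message. The test vectors assumed are the LEI that GLEIF publishes for itself and a widely circulated IBAN sample value; the BIC is a constructed placeholder.

```python
import re

# ISO 7064 MOD 97-10, used by both the LEI (ISO 17442) and the IBAN (ISO 13616):
# letters map to 10..35 and the resulting decimal string must leave remainder 1 mod 97.
def mod97(alnum: str) -> int:
    digits = "".join(str(int(c, 36)) for c in alnum)
    rem = 0
    for d in digits:  # streaming remainder, no need to build a huge integer
        rem = (rem * 10 + int(d)) % 97
    return rem

LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$")
BIC_RE = re.compile(r"^[A-Z]{6}[A-Z0-9]{2}([A-Z0-9]{3})?$")

def is_valid_lei(lei: str) -> bool:
    # The full 20-character LEI, check digits included, is tested as-is.
    return bool(LEI_RE.match(lei)) and mod97(lei) == 1

def lei_check_digits(base18: str) -> str:
    # Check digits for the 18-character LOU prefix + entity-specific part.
    return f"{98 - mod97(base18 + '00'):02d}"

def is_valid_iban(iban: str) -> bool:
    s = iban.replace(" ", "").upper()
    # IBAN moves the country code and check digits to the end before the MOD 97 test.
    return bool(IBAN_RE.match(s)) and mod97(s[4:] + s[:4]) == 1

def classify_identifier(value: str) -> str:
    s = value.replace(" ", "").upper()
    if is_valid_lei(s):
        return "LEI"
    if is_valid_iban(s):
        return "IBAN"
    if BIC_RE.match(s):
        return "BIC"
    return "unknown"

def check_legal_entity_id(value: str) -> tuple:
    """Pre-transmission check for the legal-entity identifier field of a
    Travel Rule message: only an LEI (or an equivalent identifier) belongs there."""
    kind = classify_identifier(value)
    if kind == "LEI":
        return True, "LEI checksum valid"
    if kind == "BIC":
        return False, "BIC identifies a bank, not the legal entity; not an LEI equivalent"
    if kind == "IBAN":
        return False, "IBAN is an alternative to the account number, not to the LEI"
    return False, "not a recognised identifier format"
```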
As highlighted during the FSB/GLEIF/ROC Global LEI Conference on 9 July 2024:
An easy-to-comprehend analogy is that “you have an IBAN, you are an LEI”.
We note that the LEI is already so widely used in traditional financial services that the convergence of the traditional and virtual asset industries, combined with innovative developments by the Global Legal Entity Identifier Foundation (GLEIF) such as the vLEI, makes the LEI an obvious choice for CASPs. It is for this reason that VerifyVASP became the first LEI validation agent in the virtual asset industry, and LEI issuance is a complimentary service that we offer CASPs as part of our membership approval.
Self-Hosted Wallet Verification
Paragraph 83 outlines the verification methods CASPs should use for transfers above EUR 1,000:
“In order to assess whether the self-hosted address is owned or controlled by the originator or beneficiary, respectively, CASPs should use at least one of the following verification methods:
a) unattended verifications;
b) attended verification;
c) sending of a predefined amount (preferably the smallest denomination of a given crypto-asset), set by the CASP, from and to the self-hosted address to the CASP’s account;
d) requesting the customer to digitally sign a specific message into the account and wallet software with the key corresponding to that address;
e) other suitable technical means as long as they allow for reliable and secure assessment and the CASP is fully satisfied that it knows who owns or controls the address.”
Paragraph 89 requires a second level of verification for third party-owned self-hosted wallets: “Where, as a result of the assessment in Section 4.8.4., it is established that the self-hosted address is owned or controlled by a third person instead of the CASP’s customer, the verification referred to in Article 19a(1), point (a), of Directive (EU) 2015/849 can be deemed to have taken place if:
a) the CASP collects additional data from other sources to verify the submitted information, including but not limited to blockchain analytical data, third-party data, recognised authorities’ data and publicly available information, as long as these are reliable and independent.
b) the CASP uses other suitable means as long as the CASP is fully satisfied that it knows the identity of the originator or beneficiary and can demonstrate this to its competent authority.”
We welcome the simplicity of one or two levels of verification, but would add that verification methodologies have varying levels of reliability (as shown in the graphic below), which CASPs should carefully consider so that the method chosen is commensurate with the risks associated with such transactions.
The guidelines largely achieve their aim to standardise practices, clarify obligations, and promote a risk-based approach to compliance with the regulation across the EU. They seek to strike the delicate balance of providing detailed guidance while allowing some flexibility for PSPs and CASPs to tailor their approaches based on their specific circumstances and risk profiles.
In summary, we believe that the EBA’s Travel Rule Guidelines are largely congruent with the FATF guidelines and other largely compliant jurisdictions. To this end, we believe that the lessons learnt from Travel Rule compliance can be helpful in the formulation of CASP policies and procedures in this area.