New information duties on crypto-asset transfers

1. Introduction:

On 20 April 2023 it was announced that the European Parliament had approved a new regulation (EU Travel Rule Regulation) introducing new rules regarding the information that must follow fund transfers, extending the scope of application to crypto-asset transfers. The latest version of the Regulation is available here and now awaits publication in the Official Journal of the European Union.

The now approved regulation aims to extend the requirements currently provided for in Regulation (EU) 2015/847 (which will be repealed with the entry into force of the new Regulation) to Crypto-Assets Service Providers (hereinafter “CASP“) to facilitate the tracking of transfers of these assets and thus strengthen the measures to combat and prevent money laundering and terrorist financing (“MLTF“) in the crypto-asset markets, in line with the recommendations of the Financial Action Task Force (FATF).

It should be noted that Banco de Portugal Notice no. 1/2023 already prescribes, since 24 January 2023, requirements similar to those now established in this Regulation, aiming to establishing the travel rule applicable to transfers of virtual assets made by Virtual Asset Service Providers. The similarities between this regime and the new European Regulation are due to the fact that both the European and the Portuguese legislator were based on the FATF recommendations on Money Laundering and Terrorist Financing applicable to new technologies. The aforementioned notice of the Bank of Portugal will come into force on 15 July 2023 and, therefore, quite possibly before the Regulation.

2. Entities and Operations Covered:

The following are covered by this Regulation

• Transfers of funds, in any currency, sent or received by:

1. payment service providers;
2. intermediary payment service providers.

• Crypto-asset transfers, including crypto-asset transfers executed through crypto-asset ATMs involving:

1. CASPs;
2. Originator or beneficiary’s intermediary CASPs..

For the purposes of this Regulation, a crypto-asset is considered to be “a digital representation of value or rights that can be transferred and stored electronically, using distributed ledger technology or other similar technology;” excluding crypto-assets that are comparable to (i) financial instruments; (ii) electronic money; (iii) deposits; (iv) structured deposits or (v) securitised assets.

3. Obligations to be highlighted:

Regarding CASPs:

Defined as “any person whose occupation or economic activity is the provision of one or more crypto-asset services to third parties on a professional basis” (by reference to the MiCa Regulation[1]), this Regulation distinguishes between the CASP obligations of the originator and the beneficiary. We highlight the following obligations:

a) As regards the CASP obligations of the originator:

• Crypto-asset transfers are accompanied by the following information about the originator:
  • Name of the originator;
  • The distributed registration address of the originator, where a crypto-asset transfer is registered in a network using a DLT[2] or a similar technology, and the originator’s crypto-asset account number, if such account exists and is used to process the transaction;
  • Originator’s crypto-asset account number, where a crypto-asset transfer is not registered on a network using a DLT or similar technology;
  • Address, including the name of the country, official identification document number and customer identification number, or, alternatively, date and place of birth of the originator; and
  • Subject to the existence of the relevant field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in the absence thereof, any other equivalent official identifier available, of the originator.
• Crypto-asset transfers are accompanied by the following information about the beneficiary:
  • Name of beneficiary;
  • Beneficiary’s distributed registration address, where a crypto-asset transfer is registered on a network using a DLT or similar technology, and beneficiary’s crypto-asset account number, if such an account exists and is used to handle the transaction;
  • Beneficiary’s crypto-asset account number, where a crypto-asset transfer is not registered on a network using a DLT or similar technology; and
  • Subject to the existence of the relevant field in the relevant message format, and where provided by the originator to its crypto-asset service provider, current LEI or, failing that, any other available equivalent official identifier of the beneficiary.

Importantly, CASPs are now prohibited from initiating or executing crypto-asset transfers for which they are unable to verify the information listed above.

Moreover, the obligation to monitor information is not satisfied by merely forwarding that information, is also being necessary for the originator’s CASP to verify the accuracy of the information on the basis of documents, data or information obtained from a reliable and independent source.

b) As regards the obligations of the beneficiary’s CASP:

The CASP of the beneficiary shall now have the following obligations:

• Adopts effective and adequate procedures to verify the effective monitoring of the information provided by the originator’s CASP upon or after the transfer of crypto-assets.
• In the case of crypto-asset transfers made from a self-hosted address, the beneficiary’s crypto-asset service provider obtains and retains the information to be provided by the originating CASP, and ensures that crypto-asset transfers can be individually identified.
• Verifies the accuracy of the information to be provided by the originating CASP based on documents, data or information obtained from a reliable and independent source.

Compliance with the duty to verify information, set out above, is deemed to be carried out by verifying duties related to Directive (EU) 2015/849 (on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing).

In cases where, in crypto-asset transfers, there is omission or incompleteness of information from the originator CASP to the beneficiary CASP, the beneficiary CASP shall apply effective procedures to determine the execution, rejection, return or suspension of the crypto-asset transfer concerned:

• rejecting the transfer or returning the funds to the originator or;
• requesting the required information from the originator’s CASP about the originator and the beneficiary before making the crypto-actives available to the beneficiary.

There is also a duty on the beneficiary CASP to report the failure to provide information to the competent authority supervising compliance with MLTF provisions in cases where a particular originator CASP frequently omits information it is obliged to transmit when transferring crypto-assets.

c) As for the Intermediate CASPs:

Defined as “a crypto-asset service provider, other than neither the originator’s nor the beneficiary’s, that receives and transmits a crypto-asset transfer on behalf of the originator’s or the beneficiary’s crypto-asset service provider or another intermediary crypto-asset service provider;”, intermediary CASPs are now bound to:

• Retention of originator and beneficiary information accompanying transfers;
• Detection of the omission of originator or beneficiary information;
• Assessment and reporting of suspicious transfers to prevent and combat MLTF
• Obligation to implement effective procedures to control risks when transferring crypto-asset assets where there is no monitoring of the information required from originators and beneficiaries of crypto-asset transfers.

4. Obligations common to CASPs and Intermediate CASPs:

• Adoption and implementation of policies, procedures and internal controls to ensure the application of restrictive measures;
• Obligation to provide information to Member States’ authorities responsible for preventing and combating MLTF;
• Data protection;
• Record Keeping;

5. Entry into force and other relevant provisions:

a) The Regulation will enter into force 20 days after its publication in the Official Journal of the European Union;
b) The Regulation shall apply from the date of entry into force of the MiCa Regulation;
c) Under an amendment to Directive (EU) 2015/849 (on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing), CASPs are now considered to be Financial Institutions for the purposes of that Directive and are bound by the duties imposed on them.

6. Differences to be highlighted in relation to Notice of the Bank of Portugal 1/2023:

The duties that emerge from this Notice, as well as the ratio of both regimes, are very similar. Nevertheless, there are differences which we will now point out:

• The European Regulation goes further than the national legislator in the definition of services/activities in crypto-asset assets. Thus, the number of entities covered by the duties to monitor information regarding crypto-asset transfers is more comprehensive in the Regulation:o Under national law, Law no. 83/2017, of 18 August (Measures to Combat Money Laundering and Terrorist Financing) crypto-asset activity is considered to be: “any of the following economic activities, performed in the name or on behalf of a client: (i) exchange services between virtual assets and fiat currencies; (ii) exchange services between one or more virtual assets; (iii) services whereby a virtual asset is moved from one address or wallet to another (transfer of virtual assets); (iv) safekeeping and administration services of virtual assets or of instruments that allow to control, hold, store or transfer those assets, including private cryptographic keys. “.
• Under EU law, the MiCa Regulation defines crypto-asset services as being “any of the services and activities listed below relating to any crypto-asset: (a)Custody and administration of crypto-assets on behalf of a third party; (b)Operation of a crypto-asset trading platform; (c)Exchange of crypto-assets for legal tender; (d)Exchange of crypto-assets for other crypto-assets; (e)Execution of orders relating to crypto-assets on behalf of a third party; (f)Placement of crypto-assets; (g)Receipt and transmission of orders relating to crypto-asset assets on behalf of third parties; (h)Advice on crypto-assets;
• The Notice prescribes a regime for transfers of virtual assets originating from, or destined to, self-hosted addresses, a matter which the European legislator has left for further consideration;
• With regard to the duties associated with transfers received by the CASP from the beneficiary, the Notice requires that the actions to be taken in the event of repeated non-receipt of the information to be made available by the originating CASP must also be taken when, repeatedly, the originating CASP makes this information available in a merely incomplete form.
o However, it should be noted that the measures to be adopted in this case are different, since while the Notice states that the CASP of the beneficiary in this case “adopts measures appropriate to the deficiencies detected”, listing, by way of example, a set of measures to be adopted (similar to the measures imposed by the European legislator), the European legislator determines, in an exhaustive manner, the actions to be adopted by the CASP of the beneficiary in these situations.

7. Sanctions and Supervision

On penalties and applicable administrative measures, the Regulation states that Member States must provide for penalties which are effective, proportionate and dissuasive and consistent with those laid down in each domestic law following the transposition of Directive EU 2015/849 (on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing).

With specific regard to payment service providers and crypto-asset service providers, breaches of the Regulation may be subject to sanctions and/or measures, without prejudice to the national law of each Member State, which may be addressed to members of the management body of the service provider concerned and to any other natural person who under national law is responsible for the breach.

The Regulation also provides that Member States will have to ensure that, in situations where service providers repeatedly or systematically fail to comply with a set of rules (which are the rules on the identification of the beneficial owner or, for services provided using crypto-asset substances, the rules required concerning the originator and the beneficiary, rules on record keeping, failure to adopt risk-based prevention procedures, as well as failure to provide information on the originator and beneficiary of transfers of funds and failure to adopt mechanisms to detect such omissions), at least the following sanctions will be applied to such situations:

a) obligation to issue a public statement identifying the natural or legal person and the nature of the breach;

b) a determination requiring the natural or legal person to cease the conduct and to refrain from repeating it;

c) the revocation or suspension of the authorisation if the obliged entity is subject to authorisation;

d) a temporary ban on directors of obliged entities for members of the obliged entity’s management body or any other natural person held responsible for the breach;

e) maximum fines of at least twice the amount of the benefit derived from the infringement where that benefit is determinable, or at least 1 000 000 euros, or alternatively, where the obliged entity is a credit or financial institution, the following sanctions may also be imposed: a) in the case of a legal person, maximum fines of at least 5 000 000 euros or 10 % of the total annual turnover according to the last available consolidated accounts approved by the management body; where the obliged entity is a parent undertaking or a subsidiary of the parent undertaking required to prepare consolidated financial accounts in accordance with Article 22 of Directive 2013/34/EU, the relevant total annual turnover shall be the total annual turnover or corresponding type of income according to the last available consolidated accounts approved by the management body.

Provision is also made for the publication of penalties and administrative measures applicable by the competent authorities.

Conclusion

Under these soon-to-be-implemented new rules, CASPs will be required to collect and make available a wide range of information on the originators and beneficiarys of the crypto-asset transfers they process with a view to enhancing the financial transparency of these transactions, ensuring their traceability, thereby making it more difficult to use them for illicit purposes.

How can we help you?

Abreu Advogados’ APDFin team has a team that is especially dedicated and prepared to support crypto-asset services providers, investors in crypto-asset markets, or any other players in these markets in the planning and execution of all the necessary actions to comply with these new rules that will be implemented in our market.

[1] Approved on 20 April 2023 by the European Parliament and now awaiting publication in the Official Journal of the European Union

[2] Distributed Ledger Technology which is a decentralised information register technology