In the ever-evolving landscape of finance, cryptocurrencies have emerged as a groundbreaking investment category and, at the same time, a target for exploitation by money launderers. The EU regulator is under pressure to extend conventional due diligence measures on crypto-assets transfers. 

As a step towards common EU anti-money laundering law, the European Banking Authority (EBA) has recently conducted a consultation on new Guidelines on preventing the abuse of funds and certain crypto-asset transfers for money laundering and terrorist financing purposes under Regulation EU 2023/1113 (Travel Rule Guidelines).¹

The new Regulation is expected to take effect from 30 December 2024 and will extend traditional due diligence measures for payment service providers (PSPs), intermediary PSPs (IPSPs), crypto-asset service providers (CASPs) and intermediary CASPs (ICASPs) involved in the execution of crypto-asset and fund transfers.² 

The proposed Guidelines set out a clear action guide that the payment and crypto-asset providers need to take to prevent crypto-assets transfers being used for money laundering and terrorism financing. This brings changes to processes, data, and IT systems around the identification of the origins and destinations of crypto transactions. In this article we will look at the main changes and actions to be taken by providers. 

REGULATION OVERVIEW AND CHALLENGES 

According to the new Regulation, payment and crypto-asset providers will be obliged to take measures to detect missing or insufficient information about the payer/originator while executing fund and crypto-asset transfers. This should ensure full traceability of the transfer of funds and crypto-assets and make supporting information on the payer, originator, payee and beneficiary available throughout the whole transfer chain. 

In addition, the Regulation stipulates new rules for payment and crypto-asset providers which require them to establish effective systems and controls to detect transfers that are missing the required information. Providers will be expected to implement risk-based policies and procedures to decide whether to execute, reject or suspend the transfer where the required information is not presented. The EBA Guidelines will also require relevant payment and crypto-assets providers to report to the competent authorities without undue delay the repeatedly failing counterparty, providing information on such transfers.

The scope of the new Travel Rule Guidelines is limited to three main provisions, namely: 

1. Factors that payment and crypto-assets providers should consider when establishing effective procedures to detect and manage transfer of funds and crypto-assets lacking the required information on the payer/originator and/or the payee/beneficiary, and to ensure that these procedures are effective.
   
2. Specification of what payment and crypto-assets providers should do to manage the risk of money laundering or terrorism financing where the required information on the payer, originator, payee or beneficiary is missing or incomplete.
   
3. Specific technical aspects of how the Regulation applies to direct debits.

KEY TAKEAWAYS FOR PAYMENT PROVIDERS 

To establish effective procedures to detect and manage transfers of funds and crypto-assets lacking the necessary information, providers will need to include in the procedures (and describe) their detection methods of missing, incomplete or meaningless information. This will need to contain, for example, a description of systems that prevent sending or receiving transfers, where inadmissible characters or inputs are detected as well as a description of ‘missing information’ (e.g. when fields are empty or if the information supplied is meaningless or inconsistent, etc.). 

Effective policies and procedures must also contain staff obligations to detect which information required by the Regulation is missing and the processes they should follow. For example, before taking action on returning or suspending a transfer, providers will first need to assess whether the information provided allows to determine the subject of transfer and whether any risk factors have been identified (e.g. transfers where the payer or originator is based in a country associated with high risk). 

The new Guidelines further specify provisions on technical aspects for direct debits payments.  As the direct debit is a transaction initiated by the payee, the payee’s PSP holds the information that the payer’s PSP would need to comply with their obligations. Where a transfer of funds is a direct debit, the payee’s PSP should provide the necessary information on the payee to the payer’s PSP at the time when the direct debit mandate is established or modified. 

HOW CAPCO CAN HELP

Capco can play an instrumental role in helping your business implement new due diligence measures for crypto-assets transfers, ensuring that your business keeps up to date with evolving regulations. 

We assist you in implementing new guidelines by providing expertise in compliance frameworks, technology solutions and project management tailored to the specific needs of your firm. 

Capco has a strong and varied track record of supporting clients with their change processes, spanning a wide range of business and regulatory requirements, process, data and IT implementations. We have developed a unique approach to integrating regulatory requirements and creating a robust compliance and IT framework. 

Additionally, Capco has already supported many financial services institutions in the end-to-end implementation of, for example, crypto custody and trading solutions, fully compliant with regulatory requirements (e.g. focusing on the upcoming Markets in Crypto-assets (MiCA) regulation). 

As a trusted partner to our clients, we simplify complexity and bring expertise in all areas relevant to transformation - business analysis, regulatory compliance, technology, project/program and test management.

REFERENCES

1. https://www.eba.europa.eu/legacy/regulation-and-policy
2. https://www.eba.europa.eu