Policy & Regulation

MiCA’s Crypto Travel Rule: EU’s New Crypto Regulations, Part 1

After long negotiations, the European Council has agreed on some of the most comprehensive cryptocurrency regulations of any jurisdiction globally to date. While exact details still need to be worked out, these rules will take effect for the entire EU over the coming 18 months.

Some cryptocurrency businesses and users are likely to take issue with at least certain aspects of the rules. But regardless of the challenges those rules may present, this agreement gives the cryptocurrency industry one thing it’s wanted for a long time: Clarity. One of the world’s largest markets — and not only that, one of the most important markets for cryptocurrency adoption, as we’ve analyzed in our geographic research – will now have clear rules of engagement for cryptocurrency businesses, with no need to grapple with the particularities of each EU member state. The EU agreement will also likely serve as a benchmark for future regulation in other jurisdictions, influencing rulemaking around the world. 

The EU agreement has two key components:

  • Transfer of Funds Regulation (TFR): The TFR sets EU-wide rules for enforcement of what is commonly referred to by the industry as the “the Travel Rule.” The TFR establishes the monetary threshold above which cryptocurrency transactions are subject to the rule, with special provisions for transactions involving personal wallets. 
  • MiCA: MiCA, or the Markets in Crypto Assets regulation, lays out the licensing regime for cryptocurrency businesses in the EU, including all-important “passporting rules.”

While we are still awaiting finalization and release of all of the details of both TFR and MICA, industry reports have already described some of the key elements of the EU’s agreement. Based on those reports, we’ll break down the key elements of the TFR below, then cover MiCA in Part 2 of our analysis next week. 

Transfer of Funds, or the Travel Rule

You can read more about the Travel Rule here, but in short, it dictates that cryptocurrency businesses such as exchanges must identify the originators and beneficiaries of transactions above a certain monetary value. The Travel Rule is the standard in fiat currency for transactions between financial institutions, and FATF long ago decreed that it would be the standard in cryptocurrency as well. 

Two of the most important elements of the Travel Rule are:

  • The value threshold, meaning the size above which transfers are subject to the Travel Rule
  • How the Travel Rule applies for transactions involving personal wallets (or “unhosted” wallets as they’re sometimes known), meaning those that aren’t hosted by a centralized service

So, what threshold did the EU land on for its version of the Travel Rule? For context, FATF previously recommended that member jurisdictions impose a threshold of 1,000 USD/EUR for cryptocurrency transactions. The United States uses a threshold of $3,000. But the EU’s new rules will apply a €0 threshold. In other words, cryptocurrency businesses operating under an EU license, must capture information relating to the identity of the sender and recipient of a transfer of crypto assets for all transactions, regardless of their size.

While the rationale for applying a €0 threshold to cryptocurrency and cryptocurrency alone is unclear given what we know about the relatively low incidence of illicit activity in crypto, it may not actually impact day-to-day operations for cryptocurrency businesses already operating in Europe all that much. Some EU countries like France, for example, have already been using the €0 threshold for some time, so exchanges operating there have already had to comply with this requirement. 

Personal wallets

The second notable element of the Transfer of Funds regulation is how it applies to transactions between a cryptocurrency business and a personal wallet. Regulators have previously expressed concern around personal wallets, worrying that they may present increased risk of financial crime given that they allow users to receive, hold, and send cryptocurrency without providing KYC information, as they’re not hosted by centralized businesses.

These fears have prompted some regulators to call for strict reporting requirements on all transactions involving personal wallets. Some have even suggested that exchanges should be required to collect information on all personal wallets their customers transact with. Chainalysis has previously argued against such a rule for a few reasons: 

  • Blockchain analysis shows that personal wallets don’t present an increased risk of criminal activity.
  • Personal wallets don’t provide on-ramps or off-ramps from cryptocurrency. Users must still move their cryptocurrency to a centralized service to convert it into fiat currency. Banks, as well as centralized cryptocurrency services in most jurisdictions, are required to collect KYC information.

As it turns out, the new rules agreed to by the EU won’t impose the strictest proposed reporting requirements. Instead, cryptocurrency businesses will need to provide reporting on personal wallet transactions under the following circumstances:

  • Transfers above €1,000 involving a user’s own personal wallet. If a user transfers more than €1,000 between a cryptocurrency business and their own personal wallet, the business must ask the user if they are the owner of the wallet. If yes, then the user must verify their ownership of the wallet. This only needs to happen once – future transfers involving that wallet address do not require re-verification of the ownership by that cryptocurrency business. Transactions of less than €1,000 to a user’s own personal wallet do not require verification of the ownership of the wallet.
  • Transfers involving personal wallets which are not owned by user, i.e. transfers between a cryptocurrency business and a third party’s personal wallet: in all cases, the cryptocurrency business will need to collect information on the personal wallet. In addition, they must apply a risk-based approach to determine whether further measures are needed. This means that before transferring the assets, the business must identify and assess the AML/CTF risk presented by the wallet, and apply risk-mitigating measures accordingly. The details of these requirements will be specified by the European Banking Authority in the coming 18 months. 

While some details still need to be hammered out, the main takeaway is that unless a user identifies themselves as the owner of a private wallet, cryptocurrency businesses must assess that wallet for risk before letting users transfer funds to it. 

In Part 2 of our breakdown coming soon, we’ll cover the MiCA regulation and what it means for cryptocurrency business licensing in the EU.

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with Recipient’s use of this material.