After many discussions, the European Council has agreed on the most comprehensive and unique cryptocurrency regulation in the world to date. Although the exact details are still being finalized, these rules will come into effect across the European Union over the next 18 months.

Regardless of how much the new rules cost and how controversial they are, one thing is certain: if the industry has ever needed anything, it was clarification.

In one of the world’s largest markets, cryptocurrency businesses will now be regulated by clearly defined rules and will not have to deal with the specifics of each EU country. The EU agreement is also likely to serve as a standard for future legislation in other jurisdictions, thus shaping law-making globally.

The EU agreement has two key elements:

Regulation on the transfer of assets: the rule sets EU-wide standards in the sector, known as the ‘travel rule’. The regulation also defines the maximum amount above which crypto transactions are covered by the rule, with specific measures for transactions involving so-called “unhosted wallets”.

MiCA: the Markets in Crypto Assets Regulation (MiCA) establishes the licensing system for cryptocurrency businesses in the EU.

Transfer of funds and the Travel rule

We wrote more about the travel rule here, but in summary, it requires cryptocurrency businesses, such as exchanges, to identify the originators and beneficiaries of transactions above a certain value. The Travel Rule is the standard for transactions between financial institutions in the banking industry, while the FATF has mandated earlier that this should become the standard in the crypto industry as well.

Two key elements of the travel rule are:

• The value limit, which means the amount above which transfers are subject to the travel rule.

• How the travel rule applies to transactions with personal wallets (also known as “unhosted” wallets), transactions that are not held on a centralized platform (crypto exchange, wallet provider).

What threshold value has the EU set in its version of the travel rule? The FATF has previously recommended that member states set a threshold of 1,000 USD/EUR for cryptocurrency transactions. The US has a threshold value of $3,000, but the new EU rules have a threshold of €0. In other words, crypto businesses operating under an EU license will have to record information on the identity of the sender and recipient of the crypto transfer for all transactions, regardless of their volume.

While the justification for applying a €0 threshold to cryptocurrencies only is unclear, given what we know about the relatively low frequency of illegal activity involving cryptocurrency, it may not actually have that much impact on the day-to-day operations of crypto businesses already operating in Europe. In some EU countries, such as France, the EUR 0 limit has already been in place for some time, so exchanges there have already had to comply with this requirement.

Unhosted wallets

A second remarkable aspect of the money transfer regulation is how it applies to transactions between crypto businesses and personal wallets. Regulators have previously expressed their concerns about personal wallets, considering they may pose an increased risk of financial crime because they allow users to receive, hold and send cryptocurrencies without client identification.

These concerns have led some regulators to impose strict reporting requirements on all transactions involving personal wallets. Some have even suggested that exchanges should require their clients to provide information on all personal wallets they use.

Blockchain analysis shows that personal wallets do not indicate an increased risk of crime. Personal wallets do not provide a way to buy and withdraw cryptocurrencies. Users will still need to transfer their crypto assets to a centralized provider to convert it into fiat currency. Banks and centralized crypto providers are required to collect KYC information in most jurisdictions. It has been revealed that the new rules adopted by the EU do not impose the most restrictive reporting requirements. Instead, cryptocurrency businesses will be required to report on personal wallet transactions under the following circumstances:

• Transfers above €1000 involving the user’s own personal wallet.

If a user makes a transfer of more than €1,000 from their personal wallet to a cryptocurrency business, the business must ask the user if they are the owner of the wallet. If they are, the user must provide proof of ownership of the wallet. This only needs to be done once – there is no need to revalidate ownership for future transfers to that particular account. Transactions of less than €1000 to the user’s own personal wallet do not require proof of wallet ownership.

• Transfers involving personal wallets not owned by the user, such as a transfer between a crypto business and a third party’s personal wallet:

The crypto business must collect personal wallet information in all cases. They should also take a risk-based approach to determine whether additional safeguards are needed. This means that prior to completing a transaction, the platform must identify and analyze the potential money laundering and terrorist support risk reported by the wallet and apply mitigating mechanisms accordingly. The details of these requirements will be defined by the European Banking Authority over the next 18 months.

While some details still need to be finalized, the main conclusion suggests that if a user does not identify themselves as the owner of a private wallet, crypto businesses should evaluate the risk of the wallet before allowing users to transfer funds to it.