Information accompanying transfers of funds and certain crypto assets

KEY POINTS

The regulation applies to transfers of funds (in any currency) and crypto assets sent or received by a payment service provider or intermediary registered in the EU.

It does not apply to:

• transfers of funds or electronic money tokens using payment cards, electronic money instruments, mobile phones or other similar digital or IT prepaid or postpaid devices when:
  • the transfer is to pay for goods or services,
  • the number of the card instrument or device accompanies all transfers flowing from the transaction;
• certain transfers such as a payer withdrawing money from their own account or the payment of taxes or fines to a public authority;
• transfers of crypto -assets when:
  • both the sender and the beneficiary are acting on their own behalf,
  • the transfer is from person to person without the involvement of a crypto asset service provider.

A payer’s payment service provider:

• must provide and verify information such as the name and account number of the payer and payee and the former’s address and official identity details when transferring funds;
• may limit the information to the account details of the payer and payee and, if necessary, the unique transaction identifier, if all the payment service providers involved in the transfer are established in the EU;
• must supply additional information within 3 working days if so requested by the payee’s service provider.

A payee’s service provider:

• must check whether all the required information on the payer and the payee has been inputted correctly in the messaging or payment and settlement system and determine whether any data are missing;
• decides whether to execute, reject or suspend a transfer if basic payer and payee information has not been provided and may request additional details;
• warns a payment service provider if they repeatedly fail to supply the information requested before rejecting transfers from that source and informing the authority responsible for anti-money laundering and counterterrorist financing;
• takes account of missing information when assessing whether a transfer is suspicious and should be reported to the financial intelligence unit.

Intermediary payment service providers also have obligations when confronted with missing information. They have the additional responsibility of ensuring all payer and payee details remain with the transfer at all times.

An originator’s crypto asset service provider:

• ensures that all transfers are accompanied by details of the originator and the beneficiary, such as their names, distributed ledger address and crypto asset account numbers;
• checks the accuracy of the information it has received;
• verifies whether a self-hosted address is owned or controlled by the originator for all transfers over €1,000.

A beneficiary’s crypto asset service provider:

• checks that the information about the originator and beneficiary is included with, or follows, the transfer or batch file transfer of crypto assets;
• ensures that the transfer of crypto assets from a self-hosted address can be individually identified;
• assesses, for all transfers over €1,000 from a self-hosted address, whether the beneficiary owns or controls that address;
• verifies the accuracy of the information about the beneficiary before handing over the crypto assets;
• decides whether to execute, reject, return or suspend a transfer of crypto assets that lacks information and takes appropriate follow-up action;
• may reject or return crypto assets or request further details if the information is missing or incomplete;
• warns a crypto asset service provider if they repeatedly fail to supply the information requested before rejecting transfers from that source, restricting or terminating its business relationship, and informing the authority responsible for anti-money laundering and counterterrorist financing;
• takes account of missing information when assessing whether a transfer is suspicious and should be reported to the financial intelligence unit.

Intermediary crypto asset service providers also have obligations when confronted with missing information. They have the additional responsibility of ensuring that all originator and beneficiary details are transmitted with the transfer and the information is kept and made available when requested.

Both payment and crypto asset service providers will:

• have internal policies, procedures and controls in place to ensure EU and national rules are applied when transferring funds or crypto assets;
• respond fully and without delay to enquiries from authorities responsible for preventing and combating money laundering and terrorist financing;
• keep information on the payer/payee and originator/beneficiary for 5 years with the option of a further 5 years if an EU Member State so decides.

The European Banking Authority and European Data Protection Board issue guidelines on implementing the legislation.

Member States:

• determine sanctions for breaches of the regulation;
• publish when these are applied;
• encourage reporting of law-breaking to the authorities charged with monitoring compliance.

The European Commission:

• will submit a report to the European Parliament and the Council of the European Union by 31 December 2026, and every 3 years thereafter, on sanctions and monitoring activities;
• will assess the risks of transfers to or from non-EU self-hosted addresses by 1 July 2026;
• will report to the Parliament and the Council by 30 June 2027 on the regulation’s application and enforcement;
• can authorise a Member State, under specific conditions, to treat transfers with a non-EU country as if they were a domestic operation.

The regulation:

• amends Directive (EU) 2015/849 (see summary);
• repeals Regulation (EU) 2015/847 (see summary).