EU’s revised Wire Transfer Regulation published in Official Journal
RegCORE Client Alert | Banking Union
QuickTake
On 9 June 2023, the EU’s recastThe recasting of EU legislation means the adoption of a new legal act, when an amendment is made to a basic instrument. The result is a single, legally binding act incorporating the initial legal act (the revised Wire Transfer Regulation) and any amendments to it resulting in the WTR II.Show Footnote Wire Transfer Regulation (WTR II)Regulation (EU) 2023/1113 – available here.Show Footnote (also sometimes referred to as the Transfer of Funds Regulation) was published in the EU’s Official Journal. The WTR II’s provisions enter into force on 30 June 2023 and shall apply from 30 December 2024 and thus repeal the existing “revised Wire Transfer Regulation”.Regulation (EU) 2015/847 - available here, which has applied since 26 June 2017, on which date it repealed and replaced the previous regime under Regulation (EC) 1781/2006.Show Footnote This Client Alert assesses the scope and application of WTR II generally as well as the new specific changes introduced, including on extension of rules applicable to transfers of funds to also cover transfers of crypto-assets.
As reported in our Client Alert from July 2022,Available hereShow Footnote the EU agreed that the so-called “travel rule”, which already applied to fiat and electronic money i.e., “transfer of funds” and EU and European Economic Area “payment services providers” (as such term is defined in EU legislation) (PSPs),As such term is defined in the PSD II, as amended.Show Footnote would be extended to cover “transfers in crypto-assets”. WTR II harmonises the travel rule across the EU and thereby replaces previous individual national legislative efforts.Notably the efforts of various EU Member States such as Germany, Lithuania, Malta and France who had developed and implemented their own individual national rules mandating some form of a travel rule ahead of the EU’s efforts culminating in WTR II. As discussed in our July 2022 Client Alert, G7 jurisdictions on 20 May 2022 published a statement confirming their intention to hold crypto-assets to the same standard as the rest of the (regulated) financial system and thus to introduce the travel rule, as proposed by the Financial Action Task Force (FATF) in the respective legislative and regulatory frameworks.Show Footnote
To recap, the EU’s travel rule requires that information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer. Pursuant to WTR II, crypto-asset service providers (CASPs) are required to provide this information to (national) competent authorities if an anti-money laundering (AML) and/or countering terrorist financing (CTF) investigation is started by such authorities. As in the proposal, WTR II, has two exclusions to that obligation, namely (1) for person-to-person transfers transacted without using a CASP and/or (2) when both originator and beneficiary are CASPs acting on their own behalf. Another exclusion (which is a national option and discretion) is made available for Member States to exempt these provisions applying to the transfer of crypto-assets where, if certain preconditions are met, the transaction is exclusively for the provision of goods or services. This follows the existing exemption in this area that applies to traditional money transfers.
With WTR II’s provisions having become a regulatory reality, CASPs, but equally PSPs and those other persons caught as “obliged entities” for AML/CTF purposes will want to consider how they will meet compliance with the travel rule, other changes introduced in the recast WTR II along with stricter supervisory expectations of relevant (national) competent authorities. This Client Alert should also be read with our respective coverage on the EU’s Markets in Crypto-Assets Regulation (MiCAR) available from PwC Legal’s EU RegCORE in particular as the definition of CASP in the WTR II comes from MiCAR.
What the WTR II requires
The WTR II creates EU-wide harmonised rules for the purposes of preventing, detecting and investigating money laundering and terrorist financing. Its focus is on (i) transfer of fundsThe WTR II retains the original definition of this term from the first WTR as being “…any transaction at least partially carried out by electronic means on behalf of a payer through aPSPShow Footnote, with a view to making funds available to a payee through a PSP, irrespective of whether the payer and the payee are the same person and irrespective of whether the PSP of the payer and that of the payee are one and the same, including (a) a credit transfer, (b) a direct debit, (c) a money remittance, or (d) a transfer carried a transfer carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics.”Show Footnote as well as (ii) transfer of crypto-assetsThe WTR II introduces the new following definition to mean “…any transaction with the aim of moving crypto-assets from one distributed ledger address, crypto-asset account or other device allowing the storage of crypto-assets to another, carried out by at least one crypto-asset service provider acting on behalf of either an originator or a beneficiary, irrespective of whether the originator and the beneficiary are the same person and irrespective of whether the crypto-asset service provider of the originator and that of the beneficiary are one and the same.”Show Footnote, including electronic money tokens defined under MiCAR).
The WTR II therefore applies where:
(1) at least one PSP (including intermediary PSPsThe WTR II retains the original definition of this term from the first WTR as being a PSP that is not the PSP of the payer or of the payee and that receives and transmits a transfer of funds on behalf of the PSP of the payer or of the payee or another intermediary PSP.Show Footnote) or one CASP (including intermediary CASPsThe WTR II introduces the new following new definition to capture a CASP that is not the CASP of the originator or of the beneficiary and that receives and transmits a transfer of crypto-assets on behalf of the CASP of the originator or of the beneficiary, or of another intermediary CASP.Show Footnote) is involved in the transfer of funds (whether sent or received) or is involved in the transfer of crypto-assets (including transfers executed by crypto-ATMsThe WTR II introduces the new following definition to mean “…physical or on-line electronic terminals that enable a CASPShow Footnote to perform, in particular, the activity of transfer services for crypto-assets…” as referenced in MiCAR.Show Footnote); and
(2) such PSP or CASP is established in the EU or has its registered office in the EU. As such the WTR II has extra-territorial relevance beyond the EU.
Where the WTR II applies, the travel rule provisions distinguish between:
(a) the information on payersThe term payer is defined as a person that holds a payment account and allows a transfer from funds from that payment account or a person that give a transfer of funds order where there is no payment account. The definition of payment account is outlined in PSD II.Show Footnote and payeesThe term payee is defined as a person who is the intended recipient of the transfer of funds. Show Footnote accompanying transfers of funds, in any currency,
1. that must be provided/exchanged by the PSP of the payer (Articles 4 and 5 WTR II);
2. certain additional requirements on transfers of funds outside of the EU (Article 6 WTR II);
3. obligations of the PSP of the payee to detect and provide missing information on the payee (Articles 7 and 8 WTR II subject to certain exemptions therein for transfer of funds not exceeding EUR 1,000); and
4. obligations on intermediary PSPs (Articles 10 to 13 WTR II); and
(b) the information on originators and beneficiaries accompanying transfers of crypto-assets which must be provided and exchanged. Conceptually this follows the same as per the above approach for transfer of funds however with obligations imposed on the:
1. CASP of the originator (Articles 14 and 15 WTR II);
2. CASP of the beneficiary (Articles 15 to 18 WTR II); and
3. intermediary CASPs (Articles 19 to 22 WTR II).
The requirements to detect and verify missing information may mean that some PSPs and CASPs will want to revisit whether their own know-your client (KYC) processes applied both at on-boarding and throughout the lifetime of the transaction. PSPs and CASPs will want to ensure that such KYC processes are sufficiently capable of capturing the required data needed to meet the travel rule’s requirements and to processes are sufficiently robust when verifying the accuracy of information provided to the PSP or CASP by their own customers. Where information remains missing the PSP of the payee or the CASP of the beneficiary must take into account missing or incomplete information as a factor when assessing whether a transfer of funds/crypto-assets or any related transaction, is suspicious and should be reported to the relevant financial intelligence unit (FIU) as required under the EU’s AML/CTF legislative and regulatory regime.
The WTR II equally sets out rules on internal policies, procedures and controls to ensure implementation of “restrictive measures” (Article 23 WTR II) where at least one PSP or CASP involved in the transfer of funds or transfer of crypto-assets is established or has its registered office in the EU. The European Banking Authority (EBA) is required, by 30 December 2024, to issue additional guidelines specifying the details required of PSPs and CASPs in respect of ensuring the implementation of such restrictive measures i.e. from tracing transfers through to blocking them and/or freezing accounts/wallets etc.
Article 24 WTR II requires that PSPs and CASPs provide information to (national) competent authorities fully and without delay, where contacted in respect of enquiries related to AML/CTF breaches, investigations and other preventive measures. Data protection standards and obligations are amended to bring CASPs into the fold of the existing data processing and consent obligations that already apply to PSPs. The European Data Protection Board, following consultation with the EBA, is required by the WTR II, to issue guidelines on the practical implementation of data protection requirements for transfers of personal data to third countries in the context of transfers of crypto-assets. The EBA is also required to issue guidelines on suitable procedures for determining whether to execute, reject, return or suspend a transfer of crypto-assets in situations where compliance with data protection requirements and the transfer of personal data to third countries cannot be ensured.
Lastly, the EBA is required to issue the following other guidelines not mentioned elsewhere in this Client Alert. These include EBA guidelines on:
1. the technical aspects of the application of the WTR II to direct debits as well as measures to be taken by payment initiation service providers (as defined in PSD II) in light of their limited role in payment transactions;
2. the characteristics of a risk-based approach to supervision of CASPs and the steps to be taken when conducting such supervision;
The EBA is also tasked with “ensuring a regular dialogue with stakeholders on the development of technical interoperable solutions with the view of facilitating the implementation of the requirements [of the WTR II]”.
Lastly, the WTR II also has its own record retention rules set out in Article 26 WTR II. The information on the payer and the payee or on the originator and beneficiary must be held for a period of five years or in the context of criminal proceedings under Member State law, for a further five years. It is conceivable that the EBA and/or (national) competent authorities may issue further guidance on record retention requirements.
Whom and what the WTR II does not apply to
While the WTR II’s requirements are comprehensive, there are number of exclusions to whom and to what it does not apply to. The exclusions differ depending on whether it concerns the transfer of funds or the transfer of crypto-assets.
Accordingly, the WTR II does not apply to:
(i) the majority of types of payment transactions excluded from the scope of PSD II;Directive (EU) 2015/2366 – PSD II – available here. Article 2(2) WTR II cross-refers to the exclusions set out in Article 3, points (a) to (m) and point (o) of PSD II.Show Footnote
(ii) transfer of funds or to transfers of electronic money tokens (as defined in MiCAR) carried out using a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics, provided that the following conditions are met:
a. that card, instrument or device is used exclusively to pay for goods or services; and
b. the number of that card, instrument or device accompanies all transfers flowing from the transaction
However, the WTR II does apply when a payment card, an electronic money instrument, a mobile phone, or any other digital or IT prepaid or postpaid device with “similar characteristics”, is used in order to affect a transfer of funds or electronic money tokens between natural persons acting as consumers for purposes other than trade, business or professional activity. A key interpretational point remains in WTR II, as it did in the original text, around what amounts to “similar characteristics”.
(iii) persons digitising paper documents into electronic data and doing so pursuant to a contract with a PSP or that have no activity other than to provide PSPs with messaging or other support systems for transmitting funds or with clearing and settlement systems;
(iv) transfer of funds where any of the following conditions is met:
a. it involves the payer withdrawing cash from the payer’s own payment account;
b. it constitutes a transfer of funds to a public authority for taxes, fines or other levies within a Member State (but not across Member States);
c. both the payer and the payee are PSPs acting on their own behalf;
d. it is carried out through cheque images exchanges, including truncated cheques;
(v) transfer of crypto-assets where any of the following conditions is met:
a. both the originator and the beneficiary are CASPs acting on their own behalf;
b. the transfer constitutes a person-to-person transfer of crypto assets carried out without the involvement of a CASP.
As stated above, the WTR II retains the national option and discretion in Article 2(5), whereby a Member State may decide not to apply the WTR II to transfer of funds within its territory to a payee’s account permitting payment exclusively for the provision of goods or services where all of the following conditions are met:
1. the PSP of the payee is subject to the fourth AML Directive ((EU) 2015/849);
2. the PSP of the payee is able to trace back, through the payee, by means of a unique transaction identifier, the transfer of funds from the person who has an agreement with the payee for the provision of goods or services;
3. the amount of transfer of funds does not exceed EUR 1,000.
Crypto-asset accounts and self-hosted addresses
The WTR II distinguishes between:
• crypto-asset accounts – an account (also known as a wallet) that is held by a CASP in the name of one or more natural or legal person and that can be used for the execution of transfers of crypto-assets; and
• self-hosted addresses (also known as an unhosted wallet or self-custodied walletsWTR II does not refer to nor distinguish between hot or cold wallets. The final version of the WTR II nor MiCAR, unlike previous proposals and discussions do not prohibit the use of self-hosted addresses. Show Footnote) – a distributed ledger address not linked to either of the following:
o a CASP; or
o an entity not established in the EU and providing services similar to the CASP.
The WTR II requires that a CASP verify the source of the crypto-assets, before transferring crypto-assets to the receiving party i.e., the beneficiary. The WTR II also applies to all transfers including transfers of crypto-assets to or from a self-hosted address, as long as there is a CASP involved.
In the case of a transfer to or from a self-hosted address, the CASP should collect the information on both the originator and the beneficiary, usually from its client. The WTR II states that a CASP should in principle not be required to verify the information on the user of the self-hosted address. Nonetheless, in the case of a transfer of an amount exceeding EUR 1,000 that is sent or received on behalf of a client of a CASP to or from a self-hosted address, that CASP should verify whether that self-hosted address is effectively owned or controlled by that client. The aforementioned EUR 1,000 threshold however does not apply to transfers to and from crypto-asset accounts.
While the final version of WTR II provides for a more pragmatic approach on verification and in respect of self-hosted wallets when compared to the draft analysed in our July 2022 Client Alert, such verification means CASPs reviewing that there is no risk of money laundering or terrorist financing in connected to the crypto-assets or the transfer. This requirement is part of the broader overarching obligations applicable to CASPs to implement and maintain effective procedures to detect suspicious crypto-assets, in particular those suspected of being linked to illegal activities (such as fraud, extortion, ransomware or darknet marketplaces) and/or those that have passed through mixers, tumblers or other anonymising services. This is especially important for transfers involving unhosted wallets or non-EU CASPs that do not comply with the EU standards on the travel rule.
As highlighted in our Client Alert in July 2022, it should be noted that a number of CASPs may have already begun to undertake efforts to enhance AML risk identification, mitigation and management measures as well as more robust KYC processes. While such developments are welcome, certain problems may continue to arise where an EU-domiciled CASP (or indeed any other “obliged entity”), that is complying with WTR II and the travel rule, is engaging with a non-EU domiciled counterparty (including for example non-EU unhosted wallets) that is not required to conduct KYC or otherwise collect such comparable information as required under WTR II. Failure to correct such information could result in a mismatch on who needs to comply with what requirement and equally the question as to whether they can and by when.
Unless such a mismatch is resolved promptly, a transaction could be prevented until a full AML/KYC process or other due diligence exercise is completed. While this is not a new problem for traditional financial transactions, the extent of change and compliance burden for CASPs may prevent smooth settlement (at least from a legal perspective) and liability for those parties involved.
Further work ahead
Within 12 months after entry into force of the EU’s proposed Anti Money Laundering Regulation (AMLR), the European Commission will review the WTR II and shall issue a report which may propose amendments to WITR II to align it with the AMLR’s provisions. This alignment report will also assess the costs and benefits of introducing a de minimis threshold relating to:
1. in the case of the transfers of funds, an assessment of the effectiveness and suitability of the de minimis thresholds related to such transfers of funds, in particular with respect to the scope of application and the set of information accompanying transfers, and an assessment of the need to lower or remove such thresholds; and
2. in the case of transfers of crypto-assets, an assessment on the costs and benefits of introducing de minimis thresholds related to the set of information accompanying transfers of crypto-assets, including an assessment of related AML/CTF risks.
The European Commission is also tasked with, following consultation with the EBA, issuing a report assessing the risks posed by transfers to or from self-hosted addresses or entities not established in the EU, as well as the need for specific measures to mitigate those risks and thus to propose amendments to WTR II. The deadline imposed by the Commission to provide that report is “by 1 July 2026”.
Over time it is also expected that the EBA’s Interactive Single Rulebook (ISRB),Available here.Show Footnote which had already included the revised WTR, will be updated to include the changes made pursuant to WTR II. The ISRB allows for PSPs (and with WTR II – now CASPs), supervisors and other stakeholders to submit questions on the application of the revised WTR / recast WTR II and related EBA work. Subject to meeting prescribed criteria, submitted questions are published on the EBA website while the answers are prepared.
Lastly and certainly not least, the EU’s AML/CTF legislative and regulatory framework is being revised and equally, perhaps more far reaching the PSD II is in the process itself of being revised, so that any PSD III may include a greater number of persons that qualify as PSPs to whom WTR II would apply. See separate coverage from our EU RegCORE on these two developments.
Outlook and next steps
Full compliance with WTR II will be required by 30 December 2024. A number of market participants may want to step up their preparatory measures and efforts to ensure they are ready to require with this new regulatory reality and a host of stricter supervisory expectations. The same also applies to affected persons considering how to translate WTR II driven compliance efforts across similar compliance reforms underway, notably in order to meet (new) crypto-asset specific tax data and reporting standards.
As a result of the above, some market participants may also want to take stock and forward plan for any necessary changes to technical processes as well as corresponding changes in counterparty and/or client-facing documentation relevant to KYC conducted both (i) at on-boarding and (ii) throughout the lifetime of a relationship.
Lastly, it may also be recommendable that some affected persons conduct a gap analysis of how their EU travel rule and WTR II compliance efforts may impact compliance with similar requirements as currently in existence or in the process of being reformed in other non-EU jurisdictions, notably the UK, the US and further afield.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from these developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients navigate challenges and seize opportunities as well as to proactively engage with their market stakeholders and regulators. Moreover, we have developed a number of RegTech and SupTech tools for supervised firms, including PwC Legal’s Rule Scanner solution for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from over 750 stakeholders in over 170 jurisdictions impacting financial services firms and their business.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.