Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Central Bank (1),

Having regard to the opinion of the European Economic and Social Committee (2),

Acting in accordance with the ordinary legislative procedure (3),

Whereas:

(1) Regulation (EU) 2015/847 of the European Parliament and of the Council (4) has been substantially amended (5). Since further amendments are to be made, that Regulation should be recast in the interests of clarity.

(2) Regulation (EU) 2015/847 was adopted to ensure that the Financial Action Task Force (FATF) requirements on wire transfer service providers, and in particular the obligation on payment service providers to accompany transfers of funds with information on the payer and the payee, were applied uniformly throughout the Union. The latest changes introduced in June 2019 in the FATF standards on new technologies, with the aim of regulating virtual assets and virtual asset service providers, have provided new and similar obligations for virtual asset service providers, with the purpose of facilitating the traceability of transfers of virtual assets. Further to those changes, virtual asset service providers are to accompany transfers of virtual assets with information on the originators and beneficiaries of those transfers. Virtual asset service providers are also required to obtain, hold and share that information with their counterpart on the other end of the virtual assets transfer and make it available on request to competent authorities.

(3) Given that Regulation (EU) 2015/847 currently only applies to transfers of funds, that is to banknotes and coins, scriptural money, and electronic money as defined in Article 2, point 2, of Directive 2009/110/EC of the European Parliament and of the Council (6), it is appropriate to extend the scope of Regulation (EU) 2015/847 in order to also cover transfers of virtual assets.

(4) Flows of illicit money through transfers of funds and virtual assets can damage the integrity, stability and reputation of the financial sector, and threaten the internal market of the Union as well as international development. Money laundering, terrorist financing and organised crime remain significant problems which should be addressed at Union level. The soundness, integrity and stability of the system of transfers of funds and virtual assets, and confidence in the financial system as a whole, could be seriously jeopardised by the efforts of criminals and their associates to disguise the origin of criminal proceeds or to transfer funds or virtual assets for criminal activities or terrorist purposes.

(5) In order to facilitate their criminal activities, money launderers and financers of terrorism are likely to take advantage of the freedom of capital movements within the Union’s integrated financial area unless certain coordinating measures are adopted at Union level. International cooperation within the framework of FATF and the global implementation of its recommendations aim to prevent money laundering and terrorist financing while transferring funds or virtual assets.

(6) By reason of the scale of the action to be undertaken, the Union should ensure that the International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation adopted by FATF on 16 February 2012 and then revised on 21 June 2019 (the ‘revised FATF Recommendations’), and in particular FATF Recommendation 15 on new technologies, FATF Recommendation 16 on wire transfers and the revised interpretative notes on those recommendations, are applied uniformly throughout the Union and that, in particular, there is no discrimination or discrepancy between, on the one hand, national payments or transfers of virtual assets within a Member State and, on the other, cross-border payments or transfers of virtual assets between Member States. Uncoordinated action by Member States acting alone in the field of cross-border transfers of funds and virtual assets could have a significant impact on the smooth functioning of payment systems and virtual asset services at Union level and could therefore damage the internal market in the field of financial services.

(7) In order to foster a coherent approach in the international context and to increase the effectiveness of the fight against money laundering and terrorist financing, further Union action should take account of developments at international level, in particular the revised FATF Recommendations.

(8) Their global reach, the speed at which transactions can be carried out and the possible anonymity offered by their transfer make virtual assets particularly susceptible to criminal misuse, including in cross-border situations. In order to effectively address the risks posed by the misuse of virtual assets for money laundering and terrorist financing purposes, the Union should promote the application at global level of the standards implemented by this Regulation and the development of the international and cross-jurisdictional dimension of the regulatory and supervisory framework for transfers of virtual assets in relation to money laundering and terrorist financing.

(9) Directive (EU) 2015/849 of the European Parliament and of the Council (7), as a result of its amendment by Directive (EU) 2018/843 of the European Parliament and of the Council (8), introduced a definition of virtual currencies and recognised providers engaged in exchange services between virtual currencies and fiat currencies, as well as custodial wallet providers, among the entities subject to anti-money laundering and counter-terrorist financing requirements under Union law. Recent international developments, in particular within the framework of FATF, now imply the need to regulate additional categories of virtual asset service providers not yet covered and to broaden the current definition of virtual currency.

(10) The definition of crypto-assets in Regulation (EU) 2023/1114 of the European Parliament and of the Council (9) corresponds to the definition of virtual assets set out in the revised FATF Recommendations, and the list of crypto-asset services and crypto-asset service providers covered in that Regulation also encompasses the virtual asset service providers identified as such by FATF and considered likely to raise money laundering and terrorist financing concerns. In order to ensure coherency of Union law in that area, this Regulation should use the same definitions of crypto-assets, crypto-asset services and crypto-asset service providers as those used in Regulation (EU) 2023/1114.

(11) The implementation and enforcement of this Regulation represent relevant and effective means of preventing and combating money laundering and terrorist financing.

(12) This Regulation is not intended to impose unnecessary burdens or costs on payment service providers, crypto-asset service providers or persons who use their services. In that regard, the preventive approach should be targeted and proportionate and should be in full compliance with the free movement of capital, which is guaranteed throughout the Union.

(13) The Union’s Revised Strategy on Terrorist Financing of 17 July 2008 (the ‘Revised Strategy’) states that efforts must be maintained to prevent terrorist financing and to control the use by suspected terrorists of their own financial resources. It recognises that FATF is constantly seeking to improve its recommendations and is working towards a common understanding of how they should be implemented. The Revised Strategy notes that implementation of the revised FATF Recommendations by all FATF members and members of FATF-style regional bodies is assessed on a regular basis and that a common approach to implementation by Member States is therefore important.

(14) In addition, the Commission in its communication of 7 May 2020 on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing identified six priority areas for urgent action to improve the Union’s anti-money laundering and counter-terrorist financing regime, including the establishment of a coherent regulatory framework for that regime in the Union to obtain more detailed and harmonised rules, in particular to address the implications of technological innovation and developments in international standards and to avoid diverging implementation of existing rules. Work at international level suggests a need to expand the scope of sectors or entities covered by that regime and to assess how it should apply to crypto-asset service providers not covered so far.

(15) In order to prevent terrorist financing, measures with the purpose of freezing the funds and economic resources of certain persons, groups and entities have been taken, including Council Regulations (EC) No 2580/2001 (10), (EC) No 881/2002 (11) and (EU) No 356/2010 (12). To the same end, measures with the purpose of protecting the financial system against the channelling of funds and economic resources for terrorist purposes have also been taken. Directive (EU) 2015/849 contains a number of such measures. Those measures do not, however, fully prevent terrorists or other criminals from accessing payment systems for transferring their funds.

(16) The traceability of transfers of funds and crypto-assets can be a particularly important and valuable tool in the prevention, detection and investigation of money laundering and terrorist financing, as well as in the implementation of restrictive measures, in particular those imposed by Regulations (EC) No 2580/2001, (EC) No 881/2002 and (EU) No 356/2010. It is therefore appropriate, in order to ensure the transmission of information throughout the payment chain or the transfer of crypto-assets chain, to provide for a system imposing the obligation on payment service providers to accompany transfers of funds with information on the payer and the payee and the obligation on crypto-asset service providers to accompany transfers of crypto-assets with information on the originator and the beneficiary.

(17) Certain transfers of crypto-assets entail specific high-risk factors for money laundering, terrorist financing and other criminal activities, in particular transfers related to products, transactions or technologies designed to enhance anonymity, including privacy wallets, mixers or tumblers. To ensure the traceability of such transfers, the European Supervisory Authority (European Banking Authority), established by Regulation (EU) No 1093/2010 of the European Parliament and of the Council (13) (EBA), should clarify, in particular, how the risk factors listed in Annex III to Directive (EU) 2015/849 are to be taken into account by crypto-asset service providers, including when carrying out transactions with non-Union entities that are not regulated, registered or licensed in any third country, or with self-hosted addresses. Where situations of higher risk are identified, EBA should issue guidelines specifying the enhanced due diligence measures that obliged entities should consider applying to mitigate such risks, including the adoption of appropriate procedures such as the use of distributed ledger technology (DLT) analytic tools, to detect the origin or destination of crypto-assets.

(18) This Regulation should apply without prejudice to the national restrictive measures and Union restrictive measures imposed by regulations based on Article 215 of the Treaty on the Functioning of the European Union, such as Regulations (EC) No 2580/2001, (EC) No 881/2002 and (EU) No 356/2010 and Council Regulations (EU) No 267/2012 (14), (EU) 2016/1686 (15) and (EU) 2017/1509 (16), which may require that payment service providers of payers and of payees, crypto-asset service providers of originators and of beneficiaries, intermediary payment service providers, as well as intermediary crypto-asset service providers, take appropriate action to freeze certain funds and crypto-assets or that they comply with specific restrictions concerning certain transfers of funds or of crypto-assets. Payment service providers and crypto-asset service providers should have in place internal policies, procedures and controls to ensure implementation of those restrictive measures, including screening measures against Union and national lists of designated persons. EBA should issue guidelines specifying those internal policies, procedures and controls. It is intended that the requirements of this Regulation on internal policies, procedures and controls related to restrictive measures will be repealed in the near future by a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

(19) The processing of personal data under this Regulation should take place in full compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (17). Further processing of personal data for commercial purposes should be strictly prohibited. The fight against money laundering and terrorist financing is recognised as an important public interest ground by all Member States. In applying this Regulation, the transfer of personal data to a third country is required to be carried out in accordance with Chapter V of Regulation (EU) 2016/679. It is important that payment service providers and crypto-asset service providers operating in multiple jurisdictions with branches or subsidiaries located outside the Union should not be prevented from transferring data about suspicious transactions within the same organisation, provided that they apply adequate safeguards. In addition, the crypto-asset service providers of the originator and of the beneficiary, the payment service providers of the payer and of the payee and the intermediary payment service providers and intermediary crypto-asset service providers should have in place appropriate technical and organisational measures to protect personal data against accidental loss, alteration, or unauthorised disclosure or access.

(20) Persons that merely convert paper documents into electronic data and are acting under a contract with a payment service provider, and persons that provide payment service providers solely with messaging or other support systems for transmitting funds or with clearing and settlement systems should not fall within the scope of this Regulation.

(21) Persons that provide only ancillary infrastructure, such as internet network and infrastructure service providers, cloud service providers or software developers, that enables another entity to provide transfer services for crypto-assets, should not fall within the scope of this Regulation unless they perform transfers of crypto-assets.

(22) This Regulation should not apply to person-to-person transfers of crypto-assets conducted without the involvement of a crypto-asset service provider, or to cases where both the originator and the beneficiary are providers of transfer services for crypto-assets acting on their own behalf.

(23) Transfers of funds corresponding to services referred to in Article 3, points (a) to (m) and point (o), of Directive (EU) 2015/2366 of the European Parliament and of the Council (18) do not fall within the scope of this Regulation. It is also appropriate to exclude from the scope of this Regulation transfers of funds and of electronic money tokens, as defined in Article 3(1), point (7), of Regulation (EU) 2023/1114, that represent a low risk of money laundering or terrorist financing. Such exclusions should cover payment cards, electronic money instruments, mobile phones or other digital or information technology (IT) prepaid or postpaid devices with similar characteristics, where they are used exclusively for the purchase of goods or services and the number of the card, instrument or device accompanies all transfers. However, the use of a payment card, an electronic money instrument, a mobile phone or any other digital or IT prepaid or postpaid device with similar characteristics in order to effect a transfer of funds or of electronic money tokens between natural persons acting as consumers for purposes other than trade, business or professional activity, falls within the scope of this Regulation. In addition, automated teller machine withdrawals, payments of taxes, fines or other levies, transfers of funds carried out through cheque images exchanges, including truncated cheques, or bills of exchange, and transfers of funds where both the payer and the payee are payment service providers acting on their own behalf should be excluded from the scope of this Regulation.

(24) Crypto-assets that are unique and not fungible are not subject to the requirements of this Regulation unless they are classified as crypto-assets or funds under Regulation (EU) 2023/1114.

(25) Crypto-asset automated teller machines (the ‘crypto-ATMs’) can enable users to perform transfers of crypto-assets to a crypto-asset address by depositing cash, often without any form of customer identification and verification. Crypto-ATMs are particularly exposed to money laundering and terrorist financing risks because the anonymity they provide, and the possibility of operating with cash of unknown origin, make them an ideal vehicle for illicit activities. Given the role of crypto-ATMs in providing or actively facilitating transfers of crypto-assets, transfers of crypto-assets linked to crypto-ATMs should fall under the scope of this Regulation.

(26) In order to reflect the special characteristics of national payment systems, and provided that it is always possible to trace the transfer of funds back to the payer, Member States should be able to exempt from the scope of this Regulation certain domestic low-value transfers of funds, including electronic giro payments, used for the purchase of goods or services.

(27) Due to the inherent borderless nature and global reach of transfers of crypto-assets and of the provision of crypto-asset services, there are no objective reasons to distinguish the treatment of money laundering and terrorist financing risks of national transfers from that of cross-border transfers. In order to reflect those specific features, no exemption from the scope of this Regulation should be granted to domestic low-value transfers of crypto-assets, in line with the FATF requirement to treat all transfers of crypto-assets as cross-border.

(28) Payment service providers and crypto-asset service providers should ensure that the information on the payer and the payee or on the originator and the beneficiary is not missing or incomplete.