Amendments to Transfer of Funds Regulation

In this Article

Dr Justine Scerri Herrera

What is there to know about the amendments to the Transfer of Funds Regulation? On the 31st of March of 2022, the ECON-LIBE voting session of the EU Parliament voted for the proposal. Whereby it aimed to implement certain amendments to the Reg.2015/847 (Transfer of Funds Reg). The proposal passed with a majority of the votes.

The proposal targets Virtual Assets (VAs) and Virtual Assets Service Providers (VASPs). Among the many amendments brought forward, some of them have caught the special attention of Industry players. Rules will be imposed on “unhosted wallets”.

Money in water cash and coins FATF KYC AML Compliance Banking Industry Financial Institutions Transfer of Funds

The Play



Amendment 15. Recital 27 b (new). This rule imposes CASPs or any other entity to collect and retain information from the originator and beneficiary. When does this process occur?  When dealing with transactions that involve an “unhosted wallet”  (from the beneficiary, when feasible).

Moreover, entities should be able to reject or suspend the Tx if they deem it to be “suspicious”.  Accordingly, the risk-sensitive process deserves much scrutiny. 

Amendment 33 (Art.3 – paragraph 1 – point 17a (new)). This rule defines an “unhosted wallet” as any crypto-asset wallet not held by a CASP. In this scenario, therefore, the CASP does not manage the crypto-asset. The proposal aims to include Txs from/to “unhosted wallets” under Reg.2015/847, as soon as it obligates the entities involved. (with Ref. to explain statements, point 2 at the end of the doc).  Amendment 52. Art 14 – paragraph 5a (new). This rule institutes a burden on the entity and requires it to obtain and retain information related to the Txs from its customers, where available. This extends the obligation to serve the authorities. 

Amendment 59. Art. 16 obligates the beneficiary interacting with an “unhosted wallet” to provide the necessary information. Furthermore, it obligates CASPs to request such information. 

Amendment 78. Art. 30 extends the request for a further report on the progress made.  Point “b” requests an analysis of the needs, feasibility and proportionality of specific measures to mitigate risks posed by “unhosted wallets”. This includes possible requirements to identify beneficial owners. Point “c” requests an analysis of trends involving the use of “unhosted wallets” and associated risks related to terrorism and money laundry. It also limits CASPs and hardware & software providers on Txs.

Amendment 16. Recital 28. This amendment treats all transfers of crypto-assets as cross-border wire transfers, with no simplified domestic wire transfer regime.  Explanatory statements at the end of de doc), Point 2 establishes a lack of transmission of information regarding “unhosted wallets”.   

Point 3. Extending the information of disclosure established within Art. 14 and subsequent, to “know your transaction” requirements. This latter requirement involves the disclosure of the source and destination of Crypto-Assets involved in a Txs. 

Such highly qualified individuals in fast-growing markets such as Malta may apply for advantageous tax regime of the highly qualified persons scheme. This scheme includes flat tax rate of 15% up to a maximum income of EUR 5 million. Any excess above the EUR 5 million threshold is exempt from tax.

Part I



The proposal aims to implement a modification (or extension) of the “Travel Rule”. This was developed by FATF and tailored for VAs and VASPs (equivalent to CASPs in the EU under the governance of MICA). The history of the development of the “Travel rule” can be traced back to the U.S Banking Secrecy Act (BSA).

At the time, Capone and other characters gained their reputation as untouchables. Later on, Nations adopted the term “terrorism funding” and “Money Laundering” as their new legal basis to justify rules on disclosure of information. The attacks on the World Trade Center served to exacerbate this. Then the London and Paris attacks followed, serving as catalysts to further strengthen such measures.

Concurrently, KYC/AML requirements materialised those rules. Especially those on ‘disclosure’,  forever changing the Banking Industry and the privacy of Citizens.

From when we effectively adopted the BSA, the fight against terrorism funding and money laundering has achieved a legal footing. As such, Nations enjoy the physical capacity to request from Financial Institutions certain information from Citizens. Ergo, Nations implement such measures to serve the purposes of “National Security”.

In fact,  the FATF and the “Travel rule” play an essential part in materialising such national policies. They help form the regulatory framework.

The information necessary to honour the “Travel Rule” is found throughout Amendments 42 and 57. 

 Regardless of whether we gather data from a hosted or “unhosted wallet”, this approach holds every user of VAs and CASPs as a potential terrorist or money launderer, directly or indirectly.

This places users of VAs and CASPs under the highest-risk category for compliance purposes. The higher the level of risk, the harder the measures to apply. That’s a far extreme approach to adopt considering the EU Digital Finance Package and the true valuation of Blockchain Technology as ICT with the capacity to foster a DATA-driven society. The ramifications of such consequences shouldn’t be taken lightly. 

As a heritage, there is a matter with Legacy systems. Realistically,  the Travel Rule’s data request is gathered and processed within a centralised database. Moreover, such systems aren’t resilient to human error. For example, when information is unintentionally wrong or incomplete, transfers can be “red-flagged” as “suspicious” and under the “presumption” of tTF and/or ML. The same can happen with unrecognised IP addresses, geolocalization of IP addresses and countries under “grey lists”.

Operatively, this implies possible cancellation of the Txs and further investigation of the facts. Potentially, the originator of the data could be “Blacklisted”, thus triggering further complications for future transactions.  Evidently, we can present independent evidence upon a Financial Institution’s request and wait until it updates the Ledger. Even then, the user has no certainty about their details being effectively erased from that Blacklist. 

Part II

Transfer of Funds Regulation


We have had numerous instances in which people receive a phone call from their bank after their attempt to deposit or withdraw funds to a crypto exchange. In addition, these were also requested to present themselves in person at the Bank’s premisses along with evidence..

From a legal perspective, they sound very confident in accusing people devoid of independent evidence. Nonetheless, we all still pay banking charges for putting our funds at the disposal of the Banking sector. Once again, within that Legacy system that “red flag” triggers that categorisation. Whatever the justification, by this point the damage is already done.

This imposes a burden on users to defend themselves from crimes that they never committed. Not to mention the remaining issues arising out of being placed on a Blacklist. Such as sustaining banking correspondence.

Furthermore, the level of scrutiny applied to the data in order to detect terrorism funding and money laundering is far more intrusive and sensitive. Finally, there is no evidence supporting a clear link between the increase of terrorism funding and money laundering with the usage of  “unhosted wallets”. Or not beyond the hypothetical risk attached to the technical qualities of decentralisation and speed endowed by Blockchain. Alas, it might be wiser to have a look at the current issues created by those Legacy systems prior to blaming new technology.

The process for Money Laundering consists of three phases: placement, layering and integration. Yet, a Financial Institution willing and capable to engage in the process will steer the funds outside of the accounting ledgers of the financial system. As a result, Financial Institutions are liable under the “Travel Rule”.

 “Unhosted wallets”, on the other hand, are nothing more than a communication layer between different protocols. Eventually, users of “unhosted wallets” already comply with KYC/AML.  As a reference, before being able to dispose of funds within the Metamask wallet, one needs to go through a Financial Institution to clear FIAT funds (either a Bank or an Investment Firm or a regulated Institution offering Stablecoins). Sequentially, one needs to convert funds into the format of the token that the Protocol supports. Only then can they transfer to Metamask. 

Cloning the same rule over “unhosted wallets” implies the third or fourth layer of replicated enforcement. In practical terms, this decision might come at the expense of a misallocation of resources in Compliance programs and software development and maintenance. Thus, offering nothing more than duplicated information. At the same time, it burdens users with an unnecessary layer of identification. Therefore slowing adoption and deterring interaction with Blockchain Protocols and Defi.

We take this point  seriously. Considering that fulfilling KYC/AML requirements is an ongoing activity, it more often than not annoys users. Altogether, these measures delay the development of other technologies like IoT and Web 3.0 (Especially, the Metaverse). Thereby relying heavily upon Blockchain Technology and deep databases for development.

Part III

Transfer of Funds Regulation


Regarding the request of data by the “Travel Rule”. What methodology so we apply to the processing of such data?  Are we speaking of a deductive or inductive methodology? What’s the rate of false positives? This is essential considering the facts at stake.

For reference, we all may provide wallet addresses, dates of birth and details about the source and destination of the funds. However, those details in isolation do not suffice to reach certainty about terrorist funding activities or money laundering. Conversely, details analysed in combination with inductive methodologies might give some extra hints that allow whoever is analysing the data to “theorise” about an individual’s. Also at the expense of implementing methodologies for data analysis not disclosed to the citizens.

It is essential to deal with this aspect very delicately, considering the immutable and perpetual properties of Blockchain Technology in conjunction with the developments of AI in the field of behavioural recognition. Otherwise, the wrong approach may lead to a clash between the development of Blockchain and human freedom. We need more clarification from the Legislator to understand the operative aspect of this point. with no exclusion of the risks involved in the processing of data to pursue public policies against ML and TF.

In tandem, Blockchain technology leverages the same level of scrutiny, which can be placed upon disclosure and transparency coming from States and Institutions of certain dimensions. In addition,  there is no need for a de-minimis threshold of USD 1000 to track the allocation of the funds collected from the taxpayers.    

Furthermore, in terms of identity, it is worth mentioning the progress made by Decentralized Identifiers (DIDs) Self-sovereign Identities (SISs) Data Monetization and Data Portability. Another example of progress in terms of privacy and scalability is “Whisper”. Most of these developments can be implemented in “unhosted wallets” without the need to expose data to centralised Legacy systems while relaxing the burden for disclosure and protecting privacy.

Perhaps a conversation between the FATF (or the EU Parliament) and the Blockchain industry may help to bring more useful tools in terms of privacy and data management. This should come instead of imposing outdated solutions for novel technologies and drive us towards decentralisation, privacy, and simplicity.

In Conclusion

Transfer of Funds Regulation

To date, FATF is not aware of any technically proven means to identify the VASP that manages the “unhosted wallet” accurately, precisely and exhaustively. Read Footnote 30

The amendments towards “unhosted wallets” give us only one piece of the puzzle. The real issue comes with a degree of surveillance to delegate to the EBA towards DEFI through Reg. 2018/847 and MICA.  The consequences of this may lead to a de-facto expropriation of the DeFI ecosystem through the imposition of formalities biased towards economic interests. We’re awaiting more updates on the Transfer of Funds Regulation.

How Can We Help?

Need some form of training on CASPS or further details about the Amendments? Has the Transfer of Funds Regulation changed your business in anyway? We can help! Drop us a line:

Key Contact

Dr Justine Scerri Herera


More about MK Fintech Partners Ltd.

Michael Kyprianou Fintech Partners Ltd. is a Maltese company providing services in the FinTech sector. It comprises a team of dedicated experts who provide services such as Legal Advisory, Crypto Licensing, Token Issuers’ Licensing, Investment Services Licensing, and registrations of activities related to Fintech, Crypto, Blockchain & Data Protection, Investment Funds Services & Banking, Company Incorporations, and M&As.

MK Fintech Partners forms part of the Michael Kyprianou Group, a top tier international legal and advisory firm. It has established an enviable reputation as a broad-based legal practice over the years. Mainly by keeping at heart its principle to always exceed its clients’ expectations. MK has grown to become one of the largest law firms in Cyprus with offices in Nicosia, Limassol and Paphos. The MK Group’s international presence also includes fully-fledged offices in Greece (Athens and Thessaloniki), Malta (Birkirkara), Ukraine (Kiev), the United Arab Emirates (Dubai), United Kingdom (London), Israel (Tel Aviv), and Germany (Frankfurt).

The content of this article is valid as at the date of its first publication. It intendeds to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on a specific matter before acting on any information provided. For further information, contact us at MK Fintech Partners via email at or by telephone +356 2016 1010.

Share this article: