Response to consultation on Guidelines on preventing the abuse of funds and certain crypto-assets transfers for ML/TF (Travel rule Guidelines)
Question 1. Do you agree with the proposed provisions? If you do not agree, please explain how you think these provisions should be amended, and set out why they should be amended. Please provide evidence of the impact these provisions would have if they were maintained as drafted'?
The Wolfsberg Group (the “Group”) welcomes the opportunity to provide comments on the Consultation Paper “Travel Rule Guidelines”, published on 24 November 2023 (EBA/CP/2023/35). The Group believes that it would be beneficial to the industry to have greater clarity with respect to the obligations for institutions emanating from the underlying “Funds Transfer Regulation” (FTR) and has structured its feedback accordingly. The Travel Rule Guidelines present an opportunity to look at the requirements so as to facilitate impactful controls, proven to manage financial crime risk effectively.
While this is outside the scope of the current consultation, the Group recommends that the FTR itself be reviewed to ensure it addresses current payment market practices such as many-to-many payments[1], the use of virtual IBANs/equivalents, the use of non-Swift messaging and the inclusion of ISO 20022 terminology.
The Group’s response focuses primarily on Payment Service Providers (PSPs) and fund transfers. It is organised into general comments first, followed by commentary on specific sections.
High-level Considerations
The Group considers that more explicit guidance from the EBA would be beneficial in the following areas:
Transfer of funds requirements
Role differentiation
- In a transfer chain, each PSP has a different role and, as a result, has access to different sets information. We believe that the responsibilities assigned to each actor – payer PSP, intermediary PSP (IPSP), payee PSP – need to reflect this. The draft Guidelines do not make this distinction and, in particular, fail to acknowledge the position of IPSPs, which lack the ability to collect or process information on non-customers.
- In many cases, e.g. Paragraphs 4, 21, 22, 26, 29 and 43, the requirements set out in the Guidelines should only be applicable to payer PSPs, as only they are in possession of the necessary information to satisfy the requirements.
- For a more detailed view of the Group’s stance on roles and responsibilities in the transfer chain, please refer to the 2023 Wolfsberg Group Payment Transparency Standards.[2]
Treatment of batch[3] payments
- We are concerned that the requirements introduced in Guidelines 3.2 may be interpreted as a new obligation to “un-batch” all payments, with the information on underlying payers and payees to be passed on to the next PSP including to and by IPSPs.
- The Group suggests that the Guidelines provide an acceptance of the limitations institutions face in obtaining Due Diligence information on non-customers and recognition that consumers may be unwilling to provide information to an institution with which they have no relationship. The responsibility for complying with the FTR in the scenario of batch transfers should be clarified and placed on the payer rather than the intermediary PSP.
Information accompanying transfers of funds
- It is standard industry practice to provide, in a payment message, the payer’s address or document number and account number or the date and place of birth. As opposed to what Guideline 4.3 suggests, the (offline) transmission of a combination of these data points should only be considered relevant or necessary where the payer is not sufficiently identified.
Detecting missing or incomplete information
- Certain provisions in the draft Guidelines appear to suggest that ex-post monitoring for missing or incomplete information – which is the expectation in the FTR – is not permitted (see paragraphs 33, 43, 44, 46, and 51).
Consistency in, and clarification of, terminology
In several instances, there would be benefit in clarifying the terminology used to ensure a consistent interpretation of requirements, thereby allowing for greater standardisation. Key examples include:
- The lack of definition of clear attributes that constitute “linked” transactions in Guideline 2.2.
- The lack of a specific definition of “messaging systems” in Guideline 3.1 including ambiguity in the use of the terms “payment and settlement” and “transfer and settlement” systems.
- The introduction of the new terms “unambiguous” and “inconsistent” in Guidelines 4.3 and 5.4 respectively.
CASP-focused remarks
- Although the Group’s feedback is centred on PSPs and funds transfers, we request that the Guidelines address the fact that CASPs cannot block or reject transfers akin to what happens in fiat currencies (Guideline 7.1) and the impossibility of identifying self-hosted wallets (Guideline 5.3).
- We also suggest that the Guidelines clarify that transaction fees relating to crypto asset transfer are not within scope of the travel rule; the reasons for the exemption are outlined below under Guideline 2.
In the sections that follow, feedback is provided as to specific provisions in the proposed Guidelines.
Detailed Considerations
Guideline 2, Exclusion from the scope of Regulation (EU) 2023/1113 and derogations
We request that the EBA confirm that transaction fees (gas fees) are out of scope of the FTR and these Guidelines, given that the unique characteristics of paying transaction fees will preclude the ability to apply these requirements to certain distributed ledger technologies. This aligns with the exemption in the Financial Action Task Force (FATF) Guidance on Virtual Assets and VASPs (paragraph 180).
Guideline 2.1, on determining whether a card, instrument or device is used exclusively for the payment of goods or services as per Article 2(3) point (a) and (5) point (b) of Regulation (EU) 2023/1113
We note that Article 2(3) exempts transfers of funds executed using a payment card, electronic money instrument, mobile phone or other digital or IT prepaid or postpaid device from the Regulation provided that the card, instrument, or device is used exclusively to pay for goods and services. We encourage the EBA to focus its guidance on the functionality of cards, instruments and devices provided by PSPs to their customers (the payers) and not to requiring PSPs to monitor how those cards, instruments and devices are used by customers. Industry practice is to consider the functionality of the card, instrument or device provided to customers, exempting those that cannot be used to make fund transfers from the Regulation (such as closed loop store cards). It is impracticable to monitor usage of card, instrument or device that can be used both for payment of goods and services and funds transfers in order to determine which customers that own that card, instrument or device qualify for this exemption.
While the payer’s PSP may reasonably be expected to know whether its customer (the payer) is engaged in economic or professional activity, the payer’s PSP would not have this information available about the payee unless the payee is its customer. We recommend that the EBA state that the requirements are not mandatory but rather suggested guidelines for PSPs to consider in their assessment of whether the transaction initiated by their customer is used for the purchase of goods or services. Similar considerations are applicable to transfers of crypto assets and Paragraphs 5(b) and 5(c).
In addition, we believe that the industry and consumers would benefit from the clarification of what falls in the category of goods and services through some real-life examples. For instance, whether the purchase of FX currencies and an associated transfer of funds in another country would be considered a service.
Guideline 2.2, on Linked transfers in relation to the 1000 EUR threshold (Article 2(5)(c), Article 5(2), Article 6(2) and Article 7(3) of Regulation (EU) 2023/1113)
We encourage the EBA to reconsider its guidance that funds transfers should be treated as linked where “sent by the same payer to the same payee or persons linked with them” and “sent from [...] different payers to the same payee or persons connected with them” (Paragraph 7(b)). We agree that a reasonable threshold should be set for verification measures to avoid impairing the efficiency of payment systems and to balance the risk of driving transactions underground. However, it is neither practical nor reasonable for PSPs to identify payers or payees that are “linked”, for example through family or professional connections, when they have only one of the parties as a customer. We caution that a new definition of “linked transfers” that incorporates ‘persons connected’ to the payer or payee sets an overly strict threshold that will result in PSPs being unable (and/or choosing not) to apply the EUR 1000 verification threshold. There is an additional risk that this may marginalise vulnerable people who may difficulty verifying their identity to the prescribed standard and could therefore ultimately drive transactions underground, away from regulated PSPs and out of sight of law enforcement.
In the same paragraph, a more specific definition of what is considered a “short timeframe” would enable PSPs to evaluate their ability to comply with this part of the Guidelines.
Guideline 3.1, on the interoperability of protocols
The term “messaging systems”, as distinct from transfers, payments and settlement systems, is not defined in Article 3 of the FTR nor in the Glossary on page 13 of the Guidelines. For this reason, it is open to varied interpretation. As the Guidelines apply to Funds Transfers, we would recommend that the term “messaging systems” be defined solely in the context of transfers, payments and settlement systems that move both information and value.
Paragraph 11 fails to recognise practical challenges that arise from the use of different protocols or messaging systems, across different jurisdictions, where differing formats are used that have varying levels of capacity to include information. While the Group supports the premise aimed at maintaining data integrity, the language as drafted (“Where PSPs […] cannot ensure that their systems are able to convert information into a different format without error or omission, the PSPs […] should not use such systems”) is not aligned to industry practice. We suggest amending the language as follows: “Where PSPs […] cannot <reasonably be expected to> ensure that their systems are able to convert information,” acknowledging that PSPs/IPSPs/CASPs/ICASPs should have processes in place to avoid the truncation of relevant information (e.g. by using abbreviations) and prioritise the information to be transmitted to the next PSP in the transfer chain.
Guideline 3.2, on Multi-intermediation and cross-border transfers
The Group recognises that this Section aims to address the complexities of cross-border/domestic payment flows. Nonetheless, the proposed solution in Paragraph 17 (“Where the transfer is made from a cross-border channel to a domestic channel the domestic IPSPs or PSPs should assess whether the transfer is correctly identified as a cross-border transfer.”) may be viewed as a new requirement which goes beyond the scope of the FTR and presents significant implementation challenges. The absence of an internationally applied cross-border transfer indicator/marker in payments and messaging systems, as well as the technical limitations of some Swift and non-Swift messaging systems in allowing the transmission of all relevant information to the next PSP, will make it challenging – if at all possible – for PSPs to be able to comply with the Guideline as it is currently drafted.
The Group recommends revising the language to “PSPs should select the domestic system that maximises the transparency of the cross-border nature of the payment and the information about the parties to the payment transmitted to the next PSP in the payment chain, that can be readily understood by all intermediary and/or beneficiary PSPs.” This retains the spirit of maximising payment transparency. For further context, please refer to the Wolfsberg Payment Transparency Standards.
In addition, Paragraph 17 (“…when the PSP or IPSP handling a transfer does not have a direct relationship with the payer, that PSP or IPSP should ensure that the next PSP in the transfer chain receive the information on the payer and payee.”) may also have significant unintended consequences with regards to batch transfers. The indication that PSPs/IPSPs should ensure that the next PSP in the transfer chain receives the information on payer and payee can be construed as a requirement to un-batch all batch payments, and for the information on underlying payers and payees to be passed on to the next PSP. If interpreted this way, this requirement will have a considerable impact on how the industry operates, as illustrated in our comments in the section below (Guideline 3.3). The Group is firmly of the view, as set out in our Payment Transparency Standards, that IPSPs should pass on all the information that they receive within payment messages, to the fullest extent permitted by the relevant payment and messaging systems, to the next PSP in the transfer chain. Provided that adequate steps are taken to ensure complete message transmission, the Guidelines should state explicitly that further requirements to un-batch will not apply.
We recommend that Paragraph 17 be revised so that it is clear that it refers only to transfers that have not been batched, and that our comments relating to that Paragraph also be considered for Paragraph 19.
Guideline 3.3, Batch transfers (Article 6(1), Article 7(2) (c), Article 15, Article 16(1), Article 20 of Regulation (EU) 2023/1113)
With regards to batch transfers – Paragraph 19, we would reiterate our previous comments (see Paragraph 17) that the primary responsibility for ensuring compliance with the FTR should be that of the payer PSP (or payee PSP for direct debit transactions), as it is best placed to capture, verify, and retain the required information given that it maintains the customer relationship. If an IPSP were required to receive all the underlying information then the benefits of batching will be negated as, rather than processing a single payment (without underlying information), the IPSP will effectively be processing all the underlying payments along with their respective information, which will inevitably have an impact on both costs and speed of execution.
The increase in costs to consumers would be due to a loss of the economies achieved by batching and the impact on the speed of execution of the transfer would be a result of the additional controls that will need to be performed. These include:
- If existing batch payments were required to be un-batched, then controls currently applied to a single payment (without payer and payee information) would have to be applied to each individual payment in the batch, thereby increasing the likelihood of false positives from screening which would increase costs and possibly introduce delays in the execution of the payments.
- If “missing information” is routed “via an alternate channel mechanism”, the PSP will need to reconcile the two different transmissions of information, possibly sent at different times, so that screening of the information on the parties to, and purpose of, the payment is performed prior to the payment being processed which may cause delays. Transaction monitoring systems would also need to be reconfigured to be able to receive data from two different sources.
Guideline 4, on identifying the specific data points to be transmitted as part of the information required under Article 4(1) and (2) and Article 14(1) and (2) of Regulation (EU) 2023/1113
The Group suggests that the EBA focus on the following challenges with respect to Section 4.3.
To foster more standardisation, and leave less room for interpretation of what these terms mean, we suggest that Paragraphs 23(a) and 23(b) should be consistent with the proposed text for the so-called EU AML/CTF Regulation (COM/2021/420 final) and particularly Article 18(1). As such, in 23(a), we recommend that “habitual residence” be changed into “usual place of residence,” and that the word “postal” be inserted before “address” in the sentence “the PSP or the CASP may use an address…”. In paragraph 23(b), we recommend changing “registered office” into “address of the registered or official office, or, if different, the principal place of business”.
We strongly suggest that Post Office Box numbers be considered as an acceptable identifier of address for jurisdictions where these are considered acceptable and adequate absent any other form of address, (Paragraph 25), given that these are considered as acceptable in a number of jurisdictions. As in prior comments, only the PSP holding the customer relationship will be able to know if an address is “virtual”.
We encourage the EBA to reconsider its guidance in Paragraph 26. Firstly, it is not industry practice for PSPs to include the payer's official personal document number, customer number or date and place of birth in outbound payments. Official personal document number and date and place of birth are interpreted as alternatives to providing the payer’s address. A customer identification number will typically only be provided when the payer does not have an account. As such, industry practice is typically to provide payer’s name, account number (or customer identification number where there is no account), address (including the country) and date and place of birth (the latter when needed). This information is sufficient for sanctions screening, analysis of suspicious activity and for assisting law enforcement in detection, investigation, and asset recovery.
We welcome acknowledgement in Regulation (EU) 2023/1113 that Union action should take account of developments at an international level. We note that peer countries such as the UK and US, do not require payments to contain all the data points set out in paragraph 26. As such, if EU PSPs are required to monitor and suspend/reject payments that do not include all this information, the result will be disruption of legitimate payments into the EU to the detriment of the soundness of the financial system and of EU consumers and businesses and place EU PSPs at a competitive disadvantage.
The introduction of the term “unambiguous” in Paragraph 26, without further clarification, will present significant challenges to the speed of payment processing and resultant delays for consumers and businesses. As the FTR does not use such terminology, referring only to “accurate” and “complete” information, this appears to introduce a higher standard than outlined in the FTR. We recommend strongly that the term be removed, as its subjective nature may inadvertently create the very ambiguity that the Guidelines are seeking to resolve, and the language used in the FTR (“complete” and “accurate”) retained with the possibility to further clarify these requirements by referencing the Basel Committee on Banking Supervision’s language on “manifestly meaningless information”[4]. Should the EBA nonetheless retain the term, it would need to be clearly articulated how this would substantiate the regulatory requirements it is linked to, as well as what would qualify as “unambiguous.”
Guideline 4.4, Providing an equivalent Identifier to the LEI of the payer (Article 4(1) point (d) of Regulation (EU) 2023/1113), of the payee (Article 4(2) point (c) of Regulation (EU) 2023/1113), of the originator (Article 14(1) point (e) of Regulation (EU) 2023/1113) and of the beneficiary (Article 14(2) point (d) of Regulation (EU) 2023/1113)
The Group requests clarification as to whether all the criteria listed are required or whether the items can be taken as a list of alternatives.
Guideline 5.3, Monitoring of transfers (Articles 7(2), Article 11(2), Article 16(1) and Article 20 of Regulation (EU) 2023/1113)
We strongly recommend that the EBA amend Paragraph 33 (“…procedures how to determine which transfers are appropriate to be monitored before the transfer takes place and which transfers are appropriate to be monitored during the transfer”) to acknowledge the possibility of deploying ex-post monitoring for detecting missing information. This is clearly allowed under Article 7(2) of the FTR (“…including, where appropriate, monitoring after or during the transfers”) and called out in Paragraph 29(b) of these Guidelines (“a combination of monitoring practices during and after the transfer…”).
With respect to the list of risk factors set out in Paragraph 34, we believe it is far more effective to assess a combination of risk relevant factors, rather than imply or require that all of them be considered; we therefore suggest that the language be rephrased, as follows: “PSPs, IPSPs, CASPs and ICASPS should consider one or more among the factors below:”.
On CASPs specifically, in relation to Paragraph 34(e), we wish to bring the EBA’s attention to the fact that, at present, it is not possible to fully identify and differentiate a hosted or self-hosted wallet.
Guideline 5.4, Missing information checks (Article 7 (2), Article 11 (2), Article 16 (1) and Article 20 of Regulation (EU) 2023/1113)
Referring to the earlier point, the Group suggests that the EBA update Paragraph 37 to focus only on empty mandatory fields as defined by regulation and provide clear guidance on how to determine whether some information is “inconsistent”; if no such guidance is possible then we recommend deletion of the term. As set out in this response, the industry is familiar with the concepts of missing, incomplete, inaccurate information. The introduction of new terminology without sufficient clarification would contribute to hinder consistency in the application of requirements.
Guideline 6.2, Rejecting or returning a transfer (Article 8(1) point (a), Article 12 point (a), Article 17(1) point (a) and Article 21(1) point (a) of Regulation (EU) 2023/1113)
Requests for Information (RFIs) turnaround times can be affected by e.g. the number of parties in a payment flow, language differences between those parties, time zone differences and the presence of non-working days. Placing limitations on the turnaround times for RFIs may therefore not be practicable and we suggest that some assurance that longer than three or five working days (though still reasonable) timelines can be applied as this would be beneficial to the effectiveness and desired intent of the process and not cause suspended payments to be returned simply because the indicative RFI turnaround time has been exceeded rather than for risk-relevant reasons.
Moreover, while the Group recognises the importance of the content of this section, we note that many CASPs will not have the ability to reject payments, which should be accounted for in the Guidelines.
Guideline 6.3, Requesting required information (Article 8(1) point (b), Article 12(1) point (b), Article 17(1) point (b) and Article 21(1) point (b) of Regulation (EU) 2023/1113)
The Group is concerned that, as currently phrased, Paragraphs 43 and 44 do not leave room for ex-post monitoring. Articles 8(1)(b) and 12(1)(b) of the FTR state explicitly that, when information is missing or incomplete, PSPs may, on a risk-sensitive basis, “request the required information on the payer and the payee before or after crediting the payee’s payment account or making the funds available to the payee/the transmission of the transfer of funds”. Paragraph 43 of the Guidelines sets out a 3- or 5-working day deadline for obtaining the required information and Paragraph 44 states that, if an RFI is sent, the prior PSP/IPSP in the transfer chain needs to be notified that “the transfer has been suspended due to missing or incomplete information”. This suggests that the transfer is necessarily suspended before processing and does not recognise the possibility of ex-post monitoring and review. Equally, Paragraph 46 requires PSPs/IPSPs to either reject or execute the transfer if no response is received by the set deadline, which assumes that the transfer is still suspended. Indeed, it is not possible to reject or execute a transfer that has already been processed. The EBA should address the inconsistency between the requirements of SEPA Instant Payments where payments must be made or rejected within specified timeframes and the suspension option set out in these Guidelines.
In addition, under Paragraph 43, it is unclear whether the responsibility lies on the PSP’s customer to supply the missing/incomplete information within the timeframe and if it is not met, who should be held accountable.
Guideline 6.4, Executing a transfer (Article 8(1), Article 12, Article 17(1) and Article 21 of Regulation (EU) 2023/1113)
We welcome the acknowledgement in Paragraph 51 that PSPs may detect missing/incomplete information or inadmissible characters, ex post. However, as highlighted in our comments to Paragraphs 33, 43, 44 and 46, the Guidelines should also recognise that the receiving PSP can pass the information along to the next institution as received and take remedial actions regarding missing/incomplete information ex post. Ex-post monitoring can identify data completeness issues without impacting the timeliness of payment processing (and hence minimising inconvenience to the payer/payee) and can be used to identify remedial action needed to be taken by the PSPs involved. This is in line with existing Repeatedly Failing FI requirements in the FTR.
Guideline 7, Repeatedly failing PSPs, CAPSs, IPSP or ICASPs (Article 8 (2), Article 12 (2), Article 17 (2), and Article 21 of Regulation (EU) 2023/1113)
The Group stresses that it will be both inefficient and ineffective to leave individual PSPs and CASPs to determine the criteria as to when entities should be considered as “repeatedly failing” and if so, what action should be taken. This could promote an inconsistent approach which prevent establishment of a level playing field. We recommend that standardisation be undertaken via a Regulatory Technical Standard, which should set out both the criteria for categorising institutions as “repeatedly failing” institutions and actions for remediation. This should also include possible restrictions in extreme cases where requests for remedial actions sent from PSPs/CASPs do not result in changes in behaviour by the entity deemed as ‘repeatedly failing’.
Paragraph 59 should address the fact that CASPs do not have the possibility to block or reject funds received via distributed ledger technologies.
Thank you in advance for your consideration of our feedback. Please do not hesitate to contact the Wolfsberg Group Secretariat at info@wolfsberg-group.org if you have any questions or would like to discuss this submission further.
[1] As the FTR only appears to envisage transfers of funds from a single payer to several payees.
[2] https://db.wolfsberg-group.org/assets/13422898-fba1-44b3-9679-a8c7406e9e78/Wolfsberg%20Group%20Payment%20Transparency%20Standards%202023.pdf, also attached.
[3] “Batch” is used here for consistency with the FTR and these Guidelines to capture any aggregation of payments, sometimes referred to as “bundled” or “bulk” payments.
[4] Due diligence and transparency regarding cover payment messages related to cross-border wire transfers (https://www.bis.org/publ/bcbs154.pdf).