Introduction
The regulatory treatment of non-custodial wallets under the EU Travel Rule is now a pressing compliance concern for all crypto-asset service providers (CASPs) operating in Cyprus and across the European Union. Following the Cyprus Securities and Exchange Commission (CySEC) Circular issued on 27 December 2024, the implementation of Regulation (EU) 2023/1113, also known as the Revised Transfer of Funds Regulation (TFR), is no longer optional.
1. What Is the Travel Rule?
The Travel Rule, originally developed by the Financial Action Task Force (FATF), requires crypto service providers to collect, verify, and transmit identifying information about the originators and beneficiaries of crypto-asset transfers.
Under the EU TFR (Regulation 2023/1113), this rule has been codified and applies to:
- All crypto-asset transfers, including cross-border and domestic.
- Transactions equal to or exceeding €1,000.
- Transfers involving both custodial and non-custodial wallets, depending on risk.
2. What Are Non-Custodial Wallets?
Non-custodial wallets, also called self-hosted wallets, are cryptocurrency wallets controlled solely by the user, not by a third-party service provider. The private keys are stored on the user’s device, giving them full control over their crypto-assets.
Common examples include:
- Mobile wallets, e.g., Trust Wallet, MetaMask.
- Hardware wallets, e.g., Ledger, Trezor.
- Desktop wallets.
- Browser extensions.
While these wallets enhance privacy, they also pose challenges for KYC/AML compliance, since the user is often pseudonymous and unregulated.
3. What Does the CySEC Circular Say?
On 27 December 2024, CySEC issued a circular confirming that CASPs under its supervision are obliged to implement the Travel Rule under EU Regulation 2023/1113. According to the circular:
- CASPs must obtain and verify the originator and beneficiary information before transferring or receiving crypto-assets.
- This obligation extends to interactions with non-custodial wallets.
- The EBA Guidelines (EBA/GL/2024/11) must be used to inform compliance practices.
- National transposition law is pending, but the regulation is directly applicable as of 30 December 2024.
4. Required Information Under the Travel Rule
For crypto transfers involving a CASP and a non-custodial wallet, CASPs must collect at least:
For the originator (sender):
- Full name.
- Distributed ledger address (wallet address).
- One of: residential address, personal ID number, customer ID number, or date/place of birth.
For the beneficiary (receiver):
- Full name.
- Wallet address.
For transactions below €1,000, simplified obligations apply, but monitoring for linked transactions (structuring) is mandatory.
5. Risk-Based Approach for Non-Custodial Wallets
While the regulation applies by default, CySEC, in line with EBA guidelines, allows for a risk-based approach when dealing with self-hosted wallets. This includes:
Enhanced Due Diligence:
- Applied when transferring to high-risk jurisdictions.
- Where the source of funds is unknown.
- If the wallet has been flagged via blockchain analytics tools, e.g., as used with mixers, the darknet, or sanctioned addresses.
KYC-Lite for Low-Risk Users:
- For first-time deposits, some CASPs use user declarations, browser fingerprinting, or email verification to gather minimum Travel Rule data.
- However, verification must follow before the transfer is completed, especially above the €1,000 threshold.
Avoiding compliance is not an option: transfers from/to non-custodial wallets cannot be used to bypass Travel Rule requirements. Failing to implement proper controls could lead to CySEC sanctions or criminal liability under AML laws.
6. Best Practices for CASPs
To comply with the Travel Rule when dealing with non-custodial wallets, CASPs should:
- Integrate Blockchain Analytics: use providers like Chainalysis, Elliptic, or TRM Labs to (i) screen wallet addresses for risk flags and (ii) identify links to sanctioned entities, darknet markets, or mixers.
- Update Internal AML Policies: (i) include procedures for identifying self-hosted wallets, (ii) define risk indicators and thresholds, and (iii) establish escalation protocols for suspicious transactions.
- Automate Transaction Monitoring: (i) detect structuring, i.e., splitting transfers to avoid the €1,000 threshold, (ii) flag transactions with incomplete originator or beneficiary data, and (iii) implement real-time alerts for high-risk wallet addresses.
- Implement KYC Controls for P2P Transfers: (i) require users to verify ownership of their self-hosted wallets, e.g., via signed messages or micro-deposits, and (ii) monitor ongoing use of non-custodial addresses within the platform.
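The structuring check listed under "Automate Transaction Monitoring", sketched as an added example (not code from this article, CySEC, or any vendor): it links one customer's sub-threshold transfers in a rolling window and alerts when they total €1,000 or more. The 24-hour window, per-customer linking, and all field names are assumptions; only the threshold comes from the text above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal

THRESHOLD_EUR = Decimal("1000")    # threshold named in the article
LINK_WINDOW = timedelta(hours=24)  # assumption: the linking window is a policy choice

@dataclass(frozen=True)
class Transfer:
    tx_id: str
    customer_id: str
    wallet: str          # self-hosted counterparty address
    eur_value: Decimal
    ts: datetime

def find_structuring(transfers, threshold=THRESHOLD_EUR, window=LINK_WINDOW):
    """Alert when one customer's sub-threshold transfers in a rolling window reach the threshold."""
    recent = defaultdict(deque)    # customer_id -> transfers still inside the window
    totals = defaultdict(Decimal)  # customer_id -> running EUR total of that deque
    alerts = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.eur_value >= threshold:
            continue               # already subject to the full data requirements
        q = recent[t.customer_id]
        while q and t.ts - q[0].ts > window:   # evict transfers older than the window
            totals[t.customer_id] -= q.popleft().eur_value
        q.append(t)
        totals[t.customer_id] += t.eur_value
        if len(q) > 1 and totals[t.customer_id] >= threshold:
            alerts.append({
                "customer_id": t.customer_id,
                "linked_tx": [x.tx_id for x in q],
                "wallets": sorted({x.wallet for x in q}),
                "total_eur": totals[t.customer_id],
            })
    return alerts

# Constructed sample data (not real customers, transactions, or addresses).
SAMPLE = [Transfer(i, c, w, Decimal(v), datetime(2025, 1, d, h)) for i, c, w, v, d, h in [
    ("a1", "cust-A", "wallet-1", "300", 6, 9),
    ("a2", "cust-A", "wallet-2", "300", 6, 10),
    ("a3", "cust-A", "wallet-1", "300", 6, 11),
    ("a4", "cust-A", "wallet-2", "300", 6, 12),  # pushes the 24h total to 1200
    ("b1", "cust-B", "wallet-3", "400", 6, 9),
    ("b2", "cust-B", "wallet-3", "400", 8, 9),   # two days later: outside the window
    ("c1", "cust-C", "wallet-4", "1500", 6, 9),  # at or above threshold: skipped here
]]
```

An alert is emitted for each transfer that keeps the windowed total at or above the threshold, so downstream case management should de-duplicate on `customer_id` and the set of linked transfers.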
Non-compliance with the EU Travel Rule, especially where non-custodial wallets are involved, exposes CASPs to fines and regulatory actions by CySEC, criminal sanctions under AML/CFT legislation, reputational damage and banking relationship disruptions, and/or possible suspension or revocation of MiCA authorisation.
Summary: What CASPs Must Do
| Compliance Area | Obligation |
| --- | --- |
| Originator/beneficiary info | Collect before executing the transfer |
| Non-custodial wallet transfers | Subject to Travel Rule + risk-based assessment |
| Threshold | Applies to crypto transfers ≥ €1,000 |
| Structuring detection | Must aggregate linked transfers below threshold |
| Tools to use | Blockchain analytics, KYC vendors, transaction monitoring systems |
| Risk mitigation | Enhanced due diligence + source of funds for high-risk wallets |
Disclaimer
This article does not constitute legal advice and is not intended to provide an exhaustive analysis of the topic. For information or guidance on this matter, you should seek legal counsel. You may contact us for appropriate assistance.