Finland -- Travel Rule Implementation Regulatory Overview

Finland has fully adopted the FATF Travel Rule requirements, primarily through its Act on Virtual Currency Providers (Laki virtuaalivaluutan tarjoajista 572/2019). This legislation transposed the EU's 5th Anti-Money Laundering Directive (5AMLD) and subsequent amendments, aligning Finland with international AML/CFT standards for virtual assets.

Here's a breakdown of the implementation:

1. Adoption and Legal Basis

• Adopted: Yes, the FATF Travel Rule requirements are adopted in Finland.

• Legal Basis: The primary legal framework is the Act on Virtual Currency Providers (572/2019), which came into force in Finland on May 1, 2019. This Act places virtual asset service providers (VASPs) under the supervision of the Finnish Financial Supervisory Authority (FIN-FSA) and subjects them to AML/CFT obligations akin to traditional financial institutions.

• Relevant Sections: The requirements for information accompanying transfers of virtual assets are generally derived from the broader AML obligations within the Act, which mandate customer due diligence and monitoring of transactions. Specific provisions related to the transfer of funds and the information accompanying such transfers for virtual assets mirror the FATF recommendations and the EU's FTR (Funds Transfer Regulation, which the FATF Travel Rule is based on for traditional wires).

  • Act on Virtual Currency Providers (572/2019):
    • Finlex (Finnish Government database) - Laki virtuaalivaluutan tarjoajista 572/2019 (Finnish)

• Regulator Guidance: FIN-FSA provides guidance on virtual currency providers' obligations, including AML/CFT requirements.

  • FIN-FSA - Virtual Currency Providers
  • FIN-FSA - Anti-Money Laundering

2. Effective Date

• The Act on Virtual Currency Providers (572/2019) became effective on May 1, 2019. This means VASPs operating in Finland have been subject to these AML/CFT obligations, including the Travel Rule principles, since that date.

3. Threshold Amounts

Finland, following the EU's approach to the Travel Rule, generally applies the following thresholds:

• VASP-to-VASP Transfers: For transfers between two regulated VASPs, the Travel Rule applies without a de minimis threshold. This means that all relevant originator and beneficiary information must be collected and transmitted, regardless of the transaction amount.
• Transfers involving Unhosted Wallets/Non-Obligated Entities:
  • If a VASP initiates or receives a transaction where the counterparty is an unhosted wallet (private wallet) or a non-obligated entity, the VASP is expected to apply enhanced due diligence (EDD) and risk-based assessment.
  • While the Travel Rule's direct "information transmission" between VASPs isn't applicable, VASPs are generally required to collect and verify originator information from their customer for any transaction and screen for suspicious activities.
  • EU FTR Analogy: For traditional wire transfers, the EU's Funds Transfer Regulation sets a €1,000 threshold for information collection when one side is not a payment service provider (e.g., cash payment). While not directly specified for virtual assets in the same way, the overarching AML/CFT framework means VASPs must assess risks and perform CDD for transactions above certain amounts or when higher risk is identified, and always verify their own customer's identity.

4. Which VASPs are Covered

The Act on Virtual Currency Providers defines and covers the following types of virtual currency providers, requiring them to register with FIN-FSA and comply with AML/CFT obligations:

• Providers of virtual currency exchange services: Entities that exchange virtual currencies for fiat currency or other virtual currencies.
• Providers of virtual currency wallet services: Entities that offer safekeeping services for virtual currencies on behalf of customers (custodial wallet providers).
• Providers of virtual currency issuance services: Entities that issue virtual currencies (e.g., initial coin offerings where the issuer acts as a service provider).
• Providers of transfer services for virtual currencies: Entities that facilitate the transfer of virtual assets.

Essentially, any entity whose business model involves providing services related to virtual assets for third parties falls under the scope of this Act and is subject to Travel Rule requirements.

5. Technical Implementation Requirements

Finnish legislation, like most national AML laws, does not mandate a specific technical protocol (e.g., TRISA, Sygna, Travel Rule Universal Protocol - TRUP). Instead, it specifies the information that must be collected, stored, and transmitted, and requires VASPs to have robust systems and procedures in place to ensure compliance.

• Information to be Collected and Transmitted (Travel Rule data points):

  • Originator Information:
    • Name of the originator
    • Account number of the originator (or unique transaction identifier)
    • Address of the originator (or customer identification number, date and place of birth, or national identity number)
  • Beneficiary Information:
    • Name of the beneficiary
    • Account number of the beneficiary (or unique transaction identifier)

• Key Technical/Operational Requirements:

  • Secure Storage: VASPs must securely store all collected information for at least five years after the transaction.
  • Data Protection: Compliance with GDPR is mandatory for handling personal data.
  • Transmission Capabilities: VASPs must have technical capabilities to transmit the required information to the beneficiary VASP immediately and securely upon request or as part of the transaction process.
  • Record-Keeping: Comprehensive records of all transactions and accompanying information must be maintained and readily available to FIN-FSA or law enforcement.
  • Risk-Based Approach: VASPs are expected to implement a risk-based approach to identify, assess, and mitigate money laundering and terrorist financing risks, which includes developing appropriate technical solutions.
  • Internal Control Systems: Establishing and maintaining adequate internal control systems, procedures, and training for personnel to ensure compliance with Travel Rule and broader AML obligations.

6. Penalties for Non-Compliance

The Act on Virtual Currency Providers and the broader AML Act (Laki rahanpesun ja terrorismin rahoittamisen estämisestä 444/2017) outline various penalties for non-compliance, which can be severe:

• Administrative Sanctions:
  • Public Warning: FIN-FSA can issue a public warning.
  • Public Reprimand: A more severe public reprimand.
  • Administrative Fines: Significant financial penalties can be imposed on the VASP, its management, or individuals responsible for breaches. These fines can range from thousands to millions of euros, depending on the severity and nature of the non-compliance (e.g., up to €5 million or 10% of total annual turnover, or twice the benefit derived from the breach, whichever is higher, for serious AML breaches).
  • Order to Cease and Desist: FIN-FSA can order a VASP to cease specific activities or practices that violate regulations.
  • Withdrawal/Revocation of Registration: For serious or repeated breaches, FIN-FSA can withdraw a VASP's registration, effectively preventing it from operating in Finland.
• Criminal Penalties: In cases of severe or intentional violations related to money laundering or terrorist financing, individuals responsible (e.g., management, employees) can face criminal charges, leading to imprisonment and substantial fines under the Finnish Penal Code.

Finland has a robust regulatory framework for virtual assets, ensuring that VASPs operating within its jurisdiction comply with the FATF Travel Rule and broader AML/CFT obligations.