Norway -- Travel Rule Implementation Regulatory Overview

Norway has implemented the FATF Travel Rule, largely mirroring the requirements stemming from the EU's 5th and 6th Anti-Money Laundering Directives (AMLDs) and the FATF recommendations. The Financial Supervisory Authority of Norway (Finanstilsynet) is the primary regulator responsible for oversight.

Here's a breakdown of the implementation:

1. Adoption and Legal Basis

• Adopted: Yes, Norway has adopted the FATF Travel Rule requirements. These are incorporated into Norwegian law, primarily through the Money Laundering Act (Hvitvaskingsloven) and its associated regulations (Hvitvaskingsforskriften).

• Legal Basis:

  • Lov om tiltak mot hvitvasking og terrorfinansiering (hvitvaskingsloven) (Act on measures against money laundering and terrorist financing). This Act requires obliged entities, including Virtual Asset Service Providers (VASPs), to collect and transmit information about the originator and beneficiary of transfers.
  • Hvitvaskingsforskriften (Money Laundering Regulation) further elaborates on the requirements.
  • Finanstilsynet's Guidance: Finanstilsynet issues guidance documents and circulars to clarify how the law and regulations apply to VASPs.

• URL for Hvitvaskingsloven (Norwegian): https://lovdata.no/dokument/NL/lov/2018-06-01-23 (This is the authoritative source on Norwegian legislation).

2. Effective Date

• While the core Money Laundering Act (Hvitvaskingsloven) came into force on October 15, 2018, the specific provisions and interpretations applying the Travel Rule to virtual assets have been progressively clarified and enforced, especially following amendments and guidance issued by Finanstilsynet, aligning with the EU's 5AMLD (effective January 2020 for member states) and later 6AMLD.
• For VASPs, the full expectation to comply with Travel Rule principles (collecting and transmitting originator/beneficiary info) has been increasingly explicit since 2020/2021 as Finanstilsynet issued clearer guidance on their obligations.

3. Threshold Amounts

• Norway generally follows the FATF and EU standard for the Travel Rule.
• Threshold: A de minimis threshold of EUR 1,000 (or its equivalent in NOK) applies to virtual asset transfers.
• Application:
  • Below this threshold, VASPs typically do not need to transmit all required originator and beneficiary information (though they still need to collect some basic information for AML/CFT purposes).
  • For transfers equal to or exceeding EUR 1,000 (or NOK equivalent), VASPs are required to collect and transmit the full set of originator and beneficiary information.
  • Important Note: Even for transactions below the threshold, VASPs must still collect sufficient information to identify the customer and monitor transactions for suspicious activity as part of their broader AML obligations. Finanstilsynet also expects VASPs to aggregate linked transactions.

4. Which VASPs Are Covered

The Norwegian Money Laundering Act and its regulations define and cover a broad range of entities dealing with virtual assets, aligning with the FATF definition of a Virtual Asset Service Provider (VASP). This includes, but is not limited to:

• Exchanges: Providers engaged in the exchange between virtual assets and fiat currencies, or between one or more forms of virtual assets.
• Custodians: Providers offering custody or administration of virtual assets or instruments enabling control over virtual assets.
• Transfer Services: Providers engaged in the transfer of virtual assets (performing a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another).
• Issuers: In some cases, entities involved in the initial offering and sale of a virtual asset may also be covered if they additionally provide services like exchange or custody.

Essentially, any business that facilitates virtual asset activities on behalf of a third party, and is considered an "obliged entity" under the Money Laundering Act, must comply.

5. Technical Implementation Requirements

Norway, like most jurisdictions, does not mandate a specific technical solution or protocol for implementing the Travel Rule. Instead, it focuses on the information that must be exchanged and the security of that exchange.

• Required Information (for transfers ≥ EUR 1,000):

  • Originator Information:
    • Name (natural person) or legal name (legal entity)
    • Account number used to process the transaction (e.g., virtual asset wallet address)
    • Physical address
    • National identity number (for natural persons) or customer identification number (for legal entities), or date and place of birth (for natural persons)
  • Beneficiary Information:
    • Name (natural person) or legal name (legal entity)
    • Account number used to process the transaction (e.g., virtual asset wallet address)

• Method of Exchange: VASPs are expected to use secure and reliable methods to transmit this information to the beneficiary VASP (or to collect it from the originator VASP). Industry solutions like TRISA, OpenVASP, Sygna, or other peer-to-peer protocols are generally acceptable as long as they meet the data and security requirements.

• Data Retention: VASPs must retain all collected information for at least five years after the transaction.

• Finanstilsynet Guidance: Finanstilsynet has issued guidance that details these requirements, emphasizing secure data transfer and adherence to data protection regulations (like GDPR).

• URL for Finanstilsynet Guidance (Example - often thematic or integrated): Finanstilsynet’s general "Veiledning om hvitvaskingsloven og hvitvaskingsforskriften" (Guidance on the Money Laundering Act and Regulation) contains sections applicable to virtual asset service providers. Specific circulars or news releases often provide updates. You might need to navigate their website: https://www.finanstilsynet.no/ and search for "virtuelle eiendeler" or "hvitvaskingsloven veiledning."

6. Penalties for Non-Compliance

Non-compliance with the Money Laundering Act and its regulations, including Travel Rule obligations, can result in significant penalties, both administrative and criminal.

• Administrative Penalties:
  • Fines: Finanstilsynet can impose substantial administrative fines (foretaksstraff/sanksjonsgebyr) on VASPs for breaches of their AML/CFT obligations. The amount of the fine can be significant, calculated based on the severity and duration of the breach, the financial strength of the VASP, and the potential for financial gain.
  • Orders and Sanctions: Finanstilsynet can issue orders requiring a VASP to take specific corrective actions.
  • Withdrawal of License/Registration: In severe cases or for persistent non-compliance, Finanstilsynet can withdraw a VASP's registration or license to operate.
• Criminal Penalties:
  • Fines and Imprisonment: Individuals responsible for serious breaches of the Money Laundering Act, particularly those involving wilful intent or gross negligence that facilitate money laundering or terrorist financing, can face criminal prosecution. This can lead to personal fines and imprisonment.
  • Corporate Criminal Liability: The VASP itself (as a legal entity) can also be held criminally liable, leading to corporate fines.

The specific penalties are outlined in Chapter 10 of the Hvitvaskingsloven (Sections 10-1 to 10-5).

Norway is committed to a robust AML/CFT regime, and its implementation of the FATF Travel Rule for virtual assets reflects this commitment. VASPs operating in Norway are expected to adhere strictly to these requirements.