The Arbiter for Financial Services (the “Arbiter”) has delivered it first decision applying Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the “TFR recast”), a case that will resonate well beyond the specific facts of a retail scam. While the Arbiter awarded only 40% of the loss, the reasoning significantly elevates expectations on crypto‑asset service providers (“CASPs”).
The complaint concerned two USDT transfers executed in January 2025 from a wallet operated by a Maltese licensed service provider (the “Service Provider”) to an external, self‑hosted wallet associated with an online trading scam. The transactions took place immediately after the TFR Recast and the related “Travel Rule” obligations became applicable to CASPs on 30 December 2024. The complainant alleged that the Service Provider failed to comply with its Travel Rule duties and broader Anti-Money Laundering (“AML”)‑related obligations, particularly by relying on a self‑declaration form and not verifying the ownership of the external wallet despite transaction amounts in excess of the EUR 1,000 threshold.
The Service Provider argued that the Arbiter is not the competent authority to adjudicate AML/Combatting the Financing of Terrorism (“CFT”) compliance, pointing to the exclusive remit of the Financial Intelligence Analysis Unit (the “FIAU”) under Chapter 272 for the investigation and sanctioning of breaches of AML/CFT obligations.
The Arbiter in its decision agreed that it has no competence to determine whether money‑laundering or terrorist‑financing suspicions existed or whether AML/CFT rules were breached as such as those matters fall squarely within the FIAU’s enforcement powers. However, a distinction was drawn between prudential/enforcement competence and its consumer‑protection mandate under Cap. 555 (the Arbiter for Financial Services Act); holding that it is competent to assess whether failures to comply with Travel Rule obligations, as part of the applicable financial services framework, prejudiced a financial consumer and gave rise to civil liability.
In doing so, the Arbiter anchored its jurisdiction to Article 19(3) Cap. 555 and in the fiduciary and duty‑of‑care obligations binding the service provider, as also recognised by the Court of Appeal in previous litigation.
The Arbiter recalled that a licensed Virtual Financial Asset (“VFA”)/Markets in Crypto-Assets (“MiCA”) provider owes fiduciary obligations and a duty of care to act honestly, fairly, professionally and in the best interests of its clients, as reflected in the VFA Rulebook and now in MiCA Article 66. He noted that the Court of Appeal (Inferior Jurisdiction) had already confirmed that the Service Providers’ services are subject to fiduciary obligations, reinforcing that contractual terms cannot exclude or dilute duties of skill, care and diligence owed to clients. The decision also sits against a line of prior Arbiter cases where CASPs were urged to adopt enhanced measures to protect consumers from increasingly sophisticated scams.
At the material time, the Service Provider was subject to the European Banking Authority (the “EBA”)’s “Guidelines on information requirements in relation to transfers of funds and certain crypto‑asset transfers”, adopted locally by the FIAU with effect from 30 December 2024. The Service Provider relied on paragraph 78 of the Guidelines, arguing that where information cannot be retrieved via technical means, the CASP may obtain it “directly from its customer” and that a signed declaration that the external wallet was self‑hosted and owned by the complainant sufficed.
The Arbiter rejected this narrow reading, emphasising paragraphs 83-86, which require CASPs, for transfers exceeding EUR 1,000 to or from self‑hosted addresses, to use at least one verification method to be “fully satisfied” that the address is owned or controlled by the customer. In the present case, the Service Provider produced no evidence that any such verification was applied; it relied solely on a tick‑box self‑declaration, and it failed to produce its internal Travel Rule policies and procedures when expressly ordered to do so.
The Arbiter accepted that the complainant had been grossly negligent, had ticked the ownership box under scammer guidance, and had ignored multiple generic warnings, and he reflected this in awarding only 40% of the loss. It was held that contractual terms and warnings cannot absolve a CASP from its statutory Travel Rule and fiduciary duties, and that the Travel Rule’s AML focus does not prevent its breach from constituting a civilly relevant failure of regulatory obligation when it causally contributes to consumer loss.
The decision is expressly being notified to the MFSA and FIAU, with the Arbiter noting that this is the first case applying the Travel Rule since the TFR Recast came into effect. The FIAU’s role features at two levels: first, as the authority that adopted the EBA Travel Rule Guidelines under the Prevention of Money Laundering and Funding of Terrorism Regulations, and second, as the enforcement body for any systemic AML/CFT breaches which may be indicated by the Arbiter’s findings but remain outside his sanctioning remit. For the MFSA, the decision feeds into prudential and conduct supervision of CASPs under MiCA, particularly regarding internal policies, customer‑onboarding flows, whitelisting procedures and broader duty‑of‑care expectations.
Operationally, the decision makes clear that Travel Rule compliance cannot be implemented as a minimalist form plus a self‑certification tick‑box. CASPs must embed at least one robust ownership‑verification method for self‑hosted wallets. Whitelisting must be supported by demonstrable technical verification steps and ongoing monitoring to detect changes in risk; merely recording that a customer declared ownership is insufficient. From a risk‑management perspective, accounts of customers who report suspected scams should be promptly risk‑re‑classified, with enhanced monitoring and, where justified, temporary suspension of further transfers to self‑hosted wallets pending additional checks.
For CASPs, payment institutions and other intermediaries facilitating crypto‑asset transfers, this decision is a clear signal: the Travel Rule is now part of the consumer‑protection landscape, and compliance will be assessed not only by AML supervisors but also in the context of civil liability before the Arbiter. Adapting day‑to‑day operations to meet this higher standard is no longer optional.
For any additional information or assistance, please contact us at info@gtg.com.mt
Author: Dr Neil Gauci