EU TFR: What It Requires and Who It Applies To

What is EU TFR?

The EU Transfer of Funds Regulation (Regulation (EU) 2023/1113) is an EU directly applicable law requiring payment service providers and crypto-asset service providers to attach complete originator and beneficiary data to every payment or crypto-asset transfer they process. The European Parliament and the Council published it on 9 June 2023. It replaced the earlier Wire Transfer Regulation (Regulation (EU) 2015/847) and became fully applicable on 30 December 2024, timed to coincide with the start of MiCA licensing for crypto-asset service providers across the EU.

The regulation's foundation is FATF Recommendation 16, the Travel Rule, which has required wire transfers to carry originator information since 2003. The EU's 2015 rule covered fiat transfers adequately for traditional banking. The 2023 recast extended identical obligations to crypto-assets. EU supervisors and FIUs had flagged that gap for years. A payment on the SWIFT network carried name and account data. An equivalent transfer of stablecoins between exchange wallets carried nothing.

The policy logic is direct. An FIU analyst following a suspicious transaction chain needs to know who sent the funds and to whom. Without Travel Rule data attached at the point of transfer, reconstruction requires subpoenas, delays, and cross-border legal assistance letters that take months. Attaching the data at transmission costs the PSP or CASP minimal overhead. It's the payments equivalent of requiring a return address on an envelope.

EBA and ESMA were both mandated to produce regulatory technical standards under the regulation, covering standardised data fields, procedures for handling missing information, and risk-based approaches for transfers involving self-hosted crypto wallets. Unlike an EU directive, Regulation (EU) 2023/1113 is directly applicable in all 27 member states without national transposition. That eliminates the compliance patchwork that undermined the fourth and fifth AML directives.

Who does EU TFR apply to?

The regulation covers three distinct categories of firm, with no size thresholds or transaction volume exemptions.

Payment service providers (PSPs): Credit institutions (banks), electronic money institutions, payment institutions, and post office giro institutions that execute payment transactions. This covers the full range. A large universal bank processing millions of cross-border wires each day and a small remittance startup moving €50,000 a month face identical data obligations. Being small doesn't create a compliance carve-out.

Intermediate PSPs: Any firm acting as an intermediary in the payment chain, including correspondent banks and payment processors, must pass on and verify originator and beneficiary data received from the ordering PSP. If an intermediate PSP receives a transfer with missing information, it can't simply ignore the gap and process the payment.

Crypto-asset service providers (CASPs): Firms licensed under MiCA to provide crypto-asset transfer services. This includes spot exchanges, custodians, brokers executing transfers on behalf of clients, and any other MiCA-licensed entity moving crypto-assets between accounts. CASP-to-CASP transfers are fully in scope. So are transfers to or from self-hosted (unhosted) wallets.

Jurisdictional reach is EU-wide. The regulation applies when either the ordering or beneficiary PSP/CASP is in the EU. A US exchange receiving a transfer from an EU-licensed CASP will find that the EU counterpart is obligated to transmit Travel Rule data, creating operational pressure on the non-EU side even if that firm isn't directly bound.

There are no exemptions for specific payment types, transaction sizes at the entity level, or product categories. If you hold an EU license and move value, the Travel Rule applies.

What does EU TFR require?

The regulation's core obligations, structured by transaction type:

1. Fiat transfers below €1,000 between EU PSPs: Minimum data is payer and payee names plus account numbers (IBANs or equivalent payment transaction identifiers). Full address and identity details aren't required at this threshold, but the information must be available to the beneficiary PSP or competent authority within three business days on request.

2. Fiat transfers of €1,000 or more: Full data is mandatory. For the payer: full name, account number, and at least one of the following: postal address, national identity document number, or date and place of birth. For the payee: full name and account number. This data must travel with the payment in a structured, machine-readable form.

3. Crypto-asset transfers, all amounts: No de minimis threshold exists for crypto. Every transfer of crypto-assets by a licensed CASP, regardless of value, must carry the originator's name, distributed ledger address or account identifier, and identity details, plus the beneficiary's name and account information. One euro of USDC triggers the same data obligation as a €500,000 BTC transfer.

4. Self-hosted wallet transfers of €1,000 or more: The CASP must collect and verify the identity of the person controlling the unhosted wallet. A risk-based assessment determines whether the wallet belongs to the CASP's own customer. Where it does, standard CDD is sufficient. Where it doesn't, enhanced due diligence applies. EBA's RTS sets the specific assessment methodology.

5. Missing information procedures: PSPs and CASPs must have documented processes for transfers arriving without required originator or beneficiary data. The options are to request the missing information, hold the transfer pending receipt, or reject it outright. Processing a non-compliant transfer is not an option under any reading of the regulation.

6. Record retention: All originator and beneficiary information must be retained for a minimum of five years. Competent authorities can extend this to ten years for specific investigations.

What evidence do regulators expect?

An examiner reviewing EU TFR compliance on audit day will expect to see:

• Written policies and procedures covering how payer and payee data is collected at origination, validated before transmission, and verified on receipt. Policies written at a high level of abstraction without operational workflow detail won't satisfy an examiner.
• System architecture documentation showing the specific data fields captured in the payment or crypto transfer system, how they map to regulatory requirements, and the technical mechanism by which they're transmitted with the transfer rather than stored separately and matched retroactively.
• Transaction record samples: Reviewers typically pull a random cross-section of transfers and verify that originator and beneficiary data is present, complete, and correctly formatted. For CASPs, this sample will include low-value crypto transfers, testing awareness of the zero-threshold rule.
• Hold and rejection logs: A firm claiming to have a missing-information process should be able to produce records of transfers actually held or rejected. If a PSP with thousands of monthly incoming transfers has never held a single one for missing data, that's a red flag.
• Unhosted wallet assessment records for CASPs: the risk methodology applied, the specific wallets assessed, outcomes, and the enhanced measures used where elevated risk was identified.
• Staff training records: Personnel involved in payment processing and compliance oversight must demonstrate Travel Rule awareness. For CASPs newly in scope from December 2024, examiners expect onboarding training documentation specifically addressing the EU TFR obligations.
• Periodic self-testing results: Sample checks the institution runs internally, with documented findings and remediation actions.

The Customer Due Diligence records underlying the Travel Rule data, particularly for high-value and crypto transfers, should be cross-referenceable. Examiners will verify that the identity data transmitted in the Transfer of Funds message corresponds to a verified customer record in the CDD file, not a data field that was populated without proper verification at onboarding.

Common failure modes

Supervisory reviews of the predecessor regulation and equivalent Travel Rule implementations elsewhere consistently turn up the same gaps:

• Threshold confusion: PSPs transmit account numbers only for all EU transfers, treating the regulation as a flat de minimis rather than a tiered data rule. The €1,000 threshold triggers a step-up to full payer and payee data. It isn't a blanket exemption below that amount.
• Crypto de minimis assumption: CASPs that previously operated under a de minimis (common in some non-EU FATF jurisdictions) fail to collect Travel Rule data for small crypto transfers. Under EU TFR, there's no threshold at all for crypto. The failure mode is structural: the system never asks for the data below a certain value because no one built that logic in.
• No incoming transfer controls: The regulation requires PSPs and CASPs to act on transfers received without required originator information. Firms that receive non-compliant transfers and process them anyway are in direct violation.
• Unhosted wallet gaps: CASPs don't conduct any assessment of self-hosted wallet ownership for transfers over €1,000, or they conduct assessments but don't document them in a form that survives an audit.
• Non-machine-readable data formats: Travel Rule data in free-text memo or reference fields rather than structured ISO 20022 or validated API parameters. The receiving PSP can't run automated completeness checks on that data.
• Retention failures: Payment data is retained, but the specific Travel Rule originator and beneficiary fields aren't stored in a way that supports rapid retrieval when a competent authority requests them.

The EBA's 2022 peer review of Regulation (EU) 2015/847 supervision found deficiencies in 14 out of 27 member states' oversight of wire transfer compliance. These gaps were widespread before the 2023 recast. (EBA Peer Review Report, February 2022) The 2023 recast was partly a response to that finding.

Penalties for non-compliance

Article 36 of EU TFR sets minimum floors for administrative penalties on serious and systematic violations.

For credit institutions and other large financial institutions:

• Fines up to 10% of total annual turnover in the preceding business year
• Alternatively, fines up to twice the benefit derived from the violation, if that figure is determinable and exceeds the turnover-based cap

For other PSPs and CASPs (typically smaller payment institutions and crypto firms):

• Fines up to €5 million
• Or twice the benefit derived from the violation

Member states can set higher ceilings under national law, and several do. Competent authorities can also withdraw operating licences, impose temporary bans on senior management, and publish statements of censure. For CASPs building institutional client relationships, a published censure for Travel Rule failure often carries more commercial damage than the monetary penalty.

Enforcement under EU TFR itself is in early stages given the December 2024 application date, but national supervisors have been explicit that Travel Rule compliance is a priority. In the UK, where equivalent obligations under the Money Laundering Regulations 2017 have been enforced for longer, the FCA fined Metro Bank £16.7 million in October 2023 for systemic failures in its automated transaction monitoring controls. (FCA Final Notice, October 2023) That precedent signals the enforcement direction: supervisors will pursue systemic failures, not isolated transaction errors.

The EBA and ESMA are both expected to conduct supervisory convergence exercises on Travel Rule compliance for CASPs in 2025 and 2026, with national competent authorities taking on MiCA supervision coordinated into that process.

Related regulations and frameworks

EU TFR doesn't operate in isolation. It sits within a broader compliance architecture:

FATF Recommendation 16: FATF Rec 16 is the Travel Rule's origin, requiring originator and beneficiary information to accompany wire transfers since 2003 and extended to virtual assets in 2019. EU TFR is the EU's binding implementation of that extension. The FATF's 2021 Virtual Assets Guidance remains the authoritative international reference for interpreting the crypto-specific provisions.

EU AMLR 2024 and AMLA: The EU Anti-Money Laundering Regulation sets the CDD and beneficial ownership obligations that produce the customer identity data EU TFR requires PSPs and CASPs to transmit. You can't comply with EU TFR if your CDD programme doesn't capture the required originator fields at onboarding. The new EU Anti-Money Laundering Authority will have direct supervisory powers over high-risk CASPs and certain cross-border credit institutions from 2025, with Travel Rule compliance in scope.

MiCA: For CASPs, EU TFR is operationally bound to MiCA licensing. The MiCA licence is what brings a crypto-asset service provider within EU TFR's scope for crypto transfers. Operating without MiCA authorisation and conducting crypto transfers in the EU is itself illegal, separate from any Travel Rule question.

6AMLD: 6AMLD harmonised predicate offences and extended criminal liability for AML across the EU. A Travel Rule failure that contributes to a money laundering transaction can trigger criminal liability under 6AMLD's extended offence list, in addition to the administrative penalties under EU TFR itself.

FATF Recommendation 15: Rec 15 on new technologies and virtual assets underpins the policy extension to crypto. FATF's guidance provided the conceptual framework that EU legislators translated into binding text in the 2023 recast.

US BSA Travel Rule: The Bank Secrecy Act's equivalent Travel Rule for US wire transfers uses a $3,000 threshold and doesn't have a comprehensive crypto equivalent yet. Firms operating cross-border manage both rule sets simultaneously. EU TFR is stricter on crypto: any amount, no exceptions.

How FluxForce supports EU TFR compliance

FluxForce's AI agents automate the data completeness checks, hold-queue workflows, and unhosted wallet risk assessments that EU TFR requires at scale. Nova Sentinel screens transfers in real time, flags incomplete originator or beneficiary fields before processing, and generates outbound information requests automatically when incoming data is missing. For CASPs, Aiden Flux runs risk-based assessments on self-hosted wallet transfers and produces auditable records that map directly to EBA RTS requirements. Every decision carries a full evidence trail for examiner review. Request a demo to see Travel Rule automation in action.