EU TFR: What It Requires and Who It Applies To

What is EU TFR?

The EU Transfer of Funds Regulation 2023 (Regulation (EU) 2023/1113) is a directly applicable EU law requiring payment service providers (PSPs), electronic money institutions (EMIs), and crypto-asset service providers (CASPs) to include originator and beneficiary data with every fund transfer they process. The European Parliament and Council adopted it in May 2023. The Official Journal published it on 9 June 2023, with most provisions taking effect on 30 December 2024.

It replaced Regulation (EU) 2015/847, which covered conventional wire transfers but left crypto assets entirely outside the transfer-tracing regime. That was a deliberate policy choice in 2015, when crypto was a fringe market. By 2023 it wasn't. The Chainalysis 2024 Crypto Crime Report estimated illicit on-chain transaction volume at $24.2 billion in 2023. Leaving CASPs outside the travel rule meant investigators couldn't follow the money once it reached an exchange. That's the gap EU TFR closes.

The regulation implements FATF Recommendation 16, the international standard requiring originator and beneficiary information to travel with every wire transfer. The FATF updated its virtual assets guidance in 2021, extending Recommendation 16 to crypto. EU TFR made that extension binding for EU-licensed entities three years later.

EU TFR is one piece of a larger reform package. It sits alongside the EU AMLR 2024, which harmonises customer due diligence and beneficial ownership rules across member states into a single directly applicable regulation, and the new EU Anti-Money Laundering Authority (AMLA), which will directly supervise the largest cross-border financial institutions from 2026 onward.

Who does EU TFR apply to?

EU TFR applies to every PSP, EMI, and CASP that processes a fund transfer where at least one party is located in the EU. There's no minimum asset size threshold and no volume exemption. A newly licensed two-person crypto startup has the same obligations as a major clearing bank.

Covered entity types include:

• Banks and credit institutions processing SEPA credit transfers, SWIFT cross-border payments, and transfers between accounts at different institutions.
• Electronic money institutions (EMIs) such as Wise, Revolut, and Payoneer, where payment processing is a core product feature.
• Payment institutions licensed under PSD2 that initiate or receive fund transfers on behalf of customers.
• Crypto-asset service providers (CASPs) authorised under MiCA, including centralised exchanges, crypto custodians, OTC brokers, and any other licensed entity that processes transfers for clients.
• Intermediary PSPs that route transfers through their infrastructure without being the originating or receiving institution. They can't strip or suppress transfer data; they must pass it through intact.

The regulation assigns three distinct compliance roles: the PSP of the payer (responsible for collecting and attaching originator data), the PSP of the payee (responsible for receiving, screening, and acting on the data), and intermediary PSPs (responsible for transmitting intact). Most enforcement findings occur at the receiving institution, where controls for detecting and acting on missing data tend to be weaker.

Carve-outs exist for purely intrabank transfers, ATM withdrawals, currency exchange transactions, and certain transfers on EU-regulated payment schemes with equivalent traceability. These carve-outs are narrow. Compliance teams should verify a transaction type against the regulation text before assuming it's out of scope.

What does EU TFR require?

Seven core obligations apply. Each one has a direct operational implication for your systems and procedures.

1. Originator data must accompany all transfers. The PSP of the payer must include the payer's full name, account number or unique transaction identifier, and at least one additional identifier: address, national identity number, customer identification number, or date and place of birth.

2. Beneficiary data must accompany all transfers. The PSP of the payee must ensure the beneficiary's full name and account number, or crypto wallet address, travels with every payment.

3. Crypto transfers have no de minimis floor. Conventional wire transfers within the EU under €1,000 can use simplified information: name and account number only. Crypto-asset transfers have no threshold at all. Full originator and beneficiary data is required for every crypto transfer regardless of value. This is a harder standard than the wire transfer rule.

4. Missing data must trigger action. When a PSP or CASP receives a transfer with incomplete or missing originator or beneficiary information, it must take one of three steps: request the missing data, reject the transfer, or freeze the funds and file a suspicious transaction report. Passive acceptance is non-compliant.

5. Records must be retained for five years. All transfer data and associated documentation must be stored for a minimum of five years from the transaction date. Member states may extend this to ten years in defined circumstances.

6. CASPs must verify unhosted wallet ownership. Before processing a transfer to or from a self-hosted (unhosted) wallet, a CASP must collect and verify information about the wallet's beneficial ownership. This obligation has no equivalent in the 2015 predecessor regulation.

7. High-risk third-country transfers require enhanced scrutiny. Transfers involving PSPs or CASPs in jurisdictions on the EU's high-risk third countries list trigger Enhanced Due Diligence requirements for both originator and beneficiary before the transfer is processed.

What evidence do regulators expect?

National competent authorities examining for TFR compliance will look for the following. This is what an audit-ready institution has ready before the examiner arrives.

• Written policies and procedures covering how your institution collects, attaches, screens, and stores transfer data for every payment rail you operate: SEPA, SWIFT, on-chain, internal.
• System-level controls evidence. A policy document saying "we reject incomplete transfers" isn't sufficient on its own. Examiners want to see the system logic: configuration evidence, workflow diagrams, or test outputs showing what actually happens when a required data field is blank.
• Unhosted wallet procedures (CASPs only). What's the documented process for verifying wallet ownership before processing a withdrawal? Which data fields are required? What verification method is used? Is there an escalation path for high-risk wallets or high-value transfers?
• Sampling and testing records. Regular testing of transfer data completeness across processed transactions. Many institutions run quarterly samples to verify field population rates. Examiners ask to see those results, including how deficiencies were tracked and remediated.
• Staff training records. Evidence that compliance, operations, and technology teams have been trained on TFR obligations, including the unhosted wallet requirements and the specific procedure for handling incomplete or suspicious transfers.
• STR filing records. When a transfer can't be completed due to missing data, a suspicious transaction report is required alongside the rejection. Examiners check whether those filings are happening and whether they're timely.
• Third-party vendor documentation. If you use a blockchain analytics firm or identity verification provider for unhosted wallet checks, examiners expect to see the contract scope, data flows, and evidence of ongoing vendor performance monitoring.
• Five-year retention evidence. Proof the programme is running: where transfer data is stored, who has access, how it's protected, and what the deletion process looks like at the end of the retention period.

Common failure modes

Most TFR enforcement findings cluster around the same handful of issues.

• Straight-through processing without field validation. The payment system processes transfers even when originator or beneficiary fields are missing. The policy says "reject incomplete transfers," but the system was never configured to enforce it. This is the most consistent finding across supervisory reviews and on-site examinations across member states.

• Crypto withdrawal gaps. A CASP processes client withdrawals to self-hosted wallets without collecting ownership verification information. The EBA's supervisory work on VASP compliance has flagged material inconsistencies in how national authorities enforce these requirements. Their AML and counter-terrorist financing work programme includes specific outputs on crypto-asset supervision that signal where examination focus is heading.

• Incorrect application of the €1,000 simplified-information threshold. This rule applies only to intra-EU wire transfers under €1,000. Institutions that apply it to cross-border transfers outside the EU, or to any crypto transfer, are non-compliant. It comes up regularly in examination correspondence.

• No STR filing after transfer rejection. Article 10 of EU TFR is explicit: when a PSP receives a transfer it cannot complete due to missing data, it must also assess whether to file a suspicious transaction report. Many institutions reject the transfer and stop there. The filing obligation is separate and additive to the rejection.

• Correspondent banking pass-through exposure. Banks accepting SWIFT transfers from non-EU correspondents in jurisdictions where equivalent travel rule requirements don't apply, without compensating controls, break the traceability chain at the EU border. This sits directly at the intersection of TFR and FATF Rec 20 obligations on suspicious transaction reporting.

Penalties for non-compliance

EU TFR requires member states to set penalties that are "effective, proportionate and dissuasive." The EU AML framework sets a floor: for systemic failures by credit institutions, maximum administrative fines must reach at least €5 million or twice the benefit obtained from the breach, whichever is higher. For serious or repeated violations, the ceiling rises to 10% of annual group turnover.

National supervisors have established enforcement precedents under the predecessor regulation, and those patterns carry directly into TFR:

• France's ACPR has fined payment institutions in the €1 million to €3 million range for persistent transfer data failures under the 2015 regulation.
• Germany's BaFin maintains an active enforcement register for AML violations; systemic PSP failures have resulted in multi-million euro fines in recent years.
• The EBA maintains a public penalty register under Article 62 of 4AMLD, listing administrative penalties imposed across member states. This register is publicly searchable.

For CASPs, TFR non-compliance carries a second layer of risk. MiCA Article 63 allows national competent authorities to withdraw a CASP's authorisation where the provider persistently fails AML/CFT obligations. A withdrawn MiCA license means the entity cannot legally operate a crypto-asset service anywhere in the EU.

The FATF Virtual Assets Guidance notes that jurisdictions with material travel rule implementation gaps risk adverse mutual evaluation findings. Those findings affect every institution in that jurisdiction's access to correspondent banking. TFR non-compliance is a market access risk, not just a fine risk.

Related regulations and frameworks

EU TFR operates within a set of overlapping EU and international instruments.

International foundation. The regulation implements FATF Recommendation 16 on wire transfers. The FATF extended that standard to virtual assets in 2021; EU TFR operationalised the extension for EU-licensed entities. The US equivalent is FinCEN's Travel Rule under the Bank Secrecy Act, which applies to US banks and money services businesses for transfers above $3,000. Different thresholds, the same principle: originator and beneficiary information must travel with the money.

EU AML reform package. 6AMLD extended criminal liability for money laundering to legal persons, increasing individual and institutional exposure for systemic AML failures. The EU AMLR 2024 consolidates customer due diligence, beneficial ownership, and PEP screening requirements into a single directly applicable regulation. AMLA, the new EU-level supervisor, will directly oversee the 40 largest cross-border financial institutions, including the biggest CASPs, once it's fully operational.

Crypto licensing linkage. TFR and MiCA are inseparable for crypto firms. MiCA defines who is a CASP and what they're authorised to do. TFR defines what those CASPs must do with transfer data. A firm can't be MiCA-compliant while ignoring TFR; the obligations stack.

Payments infrastructure. PSD2 and the forthcoming PSD3 establish the licensing and operational framework for PSPs and EMIs. TFR sits on top of that foundation, adding the specific transfer-data requirement that PSD2 doesn't contain.

How FluxForce supports EU TFR compliance

FluxForce's AI agents automate the collection, validation, and screening of originator and beneficiary data across every payment rail. Aiden Flux generates a full audit trail for each transfer decision, covering the five-year retention requirement without manual record-keeping. For CASPs handling unhosted wallets, FluxForce's identity verification and KYC/AML automation supports the ownership verification workflow EU TFR requires. Nova Sentinel flags incomplete or suspicious transfer data before transactions settle, reducing passive-acceptance risk. Talk to our team to see how FluxForce maps to your specific TFR obligations.