What the Transfer of Funds Regulation Is — and What Changed for CASPs
Regulation (EU) 2023/1113 — commonly called the Transfer of Funds Regulation (TFR) — is a directly applicable EU regulation. It requires no national transposition: it took effect across all Member States simultaneously, published in the Official Journal at OJ L 150, 9 June 2023, entering into force on 29 June 2023, and becoming fully applicable on 30 December 2024. That application date was deliberate — it aligns with the point at which crypto-asset service providers (CASPs) began operating under the MiCA licensing regime. The TFR recasts the 2015 Wire Transfer Regulation (Regulation (EU) 2015/847) and, critically, extends Travel Rule obligations — previously limited to traditional fund transfers — to cover crypto-asset transfers in full. In scope: payment service providers (PSPs), intermediary payment service providers (IPSPs), CASPs, and intermediary CASPs (ICASPs).
The TFR and MiCA (Regulation (EU) 2023/1114) are companion instruments with distinct functions. MiCA is the licensing and market-integrity framework governing who can operate as a CASP and under what conditions. The TFR is an AML/CFT transaction-traceability instrument — it governs what information must travel with every crypto-asset transfer and what CASPs must do when that information is missing or incomplete. The two regulations reference each other, but conflating them creates compliance gaps. The TFR also amended Directive (EU) 2015/849 (AMLD4) by inserting Article 19a, which subjects CASPs authorised under MiCA to the same AML/CFT supervisory framework as credit institutions and financial institutions — a significant elevation of the compliance baseline for the sector. Note that Article 19a of AMLD4 will be superseded by Article 40 of Regulation (EU) 2024/1624 (the new AMLR) once that regulation applies fully.
On the question of phased readiness: EBA/GL/2024/11 acknowledges that certain legacy systems faced technical limitations at go-live and provides a transitional window to 31 July 2025 for CASPs operating under documented constraints — but only where additional compensating controls are implemented in parallel. The EBA made the baseline position unambiguous: non-compliance with Regulation (EU) 2023/1113 is not accepted. The transitional arrangement is a risk-managed implementation path, not a grace period permitting non-compliance. CASPs that missed the 30 December 2024 application date without compensating controls in place are already exposed. For the broader MiCA compliance timeline context, the interaction between TFR application and CASP authorisation windows matters — CASPs operating under national transitional exemptions are still subject to TFR obligations from the application date.
The Zero-Threshold Rule: Why Every Crypto Transfer Is in Scope
The single most common compliance gap among EU CASPs is the assumption that a minimum transaction value triggers the Travel Rule. There is no threshold. Under Regulation (EU) 2023/1113 (TFR), every crypto-asset transfer between CASPs — from the first cent — must be accompanied by complete originator and beneficiary information. This is a deliberate departure from two frameworks that compliance teams often mistakenly carry forward: FATF Recommendation 16, which applies only to transfers above USD 1,000, and the pre-TFR EU fiat wire transfer regime, which contained a €1,000 de minimis. Neither of those thresholds exists in the TFR. If your compliance system was designed around either, it is under-compliant by design.
The data requirements are set out in Articles 14 and 16 TFR. The originator's CASP must transmit — and the beneficiary's CASP must receive and verify — the full name of the originator and beneficiary, the distributed ledger address or crypto-asset account number, a residential address or official personal identifier, and, for legal persons, a Legal Entity Identifier or equivalent. Critically, this data does not need to be embedded on-chain; it must accompany the transfer before, simultaneously with, or immediately after execution. EBA/GL/2024/11 introduces a tiered detail requirement: below €1,000, a simplified set of fields is acceptable; at or above €1,000, the full dataset is mandatory, including the LEI or equivalent identifier for legal entities. The threshold affects data granularity only — it never removes the obligation to transmit information at all.
Compliance teams building or auditing their Travel Rule stack must verify two things: first, that their systems capture and transmit data on every transfer regardless of value; second, that the €1,000 cut-off is applied correctly to determine which fields are required, not as a trigger for whether the rule applies. Firms that completed their TFR implementation before EBA/GL/2024/11 came into effect should re-audit against the tiered-data specifications in those guidelines. For a broader view of how TFR obligations interact with your MiCA authorisation programme, see our CASP licence requirements guide and the MiCA compliance deadlines tracker.
Scope and Exclusions: P2P Transfers and CASP-Own-Account Operations
Regulation (EU) 2023/1113 applies to CASPs facilitating crypto-asset transfers on behalf of clients — but two structural exclusions in Article 2 carve out specific transaction types entirely. The first is the person-to-person (P2P) exclusion: under Article 2(4), transfers conducted directly between natural persons acting as consumers for non-commercial purposes, without the use or involvement of a CASP on either side, fall outside TFR scope. The clearest example is two individuals transacting wallet-to-wallet using self-hosted addresses with no intermediary CASP involved. The second exclusion covers transfers where both the originator and beneficiary are CASPs (or PSPs) acting entirely on their own behalf — not on behalf of any customer. In that scenario no client-facing service is being performed, so the data-transmission obligations do not apply.
Both exclusions are deliberately narrow. The moment a CASP is involved on either side serving a client, TFR applies in full — including the zero-threshold data requirements that have applied since Regulation (EU) 2023/1113 came into force. Internal transfers between two accounts held at the same CASP are also out of scope: no inter-CASP data transmission is required because the information never leaves a single obliged entity's control. Practitioners should not treat this as a general intra-firm exemption, however — the exclusion is strictly limited to same-entity account-to-account movements and does not extend to affiliated group transfers across separate legal entities.
The most operationally dangerous compliance risk sits at the boundary between hosted and self-hosted wallets. Wrongly classifying a hosted wallet as self-hosted — or vice versa — directly causes a TFR breach, either by failing to transmit required originator and beneficiary data or by applying self-hosted wallet risk procedures where full CASP-to-CASP obligations should have applied. Guideline 3 of EBA/GL/2024/11 addresses the address-type determination challenge explicitly, including the particular difficulty posed by newly created addresses with no on-chain transaction history. CASPs must build address-classification logic — and document it — before any transfer is processed, not as a post-hoc remediation step. See also our CASP licence requirements guide for how address-classification controls feed into broader authorisation readiness under Article 62 of MiCA.
Self-Hosted Wallets: EBA Guideline 8 of EBA/GL/2024/11 and the €1,000 Threshold
Self-hosted wallets represent the sharpest compliance edge in Regulation (EU) 2023/1113. Recital 58 of TFR explicitly acknowledges that transfers to self-hosted addresses "entail inherently higher risks," and the two-tier framework in Guideline 8 of EBA/GL/2024/11 translates that risk acknowledgment into concrete operational obligations. The threshold that separates the two tiers is €1,000, calculated per transfer, not per customer relationship.
Below €1,000, a CASP must collect and retain originator and beneficiary information for the transfer — but no enhanced verification of wallet ownership is required. Notably, the EBA removed any blockchain analytics obligation for sub-threshold transfers during the consultation process; the final Guideline 8 does not mandate analytics at this level. Above €1,000 involving the CASP's own customer's self-hosted wallet, the CASP must verify that the customer actually owns or controls that wallet before the transfer proceeds. Paragraph 83 of Guideline 8 sets out the permitted verification methods:
- Cryptographic proof of ownership — a signed message generated from the wallet's private key;
- Micro-transaction confirmation — a small incoming transaction from the wallet used to confirm control;
- "Other suitable technical means" — where the CASP can demonstrate equivalence.
Self-declaration by the customer alone does not qualify as sufficient verification — a position confirmed by the Austrian FMA in published Q&A guidance. The EBA also dropped the two-method requirement that appeared in the consultation paper; CASPs are required to apply one verified method by default. For third-party self-hosted wallets — where the wallet belongs to someone other than the CASP's own customer — the requirements under Article 19a(1)(a) of Directive (EU) 2015/849 (as amended by TFR) apply, imposing a risk-based assessment of ML/TF exposure before the transfer is executed. CASPs should note the legislative trajectory: Article 19a of AMLD4 will be superseded by Article 40 of Regulation (EU) 2024/1624 (the new AMLR) once that regulation applies fully, so compliance frameworks should be built with that transition in view. See also our CASP licence requirements guide for how wallet-related AML controls interact with broader authorisation obligations.
Protocol Interoperability: Guideline 3.1 of EBA/GL/2024/11 and the Sunrise Problem
Unlike SWIFT in traditional wire transfers, there is no single mandated messaging protocol for crypto Travel Rule compliance. The market has fragmented across competing vendor solutions — TRISA, TravelRule Protocol, OpenVASP, Sygna, and Notabene/TAP among others — with no guarantee that any two CASPs use compatible systems. Guideline 3.1 of EBA/GL/2024/11 directly addresses this fragmentation. When selecting a technical Travel Rule solution, CASPs and ICASPs must evaluate: (a) interoperability with the systems used by counterparty CASPs; (b) compatibility with relevant industry standards, protocols, and blockchain networks; (c) the ability to detect transfers carrying missing or incomplete originator/beneficiary information; (d) counterparty reachability rates and protocol success metrics; and (e) data security and integrity controls throughout transmission. No single protocol is mandated, but a solution that cannot communicate with the majority of counterparties is functionally inadequate under this framework.
EBA/GL/2024/11 permitted a technical transition period expiring 31 July 2025, during which CASPs could operate systems with known interoperability limitations provided they applied compensating measures that achieved practical compliance in each transfer. That window has now closed. From 1 August 2025 onward, technical limitations are no longer a mitigating factor — CASPs must have functional, interoperable infrastructure in place or face the full weight of the sanctions framework under Articles 28–29 of Regulation (EU) 2023/1113. Firms still relying on manual workarounds or single-protocol solutions with limited reach should treat this as an urgent remediation priority. For broader context on MiCA-era compliance timelines, see our MiCA compliance deadlines guide.
The practical consequence of protocol fragmentation is the Sunrise Problem: when a receiving CASP has no Travel Rule infrastructure, the sending CASP faces a genuine regulatory dilemma. Proceeding without transmitting the required data breaches Regulation (EU) 2023/1113; refusing the transfer is compliant but commercially costly and may disadvantage customers. There is no clean legal escape. The defensible approach is to document every attempt to transmit required information, record the receiving-side failure with timestamps and error logs, and retain that evidence as a demonstration of good-faith effort. Paras 22–24 of EBA/GL/2024/11 add a further obligation: systems must maintain data integrity during any format conversion between protocols, and ICT security requirements apply throughout. A Travel Rule solution that accurately transmits data in its native format but corrupts fields during cross-protocol translation is non-compliant regardless of intent. CASPs should include format-conversion integrity testing in their periodic technology assessments and cross-reference obligations under their DORA ICT risk framework.
Sanctions and Enforcement: Articles 28–29 TFR and Article 36's True Role
The sanctions framework for TFR violations sits in Articles 28–29 of Regulation (EU) 2023/1113 — not Article 36. This distinction matters. Article 36 (first and second subparagraphs) is the EBA guidelines-mandate provision: it requires the EBA to issue guidelines to competent authorities, PSPs and CASPs on Travel Rule compliance. It is a supervisory coordination tool, not an enforcement lever. Practitioners who cite Article 36 as the sanctions article in compliance files or regulatory responses will be pointing supervisors to the wrong provision. The correct articles are Articles 28–29, which require Member States to ensure that competent authorities can impose effective, proportionate and dissuasive administrative sanctions for systemic or serious TFR breaches.
Three categories of measure are available under the framework: monetary penalties, licence withdrawal, and temporary bans on senior management. Publication of decisions follows the cross-referenced regime under Article 60(1)–(3) of Directive (EU) 2015/849: sanctions must be published without undue delay, and the factors governing type and level are set out in Article 60(4) of that Directive as applied via Article 28 TFR. The EU Travel Rule has applied since December 2024, so the enforcement cycle is still forming — but national supervisors across several Member States have already signalled Travel Rule compliance as a top priority in their supervisory programmes for 2025–2026. Two Commission reporting milestones are worth tracking: a self-hosted address risk report was due by 1 July 2026 (CASPs should monitor whether findings have been published), and a broader application and enforcement report is due by 30 June 2027 under Article 37(3) TFR.
The clearest enforcement analogy available is the FCA's action against Metro Bank, fined approximately £16.7 million (FCA Final Notice, October 2023) for systemic failures in automated transaction monitoring. UK law is not EU law, but the supervisory logic transfers directly: regulators target repeated, systemic failures in screening and data completeness — not isolated transaction errors. For CASPs building institutional counterparty relationships or seeking banking rails, a published censure frequently causes more commercial damage than any monetary penalty. The reputational risk of a public supervisory decision should therefore sit at the centre of your Travel Rule compliance business case, not at the margins. See also CASP licence requirements for how supervisory history feeds into authorisation assessments under MiCA.
TFR, MiCA and the Wider AML Package: How the Frameworks Interlock
TFR and MiCA were published together in Official Journal L 150 on 9 June 2023, but they serve distinct regulatory functions that compliance teams must map separately. MiCA (Regulation (EU) 2023/1114) establishes the CASP authorisation framework — capital requirements, governance, disclosure, and market conduct. The Transfer of Funds Regulation (Regulation (EU) 2023/1113) mandates the AML/CFT transaction data layer that sits on top of every crypto-asset transfer. Neither framework makes the other optional: a fully authorised CASP that cannot demonstrate TFR compliance has an incomplete compliance architecture. ESMA's Supervisory Briefing on CASP Authorisation (31 January 2025) made this explicit, confirming that authorisation applications must include TFR compliance policies, self-hosted wallet verification procedures, and functioning transaction monitoring systems. No CASP category is treated as inherently low-risk for AML/CFT assessment purposes under that briefing.
The legal basis for EBA/GL/2024/11 flows from two provisions read together: Article 36 of Regulation (EU) 2023/1113 and Article 19a(2) of Directive (EU) 2015/849 (AMLD4, as amended by the TFR). Article 19a of AMLD4 — inserted by the TFR — requires CASPs to identify and assess ML/TF risks from transfers to and from self-hosted addresses. These two articles jointly mandate EBA to issue guidelines to competent authorities and CASPs, which is precisely the authority EBA/GL/2024/11 exercises. Compliance teams should note that Article 36 TFR is the EBA guidelines-mandate provision, not a sanctions article; the sanctions framework sits in Articles 28–33 of Regulation (EU) 2023/1113.
A structural transition is approaching. Article 40 of Regulation (EU) 2024/1624 (the new AMLR) will supersede Article 19a of AMLD4 once AMLR fully applies in 2027. CASPs must therefore track obligations under both the current TFR-amended AMLD4 and the forthcoming AMLR, ensuring internal policies are updated before the transition date rather than after. Separately, TFR systems — Travel Rule messaging infrastructure, data integrity controls, and counterparty verification tooling — are also in scope for DORA ICT risk management requirements: operational resilience obligations apply to the same systems that carry Travel Rule data, so these workstreams should be coordinated rather than siloed.
CASP TFR Compliance Checklist: Eight Operational Controls to Implement
The eight controls below represent the minimum operational baseline a CASP must implement to satisfy Regulation (EU) 2023/1113 and the accompanying EBA/GL/2024/11 guidelines. Each control maps directly to a regulatory obligation — this is not a best-practice wishlist. Internal audit and competent authority supervisory reviews will assess exactly these areas. Firms that treat Travel Rule compliance as a checkbox rather than an operational programme routinely fail on points 3, 5, and 6 below.
- Zero-threshold data collection. Capture full originator and beneficiary information on every crypto-asset transfer regardless of amount. There is no de minimis exemption under TFR — the €1,000 figure governs enhanced self-hosted wallet verification, not data collection itself.
- Data field completeness and structure. Required fields under
Article 14(1) TFRinclude full name, distributed ledger address or account number, and residential address or official personal identifier. For legal persons, a Legal Entity Identifier (LEI) is preferred underArticle 14(1)(e). Fields must be structured and machine-readable — free-text memo fields do not satisfy the requirement and will not survive a supervisory review. ISO 20022 or validated API parameters are the practical standard. - Self-hosted wallet verification workflow. For all transfers of €1,000 or more involving a self-hosted address, CASPs must apply a wallet ownership verification protocol using one of the EBA-approved technical methods: cryptographic signature, micro-transaction, or other equally robust technical means. A self-declaration from the customer alone is insufficient under EBA/GL/2024/11 Guideline 8.
- Address-type classification procedure. Maintain a documented, consistently applied procedure for determining whether a source or destination address is CASP-hosted or self-hosted. Record the classification rationale, particularly for addresses with no transaction history. Misclassification of self-hosted addresses as CASP-hosted is an immediate compliance gap.
- Protocol interoperability. Evaluate your chosen Travel Rule messaging protocol against the criteria in Guideline 3.1 of EBA/GL/2024/11. The system must be able to reach counterparty CASPs across different protocol implementations and handle data conversion without any loss of field integrity. An interoperability gap is a structural failure, not a technical inconvenience.
- Non-compliant counterparty procedure. Document a clear escalation policy for situations where a receiving CASP cannot accept Travel Rule data. This must include defined rejection and return-of-funds protocols, and good-faith documentation demonstrating the sending CASP's attempt to transmit the required data. Absence of this procedure is a standalone supervisory finding.
- Data retention. Travel Rule originator and beneficiary data fields must be stored in a retrievable format for competent authority requests — not merely as part of general transaction records. Confirm your data architecture distinguishes and preserves these specific fields.
- Correct sanctions article in internal documents. Sanctions for serious and systematic violations sit under
Articles 28–29 of Regulation (EU) 2023/1113, not Article 36. Article 36 is solely the EBA guideline-mandate provision. Any internal compliance policy, board paper, or regulatory response that cites Article 36 as the sanctions basis is legally incorrect and must be amended. Review all existing compliance documentation for this error before your next supervisory engagement.
Firms approaching authorisation should also ensure these controls are reflected in the TFR compliance policies submitted as part of the CASP licence application. ESMA's 2025 supervisory briefing treats their presence as a precondition for authorisation, not a post-licence obligation.
Frequently asked questions
Does the EU Travel Rule apply to crypto transfers below €1,000?
Yes — the EU TFR imposes no minimum threshold for crypto-asset transfers between CASPs. Under Articles 14 and 16 of Regulation (EU) 2023/1113, full originator and beneficiary data must accompany every single transfer, from the first euro. This is stricter than FATF Recommendation 16, which only applies above USD 1,000. The €1,000 figure is relevant only for self-hosted wallets: above that threshold, enhanced ownership-verification requirements kick in. Below it, CASPs must still collect and retain information, but the additional verification obligation does not apply.
What verification methods does EBA/GL/2024/11 permit for self-hosted wallets above €1,000?
Guideline 8 of EBA/GL/2024/11 (para. 83) specifies that CASPs must use one of the following methods to verify that a customer owns or controls a self-hosted wallet: (1) a cryptographic proof of ownership — a signed message from the wallet's private key; (2) a micro-transaction confirmation from the wallet; or (3) other suitable technical means. Crucially, the EBA revised this from the original consultation paper, removing the requirement to use two methods — one method is now sufficient by default. Equally important: a customer's self-declaration of ownership does not qualify as a suitable technical means under the guidelines.
Which article of TFR contains the sanctions for non-compliance?
The sanctions framework is in Articles 28 and 29 of Regulation (EU) 2023/1113. Article 28 requires Member States to establish effective, proportionate and dissuasive administrative sanctions and measures for TFR breaches. Publication of decisions is governed by reference to Article 60(1)-(3) of Directive (EU) 2015/849. Article 36 of the TFR is frequently misidentified as a sanctions provision — it is not. Article 36 (first and second subparagraphs), jointly with Article 19a(2) of Directive 2015/849, is the EBA guidelines-mandate provision that empowers the EBA to issue guidelines including EBA/GL/2024/11.
Are P2P crypto transfers between individuals exempt from the Travel Rule?
Yes, with an important caveat. Article 2(4) of Regulation (EU) 2023/1113 excludes person-to-person transfers defined as transactions between natural persons acting as consumers for non-commercial purposes, conducted without any CASP involvement on either side. A second exclusion covers transfers where both the originator and the beneficiary are CASPs (or PSPs) acting on their own behalf — not on behalf of a customer. As soon as a CASP is involved on either side serving a client, TFR obligations apply in full.
When does the Commission have to report on TFR application and enforcement?
There are three distinct Commission reporting deadlines under Article 37 TFR. First, a report on risks from self-hosted addresses was due by 1 July 2026 — that deadline has now passed and CASPs should monitor whether the Commission has published findings. Second, a sanctions and supervisory monitoring report is due by 31 December 2026, with further reports every three years thereafter. Third, the main application and enforcement report — which may be accompanied by a legislative proposal — is due to the European Parliament and Council by 30 June 2027 (Article 37(3) TFR).
How does the new AMLR (Regulation (EU) 2024/1624) affect TFR self-hosted wallet obligations?
Currently, the self-hosted wallet risk-assessment obligations for CASPs are grounded in Article 19a of Directive (EU) 2015/849 (AMLD4), which was inserted by the TFR. Once the new Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) fully applies — expected from 2027 — Article 19a of AMLD4 will be superseded by Article 40 of the AMLR. CASPs should therefore monitor the AMLR implementation timeline and plan for transition, ensuring their self-hosted wallet policies reference the correct legal basis as it shifts from the amended AMLD4 to the new AMLR.