Transfer of Funds Regulation (TFR)

Background and Objective

Regulation (EU) 2023/1113 (TFR; Transfer of Funds Regulation) is part of a package of legislative proposals for reinforcing EU regulations on preventing money laundering and terrorist financing. The proposal for the Transfer of Funds Regulation was tabled by the European Commission on 20 July 2021 and following the conclusion of the trilogue’s negotiations on 16 May 2023 was accepted by the Council of the European Union. The TFR entered into force on 29 June 2023, and from 30.12.2024 is required to be applied by payment service providers (PSPs), intermediary payment service providers (IPSPs), crypto-asset service providers (CASPs) and intermediary crypto-asset service providers (ICASPs). In the future different obligations will apply, that are required to be observed accordingly, depending on classifications as a provider or intermediary provider in the TFR. Regulation (EU) 2015/847 (Transfer of Funds Regulation) has been repealed, and the TFR will also address crypto-asset transfers of crypto-assets in addition to transfers of funds that were hitherto covered. This step ensures that the revised FATF Recommendations from 2019, especially Recommendation 15 on New Technologies  and Recommendation 16 on Wire Transfers (electronic payment transactions) are applied in a harmonised manner throughout the entire European Union.

In addition the European Banking Authority (EBA) publishes Guidelines, which among other things clarify the provisions and rules under the TFR, and which are required to be observed by obliged entities also during ongoing supervision. The following sets of Guidelines are such examples:

  • The Risk-Based Supervision Guidelines (EBA/GL/2023/07)
  • The ML/TF Risk Factors Guidelines (EBA/GL/2024/01)
  • Travel Rule Guidelines (EBA/GL/2024/11)
  • Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (EBA/GL/2024/14)

Subject of the Regulation

The TFR defines rules regarding the details that are required to be provided about payers and payees or originators and beneficiaries for preventing money laundering or terrorist financing when conducting transfers of funds or crypto-assets. It is intended to ensure the traceability of such transfers, thereby making an essential contribution to the prevention of money laundering and terrorist financing.

In addition to creating transparency in transfers of funds or transfers of crypto-assets, the TFR also defines the obligation for payment service providers as well as crypto-asset service providers, to have internal policies, procedures and controls in place for guaranteeing that restrictive measures are implemented.

A condition for falling in the scope of application of TFR is that as least one of the providers of payment or crypto-asset services involved in the transfers of funds or crypto-assets is established in the European Union, or has its registered office in the European Union.

The scope of application of the TFR covers

  • Transfers of funds (in any currency) from or to payment service providers (PSPs) established in the European Union or intermediary payment service providers (IPSPs)
  • Transfers of crypto-assets, including transfers of crypto-assets performed using crypto-asset automated teller machines, where the crypto-assets service provider (CASP) or the intermediary crypto-assets service provider (ICASP) of the originator or the beneficiary has its registered office in the European Union.

The following items, among others, do not fall within the scope of the TFR

  • transfers of funds, where both the payer and the payee are payment service providers acting on their own behalf
  • transfers of funds where the payer withdraws cash from their own payment account
  • transfers of crypto-assets, where both the originator as well as the beneficiary are crypto-assets service providers acting on their own behalf
  • transfers of crypto-assets, that are transfers from one person to another, that are processed without involving the crypto-assets service provider

Safeguards in relation to self-hosted wallets

To take into account the high risk of money laundering and terrorist financing that may be associated with self-hosted wallets or self-hosted addresses, special measures apply for transactions from and too self-hosted wallets or addresses. To make transfers from an to self-hosted wallets more transparent, and to guarantee traceability, CASPs or ICASPs are required to determine prior to initiating the transfer or prior to making the crypto-assets available, whether the recipent of a transfer is a self-hosted address or a custodial wallet of a CASPs. This can for example be done using technical means or by means of gathering information directly from the customer.

CASPs or ICASPs must furthermore ensure that the transfers of crypto-assets can be individually identified and are obliged to gather information about the originator and the beneficiary. In the case of a transfer from or to a self-hosted wallet for an amount exceeding EUR 1,000, the CASP or ICASP must check whether this address belongs to the customer or is controlled by them.

Under Article 11a FM-GWG, CASPs as defined in Article 2 no. 22 FM-GwG (in the version amended by Federal Act in Federal Law Gazette I No. 151/2024) are furthermore required to identify and assess the risk of money laundering and terrorist financing and to take necessary risk mitigation measures, such as requesting additional information about the origin and destination of transfers of crypto-assets and/or conducting enhanced ongoing monitoring of relevant transactions.

Is there a transitional period regarding the applicability of the TFR?

No, the TFR is fully applicable from 30.12.2024.

Is there a transitional period regarding the applicability of the Travel Rule Guidelines?

No, the Travel Rule Guidelines generally apply from 30.12.2024. The transitional period until 31 July 2025 stated in the Travel Rule Guidelines relates exclusively to the infrastructures in relation to transfers of crypto-assets, where technical limitations exist in relation to the completeness of the information. Such limitations must be outset by means of additional technical measures, in order to fully comply with the Guidelines. This transitional period does not however apply either to other requirements set out in the Travel Rule Guidelines or to the TFR.

How must PSPs or IPSPs proceed in the event of missing or incomplete information about the payer or the payee?

Failings regarding the repeated and incomplete submission of details about the payer or payee are required to be reported by the PSP or the IPSP together with the measures taken pursuant to Article 8 (2) and Art 12 (2) TFR, to the competent authority for the monitoring of compliance with the regulations on the prevention of money laundering and terrorist financing.

When assessing whether a transfer of funds or crypto-assets or an associated transaction is suspicious and whether it requires reporting to the Financial Intelligence Unit pursuant to Directive (EU) 2015/849, the PSP or IPSP consist as one factor whether information about the payer or payee are missing.

To which authority should a report be made if there are missing or incomplete details about the payer or payee?

The notification pursuant to Article 8 (2) and Article 12 (2) TFR is required to be made to the FMA as the competent authority for monitoring compliance with the rules on preventing money laundering and terrorist financing.

As a PSP or an IPSP, how do I fulfil my notification obligation pursuant to Article 8 (2) and Article 12 para. 2 TFR?

Fill out the Excel sheet form for PSPs and IPSPs, taking into account the submission help and submit it to the FMA in pdf format (e-mail: [email protected]).

The following e-mail subject line is to be used: Meldeverpflichtung gemäß Art. [8 Abs. 2/ 12 Abs. 2] TFR, name of the institution making the notification, whether it is a PSP/IPSP.

Are entities that are VASPs under the FM-GwG but that have not yet received an authorisation as a CASP also obliged to comply with the TFR?

Yes. The provision in Article 43a para. 1 FM-GwG, most recently amended in Federal Law Gazette I No. 151/2024, stipulates that for the purposes of the FM-GwG, registered virtual asset service providers pursuant to Article 32a FM-GwG are to be treated as crypto-asset service providers pursuant to Article 2 no. 22 FM-GwG from 30 December 2024 until 31 December 2025 (at the latest). Providers that were already active as VASPs prior to 30.12.2024, are therefore obliged to comply with the TFR from 30.12.2024.

Are CASPs that perform services in their own name for the account of customers excluded from the scope of application of the TFR?

No. CASPs or transfers of crypto-assets are only excluded from the scope of application of the TFR, in the case that both the originator as well as the beneficiary are crypto-asset service providers and are acting in their own name.

Are ICASPs also obliged to comply with due diligence obligations for the prevention of money laundering and terrorist financing (under FM-GwG, WiEReG etc.)?

Qualifying as an ICASP in an individual transfers of crypto-assets does not change anything regarding its characteristics as a CASP under Article 2 no. 22 FM-GwG, that as an obliged entity under the FM-GwG is required to guarantee the observance of due diligence obligations with regard to the prevention of money laundering, terrorist financing and financing of proliferation.

How must PSPs or IPSPs proceed in the event of missing or incomplete information about the originator or the beneficiary?

Failings regarding the repeared and incomplete submission of details about the originator or beneficiary are required to be reported by the CASP or the ICASP together with the measures taken pursuant to Article 17 (2) and Art 21 (2) TFR, to the competent authority for the monitoring of compliance with the regulations on the prevention of money laundering and terrorist financing.

When assessing whether a transfer of funds or crypto-assets or an associated transaction is suspicious and whether it requires reporting to the Financial Intelligence Unit pursuant to Directive (EU) 2015/849, the PSP or IPSP consist as one factor whether information about the payer or payee are missing.

To which authority should a report be made if there are missing or incomplete details about the originator or beneficiary?

The notification pursuant to Article 17 (2) and Article 21 (2) TFR is required to be made to the FMA as the competent authority for monitoring compliance with the rules on preventing money laundering and terrorist financing.

As a CASP or an ICASP, how do I fulfil my notification obligation pursuant to Article 17 (2) and Article 21 para. 2 TFR?

Fill out the Excel sheet form for CASPs and ICASPs, taking into account the submission help and submit it to the FMA in pdf format (e-mail: [email protected]).

The following e-mail subject line is to be used: Meldeverpflichtung gemäß Art. [17 Abs. 2/ 21 Abs. 2] TFR, name of the institution making the notification, whether it is a CASP/ICASP.

Reporting Forms

Reporting Form - TFR CASPs, ICASPs (Format: xlsx, Size: 21,1 KB, Language: English) Reporting Form - TFR - PSPs, IPSPs (Format: xlsx, Size: 19,6 KB, Language: English)