
EBA Guidelines (EBA/GL/2024/11)
The EBA issued these Guidelines to clarify how payment service providers (PSPs), intermediary PSPs (IPSPs), crypto-asset service providers (CASPs), and intermediary CASPs (ICASPs) should comply with Regulation (EU) 2023/1113. The Regulation sets out rules for the traceability of transfers of funds and certain crypto-assets, but leaves detailed operational aspects to these EBA Guidelines. The Guidelines apply from 30 December 2024 and repeal the earlier 2017 ESA Guidelines on similar requirements.
Core Obligations & Risk-Based Framework
The Guidelines specify how institutions should detect missing or incomplete payer and payee information, define appropriate policies and procedures, and take decisions on whether to execute, reject, or suspend a transfer. A risk-based approach is at the core of these requirements, allowing firms to calibrate their efforts in proportion to the scale and complexity of their operations and the associated money laundering or terrorist financing (ML/TF) risks.
Transfers of Funds & Crypto-Assets
Firms must ensure that specific data points such as name, account or wallet address, and identifying information accompany every transfer. For crypto-asset transfers, the Guidelines clarify how information can be transmitted via blockchain or off-chain messaging tools, with fallback options where technical limitations exist. The information must be transmitted immediately and securely.
Self-Hosted Wallets
For transfers involving self-hosted wallets above EUR 1,000, CASPs must verify ownership or control using technical means such as digital signatures, transaction verification, or customer attestations. These addresses must be risk-assessed and whitelisted only after sufficient verification. CASPs are also required to monitor transactions involving such wallets and report suspicions to relevant authorities.
Monitoring, Detection & Action
Institutions must implement both pre-transfer and post-transfer monitoring mechanisms to detect missing, incomplete, or meaningless data. Transfers lacking sufficient information must be assessed for risk. If the risk is low and the parties can be identified, a transfer may proceed; otherwise, it must be rejected or suspended. Firms must document decisions and notify counterparties of non-compliance.
Repeated Failures & Reporting
If a PSP, IPSP, CASP, or ICASP repeatedly fails to provide required information, they must be flagged, warned, and, if necessary, reported to the competent authority. Quantitative and qualitative criteria are provided to guide this process, including thresholds for repeated omissions and cooperation history.
Batch Transfers & Direct Debits
Special provisions exist for batch file transfers and direct debits, ensuring that all required information is retained or transmitted, even if not embedded in each transaction. For direct debits, responsibility is split between the PSPs of the payer and payee depending on the stage and role in the payment flow.
Technical Systems & Interoperability
PSPs and CASPs must use secure, interoperable messaging or settlement systems that preserve data integrity. Where full compliance is not technically feasible, CASPs have a transitional period until 31 July 2025 to implement compliant systems. Systems must support clear error handling, message validation, and compatibility with AML/CFT controls.
Conclusion: WTR Compliance Integration
These Guidelines provide detailed, practical steps for ensuring that both fiat and crypto transactions meet traceability standards under Regulation (EU) 2023/1113. They clarify expectations, promote regulatory consistency across the EU, and establish technical and procedural safeguards to strengthen the financial system against misuse.