Regulation (EU) 2023/1113 establishes uniform rules across the European Union for the transmission of information that must accompany transfers of funds and crypto-assets. Its aim is to ensure traceability of payments and prevent the misuse of financial systems for money laundering and terrorist financing. The regulation applies to all payment service providers (PSPs) and crypto-asset service providers (CASPs) established in the EU when executing or facilitating such transfers.

Transfers of Funds

For transfers of funds, PSPs must ensure each transaction includes the payer name, account number (or a unique transaction identifier), address or equivalent personal data, and, where available, a legal entity identifier. The payee name and account number must also accompany the transfer. These requirements apply to both domestic and cross-border payments, with lighter provisions for intra-EU transfers under EUR 1,000, unless risk factors are identified.

Payee PSPs must detect and act on missing or incomplete data and apply verification procedures for higher-risk or high-value transfers. Intermediary PSPs must preserve all payer and payee data throughout the transfer chain and apply similar monitoring procedures.

Transfers of Crypto-Assets

The regulation extends these obligations to crypto-asset transfers, requiring originator and beneficiary information to be collected and transmitted by CASPs. This includes names, distributed ledger addresses or account numbers, and identifying data such as date of birth or official ID. This information must be submitted securely, in advance or at the moment of transfer, and be retained for five years.

Transfers involving self-hosted addresses are included if a CASP is involved. For amounts over EUR 1,000, the CASP must assess whether the self-hosted address is effectively owned or controlled by their customer. Risk-based procedures must be in place to evaluate whether to proceed with such transactions.

Batch Transfers

Both fund and crypto-asset transfers can be processed in batch files, provided that full originator and beneficiary information is included in the batch file and traceable for each individual transfer. The data must be available before or concurrently with the transfer.

Risk Management & Monitoring

PSPs and CASPs must adopt risk-based procedures to assess whether to execute, reject, or suspend transfers that lack required information. They are also obligated to report suspicious activity and repeated non-compliance by counterparties to competent authorities.

Sanctions & Supervision

National authorities must enforce the regulation with administrative sanctions that are effective, proportionate, and dissuasive. Legal persons can be held liable for breaches committed by individuals under their control. Member States are required to monitor compliance, facilitate whistleblowing mechanisms, and cooperate on cross-border enforcement.

Data Protection & Record Retention

The processing of personal data under this regulation must comply with EU data protection laws. PSPs and CASPs are required to retain information on transfers for five years and must delete it afterward unless further retention is legally justified.

Implementation Timeline

The regulation entered into force on 30 December 2024 and repeals Regulation (EU) 2015/847. It includes transitional and review provisions to assess its effectiveness and adjust to emerging technologies and threats.