The PO Box Paradox: When Better Data Creates Worse Outcomes for Banks

When the European Union adopted Regulation (EU) 2023/1113 on 31 May 2023, it recast the Transfer of Funds framework with an unambiguous objective. The regulation sought to close long-identified traceability gaps in cross-border payments by tightening payer and payee information requirements and extending expectations around address data. It reinforced the principle that funds transfers must be intelligible from origin to destination. It applied from 30 December 2024, repealing Regulation (EU) 2015/847 and bringing crypto-asset transfers within scope for the first time. In policy terms, it promised clarity, harmonisation and greater resilience against financial crime.

Yet the immediate experience for many European banks has been less about clarity and more about friction. OpusDatum’s recent advisory work with EU-based payment service providers (PSPs) has consistently surfaced the same concern: a marked increase in Requests for Information (RFIs) on inbound and outbound payments since the regulation took effect. The European Banking Authority’s (EBA) Travel Rule Guidelines (EBA/GL/2024/11), published on 4 July 2024, addressed the treatment of PO Boxes and incomplete address data; the industry’s response has been swift and disproportionate.

What was intended as a corrective measure to improve data quality has triggered a surge in defensive querying. That surge strains correspondent relationships and exposes long-standing weaknesses in how proportionality is applied to transaction monitoring.

The recast regulation reflects a decade of supervisory frustration

Regulation (EU) 2023/1113 did not emerge in a vacuum. It reflects persistent supervisory concern with inconsistent application of the original Transfer of Funds Regulation and the quality of originator and beneficiary information in cross-border payments. The Financial Action Task Force (FATF) had repeatedly highlighted address data deficiencies as a material weakness in the global anti-money laundering (AML) framework. The FATF’s June 2025 revision of Recommendation 16, now titled ‘Payment Transparency’, reinforced the expectation that payer and payee information must be meaningful, verifiable and sufficient to support traceability. EU-level supervisors pointed to divergent national interpretations as undermining the very harmonisation the original regulation was designed to achieve.

The recast regulation therefore sought to be explicit. PO Boxes, which obscure physical location and frustrate investigation, were singled out as inadequate where used in isolation. The EBA reinforced this position in EBA/GL/2024/11, making clear that a PO Box or virtual address does not constitute a valid address type for the purposes of compliance with the regulation.

PO Box data has long been problematic for PSPs globally; address fields that lack physical location compromise sanctions screening, customer verification and investigative traceability regardless of jurisdiction. What Regulation (EU) 2023/1113 and the EBA guidelines have done is transform a persistent data quality problem into an acute compliance obligation for EU-based institutions specifically. The question is no longer whether PO Box data is adequate. It is what happens operationally when it is not.

The RFI surge is a behavioural response, not a risk response

Across Europe, banks have responded to the new expectations with a sharp increase in RFIs on inbound and outbound payments. Transactions that would previously have flowed with minimal friction are now routinely paused while additional address clarification is sought. Correspondent banks are issuing repeated queries on long-established counterparties, even where the underlying risk profile has not materially changed. Payment operations teams at EU-based institutions report that RFI volumes on cross-border transfers have increased significantly since December 2024, with PO Box-related queries accounting for a disproportionate share.

This behaviour is not driven by newfound insight into customer risk. It is driven by fear. Compliance teams, acutely aware that Regulation (EU) 2023/1113 carries direct legal force rather than discretionary guidance, have defaulted to a literal interpretation of address sufficiency. Where a PO Box appears anywhere in the payment chain, even alongside other identifying information, it is increasingly treated as a defect requiring remediation. The RFIs have become the control, irrespective of whether they meaningfully enhance understanding of the counterparty or the transaction.

Proportionality has collapsed into binary rule-making

The EBA guidance on PO Boxes was intended to sharpen judgement, not replace it. EBA/GL/2024/11 recognises that PO Boxes are inherently limited as identifiers, but it does not suggest that their mere presence automatically renders a transaction non-compliant. The guidelines are grounded in a risk-based approach. In practice, however, many banks have collapsed this nuance into binary rules.

This collapse is partly technological. Legacy payment screening systems are designed to flag absence, not evaluate adequacy. They struggle to assess address sufficiency qualitatively. Faced with regulatory language that emphasises physical location, banks have embedded hard stops wherever PO Boxes appear, regardless of mitigating information such as customer tenure, transaction history or corroborating identifiers.

It is also cultural. For years, supervisory messaging across the EU has prioritised demonstrability over discretion. Firms have learned that the ability to evidence action matters more than the ability to articulate judgement. In that environment, issuing an RFI feels safer than allowing a payment to proceed on the basis of a contextual risk assessment. The result is a compliance posture that treats all uncertainty as unacceptable, even where the regulation itself is grounded in proportionality.

Correspondent banking relationships are bearing the cost

One of the least examined consequences of the RFI surge has been its impact on correspondent banking relationships. European banks are increasingly perceived as operationally burdensome counterparts, generating repeated queries that delay settlement and erode trust. For smaller institutions and banks in emerging markets, the volume and tone of these requests can feel disproportionate. Demands for physical address confirmation on legacy accounts, or for information that is not readily available under local regulatory norms, create friction that goes beyond compliance. They signal a lack of confidence in the relationship itself.

This dynamic risks reinforcing the very de-risking trends that regulators have sought to reverse. The FATF, the Financial Stability Board and the Committee on Payments and Market Infrastructures have all cautioned that disproportionate compliance requirements contribute to the withdrawal of correspondent banking services. When relationships become operationally costly, banks rationalise their networks. The cumulative effect is reduced access to the formal financial system, particularly for jurisdictions already struggling with financial inclusion.

Regulatory intent is sound; operational translation is not

It would be a mistake to characterise this outcome as regulatory failure. The intent behind Regulation (EU) 2023/1113 is sound. Traceability matters. Address data matters. PO Boxes should not serve as a convenient substitute for meaningful location information.

The issue lies in translation. Regulation sets expectations, but institutions operationalise those expectations through systems, policies and behaviours shaped by years of supervisory pressure. When guidance is absorbed into an environment that equates deviation with exposure, nuance is the first casualty.

The EBA has been clear that institutions should apply proportionality. The risk-based approach set out in EBA/GL/2024/11 leaves room for informed judgement on whether available data is sufficient in context. Proportionality, however, requires confidence, and confidence requires regulators to reward judgement rather than merely process.

The institutional landscape has added a further complication. On 1 January 2026, the EBA formally transferred all AML and countering the financing of terrorism mandates to the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). Existing EBA guidelines, including the Travel Rule Guidelines, remain in force until AMLA replaces them, but the transition itself has introduced supervisory uncertainty. Banks navigating a new institutional relationship are unlikely to loosen their compliance posture while the expectations of a newly operational authority remain undefined. Until that clarity emerges, RFIs will continue to function as a protective reflex rather than a risk management tool.

Compliance maturity means moving beyond defensive querying

There are early signs that some institutions are beginning to recalibrate. A minority of European banks are refining their address logic, distinguishing between scenarios where PO Boxes genuinely undermine traceability and those where they are incidental to an otherwise well-documented counterparty. Others are investing in upstream data quality improvements, reducing the need for reactive querying at the point of transaction execution.

These approaches are not shortcuts. They are examples of compliance maturity: the recognition that the purpose of Regulation (EU) 2023/1113 is not to maximise friction but to enhance understanding. For regulators, the challenge is to reinforce this message through supervision. Enforcement that focuses solely on procedural gaps will entrench defensive behaviour. Supervision that interrogates decision-making, rationale and outcome will gradually restore the balance between rigour and proportionality that the regulation requires.

Better data was never meant to produce worse outcomes

The paradox at the heart of this regulatory moment is that a regulation designed to improve data quality has, in its early application, degraded the efficiency of the very system it was intended to strengthen. Legal certainty does not automatically translate into effective control. In some cases, it amplifies risk aversion to the point where controls become performative rather than purposeful.

If the recast Transfer of Funds framework is to achieve its aims, banks must move beyond binary interpretations and rediscover proportionality as an operational discipline. Regulators, in turn, must signal that informed judgement is not only permitted but expected. The paradox will persist for as long as institutions treat better data as a reason to ask more questions rather than a basis for making better decisions.

Are PO Boxes driving more RFIs than insight in your payments pipeline?

OpusDatum works directly with EU-based banks and payment service providers on the operational challenges arising from Regulation (EU) 2023/1113. Our wire transfer regulation risk assessment framework addresses address data sufficiency, PO Box remediation strategies, RFI governance and correspondent banking exposure. We support institutions in calibrating proportionate monitoring controls and moving from defensive compliance to risk-informed decision-making.

If your institution is navigating the practical implications of Regulation (EU) 2023/1113, struggling with address data quality or seeking to embed proportionality into your decision frameworks, OpusDatum can help. Contact us now to explore how we can support your compliance strategy and build confidence in your controls.