🇪🇺 EU Travel Rule Compliance: Where Are the Gaps — and Why Businesses Must Pay Attention

📝 Regulatory Framework and Official Standards

Regulation (EU) 2023/1113, adopted on 31 May 2023, recasts Regulation (EU) 2015/847 and extends the Travel Rule to crypto-asset transfers. From 30 December 2024, obliged entities – including payment service providers (PSPs), crypto-asset service providers (CASPs) and their intermediaries – must ensure that originator and beneficiary information accompanies each transfer.

The European Banking Authority (EBA) issued detailed Travel Rule Guidelines on 4 July 2024, specifying how firms should detect missing or incomplete information and how to manage such transfers. These Guidelines are legally applicable from 30 December 2024. Importantly, the EBA recognised that some CASPs and intermediary CASPs may face technical or interoperability limitations; therefore, a transitional allowance until 31 July 2025 applies. However, this is not a deferral of obligations — firms must still comply and implement compensatory measures where systems are incomplete.

Key requirements include:

• Collecting and transmitting payer and payee data (name, address or ID, account or wallet address, or equivalent identifier).

• Rejecting, suspending, or remediating transfers missing required data.

• Applying enhanced due diligence to self-hosted wallets, with procedures to verify ownership or control.

• Ensuring appropriate risk-based monitoring and record-keeping.

The Markets in Crypto-Assets Regulation (MiCA – Regulation (EU) 2023/1114) complements the TFR by creating an authorisation and governance framework for CASPs, but Travel Rule obligations apply independently of MiCA licensing.

📝 Analysis: Implementation Gaps and Business Impact

While the law is clear, interpretative and practical gaps are causing challenges. Some firms mistakenly believed the transitional period meant obligations could be postponed, but regulators have confirmed this is incorrect: the TFR applies in full from 30 December 2024, and the transitional window is limited to technical shortfalls.

A second gap lies in fragmented national enforcement. Member States are responsible for supervising compliance, and supervisory intensity differs significantly. Larger financial centres, such as France and Germany, are more advanced in issuing guidance and oversight, whereas smaller jurisdictions show slower progress. This uneven pace creates legal uncertainty and competitive distortion.

Self-hosted wallets present one of the thorniest issues. The EBA requires verification of customer ownership, but industry stakeholders highlight that reliable verification tools are not universally available. Many CASPs fear liability if verification fails, and some have suspended or restricted services involving self-hosted wallets.

The business impact is significant. Compliance requires investment in new IT infrastructure, transaction-monitoring systems, and secure data storage, as well as staff training and enhanced legal review. Smaller CASPs are disproportionately burdened, facing steep costs compared with larger, better-resourced firms. Operational risks also increase: when counterparties outside the EU fail to provide required information, firms may need to reject transfers, causing customer friction and reputational harm.

Finally, the consequences of non-compliance are serious. Administrative fines, sanctions from competent authorities, exclusion from banking services, and reputational damage can undermine business viability.

📊 Evidence, Case Examples, and Current Developments

Recent surveys confirm that many EU-based CASPs are still not fully compliant. A Notabene study (2025) found that implementation gaps remain months after 30 December 2024, especially in cross-border transfers and where self-hosted wallets are involved.

A joint report (July 2025) by ADAN, GDF, and CryptoUK highlighted persistent challenges: interoperability between different CASP systems, counterparty due diligence, and difficulties in verifying ownership of self-hosted addresses. The report urged regulators to provide clearer supervisory guidance and, where justified, to consider limited transitional flexibility beyond July 2025.

Furthermore, industry cases illustrate how misinterpretation of the transitional provisions has led some CASPs to under-invest in compliance, leaving them exposed to supervisory action in early 2025. Regulators have already stressed that “technical limitations are no excuse for non-compliance” - compensatory measures must be in place.

Smaller firms in particular are struggling with cost and technical integration, often relying on third-party compliance tools that do not yet fully align with EBA requirements. This raises legal questions about liability for reliance on vendors and the adequacy of due diligence on outsourced solutions.

🤝 Conclusion

The EU Travel Rule regime is in full legal effect as of 30 December 2024. While the EBA has provided limited transitional allowances until 31 July 2025, this does not reduce the scope or seriousness of compliance obligations. Firms must adapt now to avoid regulatory, financial, and reputational risks.

The key takeaways are clear:

• The TFR and the EBA Guidelines set binding obligations, not optional standards.

• Misinterpretation of the transitional period is one of the most serious risks for businesses.

• National enforcement gaps and technical limitations continue to create uneven compliance across the EU.

• Operational, financial and reputational risks are material — especially for smaller CASPs.

If your organisation transfers crypto-assets within or into the EU, it is essential to assess compliance systems immediately. NUR Legal advises clients on Travel Rule obligations, assists in implementation, and represents firms before competent authorities. Contact us for expert guidance in this evolving regulatory field.

#TravelRule #EURegulation #CryptoCompliance #AML #MiCA #TFR #CASP #Cryptolaw #RegulatoryRisk #AntiMoneyLaundering