FATF Travel Rule: Key Differences Between the EU & Australia?

Understanding the differences between the EU and Australia's adoption of the FATF Recommendation 16's Travel Rule is essential for businesses, financial institutions, and compliance professionals operating in both jurisdictions. While both regions align with the FATF’s goal of enhancing transparency in financial transactions, their regulatory frameworks, enforcement mechanisms, and compliance requirements vary significantly. These differences have direct implications for cross-border transactions, business operations, and financial crime risk management.

Overview of Regulatory Frameworks

The FATF Travel Rule under Recommendation 16

Recommendation 16 is part of the Financial Action Task Force  (FATF) Recommendations, which are international standards for combating money laundering, terrorist financing, and other related threats to the integrity of the international financial system. Recommendation 16 specifically addresses the 'Travel Rule' and focuses on the requirements for wire transfers and virtual asset transactions. It requires financial institutions and Virtual Asset Service Providers (VASPs) to obtain, hold, and transmit required originator and beneficiary information in all cross-border wire transfers and virtual asset transactions. The main objective is to ensure transparency and traceability, helping authorities detect and investigate money laundering and terrorist financing activities.

European Union: Regulation (EU) 2023/1113

The EU has implemented the Travel Rule through Regulation (EU) 2023/1113, which recasts the previous Regulation (EU) 2015/847. This regulation mandates that information about the originator and beneficiary accompanies transfers of funds and crypto assets, bringing the EU's legal framework in line with FATF standards. The EU's regulation came into force in June 2023, with the European Banking Authority (EBA) issuing final guidelines in July 2024. These guidelines aim to ensure consistent application across member states, with enforcement beginning in December 2024.

Australia: The Anti-Money Laundering & Counter-Terrorist Financing Act 2006

Australia adopted the Travel Rule earlier by integrating it into the  Anti-Money Laundering & Counter-Terrorism Financing Act 2006 (AML/CTF Act 2006). Banks, remittance service providers, and digital currency exchanges are required to collect, verify, and share information relating to payments. This includes obtaining details like the full name, account number, and address of both the originator and beneficiary. Non-compliance can result in significant penalties, emphasising the importance for businesses to stay updated with regulatory changes and maintain effective compliance programmes. The Australian Transaction Reports & Analysis Centre (AUSTRAC) released guidance for digital currency exchange providers in 2018. This proactive approach positioned Australia among the first countries to regulate crypto assets under AML and CTF laws.

Compliance for Cross-Border Transactions

Companies handling financial transfers between the EU and Australia must navigate two distinct regulatory environments. The EU’s Regulation (EU) 2023/1113 applies to all transactions, ensuring that payment service providers (PSPs) and crypto-asset service providers (CASPs) include originator and beneficiary information for every fund or crypto transfer. In contrast, Australia’s AML/CTF Act 2006 enforces the Travel Rule with specific threshold-based requirements of AUD 1,000 for crypto transactions and AUD 10,000 for fiat transfers.

For businesses facilitating international transfers, these differences affect how compliance teams collect and transmit transaction data. A European financial institution sending funds to an Australian counterpart must always include full Travel Rule information, whereas an Australian institution might not require full details for smaller transactions. Without clear internal policies to manage these variations, businesses risk regulatory breaches in one or both jurisdictions.

Regulatory Differences Affect Business Operations

Financial institutions, fintech companies, and crypto exchanges operating in both Australia and the EU must adopt region-specific compliance programmes. The EU mandates full data disclosure for all transactions, regardless of amount, whereas Australia exempts lower-value domestic transfers from certain reporting obligations. This distinction means businesses cannot apply a uniform compliance policy across their operations.

For example, a European crypto exchange must ensure that every crypto transaction, even those worth a few euros, includes full originator and beneficiary details. However, an Australian exchange dealing with domestic transactions below AUD 1,000 may not need to collect the same level of detail. Companies must implement adaptable compliance frameworks that account for both stringent and risk-based approaches to financial crime prevention.

Implementation Timelines & Enforcement Risks

A major difference between the two jurisdictions is the speed and manner of implementation. The EU’s Regulation (EU) 2023/1113 became fully enforceable on 30 December 2024, meaning that all financial and crypto service providers must be compliant from this date. The EBA has issued clear binding guidelines to ensure consistency across all 27 EU member states.

In contrast, Australia has taken a staggered approach to Travel Rule enforcement. While AUSTRAC introduced initial Travel Rule compliance for crypto exchanges in 2018, further amendments, such as those in 2024, are being phased in gradually until 2026. There is no fixed enforcement deadline for some industry sectors, allowing for a risk-based approach where compliance obligations may vary based on an entity’s risk exposure.

The impact on businesses is significant. A fintech company operating in both the EU and Australia must ensure that by December 2024, all EU transactions comply with the strict new regulation. In Australia, however, the same company may still have some regulatory discretion, particularly for lower-value transactions. Misjudging these timelines can lead to penalties, enforcement actions, or reputational damage.

Penalties & Compliance Risks

The EU enforces Travel Rule violations uniformly across all member states, meaning non-compliant entities face harmonised penalties, which can include hefty fines or operational restrictions. The EBA plays a supervisory role, ensuring that member states apply consistent penalties.

In contrast, AUSTRAC has more discretionary enforcement power, applying case-by-case penalties based on a risk assessment. Businesses in Australia may receive warnings or remediation notices before facing severe penalties. However, entities that deliberately evade compliance -particularly those involved in high-risk transactions - can still be subject to significant fines and license revocations.

For compliance teams, these differences mean that regulatory risk assessments must be tailored by jurisdiction. In the EU, uniform, proactive compliance is necessary, as enforcement is strict and predictable. In Australia, a more flexible, risk-based approach is required, focusing on high-risk transactions first.

Data Protection & Privacy Considerations

The EU’s Travel Rule implementation is subject to the General Data Protection Regulation (GDPR), which imposes strict privacy requirements on financial institutions. Any transaction data shared under the Travel Rule must comply with GDPR’s stringent data security and retention policies. This means that banks and crypto exchanges must encrypt, store, and handle customer information securely, with clear limitations on how long the data can be retained.

In Australia, data handling falls under the Privacy Act 1988, which, while robust, is less restrictive than GDPR. Financial institutions and crypto providers have more flexibility in how they manage and store transaction data. However, AUSTRAC still requires firms to keep records for seven years, ensuring that financial crime investigations can be conducted when necessary.

For multinational companies, this means different approaches to data security and privacy must be applied. A company operating in the EU must ensure GDPR-compliant storage and transmission of transaction data, while in Australia, national privacy laws provide more flexibility. Mismanaging this difference could result in data protection violations in the EU, where non-compliance with GDPR carries severe financial penalties.

The Future of FATF Travel Rule Harmonisation

While the original AML/CTF Act 2006 did not specifically address crypto-assets, the Australian government has since passed the Anti-Money Laundering & Counter-Terrorism Financing Amendment Bill 2024. The amendment, passed on 29 November 2024, regulates digital currency exchange providers and other virtual asset service providers (VASPs) as well as "tranche-two entities" like lawyers, accountants, real estate agents, and dealers in precious metals and stones, subjecting them to AML/CTF obligations, including compliance with the FATF's Travel Rule. The amendment is set to take effect for existing reporting entities on 31 March 2026, and for tranche-two entities on 1 July 2026.

While differences exist today, Australia and the EU are likely to converge toward stricter, global standards. The EU’s comprehensive approach could influence future Australian regulations, leading to lower transaction thresholds, increased data-sharing obligations, and stronger enforcement mechanisms.

In Conclusion

Understanding the differences between the EU and Australia’s implementation of the FATF Travel Rule is critical for financial institutions, fintech companies, and compliance professionals. The EU’s stricter, harmonised regulation applies to all transactions, whereas Australia’s risk-based model includes transaction thresholds and discretionary enforcement. These differences impact cross-border transactions, compliance programmes, enforcement risk, and data protection policies.

Businesses operating across both jurisdictions must ensure they comply with the strict EU regulations while also adapting to Australia’s evolving risk-based framework. Failure to do so could lead to regulatory penalties, operational challenges, and reputational damage. As financial crime regulations continue to evolve globally, companies should prepare for increasing convergence toward stricter compliance obligations worldwide.