One Constellation
Book a Demo
AML & Financial Crime

Crypto AML Compliance and the FATF Travel Rule for VASPs

Crypto AML compliance is increasingly converging with traditional financial-services compliance, but the FATF Travel Rule, the technical realities of on-chain transfers, and a fragmented global regulatory landscape make implementation genuinely different. This guide explains what VASPs must do, how the Travel Rule actually works, and how compliance differs across MAS, MiCA, FinCEN, and other major regimes.

Published: May 2026 Category: AML & Financial Crime Read time: ~11 minutes
Quick Answer
The FATF Travel Rule (FATF Recommendation 16, extended to virtual assets in 2019) requires Virtual Asset Service Providers (VASPs) to obtain, hold, and transmit originator and beneficiary information for virtual asset transfers above a defined threshold (typically USD/EUR 1,000). VASPs include crypto exchanges, custodial wallets, brokers, and certain DeFi front-ends — defined in FATF guidance and implemented by national regulators. Travel Rule compliance requires (1) collecting originator KYC and beneficiary information for outbound transfers, (2) transmitting that information securely to the receiving VASP via an interoperable Travel Rule protocol (TRP, TRISA, OpenVASP, Sygna Bridge), (3) screening counterparty VASPs and beneficiary information against sanctions and risk lists, and (4) declining transfers that fail Travel Rule checks. Beyond the Travel Rule, VASPs must operate a complete AML programme: KYC at customer onboarding, transaction monitoring tuned to crypto-specific typologies, sanctions screening against blockchain-address watchlists, and SAR filing under the relevant national FIU.

Crypto AML compliance has moved decisively from optional to mandatory across every major jurisdiction. Singapore licenses VASPs under the Payment Services Act; the EU has rolled out MiCA and the funds-transfer regulation as a coordinated package; the US treats crypto exchanges as money services businesses under FinCEN and prosecutes failures vigorously; the UK has registered crypto firms with the FCA since 2020. Operating an unregulated crypto business that touches any of these jurisdictions is no longer a viable strategy.

What makes crypto compliance harder than traditional finance is not the regulatory expectation — which has converged toward FATF norms — but the technical reality. Transfers happen on public blockchains in seconds, addresses are pseudonymous, counterparty VASPs may not have implemented Travel Rule protocols, and DeFi protocols sit in a category that regulation has not fully resolved. Building a VASP that is genuinely compliant is a different operational problem from building a compliant bank.

Who Counts as a VASP

FATF defines a Virtual Asset Service Provider through five activities. Any natural or legal person conducting any of them as a business is a VASP and is subject to AML/CFT regulation in every FATF member jurisdiction.

The five VASP activities under FATF Recommendation 15:

  • Exchange between virtual assets and fiat currencies.
  • Exchange between one or more forms of virtual assets.
  • Transfer of virtual assets — moving virtual assets from one address or account to another.
  • Safekeeping or administration of virtual assets or instruments enabling control over virtual assets.
  • Participation in and provision of financial services related to an issuer's offer or sale of a virtual asset (including ICOs).

National implementations vary at the edges. MAS's definition of "Digital Payment Token Service" under the Payment Services Act covers the FATF VASP activities and adds DPT exchange and certain custodial activities. MiCA introduces "Crypto-Asset Service Providers" (CASPs) with broadly equivalent scope. FinCEN treats most crypto exchanges as Money Services Businesses. The vocabularies differ; the substantive scope is similar.

How the Travel Rule Actually Works

The Travel Rule is straightforward in concept and operationally complex in practice. Conceptually: when a VASP transfers crypto on behalf of a customer to another VASP, the originator VASP must transmit identifying information about the originator (and obtain it about the beneficiary) so that the destination VASP receives a transfer with the same level of identifying information that would accompany a wire transfer in traditional banking.

Operationally: this requires solving five problems simultaneously.

The five Travel Rule operational challenges:

  • VASP identification — determining whether the destination address belongs to a VASP at all (most addresses do not), and if so, which VASP.
  • Counterparty due diligence — assessing the destination VASP's AML controls before transmitting customer information to them.
  • Information transmission — sending originator and beneficiary information securely to the destination VASP via an interoperable protocol the receiving VASP also implements.
  • Threshold logic — applying the right threshold (USD/EUR 1,000 in most regimes; lower in some) including aggregation rules for related transfers.
  • Self-hosted wallet handling — different jurisdictions take different approaches when the counterparty is not a VASP at all but an individual's self-custodied wallet.

Several Travel Rule protocols compete for VASP adoption: TRP (Travel Rule Protocol, the IVMS 101 data standard's most-used implementation), TRISA, OpenVASP, Sygna Bridge, Notabene, and Veriscope, among others. Most major VASPs implement multiple protocols to maximise counterparty coverage. Interoperability between protocols remains imperfect.

Crypto-Specific Money Laundering Typologies

Transaction monitoring scenarios for VASPs need to address typologies that do not exist in traditional banking. A monitoring system designed for fiat banking will miss crypto-specific patterns that are genuinely diagnostic of illicit activity.

The crypto-specific typologies a VASP's transaction monitoring should detect:

  • Mixer and tumbler exposure — funds traced to or from anonymising services (Tornado Cash and successors, traditional mixers).
  • Darknet market exposure — funds with on-chain provenance from sanctioned darknet markets or known illicit clusters.
  • Sanctioned address exposure — direct or indirect transactions with blockchain addresses on the OFAC SDN list (which has included crypto addresses since 2018).
  • Chain-hopping — rapid conversion between assets across multiple chains designed to obscure origin.
  • Peel chain patterns — large amounts split into small transfers across many addresses, typically associated with laundering ransomware proceeds.
  • Unhosted-wallet velocity — large or frequent flows to/from self-custodied wallets without clear economic rationale.
  • Front-running and wash trading — manipulative trading patterns that may not be money laundering per se but are typically subject to STR obligations.

See our broader transaction monitoring guide for the underlying framework these crypto-specific scenarios extend.

Sanctions Screening for Crypto

Sanctions enforcement is where crypto compliance has historically been weakest and where regulatory action has been most aggressive. OFAC has designated specific crypto addresses since 2018, including the headline-grabbing November 2018 Iranian ransomware addresses, the August 2022 Tornado Cash designation, and an expanding list of Russia-related addresses since 2022. Sanctions screening for VASPs has therefore become a discipline distinct from traditional name-based screening.

Address-level screening tests every crypto address the VASP interacts with against sanctions lists and against blockchain-analytics-derived risk lists (Chainalysis, TRM Labs, Elliptic). Cluster-level screening tests not just the immediate counterparty address but the broader cluster of addresses associated with the same entity. Indirect exposure screening traces funds backward to identify exposure to sanctioned addresses through one or more hops. All three are required for a defensible programme. See our broader sanctions screening guide for the underlying framework.

OFAC 50% Rule for Crypto
OFAC's 50% Rule applies to crypto in the same way it applies to traditional finance: an entity owned 50% or more by sanctioned persons is itself sanctioned, even if not on the SDN list. Translated to crypto, this means addresses controlled by sanctioned persons through intermediate entities are themselves sanctioned, and screening must extend through ownership and control relationships. Blockchain analytics that identify clusters and entity attribution are essential to operationalising this.

The Major VASP Regimes Compared

While the substantive standards converge toward FATF norms, the licensing, supervisory, and operational requirements diverge substantially between jurisdictions. A VASP operating cross-border must comply with the highest applicable standard — which is rarely the same in any two jurisdictions.

The four largest VASP regimes a global crypto firm typically encounters:

  • Singapore — MAS Payment Services Act: Licence required for DPT services; full AML/CFT obligations under MAS Notice PSN02; Travel Rule applies to transfers above S$1,500.
  • EU — MiCA + Transfer of Funds Regulation: CASP authorisation under MiCA; Travel Rule under TFR with no de minimis threshold (applies to all transfers); harmonised across all 27 member states.
  • US — FinCEN MSB registration + state Money Transmitter Licences: Federal MSB registration with FinCEN; state-by-state money transmitter licensing in most states; Travel Rule threshold of USD 3,000; OFAC sanctions enforcement particularly aggressive.
  • UK — FCA Cryptoasset Registration: Registration with the FCA under MLR 2017; Travel Rule applies above GBP 1,000; FCA has been notably stringent on registration approvals.

Building a Defensible VASP Compliance Programme

A VASP compliance programme is not fundamentally different from a traditional AML programme in its structural elements — KYC, transaction monitoring, sanctions screening, SAR filing, governance, training. What differs is the technical implementation of each element to handle the specific characteristics of virtual assets.

One Constellation provides the full traditional-finance compliance stack — KYC, KYB, sanctions and PEP screening, transaction monitoring, compliance portal — built on a platform that integrates with blockchain-analytics providers for crypto-specific risk data. For VASPs operating in Singapore and other major jurisdictions, the same platform handles fiat onboarding, DPT customer onboarding, and Travel Rule message handling on a unified case-management workflow.

Compliance Built for VASPs Operating Globally

One Constellation provides FATF-aligned KYC, transaction monitoring, and sanctions screening for crypto businesses, with native MAS Payment Services Act mapping and integrations to leading blockchain-analytics providers.

Book a Demo Crypto Industry Solutions
← Sanctions Screening Transaction Monitoring → All Articles
Scroll to Top