AML Compliance in the Crypto Industry: FATF Travel Rule Explained
| Quick Answer | The FATF Travel Rule — derived from Recommendation 16 and updated in 2019 to cover virtual assets — requires virtual asset service providers (VASPs) to obtain, verify, and transmit originator and beneficiary information alongside virtual asset transfers above a specified threshold. In practical terms, this means that when a customer at one crypto exchange sends funds to a wallet at another exchange, both exchanges must share structured identity data about the sending and receiving parties. The rule is now law in the UK, EU, US, Singapore, and most FATF member jurisdictions. Non-compliance exposes VASPs to regulatory sanctions, de-risking by banking partners, and in some jurisdictions criminal liability. |
The Travel Rule is the most technically demanding AML obligation facing the crypto industry. Unlike KYC, which a VASP controls entirely within its own systems, Travel Rule compliance requires two separate regulated entities — the originating VASP and the beneficiary VASP — to exchange structured identity data for every qualifying transaction. This requires both parties to be Travel Rule-compliant, using compatible data exchange protocols, in real time.
This guide explains what the Travel Rule requires, how it has been implemented across key jurisdictions, the technical infrastructure that makes compliance possible, and the specific operational challenges that remain unresolved in the current implementation landscape.
1. The Origin of the Travel Rule
The Travel Rule has its origins in the traditional financial sector. FATF Recommendation 16 — first adopted in the 1990s — requires banks and financial institutions to include originator and beneficiary information in international wire transfers. The rule takes its name from the US FinCEN Travel Rule of 1996, which required financial institutions to "travel" this information alongside funds transfers.
In 2019, FATF updated its guidance to explicitly apply Recommendation 16 to virtual asset service providers and virtual asset transfers. This was a landmark development — it established the international consensus that crypto transfers should be subject to the same counterparty transparency requirements as traditional wire transfers, regardless of the pseudonymous nature of the underlying blockchain technology.
2. What the Travel Rule Requires: The Data Elements
| DEFINITION | The Travel Rule requires the originating VASP to obtain and transmit, and the beneficiary VASP to receive and retain, the following information for qualifying virtual asset transfers: originator's name, originator's account number (wallet address), originator's physical address or national identity number or date of birth and place of birth, and beneficiary's name and account number. The beneficiary VASP must also make reasonable efforts to identify transfers that lack required information. |
The threshold above which the Travel Rule applies varies by jurisdiction. FATF guidance sets $1,000/€1,000 as the standard threshold, but jurisdictions have implemented different thresholds. In the US, the FinCEN Travel Rule applies to transfers of $3,000 or more. In the EU, the Transfer of Funds Regulation (TFR) applies to all crypto-asset transfers with no de minimis threshold. In the UK, the FCA has applied a threshold of £1,000.
3. Jurisdiction-by-Jurisdiction Implementation
| Jurisdiction | Legal Instrument | Threshold | Key Requirements |
|---|---|---|---|
| EU | Transfer of Funds Regulation (TFR), effective December 2024 | No threshold — applies to all transfers | Applies to all crypto-asset transfers, including unhosted wallet transfers above €1,000. CASPs must collect and transmit full originator and beneficiary data. |
| UK | MLR 2017 (as amended); FCA guidance on cryptoasset businesses | £1,000 | UK-registered VASPs must comply from September 2023. FCA registration is mandatory; non-registered firms cannot operate in the UK market. |
| US | Bank Secrecy Act; FinCEN Travel Rule (31 CFR 103.33) | $3,000 | VASPs regulated as MSBs. FinCEN has proposed extending Travel Rule requirements to crypto. Current application based on FinCEN guidance from 2019. |
| Singapore | Payment Services Act; MAS Notice PSN02 | SGD 1,500 | MAS has issued detailed Travel Rule guidance for Digital Payment Token service providers. One of the most detailed regulatory frameworks globally. |
| Switzerland | AMLA; FINMA guidance | CHF 1,000 | FINMA issued Travel Rule guidance in 2019. VASPs must use an approved Travel Rule solution for qualifying transfers. |
4. The Technical Challenge: How Travel Rule Data Exchange Works
Blockchain transactions do not natively carry structured counterparty data. A bitcoin transfer on-chain contains the sending and receiving addresses — but no originator name, no date of birth, no physical address. The Travel Rule requires this data to travel alongside the transfer, but the blockchain itself cannot carry it.
The solution is off-chain data exchange: a separate messaging layer through which the originating VASP sends the required Travel Rule data to the beneficiary VASP in parallel with the on-chain transfer. Several competing protocols and solutions have emerged to provide this infrastructure, including TRISA, OpenVASP, and commercial solutions from providers such as Notabene, Sygna, and Chainalysis. There is not yet a single universal protocol — VASPs must often connect to multiple solutions to achieve coverage across the global VASP ecosystem.
The Sunrise Problem
A significant practical challenge is what the industry calls the "sunrise problem": the Travel Rule can only work if both the originating and beneficiary VASP are compliant. In jurisdictions where Travel Rule implementation has been staggered — coming into force at different dates in different countries — a VASP may be obligated to transmit Travel Rule data but unable to do so because the counterpart VASP has not yet implemented a compatible solution. Most jurisdictions have published guidance on how VASPs should handle these situations, generally requiring documentation of attempted compliance and enhanced monitoring of transactions where Travel Rule data cannot be obtained.
5. Unhosted Wallets: The Unsolved Problem
The most unresolved compliance challenge in Travel Rule implementation is the treatment of transfers to and from unhosted wallets — self-custody wallets not held at any regulated VASP. By definition, there is no counterpart VASP to exchange Travel Rule data with. The EU's Transfer of Funds Regulation requires CASPs to collect and verify information about the owner of the unhosted wallet for transfers above €1,000 — but the mechanism for doing so relies on the customer self-attesting ownership, which creates obvious verification challenges.
VASPs serving customers who regularly interact with unhosted wallets must build processes for customer attestation, blockchain analytics assessment of the wallet's risk profile, and enhanced monitoring of flows involving unhosted wallets. This is an area where regulatory guidance continues to evolve and where compliance programme design requires careful legal and operational analysis.
6. KYC as the Foundation for Travel Rule Compliance
Travel Rule compliance depends on having accurate, complete KYC data for every customer — because the Travel Rule data transmitted to the beneficiary VASP is drawn from the customer's KYC record. A VASP with incomplete KYC data cannot transmit accurate Travel Rule information. Poor customer onboarding quality directly undermines Travel Rule compliance quality.
This creates a compliance dependency that VASPs must manage systematically: the KYC process must collect all Travel Rule data fields at onboarding, the data must be kept current throughout the customer relationship, and the Travel Rule data transmission system must be able to access and use the KYC record in real time when a qualifying transfer is initiated.
Travel Rule and AML Compliance for Crypto Firms
One Constellation provides KYC onboarding, sanctions screening, and transaction monitoring for VASPs and crypto exchanges — built to support FCA, EU TFR, and FinCEN Travel Rule compliance requirements at scale.