The FATF Travel Rule has become one of the defining regulatory requirements for Virtual Asset Service Providers (VASPs) operating globally. Originally introduced in 2019, the rule has seen significant adoption over the past five years, with most major jurisdictions now incorporating it into their legislative frameworks.
This article provides an overview of the Travel Rule, examines current implementation data, and outlines the practical compliance requirements that crypto firms need to address.
What Is the FATF Travel Rule?
In June 2019, the Financial Action Task Force (FATF) published its Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, extending AML/CTF obligations to the crypto sector. Recommendation 16, known as the "Travel Rule," was central to this guidance.
The Travel Rule Defined: The obligation for VASPs to obtain, hold, and transmit required originator and beneficiary information during virtual asset transfers, in order to identify and report suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities.
The term "Travel Rule" comes from the 1997 FinCEN Advisory that imposed similar requirements on traditional financial institutions. The underlying principle is that when funds move between institutions, identifying information about the sender and receiver should accompany the transfer.
In practice, this means that when a customer sends cryptocurrency from one exchange to another, both exchanges must collect, verify, and share personally identifiable information (PII) about their respective customers before or at the time of the transaction.
Current State of Global Implementation
Since 2019, the Travel Rule has moved from guidance to enforceable regulation across most major jurisdictions. The following data from FATF's 2024 reports illustrates the current landscape:
The EU's Transfer of Funds Regulation (TFR), effective December 30, 2024, has had a notable impact. Data from the Notabene network shows that EU-originated Travel Rule message volumes increased by approximately 200x between January 2024 and January 2025.
While 70% of jurisdictions have enacted Travel Rule legislation, only about a quarter are actively examining VASPs for compliance. According to FATF's July 2024 report, only 17 of the 65 jurisdictions with Travel Rule laws have taken supervisory or enforcement actions against VASPs. This discrepancy between legislation and enforcement is worth monitoring, as enforcement activity is likely to increase as regulators build capacity.
Key Regulatory Updates (2021-2025)
The FATF's October 2021 guidance update introduced several clarifications that remain relevant:
Self-Hosted Wallet Requirements
Travel Rule requirements now explicitly include transactions involving self-hosted (unhosted) wallets. VASPs must collect and retain originator and beneficiary information when conducting transfers with self-hosted wallets. Additional controls may be applied based on the VASP's risk assessment.
De Minimis Threshold
Countries may set de minimis thresholds for Travel Rule applicability. However, VASPs are expected to collect information for all VA transfers regardless of amount. The threshold determines when information must be transmitted, not when it must be collected.
Function-Based Regulation
The 2021 update emphasised regulating crypto businesses based on their function and business model rather than their underlying technology or self-described category. This approach has implications for DeFi protocols, stablecoin issuers, and various custodial arrangements.
How the Travel Rule Fits into AML/CTF Frameworks
Most VASPs already have customer identification and sanctions screening processes in place. These controls can prevent sanctioned individuals from initiating transactions. However, without Travel Rule compliance, a VASP may still process transactions where the beneficiary is a sanctioned party.
The Travel Rule addresses this gap by requiring counterparty identification at the transaction level. This allows VASPs to screen beneficiaries and counterparty institutions before a transaction is broadcast to the blockchain.
| Without Travel Rule | With Travel Rule |
|---|---|
| Beneficiary VASP and customer unknown | Counterparty identity verified before transfer |
| Only funds are transferred between VASPs | PII accompanies the transaction |
| Sanctions screening limited to originator | Pre-transaction screening includes beneficiary |
| Risk identified after settlement | Risk assessed before settlement |
Compliance Requirements: Practical Steps
When engaging in transactions with counterparty VASPs, the Travel Rule requires a specific workflow. The following steps outline the core compliance process:
Verify Your Customer
Before initiating any transfer, verify your own customer's information through existing KYC processes. This serves as the foundation for subsequent steps.
Identify the Counterparty VASP
Determine the entity controlling the beneficiary wallet. The classification (regulated VASP, self-hosted wallet, etc.) determines which requirements apply.
Perform Counterparty Due Diligence
Assess the counterparty institution's regulatory status, AML controls, and jurisdictional risk. This establishes whether the counterparty can be trusted to handle Travel Rule data appropriately.
Collect Beneficiary Information
Gather required beneficiary details from your customer. At minimum: name, account number, and an additional identifier (such as address or national ID, depending on jurisdiction).
Sanctions Screening
Screen both the counterparty customer and the counterparty VASP against relevant sanctions lists. This step is where Travel Rule compliance provides the most value in terms of risk mitigation.
Transmit Travel Rule Data
Exchange the required information with the counterparty VASP using an interoperable protocol. Both parties then accept or reject the transfer based on their respective risk assessments.
Implementation Challenges
Protocol Interoperability
Multiple Travel Rule solutions exist in the market, including TRISA, OpenVASP, and Notabene, among others. Not all VASPs use the same protocol, which creates friction in data exchange. The industry is developing interoperability bridges, but this remains an ongoing challenge. Firms evaluating Travel Rule solutions should consider multi-protocol support.
Self-Hosted Wallet Transactions
Transactions involving self-hosted wallets present additional complexity. Without a counterparty institution to exchange data with, VASPs must implement alternative verification methods. These may include proof of wallet ownership, enhanced due diligence on the customer, or transaction limits. Requirements vary significantly by jurisdiction.
Cross-Border Asymmetry
When one jurisdiction enforces the Travel Rule and another does not, cross-border transactions become more complex. VASPs in compliant jurisdictions may face difficulties transacting with counterparties in non-compliant regions. This has led some firms to prioritise building networks of verified, compliant counterparties.
Expected Developments
Based on FATF communications and industry trends, the following developments are anticipated:
- Increased enforcement activity: As more jurisdictions build supervisory capacity, the gap between legislation and enforcement is expected to narrow.
- Real-time verification requirements: Pre-transaction checks are likely to become standard expectations rather than optional best practices.
- Stablecoin-specific guidance: Given the growth of stablecoin usage in cross-border payments, more prescriptive requirements for stablecoin service providers are expected.
- ISO 20022 alignment: Proposed updates to Recommendation 16 indicate a move toward alignment with traditional financial messaging standards.
Conclusion
The FATF Travel Rule has evolved from initial guidance in 2019 to enforceable regulation across most major crypto markets. For VASPs, compliance requires investment in technology, processes, and counterparty relationships. The core requirement of exchanging originator and beneficiary information aligns crypto with obligations that have existed in traditional finance for decades.
As implementation continues to mature, the Travel Rule is becoming an integral part of the crypto compliance stack, alongside KYC, sanctions screening, and transaction monitoring.
Sources: FATF Guidance for a Risk-Based Approach to VAs and VASPs (2019, 2021); FATF Targeted Update on Virtual Assets/VASPs (July 2024); Notabene State of Crypto Travel Rule 2025.