
This guide covers the rule's definition and origins, who it applies to, exact data requirements, threshold variations by jurisdiction, compliance challenges, and steps to build a practical compliance program.
TLDR
- The Crypto Travel Rule requires VASPs to collect, verify, and share originator and beneficiary information on transfers above defined thresholds
- Rooted in FATF Recommendation 16, extended to virtual assets and VASPs in 2019
- Thresholds vary: FATF recommends $1,000/€1,000; the US applies $3,000; the EU mandates zero-threshold compliance for all transfers
- Non-compliance risks license revocation, regulatory enforcement actions, and loss of banking access
- June 2025 FATF revisions expanded scope to cover fraud prevention
- ISO 20022 alignment is now mandated for Travel Rule data transmission by 2030
What Is the Crypto Travel Rule and Why Does It Matter?
The Crypto Travel Rule applies FATF Recommendation 16 to virtual asset transfers. It requires that originator and beneficiary information "travel" with every crypto transaction — creating a traceable record that regulators and compliance teams can audit.
Historical Origins
The original Travel Rule was implemented by FinCEN under the Bank Secrecy Act in 1996 for traditional financial institutions. FATF incorporated it as Special Recommendation VII in October 2001 to address terrorist financing, then revised it to Recommendation 16 in 2012.
In June 2019, FATF formally extended the Travel Rule to virtual assets and VASPs through its Interpretive Note to Recommendation 15. That guidance established a risk-based approach to virtual asset oversight — and marked the moment crypto compliance entered the mainstream regulatory agenda.
The June 2025 FATF Recommendation 16 Overhaul
In June 2025, FATF revised Recommendation 16 to reflect changes in the payments landscape. The update expanded the rule's objectives beyond money laundering and terrorist financing to explicitly include fraud prevention and proliferation financing.
Key changes include:
- Confirmation of Payee (CoP) verification mandated for cross-border transfers
- Full integration with ISO 20022 messaging standards for data structuring
- Alignment checks required to detect misdirected payments
- Date of birth now mandatory for individuals (previously optional)
- Implementation deadline set for end of 2030

Why This Matters
These 2025 changes signal that regulators are done treating crypto as a special case — the rules now mirror what traditional banks have managed for decades, with a hard deadline to match.
For VASPs and fintechs, non-compliance isn't a theoretical risk. Firms that fall short face losing market access, sponsor bank relationships, and operating licenses. With the 2030 implementation window already open, building compliant systems now is significantly cheaper than retrofitting under enforcement pressure.
Who Does the Crypto Travel Rule Apply To?
FATF VASP Definition
FATF defines a Virtual Asset Service Provider (VASP) as any entity that, as a business, provides one or more of the following services:
- Exchange between virtual assets and fiat currencies
- Exchange between forms of virtual assets
- Transfer of virtual assets on behalf of customers
- Safekeeping or administration of virtual assets
- Participation in issuing or underwriting virtual assets
Critical point: The activity determines VASP status, not the label a company uses for itself.
Jurisdictional Terminology Differences
Compliance teams must track different terms across jurisdictions:
- FATF: Uses "VASP"
- European Union: Uses "CASP" (Crypto-Asset Service Provider) under MiCA
- United States: Uses "Money Services Business" (MSB) or "money transmitter" under FinCEN guidance
The terminology differs, but the core obligation is consistent: collect counterparty data and transmit it alongside the transfer.
Transfer Scenarios That Trigger Obligations
1. Transfers Between Two VASPs
Both originating and beneficiary institutions must fulfill information-sharing duties. Each VASP collects data from its customer and transmits it to the counterparty.
2. Transfers Involving Unhosted Wallets
The VASP must collect required information from its customer, but no data is transmitted to the self-custodial wallet itself. Unhosted wallet obligations differ materially by jurisdiction:
- EU: Verification required for transfers exceeding €1,000
- UK: Risk-based information requests under Regulation 64G
- Hong Kong: Cryptographic verification of wallet ownership mandatory
Because requirements vary this sharply across jurisdictions, VASPs operating in multiple markets need jurisdiction-specific procedures — a single global policy will leave gaps.
What Information Must VASPs Collect and Transmit?
Originator Information (Above Threshold)
- Verified full name
- Account number or unique transaction reference (wallet address)
- Full physical address
- Date of birth (mandatory for individuals under June 2025 FATF update)
- For entities: BIC (Business Identifier Code), LEI (Legal Entity Identifier), or unique official identifier
Beneficiary Information (Above Threshold)
- Name
- Account number or unique transaction reference
- Country and town/city name
- For entities: BIC, LEI, or unique official identifier
The 2025 FATF revision tightened these beneficiary requirements — which matters directly for the below-threshold rules that follow.
Below-Threshold Requirements
Even when a transaction falls below the jurisdiction's de minimis threshold, many frameworks still require:
- Name of originator and beneficiary
- Account number (wallet address) for both parties
This information does not need to be verified unless money laundering or terrorist financing is suspected.
The IVMS101 Messaging Standard
The interVASP Messaging Standard 101 (IVMS101) defines a standardized data model for transmitting originator and beneficiary PII. It was developed by the Joint Working Group for interVASP Messaging Standards — a coalition of the Chamber of Digital Commerce, Global Digital Finance, and the International Digital Asset Exchange Association — with regulators including FinCEN, MAS, FCA, and JFSA kept informed throughout.
Today, virtually every Travel Rule protocol uses or plans to support IVMS101. When evaluating compliance solutions, confirming IVMS101 support is a baseline requirement, not an optional feature.
Record-Keeping Obligations
VASPs must typically retain all Travel Rule data for a minimum of five years across major jurisdictions:
| Jurisdiction | Retention Period | Citation |
|---|---|---|
| United States | 5 years | 31 CFR § 1010.410 |
| European Union | 5 years | TFR Article 26 |
| United Kingdom | 5 years | Money Laundering Regulations 2017, Reg 40 |
| Canada | 5 years | FINTRAC requirements |
Records must be accessible and audit-ready for regulatory review. Gaps in documentation represent a significant compliance risk during examinations.
Travel Rule Thresholds and the Global Jurisdictional Landscape
FATF Baseline Threshold Framework
FATF recommends a de minimis threshold of USD/EUR 1,000 for virtual asset transfers. Above this amount, full originator and beneficiary information must be collected and shared.
Thresholds function as either "de minimis" cutoffs or data-volume triggers. Aggregated linked transactions count toward the threshold, meaning multiple small transfers between the same parties may trigger reporting.
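An added example (not code from this guide or from any Travel Rule protocol) of a pre-transmission check that combines the field lists above with linked-transfer aggregation. The key names, the 24-hour linking window and the sample records are assumptions, and amounts are taken to be in the regime's own currency already.

```python
from datetime import datetime, timedelta

# Thresholds as quoted on this page, each in its regime's own currency.
THRESHOLDS = {"FATF": 1000, "US": 3000, "EU": 0}
LINK_WINDOW = timedelta(hours=24)  # assumption: the page names no linking window

# Field lists from the page; the key names are hypothetical, not IVMS101 names.
BASIC = ("name", "account")
FULL = {"originator": ("name", "account", "address", "date_of_birth"),
        "beneficiary": ("name", "account", "country", "town")}
ENTITY_IDS = ("bic", "lei", "official_id")


def linked_total(transfer, history):
    """Add earlier transfers between the same two accounts inside the window."""
    total = transfer["amount"]
    for past in history:
        same_pair = all(past[p]["account"] == transfer[p]["account"] for p in FULL)
        age = transfer["time"] - past["time"]
        if same_pair and timedelta(0) <= age <= LINK_WINDOW:
            total += past["amount"]
    return total


def check_transfer(transfer, history, regime):
    """Report which required fields are absent before the transfer is sent."""
    total = linked_total(transfer, history)
    full = total > THRESHOLDS[regime]  # EU zero threshold: every transfer
    missing = []
    for party, full_fields in FULL.items():
        person = transfer[party]
        is_entity = person.get("kind") == "entity"
        fields = full_fields if full else BASIC
        for field in fields:
            if is_entity and field == "date_of_birth":
                continue  # entities carry an identifier instead
            if not person.get(field):
                missing.append(f"{party}.{field}")
        if full and is_entity and not any(person.get(i) for i in ENTITY_IDS):
            missing.append(f"{party}.entity_identifier")
    return {"linked_total": total, "full_set": full, "missing": missing}


# Constructed sample: three 400-unit transfers between the same accounts in one day.
T0 = datetime(2025, 7, 1, 9, 0)
ALICE = {"name": "Alice Example", "account": "wallet-A", "address": "1 Sample St"}
BOB = {"name": "Bob Example", "account": "wallet-B", "country": "DE", "town": "Berlin"}
HISTORY = [{"amount": 400, "time": T0 + timedelta(hours=h),
            "originator": ALICE, "beneficiary": BOB} for h in (0, 5)]
CURRENT = dict(HISTORY[0], time=T0 + timedelta(hours=10))

if __name__ == "__main__":
    print(check_transfer(CURRENT, HISTORY, "FATF"))
    print(check_transfer(CURRENT, [], "FATF"))
```

Taken alone, the 400-unit transfer needs only the basic fields under the FATF threshold; with the two earlier linked transfers the total crosses it and the missing date of birth is flagged.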
United States Framework
FinCEN implements the Travel Rule under the Bank Secrecy Act at a $3,000 threshold for cross-border transfers. The May 9, 2019 guidance (FIN-2019-G001) confirmed this applies to convertible virtual currency (CVC) transactions.
Pending proposals (not yet finalized as of mid-2025):
- $250 threshold for international transfers (Docket FINCEN-2020-0011)
- $10,000 CVC transaction reporting requirement (Docket FINCEN-2020-0020)
Both proposals remain open — but if finalized, the $250 threshold alone would capture the vast majority of retail crypto transfers currently outside FinCEN's Travel Rule scope.
European Union Framework
The EU's Transfer of Funds Regulation (TFR), effective December 30, 2024, establishes a zero threshold — every cryptoasset transfer regardless of amount requires full Travel Rule compliance.
The €1,000 threshold applies specifically to unhosted wallet verification requirements: for transfers exceeding €1,000 sent to or received from a self-hosted address, the CASP must verify whether that wallet is effectively owned or controlled by the client.
TFR operates alongside MiCA, meaning EU-licensed CASPs face both transfer-level data obligations and entity-level licensing requirements simultaneously.
United Kingdom Framework
Implemented September 1, 2023 via amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017:
- No specified monetary threshold
- FCA's "all reasonable steps" standard provides flexibility while maintaining AML rigor
- Regulation 64G addresses unhosted wallet transactions, requiring additional verification for higher-risk cases based on risk assessment
- VASPs receiving transfers from non-Travel-Rule jurisdictions must conduct risk-based assessment before releasing funds
Other Major Markets and the "Sunrise Problem"
Beyond the major blocs, several additional jurisdictions have enacted their own frameworks — each with distinct thresholds and enforcement approaches:
| Jurisdiction | Threshold | Effective Date | Key Feature |
|---|---|---|---|
| Canada | CAD 1,000 | June 1, 2021 | FINTRAC guidance |
| Singapore | SGD 1,500 | January 28, 2020 | MAS Notice PSN02 |
| Hong Kong | HKD 0 (broader info > HKD 8,000) | June 1, 2023 | Cryptographic wallet verification mandatory |

According to FATF's 2025 Targeted Update, 73% of surveyed jurisdictions (85 of 117) have passed Travel Rule legislation, but enforcement and implementation remain highly uneven. This creates the "sunrise problem" of uneven global adoption that VASPs must strategically manage.
Key Compliance Challenges for Crypto Businesses
The "Sunrise Problem" Operationally
When a VASP in a Travel-Rule-compliant jurisdiction receives a transfer from a VASP in a non-compliant jurisdiction, it must conduct a risk-based assessment before releasing funds.
What this assessment should include:
- Counterparty jurisdiction regulatory status
- Counterparty VASP registration and licensing
- Ability of counterparty to securely handle PII
- Transaction risk indicators (amount, frequency, pattern)
- Enhanced monitoring or restrictions if risks cannot be mitigated
The scale of the gap: While 73% of jurisdictions have passed legislation, 59% of those 85 jurisdictions have not yet taken enforcement or supervisory actions focused on Travel Rule compliance. This creates workflow complexity and potential transaction delays for compliant VASPs.
Counterparty and Unhosted Wallet Identification Challenges
Unlike traditional banking where counterparties are known institutions using SWIFT, crypto VASPs face a critical identification problem: determining whether a destination wallet belongs to another VASP or a private individual.
Technical solutions that have emerged:
| Protocol/Network | Description |
|---|---|
| TRUST | Travel Rule Universal Solution Technology; industry alliance (including Coinbase) using end-to-end encrypted channels with no central PII storage |
| TRISA | Travel Rule Information Sharing Architecture; decentralized, open-source, peer-to-peer protocol using Certificate Authority model |
| OpenVASP (TRP) | Travel Rule Protocol; free, open standard for permissionless communications between VASPs |

VASP due diligence frameworks: FATF's 2021 VASP Guidance notes that tools like the Wolfsberg Correspondent Banking Due Diligence Questionnaire (CBDDQ) provide a "starting-point for a potential framework in the VASP counterparty due diligence context." While not mandated, this framework helps standardize counterparty trust establishment.
Data Privacy Versus Compliance Tension and Interoperability Gaps
Transmitting PII between VASPs raises data protection concerns, particularly under GDPR in the EU.
Key tensions:
- EDPB Guidelines 02/2024 clarify that a request from a foreign authority does not automatically constitute a legal basis for processing or transfer
- Any transfer of personal data to a third country must comply with GDPR Chapter V safeguards
- UK ICO emphasizes organizations must ensure transfers are covered by adequacy regulations, appropriate safeguards, or exceptions
These privacy obligations don't exist in isolation — they interact directly with a second operational problem. Multiple competing Travel Rule protocols lack universal interoperability, meaning a VASP must often support several simultaneously to avoid failed transfers. When evaluating solutions, VASPs should assess not just protocol coverage but also whether the vendor's data handling model is compatible with GDPR transfer requirements.
Building a Practical Travel Rule Compliance Program
Core Program Elements Every VASP Needs
1. Written Travel Rule Policy
Document the Travel Rule policy in your AML/BSA program, covering:
- Threshold triggers for your jurisdictions
- Data collection requirements (above and below threshold)
- Transmission protocols and technical standards
- Below-threshold screening and verification triggers
- Record retention procedures (minimum 5 years)
2. KYC Baseline
Capture required originator/beneficiary fields at onboarding:
- Full name (verified)
- Date of birth for individuals
- Physical address
- BIC, LEI, or official identifier for entities
- Unique transaction reference capability (wallet address)
3. Counterparty VASP Due Diligence Framework
Develop a VASP DDQ aligned with FATF guidance and the Wolfsberg CBDDQ covering:
- Legal entity verification and licensing status
- AML/CFT program adequacy assessment
- Data protection and security capabilities
- Jurisdiction risk assessment
- Ongoing monitoring and re-evaluation triggers
4. Ongoing Sanctions Screening
Screen counterparty customers against:
- OFAC SDN list
- EU sanctions lists
- UK HM Treasury sanctions
- Jurisdictional sanctions relevant to your operations
5. Process for Handling Transfers from Non-Compliant Jurisdictions
Define risk-based assessment criteria and document decision-making for:
- Accepting, rejecting, or delaying transfers
- Enhanced due diligence requirements
- Escalation procedures for high-risk scenarios

Technology and Operations Requirements
Selecting a Travel Rule Solution
Prioritize broad protocol interoperability to minimize failed transfers. Evaluate:
- Support for IVMS101 data standard
- Compatibility with TRUST, TRISA, and OpenVASP protocols
- Secure PII transmission and storage
- ISO 20022 alignment (critical for 2030 deadline)
- Integration capability with existing systems
Integration with Existing Systems
Connect your Travel Rule solution with:
- Transaction monitoring systems
- KYC/CDD platforms
- Sanctions screening tools
- Blockchain analytics providers
- Record-keeping and audit databases
Audit-Ready Documentation Workflows
Build workflows that ensure:
- 5-year retention of all Travel Rule data
- Audit trail of data collection, verification, and transmission
- Exception documentation for rejected or delayed transfers
- Regulatory reporting capability
Staff Training
Ensure staff understand:
- Travel Rule obligations for each jurisdiction you operate in
- Data collection and verification procedures
- Protocol operation and troubleshooting
- Escalation procedures for compliance concerns
6. Ongoing Program Updates
Monitor and update your program as the regulatory landscape shifts:
- Track FATF guidance and jurisdictional rule changes
- Stay current on protocol updates (TRISA, TRUST, OpenVASP)
- Schedule periodic reviews when new jurisdictions go live
Expert Leadership for Multi-Jurisdictional Travel Rule Compliance
Building and maintaining this program across multiple jurisdictions requires compliance expertise most crypto firms and fintechs don't have in-house full-time. That's where Fraxtional's fractional BSA Officer, CAMLO, and MLRO services come in.
Fraxtional's global team covers US, Canada, UK, and EU requirements, with direct experience navigating multi-jurisdictional Travel Rule obligations, sponsor bank relationships, and regulatory examinations. The firm is recognized by the T100 Finance Award as a leader in compliance.
Engagements range from short-term Travel Rule implementation advisory to ongoing fractional leadership — director-level oversight at a fraction of the cost of a full-time hire.

Frequently Asked Questions
What is the travel rule in crypto compliance?
The Crypto Travel Rule is the application of FATF Recommendation 16 to virtual asset transfers, requiring VASPs to collect, verify, and transmit originator and beneficiary information above defined thresholds to prevent financial crime.
What is the FinCEN travel rule?
The FinCEN Travel Rule is the US implementation under the Bank Secrecy Act. It requires financial institutions and VASPs to share specified customer information on transfers above $3,000, and FinCEN's 2019 guidance confirmed it applies to convertible virtual currency transactions.
What is the travel rule for ISO 20022?
The June 2025 FATF revision to Recommendation 16 integrated Travel Rule data requirements with ISO 20022 messaging standards. VASPs and financial institutions must align their data fields and transmission formats with ISO 20022 to ensure interoperability by 2030.
What information must VASPs collect under the Travel Rule?
Above threshold, VASPs must collect: originator name, account number, address, and date of birth (or BIC/LEI for entities); plus beneficiary name, account number, and country and town of residence. Below threshold, most jurisdictions require only basic name and account number for both parties.
What is the "sunrise problem" in Travel Rule compliance?
The "sunrise problem" refers to the uneven, staggered global implementation of Travel Rule requirements. VASPs in compliant jurisdictions regularly receive transfers from counterparts where the rule is not yet in force, requiring risk-based decisions on whether to process, hold, or reject those inbound transfers.
Does the Travel Rule apply to unhosted wallets?
Yes. Travel Rule obligations still apply when a VASP's customer transfers to or from an unhosted (self-custodial) wallet—the VASP must collect required information from its own customer, but no data is transmitted to the wallet itself. Some jurisdictions (Hong Kong, Singapore, EU) require additional verification steps such as cryptographic proof of wallet ownership.


