What is the Travel Rule?
Just a few years ago, the crypto market was built on anonymity and decentralization. Today, it stands on the brink of full compliance almost with banking standards. The Travel Rule is one of the central elements of this transformation. It requires crypto asset service providers (CASPs and existing VASPs) to collect and transmit customer data for every transaction exceeding a certain threshold. According to FATF data, 75% of countries worldwide still do not comply with Travel Rule requirements. This means that crypto companies in those jurisdictions are prone to face regulatory and legal risks. In this article, we explain how the Travel Rule works, what obligations it imposes, and how to ensure compliance to avoid blocked transactions, fines, and license revocation.
What is Travel Rule: key features
The Travel Rule is an international standard developed to prevent the use of virtual assets for money laundering, terrorist financing, and other potentially illicit activities. Although it originates from traditional banking regulations, the rule has been adapted to the crypto industry due to its growing impact and associated risks.
The Travel Rule requires cryptocurrency exchanges, custodial wallets, and payment service providers to transmit the following data for every transaction exceeding a certain threshold ($1,000 / €1,000):
- The sender’s (originator’s) full name;
- The sender’s wallet address or account number;
- One additional identifier (e.g., address, national ID number, or date of birth);
- The recipient’s (beneficiary’s) full name;
- The recipient’s wallet address or account number.
This information must be transmitted either before the transaction or at the moment it is initiated. As a result, anonymous transfers between VASPs within regulated jurisdictions are effectively prohibited. Moreover, the receiving party is required to verify the information and, if there are doubts or inconsistencies, suspend or reject the transaction by local regulatory requirements and the VASP’s internal risk procedures.
History and FATF initiative
The Travel Rule originated from FATF Recommendation 16, which was first extended to virtual assets in 2019. According to this recommendation, Virtual Asset Service Providers (VASPs) are required to transmit identifying data about both the originator and the beneficiary for each transaction that exceeds the designated threshold. This measure aims to align crypto businesses with the AML/CFT standards applied in the traditional financial sector.
How Travel Rule apply to the crypto sector
The Travel Rule applies to digital asset transfers carried out in the following cases:
- Between two VASPs (e.g., between exchanges or custodial service providers);
- Between a VASP and a self-hosted wallet, if permitted or required under applicable regulation (e.g., under EU rules, for transfers exceeding €1,000);
- Within a single VASP, if the transaction is functionally equivalent to an external transfer (e.g., in white-label infrastructure setups).
Under EU Regulation 2023/1113, a threshold of €1,000 has been set, above which transactions must comply with data collection and transmission requirements. Some jurisdictions, such as Switzerland and Singapore, apply a zero threshold, extending the rule to even the smallest transactions.
Importantly, the rule applies regardless of asset type—it covers all virtual assets, including BTC, ETH, stablecoins, and tokenized securities, as long as they are recognized as a medium of exchange, store of value or investment instrument under the relevant legal framework.
Who is required to comply with the Travel Rule?
According to FATF, a Virtual Asset Service Provider (VASP) is any person or entity professionally engaged in:
- Exchange between virtual assets for fiat currencies or other virtual assets;
- Transfer of virtual assets on behalf of clients;
- Safekeeping and/or administration of virtual assets (including custodial wallets);
- Participation in and provision of financial services related to the issuance or sale of virtual assets.
Under the EU's MiCA and Transfer of Funds Regulation (TFR), compliance is mandatory for both EU-registered VASPs (CASPs) and non-EU entities that serve EU-based clients. This means that even offshore exchanges are subject to the rule when interacting with EU residents or operating within the jurisdiction of the European Union.
How is the Crypto Travel Rule implemented in the EU and MiCA?
In the European Union, the Travel Rule has taken a legally binding form through the Transfer of Funds Regulation (TFR), adopted in June 2023. Alongside the Markets in Crypto-Assets Regulation (MiCA), this document forms the foundation of the EU’s regulatory framework for the crypto industry, aimed at combating money laundering and terrorist financing.
Regulation (EU) 2023/1113 entered into force on 29 June 2023 and became mandatory for all EU member states as of 30 December 2024. It extends the same rules previously applied to traditional wire transfers to transfers of virtual assets. Specifically, the regulation requires VASPs (CASPs) to:
- Collect data on the originator and beneficiary for transfers above €1,000;
- Verify the information before transmission;
- Retain the data for a minimum of five years;
- Ensure data protection in line with the General Data Protection Regulation (GDPR).
MiCA and TFR operate in parallel: MiCA sets the licensing and supervisory requirements for CASPs, while TFR establishes obligations for transaction transparency. Together, they create a comprehensive regulatory framework similar to that of the traditional banking sector.
Obligations for EU-based VASPs (CASPs)
Entities subject to TFR are required to:
- Conduct customer verification (KYC) and due diligence (CDD) on both the originator and the beneficiary, including screening against EU sanctions lists;
- Collect and retain key identifying data: name, account number or wallet address, date and place of birth (or another unique identifier such as address or national ID number);
- Monitor transactions on an ongoing basis and report suspicious activity to the relevant Financial Intelligence Unit (FIU), in line with EU AML requirements;
- Use secure communication channels to transmit data to counterparties, ensuring confidentiality and integrity, and confirm that the recipient service provider has received the information.
Below, we explain the consequences of non-compliance with the Travel Rule and how they relate to the MiCA transitional regime.
Risks and consequences of non-compliance with the Travel Rule
Companies that fail to comply with the Travel Rule may face fines, license revocation, or even removal from the official VASP(CASP) register. National supervisory authorities in the EU have already been granted powers to impose administrative measures under Regulation (EU) 2023/1113. For example, in France, violators may be sanctioned by the AMF with penalties of up to €5 million or 10% of annual turnover. In Germany, BaFin has the authority to suspend operations and demand AML process restructuring. In addition, repeated or intentional non-compliance may be treated as a violation of anti-money laundering laws, potentially leading to criminal prosecution of company executives.
Beyond legal consequences, failure to comply with the Travel Rule can severely damage a company’s reputation. Banks and payment systems increasingly require VASPs to adhere to international KYC/AML standards. Refusing to implement the Travel Rule may lead to disconnection from SWIFT or SEPA, freezing of crypto wallets, and termination of banking relationships. According to Notabene, the number of VASPs blocking withdrawals until recipient information is confirmed has increased by 431% year-on-year.
How companies can ensure compliance with the Travel Rule
Adapting to the Travel Rule requirements demands more than just technical solutions—it requires a deep transformation of internal processes. To minimize risks and remain compliant with regulations, Virtual Asset Service Providers (VASPs) must implement both RegTech tools and a resilient compliance framework.
Many solutions are already available on the market to simplify adherence to the Travel Rule and ensure secure data transmission between VASPs. The most widely used include:
- Notabene – a platform that enables automated data exchange with counterparties and verification via decentralized identity schemes;
- TRISA (Travel Rule Information Sharing Alliance) – an open-source protocol that facilitates standardized data sharing between participants;
- Sumsub, Shyft Network, and Sygna Bridge – integrated tools that provide KYC/KYT modules and sanctions screening capabilities.
These tools help ensure compliance with the Transfer of Funds Regulation (TFR), FATF recommendations, and MiCA, while also addressing data protection requirements under GDPR.
The role of the compliance department and internal policies
Technical tools alone are not sufficient without the support of a strong internal compliance policy. To effectively comply with the Travel Rule, companies must:
- Adapt KYC/KYT/CDD/EDD procedures based on transaction risk and national regulations;
- Train employees on updated data processing and disclosure requirements;
- Implement internal + external audit mechanisms and conduct regular compliance reviews;
- Integrate the Travel Rule into the overall AML/CFT program and reporting structure.
Regulators in the EU and the UK increasingly consider the absence of an internal Travel Rule policy to be a ground for sanctions, even when technical solutions are in place. For this reason, legal and operational infrastructures must work together in a coordinated manner.
Basic Crypto Travel Rule requirements
The Travel Rule requires VASPs to collect and transmit accurate information about the originator and beneficiary of virtual asset transfers to the counterparty, whether it is another VASP or a financial institution. This information must be transmitted either before or simultaneously with the transaction.
Obligations of the originating VASP:
- Conduct due diligence on the counterparty before transmitting any data;
- Identify the customer (the originator);
- Collect, retain, and transmit the required information after completing all necessary checks;
- Screen the beneficiary against relevant sanctions lists;
- Monitor transactions and report any suspicious activity.
Obligations of the beneficiary VASP:
- Receive and verify the accuracy and completeness of the information received from the originating VASP;
- Screen the originator against sanctions databases;
- Monitor transactions and report suspicious behavior.
The core goal of the Travel Rule is to align the virtual asset sector with the AML/CFT standards applied in traditional financial services. By gathering and exchanging such data, authorities can better detect potentially illicit activity and prevent the misuse of digital assets for criminal purposes.
Information disclosure requirements
According to FATF recommendations, jurisdictions may set a threshold for the application of the Travel Rule, typically $1,000 or €1,000. Simplified requirements apply to transactions below the threshold, while those exceeding it are subject to extended data collection.
For transactions below the threshold, VASPs must collect:
- The wallet address or a unique transaction reference number;
- The names of the originator and the beneficiary.
For transactions above the threshold, VASPs are required to collect:
- The originator’s full name;
- The originator’s account number or wallet address;
- The originator’s address, national ID number, tax identification number, or date and place of birth (to enable unique identification);
- The beneficiary’s full name;
- The beneficiary’s account number or wallet address.
FATF does not mandate a specific method of data transmission (e.g., APIі, P2P protocols, or blockchain-based solutions), allowing companies the flexibility to adopt infrastructure of their choice, provided it meets the standards of security and transparency.
How Key2Law can help your company ensure Travel Rule compliance
Implementing the Travel Rule requires a clear understanding of obligations, adaptation of internal policies, and integration of technical solutions. Errors in data transmission, improperly drafted documentation, or a lack of due diligence on counterparties can result in fines and transaction suspensions. The Key2Law team assists crypto companies in achieving compliance with the Travel Rule under the requirements of FATF, MiCA, and EU Regulation 2023/1113, covering every stage from risk assessment to full support during regulatory audits.
We develop and tailor AML/Travel Rule internal policies, advise on the selection of Travel Rule Data Exchange solutions, and assist in the legal structuring of relationships with counterparties and clients. In addition, our experts provide defense and representation before national and European regulators, including the preparation of explanations, justifications, and responses to supervisory inquiries.
By working with Key2Law, you gain more than advice, you gain a strategic partner committed to guiding your company through the compliance process with minimal risk. Contact us today to receive personalized guidance on implementing the Travel Rule in your organization.