Jan 08, 2024

What is the FATF Travel Rule? The Ultimate Guide to Compliance (2024)

Learn what the controversial Travel Rule is, the difficulties countries may face with its incorporation, why you need to get ready for its widespread implementation, and how it’s different from the US FinCEN’s Travel Rule.

In 2019, the Financial Action Task Force (FATF), a global anti-money laundering watchdog, published updated recommendations, one of which requires virtual asset service providers (VASPs) and financial institutions engaged in virtual asset (VA) transfers to collect and share the personal data of senders and recipients in transactions. This is stated in Recommendation 16, commonly referred to as the “Travel Rule” in relation to VA transfers.

Initially, the Travel Rule only applied to financial institutions; however, in 2019, the FATF expanded its recommendation to include VASPs. A VASP is a term used by the FATF to include any natural or legal person who as a business conducts one or more of the following activities for or on behalf of another natural or legal person:

  • exchange between virtual assets and fiat currencies;
  • exchange between one or more forms of virtual assets;
  • transfer of virtual assets;
  • safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

At the same time, different countries use different terms to define crypto service providers. Some alternative terms to VASPs include CASP (Crypto Asset Service Providers), MSB (money services businesses), DPT Service Providers, etc.  

Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. According to an FATF Survey, 35 out of 135 responding jurisdictions reported having passed Travel Rule legislation as of April 2023, while 27 jurisdictions have begun implementing enforcement and supervisory measures. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations came into force on September 1, 2023. Similar measures are expected across the European Union beginning from December 30, 2024.

This regulatory shift has jolted the crypto sector, resulting in confusion over how to implement and comply with the new FATF recommendation. In this article, we’ll go over the crypto Travel Rule’s requirements and provide some tips on how businesses can ensure compliance effectively.

What is the FATF Travel Rule

The Travel Rule is a term used to refer to FATF Recommendation 16, which covers measures to combat money laundering and terrorism financing (ML/TF).

It requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.

Because the personal data of the transacting parties ‘travels’ with their transfers, the regulation was dubbed the “Travel Rule”.

The FATF recommends that countries adopt a de minimis threshold of 1,000 USD/EUR for VA transfers, with comparatively fewer requirements for VA transfers below the threshold than for those above it.

For VA transfers under the threshold, VASPs must collect:

  • The name of the originator (sender) and the beneficiary (recipient)
  • The VA wallet address for each or a unique transaction reference number

Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

For transfers exceeding the threshold, VASPs must collect:

  • Originator’s name 
  • Originator’s account number for the account used to process the transaction (e.g., wallet address)
  • Originator’s physical (geographical) address; national identity number; customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution; or date and place of birth
  • Beneficiary’s name 
  • Beneficiary’s account number for the account used to process the transaction (e.g., wallet address)

How a Travel Rule solution works

Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual assets (VA), involve either: 

  • A traditional wire transfer
  • A VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other financial institution)
  • A VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet). This is a special case, as the FATF does not expect that VASPs, when originating a VA transfer, should submit the required information to individuals who are not obliged entities (e.g., to an unhosted wallet).

While the transfer of personal data between financial institutions has been a long-established process, it is still a relatively new requirement for the crypto industry—one that entails building an unprecedented communication network between crypto platforms.

Issues with the Travel Rule

Implementation of the Travel Rule has been slow because of the many questions it raises. Some of these issues include:

  • The “sunrise issue”, an analogy wherein one VASP wants to tell another VASP about a sunrise it’s experiencing, but the second VASP has yet to experience a sunrise at all. This exchange about the sunrise is an analogy for the miscommunication that can arise between VASPs if one hasn’t implemented the Travel Rule.  
  • Different approaches to crypto Travel Rule requirements, such as de minimis thresholds, data privacy issues, approaches to transactions with unlicensed/unregistered and unhosted wallets
  • Determining an appropriate technological solution, or a combination of solutions, to meet FATF and local compliance obligations

Who is affected

The FATF requires all jurisdictions to impose the Travel Rule on:

  1. Financial institutions, such as banks, that are engaged in VA transfers 
  2. VASPs

According to the FATF, a company is considered a VASP if it provides the following services:

  • Exchange between virtual assets and fiat currencies
  • Exchange between one or more forms of virtual assets 
  • Transfer of virtual assets
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset 

Under certain conditions, decentralized services (DeFi) and other P2P platforms may also be considered VASPs and are therefore obliged to comply with the FATF Travel Rule.

The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. However, many FATF member states—including the US, South Korea, and Singapore, among others—have implemented the crypto Travel Rule in their national legislation in one form or another.

Sanctions: If a business operating in a jurisdiction where the Travel Rule is implemented fails to comply, it could face local regulatory sanctions. For example, in Estonia “the penalty for failure by an executive or employee of a provider of virtual currency service to ascertain or verify any information relating to a payer, or for providing the service outside of a business relationship (…) is a fine of up to 300 fine units. The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.”

How to comply

The Travel Rule’s main requirements are:

  • To conduct due diligence of the counterparty before sharing data
  • For originating VASP:
    • Identify its client (originator)
    • Obtain the necessary information from the originator, retain a record and share the information with the beneficiary VASP after all checks
    • Screen to confirm that the beneficiary is not a sanctioned name
    • Monitor transactions and report when they raise suspicion 
  • For beneficiary VASP:
    • Obtain the necessary information from the originator’s VASP, verify the accuracy and consistency of the necessary information, and retain a record
    • Screen to confirm that the originator is not a sanctioned name
    • Monitor transactions and report when they raise suspicion

In short, a company needs to introduce two solutions to stay compliant: one for collecting data and another for sharing it. Luckily, the FATF does not dictate the specific method or technology companies can use for sharing data—it is up to the discretion of each individual company.

Here is our take on the most efficient approach to Travel Rule compliance.

Obtaining sender and recipient information

In most cases, companies already have a client’s personal data by the time a transaction occurs, thanks to previous KYC processes.

However, if a company doesn’t conduct KYC checks, it should consider introducing a regular KYC process to remain compliant with the crypto Travel Rule. When processing a transfer, the company must also remember to collect additional data about its clients (e.g., customer identification number, or date and place of birth).

Regardless of the data collection/sharing technology it chooses, a company must also ask customers to fill in the name and account number of the individual they want to send money to.

The most efficient way to manage these processes is to find a KYC and crypto transaction monitoring tool that:

  • Ensures comprehensive AML compliance: There are plenty of other AML requirements besides or accompanying the Travel Rule, such as the requirement to verify customers at onboarding and to conduct sanctions screenings of both the originator and beneficiary. An automated KYC/AML solution can help with this while reducing costs and the possibility of human error.
  • Conducts transaction checks: Providers can verify that a client’s assets aren’t coming from criminal sources, such as darknet marketplaces, fraudulent exchanges, or mixing services (services that conceal one’s identity).
  • Ensures compliance with data protection laws: Now that crypto companies must collect personal data, they fall under data protection regulations like GDPR, CCPA, and other national and local laws. A GDPR-compliant KYC/AML solution is a safe bet for companies wanting to keep up and remain compliant.

So you’ve collected the relevant personal data. How do you securely transfer it to another financial institution or crypto business?

Data sharing

To quickly recap, the Travel Rule requires VASPs to share the personal information of a transaction’s sender and recipient with other financial businesses or VASPs. Since the FATF does not advise the use of any specific data sharing technology, there is no single protocol or network for data transfer. That is why a number of networks for encrypted data transfers already exist, including OpenVASP, Shyft, and Trisa. But there are still issues associated with these networks, like protocol compatibility, which is why combining a data gathering solution and data sharing solution will ensure that businesses can stay compliant with the crypto Travel Rule.

Travel Rule worldwide

European Union 🇪🇺

In June 2023, Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Text with EEA relevance) entered into force. It will apply from December 30, 2024, and will significantly affect all Crypto Asset Service Providers (CASPs) in the Union. The goal of the new regulation is to harmonize the Travel Rule across all EU members.

Some of the highlights of the newly approved regulation include:

De minimis threshold:

  • There is no de minimis threshold, as the Travel Rule is applied to all transactions regardless of the amount.

Requirements:

  • The CASP should carry out due diligence of its counterparty.
  • Before transferring crypto-assets, the CASP of the originator must verify the accuracy of the information about the originator on the basis of documents, data, or information obtained from a reliable and independent source.
  • The crypto-asset service provider of the originator shall ensure that transfers of crypto-assets are accompanied by information on the originator and beneficiary: 

1) Information on the originator:

(a) the name of the originator

(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction

(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology

(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth

(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.

2) Information on the beneficiary:

(a) the name of the beneficiary

(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction

(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology

(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.

  • In the case of a transfer of crypto-assets made to a self-hosted address, the crypto-asset service provider of the originator shall obtain and hold the information specified above and shall ensure that the transfer of crypto-assets can be individually identified.
  • In the case of a transfer of an amount exceeding EUR 1,000 to a self-hosted address, the crypto-asset service provider of the originator shall take adequate measures to assess whether that address is owned or controlled by the originator.

The same rules are applied in case of a transfer of crypto-assets made from a self-hosted address in relation to the crypto-asset service provider of the beneficiary.

  • The crypto-asset service provider of the beneficiary shall implement effective procedures, including, where appropriate, monitoring during or after the transfers, in order to detect whether the information on the originator and the beneficiary is included in, or follows, the transfer or batch file transfer of crypto-assets.
  • Before making crypto-assets available to the beneficiary, the crypto-asset service provider of the beneficiary shall verify the accuracy of the information on the beneficiary, on the basis of documents, data, or information obtained from a reliable and independent source.
  • The crypto-asset service provider of the beneficiary shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis, for determining whether to execute or reject a transfer of crypto-assets lacking the required complete originator and beneficiary information and for taking the appropriate follow-up action. 
  • The crypto-asset service provider of the beneficiary shall take into account missing or incomplete information on the originator or the beneficiary when assessing whether a transfer of crypto-assets, or any related transaction, is suspicious and whether it is to be reported to the FIU in accordance with Directive (EU) 2015/849.

Refer to this table for further details on how the Travel Rule will be applied across the European Union.

Singapore 🇸🇬

In Singapore, the Travel Rule was implemented on January 28, 2020. 

Some of the highlights of the regulation include:

De minimis threshold

SGD 1,500. Even if the transaction is less than SGD 1,500, certain data must still be transferred as described below.

Requirements

  • Before effecting a value transfer, every DPT service provider that is an ordering institution shall:

(a) identify the value transfer originator and take reasonable measures to verify the value transfer originator’s identity, as the case may be (if the payment service provider has not already done so); and

(b) record adequate details of the value transfer so as to permit its reconstruction, including but not limited to, the date of the value transfer, the type and value of digital payment token(s) transferred and the value date.

  • The ordering institution shall transfer the following required information to its counterparty depending on the transaction amount: 

1. Value transfers below or equal to SGD 1,500

(a) the name of the value transfer originator

(b) the value transfer originator’s account number (or unique transaction reference number where no account number exists)

(c) the name of the value transfer beneficiary; and

(d) the value transfer beneficiary’s account number (or unique transaction reference number where no account number exists).

2. Value transfers exceeding SGD 1,500

(a) the name of the value transfer originator;

(b) the value transfer originator’s account number (or unique transaction reference number where no account number exists);

(c) the name of the value transfer beneficiary; and

(d) the value transfer beneficiary’s account number (or unique transaction reference number where no account number exists).

and any of the following:

(a) the value transfer originator’s residential, registered, or business address, and if different, principal place of business, as may be appropriate;

(b) the value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number); or

(c) the date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate).

  • A payment service provider (DPT service provider) should monitor payment messages to and from higher risk countries or jurisdictions, as well as transactions with higher risk countries or jurisdictions, and suspend or reject payment messages or transactions with sanctioned parties or countries or jurisdictions. 
  • A payment service provider (DPT service provider) that is a beneficiary institution shall take reasonable measures, including post-event monitoring or real-time monitoring where feasible, to identify value transfers that lack the required value transfer originator or required value transfer beneficiary information.
  • A payment service provider (DPT service provider) that is a beneficiary institution shall implement appropriate internal risk-based policies, procedures, and controls for determining:

(a) when to execute, reject, or suspend a value transfer lacking required value transfer originator or value transfer beneficiary information; and

(b) the appropriate follow-up action.

  • The DPT service provider should apply appropriate enhanced risk mitigation measures when the counterparty does not fall within the definition of an “ordering institution” or a “beneficiary institution”.

Refer to our Travel Rule table on Singapore to learn more

UK 🇬🇧

The UK has recently adopted the Travel Rule requirement in its regulation of crypto asset service providers. The requirement came into force on September 1, 2023.

De minimis threshold

In the UK, there is no de minimis threshold. Therefore, information should be transferred regardless of the transaction amount. For certain transactions equal to or exceeding 1,000 euros, there are some additional requirements.

Requirements

As a rule, VASPs (cryptoasset exchange providers and custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:

1) In respect of an inter-cryptoasset business transfer, the originating VASP must ensure that it is accompanied by the following information: 

(a) the name of the originator and the beneficiary

(b) if the originator or beneficiary is a firm, the registered name of the originator or beneficiary or, if there is no registered name, the trading name

(c) the account number of the originator and the beneficiary, or if there is no account number, the unique transaction identifier.

If the beneficiary VASP requests additional information about the sender, the originating VASP should also transfer the following information within 3 days, provided each VASP is conducting business in the United Kingdom:

(a) if the originator is a firm—

  • the customer identification number or
  • the address of the originator’s registered office or, if there is none, its principal place of business

(b) if the originator is an individual, one of the following:

  • the customer identification number
  • the individual’s address
  • the individual’s birth certificate number, passport number, or national identity card number
  • the individual’s date and place of birth.

If a beneficiary VASP is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating VASP should ensure that the transfer is accompanied by all the information specified in paragraph 1.  

2) Information relating to the originator must be verified by the originating VASP using documents or a reliable source independent of the person whose identity is being verified. 

3) When a beneficiary VASP receives a crypto-asset as part of an inter-cryptoasset business transfer, it must, before making the crypto-asset available to the beneficiary, check whether:

(a) it has received the information required by regulation to be provided; and

(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.

4) A cryptoasset business involved in an unhosted wallet transfer may request from its customer (whether the originator or the beneficiary):

(a) the information specified in clauses A, B, C from paragraph 1 if not already collected; and

(b) where the unhosted wallet transfer is equal to or exceeds the equivalent in cryptoassets of 1,000 euros in value (taken together with any other cryptoasset transfer which appears to be linked), and where its customer is the beneficiary, the information specified in clauses A and B above in respect of the originator.

5) Where the beneficiary VASP becomes aware that any information required to be provided by the regulations is missing or does not correspond, it must:

  • request that the originating VASP provides the missing information;
  • consider whether to make enquiries as to any discrepancy between information received and information verified during the CDD process.

(i) to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy is resolved; and

(ii) if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator.

6) The beneficiary VASP must report repeated failure by a crypto-asset business to provide any information required as well as any steps the crypto-asset business of the beneficiary has taken in respect of such failures to the FCA.

7) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.

Refer to the UK crypto regulations guide to get further details on how to comply with the Travel Rule in the UK

Canada 🇨🇦

In Canada, the Travel Rule was implemented on June 1, 2021.

De minimis threshold

CAD 1,000

Requirements

1) Financial entities, money service businesses, and foreign money service businesses must include Travel Rule information when they send virtual currency (VC) transfers, and must take reasonable measures to ensure that this information is included when they receive VC transfers which require a VC record to be kept.

Required Travel Rule information for VC transfers:

  • the name, address and the account number or other reference number (if any) of the person or entity who requested the transfer (originator information); and
  • the name, address and the account number or other reference number (if any) of the beneficiary.

2) If the entity receives a VC transfer that should include Travel Rule information but does not, it must take reasonable measures to obtain that information. These reasonable measures should be outlined in the policies and procedures.

Each entity must also develop in writing and apply risk-based policies and procedures for determining what to do when, after taking reasonable measures, it was unable to obtain Travel Rule information. Its policies and procedures must address under which circumstances it allows, suspends, or rejects the transaction, and outline any follow-up measures it will take.

Refer to this table for details on how to comply with the Travel Rule in Canada

The Netherlands 🇳🇱 

The Crypto Travel Rule is not yet mandated in the Netherlands. However, the European Union is planning to harmonize the Travel Rule across all its members by the end of 2024. 

At the moment, crypto companies in the Netherlands have to comply with other AML requirements imposed by the Money Laundering and Terrorist Financing Prevention Act (Wwft). In 2020, the Wwft was amended to introduce rules arising from the European law—the 5th Anti-Money Laundering Directive (AMLD5).

Moreover, according to the Wwft, anyone who offers professional or commercial services in or from the Netherlands for the exchange between virtual currencies and fiat currencies or custodian wallets must register with the Dutch National Bank (DNB).

Refer to the guide on crypto regulations in the Netherlands for details
You can also check out the guide on AML requirements in the Netherlands for information on how to stay AML compliant

Switzerland 🇨🇭

In Switzerland, the Travel Rule was implemented on January 1, 2020.

De minimis threshold

No threshold 

Requirements

1) The originator’s financial intermediary must share the following data.

Data about the originator:

  • Name
  • Account number (transaction-related reference number, if no account number is available)
  • Address (can be replaced by the date and place of birth, the client number or the national identity number of the client).

Data about the beneficiary:

  • Name
  • Account number (transaction-related reference number, if there is no account number).

2) The financial intermediary shall ensure that the details of the originator are accurate and complete and that the details of the beneficiary are complete.

3) The financial intermediary must identify the contracting party (client) if a transaction with a virtual currency (or several such transactions that appear to be linked to each other) reaches or exceeds the amount of 1000 francs, provided that these transactions do not constitute transfers of money and value and there is no permanent business relationship associated with these transactions.

In the case of cash payments or the acceptance of other anonymous means of payment for the sale or purchase of virtual currencies, it takes technical precautions to avoid exceeding the threshold referred to in paragraph 1 by interconnected transactions within 30 days.

It may waive the identification of the contracting party if it has carried out further transactions for the same contracting party and has ensured that the contracting party is the person who has already been identified in the first transaction.

It must identify the contracting party in any case if there are suspicions of possible money laundering or terrorist financing. According to FINMA Guidance, the financial intermediary receiving this information then has the opportunity to check the name of the sender against sanction lists.

4) The financial intermediary informs the client in an appropriate manner about the disclosure of his or her details in payment transactions.

5) As long as an institution supervised by FINMA is not able to send and receive the information required in payment transactions, such transactions are only permitted from and to external wallets if these belong to one of the institution’s own customers. Their ownership of the external wallet must be proven using suitable technical means. Transactions between customers of the same institution are permissible. A transfer from or to an external wallet belonging to a third party is only possible if the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner, and proven the third party’s ownership of the external wallet using suitable technical means.

If the customer is conducting an exchange (fiat-to-virtual currency, virtual-to-fiat currency, or virtual-to-virtual currency) and an external wallet is involved in the transaction, the customer’s ownership of the external wallet must also be proven using suitable technical means. If such proof is not available, the above rules for payment transactions apply.

6) The beneficiary’s financial intermediary decides whether it should return the payment in the event of discrepancies.

The beneficiary’s financial intermediary shall define how to proceed upon reception of payment orders containing incomplete information of the client (originator) or beneficiary. The financial intermediary shall take a risk-based approach.

Check out this table for information on record retention and other details on how to comply with the Travel Rule in Switzerland

Australia 🇦🇺 

The Travel Rule is not yet mandated in Australia. 

Under the current regime, only financial institutions such as banks are required to include payer information for electronic transfers of fiat currency, and they are not required to include payee information.

Reforms could implement the Travel Rule for remitters and digital currency exchange providers, requiring payer and payee information for transfers on behalf of customers to other businesses.

Recently, Australia held a public consultation regarding changes in regulations, including the Travel Rule. A change in legislation may be expected after the consultation.

However, digital currency exchange (DCE) providers have to comply with the country’s AML/CTF regulations, including the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017.

Also, crypto exchange providers must register with the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Estonia 🇪🇪

In Estonia, the Travel Rule was implemented on March 15, 2022.

The rule applies to transactions, exchanges or transfers of virtual currency.

De minimis threshold

No de minimis threshold 

Requirements

1) The initiator’s VASP ascertains the identity of each customer and collects the following data in relation to the initiator: 

About the initiator:

1) For a natural person:

  • the person’s name
  • unique identifier of the transaction
  • identifier of the payment account or virtual currency wallet
  • the title and number of the identity document and personal identification code or date and place of birth
  • residential address.

2) For a legal person:

  • the person’s name
  • unique identifier of the transaction
  • identifier of the payment account or virtual currency wallet
  • the person’s registry code or, where it does not have one, the relevant identifier in the country of its seat (a combination of numbers or letters equivalent to a registration number);
  • the address of the seat.

The initiator’s VASP also collects the following data in respect of the virtual currency or recipient of the transfer:

About the recipient:

  1. The transaction’s unique identifier and the particulars of the payment account(s) or virtual currency wallet(s) involved in the transaction. 
  2. The transaction initiator’s virtual currency service provider transmits the particulars mentioned above to the recipient’s virtual currency service provider without delay and securely.
  3. A provider of virtual currency service must, in accordance with internal procedures established following risk analysis, lay down rules that regulate when virtual currency amounts are to be transferred back to the transaction initiator and when they are not to be made available to the transaction recipient.
  4. Where the recipient’s virtual currency wallet does not have a provider of virtual currency, or the recipient’s provider is unable to receive or process the data, the obligation of data transmission is deemed to be fulfilled if:

     – the transaction initiator’s VASP ensures the monitoring of the transactions in real time and risk analysis in respect of each transaction using an appropriate technical solution, and

     – the provider preserves the particulars by a method that allows them to be produced without delay when a corresponding request is made by a regulatory enforcement, supervisory, oversight, or investigative authority.

  5. A provider of virtual currency service must, when it recognizes the presence of increased risk and considers whether to notify the FIU of a suspicious transaction, take into account the completeness and sufficiency of the particulars concerning the transaction initiator and the recipient.

Refer to this table for further details on how to comply with the Travel Rule in Estonia.

South Korea 🇰🇷

In South Korea, the Travel Rule was implemented on March 25, 2022.

De minimis threshold

KRW 1 million or more 

Requirements

  1. A virtual asset business entity that transfers virtual assets shall provide the following information to the virtual asset business entity to which the virtual asset is transferred:
  • The name of the customer sending the virtual asset and the customer receiving the virtual asset (in the case of a corporation or organization, the name of the corporation or organization and the name of the representative).
  • Virtual asset addresses of customers who send virtual assets and customers who receive virtual assets.

In case of a request by the commissioner of the Korea Financial Intelligence Unit (KoFIU) or a virtual asset business operator to whom virtual assets are transferred, the customer’s resident registration number (referring to the corporate registration number in the case of a corporation) or passport number/foreigner registration number (applicable only to foreigners) should be provided.

According to an FSC press release, unlike domestic VASPs, overseas VASPs are not bound by or prepared to implement the Travel Rule. Thus, following consultation with the virtual asset industry, transfers of virtual assets to overseas VASPs will take place only after confirming that the sender and receiver are the same person and when there are low risks of money laundering via overseas VASPs.

Please refer to this table for details on how to comply with the Travel Rule in South Korea.
You can also check out The New Crypto Regulations in South Korea: How to Prepare for the Changes [Updated October 2021]

What is the Bank Secrecy Act Travel Rule?

In 1996, the US Financial Crimes Enforcement Network (FinCEN), under the Bank Secrecy Act (BSA), introduced a rule similar to FATF Recommendation 16 for financial institutions operating within its jurisdiction.

Initially, this rule applied to traditional money only, but in 2019 FinCEN confirmed that the BSA Travel Rule would also apply to VASPs, which in the US are called money services businesses (MSBs) or money transmitters.

Therefore, the FinCEN rule served as the foundation for the FATF Travel Rule. Although both Travel Rules appeared at different times, the FATF recommendation can be applied by any country worldwide. The US Travel Rule is a national interpretation of this requirement and has its own specifics.

Like the FATF Travel Rule, the FinCEN Travel Rule requires financial institutions and VASPs to collect and exchange information on a transaction’s originator and beneficiary. The US also requires VASPs to confirm that crypto transactions do not originate from, and are not sent to, sanctioned countries or companies.

However, the FinCEN Travel Rule has a different threshold. Only transfers equal to or greater than 3,000 USD—including any foreign equivalent and VA—are subject to this rule, regardless of whether currency is involved. In 2020, financial regulators in the US—the Board of Governors of the Federal Reserve System, FinCEN, and the Treasury—proposed that the BSA be modified to reduce the general Travel Rule threshold from $3,000 to $250 for international transfers; however, the amendments have yet to be enacted.

All transmittor’s financial institutions must include and send the following in the transmittal order:

  • The name and, if the payment is ordered from an account, the account number of the transmittor
  • The address of the transmittor
  • The amount of the transmittal order
  • The execution date of the transmittal order
  • The identity of the recipient’s financial institution

As many of the following items as are received with the transmittal order:

  • The name and address of the recipient
  • The account number of the recipient
  • Any other specific identifier of the recipient
  • Either the name and address or numerical identifier of the transmittor’s financial institution.

FATF vs BSA Travel Rule

Crypto Travel rule requirements

Regional Differences in Implementation and Enforcement of the Travel Rule 


Counterparty VASP check 

This is a requirement for VASPs to identify whether they are transacting with another VASP (rather than a private wallet), as well as to confirm whether this VASP counterparty is registered or licensed in its jurisdiction and has sufficient AML/CFT supervision. There is still no specified approach to this check, which is why only a few countries (including Liechtenstein and Mauritius) explicitly prescribe the requirement to verify and evaluate counterparties.


VA transfers with unhosted wallets or persons other than a VASP

Recommendation 16 does not apply in full to VA transfers between a VASP and a non-obliged entity (i.e., an unhosted wallet). Many jurisdictions are still deciding what approach to take in such cases. Most countries have decided to follow the approach outlined in the FATF’s Updated Guidance, requiring VASPs to collect relevant beneficiary information on unhosted wallets from their own customers.

Travel Rule compliance challenges 

The FATF summarizes the main challenges that obstruct Travel Rule implementation:

Suitability of technology solutions 

The FATF takes a technology-neutral approach and doesn’t prescribe a particular technology or software that providers should deploy to comply with Recommendation 16. Many Travel Rule solutions are currently implemented only within specific countries, rather than globally or across regions. In addition, some solutions are compatible only with certain virtual assets, or require approval of participating VASPs and their counterparties—by solution providers or a third party—in order to transmit Travel Rule information. 

Interoperability of systems 

In 2020, the FATF underscored the need for various technical solutions to be interoperable, with sufficient control mechanisms to take care of data sharing, storage, and security. The first step in this interoperability process is to create global messaging standards, which may be fragmented by different jurisdictional rules for data privacy and protection (such as the EU’s problematic GDPR legislation), online security, and AML/CFT requirements. 

“Sunrise issue” 

The Travel Rule requirements are enforced at a different pace across jurisdictions. This means that one VASP may be Travel Rule-obligated while its cross-border counterparty may not be. Therefore, some jurisdictions introduce temporary flexibility for domestic requirements or provide guidance to domestic VASPs on dealing with situations where counterparties are unlicensed, unregistered, or unable to share Travel Rule data. 

Counterparty identification requirements 

VASPs should be able to identify whether they are transacting with another VASP rather than a private wallet. They also need to confirm whether their VASP counterparty is registered or licensed in its jurisdiction and has sufficient AML/CFT supervision. However, there is no single approach to this issue.

Checklist for choosing the right Travel Rule solution 

One of the main challenges for Travel Rule implementation is choosing a suitable solution. Here’s what a proper solution should cover:

  • Identifying counterparty VASPs 
  • KYC, transaction monitoring, sanctions screening 
  • Sending and receiving customer PII to and from VASPs using various blockchain messaging protocols 
  • Storing data

To ease compliance with FATF and local requirements, our experts have prepared a checklist of things to take into account when choosing a Travel Rule solution: 

  • Compliance with regulatory requirements. The solution should meet all requirements (including verification of counterparty VASPs) and have documentation to support your compliance plan for regulators.
  • AML + Ongoing AML. The solution should help you conduct AML screening and ongoing AML monitoring to make sure you don’t miss any new sanction list appearances.
  • Transaction monitoring. The solution can verify that a client’s assets aren’t coming from criminal sources, such as darknet marketplaces, fraudulent exchanges, and more.
  • Recordkeeping. The solution should pay special attention to the integrity and availability of required information to facilitate record-keeping.
  • Data privacy. The solution securely transfers and stores data, while protecting it from unauthorized disclosure in line with national data protection laws.
  • Interoperability. The solution should be able to communicate and exchange data with counterparty VASPs using multiple messaging protocols or other tools.
  • Convenient and fast integration. The integration is convenient, time-efficient, and causes minimal friction with your existing system.
  • Capacity and scalability. The solution enables submitting a large volume of transactions to multiple destinations without interruptions.


FAQ

  • What is the Travel Rule in AML?

    The Travel Rule is a key AML/CFT measure which mandates that VASPs obtain, hold, and exchange information about the originators and beneficiaries of virtual asset transfers. This enables financial institutions and VASPs to conduct sanctions screening and detect suspicious transactions so that any necessary measures can be taken.

  • Why is the FATF Recommendation 16 called “the Travel Rule”?

    The application of the FATF’s wire transfer requirements (Recommendation 16) in the VA context is called the “Travel Rule” because the personal data of the transacting parties ‘travels’ along with their transfers.

  • What are the Travel Rule requirements?

    The FATF Travel Rule requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before transactions. The details depend on the jurisdiction.

  • What is the Travel Rule for VASPs?

    The FATF’s Travel Rule requires VASPs, along with other financial institutions, to share relevant originator and beneficiary information from virtual asset transactions, with the aim of preventing money laundering, terrorist financing, and other fraud activity. The Travel Rule applies to VASPs whenever their transactions, whether in fiat currency or virtual asset, involve either:

    • A traditional wire transfer

    • A VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI)

    • A VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet).

  • What is the Travel Rule threshold?

    The Travel Rule threshold is a transaction threshold. The FATF recommends a de minimis threshold of 1,000 USD/EUR. However, it should be noted that countries can establish their own threshold or forgo one altogether. Therefore, there can be different cases:

    • Information should be transferred only when the transaction exceeds the threshold

    • A different scope of information or less stringent requirements can apply if the transaction does not exceed the threshold

    • A country has no threshold and requires exchanging information for any amount.

    As an example of a country-specific threshold, the BSA Travel Rule in the US has a threshold of 3,000 USD.
