Learn what the controversial Travel Rule is, the difficulties countries may face with its incorporation, why you need to get ready for its widespread implementation, and how it’s different from the US FinCEN’s Travel Rule.
In 2019, the Financial Action Task Force (FATF), a global anti-money laundering watchdog, published updated recommendations, one of which requires VASPs and financial institutions engaged in virtual asset (VA) transfers to collect and share the personal data of senders and recipients in transactions. This is stated in Recommendation 16, commonly referred to as the “Travel Rule” in relation to VA transfers.
Initially, the Travel Rule only applied to financial institutions; however, in 2019, the FATF expanded its recommendation to include VASPs. A VASP is a term used by the FATF to include any natural or legal person who as a business conducts one or more of the following activities for or on behalf of another natural or legal person:
At the same time, different countries use different terms to define crypto service providers. Some alternative terms to VASPs include CASP (Crypto Asset Service Providers), MSB (money services businesses), DPT Service Providers, etc.
Members of the FATF and FATF-style regional bodies are already beginning to incorporate the Travel Rule into their respective anti-money laundering (AML) laws. According to an FATF Survey, 35 out of 135 responding jurisdictions reported having passed Travel Rule legislation as of April 2023, while 27 jurisdictions have begun implementing enforcement and supervisory measures. In the UK, Regulation 5 (on cryptoasset transfers) of the Money Laundering and Terrorist Financing Regulations came into force on September 1, 2023. Similar measures are expected across the European Union beginning from December 30, 2024.
This regulatory shift has jolted the crypto sector, resulting in confusion over how to implement and comply with the new FATF recommendation. In this article, we’ll go over the crypto Travel Rule’s requirements and provide some tips on how businesses can ensure compliance effectively.
The Travel Rule is a term used to refer to FATF Recommendation 16, which covers measures to combat money laundering and terrorism financing (ML/TF).
It requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before the transaction.
Because the personal data of the transacting parties ‘travels’ with their transfers, the regulation was dubbed the “Travel Rule”.
The FATF recommends that countries adopt a de minimis threshold of 1,000 USD/EUR for VA transfers, while keeping in mind that VA transfers below the threshold would carry comparatively fewer requirements than those above it.
For VA transfers under the threshold, VASPs must collect:
Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.
For transfers exceeding the threshold, VASPs must collect:
Recommendation 16 applies to VASPs whenever their transactions, whether in fiat currency or virtual assets (VA), involve either:
While the transfer of personal data between financial institutions has been a long-established process, it is still a relatively new requirement for the crypto industry—one that entails building an unprecedented communication network between crypto platforms.
Implementation of the Travel Rule has been slow because of the many questions it raises. Some of these issues include:
The FATF requires all jurisdictions to impose the Travel Rule on:
According to the FATF, a company is considered a VASP if it provides the following services:
Under certain conditions, decentralized services (DeFi) and other P2P platforms may also be considered VASPs and are therefore obliged to comply with the FATF Travel Rule.
The definition of VASP may also differ depending on the jurisdiction, since the FATF’s definitions and recommendations are not mandated. However, many FATF member states—including the US, South Korea, and Singapore, among others—have implemented the crypto Travel Rule in their national legislation in one form or another.
Sanctions: If a business operating in a jurisdiction where the Travel Rule is implemented fails to comply, it could face local regulatory sanctions. For example, in Estonia “the penalty for failure by an executive or employee of a provider of virtual currency service to ascertain or verify any information relating to a payer, or for providing the service outside of a business relationship (…) is a fine of up to 300 fine units. The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.”
The Travel Rule’s main requirements are:
In short, a company needs to introduce two solutions to stay compliant: one for collecting data and another for sharing it. Luckily, the FATF does not dictate the specific method or technology companies can use for sharing data—it is up to the discretion of each individual company.
Here is our take on the most efficient approach to Travel Rule compliance.
In most cases, companies already have a client’s personal data by the time a transaction occurs, thanks to previous KYC processes.
But, if a company doesn’t conduct KYC checks, it should consider a regular KYC process to remain compliant with the crypto Travel Rule. And when doing the transfer, the company must remember to collect additional data about its clients (e.g., customer identification number, or date and place of birth).
Regardless of the data collection/sharing technology it chooses, a company must also ask customers to fill in the name and account number of the individual they want to send money to.
The most efficient way to manage these processes is to find a KYC and crypto transaction monitoring tool that:
So you’ve collected the relevant personal data. How do you securely transfer it to another financial institution or crypto business?
To quickly recap, the Travel Rule requires VASPs to share the personal information of a transaction’s sender and recipient with other financial businesses or VASPs. Since the FATF does not advise the use of any specific data sharing technology, there is no single protocol or network for data transfer. That is why a number of networks for encrypted data transfers already exist, including OpenVASP, Shyft, and Trisa. But there are still issues associated with these networks, like protocol compatibility, which is why combining a data gathering solution and data sharing solution will ensure that businesses can stay compliant with the crypto Travel Rule.
In June 2023, Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Text with EEA relevance) entered into force. It will be applied from December 30, 2024, and it will highly impact all Crypto Asset Service Providers (CASPs) in the Union. The goal of the new document is to harmonize the Travel Rule across all EU members.
Some of the highlights of the newly approved regulation include:
De minimis threshold:
1) Information on the originator:
(a) the name of the originator
(b) the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction
(c) the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology
(d) the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth
(e) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.
2) Information on the beneficiary:
(a) the name of the beneficiary
(b) the beneficiary’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the beneficiary’s crypto-asset account number, where such an account exists and is used to process the transaction
(c) the beneficiary’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology
(d) subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the beneficiary.
The same rules are applied in case of a transfer of crypto-assets made from a self-hosted address in relation to the crypto-asset service provider of the beneficiary.
Refer to this table for further details on how the Travel Rule will be applied across the European Union.
In Singapore, the Travel Rule was implemented on January 28, 2020.
Some of the highlights of the regulation include:
De minimis threshold
SGD 1,500. Even if the transaction is less than SGD 1,500, certain data must still be transferred as described below.
(a) identify the value transfer originator and take reasonable measures to verify the value transfer originator’s identity, as the case may be (if the payment service provider has not already done so); and
(b) record adequate details of the value transfer so as to permit its reconstruction, including but not limited to, the date of the value transfer, the type and value of digital payment token(s) transferred and the value date.
1. Value transfers below or equal to SGD 1,500
(a) the name of the value transfer originator
(b) the value transfer originator’s account number (or unique transaction reference number where no account number exists)
(c) the name of the value transfer beneficiary; and
(d) the value transfer beneficiary’s account number (or unique transaction reference number where no account number exists).
2. Value transfers exceeding SGD 1,500
(a) the name of the value transfer originator;
(b) the value transfer originator’s account number (or unique transaction reference number where no account number exists);
(c) the name of the value transfer beneficiary; and
(d) the value transfer beneficiary’s account number (or unique transaction reference number where no account number exists).
and any of the following:
(a) the value transfer originator’s residential, registered, or business address, and if different, principal place of business, as may be appropriate;
(b) the value transfer originator’s unique identification number (such as an identity card number, birth certificate number or passport number, or where the value transfer originator is not a natural person, the incorporation number or business registration number); or
(c) the date and place of birth, incorporation or registration of the value transfer originator (as may be appropriate).
(a) when to execute, reject, or suspend a value transfer lacking required value transfer originator or value transfer beneficiary information; and
(b) the appropriate follow-up action.
Refer to our Travel Rule table on Singapore to learn more
The UK has recently adopted the Travel Rule requirement in its regulation of crypto asset service providers. The requirement came into force on September 1, 2023.
De minimis threshold
In the UK, there is no de minimis threshold. Therefore, information should be transferred regardless of the transaction amount. For certain transactions equal to or exceeding 1,000 euros, there are some additional requirements.
As a rule, VASPs (cryptoasset exchange providers and custodian wallet providers in the UK) have to take the following steps to comply with the Travel Rule:
1) In respect of an inter-cryptoasset business transfer, the originating VASP must ensure that it is accompanied by the following information:
If the beneficiary VASP requests additional information about the sender, the originating VASP should also transfer the following information within 3 days, provided each VASP is conducting business in the United Kingdom:
(a) if the originator is a firm—
(b) if the originator is an individual, one of the following:
If a beneficiary VASP is carrying out business outside the United Kingdom and the transaction is equal to or exceeding 1,000 euros in value, the originating VASP should ensure that the transfer is accompanied by all the information specified in paragraph 1.
2) Information relating to the originator must be verified by the originating VASP using documents or a reliable source independent of the person whose identity is being verified.
3) When a beneficiary VASP receives a crypto-asset as part of an inter-cryptoasset business transfer, it must, before making the crypto-asset available to the beneficiary, check whether:
(a) it has received the information required by regulation to be provided; and
(b) the information relating to the beneficiary corresponds with information verified by it during customer due diligence.
4) A cryptoasset business involved in an unhosted wallet transfer may request from its customer (whether the originator or the beneficiary):
(a) the information specified in clauses A, B, C from paragraph 1 if not already collected; and
(b) where the unhosted wallet transfer is equal to or exceeds the equivalent in cryptoassets of 1,000 euros in value (taken together with any other cryptoasset transfer which appears to be linked), and where its customer is the beneficiary, the information specified in clauses A and B above in respect of the originator.
4) Where the beneficiary VASP becomes aware that any information required to be provided by the regulations is missing or does not correspond, it must:
(i) to delay making the cryptoasset available to the beneficiary until the information is received or any discrepancy is resolved; and
(ii) if the information is not received or if any discrepancy is not resolved within a reasonable time, to return the cryptoasset to the cryptoasset business of the originator.
5) The beneficiary VASP must report repeated failure by a crypto-asset business to provide any information required as well as any steps the crypto-asset business of the beneficiary has taken in respect of such failures to the FCA.
6) A crypto-asset business must respond fully and without delay to a request in writing from a law enforcement authority for any information in connection to these requirements.
Refer to the UK crypto regulations guide to get further details on how to comply with the Travel Rule in the UK
In Canada, the Travel Rule was implemented on June 1, 2021.
De minimis threshold
1) Financial entities, money service businesses, and foreign money service businesses must include Travel Rule information when they send virtual currency (VC) transfers, and must take reasonable measures to ensure that this information is included when they receive VC transfers which require a VC record to be kept.
Required Travel Rule information for VC transfers:
2) If the entity receives a VC transfer that should include Travel Rule information but does not, it must take reasonable measures to obtain that information. These reasonable measures should be outlined in the policies and procedures.
Each entity must also develop in writing and apply risk-based policies and procedures for determining what to do when, after taking reasonable measures, it was unable to obtain Travel Rule information. Its policies and procedures must address under which circumstances it allows, suspends, or rejects the transaction, and outline any follow-up measures it will take.
Refer to this table for details on how to comply with the Travel Rule in Canada
The Crypto Travel Rule is not yet mandated in the Netherlands. However, the European Union is planning to harmonize the Travel Rule across all its members by the end of 2024.
However, at the moment, crypto companies in the Netherlands have to comply with other AML requirements implied by the Money Laundering and Terrorist Financing Prevention Act (Wwft). In 2020, the Wwft was amended to introduce rules arising from the European law—the 5th Anti-Money Laundering Directive (AMLD5).
Moreover, according to the Wwft, anyone who offers professional or commercial services in or from the Netherlands for the exchange between virtual currencies and fiat currencies or custodian wallets must register with the Dutch National Bank (DNB).
In Switzerland, the Travel Rule was implemented on January 1, 2020.
De minimis threshold
1) The originator’s financial intermediary must share the following data.
Data about the originator:
Data about the beneficiary:
2) The financial intermediary shall ensure that the details of the originator are accurate and complete and that the details of the beneficiary are complete.
3) The financial intermediary must identify the contracting party (client) if a transaction with a virtual currency (or several such transactions that appear to be linked to each other) reaches or exceeds the amount of 1000 francs, provided that these transactions do not constitute transfers of money and value and there is no permanent business relationship associated with these transactions.
In the case of cash payments or the acceptance of other anonymous means of payment for the sale or purchase of virtual currencies, it takes technical precautions to avoid exceeding the threshold referred to in paragraph 1 by interconnected transactions within 30 days.
It may waive the identification of the contracting party if it has carried out further transactions for the same contracting party and has ensured that the contracting party is the person who has already been identified in the first transaction.
It must identify the contracting party in any case if there are suspicions of possible money laundering or terrorist financing. According to FINMA Guidance, the financial intermediary receiving this information then has the opportunity to check the name of the sender against sanction lists.
4) The financial intermediary informs the client in an appropriate manner about the disclosure of his or her details in payment transactions.
5) As long as an institution supervised by FINMA is not able to send and receive the information required in payment transactions, such transactions are only permitted from and to external wallets if these belong to one of the institution’s own customers. Their ownership of the external wallet must be proven using suitable technical means. Transactions between customers of the same institution are permissible. A transfer from or to an external wallet belonging to a third party is only possible if the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner, and proven the third party’s ownership of the external wallet using suitable technical means.
If the customer is conducting an exchange (fiat-to-virtual currency, virtual-to-fiat currency, or virtual-to-virtual currency) and an external wallet is involved in the transaction, the customer’s ownership of the external wallet must also be proven using suitable technical means. If such proof is not available, the above rules for payment transactions apply.
6) The beneficiary’s financial intermediary decides whether it should return the payment in the event of discrepancies.
The beneficiary’s financial intermediary shall define how to proceed upon reception of payment orders containing incomplete information of the client (originator) or beneficiary. The financial intermediary shall take a risk-based approach.
The Travel Rule is not yet mandated in Australia.
Under the current regime, only financial institutions such as banks are required to include payer information for electronic transfers of fiat currency, and they are not required to include payee information.
Reforms could implement the Travel Rule for remitters and digital currency exchange providers, requiring payer and payee information for transfers on behalf of customers to other businesses.
Recently, Australia held a public consultation regarding changes in regulations, including the Travel Rule. A change in legislation may be expected after the consultation.
However, digital currency exchange (DCE) providers have to comply with the country’s AML/CTF regulations, including the Anti-Money Laundering and Counter-Terrorism Financing Amendment Act 2017.
Also, crypto exchange providers must register with the Australian Transaction Reports and Analysis Centre (AUSTRAC).
In Estonia, the Travel Rule was implemented on March 15, 2022.
The rule applies to transactions, exchanges or transfers of virtual currency.
De minimis threshold
No de minimis threshold
1) The initiator’s VASP ascertains the identity of each customer and collects the following data in relation to the initiator:
About the initiator:
1) For a natural person:
2) For a legal person:
The initiator’s VASP also collects the following data in respect of the virtual currency or recipient of the transfer:
About the recipient:
– the transaction initiator’s VASP ensures the monitoring of the transactions in real time and risk analysis in respect of each transaction using an appropriate technical solution, and
– the provider preserves the particulars by a method that allows them to be produced without delay when a corresponding request is made by a regulatory enforcement, supervisory, oversight, or investigative authority.
Refer to this table for further details on how to comply with the Travel Rule in Estonia
In South Korea, the Travel Rule was implemented on March 25, 2022.
De minimis threshold
KRW 1 million or more
In case of a request by the commissioner of the Korea Financial Intelligence Unit (KoFIU) or a virtual asset business operator to whom virtual assets are transferred, the customer’s resident registration number (referring to the corporate registration number in the case of a corporation) or passport number/foreigner registration number (applicable only to foreigners) should be provided.
According to an FSC press release, unlike domestic VASPs, overseas VASPs are not bound by or prepared to implement the Travel Rule. Thus, after consulting with the virtual asset industry, transfers of virtual assets to overseas VASPs will take place only after confirming that the sender and receiver are the same person and when there are low risks of money laundering via overseas VASPs.
Please refer to this table for details on how to comply with the Travel Rule in South Korea
You can also check out The New Crypto Regulations in South Korea: How to Prepare for the Changes [Updated October 2021]
In 1996, the US Financial Crimes Enforcement Network (FinCEN), under the Bank Secrecy Act (BSA), introduced a rule similar to FATF Recommendation 16 for financial institutions operating within its jurisdiction.
Initially, this rule applied to traditional money only, but in 2019 FinCEN confirmed that the BSA Travel Rule would also apply to VASPs, which in the US are called money-services businesses (MSBs) or money transmitters.
Therefore, the FinCEN rule served as the foundation for the FATF Travel Rule. Although both Travel Rules appeared at different times, the FATF recommendation can be applied by any country worldwide. The US Travel Rule is a national interpretation of this requirement and has its own specifics.
Like the FATF Travel Rule, the FinCEN Travel Rule requires financial institutions and VASPs to collect and exchange information on a transaction’s originator and beneficiary. VASPs are also required by the US to confirm that crypto transactions do not originate from and are not sent to sanctioned countries or companies.
However, the FinCEN Travel Rule has a different threshold. Only transfers equal to or greater than 3,000 USD—including any foreign equivalent and VA—are subject to this rule, regardless of whether currency is involved. In 2020, financial regulators in the US—the Board of Governors of the Federal Reserve System, FinCEN, and the Treasury—proposed that the BSA be modified to reduce the general Travel Rule threshold from $3,000 to $250 for international transfers; however, the amendments have yet to be enacted.
As many of the following items as are received with the transmittal order:
This is a requirement for VASPs to identify whether they are transacting with another VASP (rather than a private wallet), as well as confirm whether this VASP counterparty is registered or licensed in its jurisdiction and has sufficient AML/CFT supervision. There is still no specified approach to this check, which is why only a few countries (including Liechtenstein and Mauritius) explicitly prescribe the requirement to verify and evaluate counterparties.
Recommendation 16 does not apply in full to VA transfers between a VASP and a non-obliged entity (i.e., an unhosted wallet). Many jurisdictions are still deciding what approach to take in such cases. Most countries have decided to follow the approach outlined in the FATF’s Updated Guidance, requiring VASPs to collect relevant beneficiary information on unhosted wallets from their own customers.
The FATF summarizes the main challenges that obstruct Travel Rule implementation:
The FATF takes a technology-neutral approach and doesn’t prescribe a particular technology or software that providers should deploy to comply with Recommendation 16. Many Travel Rule solutions are currently implemented only within specific countries, rather than globally or across regions. In addition, some solutions are compatible only with certain virtual assets, or require approval of participating VASPs and their counterparties—by solution providers or a third party—in order to transmit Travel Rule information.
In 2020, the FATF underscored the need for various technical solutions to be interoperable, with sufficient control mechanisms to take care of data sharing, storage, and security. The first step in this interoperability process is to create global messaging standards, which may be fragmented by different jurisdictional rules for data privacy and protection (such as the EU’s problematic GDPR legislation), online security, and AML/CFT requirements.
The Travel Rule requirements are enforced at a different pace across jurisdictions. This means that one VASP may be Travel Rule-obligated while its cross-border counterparty may not be. Therefore, some jurisdictions introduce temporary flexibility for domestic requirements or provide guidance to domestic VASPs on dealing with situations where counterparties are unlicensed, unregistered, or unable to share Travel Rule data.
VASPs should be able to identify whether they are transacting with another VASP rather than a private wallet. They also need to confirm whether their VASP counterparty is registered or licensed in its jurisdiction and has sufficient AML/CFT supervision. However, there is no single approach to this issue.
One of the main challenges for Travel Rule implementation is choosing a suitable solution. Here’s what a proper solution should cover:
To ease compliance with FATF and local requirements, our experts have prepared a checklist of things to take into account when choosing a Travel Rule solution:
To learn more about the FATF Travel Rule, download our complete guide prepared by Sumsub’s Compliance Team. It provides an overview of the current regulatory landscape and implementation challenges.
The Travel Rule is a key AML/CFT measure which mandates that VASPs obtain, hold, and exchange information about the originators and beneficiaries of virtual asset transfers. This enables financial institutions and VASPs to conduct sanctions screening and detect suspicious transactions so that any necessary measures can be taken.
The application of the FATF’s wire transfer requirements (Recommendation 16) in the VA context is called the “Travel Rule” because the personal data of the transacting parties ‘travels’ along with their transfers.
The FATF Travel Rule requires financial institutions engaged in VA transfers and crypto companies—collectively referred to as VASPs—to obtain “required and accurate originator information, and required beneficiary information” and share it with counterparty VASPs or financial institutions during or before transactions. The details depend on the jurisdiction.
The FATF’s Travel Rule requires VASPs, along with other financial institutions, to share relevant originator and beneficiary information from virtual asset transactions, with the aim of preventing money laundering, terrorist financing, and other fraud activity. The Travel Rule applies to VASPs whenever their transactions, whether in fiat currency or virtual asset, involve either:
The Travel Rule threshold is a transaction threshold. The FATF recommends a de minimis threshold of 1,000 USD/EUR. However, it should be noted that countries can establish their own threshold or forego one altogether. Therefore, there can be different cases: