Same Rule, Same Problems: Will FATF’s New Travel Rule Fix the Divide?

Today we’re sitting down with Delphine Forma, an experienced compliance, legal and policy officer with a background spanning multiple countries and industries, including seven years at large banks and more than 8 years within the crypto industry, working for major crypto exchanges. She has served as a Board member of the OpenVASP Association and the Crypto Valley Association, and she founded the Crypto Compliance and Legal TG group, with now over 2,400 members. Currently, she is Head of Policy Europe at Solidus Labs. In this conversation, Delphine helps us clarify how timely and important the FATF updates are, what they may be missing, and what to expect in the future.

Just recently, in June 2025, the Financial Action Task Force (FATF) finalized updates to Recommendation 16, which governs payments and value transfers, including key refinements to the crypto Travel Rule.

To summarize for our readers, the updated FATF standards introduce clearer roles in the payment chain, which makes it explicit that responsibility begins with the financial institution receiving the customer’s instruction. The updates also standardize data requirements: for cross-border peer-to-peer payments over USD/EUR 1,000, messages must now include the sender’s name, address, and date of birth as well as the beneficiary’s name and country and town. Financial institutions must adopt technologies that protect against fraud and error, such as verification of recipients’ banking information —giving customers greater confidence that their money reaches the right destination. Last but not least, while card payments for goods and services remain exempt from full R.16 requirements, FATF has clarified what qualifies as a legitimate purchase of goods and services.

THE SUMSUBER: How timely is this measure? Why now? What does this time signal to regulators and VASPs?

DELPHINE FORMA: The FATF update to Recommendation 16 is both timely and necessary. It comes in response to increasing concerns about sanctions evasion, rising fraud typologies, and persistent fragmentation in payment systems. Regulators are pushing to bring more clarity to what qualifies as a legitimate payment for goods and services—especially in a fast-evolving digital economy. These updates reflect that the FATF’s tuned in to these realities, and they intend to make cross-border transactions more transparent.

The revisions signal FATF’s intent to enhance cross-border payment transparency and align with global priorities like the G20 roadmap for faster, cheaper, and more inclusive payments. For regulators and VASPs, this is a strong push toward greater accountability, standardization, and proactive risk mitigation across both traditional and crypto finance.

 It’s a reminder that the regulatory landscape is evolving quickly, and those who act now will be better positioned to manage risk and build trust in both traditional and digital financial ecosystems.

THE SUMSUBER: What do you see as the most significant practical impact of the FATF’s latest updates to Recommendation 16 for VASPs globally?

DELPHINE FORMA: The FATF’s recommendations do provide a global benchmark, but they are not legally binding and must be translated into domestic legislation by each jurisdiction. This process is inherently slow, especially in countries where even earlier recommendations remain only partially implemented (not to mention there are jurisdictions where legally the crypto industry is still in a gray zone).

For VASPs, one of the more immediate changes lies in a seemingly small but impactful detail: the new requirement to collect not just a beneficiary’s name, but also their country and town. It’s straightforward on paper, but complex in reality. Jurisdictions are likely to interpret and implement this rule differently, further fragmenting an already uneven compliance landscape.

This added data point introduces new layers of operational complexity and will definitely affect onboarding flows, data verification protocols, and system integration. In regions with divergent standards and data formats, what should be a standard update risks becoming a source of inconsistency and friction.

Let’s also mention the shift toward more active fraud and error detection obligations.VASPs will need to implement systems for verifying recipient data and monitoring for misdirected transfers, which marks a move from passive compliance to active transaction scrutiny. They will need to match names, country and town.

Although these updates offer clarity in certain areas, they also intensify long-standing challenges—particularly around interoperability, asynchronous implementation timelines (aka the “sunrise issue”), and the persistent difficulty of managing unhosted wallets. In the short term, I believe, cross-border compliance is likely to become more burdensome.

THE SUMSUBER: Could not agree more. The paradox is the same—it’s these long-lasting challenges you just mentioned. Despite the Travel Rule having existed for many years, and with more jurisdictions continuing to adopt it, the same problems still persist, just as they did three or five years ago. However, do you think the clarified data categories will help create a more consistent Travel Rule implementation across jurisdictions?

DELPHINE FORMA: I honestly don’t think so. The FATF’s updated guidance introduces some constructive elements, yet it does not fundamentally resolve many of the key challenges facing the industry. Implementation remains the responsibility of individual jurisdictions, each of which must decide how and to what extent they’ll translate the recommendations into national law. That process will take time, particularly where existing legal frameworks are still catching up.

The update does not address the ongoing issues of interoperability, nor does it provide a unified approach to unhosted wallets, which continue to be treated differently across jurisdictions. Some countries require proof of wallet ownership, others demand identity verification of third parties, and many leave the question open to interpretation under a risk-based model adopted by VASPs themselves.

In the same way, the revised recommendations do not resolve discrepancies around transaction thresholds, data formats, or messaging standards. These differences continue to fragment the landscape, especially in cross-border contexts. The expanded requirement for beneficiary data also makes things more complex. The Standards now require to specify the town and country—details that can introduce friction in onboarding and system integration.

That said, there is a welcome addition, which is the inclusion of structured identifiers where the originator or beneficiary is a legal person. Specifically, the FATF now encourages the use of a Business Identifier Code (BIC), Legal Entity Identifier (LEI), or another unique official identifier, where available. This is a positive step toward greater transparency and traceability in corporate transactions.

Still, the broader picture remains one of incremental change, rather than a cohesive solution. For now, what I see is the updated Standards increase the burden on VASPs to navigate divergent national rules, unclear expectations, and uneven timelines.

THE SUMSUBER: Speaking about burdens, let’s dive deeper into the Sunrise Issue. How should VASPs navigate jurisdiction-specific differences until further FATF guidance is issued?

DELPHINE FORMA: The Sunrise Issue—where some jurisdictions enforce the FATF Travel Rule while others do not—remains indeed one of the most difficult challenges for VASPs to navigate. And since the global implementation remains fragmented, VASPs are left to manage these uneven obligations through risk-based approaches tailored to local rules.

Some jurisdictions prohibit interaction with non-compliant counterparties altogether, others delegate the decision to VASPs themselves. This leads to varied responses: some may choose to allow transactions with minimal counterpart information if the risk is deemed acceptable. Others may block them outright.

When sending to a jurisdiction without the Travel Rule, VASPs might collect and verify all necessary data, even if it can’t be transmitted. When receiving funds from such jurisdictions, the bigger challenge is deciding what to do with incomplete data—especially when sanctions or financial crime risks are not apparent. This is because holding, rejecting, or returning funds can each carry operational and legal implications.

Regulators like the UK’s FCA have started to provide clear expectations: they require firms to collect and store originator and beneficiary information, even if transmission isn’t possible. When receiving a cryptoasset transfer from a jurisdiction without the Travel Rule: If the cryptoasset transfer has missing or incomplete information, UK cryptoasset businesses must consider the countries in which the VASP operates and the status of the Travel Rule in those countries. The VASP should take these factors into account when making a risk-based assessment of whether to make the cryptoassets available to the beneficiary. Other countries, however, offer less certainty, which leaves VASPs to make judgment calls based on jurisdiction, counterparty status, and available risk signals.

The FATF, of course, continues to work with public and private stakeholders through its Payment Advisory Group, but businesses and regulators need further guidance. Until then, navigating the Sunrise Issue will require not only compliance, but also careful balancing of risk, practicality, and interoperability in a still-fragmented regulatory landscape.

THE SUMSUBER: …and a provider with multiple protocols, isn’t it? Because only a solution with multiple Travel Rule protocols can mitigate the Sunrise Issue for VASPs. From a technical and operational perspective, what other changes will VASPs need to implement given the clarified payment chain scope?

DELPHINE FORMA: The first immediate step is to collect more granular information—the country and town of the beneficiary—to meet new data requirements under the revised Standards. This will allow more targeted sanctions screening reducing false positives and improve traceability and flag inconsistencies earlier in the transaction lifecycle.

Another thing is the implementation of robust fraud prevention systems, using the growing suite of tools available on the market. Use existing platforms to watch for new crypto scams.

There are platforms that offer automated contract risk analysis by evaluating newly deployed tokens for red flags like rug-pull logic, liquidity traps, or overly concentrated ownership, such as Token Sniffer. 

VASPs would also do well to integrate providers with as many Travel Rule protocols as possible, which you mentioned, as well as anti-fraud and intelligence sources into their risk assessment workflows.

Another critical area is the detection of misdirected or anomalous payments. Under the updated FATF guidance, VASPs are expected to verify that the beneficiary’s name matches the wallet or account details. This can be approached in several ways: through pre-validation tools such as Confirmation of Payee systems, by monitoring post-transfer mismatches, or via ongoing behavioral analytics that identify unusual transaction patterns over time.

These practices are not new. Neither should they be treated as optional. Many VASPs already have the technical foundation to meet these requirements—and now we see the regulatory imperative to formalize and scale these efforts.

THE SUMSUBER: With the deadline for implementation set for the end of 2030, do you believe this timeline is realistic given the scale of changes required?

DELPHINE FORMA: Yes, the required changes are manageable, it’s not a major uplift for most VASPs with mature compliance systems. But framing this as a simple fix risks understating the broader challenge. The real complexity lies in the unresolved issues: regulatory fragmentation, inconsistent implementation timelines, and fundamental questions around counterparty identification and interoperability. Compared to these, the technical adjustments required now are minor. It’s the systemic gaps that still demand serious attention.

THE SUMSUBER: I completely agree. And quite a few areas remain unresolved by the Standards. Which one do you believe is the most urgent to clarify by FATF?

I would say, counterparty due diligence stands out as the most urgent for FATF to clarify. Unlike correspondent banking, the crypto ecosystem lacks harmonized global standards for identifying and assessing counterparties. Clear FATF guidelines could establish a framework for mutual recognition or equivalence, where a VASP licensed under one robust regime (the EU frameworks) is considered trustworthy by another (e.g., Hong Kong), reducing redundant checks and streamlining compliance.

The need for standardized discovery mechanisms is also pressing: VASPs must be able to reliably determine who the counterparty is—whether it’s another VASP or an unhosted wallet. Without clarity on these fronts, the promise of global Travel Rule compliance remains fragmented and difficult to operationalize.

THE SUMSUBER: If you could provide one piece of guidance to the FATF for its next round of clarifications, what would it be?

DELPHINE FORMA: I would say, provide practical, harmonized guidance that goes beyond reiterating compliance expectations. Critically, it should also reassess whether the Travel Rule—designed for traditional finance—truly fits the crypto context and does it efficiently fulfill the goal of fighting financial crime? With blockchain analytics offering real-time visibility into illicit exposure, FATF should ask: are names always necessary, or are there smarter, tech-native tools that serve the same purpose more effectively?