The FATF Travel Rule Explained — And Why Most VASPs Are Still Not Compliant

March 2026·8 min read·For VASPs, exchanges & compliance teams

If you run a crypto exchange, wallet service, or any business that moves digital assets between customers, the FATF Travel Rule almost certainly applies to you. Most people in the industry have heard of it. Far fewer have actually implemented it correctly — and regulators are increasingly taking notice.

This guide covers exactly what the Travel Rule requires, who it applies to, what information you need to collect and transmit, and the practical steps to get compliant. We’ll also explain the common failure points that put VASPs at risk of regulatory action.

The short version: For any crypto transfer at or above $1,000 (or €1,000), you must collect information about the sender and recipient and transmit it to the counterparty VASP — before or at the same time as the transfer. This is FATF Recommendation 16, extended to virtual assets in 2019.

What Is the FATF Travel Rule?

The Travel Rule originally applied to wire transfers in traditional banking. FATF Recommendation 16 required banks to include originator and beneficiary information with every wire transfer above the threshold. The rule got its name because the information “travels” alongside the funds.

In June 2019, FATF updated its guidance to extend Recommendation 16 to Virtual Asset Service Providers (VASPs). This was a significant expansion: for the first time, a global standards body explicitly required crypto businesses to implement the same information-sharing obligations as banks.

FATF doesn’t make law directly — it sets standards that member countries are expected to implement in national legislation. As of 2026, the vast majority of major jurisdictions have enacted Travel Rule requirements, including the EU (via MiCA and the Transfer of Funds Regulation), the UK, the US (FinCEN), Singapore, Japan, and many others.

Who Does It Apply To?

The Travel Rule applies to Virtual Asset Service Providers — broadly, any business that transfers virtual assets on behalf of customers. This includes:

Cryptocurrency exchanges (centralized)
Crypto custodians and wallet providers
OTC desks and institutional trading services
Payment processors that handle crypto
Certain DeFi front-ends and aggregators (increasingly, per FATF 2021 guidance)

If you are moving crypto from one customer’s account to another party — whether on your platform or at another VASP — the Travel Rule applies.

What Information Must Be Collected and Transmitted?

The required information depends on whether you are the originating VASP (sending funds) or the beneficiary VASP (receiving funds).

Originating VASP — Must Transmit

Data Element	Requirement
Originator’s full legal name	Mandatory
Originator’s account number / wallet address	Mandatory
Originator’s physical address, national ID number, customer ID number, OR date and place of birth	One of these — mandatory
Beneficiary’s full legal name	Mandatory
Beneficiary’s account number / wallet address	Mandatory

Beneficiary VASP — Must Receive and Screen

Receive originator information before crediting funds to the beneficiary
Screen originator against sanctions lists
Verify the originating VASP is licensed / registered
Retain all received information for the required period (typically 5 years)
Apply enhanced due diligence where information is incomplete or inconsistent

The Threshold — and Why Some Jurisdictions Set It at Zero

The FATF reference threshold is $1,000 USD (or equivalent in local currency or crypto). Below this, you are not required to transmit originator/beneficiary information under the Travel Rule — though normal AML monitoring still applies.

However, some jurisdictions have gone further:

Jurisdiction	Travel Rule Threshold	Notes
EU (Transfer of Funds Regulation)	€0 (all transfers)	No minimum — applies to every transfer
UK	£0 (all transfers)	FCA aligned with EU approach
US (FinCEN)	$3,000	Proposed rule to lower to $250 for international
Singapore (MAS)	SGD 1,500	Approximately $1,100 USD
Japan (FSA)	¥100,000	Approximately $700 USD
Switzerland (FINMA)	CHF 1,000	Approximately $1,100 USD

Practical implication: If you serve EU or UK customers, the threshold is effectively zero. You need Travel Rule compliance for every single transfer, not just those above $1,000.

What About Unhosted Wallets?

This is where it gets complicated. An unhosted wallet (also called a self-custodied wallet) is a wallet where the private keys are held by the individual — not by any VASP. MetaMask, Ledger, and Trezor are examples.

When a customer sends crypto to an unhosted wallet, there is no beneficiary VASP to transmit information to. Different regulators have taken different approaches:

EU approach: Require the originating VASP to verify that the unhosted wallet is owned or controlled by their own customer (via signed message or micro-transaction)
FATF guidance: Apply enhanced due diligence for unhosted wallet transfers above threshold; assess whether the customer is using the wallet for their own benefit
US approach: Still evolving; proposed rules would require counterparty information for unhosted wallet transfers above $250

At minimum, you should have a documented procedure for unhosted wallet transfers that includes a wallet ownership attestation process and enhanced scrutiny for high-value transfers.

How to Actually Transmit the Information

Here’s where many VASPs fall short. You can’t just email originator information to the beneficiary VASP — the transmission method needs to be secure, verifiable, and interoperable.

Several Travel Rule protocols have emerged to standardize this:

Protocol	Approach	Notable Users
TRP (Travel Rule Protocol)	Open standard; API-based; peer-to-peer	Major exchanges
TRUST (US)	US-focused network; members vouch for each other	Coinbase, Kraken, others
VerifyVASP	API + network; strong in Asia-Pacific	Asian exchanges
OpenVASP	Open-source; decentralized	EU-focused VASPs
Sygna Bridge	Centralized network with compliance tools	Exchanges in 50+ jurisdictions

The challenge is interoperability — counterparty VASPs may be on different protocols. Most compliance teams end up integrating multiple protocols or using an aggregator service that bridges between them.

If a counterparty VASP doesn’t support any interoperable protocol, you should: attempt secure alternative transmission, delay the transfer until compliant exchange is completed, or decline the transfer if compliant information cannot be obtained.

Common Failure Points

Based on regulatory findings and enforcement actions, these are the most common Travel Rule compliance failures:

No VASP-to-VASP protocol implemented at all — many smaller VASPs simply haven’t done it yet
Incomplete originator data — transmitting name and wallet address but missing the required third identifier
No sanctions screening of received originator data — receiving Travel Rule data but not actually checking it against sanctions lists
No procedure for unhosted wallets — treating all withdrawals the same regardless of destination type
No counterparty VASP due diligence — not verifying that the counterparty is actually a licensed VASP in good standing
Poor record keeping — Travel Rule data not retained in a retrievable format for the required period

Implementation Checklist

If you’re starting from scratch, here’s the sequence:

Confirm which jurisdictions’ Travel Rule requirements apply to your business
Determine the applicable threshold(s) — remember the EU/UK zero threshold
Select and implement a Travel Rule protocol (or aggregator)
Build originator data collection into your onboarding and transaction flows
Build beneficiary VASP due diligence into your outbound transfer flow
Build sanctions screening of received originator data into your inbound flow
Document your unhosted wallet procedure
Test end-to-end with counterparty VASPs before go-live
Train your compliance team on the procedures
Document everything — regulators want to see evidence of implementation, not just policies