The Travel Rule Explained: Your Guide to Crypto Compliance
What Is the Travel Rule?
The Travel Rule (Recommendation 16) was introduced by the FATF, as an effort to thwart money laundering and the financing of terrorism. The Travel Rule applies to wire transfers of funds. It requires the originator and beneficiary financial institution involved in the transaction to collect, store and exchange customer data (securely) before the transaction.
The main goal of the Travel Rule is to ensure that originator and beneficiary information is easily accessible for the following purposes:
Assisting law enforcement in detecting, investigating, and prosecuting terrorists and other criminals, as well as tracing their assets.
Supporting financial intelligence units in analysing suspicious or unusual activities.
Enabling ordering, intermediary, and beneficiary VASPs and financial institutions to identify and report suspicious transactions, freeze funds, and prevent transactions involving sanctioned individuals or entities.
[Source: FATF Recommendations, Interpretive Note to Recommendation 16]
Various jurisdictions have adopted the Travel Rule and amended it to fit their markets. As the Travel Rule is a recommendation by the FATF, jurisdictions can tailor it accordingly.
See Travel Rule breakdowns per jurisdiction, regions include Switzerland, the EU, and the UK, among other countries.
Which Jurisdictions Have Implemented the Travel Rule?
The following jurisdictions have implemented the Travel Rule or a variation thereof.
Austria*
Bahamas
Bahrain
Belgium*
Bermuda
Bulgaria*
Croatia*
Canada
Cayman Islands
Czech Republic*
Denmark*
Estonia*
Finland*
France*
Germany*
Gibraltar
Greece*
Hong Kong SAR
Hungary*
India
Ireland
Italy*
Japan
Latvia*
Liechtenstein
Lithuania*
Luxembourg*
Malta*
Mauritius
The Netherlands*
Poland*
Portugal*
Romania*
Singapore
Slovakia*
Slovenia*
South Korea
Spain*
Sweden*
Switzerland
Taiwan
United Arab Emirates (Dubai)
United States
United Kingdom
*While not live, jurisdictions that will fall under the Transfer of Funds Regulation (TFR) have been included in this list.
See Global Implementation Status of the FATF’s Travel Rule and refer to Global Travel Rule Regulations: What Are the Requirements? for further information.
Please note this is not a non-exhaustive list and is meant as guidance only.
How Long Should a VASP Retain Travel Rule Data?
This varies according to jurisdiction. Usually, VASPs need to retain Travel Rule data for a minimum of 5 years.
The FATF
The FATF’s Recommendation 11, page 15, states that customer data (obtained through customer due diligence measures) be retained for five years for recordkeeping and transaction monitoring. The point is reiterated under Recommendation 16 (the Travel Rule), page 82. The FATF Recommendations
The European Union
According to the Final Draft AMLR & 6th AMLD Framework, Chapter VI Data Protection and Record-Retention, Article 56, the EU requires a period of 5 years. This time frame is reiterated in DIRECTIVE (EU) 2015/849 Chapter V, Article 40 and point (44).
Switzerland
According to Article 958f of the Swiss Code of Obligations, data is to be retained for 10 years.
What Is the Transfer of Funds Regulation (TFR)?
The Transfer of Funds Regulation (TFR) is the EU's counterpart to the FATF's Travel Rule, and is part of the Anti-Money Laundering Package as well as the MiCA Regulation.
The TFR covers the transfer of funds, including banknotes, coins, scriptural money, electronic money, and crypto assets, when at least one of the involved payment service providers or CASPs, is established or registered within the EU. This regulation also applies to intermediary CASPs, which are businesses that handle the transfer of crypto assets on behalf of another CASP or intermediary.
The TFR's scope extends to transfers executed via crypto ATMs and self-hosted wallets when a CASP is involved.
However, the TFR does not apply to:
Cash transactions, paper checks, or electronic money tokens used for payments with cards, electronic money, or mobile phones;
Tax payments, fines, and similar payments to a public authority within an EU Member State;
Payment service providers acting on their own behalf (when both the originator and the beneficiary are CASPs);
Peer-to-peer (P2P) transactions without the involvement of a CASP.
Under the TFR, CASPs are required to collect and share customer information during transactions, including:
The name of the originator
The originator’s distributed ledger address,
The originator’s crypto-asset account number (e.g., account at a CASP),
The originator’s address (including the country, official personal document number, customer ID number, or alternatively, date and place of birth),
The current Legal Entity Identifier (LEI) of the sender, where applicable,
The name of the beneficiary,
The beneficiary’s distributed ledger address,
The beneficiary’s crypto-asset account number, and
The current LEI of the beneficiary, where applicable.
Further reading on the TFR
What Is the Market in Crypto Assets Regulation (MiCA)?
As part of its digital finance strategy, the EU Commission introduced a proposal to regulate the markets in crypto assets; enter MiCA. The Market in Crypto-assets Regulation's (MiCA) objective is to establish a balanced environment for financial institutions and CASPs throughout the EU. MiCA intends to:
Protect consumers, investors, and market integrity,
Ensure financial stability,
Provide legal certainty for crypto assets,
Support fair competition and innovation.
MiCA differs from the Transfer of Funds Regulation (TFR), which is the European Union's implementation of the Travel Rule as
It does not set a minimum threshold for transfers between accounts,
It excludes transfers involving self-hosted wallets from its scope,
Neither does it address activities related to DeFi and DAOs,
It doesn’t include the lending and borrowing of crypto assets,
Or cover NFTs.
MiCA applies to natural and legal persons who issue, offer, and trade crypto assets or provide services related to crypto assets within the EU.
To read more about MiCA, see the below blog posts
What Is the Difference Between the TFR and MiCA?
The difference between the Transfer of Funds Regulation (TFR) and the Market in Crypto Assets (MiCA) is that MiCA builds the legal framework for crypto, including CASPs, licensing regimes and definitions, while the TFR only brings crypto Travel Rule into the European Union.
The TFR covers the transfer of funds, including banknotes, coins, scriptural money, electronic money, and crypto assets, when at least one of the involved payment service providers or CASPs, is established or registered within the EU. This regulation also applies to intermediary CASPs and transfers executed via crypto ATMs and self-hosted wallets when a CASP is involved.
MiCA differs from the TFR as
It does not set a minimum threshold for transfers between accounts,
It excludes transfers involving self-hosted wallets from its scope,
Neither does it address activities related to DeFi and DAOs,
It doesn’t include the lending and borrowing of crypto assets,
Or cover NFTs.
MiCA applies to natural and legal persons who issue, offer, and trade crypto assets or provide services related to crypto assets within the EU.
Read more about the TFR and MiCA below
Does MiCA Apply to Foreign VASPs?
Yes, the Market in Crypto Assets Regulation (MiCA) applies to foreign VASPs offering their services in the European Union.
MiCA is a European framework that applies to all entities offering crypto assets or services within Europe. For a foreign VASP to provide services within Europe, it will need to be established in the EU to obtain the relevant authorisation and comply with MiCA regulation.
Non-European VASPs must comply with MiCA's regulations to offer their services within the EU. This includes obtaining authorisation from relevant EU authorities and adhering to MiCA’s standards, including consumer protection, transparency, operational resilience, and anti-market abuse measures.
Moreover, foreign VASPs must establish a legal presence in the EU, such as a registered office, to apply for authorisation and operate under MiCA, which involves meeting specific requirements and undergoing supervision by EU regulators.
If foreign VASPs issue “stablecoins”, they must meet MiCA’s specific requirements for stablecoin issuers, such as maintaining adequate reserves and adhering to caps on non-EU currency-pegged stablecoin.
See Does MiCA Impact Crypto Asset Service Providers (CASPs)? for additional clarification.
Read more about stablecoins in the EU
Which Jurisdictions Include Self-hosted Wallets in Their Regulatory Frameworks?
Nearly every jurisdiction that has implemented the Travel Rule includes self-hosted wallets within its scope, minus the USA, Bermuda, Canada and South Korea.
Jurisdictions that Include Self-hosted Wallets in Their Regulatory Frameworks
Please note this is not a non-exhaustive list and is meant as guidance only.
Austria*
Belgium*
Bulgaria*
Croatia*
Czech Republic*
Denmark*
Estonia*
Finland*
France*
Germany*
Greece*
Hong Kong SAR
Hungary*
Italy*
Latvia*
Liechtenstein
Lithuania*
Luxembourg*
Malta*
The Netherlands*
Poland*
Portugal*
Romania*
Singapore
Slovakia*
Slovenia*
Spain*
Sweden*
Switzerland
United Kingdom
*While not live, jurisdictions that will fall under the Transfer of Funds Regulation (TFR) have been included in this list.
See Regulatory Frameworks that Include Self-hosted Wallets and refer to Global Travel Rule Regulations: What Are the Requirements? for further information.
How Should VASPs Transact with Self-hosted Wallets?
The first thing a VASP should do is ascertain if the jurisdiction’s implementation of the Travel Rule covers self-hosted wallets. For example, the USA does not include self-hosted wallets in its Travel Rule scope. Therefore, no data collection is required.
If self-hosted wallets are included, check the jurisdiction’s Travel Rule data collection prerequisites; some regions require more extensive data points.
Thereafter, confirm the threshold. For example, in the EU, wallet proofs are only required for amounts over EUR 1000*, whereas Switzerland requires wallet proofs for all self-hosted wallet transactions. If a wallet proof is required, there are four ways to do it.
*unless the CASP suspects ML/TF activities or any other associated risk.
For further clarification on self-hosted wallet requirements per region, see Global Travel Rule Regulations: What Are the Requirements?
How Can VASPs Verify Self-hosted Wallets?
Depending on the jurisdiction’s implementation of the Travel Rule, self-hosted wallet verification is required.
There are 4 ways that this can be done, namely through:
Address Ownership Proof Protocol (AOPP),
Satoshi Tests (also known as a micro deposit or a Penny Test)
Visual Proofs, which can include a video or image showing the wallet address.
It's important to keep in mind that one method does not exclude the other. A VASP can offer its users just one, several, or all methods, depending on their needs or preferences.
Most Travel Rule regulations, like the UK’s implementation of the Travel Rule, require verification through a Satoshi Test or digital signature, avoiding visual proofs due to their lack of trust. Many VASPs opt for a fully automated solution, like AOPP, as it is secure for both VASPs and their customers and prevents address reuse.
What Is a VASP?
The FATF defines a VASP as “any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities (stated below) or operations for or on behalf of another natural or legal person.”
As defined by the FATF, VASP activities include:
Exchange between virtual assets (crypto assets) and fiat currencies,
Exchange between one or more forms of virtual assets,
Transfer of virtual assets,
Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets,
Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.
Is a VASP a CASP?
A VASP and a are very similar in function except for two differences: the FATF’s definition of a VASP is not as explicit as MiCA’s CASP, nor does it extend to cover crypto advisory services. MiCA defines a CASP as “any person whose occupation or business is the provision of one or more crypto-asset services - as mentioned above - to third parties on a professional basis.”
See Article 3 Definitions and read Is A VASP a CASP? for further information on the topic.
Jurisdiction-dependent, a VASP Can Also Be Known As:
Australia: Digital Currency Exchange Provider (DCEP)
Canada: Crypto Asset Trading Platform (CTP)
Estonia: Virtual Currency Service Provider (VCSP)
EU: Crypto asset service provider (CASP)
France: Digital Asset Service Provider (DASP)
Japan: Crypto Asset Exchange Service Provider (CESP)
Liechtenstein: Trusted Technology Service Provider (TT Service Provider)
Singapore: Digital Payment Token Providers (DPT Providers)
UK: Cryptoasset Business (CB)
USA: Money Service Business (MSB)
What Is a CASP?
As per the Markets in Crypto Assets Regulation (MiCA), CASP activities include:
The custody and administration of crypto assets (virtual assets) on behalf of third parties,
The operation of a trading platform for crypto assets,
The exchange of crypto assets for fiat currency that is legal tender,
The exchange of crypto assets for other crypto assets,
The execution of orders for crypto assets on behalf of third parties,
The placing of crypto assets,
The reception and transmission of orders for crypto assets on behalf of third parties,
Providing advice on crypto assets.
In summary, if a business provides any of the below services to citizens in Europe, it is deemed a CASP:
Offering custody and administration of crypto assets on behalf of a third party,
Offering a crypto exchange service or running an exchange,
Offering crypto advisory services, or information defined as advice on investing in crypto assets. This does not include portfolio management services.
Is a VASP a CASP?
A VASP and a are very similar in function except for two differences: the FATF’s definition of a VASP is not as explicit as MiCA’s CASP, nor does it extend to cover crypto advisory services. MiCA defines a CASP as “any person whose occupation or business is the provision of one or more crypto-asset services - as mentioned above - to third parties on a professional basis.”
See Article 3 Definitions and read Is A VASP a CASP? for further information on the topic.
Jurisdiction-dependent, a VASP Can Also Be Known As:
Australia: Digital Currency Exchange Provider (DCEP)
Canada: Crypto Asset Trading Platform (CTP)
Estonia: Virtual Currency Service Provider (VCSP)
EU: Crypto asset service provider (CASP)
France: Digital Asset Service Provider (DASP)
Japan: Crypto Asset Exchange Service Provider (CESP)
Liechtenstein: Trusted Technology Service Provider (TT Service Provider)
Singapore: Digital Payment Token Providers (DPT Providers)
UK: Cryptoasset Business (CB)
USA: Money Service Business (MSB)
What Is a Virtual Asset?
The FATF defines a virtual asset as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes”. The FATF generally does not consider non-fungible tokens (NFT) as virtual assets, but this depends on their characteristics. They may fall under the definition if they are used for “payment or investment purposes”.
Examples of virtual assets include specific currencies like bitcoin and Ether, as well as stablecoins, and the MiCA equivalents asset referenced tokens and electronic money tokens.