The Travel Rule is the single most operationally complex AML requirement facing crypto businesses in 2026. Unlike KYC (which you implement once per customer) or transaction monitoring (which runs automatically), the Travel Rule requires real-time data exchange with counterparty VASPs for every qualifying transfer — and the counterparty may be in a different jurisdiction, using a different compliance solution, or operating without any Travel Rule capability at all.
This guide covers what the Travel Rule actually requires, how it operates under MiCA and the EU Transfer of Funds Regulation, the practical challenges of implementation, and a compliance checklist for VASPs navigating 2026.
The Travel Rule: Origins and Application to Crypto
The Travel Rule originates from FATF Recommendation 16 (originally adopted for traditional wire transfers in the 1990s). In June 2019, FATF extended it to cover virtual assets and VASPs through its updated Interpretive Note to Recommendation 15, requiring countries to ensure that originating VASPs obtain and transmit originator and beneficiary information with virtual asset transfers, and that beneficiary VASPs obtain beneficiary information.
What Data Must Travel
For every qualifying crypto-asset transfer, the originating VASP must collect and transmit:
- Originator information: Full name, account number (or unique transaction reference), and one of: address, national identity number, customer identification number, or date and place of birth
- Beneficiary information: Full name and account number (or unique transaction reference)
Under the EU's Transfer of Funds Regulation (Regulation 2023/1113), which entered into force alongside MiCA, additional requirements apply: the beneficiary VASP must verify that the beneficiary information matches its own records, and where discrepancies are found, the VASP must reject or return the transfer or obtain clarification.
Threshold Differences by Jurisdiction
| Jurisdiction | Threshold | Key Requirements |
|---|---|---|
| EU (TFR/MiCA) | No threshold — all CASP-to-CASP transfers | Full originator + beneficiary data for every transfer. EDD for unhosted wallets >€1,000 |
| FATF standard | USD/EUR 1,000 (recommended) | Full data above threshold; basic data below |
| United States | $3,000 (FinCEN) | Applies to money transmitters handling virtual currency |
| Singapore (MAS) | SGD 1,500 | PSN02 notice; applies to licensed DPT service providers |
| Japan (JFSA) | No threshold | All transfers; Japan was the first country to implement |
| UK (FCA) | No threshold (MLR amendments) | Aligned with EU approach post-2023 MLR updates |
Track Travel Rule implementation across jurisdictions — regulatory deadlines, enforcement actions, and guidance updates monitored automatically.
Start free trial →The Sunrise Problem
The "sunrise problem" is the core operational challenge of Travel Rule compliance: not all jurisdictions have implemented the Travel Rule at the same pace, and not all VASPs within implementing jurisdictions have deployed compliant solutions. When an EU CASP sends a transfer to a VASP in a jurisdiction without Travel Rule requirements, the originating CASP must still collect the required data — but has no counterparty to send it to.
In practice, this means CASPs must maintain a counterparty risk assessment framework that categorises receiving VASPs by their Travel Rule compliance capability and jurisdiction, apply enhanced due diligence for transfers to VASPs in non-compliant jurisdictions, and in some cases refuse transfers to counterparties that cannot receive Travel Rule data.
FATF's mutual evaluation process tracks jurisdictional implementation. As of early 2026, approximately 75% of FATF member jurisdictions have some form of Travel Rule legislation in place, but operational compliance (actual data exchange between VASPs) lags significantly — estimated at 50–60% of global VASP-to-VASP transfer volume.
VASP Discovery: Finding Your Counterparty
Before you can send Travel Rule data, you need to know who the counterparty VASP is — and how to reach them. In traditional finance, this is solved by SWIFT (every bank has a BIC code, and SWIFT routes messages). Crypto has no equivalent universal messaging infrastructure.
Travel Rule Solutions
Several technical solutions have emerged to address VASP discovery and data exchange:
- Notabene: The largest Travel Rule compliance platform, supporting 200+ VASPs. Provides VASP discovery, data exchange, and compliance workflow management. Uses an open protocol approach with integrations across multiple messaging networks.
- Sygna (by CoolBitX): Popular in Asia-Pacific markets. Provides API-based Travel Rule compliance with a focus on cross-network interoperability.
- Shyft Network: Decentralised identity and Travel Rule compliance infrastructure. Offers Veriscope, an open-source Travel Rule protocol.
- TRP (Travel Rule Protocol): Developed by a consortium including Coinbase and other major exchanges. Peer-to-peer messaging protocol for Travel Rule data exchange.
- OpenVASP: Open-source protocol developed by Bitcoin Suisse. Provides decentralised VASP-to-VASP messaging.
The interoperability challenge is real: if your VASP uses Notabene and the counterparty uses TRP, can you exchange data? The industry has made progress on cross-protocol interoperability through the Universal Solution for Travel Rule Interoperability (USTR) initiative, but seamless cross-platform exchange is not yet universal.
Unhosted Wallets: The Enhanced Due Diligence Challenge
Transfers to and from unhosted wallets (self-custodied wallets not controlled by a VASP) present a particular compliance challenge. Under the EU TFR:
- Transfers above €1,000 to/from unhosted wallets: The CASP must collect the name of the person controlling the unhosted wallet and verify their identity. This effectively means treating the unhosted wallet holder as a counterparty and performing KYC-equivalent verification.
- Wallet ownership verification: CASPs must verify that the customer actually controls the unhosted wallet — typically through a micro-transaction test, cryptographic signature verification, or address-based verification through blockchain analytics.
- Risk-based approach: For transfers below €1,000, CASPs must still apply a risk-based approach. If there are suspicion indicators (known sanctions addresses, mixing service interaction, unusual patterns), enhanced measures apply regardless of the amount.
Compliance Checklist for VASPs in 2026
- Travel Rule solution implementation: Select and integrate a Travel Rule compliance solution. Ensure it supports the messaging protocols used by your most common counterparty VASPs.
- Counterparty VASP registry: Maintain a registry of counterparty VASPs with their Travel Rule capabilities, jurisdictional status, and preferred messaging protocols.
- Data collection workflows: Update your onboarding and transaction workflows to collect all required originator and beneficiary data before initiating transfers.
- Unhosted wallet procedures: Implement wallet ownership verification procedures for transfers above €1,000.
- Sanctions screening integration: Travel Rule data should flow into your sanctions screening process.
- Record-keeping: Retain all Travel Rule data for a minimum of 5 years (per AMLD requirements).
- Counterparty risk policy: Define your approach to transfers involving VASPs in non-compliant jurisdictions.
- Staff training: Ensure compliance and operations staff understand Travel Rule requirements.
- Transaction monitoring integration: Feed Travel Rule data into your transaction monitoring system.
- Regulatory change monitoring: Travel Rule requirements are evolving across jurisdictions. Monitor FATF mutual evaluations and national updates.
"The Travel Rule isn't a future compliance challenge — it's a current one. EU CASPs that haven't implemented Travel Rule compliance are already in breach of the TFR."
Enforcement Trends in 2026
Regulators are moving from guidance to enforcement on Travel Rule compliance. In 2025, the Netherlands' DNB fined a major exchange €3.3 million for inadequate Travel Rule implementation. The FCA issued supervisory warnings to multiple UK-registered crypto ATM operators for failing to collect Travel Rule data. Singapore's MAS revoked a licence partially based on Travel Rule non-compliance.
The pattern is clear: regulators have given VASPs multiple years to implement. The grace period is over. For broader context on crypto AML compliance, see our guides on crypto AML in 2026, FATF Travel Rule compliance, MiCA compliance, and crypto exchange compliance.
Stop tracking regulatory changes manually
RegPulse monitors 200+ sources so you don't have to. Stay ahead of Travel Rule requirements, FATF guidance, and jurisdictional implementation updates.
Request a Demo →