The FATF Travel Rule — Recommendation 16 — has applied to wire transfers since 1996, requiring financial institutions to include originator and beneficiary information with payment instructions. FATF's extension of this requirement to virtual asset service providers (VASPs) via its revised Recommendation 15 guidance in 2019 created one of the most complex technical compliance challenges in the history of financial regulation. Five years on, implementation remains fragmented, technical solutions are proliferating without convergence on a single standard, and the "sunrise problem" continues to complicate compliance for exchanges operating globally.
What the Travel Rule Requires for Crypto
FATF's guidance on Recommendation 16 requires VASPs to collect, verify, and transmit originator and beneficiary information alongside virtual asset transfers above a threshold of USD/EUR 1,000. Specifically:
- Originating VASP obligations: Collect originator name, account number (wallet address), geographic address or date and place of birth and national identity number, and collect and transmit beneficiary information (name and account number at minimum)
- Beneficiary VASP obligations: Screen incoming transfer information against sanctions lists, verify that beneficiary information corresponds to the actual recipient, apply the risk-based approach to decide whether to proceed with transactions where required information is incomplete or suspect
- Both VASPs: Retain records for five years and make them available to competent authorities on request
The core technical challenge is that traditional payment systems like SWIFT or Faster Payments have built-in messaging infrastructure to carry this information alongside the payment. Blockchain transactions — the native format for crypto transfers — do not natively carry originator/beneficiary data. The Travel Rule requires VASPs to create a separate, off-chain channel to transmit the required information in synchronisation with the on-chain transfer.
Technical Solutions: TRISA, TRP, and Others
The absence of a mandated technical standard has led to the emergence of multiple competing protocols for Travel Rule data transmission, creating an interoperability problem that continues to complicate compliance:
TRISA (Travel Rule Information Sharing Architecture)
Developed by the TRISA working group (now CipherTrace Messenger), TRISA is an open-source, peer-to-peer protocol for secure Travel Rule data exchange between VASPs. It uses a directory service to identify registered VASPs by their wallet addresses and transmits encrypted Travel Rule messages directly between the originating and beneficiary VASPs. TRISA has significant global adoption, particularly among compliance-focused exchanges.
TRP (Travel Rule Protocol)
TRP is an open, lightweight protocol developed by a group of exchanges including BitGo, Coinbase, and others. It is designed for simplicity and uses existing secure communication standards rather than bespoke crypto-specific messaging. TRP focuses on the information exchange layer without specifying the identity verification methodology, leaving this to each VASP's own CDD framework.
Commercial Solutions
Multiple commercial Travel Rule solution providers have entered the market, including Notabene, Sygna Bridge, 21 Analytics, and VerifyVASP. These platforms typically offer VASP directory services (to identify counterparty VASPs from wallet addresses), Travel Rule message routing (often supporting multiple underlying protocols), and unhosted wallet assessment tools. Most exchanges integrate with two or more solutions to maximise counterparty coverage.
The Sunrise Problem
The "sunrise problem" refers to the challenge created by the uneven pace of national Travel Rule implementation. A VASP in a jurisdiction that has implemented the Travel Rule (such as the UK, EU, Switzerland, or Singapore) is legally required to transmit Travel Rule data for all qualifying transfers. However, if the receiving VASP is in a jurisdiction that has not yet implemented the rule, it may have neither the technical capability nor the legal obligation to receive and process this data.
The practical consequences are significant: a compliant originating VASP that transmits Travel Rule data to a non-compliant beneficiary VASP may find that data is ignored, mishandled, or never acknowledged. Worse, if the originating VASP decides not to process the transfer because it cannot confirm receipt of compliant Travel Rule data, the customer's transaction is blocked — even though no law has been broken.
FATF's 2021 and 2023 guidance on the sunrise problem acknowledges this tension and recommends that jurisdictions implement the rule as quickly as possible, while allowing VASPs in implemented jurisdictions to apply a risk-based approach to transactions with non-compliant counterparties. In practice, this means maintaining records of attempts to transmit Travel Rule data and the response (or non-response) received, and applying enhanced monitoring to transfers where compliance cannot be confirmed.
UK Implementation
The UK implemented the Travel Rule through amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, effective September 2023. The UK rules apply to cryptoasset transfers of £1,000 or more, and require UK-registered cryptoasset businesses (registered with the FCA under the MLRs) to comply with obligations equivalent to those that apply to wire transfers.
The FCA's guidance on the Travel Rule implementation emphasises a risk-based approach for transactions involving unhosted wallets (wallets not held at a registered VASP). Where a customer wishes to send funds to an unhosted wallet, the UK-registered VASP must collect information about the wallet's owner, assess the risk, and decide whether to proceed — it cannot simply refuse all unhosted wallet transactions, as this would constitute disproportionate de-risking.
EU Implementation
The EU implemented the Travel Rule through the revised Transfer of Funds Regulation (TFR), which entered into application in December 2024. The EU approach is notable for its inclusion of a €0 threshold — meaning the Travel Rule applies to all crypto transfers between VASPs, regardless of amount, unlike the USD/EUR 1,000 threshold in FATF's Recommendation. This is a stricter implementation than required by the FATF standard, and creates compliance challenges for high-frequency, low-value transfer use cases.
The TFR also includes specific provisions for transfers to and from unhosted wallets where the transfer exceeds €1,000, requiring VASPs to verify that the unhosted wallet is actually owned by the customer conducting the transfer — a step that requires blockchain analytics or signed message verification in addition to the standard Travel Rule data collection.
Best Practice for VASP Travel Rule Compliance
- Integrate with at least two Travel Rule solution providers to maximise counterparty VASP coverage
- Maintain a documented policy for handling incoming transfers from non-Travel-Rule-compliant VASPs, including risk-based decision criteria
- Implement unhosted wallet assessment procedures that are proportionate to transaction value and customer risk profile
- Document all Travel Rule transmission attempts, responses, and decisions — regulators will expect to see this audit trail
- Monitor FATF and national regulatory updates on Travel Rule guidance, as the standards continue to evolve
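The record of transmission attempts, responses and non-responses described under the sunrise problem, and the audit-trail bullet above, can be kept as an append-only, hash-chained log so that later edits or deletions are detectable. This is an added example, not code from FATF, a regulator or any Travel Rule provider; the field names, response codes, decision labels and sample VASPs are assumptions, and hash chaining is a design choice of this example rather than a regulatory requirement.

```python
import hashlib
import json

GENESIS = "0" * 64  # value of "prev" for the first record in the chain

def _digest(body: dict) -> str:
    # Canonical JSON so the same record always produces the same hash.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def needs_enhanced_monitoring(response: str) -> bool:
    # Anything other than an explicit acknowledgement means receipt of the
    # Travel Rule data by the counterparty VASP could not be confirmed.
    return response != "ACKNOWLEDGED"

def append_attempt(log, transfer_ref, counterparty, protocol, response, decision, ts):
    """Append one transmission attempt to the log and return the stored record."""
    body = {
        "seq": len(log),
        "ts": ts,
        "transfer_ref": transfer_ref,  # points at the payload; no personal data here
        "counterparty": counterparty,
        "protocol": protocol,
        "response": response,          # ACKNOWLEDGED | REJECTED | NO_RESPONSE (assumed codes)
        "decision": decision,
        "enhanced_monitoring": needs_enhanced_monitoring(response),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record = dict(body, hash=_digest(body))
    log.append(record)
    return record

def verify_chain(log):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1

def build_sample_log():
    # Constructed sample data: VASP names, references and timestamps are made up.
    log = []
    append_attempt(log, "TX-0001", "vasp-a.example", "TRISA", "ACKNOWLEDGED", "PROCEED", "2024-05-01T10:00:00Z")
    append_attempt(log, "TX-0002", "vasp-b.example", "TRP", "NO_RESPONSE", "PROCEED_MONITORED", "2024-05-01T10:05:00Z")
    return log
```

The chain only proves integrity if the latest hash is also stored somewhere the log writer cannot modify, since an unanchored chain can be rebuilt from scratch after an edit.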