Virtual Asset Service Providers (VASPs) operate at the highest-scrutiny end of the regulated financial services spectrum. FATF's inclusion of VASPs within its Recommendations — formalised in the June 2019 update to Recommendation 15 — brought crypto exchanges, custodians, and crypto-to-fiat conversion businesses into the global AML framework. Since then, the regulatory obligations have expanded rapidly: the Travel Rule has been implemented in the UK, EU, Singapore, and a growing number of jurisdictions; blockchain analytics have become an expected component of on-chain risk management; and supervisors have become significantly more sophisticated in their assessment of VASP compliance quality.
The FATF VASP Framework
FATF Recommendation 15 requires countries to ensure that VASPs are regulated for AML/CFT purposes, licensed or registered, and subject to effective implementation and supervision. The Interpretive Note to Recommendation 15 sets out the core obligations: customer due diligence (including simplified and enhanced DD as appropriate), record-keeping, suspicious transaction reporting, and — critically — the Travel Rule.
FATF's October 2021 guidance on virtual assets and VASPs provided significant additional detail on how its Recommendations apply to the crypto context, including guidance on DeFi, stablecoins, peer-to-peer transactions, and the treatment of unhosted wallets. This guidance is highly relevant for VASPs designing their AML programmes, as it sets the benchmark against which national regulators (including the FCA) will assess compliance quality.
UK Implementation: FCA Registration and MLR 2017
In the UK, VASP obligations are implemented through the MLR 2017 registration regime, as discussed in our separate article on FCA crypto asset firm registration. Once registered, VASPs are subject to the full AML/CTF framework under MLR 2017, including the obligation to conduct customer due diligence, maintain records, appoint an MLRO, submit SARs to the UKFIU, and comply with the Travel Rule.
The UK Travel Rule is implemented through amendments to the Funds Transfer Regulation (retained EU law as amended). From September 2023, UK VASPs must collect and transmit originator and beneficiary information for crypto asset transfers. The threshold is £1,000, below which simplified information requirements apply. For transfers to or from unhosted wallets above the threshold, VASPs must conduct additional checks to confirm the unhosted wallet belongs to their customer.
Transaction Monitoring: Off-Chain and On-Chain
Off-Chain Transaction Monitoring
Like other payment firms, VASPs must monitor the fiat side of their transactions for unusual patterns. For crypto exchanges, this means monitoring deposit and withdrawal patterns, identifying structuring below Travel Rule thresholds, and flagging large or unusual fiat flows for review. The standard transaction monitoring frameworks described elsewhere apply here.
On-Chain Transaction Monitoring (Blockchain Analytics)
What distinguishes VASPs from other payment firms is the additional obligation to monitor on-chain activity. Blockchain analytics tools provide risk scoring for wallet addresses and transaction paths. The FCA expects VASPs to screen wallet addresses at the point of a customer's deposit or withdrawal, not just screen the customer's identity. A customer who passes KYC but deposits from a wallet with links to a sanctioned exchange represents a distinct risk that cannot be captured by KYC alone.
The leading tools — Chainalysis KYT, Elliptic Navigator, TRM Labs — each provide risk categorisation based on the provenance of funds: direct exposure (the wallet directly transacted with a risky counterparty) and indirect exposure (the wallet transacted with intermediaries that themselves have risky exposure). The VASP must decide, and document, what risk thresholds trigger manual review versus automated rejection of a transaction.
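A documented threshold policy of this kind can be expressed as a small decision function. The sketch below is an added example, not code from any of the tools named above or from this article's author: the category names, the threshold values, and the input shape (category mapped to direct and indirect share of funds) are all assumptions, and it also folds in the unhosted-wallet ownership check required above the Travel Rule threshold.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Limits:
    review: float  # share of funds above which an analyst must review
    reject: float  # share of funds above which the transfer is refused

# Hypothetical policy table: categories and numbers are assumptions, not
# regulatory values or any vendor's defaults. Each VASP documents its own.
POLICY = {
    "sanctioned": {"direct": Limits(0.0, 0.0), "indirect": Limits(0.0, 0.10)},
    "mixer": {"direct": Limits(0.0, 0.0), "indirect": Limits(0.0, 0.25)},
    "gambling": {"direct": Limits(0.20, 0.80), "indirect": Limits(0.50, 1.0)},
}
SEVERITY = {"ALLOW": 0, "REVIEW": 1, "REJECT": 2}

def screen_wallet(exposure, unhosted=False, ownership_confirmed=False):
    """Return (decision, reasons) for one deposit or withdrawal address.

    exposure maps category -> {"direct": share, "indirect": share}, shares in 0..1.
    """
    decision, reasons = "ALLOW", []

    def escalate(level, why):
        nonlocal decision
        reasons.append(f"{level}: {why}")
        if SEVERITY[level] > SEVERITY[decision]:
            decision = level

    for category, shares in exposure.items():
        limits = POLICY.get(category)
        if limits is None:  # fail closed: an unmapped category goes to a human
            escalate("REVIEW", f"no documented threshold for '{category}'")
            continue
        for kind in ("direct", "indirect"):
            share = shares.get(kind, 0.0)
            if not 0.0 <= share <= 1.0:
                raise ValueError(f"{category}/{kind} share out of range: {share}")
            if share > limits[kind].reject:
                escalate("REJECT", f"{kind} {category} exposure {share:.0%}")
            elif share > limits[kind].review:
                escalate("REVIEW", f"{kind} {category} exposure {share:.0%}")
    if unhosted and not ownership_confirmed:
        escalate("REVIEW", "unhosted wallet not confirmed as the customer's")
    return decision, reasons

if __name__ == "__main__":
    # Constructed sample: customer passed KYC, wallet has 12% indirect mixer exposure.
    print(screen_wallet({"mixer": {"direct": 0.0, "indirect": 0.12}}, unhosted=True))
```

Returning the reasons alongside the decision gives the analyst and the audit trail the specific exposure that triggered each escalation.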
Unhosted Wallet Risk
Transfers to and from unhosted wallets (wallets not held at a regulated VASP) present particular challenges. The FATF's 2021 guidance and the EU's Transfer of Funds Regulation (effective June 2023 under MiCA implementation) both impose specific requirements on regulated VASPs when transacting with unhosted wallets. In the UK, the FCA expects VASPs to have a documented risk policy for unhosted wallet interactions, including a process to verify that the unhosted wallet belongs to the customer (self-hosted wallet confirmation) rather than a third party.
Privacy Coins and Mixing Services
The treatment of privacy coins (Monero, Zcash in shielded mode) and mixing services is an area where most regulators have taken an increasingly hard line. The FCA's guidance, and the approach of most reputable VASPs, is to treat transactions involving privacy coins or wallets with mixing service exposure as automatically high-risk, requiring EDD and often declining to process. VASPs that accept deposits from mixer-tainted wallets without adequate controls face significant regulatory and reputational risk.
Practical Implementation Framework
A minimum viable VASP AML programme for a UK-registered firm should include: a risk-based AML policy specific to VASP activities; a named MLRO with crypto experience; blockchain analytics integration (Chainalysis, Elliptic, or TRM); Travel Rule compliance via a VASP-to-VASP messaging protocol (Notabene, Sygna, or equivalent); off-chain transaction monitoring with VASP-specific rules; defined unhosted wallet procedures; and regular AML training covering crypto-specific typologies. This is the baseline; higher-risk operations require correspondingly more sophisticated frameworks.