H1 2025 Web3 Security Report$3.1B in losses, DeFi hit hardest, AI threats on the rise
Read the full report
  • Hacken
  • Blog
  • Discover
  • Crypto Travel Rule: Global VASP Requirements in 2025

Crypto Travel Rule: Global VASP Requirements in 2025

11 min read

As of September 2025, regulators in the U.S., EU, UK, and APAC enforce versions of the Travel Rule, requiring VASPs to attach basic sender and recipient data to qualifying transfers. Understanding these requirements is essential to keep licenses, earn institutional trust, and avoid penalties.

What Is the Travel Rule?

The Travel Rule is an anti-money laundering standard that obliges financial institutions and regulated crypto providers — exchanges, custodial wallet providers, and other VASPs — to send, receive, and retain basic originator (sender) and beneficiary (recipient) details alongside qualifying transfers. This data is exchanged off-chain between providers to enable sanctions screening, recordkeeping, and, where required, identity verification.

In 2019, the Financial Action Task Force (FATF), the international body that sets anti-money laundering standards, extended the Travel Rule to cover crypto transactions. This update introduced the Crypto Travel Rule (FATF Recommendation 16), which applies to exchanges, wallets, and other businesses that handle digital assets.

These businesses have strong compliance obligations to prevent penalties or loss of license. Regular crypto users must share their identifying information with exchanges and other service providers.

Why Crypto Needed a Travel Rule

The Travel Rule brings the same safeguards from traditional finance into the crypto world. It’s built on a simple but powerful idea from FATF: same risk, same rules. This means activities with similar risks must follow the same standards, no matter what technology they use.

Crypto’s pseudonymity can make it attractive for illicit activities like money laundering, terrorist financing, sanctions breaches, and other financial crimes. The Travel Rule tackles this by ensuring personal data “travels” with every transaction.

Beyond fighting financial crime, the Travel Rule also strengthens trust across the industry. Greater transparency makes crypto more acceptable to financial institutions and regulators by effectively:

  • Increasing traceability of flows.
  • Helping law enforcement track illicit funds.
  • Reducing the anonymity associated with crypto transfers.

Who Is Covered by the Crypto Travel Rule?

The Crypto Travel Rule applies to all financial institutions and crypto service providers involved in transfers, exchange, or management of virtual assets, or financial services related to an issuer’s offer or sale of a virtual asset.

Covered entities include crypto exchanges, custodial wallet providers, OTC trading desks, crypto payment processors, and regulated financial institutions that handle digital assets.

Different laws use different labels (e.g., VASPs, CASPs, MSBs), but the obligations are similar: if you accept and transmit customer value, you’re in scope.

While the Travel Rule does not cover individuals using self-hosted wallets, regulators are exploring ways to extend rules to DeFi protocols and peer-to-peer services.

The Travel Rule applies to businesses in three key situations:

  • Transfers to unhosted wallets: Businesses must collect the required information for compliance, though they don't need to send it directly to the individual's wallet.
  • Traditional wire transfers: The rule covers all standard wire transfers involving virtual assets.
  • Transfers between regulated entities: This includes virtual asset transfers between VASPs or between a VASP and a financial institution.

FATF Travel Rule Requirements

The FATF is an international body that sets global standards to combat money laundering and terrorist financing. The FATF Recommendations provide a full framework to help countries fight financial crimes, promote financial transparency, identify emerging criminal financial trends, and evaluate how well member countries implement these standards through regular reviews.

When a qualified transfer, exchange, or issuance of virtual assets takes place, various obligations are triggered for the respective businesses providing services to the sender and beneficiary. 

Originating Entity

Receiving Entity

Identify the sender (originator) and obtain the necessary information

Obtain the necessary information from the sender’s VASP

Retain a record and share the information with the beneficiary VASP after all checks

Verify the accuracy and consistency of the necessary information, and retain a record

Screen to confirm that the beneficiary is not a sanctioned party

Screen to confirm that the sender is not a sanctioned party

Thresholds and Data Fields

The FATF recommends a standard threshold of USD/EUR 1,000. Transactions below the Travel Rule threshold have fewer requirements than those above it. Smaller transactions that appear linked may also fall within scope.

Transfer Amount (USD/EUR)

Required Information

< 1,000 

  • Name of the sender (originator) and recipient (beneficiary)

  • A wallet address or unique transaction identifier for each party

  • Verification of this information is only required if money laundering or terrorist financing risks are detected


> 1,000

  • All of the above information

  • Sender’s physical address, government-issued ID number, or date and place of birth

  • Recipient’s full name and wallet address

In addition, the originating entity and receiving entity are expected to monitor transactions and report any red flags to the appropriate authorities.

BSA Travel Rule Requirements

The Financial Crimes Enforcement Network (FinCEN) administers the Bank Secrecy Act (BSA) for financial institutions (including money services businesses, or MSBs) and enforces the Travel Rule at 31 CFR 1010.410(f). The Travel Rule (originally adopted for wire transfers in the 1990s) requires specific originator/beneficiary information to accompany certain transmittals of funds.

In 2013, FinCEN explained that persons who administer or exchange virtual currency are MSBs (money transmitters) under the BSA.

​​A money transmitter is a person that accepts and transmits currency, funds, or other value that substitutes for currency — a phrase that covers convertible virtual currency (CVC) (e.g., bitcoin, ether, stablecoins).

In 2019, FinCEN issued consolidated guidance clarifying how existing rules apply to P2P exchangers, hosted vs. unhosted wallets, CVC kiosks, and certain DApps when they accept and transmit value.

The rule does not apply to digital assets issued as legal tender, such as a Central Bank Digital Currency (CBDC).

Note: CBDC is not CVC, but the Travel Rule applies to all transmittals of funds (banks and non-banks), regardless of technology.

How the U.S. Applies the Travel Rule to Crypto

MSBs (including administrators/exchangers of CVC) must comply with the BSA when they accept and transmit value. This includes hosted wallet providers, P2P exchangers operating as a business, and CVC kiosks. Unhosted wallet software providers that do not accept or transmit value are not MSBs. Payment processors can be exempt if they meet the processor-exemption criteria.

Administrators and exchangers of convertible virtual currencies (CVCs) qualify as money transmitters if they accept, transmit, buy, or sell CVCs. In 2019, FinCEN expanded the rule to include certain activities carried out by peer-to-peer exchanges or decentralized applications, regardless of their structure.

MSBs must maintain a risk-based AML program that is in writing and, at minimum: (1) has policies, procedures, and internal controls (including customer identification where applicable); (2) designates a compliance officer; (3) provides ongoing training; and (4) undergoes independent review.

Recordkeeping & “Travel” information

For transmittals of funds of $3,000 or more, MSBs (and other covered institutions) must retain specific records and ensure required information travels to the next financial institution. A 2020 proposal to lower the cross-border threshold to $250 has not been finalized.

What must be included in the transmittal order (≥$3,000):

Originator (transmittor) name and, if ordered from an account, account number; address; amount; execution date; identity of the recipient’s financial institution; as available, the recipient’s name and address and account (or other specific identifier); plus the name and address or numerical identifier of the originator’s financial institution.

For non-established customers, additional identity-verification/recordkeeping applies. (A wallet address typically serves as the “account number or other specific identifier” in a CVC context.)

For transfers below $3,000: 

The Travel Rule/Recordkeeping Rule at 31 CFR 1010.410(e)–(f) do not apply; however, MSBs still must follow their risk-based AML program and other BSA reporting/recordkeeping duties (e.g., SARs).

The transaction amount and execution date must always be recorded. The sender’s physical address is required; the receiver’s physical address may be optional if unavailable.

Activity examples (quick reference):

Hosted wallet provider: MSB → register, AML program, SAR/CTR, recordkeeping/Travel Rule when triggered.

Unhosted wallet software: Not an MSB if it never accepts/transmits value.

Payment processor: Often exempt if meeting FinCEN’s processor-exemption conditions.

CVC kiosk (ATM) operator: MSB obligations apply.

P2P exchanger (for profit): MSB.

Issuer/administrator of a token: May be an MSB when issuing/redeeming a CVC; securities issuance implicates separate SEC rules.

Non-custodial trading front-end / DApp: Likely not an MSB if it only provides software/communications and does not accept/transmit value; facts & circumstances control.

Travel Rule Compliance Checklist for U.S. Operators

To align with the U.S. BSA and the Travel Rule:

  1. Determine if you are an MSB (money transmitter).Use the definition at 31 CFR 1010.100(ff) (accepting/transmitting currency, funds, or other value that substitutes for currency, incl. CVC).
  2. Register with FinCEN and keep it current.File the MSB registration (Form per 31 CFR 1022.380) and renew every two calendar years; maintain and update the agent list.
  3. Build a written, risk-based AML program (four pillars).
    1. Policies, procedures, and internal controls.
    2. Designated BSA/AML compliance officer.
    3. Ongoing training for relevant staff.
    4. Independent review of the program at a risk-commensurate frequency.
  4. Implement Travel Rule + recordkeeping controls (≥ $3,000).Ensure required information travels and is retained for transmittals of funds of $3,000 or more
  5. File required reports.
    1. SARs for suspicious activity.
    2. CTRs for transactions in currency > $10,000.
  6. Screen for sanctions.Establish OFAC screening and blocking/reject procedures (separate from the BSA but required for all U.S. persons).
  7. Document governance.Have senior management oversee the program; keep policies, reviews, and corrective actions on file.
  8. Mind state licensing.Obtain/maintain state money-transmitter licenses where required (separate from federal MSB registration).

Global Regulatory Adoption of the Crypto Travel Rule

The Crypto Travel Rule appears in different forms under U.S., EU, UK, Singapore, Japan, and South Korean regulations, but the core requirement is the same: VASPs must collect and share sender and recipient information to improve transparency and reduce financial crime.

Jurisdiction

Threshold (if any)

Key Travel Rule points

EU

None for CASP↔CASP; 


> €1,000 triggers ownership/control checks for self-hosted address transfers

Originator & beneficiary info must accompany all CASP↔CASP transfers; detect/handle missing info; apply risk-based measures, incl. for self-hosted.

UK

None for inter-cryptoasset business transfers;


for cross-border transfers ≥ €1,000, include the additional originator fields

Collect, verify, and share required info; risk-based handling of unhosted wallets.

Singapore

SGD 1,500 for additional fields (basic info still required below)

Required data must accompany all DPT value transfers; above SGD 1,500 include address/ID, DOB/POB, etc.

Japan

None

Data exchange required.

South Korea

KRW 1 million

VASP↔VASP transfers at/above threshold must include originator/beneficiary info; additional IDs may be provided on request.

UAE

AED 3,500

For transfers ≥ AED 3,500, VASPs must obtain/hold required originator/beneficiary info and provide it to authorities on request.

EU Travel Rule

The EU regulates crypto-assets through two complementary instruments: MiCA, which harmonizes licensing, conduct and market rules for CASPs, and the Transfer of Funds Regulation (TFR), which implements FATF Recommendation 16 for transfers of funds and certain crypto-assets. In July 2024, the EBA issued final Travel Rule Guidelines to clarify how required originator/beneficiary information must accompany crypto-asset transfers; these guidelines apply from December 30, 2024.

Under the TFR, when a CASP is involved in a transfer (as originator CASP, intermediary CASP, or beneficiary CASP), the required information must accompany all CASP↔CASP transfers (no minimum threshold).

For transfers to or from self-hosted addresses, CASPs must collect originator/beneficiary information and, for transfers over €1,000, assess whether the customer owns or controls the self-hosted wallet before making assets available.

AMLA, the new EU Anti-Money Laundering Authority, coordinates national supervisors to ensure consistent AML/CFT application and is ramping up towards targeted direct supervision of selected high-risk obliged entities. It began initial operations on July 1, 2025.

As more jurisdictions adopt similar frameworks, the EU’s approach is increasingly viewed as a global blueprint. However, the EU Travel Rule does not cover peer-to-peer transfers between self-hosted wallets unless a CASP is involved.

UK Travel Rule

In July 2022, HM Treasury amended the Money Laundering Regulations to implement the Travel Rule for cryptoasset transfers, with rules in force from September 1, 2023. The FCA set out supervisory expectations and refers firms to JMLSG guidance.

The sender’s and beneficiary’s names and wallet addresses must be recorded for all transactions, regardless of value. For transfers above €1,000, firms must collect additional information depending on whether the sender is a firm or an individual.

For inter-cryptoasset business transfers, basic info must always accompany the transfer (no de-minimis).

€1,000 trigger applies to cross-border cases (where not all firms are carrying on business in the UK) and governs additional fields that must also accompany the transfer.

Status of Sender

Additional Information

Firm

Customer identification number or registered office/principal place of business address

Individual

Customer identification number or address or birth-certificate/passport/national-ID number or date and place of birth

If all firms are in the UK, those extra fields need to be available on request within 3 working days, not sent by default.

The FCA also established key compliance guidelines for businesses covered by the UK Travel Rule:

  • Conduct due diligence to ensure compliance.
  • Maintain responsibility for compliance even when using third-party providers.
  • Ensure full compliance when sending or receiving transfers with firms in the UK or in jurisdictions that have adopted the Travel Rule.
  • Monitor global implementation and adjust processes as needed.

The UK Travel Rule does not apply to peer-to-peer transfers where no custodian is involved.

Asia Travel Rule

While Asian regulators generally follow FATF’s Travel Rule baseline, implementation varies on thresholds, verification expectations, and messaging standards.

Singapore:

The Monetary Authority of Singapore (MAS) requires all Digital Payment Token (DPT) service providers to comply with the Travel Rule. This includes businesses involved in:

  • Buying or selling cryptocurrencies
  • Operating platforms that allow people to exchange DPTs
  • Transmitting or arranging the transmission of DPTs
  • Providing custodian wallet services
  • Facilitating DPT transactions without holding the funds or tokens directly

Transaction Threshold

Required Information

Below SGD 1,500

Sender’s and beneficiary’s name, account number/wallet address

Above SGD 1,500

All the basic information, in addition to the sender’s residential address/business or registered address, unique identification number (e.g., NRIC, passport, or business registration number), date and place of birth (for individuals) or incorporation/registration (for entities)

Japan:

Japan implements the Travel Rule under the Act on Prevention of Transfer of Criminal Proceeds (APTCP). In 2022, the Japan Virtual Currency Exchange Association (JVCEA) introduced the Crypto Travel Rule, which applies where member exchanges handle crypto asset transactions requested by end customers.

The Japan Travel Rule applies to all transactions, with no minimum threshold. There is no requirement for exchanges to verify self-hosted wallets.

For each transfer, the sender’s name, wallet address, and either a physical address or customer identification number must be collected, along with the beneficiary’s name and wallet address.

South Korea:

In 2022, South Korea implemented the Travel Rule under the supervision of the Financial Services Commission (FSC). Under South Korean law, VASPs are defined as entities that buy, sell, transfer, store, manage, or broker virtual assets.

Both domestic and foreign VASPs must register with the Korea Financial Intelligence Unit (KoFIU) before operating.

International transfers over KRW 1 million are subject to stricter requirements. These transfers are limited to wallets verified by users and must be flagged by exchanges. VASPs must also verify customer identities and report any suspicious activity to the authorities.

The sender’s and beneficiary’s names and wallet addresses must be collected. In addition, the sender’s customer identification number, personal document ID number, or foreigner registration number must be provided within three days if requested by the beneficiary VASP or regulators.

UAE Travel Rule

In the United Arab Emirates, oversight of virtual assets is divided between various regulators. The Financial Services Regulatory Authority (FSRA) supervises activities within the Abu Dhabi Global Market (ADGM), while the Virtual Assets Regulatory Authority (VARA) regulates onshore Dubai.

In Dubai, for transfers above AED 3,500, both the sending and receiving VASPs must collect and hold key information about the sender and beneficiary, including:

  • Name
  • Account number or wallet address
  • Residential or business address (for the sender)

The same Travel Rule requirements apply in Abu Dhabi, with no minimum threshold.

VASPs are also expected to implement strong risk management measures, covering:

  • Transactions involving self-hosted wallets and other non-obliged entities
  • All transactions, even if technically compliant with the Travel Rule
  • Anonymity-enhanced transactions
  • Any transaction, or series of transactions, designed to bypass the Travel Rule

What Does the Travel Rule Mean for VASPs?

By implementing the Travel Rule, regulators gain greater visibility into transactions related to buying, selling, transferring, storing, managing, or brokering virtual assets. With standardized data collection, authorities can more easily monitor activity, trace suspicious transfers, and enforce anti-money laundering and counter-terrorist financing rules.

For exchanges and custodians, compliance means investing in new infrastructure to collect, verify, and transmit data securely. Failing to comply risks regulatory penalties or even loss of licenses.

Users may experience less of the anonymity often associated with crypto. While some may see this as a drawback, it also builds greater trust in platforms by aligning them with established financial standards.

For DeFi projects, compliance poses a unique challenge of collecting or sharing customer data without compromising their decentralized nature. In most jurisdictions, non-custodial services face less ambiguity under the Travel Rule.

Key Takeaways

  • The Crypto Travel Rule brings traditional financial safeguards into crypto by requiring VASPs to share sender and recipient information.
  • For VASPs, compliance means new infrastructure, ongoing monitoring, and higher costs, but failure to comply could lead to penalties or loss of license.
  • For users, the rule reduces anonymity but increases trust, transparency, and institutional acceptance of crypto.
  • For regulators, it improves visibility into crypto transactions and strengthens AML/CFT enforcement.

Table of contents

  • What Is the Travel Rule?
  • Who Is Covered by the Crypto Travel Rule?
  • FATF Travel Rule Requirements
  • BSA Travel Rule Requirements

Tell us about your project

Follow Us

Read next:

More related