Demystifying the Travel Rule for crypto and stablecoins

In 2019, a new regulatory requirement was established that sent the crypto world scrambling to adapt to a new compliance reality. The Financial Action Task Force (FATF) - an intergovernmental body that sets standards to combat global financial crime - introduced the "Travel Rule", so-called because it requires a sender's and recipient's details to "travel" with a transaction. 

The rule was created to prevent money laundering, terrorist financing, and other illicit activity, but it stirred some confusion around implementation and scope. 

This article will outline how the Travel Rule is interpreted and enforced, and answer the most common questions about its scope.  

What exactly is the Travel Rule?

You can think of the Travel Rule as the "return address" requirement for bank wires but for crypto.

When you send a wire transfer, banks are required to attach sender and receiver information so regulators can trace funds if needed. The Travel Rule extends this same concept to virtual assets: when crypto moves between institutions, identifying information must travel with it.

Where did the Travel Rule come from?

Fun fact: the Travel Rule is older than Bitcoin. The Financial Crimes Enforcement Network (FinCEN), the US Treasury bureau responsible for combating financial crimes, first published this requirement in 1996 under BSA rule 31 CFR 103.33(g) for traditional wire transfers. Banks have been following it for 30 years.

In 2019, the Financial Action Task Force (FATF) said crypto needs to follow the same rules. So they extended the requirement to virtual assets through Recommendations 15 and 16.

Now, when crypto moves between regulated platforms, information about the sender and receiver must "travel" with it.

Why you should care about the Travel Rule

If you're a virtual asset service provider (VASP) or simply someone who wants to build in this space, there are a few reasons why you should care about the Travel Rule: 

85 countries now enforce the Travel Rule. It is no longer just a guideline. 

Regulators have stopped issuing warnings and started issuing fines. $32B in US crypto enforcement settlements since 2019 proves the cost of non-compliance is now substantial.

If you're building, operating, or using crypto payment rails, whether that's on-ramps, off-ramps, or cross-border stablecoin transfers, the Travel Rule isn't optional anymore. It's the difference between operating freely and getting blocked by banking partners, exchanges, or regulators.

What information has to "travel" with your transfer?

For the sender (originator)

Every cross-border transfer above the threshold requires: 

  • full legal name
  • wallet address or account number
  • either physical address, national ID, customer identification number, or date and place of birth

For the receiver (beneficiary)

The receiving side needs: 

  • full legal name
  • wallet address or account number

For legal entities, a Legal Entity Identifier (LEI) is also required.
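A completeness check over the data items listed above, run before a transfer is released. This is an added example, not code from the article or from Mesh. The record layout and field names are hypothetical (they are not IVMS101 field names), and the LEI check uses the ISO 17442 format with ISO 7064 MOD 97-10 check digits.

```python
# Originator needs at least one of these (the "either ... or" item above).
ORIGINATOR_ID_FIELDS = ("physical_address", "national_id",
                        "customer_id", "date_and_place_of_birth")


def _to_digits(text):
    # ISO 7064 MOD 97-10 input: digits stay, letters become 10..35 (A=10).
    return "".join(str(int(ch, 36)) for ch in text.upper())


def lei_check_digits(prefix18):
    """Two check digits for an 18-character LEI prefix (ISO 17442)."""
    remainder = int(_to_digits(prefix18 + "00")) % 97
    return f"{98 - remainder:02d}"


def lei_is_valid(lei):
    """True if lei is 20 ASCII alphanumerics whose MOD 97-10 value is 1."""
    if len(lei) != 20 or not (lei.isascii() and lei.isalnum()):
        return False
    return lei[18:].isdigit() and int(_to_digits(lei)) % 97 == 1


def missing_travel_rule_fields(party, role):
    """Return a list of problems; an empty list means the record is complete.

    role is "originator" or "beneficiary"; party is a hypothetical flat dict.
    """
    problems = []
    for field in ("legal_name", "account"):
        # Whitespace-only values count as missing.
        if not str(party.get(field) or "").strip():
            problems.append(f"{role}: missing {field}")
    if role == "originator" and not any(party.get(f) for f in ORIGINATOR_ID_FIELDS):
        problems.append("originator: needs one of " + ", ".join(ORIGINATOR_ID_FIELDS))
    if party.get("is_legal_entity"):
        lei = party.get("lei") or ""
        if not lei:
            problems.append(f"{role}: legal entity without LEI")
        elif not lei_is_valid(lei):
            problems.append(f"{role}: LEI fails format or check-digit validation")
    return problems


# Constructed records; the LEI prefix is made up, not a registered entity.
SAMPLE_LEI = "EXAMPLE0000000VASP" + lei_check_digits("EXAMPLE0000000VASP")
ORIGINATOR_OK = {"legal_name": "Jane Example", "account": "0xCONSTRUCTED01",
                 "date_and_place_of_birth": "1990-01-01, Exampleville"}
ORIGINATOR_BAD = {"legal_name": "  ", "account": "0xCONSTRUCTED02"}
BENEFICIARY_ENTITY = {"legal_name": "Example Trading Ltd",
                      "account": "0xCONSTRUCTED03",
                      "is_legal_entity": True, "lei": SAMPLE_LEI}

if __name__ == "__main__":
    print(missing_travel_rule_fields(ORIGINATOR_OK, "originator"))
    print(missing_travel_rule_fields(ORIGINATOR_BAD, "originator"))
    print(missing_travel_rule_fields(BENEFICIARY_ENTITY, "beneficiary"))
```

The check-digit test catches a mistyped or truncated LEI; it does not show that the identifier is actually registered to the counterparty.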

When does the Travel Rule kick in?

Different regions have different rules about when the Travel Rule applies, and that's where it gets tricky. 

In the EU, for example, the rule applies to all transfers between crypto service providers, with no minimum amount. In the UK, it applies to all crypto transactions, regardless of size. In the US, the rule only applies to transfers above $3,000. In Singapore, the threshold is SGD 1,500 (about $1,100).

To complicate matters more, the threshold isn't just about single transfers. If multiple smaller transactions appear linked and total above the threshold, Travel Rule requirements still apply. This prevents "structuring": deliberately splitting large transfers to avoid compliance triggers.
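The threshold and linked-transfer logic described above, as an added example that is not code from the article or from Mesh. The article does not define "linked", so the 24-hour window and the same originator/beneficiary pairing are assumptions, as are the sample transfers; amounts are assumed to be already converted to the jurisdiction's currency.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as quoted in the article, each in the jurisdiction's own currency
# (USD for US, SGD for SG). 0 = every transfer between providers is in scope.
THRESHOLDS = {"EU": 0, "UK": 0, "US": 3000, "SG": 1500}

# Assumption: "linked" means same originator and beneficiary within 24 hours.
LINK_WINDOW = timedelta(hours=24)

SINGLE = "single transfer above threshold"
LINKED = "linked transfers total above threshold"


def travel_rule_hits(transfers, jurisdiction, window=LINK_WINDOW):
    """Return {transfer_id: reason} for transfers that need Travel Rule data.

    The comparison is strict, following the article's wording ("above").
    """
    threshold = THRESHOLDS[jurisdiction]
    hits = {}
    recent = defaultdict(list)  # (originator, beneficiary) -> [(time, amount, id)]
    for t in sorted(transfers, key=lambda t: t["time"]):
        key = (t["originator"], t["beneficiary"])
        # Drop earlier transfers that have aged out of the linking window.
        linked = [r for r in recent[key] if t["time"] - r[0] <= window]
        linked.append((t["time"], t["amount"], t["id"]))
        recent[key] = linked
        if t["amount"] > threshold:
            hits[t["id"]] = SINGLE
        if sum(amount for _, amount, _ in linked) > threshold:
            # The aggregate crossed the line, so every transfer that
            # contributed to it is in scope, not just the latest one.
            for _, _, tid in linked:
                hits.setdefault(tid, LINKED)
    return hits


# Constructed sample data (not from the article).
DAY1 = datetime(2025, 3, 3)
SAMPLE = [
    {"id": "t1", "originator": "cust-A", "beneficiary": "wallet-1",
     "amount": 2500, "time": DAY1 + timedelta(hours=9)},
    {"id": "t2", "originator": "cust-A", "beneficiary": "wallet-1",
     "amount": 900, "time": DAY1 + timedelta(hours=15)},
    {"id": "t3", "originator": "cust-B", "beneficiary": "wallet-2",
     "amount": 2500, "time": DAY1 + timedelta(hours=10)},
    {"id": "t4", "originator": "cust-A", "beneficiary": "wallet-1",
     "amount": 400, "time": DAY1 + timedelta(days=2, hours=9)},
]

if __name__ == "__main__":
    for jurisdiction in ("US", "EU", "SG"):
        print(jurisdiction, travel_rule_hits(SAMPLE, jurisdiction))
```

Under the US threshold, t1 and t2 are each below $3,000 but are caught together, while the unrelated t3 of the same size is not; under the EU's zero threshold every transfer is in scope.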

The global landscape: Who's enforcing what?

Europe: the strictest rules on the planet

The EU implemented the world's most stringent Travel Rule through the Transfer of Funds Regulation, effective December 30, 2024. 

Key points:

Zero threshold for CASP-to-CASP* transfers: Every single transaction requires Travel Rule data, regardless of amount. The regulation explicitly states crypto transfers should follow the same requirements "regardless of their amount" due to their speed and global reach.

€1,000 threshold for self-hosted wallets: Above this threshold, you must verify wallet ownership through cryptographic signature or microtransaction testing.

No grace period exemptions: Travel Rule obligations applied from December 30, 2024, even for firms still in MiCA's** grandfathering period.

The European Banking Authority (EBA), which oversees banking regulation across the EU, has been crystal clear: "non-compliance with Regulation (EU) 2023/1113 is not accepted."

*A CASP is a Crypto Asset Service Provider - any business that provides services for crypto assets. It's the EU's preferred term for a VASP (Virtual Asset Service Provider).

**MiCA (Markets in Crypto-Assets) is the EU's new regulatory regime for crypto firms.

United Kingdom: Early adopter, strict enforcer

The UK implemented its Travel Rule on September 1, 2023. Like the EU, there's no threshold for basic data exchange - all transactions require originator and beneficiary names plus wallet addresses.

For unhosted wallets, UK firms must collect beneficiary information from their customer (they're not required to transmit to the wallet itself). The UK's Joint Money Laundering Steering Group (JMLSG), an industry body that publishes AML guidance for UK financial services firms, specifically cites micro-deposits and cryptographic signatures as acceptable verification methods.

United States: Higher thresholds, aggressive enforcement

The US maintains a $3,000 threshold that is significantly higher than FATF's recommended $1,000. But don't let that fool you into thinking enforcement is lax.

Travel Rule violations are, according to FinCEN, "the most commonly cited violation by the IRS against Money Services Businesses (MSBs) engaged in Convertible Virtual Currency (CVC) money transmission."

Recent enforcement actions tell the story:

  • Binance settled for $4.3B in 2023 for willful violations of the Bank Secrecy Act and sanctions laws, making it the largest crypto enforcement action in history.
  • BitMEX paid $100M in penalties across 2021-2022 for operating an unregistered trading platform and failing to implement basic AML controls. 
  • Bittrex settled for $53M in 2022 in the first parallel FinCEN and OFAC enforcement against a crypto firm, for processing transactions with sanctioned jurisdictions including Iran, Cuba, and Crimea. 
  • Paxos paid $48.5M in 2025 for due diligence failures related to its stablecoin partnership with Binance, where inadequate transaction monitoring allowed $1.6B in suspicious activity.

Asia-Pacific: A patchwork of timelines

Singapore was among the earliest adopters (January 2020), with a SGD 1,500 threshold triggering expanded identity requirements.

Japan claims to be the "first major developed country" to fully implement the Travel Rule (June 2023).

Hong Kong achieved full compliance on January 1, 2024, with an HKD 8,000 (~$1,025) threshold.

Australia is still transitioning, with full implementation scheduled for March 31, 2026.

The "sunrise problem": What happens when rules don't match?

Here's a compliance headache that doesn't get enough attention: what happens when a VASP in a compliant jurisdiction (like the EU) transacts with one in a non-compliant jurisdiction?

This "sunrise problem" creates operational dilemmas: should the compliant VASP refuse the transaction, attempt to collect information from non-compliant VASPs (often impossible), or risk penalties?

Counterparty VASP due diligence: The often-overlooked requirement

The Financial Action Task Force (FATF) explicitly recommends treating counterparty VASP relationships like correspondent banking relationships, applying the same rigorous due diligence traditional banks apply to each other.

Questions to ask before transacting with a new VASP

Before establishing a relationship with a counterparty VASP, you should verify:

  • Where are they incorporated and regulated? Know their licensing status with local financial regulators.
  • Who are the real individuals who ultimately own or control the company? Ultimate Beneficial Owners (UBOs) should be screened for individuals holding prominent public positions who pose higher corruption risk, aka Politically Exposed Persons (PEPs).
  • What are their KYC/AML processes? Investigate and approve their customer verification standards.
  • What third-party services do they use? Understand their compliance technology stack.
  • What are their data privacy standards? Ensure alignment with your obligations.
  • How do you verify their identity? Establish authentication to prevent imposters intercepting transfers.

This due diligence should be integrated continuously into your AML process for approving or denying transactions, not treated as a one-time checkbox.

Below-threshold transactions

Even transactions below the threshold require due diligence if there's any suspicion of money laundering or illicit activity. The threshold isn't a compliance safe harbor; it's a trigger for additional requirements.

Suspicious transactions, regardless of size, must be reported to relevant authorities. Travel Rule compliance connects to broader AML obligations that apply at every transaction level.

How do VASPs actually share this information?

IVMS101: The universal language

The InterVASP Messaging Standard 101 (IVMS101) provides standardized terminology and message formats for communicating originator and beneficiary information. Think of it as the common language that all Travel Rule solutions speak.

Developed by 130+ technical experts with input from the Financial Action Task Force (FATF), the Financial Crimes Enforcement Network (FinCEN), the Monetary Authority of Singapore (MAS), the Financial Conduct Authority (FCA), and the Japan Financial Services Agency (JFSA), IVMS101 was formally adopted on May 6, 2020. It's modeled after ISO 20022 messaging standards used in traditional finance. 

Today, virtually every Travel Rule solution either uses IVMS101 or has announced plans to support it.

Two protocols dominate: TRISA and TRP

Once VASPs have standardized their data using IVMS101, they need a way to actually transmit it to counterparties. Two messaging protocols have emerged as the primary infrastructure for this exchange.

Travel Rule Information Sharing Architecture (TRISA) uses a peer-to-peer architecture with certificate-based authentication. VASPs register, receive certificates, and use encrypted "secure envelopes" to transmit data.

Travel Rule Protocol (TRP) offers a decentralized, royalty-free approach built on familiar web technologies. It uses "Travel Addresses" - similar to IBANs - that encode VASP identifiers and enable automatic counterparty discovery.

In 2024, TRISA and TRP achieved interoperability, allowing VASPs using either protocol to exchange Travel Rule data seamlessly.

How do you prove someone owns a wallet?

When transfers involve self-hosted wallets, VASPs must verify that the customer actually controls that wallet. Two methods dominate:

Where does the Travel Rule apply in real payment flows?

Understanding the theory is one thing, but compliance teams need to know exactly where Travel Rule obligations arise in day-to-day operations. Here's how requirements map to common transaction types.

On-ramps (fiat → crypto)

Exchanges must complete KYC on the customer, collect and verify originator information, and screen against sanctions. If crypto is sent externally to another VASP, Travel Rule data must be transmitted. For self-hosted wallets, beneficiary information must be collected from the customer.

Off-ramps (crypto → fiat)

When receiving crypto from a VASP, Travel Rule data must be received and verified. From self-hosted wallets, originator information must be collected and ownership assessed. All incoming funds require blockchain analytics screening.

Cross-border B2B stablecoin payments

This is where it all comes together. The sending VASP must collect full originator and beneficiary details, transmit Travel Rule data "immediately and securely," and screen both parties against sanctions. The receiving VASP must verify incoming data accuracy and assess transaction risk.

Record keeping: The five-year rule

VASPs must retain Travel Rule records for a minimum of five years and be able to produce transaction-level audit trails on demand. This includes:

  • All originator and beneficiary information collected
  • Travel Rule data transmitted and received
  • Counterparty VASP due diligence documentation
  • Wallet ownership verification records
  • Any suspicious activity assessments

Regulators expect you to reconstruct any transaction's compliance history across chains, intermediaries, and counterparties.

Choosing a Travel Rule compliance partner

Building Travel Rule compliance in-house is possible, but cross-jurisdictional complexity makes partnering with specialized providers more practical for most teams.

Capabilities that matter

Jurisdiction-aware automation. A $2,500 transfer is below threshold in the US but requires full compliance in the EU. The right solution applies different rules automatically with no manual lookups or missed obligations.

Protocol interoperability. Your counterparties use different messaging protocols. Look for support across IVMS101 (the standard data format), TRISA (a peer-to-peer network using certificate-based encryption and "secure envelopes"), and TRP (a decentralized protocol using unique "Travel Addresses" for counterparty discovery). Since 2024, TRISA and TRP are interoperable, but your solution still needs to speak both.

Counterparty discovery. You can't transmit Travel Rule data if you don't know who you're transacting with. VASP directories and automatic wallet-to-platform identification are essential.

Unified screening. Sanctions checks and blockchain analytics should happen in one workflow, not bolted together from separate vendors.

How Mesh fits in

Mesh operates at the connectivity layer, the point where your platform interacts with external wallets, exchanges, and counterparties. This is where Travel Rule compliance either happens smoothly or breaks down.

Rather than replacing your compliance stack, Mesh provides the infrastructure that makes Travel Rule execution practical at scale.

| What Mesh does | Why it matters |
| --- | --- |
| Verifies wallet and account ownership before transfers execute | You're confirming recipients are who they claim, not trusting user input |
| Identifies counterparty type automatically (VASP vs. self-hosted) | Correct compliance path applied without manual classification |
| Captures verification steps, timestamps, and outcomes at transaction level | Audit documentation is built in, not reconstructed later |
| Connects to 300+ platforms through a single integration | Consistent checks everywhere, not one-off builds per destination |

Who owns what

Travel Rule compliance spans multiple teams. Define ownership before an audit forces the conversation:

| Function | Owner |
| --- | --- |
| Policy and regulatory interpretation | Compliance + Legal |
| Implementation in code | Engineering (Product defines requirements, Compliance validates) |
| Monitoring regulatory changes | Shared: Compliance tracks, Engineering implements, Vendors update tooling |

What about DeFi and AI agents?

DeFi

The Travel Rule applies at every regulated touchpoint. When users move funds from a VASP to a DeFi protocol (or vice versa), the VASP has Travel Rule obligations.

FATF's 2025 findings reveal a significant gap between regulatory intent and enforcement reality for DeFi. Only four jurisdictions worldwide have formally registered any DeFi entities. And while 75% of surveyed jurisdictions claim that DeFi falls under their existing VASP regulations, none of those jurisdictions have actually identified or registered a single DeFi platform in practice.

AI agents

Google's Agent Payments Protocol and Coinbase's x402 Protocol enable AI agents to initiate autonomous crypto payments. But who is the "originator" when an AI agent sends funds? How do VASPs perform KYC on autonomous systems?

No explicit regulatory guidance exists yet. Industry concepts like "Know Your Agent" (KYA) are emerging, but frameworks haven't caught up.

Quick reference: Key terms decoded

VASP (Virtual Asset Service Provider): FATF's global term for entities conducting exchange, transfer, or custody of virtual assets.

CASP (Crypto-Asset Service Provider): The EU's version of VASP under their MiCA regulation. Same concept, different acronym.

Note: Throughout this article, we use VASP when discussing global standards and CASP specifically in EU regulatory contexts.

Originator: The sender or the person ordering the transfer.

Beneficiary: The receiver or the intended recipient.

Hosted wallet: A custodial wallet where a third party (like Coinbase or Binance) holds your keys. Full Travel Rule obligations apply.

Unhosted wallet (self-hosted): A wallet where you control your own keys (Ledger, MetaMask). The VASP counterparty must collect information from their customer.

Travel Rule data transfer: The customer information that must accompany a regulated transaction between VASPs.

The bottom line

The Travel Rule has evolved from regulatory aspiration to operational reality. With 85 jurisdictions enforcing legislation, major grace periods ended, and billions in enforcement settlements, compliance is now table stakes.

The technical infrastructure - IVMS101, interoperable protocols, and automated wallet verification - has matured. The remaining challenges are operational: navigating threshold divergence, managing cross-border complexity, conducting proper counterparty due diligence, and preparing for emerging requirements around DeFi and AI payments.

Ultimately, firms that treat Travel Rule compliance as a core operational capability will be best positioned to manage risk and support the continued growth of regulated digital asset markets. With enforcement accelerating, you'll want to be counted among them.

Building crypto payment infrastructure? Mesh provides enterprise-grade connectivity across 300+ exchanges and wallets, with built-in wallet ownership verification and compliance infrastructure designed for scale.
