FATF's Travel Rule for Crypto: The Global Data-Sharing Standard for Virtual Asset Transfers

The Travel Rule has an unglamorous origin. It was created in 1996 by the US Treasury’s Financial Crimes Enforcement Network as a domestic bank wire transfer requirement: when a bank sends money on behalf of a customer, it must pass along the customer’s name, account number, and address to the receiving bank. The logic was simple — if law enforcement later identified a wire transfer as part of a criminal scheme, the data trail should make it possible to trace the transaction back to its origin and identify the parties involved.

In 2019, FATF extended this logic to crypto. When a virtual asset service provider transmits crypto assets on behalf of a customer to another VASP, it must share the originator’s name, account number (or crypto wallet address), and other identifying information with the receiving VASP. The threshold is $1,000 or its equivalent in any currency. The receiving VASP must be able to verify that the beneficiary information it receives corresponds to an actual customer in its systems.

The technical and operational requirements involved in applying a 1996 wire transfer rule to a global, decentralised, pseudonymous payment network account for why the Travel Rule has been the hardest crypto compliance standard to implement.

The Sunrise Problem

The most fundamental implementation challenge is known as the sunrise problem. The Travel Rule only generates useful compliance outcomes when both the sending and receiving VASP are in jurisdictions that have implemented the rule. If a customer of a US exchange sends crypto to a customer of an exchange in a jurisdiction without the Travel Rule, the US exchange must collect and transmit data that the receiving exchange has no regulatory obligation to receive, process, or retain.

This creates a compliance asymmetry. The US exchange has incurred compliance cost. The receiving exchange has not. The data the US exchange transmitted may be stored insecurely, ignored, or simply not received because the receiving exchange’s systems were not built to accept Travel Rule data. The law enforcement trail that the Travel Rule was designed to create does not materialise.

The sunrise problem is not a temporary transitional issue that will resolve when all jurisdictions have implemented the rule. By the time full global implementation is achieved — if it is — the technology landscape will have evolved further. And for transactions involving jurisdictions that choose not to implement the Travel Rule (or that implement it in forms incompatible with major trading partners), the problem is structural rather than transitional.

Technical Solutions: TRISA, OpenVASP, and Sygna Bridge

The crypto compliance industry has developed several technical solutions for VASP-to-VASP Travel Rule data transmission. The three most widely adopted are TRISA, OpenVASP, and Sygna Bridge.

TRISA (Travel Rule Information Sharing Architecture) is a peer-to-peer protocol developed by the Global Digital Finance industry body. It allows VASPs to verify counterparty VASPs’ regulatory status and exchange Travel Rule data through an encrypted channel before completing a transaction. TRISA uses a directory of registered VASPs — equivalent to a trusted counterparty registry — to allow sending VASPs to identify and communicate with receiving VASPs before transmitting funds.

OpenVASP is a decentralised open-source protocol developed by the Swiss VASP industry that takes a different approach: rather than relying on a central directory, it uses the Ethereum blockchain as an identity registry, allowing VASPs to publish their compliance information on-chain and communicate through peer-to-peer messaging. The decentralised approach has philosophical appeal in a crypto context but has seen less adoption than TRISA.

Sygna Bridge is a centralised, commercial solution developed by CoolBitX. It operates as a hub through which VASPs route Travel Rule data, providing a consistent interface even when the sending and receiving VASPs use different underlying protocols. Sygna has been particularly adopted in Asian markets.

The multiplicity of solutions creates an interoperability problem: a VASP using TRISA may not be able to communicate directly with a VASP using Sygna Bridge without translation infrastructure. Industry bodies have worked on protocol interoperability standards, but universal interoperability has not yet been achieved.

The Legislation vs. Implementation Gap

The June 2025 FATF targeted update found that 73% of jurisdictions have passed Travel Rule legislation. This is significant progress. But the gap between legislation and operational implementation is where the compliance system is currently most fragile.

Passing a law requires a legislative process and, in many jurisdictions, a subsequent regulatory rulemaking process. Building the compliance infrastructure to actually implement the rule — VASP registry access, counterparty identification systems, secure data transmission infrastructure, beneficiary verification capacity — requires technology investment, staff training, and operational process changes. Many VASPs in jurisdictions that have passed the Travel Rule have not completed this infrastructure build.

Even where VASPs have built Travel Rule infrastructure, supervisory follow-through varies dramatically. Regulators in some jurisdictions actively supervise Travel Rule compliance, examining whether VASPs are correctly identifying counterparty VASPs, whether data transmission is actually occurring, and whether beneficiary verification is functional. In others, the legislation exists but supervisory capacity to monitor compliance has not been developed. FATF’s mutual evaluation process has identified this gap as a systemic weakness.

The Unhosted Wallet Challenge

The Travel Rule applies to VASP-to-VASP transactions. When crypto moves from a VASP to an unhosted wallet — a wallet controlled by the customer themselves, without a VASP intermediary — the receiving side of the transaction has no entity to receive Travel Rule data. The regulatory question of how to handle such transactions has produced divergent answers.

The EU’s Transfer of Funds Regulation, which implements the Travel Rule for EU crypto service providers, requires that when a CASP (crypto asset service provider) sends to or receives from an unhosted wallet above the threshold, it must collect information about the wallet owner and assess the risk of the transaction. For amounts above €1,000, the CASP must be able to verify that the unhosted wallet is controlled by its own customer.

Switzerland requires VASPs to identify unhosted wallet owners above threshold and to apply enhanced due diligence when unhosted wallet transactions are involved. The FINMA guidance treats unhosted wallets as higher-risk by default.

The United States has not implemented the Travel Rule for crypto in federal legislation, leaving the patchwork of FinCEN guidance and state-level money transmitter regulations as the primary framework. The proposed FinCEN unhosted wallet rule — which would have required financial institutions to collect and report certain information on unhosted wallet transactions — generated significant industry opposition and has not advanced to final rulemaking.

The fundamental tension is between financial privacy (unhosted wallets are the primary mechanism through which crypto users exercise financial autonomy) and AML effectiveness (unhosted wallets are also the primary mechanism through which illicit actors move crypto out of the regulated system). Resolving this tension in ways that are technically workable, legally sound, and politically sustainable remains one of the hardest open problems in global crypto policy.