The Financial Action Task Force (FATF) Travel Rule is an important piece of anti-money laundering and countering the financing of terrorism (AML/CFT) guidance. It states that virtual asset service providers (VASPs) should collect information on transaction senders and receivers.
As part of its role as the global AML/CFT standard-setter, the FATF maintains a list of measures – the 40 Recommendations – that individual jurisdictions are encouraged to translate into domestic legislation. The Travel Rule was introduced in 2019 as an update to Recommendation 16, which specifies that financial institutions (FIs) should include identifying data on the originators and beneficiaries of cross-border and domestic wire transfers throughout the payment chain. This data is said to ‘travel’ with the payments, hence the name of the rule. The recommendation also states that firms should monitor transactions to detect any lacking information and take appropriate action.
Implementation of the Travel Rule has not been straightforward: in a 2024 notice, the FATF criticized the slowness of some jurisdictions to achieve this and the enforcement rates in countries that had.
Why was the Travel Rule created?
The FATF Travel Rule addresses the AML/CFT challenges associated with the increasing global use of cryptocurrency and virtual assets (VAs). While the anonymity of crypto and VA transactions has attracted a wide range of customers to these technologies, it has left them open to exploitation by criminals who use them to launder money and evade detection. The rapid growth of the VA sector has led to regulatory gaps, a situation which the Travel Rule is intended to address.
The Travel Rule enhances AML/CFT efforts by increasing the traceability of VA transfers, allowing FIs and law enforcement agencies to detect criminal activity more effectively. Given this importance, all VASPs and other regulated entities should be familiar with the Travel Rule and its requirements.
What does the FATF Travel Rule require?
The Travel Rule applies to all VASPS, whether they are ordering, intermediary, or beneficiary institutions in a transaction. This includes:
- Crypto exchanges
- Wallet providers and custodians
- Brokerage firms
- Crypto hedge funds
- Crypto ATMs
- Mining pools
The FATF recommends a $1000 (or €1000) minimum threshold for transactions subject to the full Travel Rule. For transactions below this amount, VASPS should collect the names and VA wallet addresses of the originator and beneficiary. For transactions above the threshold, the following data should also be collected:
- The originator’s name, physical address, VA wallet or account number, national identity or customer identification number, and date and place of birth.
- The beneficiary’s name and VA wallet or account number.
AML regulations and the FATF Travel Rule
Since the FATF is not a regulator, firms are not legally required to follow its Recommendations directly. Instead, it is up to individual member states to implement them via domestic laws. Despite the FATF’s 2024 admission that global implementation of the Travel Rule was “lagging,” some jurisdictions have made progress. These include:
- United States: The Bank Secrecy Act, the most important piece of AML legislation in the US, has included a section known as the “Travel” rule since 1996. Like the FATF rule, this requires FIs to include information such as names, addresses, and account numbers with money transfers. In 2019, the Financial Crimes Enforcement Network (FinCEN), the country’s primary AML regulator, issued a notice confirming this applied to all VASPs.
- United Kingdom: Since September 2023, the Financial Conduct Authority (FCA) has compelled crypto firms to collect, verify, and share information per FATF guidance. This applies even when sending funds to a jurisdiction that does not have a version of the Travel Rule.
- European Union: In June 2023, Regulation (EU) 2023/1113 came into effect, which is, in effect, the EU’s version of the Travel Rule and extends existing information-gathering requirements to VASPs. In 2024, the European Banking Authority (EBA) released guidance specifying the information firms had to effect – including names, identity document numbers, and account numbers – and how to proceed in cases where information is missing.
- Singapore: Singapore’s version of the Travel Rule is known as MAS (Monetary Authority of Singapore) Notice PSN02, which has been in effect since 2020. This rule’s requirements are similar to equivalents in other jurisdictions, although less stringent demands apply for transfers under $1500.
A Guide to Anti-Money Laundering for Crypto Firms
Our hands-on guide outlines crypto firms' biggest compliance challenges and how they should respond. Read it to find out how to scale a crypto AML program, how to navigate regulatory change, and the threats to look out for.
Download your copy
The challenges of implementing the Travel Rule
Compliance with the Travel Rule and its variants worldwide places significant demands on firms regarding data collection, verification, sharing, and privacy. Specifically, these include:
- Regulatory inconsistency: As the FATF has made clear, the global rollout of the Travel Rule has been fragmented, although many major financial centers do have versions of it in place. This means firms operating internationally must consider all relevant regulations and not assume compliance in one jurisdiction means compliance in all.
- Achieving compliance while keeping customers satisfied: Many customers are attracted to the virtual assets market because of its speed, simplicity, and streamlined onboarding relative to the demands of traditional FIs. Suppose a firm’s onboarding and screening processes add unnecessary complexity or delays to the customer journey. In that case, many will take their business elsewhere, which means firms must look for a solution that reduces friction without compromising on effectiveness.
- Balancing AML and data security concerns: VASPs and financial institutions must develop AML solutions that allow them to share the necessary data while following existing privacy laws, such as the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act. In a 2024 update on information-sharing, the UK government acknowledged firms’ concerns about liability for confidentiality breaches.
- Rising compliance costs: While traditional FIs are often well-versed in regulatory compliance, VASPs have only fallen under regulatory scrutiny relatively recently, with the Travel Rule only applying to them since 2019. Some firms, therefore, may not be set up to handle the additional work and investment in hiring and tools that compliance requires. These firms should consider the range of available AML software solutions and choose one that is suited to their needs and is highly cost-effective.
How can firms comply with the FATF Travel Rule?
Aided by specialist AML software solutions, FIs can meet their compliance challenges efficiently and turn compliance into a business asset. Firms dealing in virtual assets should capitalize on their technological capabilities and appetite for innovation to meet and exceed regulatory expectations by:
- Conducting risk-based due diligence at onboarding: All FIs, including crypto firms and other VASPs, must collect certain information to verify the identities of new customers and screen them for AML risks. Depending on the level of risk a customer represents, enhanced due diligence (EDD) may be required, which could involve asking for further identifying materials or source of funds (SOF) and source of wealth (SOW) checks.
- Having a data-sharing mechanism in place: The demands of the Travel Rule mean firms should, in practice, implement information-sharing measures alongside collecting customer data. This allows the necessary data to be easily sent to intermediary or beneficiary institutions when processing transactions. Firms should ensure their solution meets data security standards, including GDPR and ISO27001.
- Using an API-based solution: An Application Programming Interface (API) allows different software components to communicate and transfer information with a set of tools and protocols. This means AML workflows can be integrated automatically with customer and risk data. In its guidance on implementing the Travel Rule, the FATF advises firms to make use of API technology.
- Screening payments in real-time: The purpose of the Travel Rule is to allow FIs to detect any red flags associated with payments and reduce the possibility of virtual assets being misused. To optimize their defenses against financial crime, firms should implement a payment screening solution that uses real-time sanctions and watchlist data, minimizing their risk exposure.
- Reporting suspicious transactions: If any information attached to payments may indicate a customer’s involvement in money laundering, terrorist financing, or another kind of financial crime, firms must investigate further and report any suspicious activity to their local financial intelligence unit (FIU) if necessary.
AI-powered compliance tools for crypto firms
ComplyAdvantage’s global customer base includes firms providing services around cryptocurrency and virtual assets. With tailored compliance solutions enhanced by artificial intelligence (AI) and machine learning (ML), these companies have been able to upgrade their protections against financial crime and demonstrate compliance with regulations like the Travel Rule.
ComplyAdvantage’s advanced AML solutions come with:
- Real-time data: Our proprietary risk data covers sanctions, watchlists, politically exposed persons (PEPs), and adverse media. Information is sourced straight from regulators and other reliable sources, refreshed with automated systems to reduce delays in updates, and verified by expert teams.
- Payment screening with high straight-through processing: Firms using ComplyAdvantage payment screening have experienced up to 60 percent reductions in false positives, and 99 percent of transactions processed instantly, ensuring compliance and business growth go hand in hand.
- API-based integration: ComplyAdvantage customers go from using old, siloed data split across multiple systems to workflows dynamically integrated with all the latest information they need.
- Full compliance with data security measures: Firms can rest assured their compliance solution keeps their customers’ personal data safe. ComplyAdvantage software fulfills data protection requirements alongside AML regulations and meets the standards for GDPR compliance and ISO27001 certification.
Speed up your onboarding and boost customer satisfaction
Get a fully automated screening and monitoring solution tailored to your organization’s needs. Grow your business while meeting regulatory requirements with scaleable compliance solutions.
Get a demo