The Crypto Travel Rule Guide for 2026

Regulatory walls have quickly closed in on the crypto industry over the past few years. One of the most consequential and misunderstood changes is the Travel Rule. If you operate a crypto exchange, custody service, or any platform that moves digital assets between parties, this rule affects you directly. Here is a thorough breakdown of what it is, where it came from, and how different jurisdictions are applying it now.

What is the Travel Rule in crypto?

The Travel Rule requires Virtual Asset Service Providers (VASPs) and financial institutions to collect, retain, and transmit specific identifying information about the sender and recipient whenever a virtual asset transfer occurs. The name comes from the idea that personal data must "travel" with the transaction, making every crypto transfer more traceable and transparent.

This concept did not originate in crypto. Travel Rule was already standard practice in traditional finance long before blockchain existed. What has changed is that regulators have extended the same logic to digital asset transfers, requiring crypto businesses to provide the same level of transparency that banks have long been expected to provide.

Who established the crypto Travel Rule and why

The Financial Action Task Force (FATF), an intergovernmental body founded in 1989, is the organization behind the Travel Rule as it applies to crypto. FATF develops the international standards for combating money laundering and terrorist financing, and in June 2019, it expanded its Recommendation 15 to cover virtual assets and VASPs specifically. The core mandate behind the rule comes from FATF Recommendation 16, which addresses wire transfers and was later extended to virtual asset transfers through an interpretative note updated in 2021.

The reasoning is straightforward: criminal actors had identified crypto transfers as a relatively opaque channel for moving illicit funds. Law enforcement agencies had repeatedly flagged incomplete or missing records as a major obstacle in financial crime investigations. The Travel Rule was designed to close that gap by ensuring that every transfer involving a regulated entity carries a verifiable information trail.

Before FATF's global push, the United States had already operated a version of this rule under theBank Secrecy Act. The BSA's "Travel" regulation, issued by FinCEN and effective from May 1996, required all financial institutions to pass certain information to the next institution in funds transmittals above $3,000. That framework laid the conceptual groundwork for what eventually became the global crypto standard.

Who must comply with the crypto Travel Rule?

The rule applies to any VASP engaged in virtual asset transfers. FATF defines a VASP as any business that provides at least one of the following: exchanging virtual assets for fiat currencies, exchanging one virtual asset for another, transferring virtual assets, safekeeping or administering virtual assets, or participating in financial services related to an issuer's sale of a virtual asset.

In practical terms, this covers crypto exchanges, custodians, broker-dealers, and similar platforms. Peer-to-peer transfers between individuals using self-hosted (unhosted) wallets generally fall outside direct VASP-to-VASP obligations, though many jurisdictions require VASPs to still collect and retain counterparty information when a transfer involves such a wallet on one end. Financial institutions processing wire transfers that intersect with virtual assets are also brought into scope.

The rule also applies to intermediary VASPs, meaning businesses that are not the originator's or beneficiary's service provider but receive and transmit transfers on behalf of other parties. They must pass along the travel rule data they receive without removing or altering it.

Crypto Travel Rule thresholds

This is where it gets complicated and messy from a compliance standpoint. FATF recommends a de minimis threshold of $1,000 or €1,000, below which reduced data requirements apply. But individual countries set their own thresholds, and the variation is significant.

The United States applies a $3,000 threshold under the BSA's Travel Rule, which is higher than the FATF recommendation. Canada requires compliance for electronic funds and virtual currency transfers of CAD 1,000 or more. The European Union has no specified threshold under its Transfer of Funds Regulation, meaning the rule applies to all transfers regardless of size. Switzerland similarly has no minimum threshold and requires compliance on every transaction where a regulated entity is involved.

Some jurisdictions set thresholds in their local currencies. South Korea applies the rule to transactions equivalent to KRW 1,000,000. The UAE mainland uses AED 3,500. South Africa set its threshold at R5,000. The result is a patchwork of minimums that a globally operating VASP has to map carefully against each jurisdiction it touches.

What FATF actually requires in terms of data

For transfers above the $1,000/€1,000 threshold, originating VASPs must collect and transmit the following details:

• Originator's full name
• Account number (such as a wallet address)
• Physical address
• National identification or tax number
• Date and place of birth
• Beneficiary's full name
• Beneficiary's account number

For transfers below that threshold, FATF still requires the names of both parties and a wallet address or unique transaction reference number, though verification is only triggered when money laundering or terrorist financing risks are present.

On the receiving side, the beneficiary VASP must obtain and verify the accuracy of the information, retain records, screen both parties against sanctions lists, monitor transactions for suspicious patterns, and report when concerns arise. Both originating and beneficiary VASPs are expected to conduct due diligence on their counterparties before sharing data, particularly when dealing with VASPs outside their own jurisdiction.

How Travel Rule data actually gets transferred

FATF does not prescribe a specific technology or protocol for transmitting travel rule information between VASPs, creating a fragmentation problem in the industry. There is no single universal messaging network like SWIFT for traditional wire transfers. Instead, several competing protocols and networks have emerged, including TRISA, OpenVASP, Sygna Bridge, and others, and not all are interoperable.

The information must be transmitted before or at the same time as the transaction, not afterward. When a VASP receives a transfer lacking the required information, it must take reasonable steps to obtain it and have written, risk-based policies to decide whether to allow, suspend, or reject the transaction. Canada's FINTRAC guidance is clear that information received under the travel rule cannot be removed once included.

Data security matters here too. VASPs handle sensitive personal information, and transmitting that data must comply with privacy laws, including GDPR in Europe. This creates tension between the obligation to share and the obligation to protect.

Crypto Travel Rule application in the US

The United States was ahead of most countries on the Travel Rule concept, though its application to crypto has evolved gradually. Under the BSA framework administered by FinCEN, the rule applies to fund transmittals of $3,000 or more. Banks, securities brokers, money transmitters, and similar financial institutions have been subject to this since 1996.

FinCEN confirmed in 2019 that convertible virtual currency transactions fall under existing BSA obligations, meaning exchanges and money services businesses dealing in crypto must apply the same travel rule requirements as traditional financial institutions. The $3,000 threshold remains, which is higher than the FATF-recommended $1,000. There is no federal requirement for self-hosted wallet verification, and VASP due diligence is not mandated federally.

EU crypto Travel Rule implementation

The European Union took a different and frankly more aggressive position. The Transfer of Funds Regulation (TFR), formally Regulation (EU) 2023/1113, came into force across all EU member states on 30 December 2024. It extends the existing wire transfer framework to cover crypto-asset transfers and applies to all Crypto-Asset Service Providers (CASPs), which is the EU's terminology for what FATF calls VASPs.

There is no minimum transaction threshold under the EU TFR. Every transfer involving a CASP is in scope. For transfers to or from self-hosted wallets exceeding €1,000, CASPs must verify ownership or control of the wallet. When a CASP is establishing a correspondent relationship with a CASP registered outside the EU, VASP due diligence is required. The European Banking Authority (EBA) published detailed guidelines in July 2024 that clarify how firms should handle incomplete information, assess counterparty risk, and manage transfers involving jurisdictions that have not yet implemented the Travel Rule.

Crypto Travel Rule in Switzerland

Switzerland had the Travel Rule in force from 1 January 2020, well before many other major financial centers acted. The framework sits within the Swiss Anti-Money Laundering Act (GwG), the Money Laundering Ordinance (GwV), and FINMA's own ordinance (GwV-FINMA), alongside FINMA's supervisory communication 02/2019, which specifically addressed blockchain-based payments.

There is no minimum transaction threshold in Switzerland. The rule applies to every transfer where a regulated entity is involved, and FINMA has made clear that there are no exceptions for payments involving unregulated wallet providers. For self-hosted wallet transfers, Swiss VASPs are required to verify ownership on all transactions, not just those above a certain amount. This makes Switzerland's regime one of the strictest in the world in terms of scope, which honestly reflects the country's broader positioning as a rigorous but crypto-friendly financial hub.

Crypto Travel Rule in Germany

Germany's implementation story is a bit of a two-chapter situation. The country introduced its own national Travel Rule in October 2021 through the Kryptowertetransferverordnung (KryptoWTransferV), which was built on the German Money Laundering Act (GwG). It required VASPs to collect and transmit originator and beneficiary data for all VASP-to-VASP transfers, with reduced requirements for transactions below €1,000.

The KryptoWTransferV was updated in May 2023, and it included a grace period mechanism allowing obligated entities up to 24 months to meet their obligations where compliance was not yet technically feasible. From 30 December 2024, the national regulation was effectively superseded by the EU TFR, which now governs all crypto-asset transfers for German CASPs. BaFin, the Federal Financial Supervisory Authority, serves as the supervisory body under both frameworks. Under the EU TFR, transactions with self-hosted wallets now also fall into scope when a CASP is involved, and proof of wallet ownership is required for transfers exceeding €1,000.

How the Travel Rule is implemented in other key jurisdictions

The global picture is uneven, and keeping track is a real operational challenge for internationally active VASPs.

Canada has had the rule in force since June 2021 under FINTRAC's guidance. It applies to financial entities, money services businesses, and casinos for both electronic funds transfers and virtual currency transfers at or above CAD 1,000. The required information for virtual currency transfers includes the originator's name, address, and account number, as well as the same details for the beneficiary. If a transfer arrives without the required information, the receiving firm must take reasonable steps to obtain it and must have policies that specify what happens if those steps fail.

The United Kingdom brought the Travel Rule into force on 1 September 2023 under amendments to the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017. The FCA set out clear expectations for cryptoasset businesses, noting that firms must take all reasonable steps and exercise due diligence to comply, even when using third-party suppliers for compliance infrastructure. UK firms must fully comply when transacting with other UK-based firms or firms in jurisdictions where the rule is active. When sending to jurisdictions that have not yet implemented it, UK firms must still collect and verify the information and retain it before proceeding.

Singapore was among the earliest adopters, with the rule in force from January 2020 underMAS Notice PSN02 and the Payment Services Act 2019. There is no threshold, and self-hosted wallet verification is required for all transactions.

Japan has had the rule in force under its Act on Prevention of Transfer of Criminal Proceeds, with the Japan Virtual and Crypto Assets Exchange Association (JVCEA) introducing a self-regulatory version from April 2022 and formal amendments entering force in June 2023.

Australia is one of the jurisdictions still preparing for implementation, with its Travel Rule taking effect on 31 March 2026 under new AUSTRAC rules.