FATF Travel Rule for VASPs: where global implementation actually stands

The Financial Action Task Force ("FATF") Recommendation 15 and its 2019 Interpretive Note extend the long-standing wire-transfer "Travel Rule" (FATF R.16) to virtual assets and virtual asset service providers ("VASPs"). At its core: any VASP-to-VASP transfer above the de minimis threshold (USD/EUR 1,000 in most adopting jurisdictions) must carry originator and beneficiary identity information.

What must travel

For each in-scope transfer, the originating VASP must obtain, verify (originator only), and transmit to the beneficiary VASP:

• Originator: name, account number / wallet identifier, and one of: physical address, national ID, customer ID, or date+place of birth.
• Beneficiary: name and account number / wallet identifier.

The beneficiary VASP must keep records and take risk-based action when information is missing or incomplete.

Implementation status by major jurisdiction

• EU: the recast Transfer of Funds Regulation (TFR, Regulation (EU) 2023/1113) implements the Travel Rule with no de minimis threshold — all VASP-to-VASP transfers, including those involving self-hosted wallets above EUR 1,000, are in scope. Enforcement began alongside MiCA.
• Singapore: MAS implemented the rule for DPT service providers via Notice PSN02 — threshold SGD 1,500.
• United Kingdom: HMT applied the Travel Rule to cryptoasset transfers from 1 September 2023; FCA supervises.
• United States: FinCEN historically applied the rule to wires above USD 3,000, and a 2020 NPRM proposed extending it to convertible virtual currencies above USD 250 — the rulemaking is unfinalised, but BSA recordkeeping under 31 CFR 1010.410 already imposes substantively similar requirements for MSBs handling CVCs.
• Switzerland (FINMA): requires Travel Rule data on all VASP-to-VASP transfers regardless of amount, and additional verification for transfers to unhosted wallets.
• South Korea, Japan: in force via FSC and FSA respectively, thresholds aligned to FATF.

Self-hosted ("unhosted") wallets

The hardest practical question is what to do when one side of the transfer is a self-hosted wallet with no counterparty VASP. FATF guidance permits jurisdictions to choose. The EU TFR requires verification of self-hosted wallet ownership above EUR 1,000 (e.g. via Satoshi-test signature). FinCEN's 2020 proposal would require recordkeeping but stopped short of ownership verification.

Protocol-level implementations

Three protocols carry the bulk of compliant Travel Rule traffic between VASPs:

• TRP (Travel Rule Protocol) — bank-led specification.
• IVMS 101 — InterVASP messaging standard for the data payload (adopted across protocols).
• TRUST — US-led network operated by a consortium of exchanges.

Most enterprise VASPs subscribe to a vendor (Notabene, Sumsub, Veriscope, etc.) that brokers between these networks.

What this means in practice

• Exchanges: pre-screen each outbound transfer for VASP recipient identification; have a fallback flow for self-hosted destinations consistent with local rules.
• DeFi front-ends: any front-end that custodies user funds or initiates VASP-to-VASP transfers on the user's behalf may itself be a VASP under local law — Travel Rule compliance is then in scope.
• Compliance teams: track FATF mutual evaluation reports for your home jurisdiction — they identify Travel Rule implementation gaps and drive subsequent enforcement priorities.

Primary Sources

• FATF Updated Guidance on VAs and VASPs (2021)
• EU Transfer of Funds Regulation (2023/1113)
• FinCEN 2020 NPRM on convertible virtual currency transactions
• interVASP Messaging Standard (IVMS 101)

Get the briefing in your inbox

One concise email when there's something worth reading. No spam.