FATF Travel Rule 2026 — Crypto Global Standard Practitioner Guide

The global standard

FATF Recommendation 16 sets the global standard for wire transfer transparency. The recommendation requires originating financial institutions to obtain, hold, and transmit originator and beneficiary information accompanying wire transfers, and beneficiary institutions to monitor for incoming transfers lacking required information.

The Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs published by FATF in June 2019 applied Recommendation 16 to virtual asset service providers. Through subsequent refinements (October 2021 amendment, March 2024 updates), the framework has stabilised into the operational global standard for crypto-asset transfer transparency.

By 2026 every major crypto-active jurisdiction has implementing legislation:

• European Union — Regulation (EU) 2023/1113 (TFR) operational since December 2024
• United States — FinCEN guidance under Bank Secrecy Act with operational enforcement
• United Kingdom — Money Laundering Regulations 2017 amendments operational September 2023
• Singapore — MAS Notice PSN02 with Travel Rule provisions for DPT service providers
• Switzerland — FINMA framework integrated with broader Swiss AML obligations
• Various Asia-Pacific, MENA, and LATAM frameworks through 2024-2026

The framework is operational. The interoperability between jurisdictions remains uneven. The compliance build for crypto operators is real and ongoing.

What the Travel Rule actually requires

Travel Rule compliance has three operational components:

Information collection at originator side. When a customer initiates a crypto-asset transfer to another VASP, the originating VASP must collect:

• Originator information: Customer name, account or wallet identifier used for the transfer, and at least one of: address, official document number, or date and place of birth
• Beneficiary information: Recipient name and account or wallet identifier at the receiving VASP

The information must be accurate at the moment of transfer. Customer self-attestation without verification is the most common compliance gap.

Information transmission to beneficiary VASP. The originating VASP must transmit the collected information to the beneficiary VASP before or simultaneously with the underlying crypto-asset transfer. The transmission happens through Travel Rule technology protocols — VASP-to-VASP messaging frameworks that handle the data exchange.

Beneficiary VASP screening and retention. The beneficiary VASP must check incoming transfers for required information, screen against sanctions and PEP lists, and retain the data per applicable record-retention requirements (typically five years).

EU Transfer of Funds Regulation (TFR)

The EU TFR (Regulation 2023/1113) is the most demanding Travel Rule implementation globally. The framework operates under several distinctive features.

Zero threshold. Unlike most jurisdictions, EU TFR applies to all crypto-asset transfers between CASPs regardless of value. There is no de minimis exemption. A EUR 50 transfer requires the same Travel Rule information as a EUR 50,000 transfer.

Self-hosted wallet rules under Article 14. Crypto-asset transfers from a CASP to a self-hosted wallet, or from a self-hosted wallet to a CASP, face specific rules. Above EUR 1,000, the CASP must verify that the self-hosted wallet is controlled by the customer or by a defined related person. Below EUR 1,000, monitoring obligations apply but verification is risk-based.

Beneficiary verification. CASPs are expected to take reasonable measures to verify beneficiary information accuracy. Customer-provided beneficiary names without verification produce regulatory concerns where accuracy gaps become apparent.

Interoperability mandate. EU TFR signals expectation of Travel Rule technology interoperability — CASPs are expected to operate across multiple protocols rather than restrict counterparty CASPs based on single-protocol limitations.

The EU framework is also operationally integrated with the broader AMLR (Anti-Money Laundering Regulation) framework operationalising through 2027. The combined EU AML framework is the most demanding globally.

US FinCEN Travel Rule

US Travel Rule operates under FinCEN guidance applying Bank Secrecy Act rules to crypto-asset operators. The framework is structurally similar to EU TFR but with several distinctive features.

USD 3,000 threshold. US Travel Rule applies above USD 3,000 — materially higher than EU zero threshold. Smaller transfers face general BSA AML obligations but not specifically Travel Rule requirements.

Originator and beneficiary information. Comparable to EU requirements — customer name, address, account or wallet identifier, and where available beneficiary information.

Self-hosted wallet expectations. FinCEN expects risk-based monitoring of self-hosted wallet activity without specific verification thresholds equivalent to EU Article 14. Operators implement risk-based programmes.

Enforcement intensity. FinCEN has actively enforced Travel Rule violations through 2024-2026. Bittrex ($29m), BitMEX ($100m settlement), and Binance ($4.3bn coordinated US action) all included Travel Rule compliance failures among the enforcement grounds.

Singapore MAS Notice PSN02

Singapore’s MAS Notice PSN02 includes detailed Travel Rule provisions for DPT (Digital Payment Token) service providers. The framework operates as part of the broader MAS AML regime.

Originator and beneficiary information comparable to FATF baseline. Threshold varies by transaction type. Self-hosted wallet rules align broadly with international framework.

MAS supervises Travel Rule compliance as part of the broader DPT service provider supervision. Enforcement has been active through 2024-2026 with several public reprimands of Singapore-licensed operators on Travel Rule deficiencies.

UK MLR 2017 Travel Rule

UK Money Laundering Regulations 2017 implementing legislation includes Travel Rule provisions operational since September 2023. The framework brings UK in line with FATF standard and matches EU TFR substantively though with slightly different operational details.

The FCA has supervised Travel Rule compliance as part of broader cryptoasset firm registration supervision. Compliance is one of the standard supervisor focus areas for UK FCA-registered crypto operators.

The Travel Rule technology landscape

Travel Rule compliance operates through technology protocols enabling VASP-to-VASP information exchange. The 2026 landscape includes several competing frameworks:

TRP (Travel Rule Protocol). Open-source protocol with broad industry support. TRP-compatible providers include Notabene, Sumsub Travel Rule, OpenVASP, and various proprietary implementations. Strong North American adoption.

TRUST (Travel Rule Universal Solution Technology). Coinbase-led consortium framework with substantial North American adoption among large CASPs. Less common in EU.

Sumsub Travel Rule. Commercial Travel Rule infrastructure with broad operator adoption and multi-protocol support. Strong EU presence.

Notabene. Independent Travel Rule infrastructure provider with cross-jurisdiction support. Used by various major operators.

Veriscope. Independent platform with focus on EU TFR compliance.

Various proprietary implementations. Major operators (Binance, OKX, others) operate proprietary Travel Rule infrastructure with selective interoperability.

The interoperability is improving through 2024-2026 but remains uneven. Many CASPs operate multi-protocol implementations to maintain counterparty CASP coverage. Single-protocol strategies produce counterparty-exclusion risk.

Operational compliance build

Travel Rule compliance build for a typical EU CASP involves several workstreams:

Customer-side data collection. Onboarding processes capture customer information sufficient for Travel Rule transmission. Account or wallet identifier mapping to customer information. Beneficiary information collection at transfer initiation.

Transmission infrastructure. Integration with one or more Travel Rule technology providers. Multi-protocol support for counterparty CASP coverage. Failover and retry handling.

Incoming transfer screening. Verification of Travel Rule information completeness on incoming transfers. Sanctions and PEP list screening of originator and beneficiary information. Risk-based escalation for missing or incomplete data.

Self-hosted wallet handling. Verification framework for self-hosted wallet transfers under EU TFR Article 14 or equivalent. Risk-based monitoring infrastructure. Customer-initiated verification workflow.

Record retention. Five-year retention of Travel Rule information aligned with broader AML record-retention requirements. Audit-ready data structure for supervisor and law-enforcement requests.

Operational monitoring. Ongoing monitoring of Travel Rule compliance metrics — information completeness rates, transmission failure rates, counterparty CASP coverage, screening alert volumes.

The build is non-trivial. First-year compliance cost for a mid-tier CASP runs EUR 200-500k. Ongoing operational cost runs EUR 100-300k annually. The operational complexity is one of the more demanding aspects of MiCA CASP compliance.

Practical takeaways

The FATF Travel Rule is operational globally and the compliance build is real. Three principles for CASPs in 2026:

Build for multi-protocol Travel Rule support. Single-protocol strategies produce counterparty CASP exclusion risk. Multi-protocol support is the operational norm for substantive CASPs.

Address EU TFR zero threshold operationally. Information collection and transmission must work at every transfer value. Solutions designed for USD 3,000+ thresholds fail EU compliance.

Plan self-hosted wallet handling explicitly. EU Article 14 verification framework and US risk-based monitoring expectations require dedicated infrastructure. Treating unhosted wallet transfers as out-of-scope fails everywhere.

For corrections, updates, or counsel referrals on FATF Travel Rule compliance, email [email protected].