As digital asset usage continues to grow, regulators worldwide are pushing for stronger transparency requirements. The Travel Rule – the FATF’s Recommendation 16 extended to virtual assets – obliges Virtual Asset Service Providers (VASPs) to obtain, hold, and transmit identifying information about both the sender and the recipient whenever digital assets move between regulated entities.

This article explains what the Travel Rule requires, how VASPs must handle customer data, when the rule applies, and the key implementation changes coming into effect in 2025.

What is the Travel Rule?

What is the Travel Rule?

The Travel Rule is part of the FATF (Financial Action Task Force) standards and is defined in Recommendation 16, which sets transparency requirements for fund transfers. It was originally designed for traditional wire transfers and, starting in 2019, FATF clarified that the same principle also applies to virtual assets and Virtual Asset Service Providers (VASPs).

In the virtual asset sector, the Travel Rule requires financial intermediaries, including VASPs, to collect and transmit identifying information about the sender and the receiver when a qualifying transaction is executed (typically above a set threshold and between obliged entities). The goal is that this identity data “travels with” the transaction so regulatory agencies can trace and, in theory, help prevent activities such as money laundering or terrorism financing

When a transaction occurs between two VASPs, the sending VASP is required to transmit key information such as:

  • The names of the originator and beneficiary
  • The account numbers or wallet identifiers used
  • And the transaction details

In simple terms, the Travel Rule makes transfers between regulated crypto intermediaries behave more like traditional bank transfers: each transfer carries the necessary identity information to increase transparency and accountability within the formal financial system.

FATF continues to refine this framework. In June 2025, members agreed on changes to Recommendation 16 to further clarify responsibilities along the payment chain and to standardise the information that must accompany payments and value transfers, including those involving virtual assets. The exact obligations for VASPs, however, depend on how each jurisdiction writes these changes into its local laws.

Travel ruler

Who does the Travel Rule apply to?

The Travel Rule primarily applies to Virtual Asset Service Providers (VASPs). This category includes licensed crypto exchanges, custodial wallet providers, brokerages, payment processors, and other businesses that execute or facilitate transfers of digital assets on behalf of customers.

In addition, some jurisdictions extend certain Travel Rule obligations to transactions that involve a self-hosted (non-custodial) wallet. The exact requirements differ by country. In these cases, a VASP may be required to collect or verify information about the owner of the self-hosted wallet when a transfer is sent to or received from that wallet, typically above a defined threshold.

The scope of application therefore depends on local regulation: while the Travel Rule consistently applies to VASP-to-VASP transfers, obligations involving self-hosted wallets vary across jurisdictions.

Required information for digital asset transfers

When transferring digital assets between regulated entities, the Travel Rule requires VASPs to collect and exchange specific information about both the sender (originator) and the receiver (beneficiary). The exact data fields depend on each jurisdiction’s implementation, but FATF sets the following minimum baseline:

For the Sender (Originator):

The sending VASP must have:

  • Full name
  • Account number or wallet identifier
  • One of the following:

    • Residential address
    • National ID number
    • Customer identification number
    • Date and place of birth

For the Receiver (Beneficiary):

The receiving VASP must have:

  • Full name
  • Account number or receiving wallet identifier

FATF guidance expects VASPs to transmit this information securely and immediately to the receiving VASP.
Retention requirements (such as storing the data for five years) are also recommended, but the legal obligation varies by jurisdiction.

It is important to note that FATF does not require all data fields simultaneously – regulators decide which subset becomes mandatory locally. Implementations therefore differ widely across countries.

To note:

For individual users, it is important to understand the personal-security implications of these requirements. Any service that collects detailed identifying information alongside your digital-asset activity may, by necessity, hold data that could make you or your family a target if it is exposed. 

High-value KYC and transaction-mapping datasets are under continuous attack from organised cybercrime groups, who use such information to compile target lists for digital fraud, social-engineering attacks, and – in rare but documented cases – real-world threats. Maintaining strong operational security and being selective about which services – if any –  you entrust with sensitive data remains essential.

Europeans are increasingly alarmed by the mass collection of sensitive financial data, frequent leaks, and the expanding reach of organised crime exploiting these vulnerabilities
Europeans are increasingly alarmed by the mass collection of sensitive financial data, frequent leaks, and the expanding reach of organised crime exploiting these vulnerabilities

Threshold and application level of the Travel Rule

Initially, FATF proposed a threshold of around $1,000 USD or €1,000 EUR to determine which transactions the Travel Rule must apply to.

In the 2025 update to R.16, the requirements were made clearer. For example, information about the receiver’s address now only needs to include the country and city, instead of the full address.

Additionally, FATF also requires the receiving VASP to verify the receiver’s data. This means they must check if the information they received matches the account details of the actual receiver.

Why is the Travel Rule considered important?

Regulators view the Travel Rule as a way to support Anti-Money Laundering (AML) and Counter-Financing of Terrorism (CFT) frameworks. In theory, it introduces more structure around how digital asset transfers are monitored. Key arguments include:

  • Creating a traceable path: The Travel Rule attaches sender and receiver information to a transaction, giving authorities a clearer audit trail for regulated transfers.
  • Increasing transparency: By requiring VASPs to exchange identity information, regulators aim to reduce the use of intermediaries to obscure fund flows. This is intended to make it more difficult to hide illicit activity within regulated platforms.
  • Aligning crypto with traditional finance: The framework mirrors long-standing international wire-transfer rules, treating VASPs more like banks in how they must handle customer information.
  • Preventing basic fraud: Verifying counterparties can help reduce low-level fraud or misdirected transactions within the regulated sector.

Challenges in implementing the Travel Rule

The implementation of the Travel Rule faces several challenges.

  • Identifying the partner: It is often difficult to determine if the counterparty is a VASP or not. Because the blockchain is decentralized, the sending VASP is not always sure if the receiver is a VASP or a personal wallet, making it hard to know who to share information with.
  • Privacy concerns: Collecting names, addresses, and IDs relates to high privacy issues. VASPs must balance AML compliance with the need to protect personal data.
  • Lack of standardization: Currently, there is no single standard protocol for exchanging Travel Rule data. This makes it challenging for different VASPs to interact and share information with each other smoothly.
  • High compliance cost: The cost of compliance is a major challenge. Building systems to store, verify, and exchange Travel Rule data can be expensive, especially for smaller VASPs.

Effectiveness and Practical Concerns

In practice, the effectiveness of the Travel Rule remains an open question.

The rule increases cost and compliance complexity for businesses and startups, while criminal groups typically adapt to new controls quickly – often within days – by analysing the new requirements and identifying alternative pathways that allow them to continue operating without any lasting disruption.

At the same time, extensive data-collection requirements introduce significant exposure risks for ordinary users.

Personal information tied to digital-asset holdings is regularly misused in:

  • cybercrime and data-broker markets
  • targeted scams and account-takeover attempts
  • operational-security attacks
  • and – in the most severe cases – physical threats, including home invasions or kidnappings

In an ecosystem built around digital bearer assets, minimising data collection remains a prudent approach to reduce systemic risk and avoid exposing legitimate users to unnecessary financial or physical harm.

Travel Rule – considerations in 2025

Implementing the Travel Rule faces several challenges. 

First, it is hard to know if the counterparty is a VASP because blockchain is decentralized, so the sending VASP cannot always be sure if the receiver is a VASP or a personal wallet. This makes it difficult to know who to share information with. 

Second, collecting names, addresses, and IDs involves high privacy risks, so VASPs need to balance AML compliance with personal data protection. 

Third, there is no single standard for Travel Rule data exchange, making it hard for many VASPs to interact and share information with each other. 

Finally, compliance costs are also a big challenge because building systems to store, verify, and exchange Travel Rule data can be expensive, especially for small VASPs.

RELATED ARTICLESMORE FROM AUTHOR