What the Travel Rule requires
Originating from FATF Recommendation 16, the Travel Rule requires Virtual Asset Service Providers to collect and transmit sender and beneficiary information alongside qualifying transactions between regulated entities. The information set typically includes:
- Originator name and account identifier (wallet address).
- Originator physical address, official personal number, or date and place of birth.
- Beneficiary name and account identifier.
- Beneficiary physical address or equivalent identifier in some jurisdictions.
The rule exists to bring virtual asset transfers to parity with the wire transfer regime that has long been in place under the Bank Secrecy Act and equivalents.
Jurisdictional variation that matters
| Jurisdiction | Threshold | Authority | Key specifics |
|---|---|---|---|
| United States | $3,000 (FinCEN); $250 proposed | FinCEN | Applies to MSBs; stricter proposals under review |
| EU (MiCA + TFR) | No de minimis (all amounts) | EBA / national regulators | Strictest regime; applies from first euro |
| Brazil | Aligned with FATF guidance | BaCen / COAF | VASP framework operational 2026 |
| Hong Kong | HKD 8,000 (~$1,000) | SFC | Binding on licensed VASPs |
| UAE | AED 3,500 (~$950) | VARA / ADGM | Specific data set prescribed |
| Singapore | SGD 1,500 (~$1,100) | MAS | Under PS Act |
Any cross-border flow that touches multiple jurisdictions defaults to the stricter regime. An EU-outbound transaction to the US must meet EU requirements even if below the US threshold.
The messaging problem
The legal requirement is to exchange information. The practical requirement is to do so securely, reliably, and in a standardized format across counterparty VASPs that may be using different systems. Three dominant messaging protocols have emerged:
- TRUST (Travel Rule Universal Solution Technology). Coordinated by Coinbase, Anchorage, and others. Centralized membership model.
- OpenVASP / IVMS 101. Open protocol standard aligned to an ISO data model. Strong adoption in Europe.
- TRP (Travel Rule Protocol). A third widely adopted alternative, supported by Fireblocks and several other infrastructure providers.
Most institutional VASPs support at least two of these. The operational reality is that your chosen protocol must intersect with your counterparty VASP's chosen protocol, which drives many routing decisions.
The three edge cases that break flows in production
1. Unhosted wallet transactions
A counterparty wallet not controlled by a VASP. The Travel Rule still requires the originating VASP to collect beneficiary information, but there is no counterparty VASP to transmit to. Typical approaches:
- Self-declaration by the sender of beneficiary identity (with ongoing verification).
- Proof-of-ownership checks (e.g., Satoshi test, message signing).
- Jurisdiction-specific thresholds for when unhosted transfers are permitted at all.
Some jurisdictions (notably parts of the EU) have proposed outright limits on transfers to unhosted wallets above certain amounts. Compliance teams must maintain current policy by jurisdiction.
2. Inbound from a non-compliant VASP
Your VASP receives a transfer from a counterparty that has not transmitted Travel Rule information, or has transmitted incomplete information. The receiving VASP cannot always reject in real time (the transaction is already on-chain), so the operational question is:
- Does your policy permit receipt with quarantine until information is obtained?
- Does your policy require rejection or return of funds?
- Do you escalate to a suspicious activity review?
Strong VASPs maintain active counterparty VASP whitelists and engage directly with non-compliant counterparties to obtain information before releasing to the client.
3. VASP-to-VASP KYB
Under most Travel Rule regimes, VASPs must not only transmit data, but also verify that the counterparty is a legitimate VASP. That means counterparty due diligence on every VASP you message with. In practice this produces an operational challenge: the counterparty VASP ecosystem is large, evolving, and regionally fragmented. Working patterns:
- Tiered counterparty risk rating.
- Shared KYB utilities (Notabene, Sumsub VASP directory, etc.).
- Reliance on the messaging protocol's own counterparty verification layer.
Operational patterns that work
- Consolidated Travel Rule service. Rather than building protocol support in-house, most institutions now use a specialist (Notabene, Sumsub, or similar) integrated once, abstracting multiple protocols behind a single API.
- Pre-transaction compliance. Move the Travel Rule check upstream: verify counterparty VASP and collect required information before the on-chain transaction, not after. This prevents quarantine events.
- Data minimization by jurisdiction. Collect only what each jurisdiction requires; do not over-collect.
- Real-time sanctions overlay. Travel Rule data feeds directly into sanctions screening. If the originator is on an OFAC list, the information collection is what flags it.
- Quarterly reconciliation. Review Travel Rule data completeness, missing-information rates, and counterparty VASP coverage each quarter.
A well-run institutional VASP maintains >98% Travel Rule completeness on outbound transactions and resolves 100% of inbound missing-information cases within 10 business days. Teams that track these metrics consistently find and close gaps faster.
Bottom line
Travel Rule compliance is less about passing an audit and more about running a production flow that does not stall. The strongest operations treat it as an integrated piece of customer experience: pre-transaction, protocol-abstracted, and tightly linked to sanctions and counterparty risk.