The FATF Recommendation 16, otherwise known as the “Travel Rule,” mandates that Virtual Asset Service Providers (VASPs) gather, verify and pass on the information of the originator and the beneficiary of any transactions involving virtual asset transfers exceeding the threshold. Since FATF’s 2019 guidance, the requirement has been in effect in its crypto-applicable form, and several jurisdictions have adopted it into their national law, such as the US, EU, Singapore, the UK, Japan and South Korea.
However, a 2024 FATF mutual evaluation cycle identified ongoing compliance gaps in the Travel Rule at various jurisdictions including inadequate identification of counterparty VASPs, unclear thresholds that were being violated by splitting transactions, and the lack of procedures for the unhosted wallet segment of the cryptocurrency industry during the ‘sunrise’ period, and poor quality data transmission for cross-border payments.
The regulatory climate has become much harsher. The successful enforcement of OFAC’s $24 million settlement with Bittrex in 2023, the 2024 FinCEN and DOJ action against Binance, and the ongoing daily regulatory consideration of crypto businesses around the world as compliance or non-compliance with the Travel Rule demonstrates a regulatory approach that considers failures to comply with the Travel Rule to be significant compliance failures.
The article does not attempt to list every failure to comply with the Travel Rule that has been involved in enforcement actions and regulatory findings – it is only meant to give VASPs a practical checklist that they can use to assess how well their current Travel Rule program is doing.
What FATF Recommendation 16 Actually Requires for VASPs
The primary requirement is simple: If a virtual asset transfer occurs in an amount exceeding USD/EUR 1,000 (the limit used by most implementing jurisdictions), the originating VASP is tasked with providing the VASP of the beneficiary with certain information on the originator and beneficiary of the transfer. Both parties should keep this information and it should be made available to the relevant authorities if requested.
The information that is required to be provided by the originator shall consist of the following: full name, account number (wallet address), physical address or national identity number or date and place of birth, or customer identification number. Beneficiary details required: Name, account number (wallet address).
Verification is also crucial as the originating VASP must verify information from the originator prior to the transfer being processed. The KYC system of the beneficiatory VASP must check the incoming information with its own KYC system and the sanctions lists before allowing the funds to be made available to the beneficiary.
The Six Most Common Travel Rule Compliance Failures
VASP Counterparty Identification
A VASP shall only provide a Travel Rule data to another VASP if it has identified and verified that the recipient VASP is a legitimate VASP that is subject to AML/CFT regulation. Many compliance programs consider this a one time due diligence exercise on counterparty onboarding, and then forget to monitor it for a regulatory status change. If a VASP counterparty loses its license or sanctions, they are not automatically deleted from a trusted counterparty list unless they are actively monitored.
Unhosted Wallet Protocols
The FATF guidance on transfers to unhosted wallets (those not under the control of a regulated VASP) calls for VASPs to take action. Usually, these involve source of funds verification, documentation of transaction purpose and better monitoring. Many VASPs offer an unhosted wallet protocol but only if funds are below a certain amount or if risk is not a factor in the transaction.
Passing the Thresholds – Transaction
A documented evasion technique is transaction splitting, which is splitting a transaction over the threshold into a number of smaller transactions under the threshold. The FATF Travel Rule is also applicable to structured transfers that are designed to fall below the threshold and individual transfers that exceed the threshold. If a transaction monitoring program cannot identify patterns of structured splitting below the Travel Rule threshold, then it is missing an important pattern.
Complete cross-border data transmission.
The data sent in the Travel Rule must be authentic, complete and in a format that the receiving VASP can utilize. One of the most reported compliance issues is that of partial data transfer, which can include missing beneficiary data, the originator data or being in an incompatible data format with the receiving VASP system. The implementation issue of the sunrise with different jurisdictions resulted in a window in which VASPs could claim that their counterparty’s jurisdiction did not implement the requirement at that time. As implementation has expanded, this argument has become much weaker.
Sanctions Screening of Travel Rule Data
Receiving VASPs must conduct a screening process of incoming Travel Rule data on sanctions lists before funds should be made available. This will establish a live sanctions screening requirement in addition to the VASP’s “normal” account-level screening requirements. Numerous compliance programs have not customized their sanctions screening workflow to take incoming Travel Rule data as a unique screening input.
Screening Crypto Wallets by Risk Categories.
VASPs have a more general responsibility to assess and monitor virtual asset transactions and wallet addresses for AML risk, in addition to meeting the data transmission criteria outlined in the Travel Rule. Darknet markets, ransomware payments, mixing services, known fraud schemes and entities identified by the OFAC designation all have a wallet address and need to be detected beyond name-based screening.
The Complementary Obligation is Crypto Wallet Screening.
Information flows are subject to the Travel Rule. Crypto wallet screening is in charge of the risk evaluation of wallets and transactions. The two obligations are complementary and in a compliant VASP programme, they provide mutual feed.
When a Travel Rule data packet with a wallet address for the originator comes in, the wallet address is checked to see if it’s linked to a wallet risk category: OFAC has a list of specific crypto wallet addresses of entities sanctioned. In addition to OFAC’s list, wallets can also be spotted by transaction history analysis if they have documented connections to sanctioned services, darknet markets, mixing protocols, and ransomware payment addresses.
There are 415+ crypto risk categories that cover all of the risks at the wallet level. Not only the OFAC-listed wallets, but screening coverage for this entire category set is necessary to ensure effective crypto AML compliance, since the highest operational risk (mixing services, ransomware infrastructure, darknet market proceeds) are often not formally sanctioned but are clear and obvious financial crime risk.
| Travel Rule Obligation | Implementation Status in Most VASPs | Risk If Unaddressed |
| VASP counterparty ID and monitoring | Often one-time, not ongoing | Exposure to sanctioned or delicensed counterparties |
| Unhosted wallet EDD | Inconsistently applied | Regulatory finding; missed money laundering channels |
| Structuring detection | Rarely specifically configured | Missed evasion; potential Suspicious Activity Report (SAR) failure |
| Complete data transmission | Variable by corridor | Cross-border enforcement; correspondent banking risk |
| Incoming data sanctions screening | Often not separately configured | OFAC exposure for processed sanctioned-origin transfers |
| Full-category wallet screening | Typically OFAC-only | Darknet/ransomware proceeds missed |
How AML Watcher Supports VASP Travel Rule and Crypto Compliance
AML Watcher’s crypto compliance solution is tailored to meet the unique compliance requirements of VASPs under the Travel Rule in the FATF framework and the constantly changing international framework for crypto compliance generally. Beyond the OFAC-list-only screening capability, the crypto wallet screening capability screens for 415+ risk categories such as sanctions, darknet market exposure, ransomware payment addresses, mixing services and known fraud wallets.
The data screening for sanctions will be updated every 15 minutes for 215+ regimes, which is the near real-time refresh rate that incoming Travel Rule data screening requires. Crypto travel rule compliance capability helps VASPs establish the data transmission and counterparty verification steps mandated by the travel rule.
AML Watcher is the platform that will enable crypto compliance officers and VASP compliance leads to determine if their existing crypto compliance program covers the six failure modes described above – with integrated wallet screening, sanctions coverage, and continuous monitoring, all in a single compliance infrastructure, accessible via API.
VASP Travel Rule Compliance Self-Assessment
In your program, is counterparty identification a one-time process or continuous process?
Do you have an unhosted wallet protocol that is documented and has transaction value limits?
Does your transaction monitoring identify structured splitting patterns at lower than the Travel Rule levels?
Are funds released after screening incoming Travel Rule data against sanctions lists?
Are there other types of risks which are not covered by the crypto wallet screening of OFAC address lists?
Are the data formats you’re using suitable for your main counterparty VASPs?
Does your Travel Rule compliance program exist in writing and is it examinable?
The FATF Travel Rule no longer represents an obligation in the ‘sunrise period’ that VASPs can regard as ‘work-in-progress’. It is being enforced, and enforcement measures in response to Travel Rule gaps have been substantial. The regulatory environment requires a compliance program that addresses the 6 points mentioned above.
