FATF Recommendation 16 — the Travel Rule — has existed in wire transfer contexts since the 1990s. Its extension to virtual asset service providers (VASPs) in FATF's 2019 updated guidance created a compliance obligation that the crypto industry has spent the subsequent years wrestling with. As of 2025, most major jurisdictions have implemented some version of Travel Rule requirements for VASPs, but the specific thresholds, data elements, and technical messaging standards differ significantly by jurisdiction. For a US-licensed crypto exchange serving both domestic and international users, this creates a compliance architecture challenge that goes well beyond simply collecting counterparty information.
This article covers what the FATF Travel Rule requires, how US FinCEN regulations implement it, what the key jurisdictional differences are, and where crypto compliance programs most commonly fall short.
What FATF Recommendation 16 Actually Requires
FATF Recommendation 16, as updated in 2019 to include VASPs, requires that "countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, and submit the information to beneficiary VASPs or financial institutions, if any, immediately and securely." The recommendation further specifies that beneficiary VASPs must obtain and hold required originator information, and that both originating and beneficiary VASPs screen the information they receive against sanctions lists.
The required information elements for transactions above the threshold (USD/EUR 1,000 under the FATF standard) include: originator's name, originator's account number, originator's physical address or national identity number or customer identification number, and the beneficiary's name and account number.
FATF's guidance emphasizes that the information must "travel with" the transaction — it cannot simply be collected and retained. The beneficiary VASP must receive the originator information at the time of the transaction, not on request after the fact.
US Implementation: FinCEN's Existing Rules and the Proposed VASP Framework
In the United States, FinCEN's existing Travel Rule regulations under 31 CFR 1010.410 apply to financial institutions, which FinCEN has long interpreted to include money services businesses. Crypto exchanges operating as MSBs — meaning they transmit value, including virtual currency — are covered by these regulations. The existing FinCEN Travel Rule threshold for domestic transmittals is $3,000 (not the $1,000 FATF threshold), and the required information elements are slightly different from the FATF standard.
This creates a gap: the US $3,000 threshold means that transactions between $1,000 and $3,000 are subject to Travel Rule obligations in most other jurisdictions but not domestically. A US-licensed crypto exchange serving international users who send to VASPs in FATF-compliant jurisdictions (the UK's FCA requires Travel Rule compliance at £1,000; Singapore's MAS requirement is SGD 1,500) must decide how to handle transactions in that threshold gap. The operationally simplest approach is to apply the more restrictive threshold globally, rather than maintaining separate threshold logic by counterparty jurisdiction. Most compliance-mature exchanges have moved to a global $1,000 threshold for that reason.
The "Sunrise Problem" and Counterparty VASP Identification
The practical challenge that has occupied crypto compliance teams most is not data collection — it is counterparty identification and messaging. Travel Rule compliance requires sending originator data to the beneficiary VASP. To do that, the originating VASP must: (1) determine that the beneficiary wallet address is custodied by a VASP, not an unhosted wallet; (2) identify which VASP controls that address; and (3) transmit the required data to that VASP using a messaging protocol both parties support.
The "sunrise problem" refers to the period during which not all VASPs in a given transaction chain have implemented Travel Rule messaging capability. If the originating VASP's counterparty has not implemented a compliant protocol, the information cannot be transmitted in the required form. FATF's guidance acknowledges this challenge and suggests that VASPs should reject or delay transactions where they cannot transmit Travel Rule information to a non-compliant counterparty — a position that creates friction for users and operational complexity for compliance teams.
Travel Rule messaging protocols that have emerged in the market include TRP (Travel Rule Protocol, an open standard), VerifyVASP, OpenVASP, and Sygna Bridge. None has achieved universal adoption. A US-licensed crypto exchange in the consumer-facing segment handling roughly 15,000 cross-VASP transactions per month in 2024 found that approximately 18% of those transactions involved counterparty VASPs whose Travel Rule messaging capability was unknown or unconfirmed. That 18% required manual counterparty outreach or transaction delay pending protocol confirmation — a significant operational overhead.
Unhosted Wallet Transactions: The Unsettled Question
FATF guidance on unhosted wallets — wallets not controlled by any VASP — is that originating VASPs should collect beneficiary information for transactions above the threshold, even if the beneficiary is an unhosted wallet. The information cannot be "transmitted" to another institution, but should be collected and retained by the originating VASP. In practice, collecting accurate information for unhosted wallet transfers is genuinely difficult: the customer declares the beneficiary's name, but there is no institutional counterparty to confirm or cross-reference it.
We are not saying that unhosted wallet transactions are inherently high-risk or that fintechs should block them categorically — that position would be both operationally unsustainable and inconsistent with the legitimate use cases for self-custody. What we are saying is that the Travel Rule obligation for unhosted wallet transactions requires a documented policy position: what information is collected, how it is verified (or acknowledged as unverifiable), and how unhosted wallet transaction risk is reflected in the customer's overall risk profile and ongoing monitoring parameters.
Blockchain analytics tools from Chainalysis, TRM Labs, and Elliptic provide on-chain behavioral data that supports the risk assessment of unhosted wallet counterparties — wallet exposure to high-risk or illicit sources, transaction clustering patterns, and exchange-vs-self-custody attribution. These tools are an essential complement to the identity and Travel Rule data layer for crypto compliance programs operating at scale.
Jurisdictional Variation: EU MiCA, UK FCA, and MAS Singapore
MiCA (Markets in Crypto-Assets Regulation), the EU's comprehensive crypto framework, incorporates Travel Rule requirements through the Transfer of Funds Regulation (TFR) extension to crypto-assets. The EU TFR requires Travel Rule compliance at zero threshold for transactions between VASPs (the EUR 1,000 threshold applies only to unhosted wallet transactions). This is stricter than both the FATF standard and the US FinCEN framework.
The UK FCA's cryptoasset Travel Rule, which took effect in September 2023, aligns closely with FATF — £1,000 threshold, required information elements consistent with the FATF standard. The FCA's implementation guidance emphasizes that UK firms must make reasonable efforts to obtain Travel Rule information from counterparties and must have documented policies for handling non-compliant counterparties.
Singapore's MAS Travel Rule requirements, effective January 2024, apply to all VASPs licensed under the Payment Services Act. The MAS threshold is SGD 1,500. MAS has taken an active enforcement posture on Travel Rule compliance — including inspection findings against VASPs with inadequate counterparty identification procedures.
For a VASP with customers in multiple jurisdictions, maintaining a Travel Rule compliance program that correctly applies the right threshold and data requirements for each transaction pair is not trivial. AML screening infrastructure designed for crypto must handle this jurisdictional matrix as a first-class requirement. KYC programs for crypto platforms must also be designed with Travel Rule data collection integrated into the onboarding and transaction flows — not bolted on as an afterthought after the core product is built.
What Examiners Look for in Travel Rule Programs
Examiners reviewing a VASP's Travel Rule compliance focus on several specific areas: whether the VASP has a written Travel Rule policy that correctly identifies the applicable threshold(s); whether the required data elements are being collected at the transaction level; whether there is a documented process for handling transactions with non-compliant or unidentified counterparty VASPs; and whether the records retention requirements (five years under FinCEN's BSA recordkeeping rules) are met for all Travel Rule data.
Programs that struggle in examination are typically those that implemented Travel Rule compliance as a technical protocol integration without corresponding written policies, or that relied on a third-party protocol vendor's implementation without independently documenting what data is collected, transmitted, and retained at each transaction stage. The protocol handles the messaging; the compliance program documents the obligation, the policy, and the gap handling. Both are required.