The Travel Rule is a set of international standards and recommendations regulating the transfer of data when transferring financial assets. In traditional banking, this concept refers to the requirement to transfer customer and payment information between financial institutions when making cross-border payments or international bank transfers.
The Travel Rule was first introduced in 1997 by the Financial Crimes Enforcement Network (FinCEN) as part of an initiative to combat money laundering and terrorism financing. Initially, only interbank transactions over $3,000 were subject to the Travel Rule. In 2012, electronic money transfers were added to the list of tracked transactions, and the threshold amount was lowered to $1,000.
Key Travel Rule Requirements for Crypto Payments
In 2019, the Financial Action Task Force (FATF) adapted the Travel Rule by requiring virtual asset service providers (VASP) to report on their transactions.
According to the FATF standards, all companies that interact with digital assets in any way are required to comply with the rules for controlling crypto transfers. In particular, VASPs are obliged to collect, store, and provide regulators with the following information upon request:
- data of the transfer initiator (sender);
- the crypto address from which the assets are transferred and the recipient’s address;
- the assets used and the nominal value of the transfer;
- the blockchain network on which the transaction is conducted.
The Travel Rule conditions may vary depending on the jurisdiction. For example, the amount of transfers subject to the Travel Rule may differ from region to region. The list of crypto companies required to comply with it remains unchanged.
The Travel Rule applies to:
- crypto ATMs;
- crypto exchanges;
- centralized crypto exchanges (CEX);
- payment systems working with digital assets;
- crypto token issuers;
- custodial crypto wallets;
- crypto funds.
Essentially, any individual or legal entity providing services for the exchange, transfer, receipt, or custody of cryptocurrencies falls under the definition of a VASP.
Travel Rule in Different Jurisdictions
As mentioned above, requirements for VASPs can vary across jurisdictions. The FATF data shows that in 2023, only 35 out of 135 jurisdictions adopted the Travel Rule compliance practices, with another 27 countries beginning to develop and implement it.
However, the growing global popularity of cryptocurrencies is forcing various countries to accelerate the process of adopting legislative acts aimed at digital asset market regulation. Quite often, the Travel Rule becomes part of such legislative initiatives.
European Union
In 2023, the European Parliament passed the MiCA bill that regulates the cryptocurrency market in the EU. It’s expected to come into force by the end of 2024. Among other things, the legislative act also includes the Travel Rule that requires VASPs to report transactions over €1,000.
Besides, according to MiCA, only transfers involving crypto wallet addresses managed by virtual asset service providers will be subject to scrutiny. In other words, the Travel Rule won’t apply to P2P transfers without VASP involvement or internal transactions between addresses owned by a single crypto service provider.
However, EU officials have also made amendments to tax reporting rules, known as the “common approach.” Thus, the eighth version of the Directive on Administrative Cooperation (DAC8) implies that VASPs must report on any transaction regardless of its amount and source. That is, the DAC8 contradicts the Travel Rule regulations described in MiCA.
United Kingdom
In September 2023, the U.K. authorities introduced new Travel Rules for digital assets. According to the new directive, the country’s residents are no longer allowed to transfer crypto from centralized platforms to non-custodial wallets if the market value of the transferred assets exceeds $1,000.
The Travel Rule in the U.K. requires the sender and recipient of a crypto transaction that exceeds $1,000 to undergo KYC and provide their personal data to the service provider. Otherwise, if participating in the transaction through a centralized platform, its representatives will be forced to block the transfer.
Switzerland
The Swiss Financial Market Supervisory Authority (FINMA) implemented the FATF requirements in 2019 by updating the Anti-Money Laundering Ordinance (AMLO). The regulator requires VASPs to record and retain data on the initiators and recipients of all crypto transactions over 1,000 CHF.
However, Swiss authorities make no concessions for P2P transfers or internal transactions. All unregulated wallets and service providers in the country are banned. All VASPs operating in the region are required to confirm wallet ownership rights before initiating transfers using digital assets and retain information about their owners, including personal data.
Travel Rule Compliance Protocols for VASPs
From a technical perspective, cryptocurrency companies are required to use specialized protocols to comply with the Travel Rule, which enable the exchange of information. Such protocols must allow for secure storage of customer data and fast and uninterrupted operation.
There are several popular compliance protocols for VASPs to meet the Travel Rule:
- Travel Rule Protocol (TRP) is a technology developed by Standard Chartered, ING Bank, and BitGo, supported by a working group of major industry organizations. The protocol consists of a set of technical specifications and standards and operates on the principle of mutual authentication. Basic message exchange is performed using HTTP requests, and customer information is stored within the VASP’s infrastructure.
- OpenVASP is an open standard for secure and reliable information exchange. The protocol uses standardized smart contracts on the Ethereum network containing VASP account data as an identifier. For information exchange, the protocol can utilize any open-source messaging infrastructure, such as Whisper.
- Travel Rule Information Sharing Architecture (TRISA) is a protocol based on service provider certification. To start using TRISA, each VASP must undergo the Know Your VASP (KYV) procedure, confirming the legality of its operation in the chosen jurisdiction. Then, mutually authenticated connections are established using SSL/TLS protocols, and encrypted identifiers are exchanged.
Despite the diversity, compliance with the Travel Rule for VASPs remains a challenge from a technical standpoint, as all developed protocols lack direct interoperability. Therefore, VASPs operating in different jurisdictions and using various protocols can’t exchange information and consequently process transactions in accordance with the Travel Rule.
Moreover, such requirements can’t be applied to non-custodial solutions for asset custody, P2P transactions, trading on DEXs, and other decentralized methods of conducting transfers.
