Travel Rule in Cryptocurrency

The Travel Rule is a well-known regulatory requirement from the traditional financial sector. It mandates that financial institutions track, record, and transmit identifying information about both the sender and recipient for every transaction.

Contents

• What is the Travel Rule?
• Key Principles of the Travel Rule
• Scope and Application of the Travel Rule
• Key Definitions in the Travel Rule
• Responsibilities of the Originator’s Service Provider
• Responsibilities of the Beneficiary’s Service Provider
• Transfers Outside the EU
• Travel Rule & Data Protection
• Penalties & Compliance Measures
• Summary

What is the Travel Rule?

In June 2019, the Financial Action Task Force (FATF) introduced updates to Recommendation 15, requiring cryptocurrency service providers to obtain, store, and share transaction details of both senders and recipients. These updates align with existing anti-money laundering (AML) and counter-terrorist financing (CFT) measures applicable to traditional financial institutions.
‍

A Travel Rule requirement ensures that all crypto transactions, like those in the banking sector, must contain identifying information that enables authorities to monitor financial activities and trace transactions.

In December 2020, in the EU the AMLD6 came into effect: this Anti Money Laundering Directive made cryptocurrency compliance more stringent by adding cybercrime to the list of money laundering predicate offences. EU Member States must transpose the AMLD 6 in their national legislation by 10 July 2027.  AMLD5, its predecessor, has already brought crypto exchanges under the scope of EU anti-money laundering legislation, subjecting crypto exchanges to similar compliance obligations to financial institutions, in order to fight against financial crime, terrorist funding, trafficking and other organised crime.

In June 2022, the bodies of the EU came to an agreement on the implementation of the Transfer of Funds Regulation (TFR). This Regulation aims to implement the Financial Action Task Force’s (FATF’s) Recommendation 16 (Travel Rule) - which previously only applied to traditional wire transfers - to virtual asset transfers involving CASPs in Europe. This TFR is the EU introduction of a Travel Rule Requirement.

Key Principles of the Travel Rule

The Travel Rule introduces new EU regulatory requirements obligating crypto service providers to collect and share information about transaction participants.

Regulatory Background

This rule is part of the Financial Action Task Force (FATF) AML/CFT framework and has been included in the European Commission’s Action Plan (published in May 2020) to strengthen AML/CFT measures.

Six Core Priorities of the EU AML/CFT Plan:

1. Enhancing the effectiveness of current AML/CFT regulations.
2. Harmonizing AML/CFT rules across the EU.
3. Introducing centralized AML supervision at the EU level.
4. Improving cooperation mechanisms for Financial Intelligence Units (FIUs).
5. Strengthening criminal law enforcement in the EU.
6. Enhancing international cooperation on AML/CFT efforts.

The Travel Rule expands the scope of Regulation 2015/847, by including cryptocurrency transactions.

It should be noted that the scope of The Travel Rule extends beyond the EU and applies globally to FATF member countries. Many countries now have active Travel Rule Requirements, including, bbut not limited to, Switzerland, the UK, Singapore, South Korea, Indonesia, Taiwan, India and Venezuela. Many more are introducing them. An international transaction is subject to the stricter requirements between the originator and Beneficiary countries.

Scope and Application of the Travel Rule

This regulation defines and enforces rules for tracking transaction data. It applies to crypto transfers where at least one service provider involved is registered in the EU or another Travel Rule compliant region or country.

Transactions Covered:

• Transfers of fiat or crypto-assets via regulated financial institutions.
• Crypto-asset transfers between crypto service providers (e.g., exchanges, custodial wallets).
• Crypto transfers between service providers and banks/financial institutions.

Excluded Transactions:

• Payments made to government agencies (e.g., taxes, fines).
• Internal transfers within the same crypto-asset service provider.
• Direct peer-to-peer (P2P) transactions between individuals.

Possible Exceptions:

Some states with Travel Rule requirements may exempt low-value crypto transfers (such as microtransactions for everyday purchases of goods and services) from Travel Rule obligations, or require a lower level of information to be disclosed. 

Key Definitions in the Travel Rule

Crypto-Asset Transfer:

Any electronic transaction involving crypto-assets that is conducted via a crypto service provider to facilitate a transfer between two parties.

Person-to-Person Transfer:

A non-commercial transaction between two individuals, without the involvement of a financial service provider.

Crypto-Asset:

As defined in the Markets in Crypto-Assets (MiCA) Regulation, this refers to a digital representation of value or rights that can be electronically transferred and stored using blockchain or other distributed ledger technologies (DLT).

Crypto-Asset Service Provider (CASP):

An entity providing crypto-related services as defined in MiCA.

Originator:

The sender of a transaction who holds an account with a crypto service provider or initiates a crypto transfer.

Beneficiary:

The intended recipient of a crypto transaction.

Legal Entity Identifier (LEI):

A unique alphanumeric identifier (defined under ISO 17442), which is assigned to legal entities engaged in financial transactions.

Bulk Transfer:

A batch of multiple transactions bundled together for processing.

Responsibilities of the Originator’s Service Provider

In the EU, To combat financial crime, any crypto transfers must include detailed sender and recipient information. The crypto service provider processing the transfer must ensure that the following details are included in the transaction record for all transactions:
‍

• Originator’s Name
• Originator’s Account number
• Originator’s Address
• Originator's LEI (where applicable, or an equivalent official identifier). 
• Originator’s Wallet Address
• National ID number, tax ID, or date/place of birth
• Beneficiary’s Name
• Beneficiary’s Account Number
• Beneficiary’s Wallet Address
• Beneficiery’s LEI (Where applicable, or an equivalent official identifier

Service providers must reject or delay processing transactions if required data is missing.

Responsibilities of the Beneficiary’s Service Provider

Beneficiary CASPs are required to collect and store the above information and should implement effective risk-based procedures to determine whether to execute, reject, return or suspend a transfer lacking information and to take the appropriate follow-up action. Crypto service providers handling incoming transactions must have monitoring mechanisms to ensure that complete originator and beneficiary details are included.
‍

• Before making funds available to the beneficiary, providers must take reasonable steps to verify the transaction details and information.
• If data is missing, the service provider must reject, return, or delay processing until compliance requirements are met.

If required details are not provided, the service provider must either hold funds for further verification or return the transaction to the sender.

Travel Rule & Data Protection

Ensuring Data Privacy

Crypto service providers must not use personal data for purposes beyond regulatory compliance. They must also implement robust security measures to prevent unauthorized access to sensitive data.

Informing Users About Data Processing

Before initiating transactions, providers must notify users about:
‍

• The regulatory requirement to collect data.
• How data will be used and stored.

Data Retention Policies

• Transaction records must be stored for a minimum of five years, If necessary and proportionate for the purpose of preventing, detecting, investigating or prosecuting suspected money laundering or terrorist financing, the retention period extends by an additional five years
• After the period required by national or EU laws, all personal data must be erased.

Penalties & Compliance Measures

If a crypto service provider violates the Travel Rule, EU Member States can:
‍

• Impose financial penalties.
• Hold company directors or compliance officers legally accountable.
• Revoke licences.

Other countries with active Travel Rule requirements have similar Penalty measures in place to ensure compliance..

Summary

The Travel Rule introduces strict regulatory requirements for tracking and reporting crypto transactions.

Key Implications:

1. Service providers must develop new technological solutions to comply with data-sharing obligations.
2. Internal AML/CFT policies must be updated to align with EU standards.
3. Personal data protection measures must be reinforced to prevent misuse.
4. Cross-border transactions will be subject to enhanced scrutiny to ensure global compliance.

The Travel Rule applies traditional banking AML/CFT regulations to cryptocurrency transactions, requiring service providers to enhance their compliance frameworks and technological solutions to meet new regulatory demands.

‍