FATF Travel Rule for Crypto VASPs: KYC Compliance Guide 2026

The FATF Travel Rule — Recommendation 16 applied to virtual assets — became mandatory across the EU on 30 December 2024 under Regulation (EU) 2023/1113, known as the Transfer of Funds Regulation (TFR). Every crypto-asset service provider (CASP) operating in the EU must now collect, verify, and transmit originator and beneficiary data on every transfer between hosted wallets, with no minimum threshold. Understanding these obligations is essential for UK-based virtual asset firms — both those operating in the EU market and those aligned with the FCA's own Travel Rule framework which took effect in September 2023. This guide covers what data must be collected, which documents are required, and how to build a compliant workflow.

This article is provided for informational purposes only and does not constitute legal, financial, or regulatory advice. Regulatory references are accurate as of the publication date. Consult a qualified professional for advice specific to your situation.

What Is the FATF Travel Rule and Why Does It Matter?

The Travel Rule requires that when a virtual asset is transferred between two financial intermediaries — specifically between VASPs or CASPs — the originator's and beneficiary's identifying information must travel with the transaction. As of early 2026, 85 of 117 FATF member jurisdictions (73%) have enacted Travel Rule legislation, up from 65 in 2024 (FATF 2025 Virtual Assets Targeted Update).

FATF Recommendation 16 has applied to traditional wire transfers since 1996. The 2019 FATF Guidance extended it explicitly to virtual assets. The rationale: pseudonymous crypto transactions create the same money laundering risks as anonymous wire transfers — the Travel Rule closes that gap by requiring identity data to accompany the funds.

Data Required Under the Travel Rule

The following information must be collected from the originator CASP and transmitted to the beneficiary CASP before or simultaneously with the transfer:

UK Framework: FCA and HMRC Requirements

In the United Kingdom, the Financial Conduct Authority (FCA) implemented the Travel Rule through amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, effective 1 September 2023. The FCA's threshold is £0 for transfers between registered CASPs — identical to the EU's zero threshold — with the same verification requirements for unhosted wallets above £1,000.

The FCA confirmed in its 2024 Cryptoasset Roadmap that firms failing to implement Travel Rule systems by the 2023 deadline risk supervisory action, including variation or cancellation of their cryptoasset registration (FCA Cryptoassets Roadmap). HMRC separately requires cryptoasset businesses to maintain records for five years under the Money Laundering Regulations 2017.

EU Regulatory Framework: TFR 2023/1113 and EBA Guidelines

Regulation (EU) 2023/1113 replaced the earlier Wire Transfer Regulation (Regulation (EU) 2015/847) and extended its scope to include crypto-asset transfers. It came into force on 29 June 2023 and became directly applicable from 30 December 2024.

The EBA published Guidelines EBA/GL/2024/11 in July 2024, providing detailed technical specifications on the information requirements, the format for data transmission, and the treatment of incomplete data.

EU Thresholds at a Glance

These thresholds are stricter than the FATF baseline of USD 1,000 and match the UK's zero-threshold approach for inter-CASP transfers.

KYC Document Verification Obligations for CASPs

The Travel Rule is only as reliable as the underlying KYC data. CASPs must verify customer identity before processing any transfer — and that verification must meet the standard required by the Sixth Anti-Money Laundering Directive (AMLD6) and the UK Money Laundering Regulations.

Documents Required for Natural Persons

For individual customers, CASPs must collect and verify:

• Valid government-issued photo ID: UK passport, driving licence, or biometric residence permit
• Proof of address (for enhanced due diligence cases): utility bill or bank statement less than three months old
• Source of funds documentation for transactions above risk thresholds

Documents Required for Legal Entities

For corporate customers, the following must be verified:

• Certificate of incorporation (Companies House extract in the UK, or equivalent)
• Articles of association
• Proof of registered address
• Identity documents for all beneficial owners (25% threshold under AMLD6; firms with higher risk profiles may apply a 15% threshold)
• Identity documents for directors and authorised signatories

CheckFile processes over 3,200 document types across 32 jurisdictions with 24-language OCR support, enabling compliance teams to handle cross-border onboarding — from UK passports to EU identity cards — within a single verification workflow. Explore CheckFile's KYC solutions for financial services.

Unhosted Wallets: Specific Verification Requirements

Unhosted (or self-hosted) wallets present the most complex compliance challenge because there is no intermediary holding the wallet — only the customer controls the private key.

Article 19 of Regulation (EU) 2023/1113 requires CASPs to verify that a self-hosted wallet address belongs to their customer when the transfer exceeds €1,000 (or £1,000 under UK rules). Accepted verification methods include:

1. Small test transaction (micropayment round-trip that proves wallet control)
2. Cryptographic signature proving possession of the private key
3. Sworn declaration combined with additional corroborating evidence

EBA/GL/2024/11 specifies that the chosen verification method must be proportionate to the risk level of the transaction. A higher-risk transfer — to a wallet associated with a high-risk jurisdiction or a newly added address — warrants stronger verification than a routine transfer to a customer's own long-established wallet.

Technical Implementation: Travel Rule Messaging Protocols

The technical layer of Travel Rule compliance requires a messaging protocol to transmit data securely between CASPs. Three dominant solutions exist in 2026:

Selecting a protocol is a strategic decision: CASPs using different protocols need bridging solutions. The FATF's 2025 update noted that fragmentation at the protocol level remains a practical barrier to full implementation, particularly for cross-border transfers between regions where different protocols have dominant adoption.

Building a Compliant Travel Rule Programme: Checklist

Compliance teams should address the following before processing any inter-CASP transfer:

• Integrate Travel Rule data collection into the customer onboarding flow
• Select and connect to a Travel Rule messaging protocol (TRISA, OpenVASP, or Notabene)
• Implement wallet ownership verification for unhosted wallet transfers above £1,000/€1,000
• Define a policy for transfers from or to non-compliant CASPs (hold, freeze, or reject)
• Map Travel Rule risks into your AML risk assessment and transaction monitoring framework
• Train compliance staff on data collection requirements and red-flag indicators
• Establish a record-retention policy (minimum five years per AMLD6 / UK MLRs)
• Review the policy for stablecoin transfers — the same rules apply under TFR

For a structured overview of the broader compliance landscape for crypto firms, see our compliance guide for obliged entities.

Frequently Asked Questions

Does the Travel Rule apply to peer-to-peer (P2P) transfers between private wallets?

No. The Travel Rule applies only when a licensed CASP or VASP is involved — either as originator or beneficiary. Direct transfers between two unhosted wallets with no CASP involvement fall outside the scope of Regulation (EU) 2023/1113 and the FCA's Money Laundering Regulations, as amended.

What happens if the beneficiary CASP does not support a Travel Rule protocol?

The originator CASP must retain the Travel Rule data and assess the risk before releasing the transfer. EBA/GL/2024/11 recommends applying risk-based mitigation measures — such as requesting additional information or introducing a processing delay — rather than automatically rejecting the transfer. Some major CASPs have adopted a policy of refusing inbound transfers not accompanied by compliant Travel Rule data.

Does the Travel Rule apply to stablecoin transfers?

Yes. Regulation (EU) 2023/1113 covers all crypto-assets as defined by MiCA, including e-money tokens (EMT) and asset-referenced tokens (ART). A CASP that issues or transfers stablecoins on behalf of customers is subject to identical Travel Rule obligations as a cryptocurrency exchange.

How long must Travel Rule records be kept?

Under the EU AML framework (AMLD6) and the UK Money Laundering Regulations 2017, CASPs must retain Travel Rule data — including originator and beneficiary information and verification evidence — for at least five years from the date of the transaction or the end of the business relationship, whichever is later.

Is a crypto exchange registered with the FCA subject to the EU Travel Rule?

Only if it operates in the EU. UK-registered cryptoasset firms subject solely to the FCA's regime must comply with the UK's version of the Travel Rule (MLR 2017 as amended), not the EU's TFR 2023/1113. However, any UK firm that also offers services to EU customers through an EU-registered entity will need to comply with both frameworks.