What the Travel Rule actually is
The Travel Rule is the crypto-industry name for FATF Recommendation 16, the global anti-money-laundering standard that requires originator and beneficiary information to "travel" alongside a transfer. It started life in traditional finance — the same logic that puts your name and account number on a SWIFT wire. In 2019, FATF extended it to virtual assets, and from that point any regulated exchange, custodian, or broker (a Virtual Asset Service Provider, or VASP) had to attach identity data to crypto transfers the same way a bank does to a wire.
FATF itself sets no laws. It writes standards, and its 200-plus member jurisdictions are expected to legislate them domestically. That gap between recommendation and local law is where most of the practical pain lives.
How it works
When a customer sends crypto from one VASP to another above the threshold — FATF recommends USD/EUR 1,000, though jurisdictions vary — the sending VASP must collect and transmit the originator's name, account/wallet identifier, and usually a physical address or date of birth, plus the beneficiary's name and wallet. The receiving VASP is expected to ingest and screen it. Below the threshold, obligations are lighter: name and wallet, no mandatory verification absent suspicion.
The data itself rides on a separate messaging layer, not the blockchain. The dominant format is IVMS101, the interVASP Messaging Standard, which defines a common schema so two exchanges describe a customer the same way. Transport happens over competing protocols — TRISA, TRP, and others — which, as of 2024, have started to interoperate rather than fragment further.
Why it matters
For a regulated venue, the Travel Rule is non-negotiable plumbing. It's how a MiCA- or FMA-licensed exchange demonstrates it isn't a laundering conduit, and it's increasingly a precondition for banking relationships and cross-border settlement. As of 2025, 85 of 117 jurisdictions with active VASP sectors had passed implementing legislation — up from 65 a year earlier. The direction is one-way: compliant rails are becoming the only rails that institutional capital will touch.
Key risks and tradeoffs
The rule's central weakness is the sunrise problem — jurisdictions switch it on at different times, with different thresholds and different verification rules. A VASP in a strict jurisdiction sending to one in a lax jurisdiction may have no compliant counterparty to receive the data, leaving it holding an obligation it cannot technically fulfill.
Unhosted wallets are the other hard edge. When a customer withdraws to a self-custodied wallet, there is no counterparty VASP to send data to. The standard requires the VASP to collect originator and beneficiary detail from its own customer, but nothing actually transmits to the wallet. In my view this is where the rule strains hardest against how crypto is genuinely used — and where overly broad national implementations risk pushing ordinary self-custody users toward worse options rather than safer ones.
There's also a real privacy cost: a parallel surveillance layer mapping identities to wallet addresses, sitting in the hands of dozens of intermediaries with uneven security.
Current state (2026)
The big recent shift came in June 2025, when FATF agreed a substantial revision of Recommendation 16. It clarified which entity in a multi-party payment chain owns the collection duty, standardized the data fields (name, address, date of birth) for cross-border transfers above the threshold, and introduced mandatory beneficiary-information verification to fight fraud. Global implementation of the revised standard is required by the end of 2030, and FATF has signaled continued public pressure on laggard jurisdictions through 2026.
The interesting open question for builders is whether the next compliance layer gets absorbed into wallets and account-abstraction flows directly — selective, cryptographic identity disclosure at the protocol edge — rather than bolted on as a messaging network between centralized intermediaries.