FATF Travel Rule Explained

What it is, when it applies, self-custody implications, EU TFR.

Reviewed by Stephan Kulik · Last updated: 2026-04-21 · How we rank

Short answer

FATF Recommendation 16 (Travel Rule) extended to virtual assets in 2019. When regulated crypto platforms send crypto above a threshold (typically $/€1,000) on behalf of a customer, they must share originator and beneficiary data with the receiving platform. EU TFR (effective December 2024) is stricter — any-value threshold for VASP-to-VASP, plus verification requirements for self-custody destinations above €1,000. Pure self-custody-to-self-custody transfers are outside the Rule.

What is FATF?

The Financial Action Task Force (FATF) is an intergovernmental body that sets global AML/CFT standards. It issues Recommendations which are implemented by over 200 jurisdictions (either FATF members or FATF-Style Regional Bodies). Recommendation 16 is the Travel Rule — originating from SWIFT-era wire transfer regulation in the 1990s.

Extension to crypto (2019)

In June 2019, FATF updated its guidance to apply Recommendation 16 to virtual assets. This required Virtual Asset Service Providers (VASPs) — exchanges, custodians, wallet providers with customer relationships — to:

Obtain required originator information for transfers of virtual assets
Maintain that information
Submit it to the beneficiary VASP (or equivalent) when transfers exceed threshold
Verify originator information where the transfer exceeds specified thresholds

EU implementation (TFR)

The EU Transfer of Funds Regulation (Regulation (EU) 2023/1113) applies from December 30, 2024. Key differences from FATF baseline:

No threshold — all VASP-to-VASP transfers require Travel Rule data
Self-custody verification required for CASP → self-custody transfers above €1,000
Self-custody verification typically via transaction-signature, Know-Your-Wallet-Owner (KYWO) attestation, or similar proof
CASPs must screen against EU sanctions lists

US implementation (BSA Travel Rule)

The US FinCEN Travel Rule has existed since 1996 for wire transfers. Application to crypto: VASPs (Money Services Businesses under FinCEN) must comply. Threshold: $3,000 for individual transfers. FinCEN\'s 2020 proposal to lower to $250 or require record-keeping on self-custody recipients faced industry pushback and is still under regulatory development.

What this means for users

Exchange-to-exchange transfers

When sending crypto from Coinbase to Binance, Kraken to Bitstamp, etc., you\'ll be asked for recipient identity data at send time. If the receiving exchange is FATF-compliant, the transfer includes Travel Rule metadata.

Exchange-to-self-custody

Sending from Coinbase to your Ledger wallet: the exchange will record the destination address. EU TFR (post-Dec 2024) may require additional verification for amounts above €1,000 — typically by asking you to sign a message from the destination wallet or provide other proof of control.

Self-custody-to-self-custody

Moving crypto from one of your own hardware wallets to another: no VASPs involved, Travel Rule doesn\'t apply. This is the most privacy-preserving flow for compliant users.

Self-custody-to-exchange (deposit)

When depositing from your wallet to an exchange: the exchange may ask about the origin of funds and screen the source address. Under EU TFR, additional verification may be required.

Sunrise issue

Not all jurisdictions have implemented the Travel Rule at the same pace. When a compliant VASP (EU, UK, Singapore, etc.) receives from a non-compliant VASP (some offshore exchanges), the compliant VASP may not receive Travel Rule data — creating compliance risk. Industry solutions include Sumsub Travel Rule, Notabene, VerifyVASP, TRP messaging — protocols for cross-VASP data exchange.

DeFi uncertainty

FATF 2021 guidance acknowledged that fully decentralised DeFi protocols may fall outside VASP definition if there is no identifiable operator. But the definition of "decentralised" is contested — front-end operators (Uniswap Labs, which hosts app.uniswap.org) may be caught even if underlying smart contracts are not. Regulators globally are pushing for broader DeFi coverage.

Implications for crypto-bank users

Expect more identity verification friction on transfers
Whitelist your self-custody addresses in advance at each platform
Self-custody-to-self-custody flows are unaffected — a reason to self-custody if compliance friction is painful
Offshore unregulated exchanges with no Travel Rule may have their transfers held or rejected by compliant receiving VASPs

Frequently asked questions

What is the FATF Travel Rule? +

The FATF Travel Rule (Recommendation 16) requires financial institutions to collect and share originator and beneficiary information when executing transfers above a threshold (typically $1,000 or €1,000, varies by jurisdiction). Originally applied to wire transfers, FATF extended it to virtual-asset transfers in 2019. In crypto: when VASP A sends crypto to VASP B on behalf of a customer, VASP A must send customer identity data to VASP B, and vice versa. This is why regulated exchanges increasingly ask you to identify the recipient/sender when transferring crypto.

When does the Travel Rule apply to me as a user? +

Whenever you transfer crypto between two regulated platforms above the threshold. Example: sending 0.5 BTC from Coinbase (US) to Binance (EU) may trigger Travel Rule compliance on both sides. You'll be asked for: your name, the recipient's name, potentially recipient's address, and whether the receiving wallet is at a regulated institution or a self-custody wallet. If self-custody, some jurisdictions require additional attestation.

What about self-custody wallet transfers? +

This is the most contested area. Pure self-custody-to-self-custody transfers (your hardware wallet to your other hardware wallet) are outside the Travel Rule — no VASPs involved. Regulated-platform-to-self-custody: varies by jurisdiction. EU TFR (effective Dec 2024) requires additional verification for self-custody destinations for transfers over €1,000. US BSA Travel Rule: requires VASP to record destination data but self-custody receipt itself is not prohibited. Some platforms have implemented "allow-list" or "whitelist" approaches where you pre-register your self-custody addresses.

What is the EU Transfer of Funds Regulation (TFR)? +

The EU TFR (Regulation (EU) 2023/1113) is the EU's Travel Rule implementation. Applied from December 30, 2024. It removes the FATF de minimis threshold — all VASP-to-VASP transfers of any value require Travel Rule data. Transfers to/from self-custody wallets above €1,000 require the VASP to verify the self-custody ownership, typically via transaction-signature or Know-Your-Wallet-Owner (KYWO) attestation. This is stricter than FATF baseline.

Does the Travel Rule apply to DeFi? +

Ambiguous. FATF guidance treats DeFi protocols with identifiable issuer/operator as VASPs subject to Travel Rule. Fully decentralised protocols without an identifiable operator fall outside the VASP definition in FATF's 2021 updated guidance — but regulators are increasingly scrutinising whether a protocol is "truly" decentralised. Front-end operators (e.g., Uniswap Labs) may be caught even if the underlying smart contracts are not.

What if a platform doesn't comply? +

Non-compliance consequences: regulatory enforcement (fines, loss of licence), loss of banking relationships (many banks refuse non-Travel-Rule-compliant VASPs), delisting from institutional relationships, customer-withdrawal restrictions. Many VASPs in non-FATF-aligned jurisdictions still don't fully comply — leading to "sunrise issue" (receiving VASP compliant, sending VASP not). Some jurisdictions effectively require receiving VASPs to hold transfers from non-compliant senders pending verification.