FATF Travel Rule: What VASPs Need to Know in 2026

Compliance officers at crypto exchanges often discover their Travel Rule workflows are years out of date when an auditor asks for documentation. The rule itself, grounded in FATF Recommendation 16, has existed since 2019, but a major revision in June 2025 expanded its scope to cover fraud prevention and proliferation financing, and for many VASPs the old compliance checklist no longer holds. What follows explains what the Travel Rule requires, how obligations differ across jurisdictions, and what the 2025 changes mean for your operations this year.

The FATF Travel Rule is a global standard requiring Virtual Asset Service Providers (VASPs) to collect, verify, and transmit identifying information about the originator and beneficiary of a virtual asset transfer to the receiving VASP before or during the transaction.

Your VASP’s home jurisdiction shapes how the rule applies, but the core expectation is consistent across markets. Money should not move without a traceable identity attached to it.

What is the FATF Travel Rule?

FATF Recommendation 16, commonly called the Travel Rule, extends to virtual assets the wire-transfer standards that banks have followed for decades. When a VASP sends virtual assets on behalf of a customer, it must pass originator and beneficiary data to the receiving institution alongside the transaction. The term comes from US financial regulation, where the rule historically required that identifying data “travel” with the funds.

The mechanism for sharing that data across VASP pairs relies on the IVMS101 messaging standard, an interoperability protocol that structures originator and beneficiary fields in a format counterparty systems can validate automatically. Adoption of IVMS101 has grown substantially since 2022, though implementation gaps remain in high-growth markets.

As of June 2025, 73% of responding jurisdictions, specifically 85 out of 117, had passed legislation implementing the Travel Rule, up from 65 jurisdictions the year before. That number keeps climbing, and it matters for any VASP that onboards customers or transacts across borders.

What data must VASPs collect and share?

VASPs on both sides of a transfer must collect specific fields about the originator and beneficiary, though the transaction threshold triggering this obligation differs by jurisdiction. The required fields are largely consistent across most major regimes.

Originator information your VASP must obtain and hold:

• Full legal name

• Account or wallet number

• Physical address, national identity number, or date and place of birth (at least one of these)

• Name and identification of the originating institution

Beneficiary information your VASP must obtain and transmit:

• Full legal name

• Account or wallet number

• Name of the receiving VASP

The originating VASP must transmit this data immediately and securely, and must keep it available for regulatory inspection on request. VASPs must also screen counterparty institutions before transacting with them. Accepting transfers from an unlicensed or sanctioned VASP creates direct regulatory exposure.

How do transaction thresholds differ by jurisdiction?

The FATF standard recommends a threshold of USD/EUR 1,000, but national regulators have drawn the line differently.

The EU threshold is the most demanding. The EU Transfer of Funds Regulation (Regulation 2023/1113) came into force on 30 December 2024 and requires crypto-asset service providers to include full originator and beneficiary details on every transfer, regardless of amount. VASPs operating in the EU or transacting with EU counterparties should have updated their workflows before the end of 2024. Those still running threshold-based logic for EU flows are already out of compliance.

The US applies the Travel Rule through the Bank Secrecy Act, with FinCEN setting the threshold at USD 3,000 for money service businesses processing virtual assets. In the EU, MiCA compliance obligations and Travel Rule requirements now run in parallel for licensed crypto-asset service providers.

What changed with FATF’s June 2025 revision?

The June 2025 revision to Recommendation 16 is the most consequential update since the rule was extended to virtual assets in 2019. Three changes stand out.

Fraud prevention is now an explicit objective

The previous Recommendation 16 focused on money laundering and terrorist financing. The 2025 version adds fraud prevention and proliferation financing to its stated purposes. VASPs can no longer treat the Travel Rule purely as an AML mechanism, and counterparty data-sharing must now be evaluated against fraud risk directly.

Confirmation of Payee is now mandated

The revised standard requires VASPs to verify that beneficiary information provided by the originator matches the records held by the receiving institution. This is an active check, not a passive data relay. Systems that simply forward data without validating it at the receiving end will need to be redesigned.

ISO 20022 alignment is expected

FATF has clarified that originator and beneficiary data should be structured to comply with ISO 20022 messaging standards where possible. VASPs using IVMS101 should confirm their messaging format maps correctly to ISO 20022 data fields.

The revised requirements take effect at the national level by end of 2030. The EU TFR and existing national frameworks already impose stricter conditions, so the 2030 date functions as a global floor, not a ceiling.

How can VASPs implement the Travel Rule in practice?

Travel Rule compliance breaks down into five operational requirements for most VASPs.

1. VASP identification

Before transmitting virtual assets, confirm that the receiving institution is a registered or licensed VASP in its home jurisdiction. Only 33% of assessed jurisdictions satisfactorily require VASP licensing, which means regulatory lists alone are not enough. Counterparty screening against sanctions databases and adverse media sources adds a practical layer of assurance.

2. Data collection at onboarding

The required fields (full name, wallet address, identification data) must be captured from customers before they initiate transactions at or above the applicable threshold. Integrating data collection into the onboarding journey is far more efficient than retrofitting it as a transaction-time check.

3. Secure data transmission

Use IVMS101-compliant messaging to transmit originator and beneficiary data to the receiving VASP. Retain records of every transmission and make them available to your regulator on request.

4. Sanctions screening of counterparties

Screen the receiving VASP and its customers against relevant sanctions lists before completing a transfer. Payment screening for virtual asset transfers should cover both the transaction parties and the counterparty institution itself.

5. Confirmation of Payee checks

VASPs preparing for the 2025 revision should build a validation step that confirms beneficiary data against the receiving institution’s records before releasing the transfer. This is now part of the FATF standard.

Reviewing AML compliance in 2025 alongside this is worth doing, as the two frameworks overlap on sanctions screening, PEP checks, and transaction monitoring.