
KYB for Crypto Exchanges: How to Verify Businesses Under the FATF Travel Rule


Crypto money laundering topped $82 billion in 2025, the highest figure on record, and regulators have responded in a way many exchanges did not anticipate: with active inspections, not just new laws. According to FATF’s 2025 Targeted Update, 85 of 117 surveyed jurisdictions have Travel Rule legislation in place, up from 65 the year before. Supervisors in the EU, UK, and Singapore are now showing up at exchanges and asking to see counterparty verification records.

Most exchanges have done the work on retail customer onboarding. Identity checks, liveness detection, and document verification are table stakes at this point. The compliance gap that lands exchanges in front of regulators sits one layer up, in the business-to-business layer. Other exchanges, OTC desks, custodians, and payment processors that qualify as virtual asset service providers (VASPs) make up that layer. Manual verification of these counterparties worked when transfer volumes were low and regulators were few. Neither condition holds now.

This article covers what the Travel Rule requires from exchanges at the business-verification level, how FATF’s three-phase due diligence framework maps to real business verification checks, and where automated KYB separates a defensible program from an audit exposure.

What the Travel Rule requires beyond transaction data sharing

FATF Recommendation 16 is where most exchanges focus their compliance effort. Exchanges must collect originator and beneficiary information for transfers above USD 1,000 and transmit it securely to the receiving VASP. That is the transaction-data obligation, and it is addressed by most Travel Rule tools on the market.

What receives far less attention is the counterparty VASP due diligence standard FATF introduced in its 2021 Updated Guidance for Virtual Assets. Before sharing customer data with any other VASP, an exchange must confirm that the counterparty is a legitimate, licensed entity and not a sanctioned operator routing illicit funds. That confirmation is a business verification check, distinct from any transaction scan, and it must be completed before the first transfer in any new corridor.

The FATF 2025 Targeted Update found that only 57% of jurisdictions with Travel Rule legislation have measures in place to confirm that domestic VASPs transact only with licensed or registered counterparts. Supervisors are actively targeting that enforcement gap.

The three phases of VASP counterparty due diligence

FATF’s 2021 Updated Guidance sets out a three-phase counterparty due diligence framework that applies before any new VASP transfer corridor opens.

Phase 1: Determine the counterparty type

Not every wallet address belongs to a VASP. Unhosted wallets, retail users, and smart contracts receive different regulatory treatment. The first step is confirming whether the counterparty qualifies as a regulated VASP at all, because the answer determines whether Travel Rule obligations apply and what information must be collected before any transfer proceeds.

Phase 2: Identify and verify the VASP entity

Once the counterparty is confirmed as a VASP, the exchange must verify who that entity actually is. That means confirming the legal entity name, registration number, jurisdiction of incorporation, and regulatory status. The goal is a verifiable licence or registration. A FinCEN Money Services Business registration, an FCA registration under the UK’s crypto asset regime, or a MAS licence all qualify, as does any equivalent from the counterparty’s regulated jurisdiction. Any VASP that cannot demonstrate licensed status anywhere represents counterparty risk that most compliance programs cannot accept.

Phase 3: Assess eligibility before the corridor opens

The third phase covers sanctions screening and beneficial ownership checks. Does this counterparty appear on any sanctions list? Who are the ultimate beneficial owners, and do any of those individuals carry adverse regulatory or enforcement history? FATF expects this assessment before the first transaction and periodic refreshes as part of an ongoing monitoring program.

A compliance team running these checks manually across multiple registries, sanctions databases, and adverse media sources for each new VASP relationship, and then scheduling regular rechecks, cannot sustain that operational load without automation once transfer volumes grow.

What a KYB check on a VASP actually covers

A VASP KYB workflow draws on three verification layers that go beyond standard retail identity checks.

Entity verification starts with corporate registry data. This means confirming the legal entity exists in the jurisdiction it claims, that its regulatory licence covers the activities it conducts, and that its corporate status is active. For EU-connected corridors, this includes confirming alignment with the Transfer of Funds Regulation, fully applicable from December 2024. The standard is direct registry lookup against national VASP registers and regulator databases, not a review of self-reported documents from the counterparty.

UBO mapping is where manual programs struggle most. A VASP may be incorporated in one jurisdiction, licensed in a second, and controlled by individuals based in a third. Where ownership chains run through holding companies or nominee structures, surfacing the actual beneficial owners requires registry lookups across multiple jurisdictions. Each identified UBO at or above the applicable ownership threshold then needs individual-level screening against sanctions lists and PEP databases.

AML screening at the entity level runs the VASP itself, its directors, and its UBOs against global sanctions regimes, PEP databases, and adverse media sources. Business AML screening covers the ongoing monitoring obligation. Sanctions lists change, enforcement actions happen, and ownership structures shift after onboarding. A transaction screening layer can surface anomalies in live transfer patterns once the corridor is operational.

Which jurisdictions are moving fastest on enforcement

The EU is furthest along. The Transfer of Funds Regulation applies to all crypto-asset transfers from December 2024, and non-EU VASPs seeking access to EU-licensed exchanges must meet equivalent information standards. EU-connected corridors that cannot produce verified counterparty data do not open.

Singapore’s MAS, the UK, and the UAE’s CBUAE have all implemented Travel Rule requirements tied directly to licensing obligations. Published in June 2025, the FATF Best Practices on Travel Rule Supervision gives supervisors across implementing jurisdictions a checklist for determining whether exchanges are running counterparty checks in practice and not just on paper.

How Shufti handles VASP KYB for crypto exchanges

The most common problem crypto compliance teams describe is a fragmented stack. Entity checks run through one vendor, UBO research through another, and AML screening through a third. That fragmentation slows counterparty onboarding and makes consistent ongoing monitoring almost impossible to sustain across a growing corridor network.

Shufti’s Know Your Business solution covers entity verification, UBO mapping, and business AML screening through a single API. Coverage spans 250+ countries, which matters for exchanges building transfer corridors in jurisdictions where manual registry access is limited. The workflow pulls corporate data, licensing status, and sanctions screening into a single structured output that feeds directly into the exchange’s onboarding decision. Ongoing monitoring alerts update the risk picture as a VASP’s profile changes after onboarding.

The crypto compliance solution covers the full verification stack for virtual asset businesses. For further reading on VASP AML obligations, see AML Compliance for the Crypto Sector and the KYC, KYB, and KYT overview.

When your exchange cannot confirm that a counterparty VASP is licensed, owned by screened principals, and free of sanctions exposure, you are holding counterparty risk that EU, UK, Singapore, and UAE supervisors are now specifically examining. Shufti’s KYB solution runs entity verification, UBO mapping, and business AML screening through one API across 250+ countries, with ongoing monitoring built into the same workflow. Request a demo to see how VASP due diligence runs on your own counterparty pipeline.



Frequently Asked Questions

What is the FATF Travel Rule and how does it apply to crypto exchanges?

The FATF Travel Rule (Recommendation 16) requires VASPs to collect, transmit, and retain originator and beneficiary information for transfers above USD 1,000. For crypto exchanges, compliance goes beyond data sharing. FATF's 2021 guidance also requires exchanges to verify that each VASP counterparty is licensed, owned by screened principals, and free of sanctions exposure before any new corridor opens.

What is VASP due diligence under the Travel Rule?

VASP due diligence is the three-phase verification process FATF recommends before any new transfer corridor opens. The first phase confirms whether the counterparty qualifies as a VASP. Entity name, registration, and licensing status are verified in the second phase. Sanctions exposure and beneficial ownership are assessed in the third. All three must be completed before the first transaction, with periodic reviews scheduled afterward.

Which jurisdictions enforce the FATF Travel Rule for crypto?

As of 2025, 85 of 117 surveyed jurisdictions have Travel Rule legislation in force, according to FATF's 2025 enforcement survey. The EU's Transfer of Funds Regulation has been fully applicable since December 2024. Singapore's MAS, the UK, and the UAE's CBUAE also maintain active Travel Rule requirements with live enforcement frameworks.

What are the penalties for non-compliance with the FATF Travel Rule?

Penalties vary by jurisdiction and include monetary fines, licence suspension, and in cases of willful violation, criminal liability for responsible officers. In the EU, non-compliance with the Transfer of Funds Regulation can trigger action under MiCA's broader licensing framework. Exchanges that cannot demonstrate completed VASP due diligence face elevated scrutiny during supervisory examinations across all implementing jurisdictions.


