FATF Travel Rule and the Global AML Architecture

The Financial Action Task Force (FATF) is one of those organizations that most crypto users have never heard of but that has more practical impact on how crypto businesses operate globally than almost any other regulatory body. FATF is an intergovernmental organization that sets standards for anti-money laundering (AML) and counter-terrorism financing (CFT). It doesn't have enforcement authority itself, but countries that aren't FATF-compliant face significant diplomatic and financial pressure.

In June 2019, FATF issued guidance requiring that the Travel Rule — a requirement from traditional banking that obliges financial institutions to transmit customer identifying information alongside transfers — apply to Virtual Asset Service Providers (VASPs). The Crypto Travel Rule requires that when a VASP transfers crypto to another VASP, it must transmit the sender's name, account number, and physical address, along with the recipient's name and account number.

The implementation challenge is significant. Traditional banks have decades of infrastructure for transmitting this data through SWIFT and similar systems. Crypto exchanges had no equivalent infrastructure in 2019. Building compliant Travel Rule protocols required coordination across hundreds of VASPs worldwide, operating different software systems, dealing with different legal requirements in different jurisdictions.

Several protocols emerged to facilitate Travel Rule compliance: VerifyVASP, Sygna, TRP (Travel Rule Protocol), and others. Adoption has been uneven — exchanges in FATF-compliant jurisdictions (US, EU, Singapore, Japan) have largely implemented Travel Rule solutions, while exchanges in jurisdictions with weaker FATF compliance haven't.

The more fundamental tension with Travel Rule compliance involves transfers to non-custodial wallets — wallets where the user controls their own private keys rather than a service holding them. When a user withdraws crypto from an exchange to their own non-custodial wallet, who is the "receiving VASP"? There isn't one. FATF's guidance has evolved to suggest that exchanges implement risk-based approaches for transfers to non-custodial wallets, potentially including enhanced due diligence or travel rule-equivalent information collection from their customers.

This creates a direct tension with self-custody as a fundamental value proposition of crypto. The "be your own bank" model explicitly involves holding your own keys, which means interacting with on-chain infrastructure without a custodial intermediary. If regulatory requirements progressively make self-custody harder to access from regulated exchanges, the regulatory architecture is functionally discouraging one of crypto's distinguishing features.

How this tension resolves will significantly shape what "compliant crypto" looks like. The EU's implementation in MiCA and its Travel Rule regulation is among the more aggressive frameworks, requiring exchanges to collect information about unhosted wallet owners in certain cases. This is being challenged in court by privacy advocates. The outcome will be a meaningful data point for how other jurisdictions calibrate the self-custody question.

FATF Travel Rule and the Global AML Architecture

// COMMENTS

ON THIS PAGE