FATF Travel Rule Explained
The global AML/CFT rule that forces VASPs to share sender + receiver data on every transfer. What it is, thresholds per jurisdiction, and how XRPL handles it.
What the Travel Rule is
The Financial Action Task Force (FATF) is the inter-governmental body that sets global anti-money-laundering and counter-terrorist-financing standards. The 'Travel Rule' is Recommendation 16: every financial institution transferring value above a jurisdiction-specific threshold must transmit sender and receiver identity data along with the transfer.
The rule predates crypto β it was written for bank wires in 1996. In June 2019, FATF extended it to Virtual Asset Service Providers (VASPs). All 200+ FATF-aligned jurisdictions were expected to transpose it into their national AML laws. By 2026, roughly 80% of the global crypto market operates under a Travel-Rule obligation.
If you're a VASP β exchange, custody provider, on/off-ramp, cross-border payment β the Travel Rule is not optional. Non-compliance is one of the easiest enforcement actions for regulators to pursue because it is binary: either the transfer carried the data, or it didn't.
Who is a VASP under the Travel Rule
FATF defines a VASP as any person/entity that performs one or more of these activities for or on behalf of a customer:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets (moving value from one address to another)
- Safekeeping / administration of virtual assets (custody)
- Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset
Pure protocol operators (miners, validators), non-custodial wallet software providers where the user controls their own keys, and most DeFi protocols without an identifiable operator are NOT VASPs under FATF guidance. The grey zone is large and juri-specific β always check local transposition.
Thresholds β the part that trips everyone up
FATF recommends a threshold of USD/EUR 1,000 above which the Travel Rule kicks in. Each jurisdiction picks its own threshold, and they differ significantly.
When two jurisdictions have different thresholds, compliance becomes asymmetric. If I'm an EU VASP (β¬1K threshold) sending $2K to a US VASP (USD 3K threshold), I need to send Travel Rule data, but the US VASP has no obligation to receive it. Meanwhile if they send $4K back to me, they must transmit, but if they send $2K back, the data will not arrive on a formal channel β even though my β¬1K obligation would apply to the EU side. This mismatch is the 'sunrise issue' and it is unsolved.
What data must travel
The data set is defined by FATF and standardised as IVMS 101 (InterVASP Messaging Standard). Every Travel Rule message contains:
Originator (sender)
- Full legal name
- Account / wallet identifier (the address involved)
- Physical address OR national identity number OR customer ID OR date and place of birth
Beneficiary (receiver)
- Full legal name
- Account / wallet identifier
For institutional senders, additional fields apply β registered office, LEI code. Some jurisdictions require extra fields (e.g., Singapore MAS requires date-of-birth for all non-institutional originators above SGD 1,500).
IVMS 101 is the JSON schema that virtually every Travel Rule vendor supports. If you build or buy a compliance stack, insist on IVMS 101 output β it is the lingua franca between VASPs globally.
Practical tools β the Travel Rule vendor market
You will almost never build this yourself. The interconnection challenge is too big. The market is dominated by a few specialised vendors:
- Notabene β IVMS 101 messaging, VASP directory, counterparty risk scoring. Dominant in the EU and US institutional segment.
- Sumsub Travel Rule β integrated with Sumsub's broader KYC/AML stack. Popular in EU retail-facing exchanges.
- Chainalysis KYT + Travel Rule β combines sanctions screening with Travel Rule messaging.
- TRP (Travel Rule Protocol) β open standard championed by Sygna, Ciphertrace/Mastercard.
- OpenVASP β open-source alternative designed to avoid vendor lock-in.
Integration cost: USD 30K-150K/year in vendor fees + engineering time for the API integration (typically 4-8 weeks for a first launch).
How XRPL handles the Travel Rule
XRPL poses specific operational questions for Travel Rule compliance that are worth understanding:
Destination Tag β the account identifier
A classical pain-point: centralized XRPL wallets (exchanges, custodians) pool customers into a single XRPL account and use the Destination Tag (32-bit integer) to disambiguate internal customers. The XRPL address alone does NOT identify the beneficiary. VASPs must resolve the address + tag combination to a specific customer when providing beneficiary data.
Memo fields β where the data could ride
XRPL transactions support Memo objects (up to 1 KB each, up to 3 memos per transaction). Technically, Travel Rule data could be carried on-chain. In practice, nobody does this for privacy reasons β the data is off-chain, transmitted via IVMS 101 vendor channels. On-chain memo is used only for transaction references, not PII.
Trust Line / IOU transfers
Transfers of issued tokens (IOUs) via Trust Lines trigger the Travel Rule when the transfer meets the threshold. The issuer (the gateway) is always a VASP. The relevant beneficiary can be identified by the account holding the Trust Line. RLUSD, for example, applies Travel Rule messaging through Ripple's licensed entities.
Payment Channels
Payment Channels (off-ledger micropayments) aggregate value between two counterparties. The Travel Rule applies at channel open (funding) and close (settlement) β not at each off-chain claim. This makes XRPL Payment Channels very practical for streaming payments: one Travel Rule event per session, not per micro-transaction.
If you operate an XRPL-native exchange or custody service, budget for a Travel Rule vendor from day one. Notabene and Sumsub both have IVMS 101 modules that handle Destination Tag resolution.
Explore further
Related terms
General information only. Not legal advice. For your specific situation, consult a qualified lawyer.