FATF Crypto Guidance: Travel Rule, VASP Rules, and Global AML Standards Explained

When you send crypto from one exchange to another, you might not think about who’s tracking that transaction. But behind the scenes, a global rule called the FATF Travel Rule is forcing companies to collect and share your personal info. This isn’t just about big exchanges like Coinbase or Binance-it affects every platform handling crypto, even if you’re sending $50. The Financial Action Task Force (FATF), a group of 207 countries, created this framework to stop criminals from using digital money to hide illegal cash. And since 2025, those rules have gotten sharper, clearer, and harder to ignore.

What Exactly Is a VASP?

You’ve probably heard the term VASP-Virtual Asset Service Provider-but what does it actually mean? FATF defines it simply: any company or person that runs a business involving crypto. That includes exchanges, wallet providers, crypto ATMs, and even some DeFi platforms. If you’re swapping Bitcoin for Ethereum, holding someone’s private keys, or helping someone sell a new token, you’re likely a VASP. It doesn’t matter if you’re a startup in Berlin or a hedge fund in Singapore. If you’re facilitating crypto transactions as a service, FATF says you’re in the game.

The 2025 update made this even clearer. Before, there was confusion around decentralized protocols-like Uniswap or Aave-where no single company runs the platform. But FATF now says: if there’s a team, a foundation, or even a single person who can change the code or collect fees, that entity counts as a VASP. Only truly decentralized systems with no controlling party are exempt. And even then, FATF suggests regulators step in and assign a legal entity to handle compliance.

The Travel Rule: It’s Not Optional

The heart of FATF’s crypto rules is Recommendation 16-the Travel Rule. It’s not new, but it’s now being enforced worldwide. Here’s how it works: if you send more than $1,000 in crypto, the sending VASP must collect and send specific details about you (the originator) and the person you’re sending to (the beneficiary). That includes:

• Your full name
• Your physical address or date of birth
• Your account number (like a wallet ID)

For the recipient, they only need:

• Their full name
• Their account number

This is the same rule banks have followed for wire transfers for decades. But applying it to crypto is messy. Unlike banks, crypto wallets don’t have standardized account numbers. So VASPs have to build systems that can translate wallet addresses into compliant data formats. And here’s the kicker: 68 countries use the $1,000 threshold, but 32 have raised it to $3,000. That means if you’re sending $2,500 from the U.S. to Japan, your transaction might be blocked because one side requires $1,000 and the other allows $3,000. Cross-border transfers are where compliance breaks down.

How Different Countries Are Handling It

FATF sets the rules, but each country writes its own law. That’s why compliance feels like a patchwork quilt.

In the U.S., FinCEN enforced the Travel Rule in 2020. Exchanges must collect and transmit data using the InterVASP Messaging Standard (IVMS) or a similar protocol. The EU went further with its Transfer of Funds Regulation (TFR), which took effect in 2023. It not only enforces the Travel Rule but also requires VASPs to verify whether a recipient wallet is self-hosted (non-custodial). If it is, the sender must do extra checks-like asking for proof of ownership-before sending.

Japan takes a hard line: any transaction over ¥100,000 (about $650) triggers the rule. Switzerland’s FINMA is more flexible, letting VASPs set their own risk-based thresholds. That means a Swiss exchange might only apply the rule to transfers over $5,000 if they’ve proven low risk.

As of January 2026, 42 countries have fully implemented the rule. Another 28 are on track to do so by year-end. But 17 still haven’t started. That creates blind spots. Criminals exploit those gaps-sending funds from a regulated exchange in Germany to an unregulated one in a non-compliant country, then cashing out.

The Real Cost of Compliance

For small exchanges, the Travel Rule isn’t just a policy-it’s a financial burden.

CoinDesk’s December 2025 survey found 83% of VASPs struggled with cross-border data transmission. Why? Because there are 14 different technical protocols in use globally. One exchange might use IVMS 101, another uses a proprietary API, and a third relies on a blockchain-based solution like VerifyVASP. Integrating all of them? That’s expensive. Crypto.com spent $4.2 million and 18 months just to get compliant across 47 jurisdictions. Monthly costs? $185,000.

Smaller players are hit harder. Exchanges under $50 million in annual volume report 15-25% higher operational costs due to compliance. Many can’t afford the software, the staff, or the legal advice. Some have shut down. Others are outsourcing to third-party providers like Chainalysis or Elliptic.

And training? It’s not simple. Chainalysis says staff need an average of 87 hours of specialized training to understand the rules, interpret data, and respond to regulators. That’s over two full weeks of work-just to get up to speed.

What Happens When It Doesn’t Work?

There are real consequences when the system fails.

Chainalysis found that when VASPs properly implement the Travel Rule and use blockchain analytics, they can trace 98.7% of illicit funds. But only 37% of law enforcement agencies globally have staff trained to use those tools. That means even if data is collected, it often sits unused.

Then there’s the problem of unhosted wallets. If you send crypto to a wallet you control-like MetaMask-your exchange has to flag it as high risk. Some platforms block those transfers entirely. Others require users to upload screenshots of wallet ownership. That’s not just inconvenient-it’s a privacy nightmare.

And what about DeFi? The 2025 guidance tried to clarify: if a DeFi protocol has a team, a website, or a treasury, it’s a VASP. But critics say that’s too broad. The Center for a New American Security found only 12% of DeFi protocols actually have identifiable controllers. The rest? They’re truly decentralized. Yet regulators still treat them like centralized exchanges. That’s creating friction for innovation.

What’s Next? The Road to 2027

FATF isn’t done. By December 2026, they expect 100% of member countries to implement the Travel Rule. After that, they’ll start gray-listing non-compliant nations-making it harder for them to do business with global banks and exchanges.

The EU’s MiCA regulation, effective since mid-2024, is becoming the gold standard for stablecoins. It requires issuers to hold reserves, disclose risks, and comply with AML rules. Twenty-seven countries are now copying it.

In the U.S., the Presidential Working Group on Stablecoins is expected to release its final report in Q2 2026. Analysts believe it will split oversight: the SEC handles token sales, while banking regulators manage stablecoin issuance. That could mean two sets of rules for the same asset.

And don’t forget the Crypto-Asset Reporting Framework (CARF), endorsed by the G20. Starting in October 2027, VASPs will have to report user transaction data to tax authorities-just like banks report to the IRS. That’s the next layer.

What Should You Do?

If you’re a user: expect more friction. Sending crypto might take longer. You might be asked to verify your identity more often. Don’t be surprised if your transaction gets delayed or blocked because the receiving side isn’t compliant.

If you run a crypto business: you have three choices. Build your own compliance system (expensive). Use a third-party provider like TrustChain or VerifyVASP (easier, but still costly). Or exit the market. There’s no middle ground anymore.

And if you’re watching from the sidelines? Pay attention. The world is moving toward a single, global crypto compliance standard. It’s not perfect. It’s not fair to small players. But it’s here to stay.