EU Crypto Travel Rule: How the Regulation Applies to Crypto-Asset Service Providers (CASPs)

Intro

The financial regulatory landscape of the European Union has undergone a transformation with the introduction of the new Anti-Money Laundering (AML) package, specifically targeting the sector of digital assets. Central to this transformation is the implementation of the EU Crypto Travel Rule, codified under Regulation (EU) 2023/1113, also known as the Transfer of Funds Regulation (TFR).

This regulation marks a shift from the previous directive-based approach to a harmonized, directly applicable framework that ensures the traceability of crypto-asset transfers across all twenty-seven Member States. By requiring that information on the originator and beneficiary "travels" with each transaction, the Union aims to eliminate the pseudonymity that has historically made crypto-assets attractive for illicit financial flows.

What Is the EU Crypto Travel Rule?

The EU Crypto Travel Rule is the Union’s specific legal answer to the challenges posed by the adoption of virtual assets and the potential for their misuse in money laundering and terrorist financing.

Legally embodied in Regulation (EU) 2023/1113, it serves as a "recast" of the earlier 2015 regulation which applied strictly to traditional funds like banknotes and electronic money. The expansion of this mandate to include "certain crypto-assets" represents the EU's commitment to the principle of "same activity, same risk, same rules," ensuring that the technological medium of a transfer does not exempt it from the transparency standards expected in the broader financial system.

Unlike the Recommendations issued by the Financial Action Task Force (FATF), which provide a non-binding framework for nations to adapt, the TFR is a "binding regulation." This distinction is critical for any compliance officer or legal counsel; as a regulation, it is directly applicable in every Member State without the need for national transposition into local law. This direct applicability effectively creates a single EU standard, preventing "regulatory arbitrage" where firms might seek to operate from jurisdictions with more lenient interpretations of AML directives.   

[Figure: "Travel Rule" infographic showing a Bitcoin moving from Point A to Point B, with a parallel capsule below it labeled "Identity Data." Four icons represent the mandatory data fields: Full Name, Wallet Address, Residential Address / ID Number, and Date & Place of Birth. Caption: Under the EU Transfer of Funds Regulation (TFR), verified identity information must "travel" securely and simultaneously with every crypto-asset transfer between service providers to ensure full traceability and combat financial crime.]

The core mechanism of the rule is the mandatory collection and transmission of identity data. When a transfer occurs, the originating service provider must ensure that specific details about the sender accompany the transaction to the beneficiary's service provider. This is not merely a record-keeping exercise but a real-time transparency requirement intended to provide law enforcement and financial intelligence units (FIUs) with a clear "paper trail" on the blockchain. The regulation explicitly states that the soundness and stability of the financial system could be jeopardized if criminals are able to disguise the origin of proceeds through anonymous virtual asset transfers. 

Who Must Comply: CASPs Under EU Law

Identifying the scope of the regulation requires an understanding of the legal entities defined under the broader European digital asset framework.

The TFR applies to "Crypto-Asset Service Providers" (CASPs), a term that is inextricably linked to the Markets in Crypto-Assets (MiCA) Regulation (EU) 2023/1114.

What Qualifies as a Crypto-Asset Service Provider

According to Article 3(1) of MiCA, a CASP is any legal person or undertaking whose professional business is providing one or more crypto-asset services to clients. The definition is purposefully broad to capture the full spectrum of the modern crypto-economy. While basic exchange and custody are the most common services, the EU definition encompasses several categories that go beyond the traditional FATF baseline. For a detailed analysis of the licensing landscape, businesses should consult the expert guide on how MiCA defines crypto-asset service providers to ensure their specific business model is appropriately categorized.

Under MiCA, and by extension the Travel Rule, the net is cast much wider in the European Union than what you might see in other parts of the world. It isn’t just about the big-name exchanges; the regulation is designed to capture almost anyone who handles crypto-assets professionally. The following activities fall under the regulated definition of a CASP.

If your business provides Custody and Administration, meaning you’re the one safeguarding private keys or client assets, you’re essentially a digital vault and definitely a CASP. Then there are the Trading Platforms and Exchanges. Whether you’re helping people swap Bitcoin for Euros (fiat-to-crypto) or just trading one token for another (crypto-to-crypto), the EU sees you as a vital link in the chain that needs to be transparent.

What’s interesting is that the EU includes services that are often considered "ancillary" elsewhere. For instance, Providing Advice or Portfolio Management (basically telling people what to buy or managing their "bags" for them) now puts you firmly in the regulated zone. This is part of the EU's "gold-plating" strategy, where they’ve gone beyond international minimums to ensure that crypto-advisors are held to the same high standards as traditional financial planners.

Finally, we have the "movers and shakers": Execution of Orders, Placing, Reception and Transmission of Orders, and Transfer Services. In plain English, if your platform is the one making sure a trade actually happens or is responsible for moving those assets from Point A to Point B, you are on the hook for the Travel Rule.

For crypto businesses, this means you can’t just be a "tech layer" anymore. If you touch the transaction or the decision-making process, you're a regulated financial entity with specific data-sharing duties.

CASPs vs VASPs — Terminology Differences

In the global regulatory arena, the Financial Action Task Force uses the term "Virtual Asset Service Provider" (VASP). While many industry participants use VASP and CASP interchangeably in informal settings, the legal distinction is vital for compliance in Europe. VASP is the global, standards-based term, whereas CASP is the specific, legally defined entity under EU law.   

The EU's CASP designation is significantly more comprehensive than the FATF's VASP definition. For example, the FATF definition does not explicitly cover "Advice" or "Portfolio Management" in the same prescriptive manner as MiCA. Furthermore, the move to a CASP framework represents a transition from simple "registration" (common under the old national regimes like France's PSAN) to "authorization" (a full license). Entities operating in the EU that previously held VASP status under national laws must transition to the MiCA CASP authorization by July 1, 2026, or risk severe administrative penalties, including the cessation of their activities.

Key Travel Rule Obligations for CASPs

The TFR imposes a dual responsibility on CASPs depending on their role in the transaction chain. An entity may act as the "Originating CASP" (sending the transfer) or the "Beneficiary CASP" (receiving the transfer), and in some instances, as an "Intermediary CASP".   

Required Originator and Beneficiary Information

Articles 14, 15, and 16 of Regulation (EU) 2023/1113 specify the precise data fields that must accompany every crypto-asset transfer. The regulation differentiates between transfers where all service providers are established within the Union and those involving a party outside the EU.   

For a standard transfer, the following information must be collected and transmitted:

  1. Originator (Sender) Information:
    • Full Name (Natural or Legal Person).   
    • Distributed Ledger (Wallet) address and/or the crypto-asset account number.   
    • One of the following: residential address, official personal document number, customer identification number, or date and place of birth.
    • The Legal Entity Identifier (LEI) of the originator, where available.   
  2. Beneficiary (Recipient) Information:
    • Full Name.   
    • Distributed ledger address and/or account number.   
    • The LEI of the beneficiary, where available.   

Responsibility for Data Accuracy and Transmission

The Originating CASP bears the primary burden of verification. Before initiating the transfer, it must verify the accuracy of the originator’s information based on documents or data obtained from reliable and independent sources, essentially fulfilling the KYC requirements of the AML framework. This information must be transmitted to the Beneficiary CASP "securely" and "simultaneously or concurrently" with the transfer on the blockchain.   

The Beneficiary CASP, upon receiving the transfer, must implement effective risk-based procedures to detect if the required information is missing or incomplete. If the incoming data is deficient, the Beneficiary CASP must decide—based on the assessed risk—whether to execute, reject, return, or suspend the transfer. Furthermore, repeated failures by a counterparty to provide required information must be reported to the relevant national authority and may necessitate the termination of the business relationship with that non-compliant counterparty.
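A beneficiary-side completeness check over the data items listed above, with a per-counterparty count of deficient transfers, can look like the following. This is an added example, not code from the regulation or any vendor; the field names, the payload shape and the `repeat_threshold` value are assumptions, and the execute/reject/return/suspend decision stays with the risk-based procedure.

```python
from collections import Counter

# Hypothetical field names; the article lists data items, not a wire format.
ORIGINATOR_IDENTIFIERS = ("residential_address", "official_document_number",
                          "customer_id", "date_and_place_of_birth")

def _present(party, key):
    value = party.get(key)
    return isinstance(value, str) and value.strip() != ""

def missing_fields(payload):
    """Return the required items absent from an incoming transfer payload."""
    missing = []
    for role in ("originator", "beneficiary"):
        party = payload.get(role) or {}
        if not _present(party, "name"):
            missing.append(f"{role}.name")
        # "Address and/or account number": either one satisfies the item.
        if not (_present(party, "ledger_address")
                or _present(party, "account_number")):
            missing.append(f"{role}.ledger_address_or_account_number")
    originator = payload.get("originator") or {}
    # The originator needs at least one of the four identifying items.
    if not any(_present(originator, k) for k in ORIGINATOR_IDENTIFIERS):
        missing.append("originator.identifier")
    # The LEI is required only "where available", so its absence is not flagged.
    return sorted(missing)

class DeficiencyLog:
    """Counts deficient incoming transfers per counterparty CASP."""
    def __init__(self, repeat_threshold=3):  # assumed value, set by policy
        self.repeat_threshold = repeat_threshold
        self.counts = Counter()

    def record(self, counterparty, payload):
        missing = missing_fields(payload)
        if missing:
            self.counts[counterparty] += 1
        return missing

    def repeat_offenders(self):
        """Counterparties to escalate for reporting and relationship review."""
        return sorted(c for c, n in self.counts.items()
                      if n >= self.repeat_threshold)

# Constructed sample payloads (not real customer data).
COMPLETE = {
    "originator": {"name": "Alice Example", "ledger_address": "addr-A",
                   "customer_id": "C-1001"},
    "beneficiary": {"name": "Bob Example", "account_number": "ACC-42"},
}
DEFICIENT = {
    "originator": {"name": "Alice Example", "ledger_address": "addr-A"},
    "beneficiary": {"name": "  ", "account_number": "ACC-42"},
}
```

A blank or whitespace-only value counts as missing, which catches counterparties that send placeholder strings to pass a naive key-exists check.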

Thresholds and Scope of Application in the EU

Perhaps the most significant divergence from international norms is the EU's decision regarding transaction thresholds. While the FATF recommends a $1,000 threshold below which data requirements are less stringent, the European Union has adopted a "Zero-Threshold" policy for transfers between CASPs.   

[Figure: Infographic illustrating the EU's zero-threshold crypto regulation. Caption: The European Union’s "Zero-Threshold" policy mandates that Travel Rule obligations apply to all crypto-asset transfers between CASPs, regardless of the transaction value.]

This means that for every crypto-asset transfer facilitated by a CASP in the EU—regardless of whether the amount is ten euros or ten thousand euros—the Travel Rule obligations apply in full. The rationale for this strict stance is that the inherent nature of crypto-assets allows for "smurfing"—breaking down large transactions into many small ones to evade detection. By removing the threshold, the EU closes a loophole that has traditionally been exploited by illicit actors.   

There is one limited exception: for transfers where all service providers involved in the chain are established within the Union, the transmitted information may be restricted to the account numbers or unique transaction identifiers, provided the full information can be made available to authorities within three working days upon request. This "reduced information" rule is designed to facilitate efficiency within the single market while maintaining the capability for full investigative transparency.   

Travel Rule and Unhosted Wallets

The interaction between regulated CASPs and "unhosted wallets" (also known as self-hosted or private wallets) represents a complex regulatory frontier. An unhosted wallet is one where the user maintains sole control over the private keys.

When Unhosted Wallet Transactions Trigger Obligations

The TFR imposes mandates on CASPs when they are involved in a transaction with an unhosted address. When an EU CASP initiates a transfer to or receives one from an unhosted wallet, it must collect and hold information about both the originator and the beneficiary.

Risk-Based Controls for Interactions With Unhosted Wallets

The TFR introduces a mandatory verification step for transfers involving unhosted wallets when the amount exceeds €1,000. In these cases, the CASP must verify whether its customer actually owns or controls the unhosted address.

According to the EBA Guidelines (EBA/GL/2024/11), acceptable technical verification methods include:

  • Cryptographic Signature: The customer signs a unique message using the private key.
  • Micro-transaction (Satoshi Test): The customer sends a small, predefined amount from the unhosted wallet to the CASP.
  • Digital Signature: Utilizing qualified electronic certificates under EU law.

If the transaction is below the €1,000 threshold, the CASP must still collect the data but is not legally mandated to perform technical verification unless there is a suspicion of money laundering.
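The threshold logic and the micro-transaction (Satoshi test) method described above can be sketched as follows. This is an added example, not code from the EBA Guidelines or any CASP; the deposit record shape (`from_address`, `amount_sats`), the 1,000 to 9,999 satoshi range and the one-hour expiry are assumptions.

```python
import secrets
import time
from decimal import Decimal

VERIFICATION_THRESHOLD_EUR = Decimal("1000")  # threshold stated in the article


def verification_required(amount_eur, ml_suspicion=False):
    """Ownership check is mandatory above EUR 1,000, or on suspicion below it."""
    over = Decimal(str(amount_eur)) > VERIFICATION_THRESHOLD_EUR
    return bool(over or ml_suspicion)


class SatoshiTest:
    """One pending micro-transaction challenge for a claimed unhosted address."""

    def __init__(self, claimed_address, ttl_seconds=3600, now=None):
        self.claimed_address = claimed_address
        # Unpredictable amount so an unrelated deposit is unlikely to match.
        self.amount_sats = 1000 + secrets.randbelow(9000)
        self.expires_at = (time.time() if now is None else now) + ttl_seconds
        self.verified = False

    def check(self, deposit, now=None):
        """Accept one deposit that matches address, amount and time window."""
        now = time.time() if now is None else now
        if self.verified or now > self.expires_at:
            return False  # single use, and stale challenges are rejected
        if deposit.get("from_address") != self.claimed_address:
            return False
        if deposit.get("amount_sats") != self.amount_sats:
            return False
        self.verified = True
        return True
```

On UTXO chains a transaction can spend from several addresses, so the `from_address` value is assumed to come from a chain-analysis step that resolves the sending address before this check runs.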

How the EU Approach Goes Beyond the FATF Standard

The European Union's implementation of the Travel Rule imposes requirements that go significantly beyond the FATF minimums:

  1. Zero-Threshold Policy. Data is required for all transfers between CASPs, unlike the FATF's $1,000 "de minimis" threshold.
  2. Prescriptive Unhosted Wallet Verification. The EU mandate for technical verification at the €1,000 level is much more stringent than the general "risk-based approach" suggested by the FATF.
  3. Directly Applicable Regulation. By choosing a Regulation (TFR) over a Directive, the EU ensures a unified "Single Rulebook" across all Member States.

Travel Rule vs Other EU AML Obligations

The Travel Rule is one of three essential pillars that form the EU's regulatory perimeter for crypto-assets.

Travel Rule, AMLR, and KYC — Different but Connected Duties

[Figure: Venn diagram of three overlapping circles labeled "Transactions (TFR)", "Entities (MiCA)" and "Risks (AMLR)", with the central intersection labeled "EU Compliance". Caption: EU crypto compliance is built on three interconnected pillars: MiCA, TFR, and AMLR governing broader anti-money laundering risks.]

These three frameworks apply in parallel to form a comprehensive "compliance contour":

  • MiCA (Markets in Crypto-Assets). Governs the entities. It covers licensing, capital reserves, and governance.
  • TFR (Travel Rule). Governs the transactions. It focuses on real-time identity data transmission during transfers.
  • AMLR (Anti-Money Laundering Regulation). Governs the risks. It covers broad Customer Due Diligence (CDD) and ongoing monitoring.

These obligations work together: a CASP uses KYC (under AMLR) to identify a client at onboarding. Then, when that client sends a transfer, the CASP uses TFR protocols to share that verified identity.

What EU CASPs Should Focus on From a Compliance Perspective

CASPs must ensure that their internal compliance processes support the accurate collection, verification, and timely transmission of required originator and beneficiary information in accordance with EU regulatory obligations. Supervisory authorities expect compliance procedures to function consistently across all applicable crypto transfers, including those involving higher-risk scenarios. Key compliance priorities include:

(a) Ensuring accurate collection and transmission of originator and beneficiary information in line with Transfer of Funds Regulation requirements.

(b) Maintaining procedures that allow timely and reliable information exchange between service providers when transfers occur.

(c) Applying appropriate compliance controls and transaction monitoring processes in line with EU AML obligations, particularly for higher-risk scenarios.

Failure to comply can lead to administrative fines, license revocation, and criminal charges against executives for systemic AML failures.

Conclusion

The implementation of the EU Crypto Travel Rule establishes a global benchmark for transparency. For CASPs, compliance is a core operational requirement linked to their MiCA authorization. As the Union moves toward the 2026 unified AML framework under the supervision of the AMLA, the ability to seamlessly transmit and verify transaction data will determine the longevity of crypto businesses in the EU market.

Note: None of this information should be considered as legal, tax, or investment advice. While we’ve done our best to ensure this information is accurate at the time of publication, laws and practices may change, so please double-check it.  

FAQ

What Is the EU Crypto Travel Rule?

The EU Crypto Travel Rule is a regulatory requirement under the EU Transfer of Funds Regulation (TFR) that obliges crypto-asset service providers (CASPs) to collect and transmit originator and beneficiary information for crypto transfers.

Who Must Comply with the EU Crypto Travel Rule?

The rule applies to all Crypto-Asset Service Providers (CASPs) operating in or serving clients in the European Union, including exchanges, custodial wallet providers, and crypto transfer services.

Is the EU Crypto Travel Rule Legally Binding?

Yes. Unlike FATF Recommendations, it is a binding regulation directly applicable under EU law.

Does the EU Crypto Travel Rule Apply to All Crypto Transactions?

Yes. Under the EU Transfer of Funds Regulation, the Travel Rule applies to crypto transfers regardless of transaction size, meaning there is no minimum threshold for CASP-to-CASP transfers.

How Does the EU Crypto Travel Rule Differ from the FATF Travel Rule?

The FATF Travel Rule is a global standard, while the EU version is a stricter legal implementation that removes thresholds and imposes direct obligations.

Does the EU Crypto Travel Rule Apply to Unhosted Wallets?

CASPs have obligations when involved in transactions with unhosted wallets, particularly around risk assessment and ownership verification for transfers over €1,000.

Is the EU Crypto Travel Rule the Same as AMLR or KYC Requirements?

No. The Travel Rule governs transaction-level information sharing, while AMLR and KYC regulate customer due diligence and broader AML obligations.

How Does MiCA Relate to the EU Crypto Travel Rule?

MiCA defines who qualifies as a CASP under EU law, while the Travel Rule sets specific transaction-related obligations for those CASPs.

What Are the Main Compliance Risks for CASPs Under the EU Crypto Travel Rule?

Key risks include incomplete data transmission, failure to apply risk-based controls for unhosted wallets, and inadequate integration into the broader EU AML framework.