Regulators leave gaps in crypto ‘Travel Ruleʼ implementation

Global regulators are leaving “considerable gaps” in implementing the so-called Travel Rule in the cryptocurrency sector, according to a report by the Financial Action Task Force (FATF).

The Travel Rule is an international standard designed to combat illicit financing, requiring financial institutions to record information on both the payee and the payer for peer-to-peer cross-border payments above 1,000 US dollars or euros.

According to the June report, 18 out of 117 jurisdictions (15%) surveyed have neither passed, nor are in the process of passing, legislation to implement the Travel Rule for digital asset service providers, while only 14 jurisdictions are processing laws.

The report also highlighted regulators’ “continued struggle” to identify digital assets providers in their jurisdictions.

Rory Doyle, head of financial crime policy at financial software provider Fenergo, told Compliance Corylated that a “global rollout of the Travel Rule” would also be essential to mitigate anti-money laundering and countering the financing of terrorism (AML/CFT) risks emerging from crypto firms.

“For the industry to truly get a handle on money laundering and terrorist financing via crypto, these standards must be applied consistently and globally. Without them, crypto continues to offer gaps in compliance that bad actors can exploit,” he explained.

The crypto sector needs the same level of scrutiny as correspondent banking relationships, Doyle added.

Recommendation 16

While the FATF extended its global standards on AML/CFT to digital assets in 2019, on June 18, 2025, it introduced additional requirements for the Travel Rule under Recommendation 16.

The new requirements seek to clarify responsibilities within the payment chain, standardise the information accompanying payments — such as name, address and date of birth — and introduce tools to protect against fraud and error. Exemptions remain for payments made using credit, debit or prepaid cards for the purchase of goods or services.

The changes will come into effect by the end of 2030.

Cross-border efforts

The report also highlighted the need for “international cooperation” and “public-private initiatives” to address financial crime risks. For example, it found cases of money-laundering networks that collect funds in one jurisdiction, withdraw them in another and reinvest them in illicit businesses.

This highlighted the importance of information sharing and the cross-border ability to freeze and seize assets in other jurisdictions, the FATF said.

Under the Markets in Crypto-Assets Regulation (MiCA), all EU-based organisations are required to comply with the Travel Rule, which includes the obligation to collect and share information on payee and the payer.

However, Fenergo’s Doyle also noted: “A bigger hurdle now is not passing new rules – FATF has set the standard, the EU framework takes effect this December, and the UK has required compliance since September 2023 – but making sure those rules are enforced in tandem across borders so criminals can’t exploit the cracks.

“The issue is much broader; regulations need to keep pace with innovation and apply across borders to be truly effective.”

Automating compliance

Asked about potential solutions, Doyle said the use of artificial intelligence (AI) could ease compliance efforts in smaller firms. “There’s been a huge increase in the volume of [compliance] work, especially as the number of regulated entities has surged in recent years — and all are subjected to client due diligence (CDD) obligations. Yet the number of staff available to meet these obligations has not kept pace.

“The only sustainable way forward is to adopt modern technologies, such as AI-driven analytics, automated transaction monitoring and biometric identity verification, to stay compliant,” he said.

However, the European Banking Authority (EBA) also said in its latest opinion that smaller financial institutions should not adopt regulatory technology (regtech) as “off-the-shelf” solutions, as this could lead to further compliance failures.