AML/KYC Requirements for Tokenization Platforms: FATF Travel Rule Guide
The FATF Travel Rule is the single most operationally complex AML compliance obligation facing tokenization platforms. Transferring originator and beneficiary information between virtual asset service providers — in real time, across incompatible technical standards, before blockchain settlement — has no clean solution. But regulators have run out of patience with delay.
- The FATF Travel Rule — originally applied to wire transfers under FATF Recommendation 16 — has been extended to virtual asset transfers since FATF's June 2019 guidance update. The rule requires originating VASPs to transmit originator and beneficiary information to receiving VASPs for transfers at or above $1,000/€1,000.
- Technical implementation remains fragmented. The three primary protocols — TRISA, Notabene's OpenVASP, and the IVMS 101 data standard — are interoperable in theory but require bilateral technical integration in practice. No universal Travel Rule network covers the full VASP ecosystem.
- The "sunrise problem" — the asymmetry between VASPs in Travel Rule-implementing jurisdictions and those in non-implementing jurisdictions — has driven many compliant VASPs to adopt risk-based blocking of transfers to/from non-compliant counterparties.
- Unhosted wallet transfers present the hardest compliance challenge. FATF guidance requires VASPs to apply enhanced due diligence to transfers involving unhosted wallets, and some jurisdictions (Singapore, Switzerland) impose specific requirements for collecting and retaining originator information for transfers to/from unhosted wallets.
Anti-money laundering and know-your-customer compliance for tokenization platforms begins with a threshold question that differs from traditional finance: is the activity within the FATF-defined perimeter for virtual asset service providers? If yes, the full AML framework applies — and that framework has grown substantially more demanding since FATF’s 2019 expansion of its VASPs guidance. If the activity falls outside the VASP perimeter (for example, a non-custodial protocol with no service provider intermediary), different considerations apply, though regulatory pressure to bring decentralized finance within the AML perimeter is mounting.
FATF’s Virtual Asset Framework
The Financial Action Task Force updated its Recommendations to cover virtual assets and virtual asset service providers in June 2019, with further guidance published in October 2021 and subsequent Q&As. The foundational document — the FATF Guidance for a Risk-Based Approach to Virtual Assets and VASPs — is available at fatf-gafi.org.
VASP definition: A virtual asset service provider is any natural or legal person who is not covered elsewhere under FATF Recommendations and conducts, as a business, one or more of: exchange between virtual assets and fiat currencies; exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping and/or administration of virtual assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of virtual assets.
Tokenization platforms that custody assets, facilitate exchanges, or transfer tokens between accounts are VASPs under FATF’s definition. This classification is not discretionary — it is a functional analysis, and a platform cannot escape VASP status by labeling itself as infrastructure rather than a service provider.
Core AML/KYC Obligations for VASPs
FATF Recommendations 10 through 21 apply to VASPs. The core obligations are:
Customer due diligence (CDD): VASPs must identify and verify their customers using reliable, independent source documents, data, or information. For institutional clients, beneficial ownership identification to the natural person level is mandatory. CDD must be conducted before establishing a business relationship and must be updated on an ongoing basis.
Enhanced due diligence (EDD): Higher-risk customers — PEPs, customers from high-risk jurisdictions, customers with unusual transaction patterns, customers who cannot provide adequate documentation — require enhanced scrutiny, including senior management approval for onboarding, enhanced monitoring, and more frequent CDD refresh cycles.
Transaction monitoring: VASPs must monitor transactions on an ongoing basis to detect unusual patterns. This includes blockchain analytics — the use of chain analysis tools to identify wallet addresses associated with sanctioned entities, known illicit activity, or high-risk sources.
Suspicious transaction reporting (STR): VASPs must report suspicious transactions to the national financial intelligence unit (FIU). The reporting threshold and format vary by jurisdiction, but the obligation to report is universal among FATF member countries.
Sanctions screening: VASPs must screen customers and transactions against sanctions lists — including OFAC (US), UN Security Council, EU consolidated list, and OFSI (UK) — before and during transactions. Blockchain transaction screening against sanctioned addresses (e.g., OFAC SDN list entries for Tornado Cash, SUEX, and others) is a specific operational requirement.
The FATF Travel Rule: Recommendation 16 Applied to VASPs
FATF Recommendation 16 — the “Travel Rule” — originally applied to wire transfers in traditional banking. It requires that originating financial institutions transmit specified information about the originator and beneficiary to the next financial institution in the payment chain, and that receiving institutions verify and retain this information.
FATF’s 2019 guidance extended Recommendation 16 to virtual asset transfers. VASPs must:
Obtain, hold, and transmit the following originator information for virtual asset transfers at or above the threshold:
- Name of originator
- Originator account number (or wallet address used for the transaction)
- Geographic address, national identity number, customer identification number, or date and place of birth
Obtain and hold the following beneficiary information:
- Name of beneficiary
- Beneficiary account number (or wallet address)
Transmit both originator and beneficiary information to the receiving VASP immediately and securely, before or simultaneously with the virtual asset transfer.
The threshold in FATF’s recommendation is USD/EUR 1,000 for a single transaction, or where the transaction is the result of several operations linked to each other, in aggregate. Below this threshold, VASPs must still collect originator and beneficiary account numbers.
The Sunrise Problem
The “sunrise problem” describes the asymmetry that arises when some VASPs are in jurisdictions that have implemented the Travel Rule and others are not. A VASP in Singapore (Travel Rule operative since April 2020) that wishes to transfer assets to a VASP in a non-implementing jurisdiction faces a practical dilemma: it cannot fulfill its Travel Rule obligation if the receiving VASP is not registered in any Travel Rule network and cannot receive Travel Rule messages.
Regulatory responses to the sunrise problem include:
Risk-based blocking: Several major VASPs block transfers to/from VASPs in non-implementing jurisdictions, or apply EDD sufficient to compensate for the inability to transmit Travel Rule information.
Intermediate solutions: Some VASPs use batch or post-transaction Travel Rule transmission where real-time transmission is technically impossible — accepting the compliance gap while documenting reasonable efforts.
FATF’s position: FATF has acknowledged the sunrise problem and asked implementing jurisdictions to be proportionate in enforcement during the implementation transition. However, FATF has signaled that the transition period has effectively ended, and mature VASP ecosystems are expected to demonstrate full Travel Rule compliance.
Technical Implementation: TRISA, Notabene, and IVMS 101
Three primary technical approaches have emerged for Travel Rule compliance:
TRISA (Travel Rule Information Sharing Architecture): An open-source, peer-to-peer protocol for Travel Rule message exchange. VASPs register in the TRISA directory, enabling counterparty discovery and encrypted, authenticated message exchange. TRISA is governed by the TRISA Working Group and has been adopted by several major exchanges and custodians.
Notabene (OpenVASP-compatible): A commercial Travel Rule compliance platform that provides VASP directory services, message exchange infrastructure, and risk scoring for counterparty VASPs. Notabene operates across multiple protocols, providing interoperability between VASPs using different technical standards.
IVMS 101 data standard: The InterVASP Messaging Standard 101 defines the data elements required for Travel Rule compliance in a standardized format. IVMS 101 is the closest thing to a universal data standard for Travel Rule messages, endorsed by FATF and adopted by most major Travel Rule solution providers. It is not itself a communication protocol but provides the message content specification that protocols like TRISA and OpenVASP carry.
Interoperability: TRISA and Notabene can exchange messages with each other via IVMS 101 — but technical integration between any two VASPs requires active effort on both sides. A VASP cannot simply join one network and assume interoperability with all other VASPs. The counterparty discovery problem — finding the Travel Rule endpoint for a given wallet address — remains partially unsolved.
Jurisdiction-by-Jurisdiction Implementation Status
| Jurisdiction | Travel Rule Status | Threshold | Operative Since | Key Requirement |
|---|---|---|---|---|
| Singapore | Implemented | SGD 1,500 (~USD 1,100) | April 2020 (MAS PS Act) | All licensed DPT service providers |
| EU (MiCA/TFR) | Implemented | €0 (no de minimis) | Dec 30, 2024 | Transfer of Funds Regulation extended to crypto |
| United Kingdom | Implemented | £1,000 | September 2023 | FCA registered VASPs |
| United States | Implemented (FinCEN) | $3,000 (current) | 2020 (NPRM to lower to $250 pending) | MSBs including VASPs |
| Switzerland | Implemented | CHF 1,000 | January 2020 | FINMA-supervised intermediaries |
| Japan | Implemented | JPY 100,000 (~USD 670) | 2022 | JFSA registered VASPs |
| Hong Kong | Implemented | HKD 8,000 (~USD 1,000) | January 2024 | SFC-licensed VATPs |
| Dubai (VARA) | Implemented | AED 3,500 (~USD 1,000) | 2023 | VARA-licensed entities |
| South Korea | Implemented | KRW 1,000,000 (~USD 750) | 2022 | FSSC registered VASPs |
EU Note: The EU Transfer of Funds Regulation was extended to crypto-assets in June 2023. Unlike FATF’s $1,000 threshold recommendation, the EU applies the Travel Rule to all crypto-asset transfers regardless of amount — there is no de minimis. This is among the most demanding implementations globally and has required significant systems upgrades by MiCA-regulated CASPs.
Unhosted Wallets: The Hardest Problem
Unhosted (or “self-hosted”) wallets — wallets where the private key is held by the user rather than a VASP — present the most complex AML compliance challenge. When a VASP sends assets to an unhosted wallet, there is no receiving VASP to receive Travel Rule information. When a customer deposits from an unhosted wallet, the VASP cannot verify the source.
Regulatory approaches:
Singapore: Requires VASPs to obtain and record originator information for transfers to/from unhosted wallets, including verifying that the customer controls the unhosted wallet (e.g., through a small test transaction or cryptographic proof of address ownership).
EU (TFR): For transfers to/from unhosted wallets above €1,000, VASPs must collect information about the unhosted wallet owner and assess whether additional verification is needed. CASPs must conduct enhanced monitoring of transactions involving unhosted wallets.
Switzerland: FINMA requires VASPs to collect identification information about the owner of an unhosted wallet for all transfers — not just those above a threshold.
Blockchain analytics: Virtually all compliant VASPs now use on-chain analytics tools (Chainalysis, Elliptic, TRM Labs) to score unhosted wallet addresses for risk before and after transactions. Transfers from high-risk addresses — those associated with dark markets, mixers, or known illicit activity — are typically flagged for manual review or blocked outright.
FATF’s Evolving DeFi Guidance
FATF has published updated guidance on DeFi and has maintained that the “person” operating a DeFi protocol — whether a developer, governance body, or DAO — may be a VASP if they have sufficient control over the protocol. This position remains contested but has been adopted, with varying interpretations, by several national regulators.
For tokenization platforms deploying automated market maker or lending protocols, the question of whether the protocol’s operators are VASPs — and therefore subject to CDD, Travel Rule, and STR obligations — is an active regulatory risk that requires specific legal analysis in each relevant jurisdiction.
For the broader regulatory framework applicable to tokenization platforms, see MiCA regulation and digital asset custody regulation. For the MiCA market abuse rules covering crypto-asset trading platforms, see MiCA market abuse rules.
External references: FATF Guidance on Virtual Assets | ESMA MiCA | MAS Digital Payment Tokens | FSB Crypto-Assets
Subscribe for full access to compliance intelligence across all 7 analytical lenses, including licensing guides, jurisdiction benchmarks, and enforcement trackers.
Subscribe from $29/month →