Crypto Travel Rule Compliance in the UK: A Practical Guide for Firms

Regulatory Counsel · March 2026 · 8 min read

Key Takeaways

  • The crypto travel rule implements FATF Recommendation 16 for virtual asset transfers, requiring cryptoasset businesses to collect and transmit originator and beneficiary information with transactions.
  • In the UK, the travel rule took effect on 1 September 2023 under the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022.
  • Firms must collect originator name, account number (wallet address) and address/date of birth/national ID. Beneficiary name and account number are required for all transfers.
  • Transfers to non-compliant jurisdictions or unhosted wallets require enhanced risk assessment — not an automatic block.
  • The FCA expects firms to demonstrate a genuine attempt to comply, including due diligence on counterparty VASPs and documented risk-based approaches for edge cases.

The crypto travel rule is the informal name for the requirement that cryptoasset businesses transmit originator and beneficiary information alongside cryptoasset transfers — mirroring the obligations that have applied to traditional wire transfers for decades. The rule implements FATF Recommendation 16 (the 'wire transfer rule') in the context of virtual assets and virtual asset service providers (VASPs). In the UK, the travel rule came into force on 1 September 2023 and applies to all FCA-registered cryptoasset businesses. This article provides a practical guide to compliance, covering the legal framework, data requirements, edge cases and FCA supervisory expectations.

What Is the Crypto Travel Rule?

The crypto travel rule requires cryptoasset businesses to collect, verify and transmit identifying information about the originator (sender) and beneficiary (recipient) of cryptoasset transfers. The purpose is to extend anti-money laundering and counter-terrorist financing (AML/CTF) controls to cryptoasset transactions, which historically allowed pseudonymous or anonymous transfers that made it difficult for law enforcement and compliance teams to trace illicit flows.

The rule derives from FATF Recommendation 16, which has applied to traditional wire transfers since 2012. The FATF extended this recommendation to virtual asset transfers in its updated guidance in 2019 and 2021, and jurisdictions worldwide have been implementing the requirement at different speeds.

UK Legal Framework

In the UK, the travel rule is implemented through the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022, which amend the Money Laundering Regulations 2017 (MLRs). Part 7A of the MLRs sets out the specific requirements for cryptoasset transfers. The regulations came into force on 1 September 2023.

The FCA is the supervisory authority for travel rule compliance by UK-registered cryptoasset businesses. The FCA has published guidance on its expectations, emphasising a risk-based and pragmatic approach while the global implementation landscape matures.

Data Requirements

Originator information. For all cryptoasset transfers, the originating firm must collect and transmit:

  • Full name of the originator
  • The originator's account number (which, for cryptoassets, is the wallet address or equivalent identifier)
  • One of: the originator's address, date of birth, place of birth, or national identity number

Beneficiary information. For all transfers, the originating firm must collect and transmit:

  • Full name of the beneficiary
  • The beneficiary's account number (wallet address or equivalent)

Verification. The originator's information must be verified before the transfer is executed. This aligns with standard CDD obligations — firms should already hold verified identity information for their customers.

Transmission timing. The originator information must be transmitted to the beneficiary institution immediately and securely alongside or before the cryptoasset transfer. The beneficiary institution must verify that the required information has been received before making funds available.

Transfers to Unhosted Wallets

Transfers to unhosted (self-hosted or non-custodial) wallets present a particular challenge because there is no receiving institution to transmit information to. The UK regulations do not prohibit transfers to unhosted wallets, but firms must:

  1. Collect the same originator and beneficiary information as for hosted-to-hosted transfers.
  2. Conduct a risk assessment of the transfer, considering whether the unhosted wallet is associated with higher-risk activity.
  3. Apply enhanced due diligence where the risk assessment indicates elevated risk — this may include requesting proof of ownership of the receiving wallet or additional information about the purpose of the transfer.
  4. Record the information collected even though it cannot be transmitted to a counterparty institution.

The FCA has emphasised that the travel rule does not require firms to block all transfers to unhosted wallets. A blanket prohibition would be disproportionate. Instead, firms must demonstrate a risk-based approach that balances AML objectives with customer access.

Transfers to Non-Compliant Jurisdictions

Many jurisdictions have not yet implemented the crypto travel rule, creating a 'sunrise issue' where UK firms cannot transmit information to counterparties in non-compliant jurisdictions because those counterparties have no obligation or infrastructure to receive it. The FCA's approach is pragmatic:

  • Firms should make reasonable efforts to identify whether the counterparty jurisdiction has implemented the travel rule and whether the counterparty VASP can receive travel rule data.
  • Where the counterparty cannot receive the data, the firm must conduct a risk assessment and consider whether the transfer can proceed based on the firm's risk appetite and the specific circumstances.
  • Firms should document their decision-making process and the factors considered.
  • The FCA does not expect firms to refuse all transfers to non-compliant jurisdictions — but it does expect firms to demonstrate genuine engagement with the risk.

Implementation: Practical Steps

Technology. Firms need a mechanism to transmit and receive travel rule data. Several protocol solutions have emerged, including the IVMS 101 messaging standard, the Travel Rule Protocol (TRP), the Travel Rule Universal Solution Technology (TRUST) network, and Notabene, Chainalysis and Elliptic compliance platforms. The choice of solution depends on the firm's size, transaction volumes and counterparty network.

Counterparty due diligence. Before transmitting customer data to a counterparty VASP, firms must conduct due diligence on that counterparty — confirming its regulatory status, data protection practices and travel rule compliance capabilities. This is both an AML requirement and a data protection obligation under UK GDPR.

Data protection. Travel rule compliance involves transmitting personal data (names, addresses, dates of birth) to counterparty institutions, potentially across borders. Firms must ensure that their data sharing arrangements comply with UK GDPR, including having appropriate legal bases for processing, conducting data protection impact assessments where required and implementing adequate safeguards for international transfers.

Record keeping. All travel rule data — both transmitted and received — must be retained for five years from the date of the transfer, consistent with standard AML record-keeping obligations.

Staff training. Compliance, operations and customer service teams must be trained on travel rule requirements, including how to handle customer queries about why additional information is being requested and how to process transfers involving unhosted wallets or non-compliant jurisdictions.

FCA Supervisory Expectations

The FCA has taken a proportionate and pragmatic approach to travel rule supervision, recognising the challenges of global implementation. Key expectations include:

  • Firms must demonstrate a genuine attempt to comply — not perfection, but good-faith implementation.
  • Risk-based approaches to edge cases (unhosted wallets, non-compliant jurisdictions) must be documented and defensible.
  • Firms should not use implementation challenges as a reason to avoid compliance entirely.
  • The FCA will increase supervisory intensity as the global implementation landscape matures.

What Firms Should Do Now

  1. Confirm that your travel rule solution is operational and capable of transmitting and receiving IVMS 101-compliant data.
  2. Review your counterparty VASP due diligence procedures — ensure you have assessed the regulatory status and travel rule capability of your key counterparties.
  3. Document your risk-based approach to unhosted wallet transfers and transfers to non-compliant jurisdictions.
  4. Conduct a data protection assessment of your travel rule data flows, including international transfers.
  5. Update AML policies and procedures to reflect travel rule requirements explicitly.
  6. Train relevant staff on travel rule procedures and customer communication.

Regulatory Context and Outlook

The crypto travel rule is a foundational element of the evolving UK cryptoasset regulatory framework. As the UK transitions from the MLR registration regime to full FSMA-based authorisation for cryptoasset activities (expected 2026–2027), travel rule compliance will become a baseline expectation for all authorised firms. The FATF continues to monitor global implementation and has indicated that jurisdictions with low compliance rates may face increased scrutiny. UK firms that have invested in robust travel rule compliance will be better positioned for the transition to the new authorisation regime.

Regulatory Counsel advises cryptoasset businesses on travel rule compliance, AML framework design and FCA registration.

Frequently Asked Questions

1 September 2023, implemented through amendments to the Money Laundering Regulations 2017.

No. Firms must conduct a risk assessment and apply enhanced due diligence where appropriate, but a blanket block is not required or expected by the FCA.

Originator name, wallet address, and address/DOB/national ID. Beneficiary name and wallet address. All information must be verified and transmitted alongside the transfer.

Firms need a protocol solution (e.g. TRUST, TRP, Notabene, or similar) capable of transmitting IVMS 101-compliant data to counterparty VASPs.
