FATF Travel Rule for Self-Custody Crypto Holders — 2026 Explainer

The Financial Action Task Force (FATF) Travel Rule — formally Recommendation 16 applied to crypto — requires Virtual Asset Service Providers (VASPs) worldwide to collect and exchange originator and beneficiary information for crypto transfers above a defined threshold. By 2026, most jurisdictions implementing FATF guidance have settled on a USD 1,000 threshold. This guide explains what the Travel Rule means for self-custody holders, what data flows between VASPs, why your CEX asks for source-of-funds documentation, and how pre-transfer AML screening fits the picture.

What FATF Recommendation 16 actually requires

Recommendation 16 was originally written for wire transfers in the traditional banking system. In 2019, FATF clarified that it applies to "virtual asset transfers" between VASPs. The core obligation: when a VASP transfers virtual assets above the threshold on behalf of a customer, it must transmit identifying information about the originator (the sender) to the beneficiary's VASP, and the beneficiary's VASP must hold corresponding identifying information about the beneficiary.

The data set typically includes:

• Originator — name, account identifier (wallet address), physical address or national identification number, date and place of birth.
• Beneficiary — name, account identifier (wallet address).

Both VASPs must perform sanctions screening on this data before completing the transfer. This is where AML screening enters the workflow as a Travel Rule prerequisite, not just a separate compliance check.

Implementation thresholds by jurisdiction

FATF sets recommendations; jurisdictions implement. The threshold has converged toward USD 1,000 equivalent but varies:

• United States — USD 3,000 under FinCEN guidance (historically; the Notice of Proposed Rulemaking has discussed lowering this).
• European Union — EUR 1,000 under the EU Transfer of Funds Regulation 2023/1113. Read MiCA EU crypto AML for self-custody.
• United Kingdom — GBP 1,000 under amendments to the Money Laundering Regulations.
• Singapore — SGD 1,500 under MAS guidance.
• Switzerland — CHF 1,000 under FINMA AMLO-FINMA.
• Japan — JPY 100,000 (roughly USD 700) under JFSA guidance.

The practical effect for cross-border transfers: the lowest applicable threshold across the originator and beneficiary jurisdictions tends to apply, because both VASPs must comply with their own regulators.

Self-custody wallet transfers under the Travel Rule

The Travel Rule was written assuming both parties are VASPs. Crypto introduces the self-hosted wallet case, where one side of the transfer is an individual self-custody holder rather than a regulated entity. FATF and jurisdictional implementations address this with varying approaches:

VASP-to-self-custody (you withdrawing to your wallet)

When you withdraw above the threshold from a VASP to your self-custody wallet, the VASP must verify that the destination address belongs to you. This may include screening the address, asking you to confirm ownership via signed message, or applying enhanced due diligence. The level of scrutiny depends on the jurisdiction.

Self-custody-to-VASP (you depositing to a CEX)

When you deposit above the threshold from your self-custody wallet to a VASP, the VASP must collect identifying information about the originating wallet's owner (you), screen the sending address against sanctions lists, and document the source of funds. This is the most common point where self-custody holders encounter Travel Rule effects in practice. Read prevent CEX deposit freezes.

Self-custody-to-self-custody (peer-to-peer)

Direct transfers between self-custody wallets are not subject to Travel Rule data exchange (there is no VASP intermediary). However, sanctions screening obligations may still apply at the individual level depending on jurisdiction. In the US, OFAC sanctions are absolute regardless of intermediary; sending to a sanctioned address is a violation even from a self-hosted wallet. Read OFAC crypto wallet sanctions.

What VASPs actually do at the Travel Rule decision point

1. Receive the transfer request — from the customer (originator) or as inbound to a deposit address.
2. Identify the counterparty side — is it a VASP, a self-hosted wallet, or unclassified?
3. Collect required data — from the customer (sender) or from a Travel Rule data exchange protocol (TRP, OpenVASP, Sumsub Travel Rule, Notabene, etc.) if VASP-to-VASP.
4. Screen all parties — against sanctions, PEP, and risk databases.
5. Risk decision — proceed, request additional documentation, hold, or reject.
6. Execute — or hold pending further review.

The Travel Rule's friction points for self-custody holders

Identity verification on first deposit

Most VASPs require KYC at account opening, which satisfies the originator/beneficiary identification requirement for the holder's own account. The friction emerges when the self-hosted wallet sending to or receiving from the VASP cannot be cleanly tied to a verified identity.

Pre-deposit sanctions screening

VASPs run the sanctions screen before crediting the deposit. A flagged sending address leads to a hold. The hold lasts until source-of-funds documentation is provided and the screen is cleared. Pre-deposit screening on your side catches the same flags 3 to 14 business days earlier.

Withdrawal address verification

Withdrawing crypto to a new self-custody address may require a small-amount test transaction first, plus signed-message verification of ownership. This is increasingly standard at EU and Singapore-licensed CASPs.

OTC and B2B settlements

OTC desks operating as VASPs must perform Travel Rule data exchange with the counterparty VASP. For B2B settlements between two VASP customers, the data exchange happens VASP-to-VASP. For settlements involving a self-custody operator, additional documentation is requested.

What the Travel Rule does NOT do

The Travel Rule is not a transaction ban. It does not require disclosure of every wallet you hold to the government. It does not give VASPs unlimited authority to deny transactions. What it requires is information collection and screening at the VASP layer for transfers above the threshold.

For self-custody-to-self-custody transfers, the Travel Rule does not apply directly (no VASP). For below-threshold transfers, the Travel Rule does not apply (though some VASPs implement stricter internal policies). For above-threshold transfers involving at least one VASP, Travel Rule data flows. None of this changes the underlying transaction.

How AegisAML fits a self-custody Travel Rule workflow

AegisAML is not a Travel Rule data-exchange tool. It is a pre-transfer AML screening tool. The categorical screening it performs — sanctions match, mixer proximity, hack-cluster exposure — is the same screening VASPs run as part of their Travel Rule compliance. By running the screen yourself before the transfer, you:

• Catch flags before they trigger a VASP hold.
• Generate timestamped documentation to provide to the VASP if asked.
• Make informed decisions about whether to proceed with the transfer.
• Avoid sending to sanctioned destinations regardless of VASP screening.

For VASPs themselves, AegisAML is not a replacement for institutional infrastructure (Chainalysis KYT, Notabene Travel Rule, Sumsub). For self-custody holders interacting with VASPs, it is the missing pre-transfer screen that the VASPs do not extend to non-customers.

Frequently asked questions

Does the Travel Rule apply to me as an individual self-custody holder?

Not directly. The Travel Rule binds VASPs, not individuals. But when you interact with a VASP (CEX deposit, withdrawal, OTC settlement through a VASP), the VASP applies the Travel Rule to your transfer. You are not exempt by being a self-custody holder; you simply are not the regulated party.

What happens if I deposit slightly under the threshold?

Below-threshold transfers do not trigger Travel Rule data exchange. However, VASPs typically apply some level of screening on all deposits regardless of threshold, and structuring (splitting transfers to evade the threshold) is treated as a separate risk indicator. Repeated sub-threshold transfers from the same source may aggregate at the VASP's discretion.

Can I withdraw to a non-KYC exchange?

VASPs increasingly maintain lists of "high-risk counterparty exchanges" and decline transfers to them. The list is not publicly published but converges around exchanges with weak KYC and historical association with laundering. Read prevent CEX deposit freezes for context.

Does the Travel Rule require my wallet address to be public?

No. The Travel Rule requires data exchange between VASPs, not public disclosure. The originator and beneficiary information is held by the respective VASPs and shared only between them and with relevant authorities upon legal request.

Related regulatory and compliance guides

For EU-specific Travel Rule implementation, read MiCA EU crypto AML for self-custody. For OFAC sanctions which apply globally for US persons, read OFAC crypto wallet sanctions check. For the practical operational outcome of these regulations on your deposits, read prevent CEX deposit freezes.