What is the Travel Rule? Crypto KYC, AML, and what exchanges must share

Every time you send crypto from one exchange to another above a certain amount, your identifying information may travel with it, shared between the platforms behind the scenes. That is the Travel Rule, a decades-old banking standard now reshaping crypto. This guide explains what it requires, why it exists, and what it means for your privacy.

The Travel Rule is an anti-money-laundering requirement that obliges financial institutions and crypto service providers to collect, share, and retain identifying information about both the sender and the recipient of a transfer above a certain value, so that the data effectively travels alongside the transaction. In the crypto context, this means that when you send digital assets above a threshold from one regulated platform to another, your platform may be required to transmit details about you, and to receive details about the recipient, behind the scenes.

The name comes from this idea of information traveling with the transfer, and the concept is not new: it has governed bank wire transfers for decades. What is new, and what makes it one of the most consequential pieces of crypto regulation in 2026, is that the same standard now applies to virtual assets, bringing crypto transfers under the kind of anti-money-laundering scrutiny long applied to traditional bank wires

For users accustomed to thinking of crypto as private or pseudonymous, the Travel Rule represents a significant shift, because it weaves identity and traceability into transfers that once felt anonymous.

Understanding the Travel Rule matters because it sits at the intersection of three related concepts that often get confused: know-your-customer checks, anti-money-laundering frameworks, and the specific obligation to share counterparty information on transfers. It also has real, practical consequences for how exchanges operate, what information they must gather from you, and how much privacy you can expect when moving crypto between regulated platforms.

This guide explains where the Travel Rule came from, how it was extended to crypto, exactly what information must be shared and how, who is covered and who is not, the wide variation in thresholds across countries, how the rule fits together with know-your-customer and anti-money-laundering obligations, a concrete worked example, and the genuine limits and privacy questions the rule raises.

The goal is to give you a clear picture of a regulation that increasingly shapes the everyday experience of using crypto, without either downplaying its reach or exaggerating its grip.

Where the Travel Rule came from

The Travel Rule did not begin with crypto; it began with banks, and its history explains both its logic and its name. In the United States, the rule traces back to the Bank Secrecy Act, the long-standing law designed to combat money laundering, and to guidance issued by the Financial Crimes Enforcement Network in the 1990s.

For decades, banks have been required to include identifying information, such as names and account numbers, when they pass funds from one institution to another in a wire transfer above a certain amount. The purpose was straightforward: by making identifying information travel with the money, regulators gained the ability to trace funds and flag suspicious activity, creating an auditable trail that makes it harder for illicit money to move undetected through the financial system. This original Travel Rule applied to traditional financial institutions and the wires they sent between one another.

When cryptocurrency emerged, and transactions began happening globally and at scale, regulators recognized that the same money-laundering risks applied, and that crypto’s pseudonymity could make it attractive for moving illicit funds.

The body that drove the extension to crypto is the Financial Action Task Force, an international organization that sets anti-money-laundering standards that countries around the world adopt into their own laws. In 2019, the Financial Action Task Force updated its guidance, specifically a provision known as Recommendation 16, to make clear that the Travel Rule should apply to virtual assets and to the businesses that handle them.

This extension meant that crypto exchanges, custodians, and similar providers would need to follow rules similar to those long applied to banks, collecting and sharing sender and recipient information on qualifying transfers. The guiding principle the Financial Action Task Force articulated was same risk, same rules: activities that carry similar money-laundering risks should face similar standards regardless of the technology involved.

Since 2019, countries have been writing their own versions of the crypto Travel Rule into national law, which is why the rule now exists worldwide but with meaningful variations from one jurisdiction to the next.

What information must be shared, and how

The substance of the Travel Rule is the specific information that must accompany a qualifying transfer, and understanding it clarifies what the rule actually does. When a transfer crosses the relevant threshold, the service provider of the sender, often called the originator, must share identifying details about that sender with the service provider of the recipient, often called the beneficiary, and in turn receive the beneficiary’s details. The information typically includes the names of both parties, their account or wallet identifiers, and, in some cases, additional details such as a physical address or an identification number. The aim is to attach a verifiable identity to both ends of the transfer so that, if needed, authorities can trace who sent value to whom.

A point that often surprises people is where this information goes, and the answer is that it does not go on the blockchain. The Travel Rule data is shared off-chain, through secure messaging channels directly between the two service providers, rather than being written into the public ledger. This design preserves the efficiency and privacy characteristics of the blockchain transaction itself while still meeting the compliance requirements, since the sensitive personal information moves through a separate, private channel between the regulated institutions. To make this work across a global industry, the sector has developed standardized messaging formats and protocols that let different providers exchange the required data reliably, along with services that help a provider verify the identity of the counterparty institution before sending personal information to it.

These solutions address a genuine technical challenge: a provider must confirm that the receiving institution is who it claims to be and can handle the data securely before transmitting a customer’s personal details, because sending such information to the wrong party would itself be a serious problem. The result is an off-chain layer of identity infrastructure running alongside the on-chain transactions, invisible to most users but increasingly central to how regulated crypto transfers work.

Who is covered and who is not

A crucial question for any user is whether the Travel Rule applies to them, and the answer depends on whether a regulated intermediary is involved. The rule applies to the businesses that handle crypto on behalf of customers, known in the relevant frameworks by various labels: virtual asset service providers, crypto-asset service providers, or money services businesses, depending on the jurisdiction. The covered entities include crypto exchanges, custodial wallet providers, over-the-counter trading desks, crypto payment processors, and regulated financial institutions that deal in digital assets. The common thread is that these are intermediaries that accept and transmit customer value, and the obligation falls on them, not on individual users directly, though the practical effect is that users of these services must provide the identifying information the providers are required to collect and share.

Equally important is what the Travel Rule does not cover. It generally does not apply to direct peer-to-peer transfers between two private, self-hosted wallets, sometimes called unhosted wallets, where no regulated intermediary is involved, because there is no service provider in the middle to collect and transmit the data. That said, the picture is more nuanced at the edges: when a regulated provider sends funds to or receives funds from an unhosted wallet, the provider may still be required to collect information about the transfer even if it cannot share it with a counterparty institution that does not exist.

Decentralized finance protocols and other non-custodial services occupy a genuinely ambiguous space because they often lack a clear intermediary to bear the obligation, and regulators are actively exploring how, or whether, to extend the rules to them. For most ordinary users, the practical takeaway is that transfers between regulated exchanges and custodial services are squarely within the rule’s scope and will involve information sharing, while transfers between two wallets you control personally generally are not, even as the boundaries around decentralized and self-custodied activity remain unsettled and under regulatory review.

How thresholds vary around the world

One of the most important practical features of the Travel Rule is that there is no single global threshold or authority; instead, each jurisdiction sets its own rules, and the variation is substantial. In the United States, the Travel Rule derives from the Bank Secrecy Act and is enforced by the Financial Crimes Enforcement Network, with a long-standing threshold of three thousand dollars for the obligation to attach identifying information, although proposals have circulated to lower that figure significantly for international transfers.

The European Union has taken the strictest approach through its Transfer of Funds Regulation, which took effect at the end of 2024 and applies a zero threshold to crypto transfers, meaning that every single crypto transfer between providers, regardless of amount, requires full Travel Rule compliance. This regulation operates alongside the broader Markets in Crypto-Assets framework, together forming Europe’s comprehensive crypto compliance regime across all member states.

Other major jurisdictions fall at various points along this spectrum. The United Kingdom introduced its own Travel Rule requirements in 2023, applying them to all transfers regardless of amount. Canada enforces the rule through its financial intelligence agency with a threshold of around 1,000 Canadian dollars, making it relatively strict. Switzerland has adopted one of the toughest versions, requiring firms to identify both parties even for amounts below the thresholds used elsewhere, reflecting its emphasis on strict financial oversight. 

Several Asian financial centers, including South Korea, Singapore, and Hong Kong, have implemented firm Travel Rule obligations, often pushing the industry toward standardized compliance technology, while other regions are still developing their frameworks. For users and businesses operating across borders, this patchwork is a genuine challenge, because the same transfer might be subject to full compliance in one jurisdiction and none in another, and a provider serving customers in multiple countries must navigate the strictest applicable requirements. The variation is not a sign of confusion so much as a reflection of how recently and unevenly the global standard has been adopted into national law.

How the Travel Rule fits with KYC and AML

The Travel Rule is often mentioned alongside know-your-customer and anti-money-laundering obligations, and clarifying how the three relate helps make sense of the broader compliance picture. Anti-money-laundering, usually shortened to AML, is the umbrella framework, the overall body of laws and practices designed to prevent the financial system from being used to launder the proceeds of crime or finance illicit activity. Within that framework sit specific obligations, and two of the most important are know-your-customer checks and the Travel Rule, which address different points in the lifecycle of a customer relationship and a transaction.

Know-your-customer, or KYC, refers to the process by which a service provider verifies the identity of its own customers, typically at the point of onboarding, by collecting documents and information to confirm who they are. It answers the question of whether the provider knows who its customer is. The Travel Rule addresses a different moment: it governs what happens when that customer makes a transfer, requiring the provider to share the customer’s identifying information with the counterparty provider on the other end of a qualifying transaction.

In other words, know-your-customer confirms identity at the door, while the Travel Rule makes that identity information move with transfers between institutions. The two interlock, because the provider can only share accurate sender information under the Travel Rule if it has properly verified that sender through know-your-customer in the first place. Sanctions screening adds a further layer, since providers must also check the parties to a transfer against sanctions lists to avoid processing transactions for prohibited persons.

Together, these obligations form a connected compliance system: know-your-customer identifies the customer, the Travel Rule shares that identity across transfers, sanctions screening checks it against prohibited lists, and the whole apparatus serves the overarching anti-money-laundering goal of keeping illicit funds out of the system.

A worked example: a transfer between two exchanges

A simple example makes the mechanics tangible. Suppose you hold Bitcoin on one regulated exchange, call it Exchange A, and you want to send an amount worth more than the applicable threshold, say more than $3,000  in a jurisdiction using that figure, to your account on another regulated exchange, Exchange B. When you initiate the transfer, the Bitcoin itself moves on the blockchain from Exchange A’s systems toward Exchange B’s, exactly as any Bitcoin transaction would. That part is visible on the public ledger, as Bitcoin transactions always are. What happens alongside it, invisibly to you, is the Travel Rule compliance.

Because the transfer exceeds the threshold and both ends involve regulated service providers, Exchange A is required to transmit your identifying information, as the originator, to Exchange B, and Exchange B, in turn, provides information about the beneficiary account. This exchange of data happens off-chain, through a secure messaging channel between the two exchanges, using a standardized format so that each can reliably read the other’s data. Before sending your personal details, Exchange A verifies that Exchange B is a legitimate, identifiable institution capable of receiving the information securely. Exchange B, on receiving both the Bitcoin and your information, can match the incoming transfer to the data and complete its own compliance checks, including screening against sanctions lists. From your perspective, you simply sent Bitcoin from one exchange to another, perhaps noticing only that both required your identity to be verified when you signed up.

Behind that ordinary experience, however, your identifying information traveled with the transfer between the two regulated institutions, which is the Travel Rule working exactly as intended. Had you instead sent the same Bitcoin from one personal wallet you control to another, with no exchange involved, the Travel Rule would generally not have applied, because there would have been no regulated intermediary to carry the obligation. 

Limits, gaps, and privacy considerations

For all its expanding reach, the Travel Rule has genuine limits and raises real questions, and an honest account should address them directly. The most discussed structural limit is what experts call the sunrise problem, which describes the uneven pace at which jurisdictions have adopted Travel Rule requirements. Because some countries enforce the rule fully while others have not yet implemented it, providers in jurisdictions without requirements may delay building compliance systems, creating gaps in the global information-sharing network the rule is meant to build. This patchwork reduces the incentive for universal adoption and means the rule’s effectiveness depends on how widely and consistently it is enforced, which remains a work in progress.

A determined bad actor can still seek out jurisdictions or services where the rule does not yet bite, which is precisely the kind of gap a global standard is supposed to close but has not fully closed.

The most significant concern for ordinary users, however, is privacy. The Travel Rule, by design, reduces the anonymity once associated with crypto, requiring that identifying information be collected, shared between institutions, and retained. This raises legitimate questions about data security, because personal information that is collected and transmitted can be exposed if a provider suffers a breach or if the data is mishandled, and the more institutions hold and share such data, the larger the potential attack surface.

Some users see the loss of financial privacy as a genuine drawback, while supporters argue that the same information sharing builds trust in platforms and aligns crypto with established financial standards, making it safer and more acceptable to mainstream institutions and regulators. There is also the unresolved tension around decentralized finance and self-custody, where applying a rule built for intermediaries to systems designed to operate without them remains genuinely difficult, and where overly aggressive extension could undermine the permissionless qualities that give those systems their value.

The honest summary is that the Travel Rule is a serious, expanding compliance obligation that brings real benefits in combating illicit finance and real costs in privacy and complexity, and that its boundaries, particularly around unhosted wallets and decentralized protocols, are still being worked out. For users, the practical reality is that moving crypto between regulated platforms now comes with identity sharing attached, and that is unlikely to reverse.

Frequently Asked Questions

This article is educational information, not legal or financial advice. Travel Rule requirements, thresholds, and enforcement vary by jurisdiction and reflect information available as of June 26, 2026, and can change. The treatment of self-hosted wallets and decentralized finance in particular remains unsettled. Verify the current rules in your jurisdiction from primary sources, and consult a qualified professional for guidance on your specific situation.