The Crypto Travel Rule: What Accountants and CASPs Need to Know

The Crypto Travel Rule: What Accountants and CASPs Need to Know

The crypto Travel Rule requires firms that transfer crypto-assets to collect, verify and transmit information about the originator and beneficiary of each transfer, mirroring the rules that have long applied to wire payments. It stems from the Financial Action Task Force's Recommendation 16 and is now law on both sides of the Irish Sea: in the EU through the recast Transfer of Funds Regulation (Regulation (EU) 2023/1113), and in the UK through amendments to the Money Laundering Regulations that took effect on 1 September 2023. For accountants, auditors and advisers working with crypto-asset service providers (CASPs), the Travel Rule is no longer a future compliance project – it is a live operational obligation that shapes onboarding, transaction monitoring and audit risk.

Where does the Travel Rule come from?

The Travel Rule originates in FATF Recommendation 16, which requires that identifying information about the payer and payee 'travels' with a funds transfer through the payment chain. In 2019 FATF extended this expectation to virtual assets and virtual asset service providers, and jurisdictions have been implementing it at different speeds ever since.

In the European Union, the recast Transfer of Funds Regulation (TFR) was adopted alongside the Markets in Crypto-Assets Regulation as part of the same legislative package. The TFR entered into force on 29 June 2023 and became fully applicable on 30 December 2024 – the same date MiCA's CASP provisions began to apply. The two regimes are deliberately interlocking: the TFR uses MiCA's definition of a crypto-asset service provider, so any firm authorised as a CASP under MiCA is automatically within scope of the EU Travel Rule. If you are still getting to grips with the authorisation side, our guide to MiCA for finance professionals covers the licensing framework in detail.

In the UK, the Travel Rule was implemented through Part 7A of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, with obligations applying to registered cryptoasset businesses from 1 September 2023. The Financial Conduct Authority published expectations alongside the start date, including that firms remain responsible for compliance even where they outsource Travel Rule messaging to third-party providers.

What information must travel with a crypto transfer?

Under the EU TFR, the CASP of the originator must ensure that transfers of crypto-assets are accompanied by information including:

• the originator's name, distributed ledger address (where applicable) and crypto-asset account number;
• the originator's address, official personal document number, customer identification number or date and place of birth; and
• the beneficiary's name, distributed ledger address and account number.

The beneficiary's CASP must implement procedures to detect whether the required information is missing or incomplete, and must have risk-based policies for deciding whether to execute, reject, return or suspend a transfer that arrives without it. Crucially, the EU regime applies with no de minimis threshold for transfers between CASPs – the information obligations bite on every crypto-asset transfer, regardless of value. This is stricter than the treatment of traditional wire transfers and is a point that frequently surprises clients moving into the sector.

What about self-hosted wallets?

Transfers to and from self-hosted (unhosted) wallets attract their own rules. CASPs must collect and hold originator and beneficiary information for all such transfers. Where a transfer of more than EUR 1,000 is made to or from a self-hosted wallet belonging to the CASP's own customer, the CASP must verify that the customer actually owns or controls that wallet – for example through cryptographic ownership-proof methods. The European Banking Authority's 2024 'travel rule' guidelines set out how firms should approach these checks, and supervisors have made clear that simple customer self-declaration is not, on its own, an adequate verification method.

How does the UK regime differ from the EU's?

The UK rules are conceptually similar but not identical, and advisers with clients operating in both markets need to map the differences carefully:

• Scope of firms: the UK regime applies to cryptoasset businesses registered with the FCA under the MLRs, whereas the EU regime applies to MiCA-authorised CASPs.
• The 'sunrise' problem: not every jurisdiction has implemented the Travel Rule. The FCA expects UK firms to take all reasonable steps when sending transfers to jurisdictions without the rule, including collecting and storing the required information even where the counterparty cannot receive it.
• Third-party reliance: both regimes allow firms to use compliance technology vendors for Travel Rule messaging, but responsibility for compliance cannot be outsourced.

Why does the Travel Rule matter to accountants and auditors?

Even practitioners who never touch a blockchain will encounter the Travel Rule through three channels.

1. Client advisory and AML risk

Firms providing accountancy services are themselves supervised for anti-money laundering purposes, and understanding how a crypto client's Travel Rule controls operate feeds directly into the practitioner's own client risk assessment. A CASP that cannot evidence Travel Rule compliance is a red flag for the engagement as a whole.

2. Audit and assurance

Where a CASP is an audit client, Travel Rule compliance touches several assertions: completeness of transaction records, the design and operation of financial crime controls, and contingent liabilities arising from potential regulatory breach. Auditors should expect to see documented policies for missing-information transfers, evidence of counterparty due diligence on other CASPs, and records retained in line with the regulation.

3. Data for tax and reporting

Travel Rule data sits alongside the new tax transparency regimes – DAC8 in the EU and the OECD's Crypto-Asset Reporting Framework – which require service providers to report user and transaction data to tax authorities from 2026. Firms that have built robust Travel Rule data pipelines are finding the overlap reduces the marginal cost of tax reporting compliance. For the tax side of the picture, see our guide to crypto tax for UK and Irish accountants.

What should advisers be checking in 2026?

For practitioners with CASP or crypto-exposed clients, a practical review in 2026 should cover:

• Authorisation status: is the client a MiCA-authorised CASP, an FCA-registered cryptoasset business, or both – and do its Travel Rule procedures match the regime(s) it is actually subject to?
• Messaging solution: which Travel Rule protocol or vendor is used, and how are failures, timeouts and incomplete messages handled and logged?
• Self-hosted wallet controls: how does the firm identify self-hosted wallet transfers, and what verification is performed above the EUR 1,000 threshold in the EU?
• Counterparty due diligence: how does the firm assess whether a counterparty CASP can safeguard transmitted personal data?
• Record keeping: are originator and beneficiary records retained for the required period and retrievable for supervisors and auditors?

The Travel Rule is also a useful early-warning indicator: weaknesses here usually signal broader deficiencies in a firm's financial crime framework, which matters for everything from going-concern assessments to professional risk on the engagement.

Common pitfalls to watch for

Three failure modes come up repeatedly in practice. First, firms assume a value threshold exists in the EU and apply Travel Rule checks only to larger transfers – when the inter-CASP obligations apply to every transfer. Second, firms treat their messaging vendor's confirmation as the end of the matter, without testing whether the data actually transmitted is complete and accurate; the regulatory responsibility never leaves the CASP. Third, self-hosted wallet flows are under-identified, because customers withdraw to addresses the firm has not classified. Each of these is straightforward to test in an internal audit or assurance engagement, and each is the kind of finding supervisors increasingly expect firms to have caught themselves.

Study with Learnsignal

Crypto compliance is now a core competency for accountants in practice, not a niche specialism. Learnsignal's verifiable CPD courses help qualified accountants, auditors and tax advisers build practical knowledge of AML, digital assets and financial crime regulation. Explore the catalogue and keep your advisory skills ahead of the regulatory curve.