In Berlin in April 2026, a retail user on a licensed EU exchange taps Withdraw, enters a Ledger address, and types in an amount just over a thousand euros. The next screen is not a confirmation. It is a form. The exchange wants the beneficiary's full name. It asks whether the user controls the destination wallet. And it offers two ways to prove it: sign a message with the private key, or send a small, specified amount back from the wallet to an address the exchange provides. Only after one of those steps completes does the withdrawal queue.
That screen is the Travel Rule, made visible.
What the Travel Rule actually is
The Travel Rule began life as Financial Action Task Force (FATF) Recommendation 16, a standard that required originator and beneficiary information to "travel" alongside traditional fiat wire transfers. FATF — the intergovernmental body whose anti-money-laundering standards most developed economies adopt by reference — extended the rule to cover Virtual Asset Service Providers (VASPs) in June 2019. A VASP is any business that custodies, exchanges, or transfers crypto on behalf of customers; in the EU the equivalent licensed term is Crypto-Asset Service Provider (CASP).
The rule is simple in principle and awkward in practice: before or during a crypto transfer between two VASPs, the sending firm must hand the receiving firm a package of identifying data about both parties. FATF's recommended de minimis threshold is USD or EUR 1,000, above which full identifying information is expected. Below it, a lighter data set is still required. Jurisdictions are free to set their own limits, and many have gone lower.
As of January 2026, 85 of 117 FATF-assessed jurisdictions have passed or are passing Travel Rule legislation for virtual assets, up from 65 in 2024. Forty-two have fully implemented it. FATF updated Recommendation 16 itself in June 2025 to further standardise cross-border payment information requirements, and national rollouts of that update are still in progress.
How jurisdictions implement it: a threshold map
The headline number changes dramatically depending on where a user happens to be signing in from, which is why the global regulatory map for 2026 matters so much for day-to-day UX.
The European Union's Transfer of Funds Regulation (TFR), formally Regulation (EU) 2023/1113, sets the tightest bar. It came into force on 30 December 2024 after an 18-month grace period and applies a €0 threshold for VASP-to-VASP transfers, meaning every single transfer between licensed crypto firms must carry Travel Rule data regardless of size. The TFR also introduces a €1,000 trigger for additional proof-of-ownership verification on transfers to or from self-hosted wallets. The United Kingdom, Hong Kong, Japan, and — from 31 July 2026 — Australia operate similar zero-threshold or near-zero regimes, and Brazil joins on 2 February 2027.
The United States remains, by comparison, the loosest developed-world jurisdiction. FinCEN's operative Travel Rule threshold under the Bank Secrecy Act stands at USD 3,000 for cross-border convertible virtual currency transmittals. A 2020 Notice of Proposed Rulemaking (NPRM) — a formal agency proposal opened for public comment — sought to cut that to USD 250 and to require KYC on self-hosted-wallet counterparties above USD 3,000; it has not been finalised and remains pending as of April 2026, which is the regulatory backdrop to the SEC-CFTC jurisdictional split now shaping US enforcement.
Other notable floors include Switzerland's CHF 1,000 under the FINMA AML Ordinance (reduced from CHF 5,000 in February 2020, and applied to transactions linked within any 30-day window), Singapore's SGD 1,500 under MAS Notice PSN02 for full personally identifiable information (with basic name-and-account data required on every transfer regardless of size), Canada's CAD 1,000, South Korea's KRW 1,000,000, and the UAE's AED 3,500 for Dubai firms licensed by VARA. Twelve further jurisdictions — including Mexico, Nigeria, Saudi Arabia, Thailand, and Ukraine — have frameworks in development.
How the data actually moves: the protocol landscape
Knowing that data must travel is one problem. Getting it from exchange A to exchange B in a format both can read is another.
The de facto lingua franca is IVMS 101, the interVASP Messaging Standard, which defines a common schema for originator and beneficiary fields. Virtually every major Travel Rule messaging protocol either uses IVMS 101 directly or has committed to supporting it.
On top of that schema, a handful of delivery networks compete. TRUST — the Travel Rule Universal Solution Technology — launched in February 2022, led by Coinbase and a coalition of US exchanges. By early 2025 its membership had grown past 125 VASPs spread across more than twenty jurisdictions, including Coinbase, Kraken, Gemini, Crypto.com, Bybit, OKX, PayPal, and Revolut. It operates a closed, end-to-end encrypted member network. Notabene's TR:Now and the open-specification Travel Rule Protocol (TRP) take a more peer-to-peer, protocol-agnostic approach, and are increasingly positioned as interoperability answers to closed networks. The Travel Rule Information Sharing Alliance (TRISA) is an open-source, TLS-based alternative, and vendors such as Sumsub, 21 Analytics, and VerifyVASP operate bridges that forward messages between otherwise incompatible networks.
The largest operational headache is the so-called sunrise issue: jurisdictions bringing the rule into force at different times. A fully regulated VASP in the EU often has no compliant counterparty to send data to when a user withdraws to an exchange in a pre-sunrise jurisdiction, forcing it to hold, pause, or refuse the transfer.
The unhosted-wallet question
A self-hosted — or unhosted — wallet is any wallet where the user, not an intermediary, holds the private keys. Hardware wallets, most mobile wallets, and desktop wallets such as Zelcore fall into this category. FATF's 2021 updated guidance classified transfers involving such wallets as out of scope of the Travel Rule itself, but recommended VASPs still collect and retain counterparty information.
The EU TFR went further. For transfers above €1,000, CASPs must verify that their customer "owns or controls" the self-hosted address involved — not merely note it. This is where the proof-of-ownership gate emerges. FinCEN's pending 2020 NPRM would, if finalised, impose a conceptually similar obligation in the US for transfers above USD 3,000 and trigger currency-transaction-style reports above USD 10,000, though none of that is yet in force. Switzerland's FINMA rules require proof of control above CHF 1,000, with linked transactions within 30 days aggregated toward the threshold. Singapore's PSN02 and Hong Kong's SFC framework, by contrast, do not currently impose an equivalent proof-of-ownership gate, leaving parts of Asia under a lighter-touch regime on this specific point.
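The 30-day aggregation described above for the CHF 1,000 proof-of-control threshold, sketched as an added example (not code from this article or from any exchange). It assumes that "linked" means all of one customer's self-hosted transfers and that the window covers the 30 days ending on the new transfer's date; the `Transfer` type, the function names and the sample data are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

WINDOW = timedelta(days=30)    # aggregation window stated in the article
THRESHOLD = Decimal("1000")    # CHF 1,000; proof is required above it

@dataclass(frozen=True)
class Transfer:
    customer: str
    wallet: str                # self-hosted address (placeholder values below)
    day: date
    amount_chf: Decimal

def needs_proof(history, new):
    """Return (proof_required, rolling_total) for `new` given earlier transfers."""
    linked = [
        t for t in history
        if t.customer == new.customer                     # assumption: linked = same customer
        and timedelta(0) <= new.day - t.day < WINDOW      # assumption: 0..29 days earlier
    ]
    total = sum((t.amount_chf for t in linked), new.amount_chf)
    return total > THRESHOLD, total

def review(transfers):
    """Replay transfers in date order and return the gate decision for each."""
    seen, decisions = [], []
    for t in sorted(transfers, key=lambda t: t.day):
        decisions.append(needs_proof(seen, t)[0])
        seen.append(t)
    return decisions

# Constructed sample: three CHF 400 transfers cross the threshold together,
# a single transfer of exactly CHF 1,000 does not, and a later transfer is
# judged only against what is still inside its own 30-day window.
SAMPLE = [
    Transfer("alice", "addr-a", date(2026, 4, 1), Decimal("400")),
    Transfer("bob", "addr-b", date(2026, 4, 5), Decimal("1000")),
    Transfer("alice", "addr-a", date(2026, 4, 10), Decimal("400")),
    Transfer("alice", "addr-a", date(2026, 4, 20), Decimal("400")),
    Transfer("alice", "addr-a", date(2026, 5, 15), Decimal("400")),
]

if __name__ == "__main__":
    for t, gated in zip(sorted(SAMPLE, key=lambda t: t.day), review(SAMPLE)):
        print(t.day, t.customer, t.amount_chf, "proof required" if gated else "ok")
```

Using `Decimal` rather than floats keeps the comparison at exactly CHF 1,000 unambiguous, which matters because the rule applies above the threshold, not at it.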
What a self-custody user actually sees at the gate
In practice, the theory condenses into a handful of flows.
On an EU CASP, a withdrawal above €1,000 to a Ledger or Trezor address triggers a proof-of-ownership request. Two mechanisms dominate: the Satoshi Test — sending a small, specified amount from the self-hosted wallet back to an exchange-provided address — and a signed message produced by the wallet's private key, in the pattern popularised by the older Address Ownership Proof Protocol (AOPP). Sumsub, Mesh, 21 Analytics, and exchange-native flows have automated these for common wallets; users of less widely integrated wallets may need to copy and paste a signed string manually. For a repeated withdrawal to the same address, verification is typically required once per year per address.
Deposits from a self-hosted wallet above the threshold go through a comparable attestation on first use, a flow whose security trade-offs tie directly into the hardware wallet threat model — because the signed message, like any off-chain signature, is one more thing a careful user should inspect before approving.
Withdrawals to a third party's self-hosted wallet are the awkward middle case. The sending exchange typically asks for the beneficiary's full name and, on many EU CASPs, an address or ID. That data then travels with the transfer even though the counterparty has no compliance obligation of their own.
VASP-to-VASP withdrawals look different again. The sending exchange asks for the receiving exchange's name, which is sometimes auto-detected from the address. If both venues are on the same Travel Rule network — TRUST, TRP, or a shared bridge — the data flows silently in the background. If they are not, the transfer may be paused, manually reviewed, or rejected outright, which is one of the visible surfaces of MiCA's year two of full enforcement.
US retail users below the USD 3,000 threshold typically see no friction at all. Above it, the exchange collects the beneficiary's name and institution but — under current, as-yet-unfinalised rules — does not demand proof of control for self-hosted destinations.
What to watch next
Several threads will determine whether 2026's patchwork converges or fragments further. National rollouts of FATF's June 2025 Recommendation 16 update are expected to introduce new data fields and stricter cross-border attribution through 2026 and 2027. Australia's 31 July 2026 effective date and Brazil's 2 February 2027 effective date will close two of the largest remaining gaps on the map. In the US, whether FinCEN revives, narrows, or withdraws its 2020 NPRM would be the single most consequential change for American self-custody users. On the protocol side, the open question is whether bridging deals between closed networks such as TRUST and more open architectures such as TRP and Notabene produce genuine interoperability, or whether the sunrise issue simply migrates from jurisdictional mismatches into protocol mismatches. European supervisors, meanwhile, face a live privacy-versus-transparency fight over whether CASPs may continue serving customers who cannot or will not complete proof-of-ownership checks.
For a self-custody holder, the practical lesson is modest but real: the Travel Rule is now a feature of the exchange gate, not a back-office abstraction, and the specific gate a user meets depends heavily on where their venue is licensed. That closes out this series, which has traced how the 2026 rulebook reshapes each stage of the path between fiat, exchanges, and a private key — ending, as most journeys do, at the moment the user clicks Withdraw.
Sources
- FATF, Virtual Assets and VASPs guidance: https://www.fatf-gafi.org/en/topics/virtual-assets.html
- 21 Analytics, FATF Crypto Travel Rule Status 2026: https://www.21analytics.co/blog/fatf-crypto-travel-rule-status-2026/
- 21 Analytics, EU Travel Rule Regulation overview: https://www.21analytics.co/travel-rule-regulations/european-union-eu-travel-rule-regulation/
- EUR-Lex, Regulation (EU) 2023/1113: https://eur-lex.europa.eu/eli/reg/2023/1113/oj/eng
- FinCEN / Federal Register, 2020 NPRM on CVC transmittal thresholds: https://www.federalregister.gov/documents/2020/10/27/2020-23756/threshold-for-the-requirement-to-collect-retain-and-transmit-information-on-funds-transfers-and
- Sumsub, What Is the FATF Travel Rule: https://sumsub.com/blog/what-is-the-fatf-travel-rule/
- Sumsub, Crypto Travel Rule US: https://sumsub.com/blog/crypto-travel-rule-us/
- Coinbase, Introducing TRUST: https://www.coinbase.com/blog/introducing-the-travel-rule-universal-solution-technology-trust
- Notabene, IVMS 101 messaging standard: https://notabene.id/travel-rule-messaging-protocols/ivms-101



