Travel Rule: As Surveillance Increases, EU Not Off To A Great 2025
The EU is ringing in 2025 with a truly remarkable shitshow for your financial privacy and security.
- On 01.01.2025, FATF's Travel Rule extension to digital assets took effect in the EU
- VASPs are required to verify self-custodial wallets for transactions exceeding €1.000 and required to collect, store, and share information on transactions with beneficiaries
- The effectiveness of the Travel Rule to combat money laundering remains unknown
The Travel Rule is an anti-money laundering measure first proposed by the Financial Action Task Force (FATF), which requires financial institutions to transfer a sender's identifying information, such as name and address, to the receiver's financial institution.
In the EU, the Travel Rule was first applied in 2008 and again refined in 2012 in the traditional financial sector. In 2019, FATF updated its recommendation to include Virtual Asset Service Providers (VASPs), which took effect with the Transfer of Funds Regulation (to be distinguished from the Markets in Crypto Assets Regulation (MiCAR)) this January.
The EU's updated Travel Rule now requires VASPs to verify transfers to and from self-custodial wallets, require proof of ownership for transfers exceeding €1.000, and collect and share information on monetary transfers made by customers.
As the European Banking Authority's (EBA) Travel Rule Guidelines state, VASPs are required to "obtain and hold the information on the self-hosted address," "ensure that the transfer of crypto-assets can be individually identified," and "assess whether that address is owned or controlled by the CASP customer where the transfer amount exceeds EUR 1 000."
"To address the practical challenges arising from the application of these requirements" the EBA's guidelines state that VASPs should "individually identify a transfer," "identify a transfer from or to self-hosted addresses," "identify the originator and beneficiary," "prove the ownership or controllership," and "put in place mitigating measures, where applicable."
This week, the bitcoin service provider Strike announced the implementation of Travel Rule measures to its users. As Strike writes, "if you’re based in the EU or UK and send bitcoin (or other crypto-assets) from your account at a crypto-asset service provider, certain information such as name, address, and identification details is required to be shared."
As Strike explains to its users, "if you’re sending or receiving using external addresses or wallets via the Bitcoin or Lightning Networks, you’ll need to provide information about the source or destination of your funds, whether it’s your personal wallet or someone else’s."
"If you’re sending or receiving bitcoin from Strike to your cold storage wallet, you may be asked to verify that you are the owner of this wallet. Similarly, if you’re sending or receiving from another crypto-asset service provider, such as a crypto-exchange, you may be asked to confirm which entity this is and whether you are the owner of the account at that entity," the company adds.
The EU is not the first governing bodies to apply the Travel Rule to VASPs, as FATF Recommendations are translated into law globally. In Switzerland, the Travel Rule has been in effect for VASPs since 2020 and was originally introduced at an even stricter threshold of 0 CHF, and then adapted to 1.000 CHF.
To verify non-custodial addresses, VASPs can require users to submit screenshots, use third-party services, use protocols such as the Address Ownership Proof Protocol (AOPP) developed by BitBox Swiss with which users sign messages from their non-custodial wallets, or employ what has been termed the "Satoshi Test" , in which users are required to make a micro-transaction to the VASP before initializing a transfer of funds.
In the US, FinCEN issued a Notice of Proposed Rule Making (NPRM) in 2021, establishing similar record keeping requirements for VASPs regulating transfers from $3.000 USD.
The Travel Rule raises obvious safety concerns for users, as information collected via the know-your-customer (KYC) process is not only shared with the customer's financial institution, but also with any financial institution the customer transacts with, increasing the risks of potential hacks and consequent identity theft.
While the Travel Rule has a fairly long history to look back on, the success of the Travel Rule's implementation to combat money laundering remains largely unknown.
To date, the global effectiveness rate of anti-money laundering and counter-terrorist financing measures is estimated to lie around 0.02%, while we are spending 507x as much money on compliance programs than we are able to recover through them.
To assess the effectiveness of the Travel Rule, The Rage has filed a Freedom of Information Request with German authorities, requesting data on money-laundering convictions from 2008 onwards. If the Travel Rule is indeed an effective tool to combat money laundering, the data should show an increase in convictions beginning with the Travel Rule's strict application in 2012.
Interestingly, the German Ministry of the Interior, responsible for overseeing national security and German law enforcement, responded that it had no such data available – instead asking me to file my FOIA request with the German Ministry of Finance, the German Tax Authority, as well as individual federal prosecutors offices.
Extending FATF's Travel Rule to digital assets without sufficient data on its effectiveness would be questionable, to say the least.
*This article was updated on January 3rd 2025 at 3:50am ET to include the German Ministry of the Interior's FOIA response.
Independent journalism does not finance itself. If you enjoyed this article, please consider donating to our Geyser Fund.
