Travel Rule Implementation Is a Mess - Here's Why Cross-Border Crypto Still Doesn't Work

General
1

85 jurisdictions have now passed Travel Rule legislation. Up from 65 last year. Sounds like progress, right?

It’s not. Cross-border crypto transfers are more broken than ever. Here’s the uncomfortable reality of what compliance actually looks like in 2026.

The Sunrise Problem

The crypto compliance world has a name for this mess: the “sunrise problem.” Different jurisdictions implemented the Travel Rule at different times with different requirements. The result? VASPs in compliant jurisdictions literally cannot transact compliantly with counterparties in non-compliant or differently-compliant jurisdictions.

The Switzerland example is instructive. Swiss VASPs, under FINMA’s early Travel Rule requirements, found themselves unable to execute compliant international transfers. Their counterparty VASPs weren’t obligated to send the required originator/beneficiary data. Solution? Swiss exchanges stopped most international VASP-to-VASP transfers. Users now route through self-hosted wallets as a workaround.

This isn’t compliance. This is compliance theater creating friction that pushes users toward less regulated pathways.

Threshold Chaos

Every jurisdiction picked their own threshold. Here’s what you’re dealing with:

Jurisdiction Threshold
European Union €0 (every transaction)
United States $3,000 (cross-border)
Singapore SGD 1,500
FATF Recommendation $1,000/€1,000
Japan ¥0 (every transaction)
UK £1,000

A $2,500 transfer between two US exchanges? No Travel Rule data required. The same transfer to an EU exchange? Full compliance required on the EU side, creating an asymmetric obligation.

This isn’t a minor inconvenience. Every transaction requires jurisdiction-specific logic to determine what data must be collected and transmitted.

Interoperability Failures

FATF didn’t mandate a specific technical solution. The industry was supposed to figure it out. Instead, we got fragmentation.

Competing protocols:

  • TRUST - Backed by major exchanges (Coinbase, Kraken, etc.)
  • TRISA - Open-source, privacy-preserving approach
  • Sygna Bridge - Popular in Asia-Pacific
  • Various proprietary solutions - Regional and exchange-specific

The problem? These protocols don’t work well together. Some providers won’t accept Travel Rule data from competing protocols. A Coinbase user can send to Kraken (both TRUST members) smoothly. Sending to an exchange using Sygna? Different story.

We’ve essentially recreated the interbank messaging fragmentation that SWIFT solved 50 years ago - except without SWIFT’s market dominance to force standardization.

The Unhosted Wallet Nightmare

This is where it gets really messy. When your user sends to or receives from a self-hosted wallet, what’s required?

Jurisdiction Requirement
EU/UK/Gibraltar Collect wallet info from customer
Singapore/Germany Verify identity of wallet owner
Switzerland Verify identity + proof of ownership
Liechtenstein Enhanced due diligence
Philippines “Stricter rules” + enhanced due diligence

How do you verify someone owns a wallet?

Satoshi test: User sends a small amount from the wallet to your exchange within a time window. Problems: actual money moves, unpredictable confirmation times, accounting headaches.

Message signing: User signs a unique message with their private key. Problems: technical barrier for users, not all wallets support easy signing UX.

Neither solution is great. Both create friction that pushes users toward non-compliant pathways or competitors in less strict jurisdictions.

The GDPR Collision

Here’s a compliance paradox: Travel Rule requires you to collect and transmit personal data. GDPR requires you to minimize data collection and protect data transfers.

When you’re sending Travel Rule data to an exchange in a non-EU jurisdiction, you’re potentially violating GDPR’s cross-border data transfer restrictions. When you’re collecting detailed beneficiary information, you’re potentially violating data minimization principles.

Legal teams are writing elaborate justifications for why Travel Rule compliance constitutes a “legitimate interest” override. It’s legally fragile.

The Enforcement Reality

Here’s the kicker: 59% of jurisdictions that passed Travel Rule laws haven’t issued any enforcement actions. Many haven’t even established supervisory frameworks.

This creates a two-tier world:

  • Exchanges in strictly enforced jurisdictions bear heavy compliance costs
  • Exchanges in lax jurisdictions operate with minimal burden
  • Users migrate to the path of least friction

The Travel Rule is supposed to create a level playing field. Instead, it’s created regulatory arbitrage opportunities.

What Compliance Actually Looks Like

If you’re running an exchange trying to be compliant:

  1. Maintain integrations with 3-4 Travel Rule protocols
  2. Implement jurisdiction-specific threshold logic
  3. Build wallet verification flows (multiple methods)
  4. Create fallback procedures for non-compliant counterparties
  5. Document GDPR justifications for every data transfer
  6. Block transactions to/from jurisdictions where compliance is impossible

All this for a system that the non-compliant half of the industry simply ignores.

The Path Forward

What needs to happen:

  • Protocol consolidation around 1-2 standards
  • Harmonized thresholds (ideally FATF’s $1,000 recommendation)
  • Clear unhosted wallet guidance that’s technically feasible
  • GDPR carve-outs for Travel Rule compliance
  • Actual enforcement to level the playing field

What will probably happen:

  • Continued fragmentation
  • More jurisdictions adding more requirements
  • Compliant exchanges losing volume to non-compliant competitors
  • Self-hosted wallets becoming the de facto workaround

How is your exchange handling Travel Rule compliance? What’s your experience with cross-border transfers?

compliance_charlie

2

Running compliance for an exchange operating across EU, UK, Singapore, and US jurisdictions. The Travel Rule is my daily nightmare. Let me paint the picture.

The Protocol Fragmentation Reality

We currently maintain integrations with:

  • TRUST (for US/EU major exchange counterparties)
  • Sygna Bridge (for APAC counterparties)
  • Notabene (as a fallback aggregator)
  • Direct API integrations with 4 regional exchanges that use proprietary solutions

Annual cost for these integrations: approximately $180,000 in licensing and $250,000 in engineering maintenance.

Each protocol has different:

  • Data field requirements
  • Authentication mechanisms
  • Response time expectations
  • Error handling procedures

When a user initiates a withdrawal to an external exchange, our system has to:

  1. Identify the counterparty exchange
  2. Determine which protocol(s) they support
  3. Check if we have an active connection
  4. Format the Travel Rule message appropriately
  5. Handle the response (or lack thereof)

Failure rate on first attempt: 23%. Usually because the counterparty doesn’t respond in time, uses an incompatible data format, or isn’t registered in any protocol we support.

Transactions That Fail

Here’s what happens to transactions that fail Travel Rule compliance checks:

  • 40% eventually complete after manual intervention
  • 35% get returned to the user with “unable to complete” message
  • 25% get stuck in limbo requiring customer support escalation

Average resolution time for stuck transactions: 4.7 days.

User complaints about Travel Rule friction have increased 340% since we implemented full compliance in 2024. Many users don’t understand why sending crypto has become so complicated.

The Threshold Logic Hell

Our transaction processing engine now includes this logic:

This continues for 40+ jurisdiction combinations. Each update to any country’s rules requires code changes, testing, and deployment. Last year we had 17 threshold-related updates.

What I Wish Regulators Understood

  1. You can’t comply with contradictory rules. When EU says “collect everything” and another jurisdiction says “minimize data collection,” there’s no compliant path.

  2. Uneven enforcement punishes the compliant. We lose volume to exchanges that don’t bother with Travel Rule. Our users see higher fees (to cover compliance costs) and more friction.

  3. Self-hosted wallets are the escape hatch. Every time we add friction to VASP-to-VASP transfers, more users route through self-hosted wallets. This defeats the purpose.

  4. Technology can’t solve policy fragmentation. No amount of protocol improvement helps if jurisdictions have incompatible requirements.

We need harmonization, not more protocols. Until then, we’re building increasingly complex systems to comply with an increasingly incoherent regulatory framework.

exchange_emma

3

I work on Travel Rule compliance infrastructure - specifically building the pipes that let VASPs exchange originator/beneficiary data. Let me explain why interoperability is so hard and what it would take to fix it.

Why Interoperability Is Technically Hard

The Travel Rule seems simple: send customer data with the transaction. The devil is in the details.

Problem 1: Counterparty Discovery

Before you can send Travel Rule data, you need to know:

  • Is the destination address controlled by a VASP?
  • Which VASP?
  • What protocol do they support?
  • What’s their endpoint?

There’s no universal directory. TRUST members know each other. TRISA members know each other. But cross-protocol discovery? Mostly manual onboarding.

We’ve built address attribution databases, but they’re incomplete. Maybe 60% coverage for major exchanges. The long tail of regional exchanges? Much worse.

Problem 2: Data Schema Differences

FATF specifies what data to collect but not exactly how to format it. Result:

  • Some protocols use JSON, some use Protocol Buffers
  • Field names differ (“originator_name” vs “senderName” vs “from.fullName”)
  • Required vs optional fields vary
  • Date formats, address formats, country codes all differ

We spend enormous effort on translation layers between protocols.

Problem 3: Trust and Authentication

When Exchange A sends Travel Rule data to Exchange B, how does B verify it’s actually from A? Each protocol has different:

  • Certificate authorities
  • Authentication mechanisms
  • Key management approaches
  • Revocation procedures

No universal PKI for crypto. We’ve proposed standards, but adoption is slow.

The TRUST vs TRISA Debate

TRUST (Travel Rule Universal Solution Technology):

  • Backed by Coinbase, Kraken, Gemini, Circle
  • Permissioned network with verified members
  • Centralized directory and governance
  • Faster time-to-integration for new members
  • Criticism: walled garden, controlled by major players

TRISA (Travel Rule Information Sharing Architecture):

  • Open-source, decentralized approach
  • Privacy-preserving using secure enclaves
  • No central authority
  • Harder to implement, more flexible
  • Criticism: slower adoption, fragmented implementations

My view: Both have merit. TRUST is pragmatic and works today. TRISA is more aligned with crypto’s decentralization ethos but needs more maturity.

The real problem isn’t choosing a winner - it’s that neither side has incentive to build bridges to the other.

What Universal Compliance Would Require

To actually solve this:

  1. Global VASP registry - Universal directory of all licensed VASPs with their supported protocols and endpoints

  2. Standard data schema - IVMS 101 exists but isn’t universally adopted. Need mandatory adoption.

  3. Protocol bridges - Middleware that translates between TRUST, TRISA, Sygna, and proprietary systems

  4. Shared address attribution - Collaborative database identifying which addresses belong to which VASPs

  5. Mutual authentication framework - Cross-protocol certificate recognition

This is technically achievable. The barrier is coordination, not technology.

Regulatory Harmonization Matters More

Here’s the uncomfortable truth: even if we solved all the technical problems, the Travel Rule would still be broken.

Why? Because jurisdictions have incompatible requirements. No protocol can make an exchange simultaneously comply with:

  • EU’s zero threshold
  • US’s $3,000 threshold
  • Singapore’s different data requirements
  • Switzerland’s proof-of-ownership mandate

The technology layer can only paper over so much policy divergence. Until FATF gets jurisdictions aligned on thresholds and requirements, we’re building bridges between islands that keep moving.

protocol_paul

4

I run a small exchange - about 50,000 active users, focused on Southeast Asia. Reading this thread, I want to share the view from down here.

The Cost Burden Is Crushing

The major exchanges can absorb compliance costs across millions of users. We cannot.

Our Travel Rule compliance spending:

  • Protocol licensing (Sygna Bridge): $45,000/year
  • Compliance software: $30,000/year
  • Additional legal counsel: $25,000/year
  • Engineering time: roughly 2 FTE months annually

Total: ~$150,000/year

Our annual revenue: ~$2M.

That’s 7.5% of revenue just for Travel Rule - before we talk about AML, KYC, licensing fees, and other compliance costs.

For Coinbase or Binance, this is a rounding error. For us, it’s the difference between profitability and burning through runway.

Why We Geofence

We made a hard decision: geofence EU and Switzerland.

The calculus was simple:

  • EU users = ~3% of our user base
  • EU compliance cost = ~30% of Travel Rule spending (zero threshold = every transaction)
  • Swiss compliance = impossible without proof-of-ownership infrastructure we can’t afford

So we block EU and Swiss IPs, reject EU identity documents during KYC, and display a “service not available in your region” message.

We lose some users. But we’d lose more to bankruptcy if we tried full global compliance.

The Unhosted Wallet Workaround

Here’s what actually happens with our users:

  1. User wants to send to an exchange we don’t have Travel Rule integration with
  2. We explain the transaction will require additional verification and delays
  3. User withdraws to their own MetaMask first
  4. User sends from MetaMask to destination exchange
  5. Everyone pretends this solves the AML problem

For unhosted wallet withdrawals, we collect the user’s attestation that they control the wallet. That’s what our jurisdiction requires. It’s checkbox compliance - we know the wallet might not actually be theirs, but we’ve met the letter of the law.

This is the “compliance” the Travel Rule has created: pushing transactions through self-custody as a bypass.

Whether Compliance Is Even Possible

At our scale? Honestly, no. Not full compliance.

We’d need:

  • Integrations with every Travel Rule protocol (4-5 different systems)
  • Engineering capacity to maintain all of them
  • Legal expertise in 20+ jurisdictions
  • Customer support for failed transactions
  • Manual review processes for edge cases

We have 12 employees. Seven are engineers. Two are compliance/legal. The math doesn’t work.

So we do partial compliance:

  • Full Travel Rule for counterparties we’re integrated with (~15 major exchanges)
  • Self-custody attestation for everyone else
  • Geofencing for jurisdictions we can’t handle

Is this compliant? Probably not fully. But it’s what’s achievable.

The Frustration

What kills me: we’re trying to be legitimate. We have licenses. We do KYC. We file SARs. We cooperate with law enforcement.

But Travel Rule compliance at global scale is designed for Coinbase, not for us. The rules assume infinite resources. The protocols assume you can integrate with everyone.

One-size-fits-all regulation doesn’t work. Small exchanges serve underbanked communities, provide competition, enable local fiat rails. Killing us with compliance costs doesn’t help AML - it just concentrates the market in a few giant players.

I wish regulators would consider scale-appropriate requirements. A $1,000 threshold for small exchanges. Simplified protocols for regional players. Something.

Until then, we’ll keep geofencing and hoping the enforcement gap means we don’t get noticed.

operator_oscar