Five years after the Financial Action Task Force pushed Recommendation 16 — the so-called Travel Rule — into the virtual asset world, the gap between the rule on paper and the rule in practice is still embarrassing. In 2026, the global crypto economy moves trillions of dollars in value every quarter, yet a meaningful share of those flows still settle without complete originator and beneficiary information attached. For criminal networks running stablecoin-denominated pig-butchering, sanctions evasion, and trade-based laundering rings, that gap is not an inconvenience. It is the business model.
The Travel Rule is not new — banks and Money Service Businesses have lived with it under 31 CFR §1010.410 for three decades. What is new is the messy, fragmented way it has been bolted onto Virtual Asset Service Providers. As FinCheck advises crypto exchanges, payment processors, MSBs, and sponsor banks across the United States and globally, we see the same diagnostic finding again and again: written policies exist, vendor solutions are licensed, but counterparty data quality, identification, and risk-based exception handling are nowhere near where regulators now expect them to be.
The State of Play in 2026
Three regulatory currents have collapsed onto the Travel Rule simultaneously this year, and any VASP, MSB, or sponsor bank that treats them as separate workstreams is already behind.
- FATF’s February 2026 Targeted Update on virtual assets sharpened the language on Recommendation 16 — jurisdictions that have not effectively implemented the Travel Rule are now being explicitly named in mutual evaluations, with practical consequences for their VASPs’ correspondent relationships.
- FinCEN’s 2024 cross-border Convertible Virtual Currency proposal, finalized in late 2025, brought a Travel-Rule-equivalent expectation to U.S. MSBs handling CVC transfers — and lowered the threshold to $250 for cross-border activity.
- The EU’s MiCA Travel Rule provisions, fully applicable since December 2024, are now into their first wave of supervisory inspections, and early enforcement letters from BaFin, the AMF, and the Central Bank of Ireland are showing teeth.
None of this is hypothetical. In Q1 2026 alone, three Tier-2 VASPs in the EU received public statements of deficiency tied directly to Travel Rule data completeness, and a U.S. money transmitter consent order in March 2026 cited inadequate originator information on more than 60 percent of sampled cross-border CVC transactions. The age of polite supervisory letters on this topic is closing.
Why So Many VASPs Are Still Failing
Most VASP compliance teams know what Recommendation 16 requires on paper: originator and beneficiary names, account or wallet identifiers, addresses (or substitutes), and — above a threshold — verification. The failure mode is not awareness. It is operationalization. From our work across exchanges, broker-dealers, and crypto-friendly sponsor banks, the pattern is consistent.
1. Counterparty due diligence is treated as a checkbox. Many VASPs onboard counterparty exchanges into their Travel Rule messaging protocol and stop there. They do not perform a meaningful risk assessment of the counterparty’s own KYC, sanctions screening, or jurisdictional exposure. A counterparty in a permissive offshore jurisdiction is a sanctions and laundering bridge whether it is in your address book or not.
2. The “sunrise problem” has become an excuse. The original argument — that VASPs in non-implementing jurisdictions cannot reciprocate — is now five years old. Regulators no longer accept it as an open-ended exemption. The expectation in 2026 is that VASPs will adopt risk-based mitigation when counterparty data cannot be obtained: enhanced transaction monitoring, lower thresholds, blockchain analytics enrichment, and, where appropriate, restriction or refusal.
3. Self-hosted wallet transfers are still a blind spot. Transfers to and from unhosted wallets are the single biggest data-quality hole on most exchanges. Many compliance programs either treat them as out of scope or rely on a self-attested name and address that is never verified. MiCA, MAS, and FinCEN have all signaled that risk-based controls — wallet ownership proofs, address attribution scoring, exposure analytics — are now expected, not optional.
4. Stablecoin rails have outrun the controls. USDC, USDT, PYUSD, and the newer bank-issued tokens are now used routinely for cross-border settlement at speeds and volumes that legacy Travel Rule messaging protocols were not designed for. Many VASPs are still operating with batch-style off-chain messaging that does not keep pace with on-chain settlement, leaving a window in which beneficiary data arrives well after the funds have moved.
5. Sanctions and Travel Rule data live in different systems. It is still common to see Travel Rule message ingestion and OFAC / EU consolidated sanctions screening sitting in different vendors, with no real-time hand-off. The result is screening that runs against an incomplete record — exactly the configuration that surfaces in supervisory findings.
Use Case: A Mid-Sized U.S. VASP — Anatomy of a Findings Letter
Consider a composite based on engagements FinCheck has supported in the past nine months. A U.S.-registered MSB operating as a crypto-to-fiat off-ramp had licensed a leading Travel Rule messaging vendor, written a fifty-page policy, and trained staff annually. On examination, the deficiencies were familiar: forty-three percent of outbound transfers above the $1,000 threshold had originator addresses that were not verified or were free-text city-only entries; counterparty risk assessments existed for nineteen of seventy-two active counterparty VASPs; and self-hosted-wallet inbound transfers above $10,000 were processed without any wallet-ownership control. None of these are policy failures. All of them are operational failures dressed up as policy compliance — and all of them are now first-look items for examiners.
FinCheck’s Perspective and the Way Forward
Travel Rule compliance has matured past the “adopt a vendor” phase. The next eighteen months will separate VASPs and MSBs that treat it as a compliance discipline from those that still treat it as IT integration. Five priorities should be on every Chief Compliance Officer’s agenda before the next examination cycle.
- Re-baseline your counterparty universe. Run a risk-tiered review of every counterparty VASP, score them on jurisdiction, supervision, KYC standards, and Travel Rule data quality, and document the rationale for continued, restricted, or terminated relationships.
- Close the data-quality loop. Measure originator and beneficiary completeness and accuracy as a monthly metric — not just whether a message was sent, but whether the content survives verification. Set tolerances and act on breaches.
- Bring self-hosted wallet flows into scope. Implement risk-based controls: ownership proofs, address attribution, transaction exposure scoring, and clear thresholds for enhanced due diligence or refusal.
- Integrate Travel Rule data with sanctions and transaction monitoring. The message, the screening result, and the monitoring alert should sit in one investigatory record — not three disconnected systems.
- Build a defensible exception regime. Where counterparty data cannot be obtained, document the risk-based mitigation, monitor exception volumes, and review them at the BSA/AML committee. Examiners do not expect zero exceptions. They expect a governed exception process.
For sponsor banks, fintechs, and MSBs that touch the crypto economy without being VASPs themselves, the implication is the same: your indirect Travel Rule exposure travels with every transaction your client originates. Your third-party risk management framework must explicitly test it.
Closing — Where FinCheck Helps
FinCheck LLC partners with VASPs, MSBs, fintechs, sponsor banks, and gaming and sweepstakes operators on the work the Travel Rule actually demands: BSA/AML program design, independent AML audit, sanctions and OFAC program review, counterparty VASP risk assessments, Travel Rule data-quality remediation, and fractional Chief Compliance Officer support that scales with your stage. If your last examination raised Recommendation 16, CVC, or cross-border data-completeness findings — or if you would rather not find out at the next one — we should talk.
