Breaking

How the FATF Travel Rule sunrise gap splits crypto AML

How the FATF Travel Rule sunrise gap splits crypto AML

The Financial Action Task Force (FATF) Travel Rule for crypto now has legislation in 85 of 117 surveyed jurisdictions, but divergent thresholds and weak enforcement leave a “sunrise gap” that forces Virtual Asset Service Providers (VASPs) to comply with the strictest regime they touch — across the EU, the US, Singapore and Switzerland — or risk the kind of penalty that cost Binance $4.3 billion.

The FATF Travel Rule — Recommendation 16 applied to virtual asset transfers under Recommendation 15 — requires a VASP to collect, verify and transmit originator and beneficiary data to its counterpart on every qualifying transfer. As of the FATF’s sixth targeted update, published June 26, 2025, 85 of 117 surveyed jurisdictions (73%) have passed Travel Rule legislation, up from 65 in 2024, yet 59% have taken no enforcement action to verify compliance. This analysis walks the rule’s mechanics, compares four regimes, sets out the Binance enforcement benchmark, and maps what compliance teams must do before the EU’s July 1, 2026 transition cliff.

Key Facts:

• 85 of 117 surveyed jurisdictions (73%) have Travel Rule legislation, up from 65 in 2024 — FATF sixth targeted update, June 26, 2025
• 59% of jurisdictions with the rule have taken no enforcement action to verify compliance — FATF, 2025
• Stablecoins accounted for 84% of illicit virtual-asset transaction volume in 2025 — Chainalysis, via FATF
• EU Transfer of Funds Regulation (Regulation (EU) 2023/1113) applies a €0 threshold from December 30, 2024 — Official Journal of the EU
• US FinCEN threshold is $3,000, with a proposal to cut it to $250 for international transfers — FinCEN
• Binance paid $4.3 billion in November 2023, including a $3.4 billion FinCEN penalty — the largest in US Treasury history — FinCEN
• EU MiCA transition periods of 5–18 months converge on July 1, 2026 — ESMA

Methodology and sources

This analysis draws on primary FATF documents — the sixth Targeted Update on the Implementation of the FATF Standards on Virtual Assets and VASPs (June 26, 2025) and the accompanying Best Practices on Travel Rule Supervision — alongside the EU Transfer of Funds Regulation, US Financial Crimes Enforcement Network (FinCEN) guidance under the Bank Secrecy Act (BSA), Monetary Authority of Singapore (MAS) notices, and Swiss Financial Market Supervisory Authority (FINMA) guidance. Enforcement figures come from the US Treasury and Department of Justice. The jurisdictional scope covers the EU, US, Singapore and Switzerland; the time window runs from the EU rule’s December 30, 2024 application date to June 2026. Threshold and effective-date details are summaries; primary regulator texts govern.

What the Travel Rule actually requires

The Travel Rule is the crypto application of a banking standard that has existed since the 1990s. FATF Recommendation 16 obliges the originating VASP to obtain and hold required originator information and required beneficiary information, transmit it to the beneficiary VASP, and make it available to authorities on request. Recommendation 15 brings VASPs into the AML/CFT perimeter in the first place. The required data set typically includes the originator’s name, account or wallet reference, and physical address or national identifier, plus the beneficiary’s name and account reference.

The operational difficulty is that crypto rails were not built to carry this data. Unlike the correspondent-banking SWIFT network, there is no single messaging standard, so VASPs rely on competing Travel Rule messaging protocols and counterparty-discovery networks to find and reach each other before a transfer settles on-chain. Three structural gaps follow.

The FATF Travel Rule’s “sunrise problem” is the mismatch created when one jurisdiction’s obligations are live while a counterpart’s are not. When a compliant VASP in the EU sends to a VASP in a jurisdiction that has not operationalised the rule, the required data has nowhere to land, and the transfer either stalls or proceeds without the messaging the standard demands. The FATF’s 2025 update reframes this as more than a timing issue: jurisdictions interpret Recommendation 15 differently, set different thresholds, and enforce inconsistently even after passing legislation. A second gap is the unhosted-wallet carve-out, where peer-to-peer transfers to self-custodied wallets escape VASP-to-VASP messaging entirely. A third is threshold divergence, examined below, which means the same FATF standard produces compliance burdens ranging from zero to thousands of dollars depending on where a transfer originates.

Jurisdiction / Regulator Effective date Threshold / scope Key requirement Penalty / sanction
EU (national CAs, Transfer of Funds Regulation + MiCA) December 30, 2024 €0 — all CASP-to-CASP transfers Full originator and beneficiary data on every transfer (Reg (EU) 2023/1113) AML penalties under national law; MiCA fines up to €5 million or 12.5% of turnover
US (FinCEN, Bank Secrecy Act) BSA rule since 1996; VA guidance 2019 $3,000 (proposed $250 for cross-border) Transmit originator/beneficiary info (31 CFR 1010.410(f)) Civil money penalties; $3.4 billion FinCEN penalty (Binance, 2023)
Singapore (MAS, Notice PSN02) January 2020 (Payment Services Act) No de minimis — any amount Originator and beneficiary data regardless of value Penalties under the Payment Services Act
Switzerland (FINMA) Guidance from 2019 Strict — includes unhosted-wallet verification Verify counterparty ownership before transfer FINMA supervisory and enforcement measures

Sources: FATF, EU Official Journal, FinCEN, MAS, FINMA. Last updated: June 9, 2026.

How four jurisdictions diverge

The comparison exposes the core problem: the same FATF recommendation produces four materially different rulebooks. The EU runs the strictest threshold — €0, meaning every Crypto-Asset Service Provider (CASP) transfer in or out must carry full data — and folds Travel Rule failures into the MiCA penalty regime. The US sits at the loosest end with a $3,000 threshold, though FinCEN’s proposal to cut the international threshold to $250 would move it from one of the highest among major economies to one of the lowest. Singapore and Switzerland apply no de minimis and add verification duties that reach toward unhosted wallets, which the EU and US largely do not.

Regulatory-arbitrage risk follows directly from this spread. A transfer that triggers full data collection in Frankfurt may legally carry nothing in parts of the US below $3,000, and a VASP operating across both must build to the stricter standard or fragment its compliance by corridor. The FATF’s own data underlines why the gap matters now: stablecoins accounted for 84% of illicit virtual-asset transaction volume in 2025, and most on-chain illicit activity now involves them, concentrating risk in exactly the instruments whose cross-border transfers the Travel Rule is meant to make transparent. The EU’s MiCA transition periods, ranging from five to 18 months, all converge on July 1, 2026, while Brazil applies the rule to domestic transfers from February 2026 and cross-border only in 2027 — a live example of the sunrise gap in motion. The same divergence-by-design runs through our coverage of AMLA’s single AML rulebook and the MiCA and GENIUS Act stablecoin deadlines.

“It’s not only the virtual assets that we traditionally think of, but also stablecoins that are increasing in volume. It’s a big challenge because it becomes a loophole to the extent that jurisdictions will not implement the standards of the FATF and in particular, the travel rules.”

Elisa de Anda Madrazo, President, Financial Action Task Force (AML Intelligence)

The enforcement benchmark: Binance

The Travel Rule rarely produces standalone penalties; it surfaces inside broader AML failures, and the benchmark case is Binance. On November 21, 2023, Binance entered a $4.3 billion resolution with the US Department of Justice, FinCEN and the Office of Foreign Assets Control (OFAC), pleading guilty to Bank Secrecy Act and sanctions violations, with founder Changpeng Zhao pleading guilty individually. FinCEN’s component — a $3.4 billion civil money penalty plus a five-year monitorship — was the largest settlement in US Treasury history. Regulators found that Binance processed transactions without the controls the BSA requires, including the originator and beneficiary information the Travel Rule mandates.

The case is precedent for every in-scope firm because it priced AML failure at a scale that dwarfs the cost of compliance. The five-year monitorship — still running in 2026, with a Sullivan & Cromwell partner serving as FinCEN’s monitor — signals that resolution does not end supervision. For VASPs, the lesson is that a missing Travel Rule message is not a technicality; it is evidence in a money-laundering case. The action also shows the cross-agency reach of US enforcement, where FinCEN, OFAC and the DOJ can stack penalties on a single set of facts, and where “complete exit from the United States” can be part of the price.

What this means for brokers, exchanges and compliance teams

For CASPs and exchanges, the operational mandate is to build to the strictest regime they touch and to treat counterparty reachability as a gating control. That means integrating a Travel Rule messaging protocol, maintaining a counterparty VASP directory, and setting policy for what happens when a beneficiary VASP cannot receive data — hold, return, or proceed with documented risk acceptance. EU-facing firms must assume a €0 threshold and full data on every transfer from the July 1, 2026 convergence date.

For brokers and payment firms moving into virtual assets, the Bank Secrecy Act analysis applies the moment they touch transfers: the $3,000 US threshold is a floor, not a safe harbour, and FinCEN’s proposed $250 cross-border threshold should be priced into systems now. For custodians and fund managers, the unhosted-wallet gap is the live risk — transfers to self-custodied wallets demand enhanced due diligence even where messaging is not technically required. Legal and compliance teams should document a jurisdiction-by-jurisdiction threshold matrix, log every transfer where the sunrise gap forced a deviation, and retain that record for examiners. The same operational-resilience logic that drives our analysis of DORA’s cloud-oversight divergence applies here: supervisors increasingly expect documented controls, not best efforts.

“Binance turned a blind eye to its legal obligations in the pursuit of profit. Its willful failures allowed money to flow to terrorists, cybercriminals, and child abusers through its platform.”

Janet L. Yellen, then US Secretary of the Treasury, on the Binance settlement (US Department of the Treasury)

What’s next: the forward view

Three tracks will define the next 12 months. First, enforcement catch-up: with 59% of jurisdictions yet to act, the FATF’s Best Practices on Travel Rule Supervision pushes supervisors from legislation to examination, and the 2026 plenary cycle will name laggards. Expect the first wave of Travel-Rule-specific penalties in jurisdictions that have had the rule on the books since 2020. Second, threshold convergence: FinCEN’s proposed cut to $250 for cross-border transfers, if finalised, narrows the gap with the EU and Singapore and removes a large slice of the US carve-out. Third, the unhosted-wallet question, where the EU, FATF and US are each weighing how far verification duties should extend to self-custody — the most contested issue, and the one most likely to draw industry pushback. Jurisdictions still phasing in, including Brazil’s 2027 cross-border start and the parts of Asia tracked in our coverage of Japan’s FIEA securities-law shift, will keep the sunrise gap open well into 2027.

TL;DR

The FATF Travel Rule (Recommendation 16) now has legislation in 85 of 117 surveyed jurisdictions, but 59% have not enforced it and thresholds range from €0 in the EU to $3,000 in the US, creating a “sunrise gap” for cross-border virtual-asset transfers. With stablecoins behind 84% of illicit on-chain volume in 2025 (Chainalysis, via FATF) and the EU’s transition converging on July 1, 2026, VASPs must build to the strictest regime they touch. The Binance $4.3 billion settlement — including a $3.4 billion FinCEN penalty — sets the price of failure. Expect Travel-Rule-specific enforcement and a possible US threshold cut to $250.

FAQ

What is the FATF Travel Rule for crypto?

It is FATF Recommendation 16 applied to virtual-asset transfers: the originating VASP must collect, verify and transmit originator and beneficiary information to the beneficiary VASP and make it available to authorities. Recommendation 15 brings VASPs into the AML/CFT framework. It mirrors a banking rule that has existed since the 1990s.

What is the Travel Rule sunrise problem?

The sunrise problem is the gap created when one jurisdiction’s Travel Rule is live while a counterpart’s is not, so required data has nowhere to land. The FATF’s 2025 update reframes it as uneven operationalisation — different thresholds, interpretations and enforcement — not merely a timing mismatch.

What are the Travel Rule thresholds by jurisdiction?

The EU applies a €0 threshold under the Transfer of Funds Regulation from December 30, 2024; the US FinCEN threshold is $3,000, with a proposal to cut it to $250 for cross-border transfers; Singapore’s MAS applies no de minimis; and Switzerland’s FINMA adds counterparty-verification duties. The same FATF standard produces four different rulebooks.

How big was the Binance AML penalty?

Binance agreed to a $4.3 billion resolution in November 2023, including a $3.4 billion FinCEN civil money penalty — the largest in US Treasury history — plus a five-year monitorship and OFAC and DOJ components. Founder Changpeng Zhao pleaded guilty individually.

Does the Travel Rule cover unhosted wallets?

Largely not in the EU and US, where peer-to-peer transfers to self-custodied wallets fall outside VASP-to-VASP messaging, though Switzerland’s FINMA reaches further with verification duties. The unhosted-wallet carve-out is the most contested gap and a live policy question for 2026 and 2027.

What should VASPs do before July 1, 2026?

Build to the strictest regime they touch: assume a €0 EU threshold, integrate a Travel Rule messaging protocol, maintain a counterparty VASP directory, set policy for unreachable counterparties, and document every deviation forced by the sunrise gap for examiners.

This article is informational analysis only and does not constitute legal, regulatory, tax, or investment advice. Regulatory frameworks change frequently and interpretation depends on facts and circumstances; primary documents and official regulator guidance always supersede summaries. Firms should consult qualified legal counsel and their relevant supervisory authority before taking any action based on the analysis above.

Rick Steves has seen business and economics through many lenses. He joined the financial services industry in 2009, and has been a financial journalist since 2011. He holds a degree in Business Administration and has experience producing real-time news, from both buy-side and sell-side, as well as for retail traders, brokers and service providers. Steves' work has appeared in a variety of online publications including FX Street, NewsBTC, FinanceFeeds, and The Industry Spread. Rick has great interest in the dynamics of the trading industry. The never-ending clash between technology, economics, regulation, and more importantly, the people.

Most Read

Related Posts

Imdustry insights

Stay Ahead

Get the latest news, insights, and market updates delivered to your inbox every day.

Enter your email address