TL;DR: Stablecoin volumes reached close to $1 trillion per month last year, double 2024 levels, while regulators including FATF are pushing VASPs to operationalize the Travel Rule inside fragmented settlement and compliance workflows, according to SumSub. Compliance is shifting from a separate review step to an embedded identity and data-exchange control problem.
At a glance
What this is: This is a partnership announcement about embedding Travel Rule compliance into digital asset transaction workflows, with the core finding that compliance is moving from manual oversight into real-time, workflow-native verification.
Why it matters: It matters because VASPs, financial institutions, and identity teams now have to govern transaction-linked compliance, counterparty verification, and policy execution as one control surface across NHI, platform, and regulatory workflows.
By the numbers:
- Fireblocks says thousands of organizations trust its platform to secure more than $10 trillion in digital asset transactions across 130+ blockchains.
- The partnership reaches over 1,800 VASPs across top protocols including GTR, CODE, and Sygna.
👉 Read SumSub's article on Travel Rule compliance inside Fireblocks workflows
Context
Travel Rule compliance is the identity and data-sharing layer that links a virtual asset sender and receiver so regulated counterparties can exchange the information required for lawful transfer processing. In practice, the control problem is not only whether the rule exists, but whether it is embedded where transaction decisions happen and whether it can operate at speed across multiple counterparties and protocols.
For VASPs, the governance challenge is that digital asset transfers move across fragmented rails while compliance obligations are becoming more explicit. That creates pressure on IAM, operational compliance, and platform teams to treat counterparty verification, policy routing, and auditability as part of the transaction workflow rather than as a separate after-the-fact review.
SumSub's announcement is best read as a workflow integration story, not a product story. The real question for practitioners is whether compliance controls can keep pace with stablecoin-scale transfer volumes without forcing manual exceptions or disconnected checks.
Key questions
Q: How should VASPs embed Travel Rule compliance into transaction workflows?
A: VASPs should place counterparty verification, encrypted data exchange, and policy enforcement directly into the transfer path. That reduces manual handoffs and makes the compliance decision part of the transaction itself. The critical test is whether the workflow can show a defensible decision trail for every allowed, delayed, or rejected transfer.
Q: Why do fragmented settlement rails complicate Travel Rule governance?
A: Fragmented rails create multiple handoff points where identity data can be delayed, transformed, or lost. Each protocol and counterparty may have different operational assumptions, so compliance becomes inconsistent unless policy orchestration is centralised. Practitioners need to govern the workflow boundary, not only the counterparty list.
Q: What do security and compliance teams get wrong about Travel Rule controls?
A: They often treat Travel Rule as a documentation exercise instead of a real-time control embedded in transaction execution. That approach creates gaps between policy intent and operational reality. Effective governance depends on timely verification, encrypted exchange, and audit evidence generated inside the payment flow.
Q: Who is accountable when Travel Rule compliance fails in a VASP workflow?
A: Accountability is shared, but it is not ambiguous. Compliance owns policy intent and regulatory interpretation, while platform and operations teams own execution reliability, protocol support, and evidence retention. If those responsibilities are not separated clearly, failures become hard to audit and harder to remediate.
How it works in practice
Embedded Travel Rule workflows in transaction processing
Travel Rule controls work when the compliance step is part of the transfer path, not a parallel process. Embedded workflows let transaction platforms trigger identity and counterparty data exchange at the moment of transfer, which reduces handoffs and avoids the common gap where a payment can move faster than the compliance review. In this model, the platform remains the execution hub while the compliance layer supplies policy, verification, and routing logic. The key architectural shift is from side-channel compliance to in-band compliance.
Practical implication: map where Travel Rule checks are triggered in the payment flow and remove any separate path that can be bypassed or delayed.
Encrypted real-time data exchange between VASPs
Travel Rule implementation depends on secure exchange of originator and beneficiary information between counterparties. Real-time encrypted exchange reduces exposure during transit, but it also requires protocol interoperability, counterparty trust mapping, and reliable message handling across different VASP networks. The control is less about one protocol and more about whether the system can orchestrate multiple protocols without weakening policy enforcement. That orchestration matters because regulated transfers often traverse different technical and compliance assumptions at each endpoint.
Practical implication: validate encryption, protocol compatibility, and counterparty onboarding before expanding the number of supported transfer rails.
Dynamic compliance logic for risk-based transaction screening
Dynamic verification means policy can vary based on transaction context, counterparty risk, or jurisdiction. That is materially different from static compliance rules because the system must decide what to check, when to check it, and how to record the result for audit. For identity teams, this creates a governance problem around policy versioning, exception handling, and evidence retention. If the workflow cannot show why a transaction was allowed or delayed, the control may be operationally fast but not defensible.
Practical implication: require auditable policy decisions, exception logs, and retention rules for every risk-based Travel Rule outcome.
NHI Mgmt Group analysis
Travel Rule compliance is becoming a transaction identity problem, not a documentation problem. The important shift is that the identity and counterparty checks now sit inside the payment workflow itself. That changes governance because the control is only effective if it executes at transfer speed and across multiple protocols. Practitioners should treat this as a control-plane design issue, not a legal add-on.
Fragmented settlement rails create compliance fragmentation. When virtual asset transfers move across multiple VASPs and protocols, each handoff creates another place where data can be delayed, transformed, or lost. The practical consequence is that teams need to govern the workflow boundary, not just the individual counterparty relationship. This is where policy consistency and audit evidence either hold together or break apart.
Embedded compliance will reshape how digital asset platforms think about governance ownership. Once Travel Rule checks live inside the transaction platform, responsibility is no longer split neatly between compliance and operations. The platform team owns execution reliability, while compliance owns policy intent and evidence. That means operating models must be redesigned so exception handling, protocol support, and audit readiness are all governed as one service.
Stablecoin growth is exposing the limits of manual compliance layering. With transfer volumes scaling sharply, separate review queues and post-transaction checks create a lag that can no longer be absorbed by process. The category is moving toward workflow-native identity controls because the pace of movement is now part of the risk model. Practitioners should expect compliance architecture to converge with transaction architecture.
Travel Rule orchestration: The named concept here is the operational merging of compliance routing, counterparty verification, and encrypted data exchange inside the transaction path. That matters because the value is not just automation, but governable automation across multiple protocols and counterparties. The implication is that identity governance for virtual assets is becoming infrastructure governance.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
- For a related governance lens, see Ultimate Guide to NHIs , Regulatory and Audit Perspectives for how compliance obligations translate into audit-ready controls.
What this signals
Travel Rule orchestration: As transaction compliance moves into the payment workflow, identity and governance teams should expect tighter coupling between policy engines, counterparty registries, and audit evidence. The practical signal is that the next control maturity jump will come from treating compliance execution as infrastructure, not paperwork. For governance teams, this is where NIST Cybersecurity Framework 2.0 style control ownership becomes more operationally useful than periodic review alone.
The reader-level implication is straightforward. If compliance data cannot travel at transaction speed, the organisation will keep paying for manual exception handling and fragmented control evidence. Teams should therefore prioritise workflow-native controls, counterparty lifecycle governance, and protocol-level auditability before expanding transaction volume further. That is the difference between scalable compliance and scalable friction.
For practitioners
- Embed Travel Rule checks in the transfer path Place verification, policy routing, and evidence capture inside the transaction workflow so compliance is evaluated before the transfer is committed, not after settlement begins.
- Standardise counterparty onboarding rules Define how VASPs are approved, how protocol compatibility is tested, and what identity data must be exchanged before counterparties can transact at scale.
- Audit exception handling and retention Require logs for every delayed, rejected, or manually reviewed transfer and retain the policy decision trail long enough to satisfy regulatory review and internal audit.
- Separate policy ownership from platform execution Assign compliance teams ownership of rule intent and evidence, while platform teams own reliability, encryption, and protocol orchestration across transaction flows.
Key takeaways
- Travel Rule compliance is shifting from a separate policy obligation into the transaction workflow itself.
- Stablecoin-scale transfer volumes and multi-protocol settlement rails expose the limits of manual compliance layering.
- Practitioners should govern encrypted counterparty verification, exception handling, and audit evidence as one control surface.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Travel Rule controls depend on governed access and trusted transaction decisions. |
| NIST Zero Trust (SP 800-207) | Zero trust applies to counterpart validation across fragmented transfer rails. | |
| NIST SP 800-63 | Federated identity concepts underpin regulated counterparty verification. |
Map transaction approval and counterpart verification to PR.AC-4 and keep the decision trail auditable.
Key terms
- Travel Rule Compliance: The set of controls that ensure regulated transaction information is exchanged between counterparties in a virtual asset transfer. In practice, it combines policy, identity verification, message exchange, and recordkeeping so the transfer can be defended to regulators and auditors.
- Counterparty Verification: The process of confirming the identity and eligibility of the receiving or sending virtual asset service provider before a transfer is completed. It is a governance control, not just a technical check, because it determines whether the transaction can proceed under the correct regulatory conditions.
- Workflow-native Compliance: A compliance model where policy checks, evidence capture, and exception handling run inside the operational system that moves the asset. This reduces handoffs and makes control execution part of the transaction path rather than a separate manual review layer.
- Protocol Orchestration: The coordination of multiple technical and compliance protocols so transactions can move across different counterparties without breaking policy consistency. It matters when regulated transfers must work across more than one network, rule set, or operational model.
Deepen your knowledge
Travel Rule governance, counterparty verification, and workflow-native compliance are covered in the NHI Foundation Level course, the industry's only accredited NHI security programme. If you are aligning transaction controls with regulated identity workflows, it is worth exploring.
This post draws on content published by SumSub: Embedded natively in Fireblocks, Sumsub’s Travel Rule solution for digital asset payments. Read the original.
Published by the NHIMG editorial team on 2026-06-08.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
