TL;DR: The FATF Travel Rule has matured globally, but major implementation gaps still remain across jurisdictions, vendor choices, and compliance workflows, according to SumSub’s 2023 guide. The practical issue is not policy awareness but operational readiness, because identity, data-sharing, and counterpart verification controls have to work across fragmented crypto rails.
NHIMG editorial — based on content published by Sumsub: Complete Guide to the Crypto Travel Rule (2023)
Questions worth separating out
Q: How should crypto compliance teams implement the Travel Rule across multiple jurisdictions?
A: They should start with a jurisdiction-by-jurisdiction rule matrix, then map each requirement to onboarding, transaction screening, data exchange, and retention workflows.
Q: Why do Travel Rule programmes fail in practice?
A: They usually fail because the policy is written faster than the workflow is built.
Q: How can organisations tell whether their Travel Rule controls are working?
A: A working programme can prove that required identity data was collected, transmitted, acknowledged, and retained for each qualifying transfer.
Practitioner guidance
- Build a jurisdiction matrix for Travel Rule obligations Document sender, receiver, threshold, and retention requirements by country and update the matrix whenever regulations or supervisory guidance change.
- Test counterparty data exchange before production rollout Validate how your workflow handles missing beneficiary fields, delayed acknowledgements, and incompatible formats across real counterparties and vendor integrations.
- Define exception handling for incomplete transfers Create escalation paths for cases where required identity data cannot be collected, verified, or transmitted within the required transaction flow.
What's in the full article
Sumsub's full guide covers the operational detail this post intentionally leaves for the source:
- A practical breakdown of Travel Rule requirements and how they vary across countries
- Implementation challenges teams are likely to hit when integrating compliance into live crypto workflows
- Guidance on choosing the right Travel Rule solution for your operating model
- A compliance-focused overview of how businesses can align policy, process, and evidence
👉 Read Sumsub's complete guide to the crypto Travel Rule and compliance challenges →
Crypto travel rule gaps: what compliance teams still miss?
Explore further
The Travel Rule is an identity governance problem, not just a compliance checklist. The rule only works when organisations can reliably identify counterparties, transmit required attributes, and preserve auditability across transaction paths. That makes it closer to cross-domain identity governance than to a static policy obligation. Compliance teams should treat it as a control plane for regulated data exchange, not a one-time legal interpretation exercise.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: Who is accountable when a Travel Rule transfer cannot be completed correctly?
A: Accountability sits with the compliance owner, the operational workflow owner, and any third party that processes regulated identity data on the organisation’s behalf. The question is not only who caused the failure, but who can evidence the control, explain the exception, and demonstrate that the transfer was handled under the correct rule set.
👉 Read our full editorial: Crypto travel rule implementation gaps still challenge compliance teams