Here is the whole thing in one sentence: the crypto travel rule requires regulated crypto services to attach verified sender and receiver identity to transfers, the EU version applies with no minimum amount at all, and it is the single biggest reason privacy coins keep getting delisted.

If you have ever hit "withdraw" on an exchange and been stopped by a form asking who owns the destination wallet, congratulations, you have met the travel rule. It is not your exchange being nosy for fun. It is a global anti money laundering standard that got copied from 1990s bank wire regulations and bolted onto crypto, and in 2026 it quietly shapes almost everything about how regulated exchanges behave. Which coins they list. Which withdrawals they question. Which countries they serve.

Most explainers stop at "exchanges have to share your data now." That is true but incomplete. The interesting parts are the ones nobody covers properly: why the EU decided that even a 5 euro transfer needs full identity data, why the rule is mathematically impossible to follow for a coin like Monero, and what happens when one side of a transfer is in a country that enforces the rule and the other side is not. We will get to all of it.

One disclosure before we start. We run a no account instant swap, so we sit outside the identity collection model this rule was built around. Read our takes with that in mind. We will explain exactly where we fit near the end, plainly.

Where the travel rule comes from: a 1990s bank rule with a new passport

The travel rule was not invented for crypto. It is older than most crypto users.

In the mid 1990s, US regulators added a rule under the Bank Secrecy Act requiring financial institutions to pass along originator and beneficiary information on wire transfers of 3,000 USD or more. The information had to "travel" with the payment from bank to bank, hence the name. For decades this was plumbing that nobody outside compliance departments ever thought about.

Then in 2019, the Financial Action Task Force, the intergovernmental body that writes the world's anti money laundering standards, extended its Recommendation 16 to cover virtual assets and the businesses that handle them. FATF calls those businesses VASPs, virtual asset service providers. The EU calls them CASPs. Same idea: exchanges, custodians, brokers, anyone holding or moving crypto for customers.

The 2019 update said, in effect: when a customer of one VASP sends crypto to a customer of another VASP, both services must collect and exchange identifying information about the two people involved. FATF suggested a threshold of 1,000 USD or EUR, below which only lighter data collection applies. FATF recommendations are not law by themselves. But member countries get graded on adopting them, and a bad grade has real financial consequences, so most large economies have been writing FATF's homework into local law ever since.

Different countries did that at different speeds and with different thresholds. Which is where the mess begins.

The EU version: zero threshold, and yes, that includes your 20 euro

The EU implemented the travel rule through the Transfer of Funds Regulation, Regulation (EU) 2023/1113, usually shortened to the TFR. It applies since December 30, 2024, the same day MiCA's exchange rules kicked in. The two are a package deal, and we cover the broader framework in our MiCA explainer.

Two things make the EU version the strictest major implementation on earth.

First, there is no minimum threshold. FATF suggested 1,000. The US wire rule sits at 3,000 USD. The EU chose zero. Every single transfer a CASP processes, whether it is 5 euro or 5 million, must carry identity data. The de minimis exemption that exists in traditional finance was deliberately removed for crypto. Whatever you think of that decision, it means the common belief that "small amounts fly under the radar in Europe" is simply wrong.

Second, self hosted wallets got their own rule. When a customer sends more than 1,000 euro to their own wallet, or receives more than 1,000 euro from one, the CASP has to verify that the wallet actually belongs to that customer. That is the "prove you own this address" step: sign a message, do a Satoshi test deposit, or connect the wallet, depending on the platform. Below 1,000 euro, the transfer is still logged and the data still collected. The extra ownership verification is what the threshold gates, not the recordkeeping.

So what data actually moves with a transfer? For the originator, the sender: full name, account or wallet identifier, address, and either date and place of birth or an official ID number. For the beneficiary: name and account identifier. The receiving CASP is expected to check the incoming data, hold it, and hand it to authorities on request.

Sit with that for a second. Every exchange to exchange transfer in the EU now travels with a packet that says who sent it, where they live, and when they were born. That is a level of attached identity that cash has never had and that even card payments only approximate.

Travel rule by region: who requires what

Region / regime Threshold for identity data Self hosted wallet step Status as of July 2026
EU (TFR, Reg 2023/1113) None. Every CASP transfer, any amount Ownership verification above 1,000 euro In force since December 30, 2024
United States (BSA) 3,000 USD recordkeeping threshold for money transmitters No blanket federal rule Longstanding; proposals to tighten it have surfaced and stalled, so treat US specifics as unsettled
FATF baseline (Rec 16) Suggested 1,000 USD/EUR Left to each jurisdiction Guidance since 2019; adoption uneven country by country
Non implementing jurisdictions No rule in force yet None The "sunrise problem": data sent there has no compliant counterpart to receive it

Sources: Regulation (EU) 2023/1113, FinCEN BSA recordkeeping rules, FATF Recommendation 16 guidance. Read July 2026. Jurisdictions keep moving; check the primary text before relying on any row.

The table hides one important nuance: the US number is a recordkeeping threshold under decades old money transmitter rules, and how it maps onto crypto transfers has been argued about for years. Proposals to lower it or to extend explicit crypto travel rule requirements have repeatedly stalled. If you operate in the US, assume the details are unsettled and get real advice.

What this means in practice for a normal user

Enough regulation text. Here is what the travel rule actually changes for someone who just holds and moves crypto.

Withdrawals to your own wallet get logged. When you pull coins off a regulated exchange to your hardware wallet, that withdrawal is a recorded compliance event. In the EU, if it is over 1,000 euro, expect the "is this your wallet?" step before the withdrawal clears.

"Who owns this address?" is now a standard question. Kraken, Coinbase, and most other regulated venues ask users to declare whether a withdrawal address is their own wallet or belongs to someone else, and often which service it belongs to. That form is travel rule compliance, not customer service curiosity.

Exchange to exchange transfers carry your identity. Send from your account on exchange A to a friend's account on exchange B, and your name, address, and date of birth travel to exchange B alongside the coins. Your friend's exchange now has your identity on file, attached to that deposit, indefinitely.

Small amounts are not exempt in the EU. Worth repeating because it is the single most common misconception. Zero threshold means zero. The 1,000 euro figure people quote is only the self hosted wallet verification trigger.

Deposits from unknown sources get friction. Receiving CASPs are supposed to check incoming transfers for the required data. A deposit that arrives without it, from a jurisdiction that has no rule, or from a service that cannot send the data, can get flagged, held, or bounced. If you have ever had a deposit sit in limbo while an exchange asked where the funds came from, that machinery is why. It is also a cousin of shotgun KYC, where a service takes your coins first and demands documents second.

The Monero problem: why a compliant exchange literally cannot carry it

Now the part most travel rule explainers skip, and the part that explains years of delisting headlines.

The travel rule assumes the service can see the transfer. For Bitcoin or Ethereum that holds: addresses and amounts sit on a public ledger, so a CASP can attach identity data to a visible transaction and an analytics firm can trace the flow. The rule and the ledger fit together.

Monero breaks every one of those assumptions on purpose. Ring signatures hide the true sender among decoys, currently 16 per ring since the August 2022 hard fork. Stealth addresses mean the receiving address on chain is a one time key that outside observers cannot link to anyone. Confidential amounts hide how much moved. The mechanics are worth understanding and we walk through them in our on chain privacy tech explainer, but the compliance summary is short: for a shielded transfer, there is no visible sender, no visible receiver, and no visible amount.

So picture a compliance officer at a regulated CASP handling an incoming Monero deposit. The rule says: verify the originator information against the transaction. Against what, exactly? There is nothing on chain to check it against. The exchange cannot demonstrate where funds came from, cannot meaningfully screen the deposit against sanctions lists at the chain level, and cannot promise a regulator any of the traceability the framework presumes. Zcash shielded transfers pose the same problem, which is why exchanges that keep ZEC often force transparent addresses for deposits and withdrawals.

Faced with an asset they cannot square with the rule, exchanges do not petition for an exemption. They delist. It is the rational move: one asset versus the license that covers the whole business. Binance dropped XMR globally in February 2024. OKX removed its privacy pairs in early 2024. Kraken pulled XMR for EEA and UK users in 2024. Japan pushed privacy coins off licensed exchanges back in 2018, and South Korea followed in 2021 under explicit travel rule pressure. According to ByteTree's May 2026 analysis, 73 exchanges had delisted at least one privacy coin by late 2025. We keep a running list in the Monero delisting tracker.

And the pressure is still tightening. The EU's new AML regulation bars CASPs from servicing anonymity enhancing coins outright from July 10, 2027, which turns today's risk decision into tomorrow's legal requirement. That deserves its own article, and it has one: the EU privacy coin ban of 2027.

Notice what is not happening here. Nobody has made Monero illegal to own in the EU or the US. The travel rule regulates intermediaries, not assets or individuals. The coin gets squeezed out of regulated venues not by prohibition but by incompatibility. Whether you find that a clever regulatory design or a quiet ban with extra steps probably depends on your priors. We lean toward the second reading, and we run a Monero pair, so weigh that.

The sunrise problem, and what compliance actually looks like

Even between two fully transparent chains and two willing exchanges, the travel rule has an awkward engineering reality.

First, the sunrise problem. The rule only works when both ends have implemented it, and the sun has not risen everywhere at once. An EU CASP is legally required to send originator data with a transfer. If the receiving service sits in a country with no travel rule, there may be nobody legally able, or willing, to receive and safeguard that packet of personal data. Regulators mostly tell their supervised firms to do risk assessments on such counterparties, which in practice means more friction, more holds, and sometimes refusal to send to certain services at all. Until adoption is global, every travel rule transfer is a handshake where one hand might not be there.

Second, the plumbing. When both sides do comply, the data does not ride the blockchain itself. It moves through separate messaging channels between the two services, and the industry has largely standardized on a format called IVMS 101, a common data model so that one provider's "originator name" field means the same thing as another's. Several competing networks carry those messages, they do not all interoperate cleanly, and matching an on chain transaction to the right off chain identity packet remains genuinely fiddly. None of this is visible to you as a user. All of it explains why a simple withdrawal sometimes takes a strangely bureaucratic path.

What the travel rule does not cover

This part matters just as much as what it does cover, and it is where the honest gray zones live.

Self custody to self custody transfers. You sending coins from your own wallet to a friend's own wallet, peer to peer, with no service in the middle, is not a travel rule event anywhere we know of. The rule binds intermediaries. No intermediary, no rule. This is the clean, uncontested case.

DEXs, for now. Decentralized exchanges without a custodial operator do not fit the VASP definition as written, and as of July 2026 they broadly sit outside travel rule enforcement. We would not bet on that lasting forever. FATF has been circling DeFi in its guidance for years, and "sufficiently decentralized" is a line regulators get to draw later, in hindsight. Treat DEX exemption as a current fact, not a permanent one.

Non custodial instant swaps operating outside licensing regimes. Services like ours take a deposit, swap it, and send the output without creating accounts or collecting identities. Whether and where such services fall under VASP style registration depends entirely on jurisdiction, corporate structure, and which regulator you ask, and anyone who tells you this zone is settled law is selling something. It is a gray zone. We have written about the legality question honestly in are no KYC exchanges legal, and the short version is: generally legal to use in most places, contested terrain for operators, always check your local rules.

Where CoinVast sits, stated plainly

Since we just described the category we operate in, here is our position without the fog.

CoinVast is a no account instant swap. No registration, no email, no identity collection, which means there is no originator name, address, or date of birth for us to attach to anything. We are not a MiCA authorized CASP and we do not transmit IVMS 101 packets.

What we do instead is screen before the swap. When an order is created, both the deposit address and the payout address are checked against sanctions lists and risk data before you send anything. Pass, and the swap runs and is final. Fail, and it never starts; coins that arrive anyway auto return minus the network fee. It is a different model from the travel rule's identity attachment: we screen the addresses, not the people. We think pre send screening honestly addresses the sanctions and illicit finance risk the rule aims at, without building a database of who sent what to whom. Regulators may eventually disagree, and we will not pretend otherwise. The full policy, including what we log and what we cannot see, is on our trust page.

We will also state the trade offs, because that is the house style: we launched in 2026, we charge a flat 2% spread over mid market printed on the quote, we are not a fiat on ramp, and we have no insurance fund. What you get for that is a swap with no identity attached and no surprise document demands after your coins are already in someone else's custody.

So what should you actually do?

Different situations, different sensible moves.

If you use regulated exchanges and do not much care about privacy: nothing changes for you except paperwork. Answer the wallet ownership questions truthfully, keep records of your own addresses, and expect withdrawals to self custody to occasionally need a verification step. Lying on an ownership declaration to dodge friction is the one genuinely dumb move here.

If you are an EU user who values privacy: understand that every transfer through a CASP now carries your identity, at any amount. Move long term holdings to self custody, know that the move itself gets logged, and do your peer to peer transfers wallet to wallet where the rule does not reach. Do not structure transactions to duck thresholds; that is its own offense.

If you hold Monero or other privacy coins: the regulated exchange route is closing, not closed, and in the EU it has a 2027 end date. Plan your entry and exit routes around venues that do not need travel rule compatibility: DEXs, atomic swaps, and instant swap services. Our Monero exchange pair exists precisely because of this squeeze.

If you just got a scary sounding email from your exchange: it is almost certainly a travel rule questionnaire, not an accusation. Answer it, or move to self custody first and then answer it. Ignoring it is what gets accounts restricted.

Frequently Asked Questions

Does the travel rule apply to my hardware wallet?

Not to the wallet itself. Holding crypto in self custody and sending peer to peer between self custody wallets is outside the rule everywhere we know of. The rule kicks in when a regulated service touches the transfer: withdrawing from an exchange to your hardware wallet is a logged event, and in the EU a transfer over 1,000 euro triggers a wallet ownership verification step.

Is there a minimum amount for the travel rule in the EU?

No. The EU's Transfer of Funds Regulation (2023/1113) applies to every CASP transfer with no minimum threshold, so a 5 euro transfer carries the same identity data requirements as a 50,000 euro one. The 1,000 euro figure people cite is a separate trigger: above it, transfers to or from self hosted wallets require the CASP to verify you own the wallet.

Why did Coinbase or Kraken ask me who owns the wallet I am withdrawing to?

That question is travel rule compliance. Regulated exchanges must record whether a withdrawal goes to your own self hosted wallet or to a third party, and in the EU they must verify your ownership claim above 1,000 euro. Answering truthfully is the right move; false declarations create real problems if the account is ever reviewed.

What is the FATF travel rule for crypto?

It is the 2019 extension of FATF Recommendation 16, a global standard requiring virtual asset service providers to collect and exchange sender and receiver identity information on crypto transfers, with a suggested 1,000 USD/EUR threshold. FATF standards are not directly law, but member countries implement them locally, which is how the EU, US, and dozens of other jurisdictions ended up with their own versions.

What information does my exchange share when I send crypto to another exchange?

Under the EU rules, the sending CASP transmits your full name, your account or wallet identifier, your address, and your date and place of birth or an ID number, plus the recipient's name and account identifier. The data moves through separate compliance messaging channels, commonly in the IVMS 101 format, not on the blockchain itself.

Why do exchanges delist privacy coins like Monero?

Because the travel rule presumes visible senders, receivers, and amounts, and Monero's shielded transfers have none of those, a regulated exchange cannot demonstrate compliance for XMR transfers. Rather than carry that licensing risk, exchanges delist: Binance in February 2024, OKX and Kraken (for EEA/UK) the same year, and per ByteTree's May 2026 analysis some 73 exchanges had dropped at least one privacy coin by late 2025.

Does the travel rule apply to DEXs and peer to peer trades?

As of July 2026, genuinely non custodial DEXs and direct wallet to wallet trades sit outside the rule, which only binds intermediaries that qualify as VASPs or CASPs. FATF guidance has been inching toward DeFi for years, so treat that as the current state rather than a guarantee. The moment a custodial service enters the transaction path, the rule applies to that leg.

Is it illegal for me, as a user, to receive crypto without travel rule data?

No. The obligations fall on the service providers, not on individuals sending or receiving. What you will feel as a user is friction: deposits arriving without the expected data can be held or questioned by the receiving exchange, and services in non implementing countries face growing pressure from counterparties that must comply.

The travel rule is the pipe through which crypto is being fitted into the traditional financial surveillance system, one jurisdiction at a time, and the EU has built the tightest fitting so far. Know what it covers, know what it does not, and pick your venues with both lists in mind. We built CoinVast for the second list: a no account instant swap with pre send address screening, a flat 2% spread printed on the quote, and native Monero support on our own node. It is one honest answer to the rule, not the only one, and now you know exactly what it is an answer to.