FinCEN Travel Rule for Crypto: 2026 Compliance Checklist

FinCEN's October 2020 Notice of Proposed Rulemaking on convertible virtual currency—combined with the agency's 2019 interpretive guidance (FIN-2019-A003)—left no ambiguity: the Bank Secrecy Act's Travel Rule applies to crypto transmittals right now, not at some future date. Yet FinCEN's 2025 examination priorities memo flagged Travel Rule deficiencies as a top-three BSA finding at money services businesses, and enforcement referrals to DOJ have accelerated. If your compliance program still treats the $3,000 threshold as aspirational, you're already behind.

TL;DR

• The BSA Travel Rule (31 CFR § 1010.410) applies to virtual asset transmittals ≥ $3,000; no separate crypto-specific rulemaking is required for the obligation to be live.
• FIN-2019-A003 confirmed that CVCs and VASPs are "money transmitters" under the BSA; the Travel Rule follows automatically.
• Transmitting institutions must collect, retain, and pass originator/beneficiary data to the receiving institution—including name, account number, address, and amount.
• FinCEN's 2025 exam findings show widespread failures in counterparty identification and data-passing for unhosted wallet transfers.
• A 2026 compliance program must address FATF Recommendation 16 alignment, unhosted wallet risk tiering, and real-time data transmission protocols.

---

What This Regulation Actually Requires

The Statutory Foundation

The Travel Rule lives in 31 U.S.C. § 5318(g) and its implementing regulation at 31 CFR § 1010.410(f). It was written for wire transfers in 1996, but FinCEN has consistently held that the rule's text—"transmittal of funds"—covers any transfer of value, including virtual assets. FIN-2019-A003, issued May 9, 2019, is the controlling interpretive guidance. It explicitly states that a person who transmits CVC "is a money transmitter subject to BSA regulations."

The $3,000 threshold triggers mandatory data collection and transmission. Below $3,000, recordkeeping obligations still apply under 31 CFR § 1010.410(e), but the pass-along requirement kicks in at the $3,000 mark.

What Data Must Travel With the Transaction

For transmittals at or above $3,000, the originating financial institution (or VASP) must obtain and transmit to the receiving institution:

• Originator name (exactly as it appears in account records)
• Originator account number (or a unique identifier if no account exists)
• Originator address (physical address, or date and place of birth, or customer identification number)
• Amount and execution date
• Beneficiary name and account number (if known at time of transmittal)
• Receiving financial institution identity

The receiving institution must retain this information for five years under 31 CFR § 1010.430.

The Unhosted Wallet Problem

FIN-2019-A003 doesn't carve out unhosted (self-custodied) wallets. When a customer sends funds from an exchange to a private wallet, the exchange is still the originating transmittor. It must collect beneficiary information to the extent reasonably available. FinCEN's 2020 NPRM proposed a $3,000 threshold for CVC transfers to unhosted wallets with enhanced recordkeeping, and a $10,000 threshold for CTR-like reporting. That NPRM was never finalized as of this writing, but the underlying Travel Rule obligation for the originating institution remains.

Practically: if your customer sends $5,000 in ETH to an external address, you must record the beneficiary information you have and make a reasonable effort to obtain what you don't. "We couldn't verify the wallet owner" is not a safe harbor—it's a risk-based judgment that must be documented.

Counterparty VASP Identification

The Travel Rule requires the originating institution to identify the receiving institution. For crypto, that means identifying the receiving VASP. This is harder than it sounds. There's no U.S. equivalent of SWIFT's BIC directory for VASPs. Compliance teams must use a combination of blockchain analytics, VASP directories (TRISA, OpenVASP, Notabene), and direct counterparty agreements.

FinCEN has not mandated a specific technical protocol. The obligation is outcome-based: the data must travel with the transaction. How you get it there is your problem.

---

What This Means for Your Company

If you operate a U.S.-registered money services business that transmits virtual assets—exchange, OTC desk, neo-bank with crypto rails, DeFi front-end with custodial features—you are a covered transmittor. Full stop.

The practical exposure breaks into three categories:

Regulatory examination risk. FinCEN examiners (often working through IRS-CI's BSA examination program) are actively testing Travel Rule compliance. The 2025 exam findings memo identified failure to pass originator/beneficiary data as a "systemic" deficiency. Exam findings can trigger civil money penalties, cease-and-desist orders, or referrals.

Criminal referral risk. Willful BSA violations carry penalties up to $250,000 per violation and 5 years imprisonment under 31 U.S.C. § 5322. The DOJ's 2023 action against Binance—which included Travel Rule failures as part of a broader BSA violation pattern—resulted in a $3.4 billion criminal fine. That case is the clearest signal that Travel Rule non-compliance isn't a technical footnote; it's a predicate for criminal exposure.

Counterparty risk. Regulated VASPs in FATF member jurisdictions (EU under MiCA/TFR, Singapore under MAS Notice PSN02, UK under the MLRs) are increasingly refusing to process inbound transfers from U.S. counterparties that can't demonstrate Travel Rule compliance. Your non-compliance becomes a business continuity problem.

---

How to Operationalize

This checklist is sequenced by priority. Work through it in order.

Step 1: Confirm your MSB registration is current. FinCEN MSB registration (FinCEN Form 107) must be renewed every two years. Lapsed registration is an independent BSA violation and will surface in any examination.

Step 2: Map every transmittal flow. Document each product or feature that moves virtual assets on behalf of customers. Include fiat on/off ramps, internal transfers between sub-accounts, and any API-based transfer functionality. Each flow needs a Travel Rule data collection point.

Step 3: Set your $3,000 threshold controls. Your transaction monitoring system must flag transmittals at or above $3,000 for Travel Rule data collection. Test this with your TMS vendor. Aggregation rules matter: multiple transfers that together exceed $3,000 within a 24-hour window may require aggregation analysis under your BSA policy.

Step 4: Build or buy a Travel Rule data-passing solution. Options include:

• Direct bilateral agreements with counterparty VASPs (workable for a small counterparty set)
• Protocol-based solutions: TRISA (Travel Rule Information Sharing Architecture), Notabene, Sygna Bridge, or VerifyVASP
• Blockchain analytics integration to identify receiving VASPs by on-chain address clustering

Document your chosen protocol in your BSA/AML policy. Examiners will ask.

Step 5: Establish an unhosted wallet risk framework. Tier unhosted wallet transfers by risk. At minimum:

• Transfers ≥ $3,000 to unhosted wallets: collect and document all available beneficiary information; apply enhanced due diligence for high-risk jurisdictions
• Transfers ≥ $10,000: consider voluntary SAR filing if beneficiary identity cannot be confirmed
• Transfers to OFAC-sanctioned addresses: block and file SAR immediately

Step 6: Train your compliance and operations staff. Travel Rule obligations apply at the point of transaction initiation. Customer-facing staff need to understand why they're collecting address information and what happens when a customer refuses. Document refusal procedures.

Step 7: Test and audit annually. Run a transaction sample (minimum 50 transmittals above $3,000) and verify that Travel Rule data was collected, retained, and passed. Document findings and remediation. This is your evidence of a functioning compliance program.

Step 8: Update your BSA/AML policy and procedures. Your written program must specifically address virtual asset transmittals, the $3,000 threshold, unhosted wallet procedures, and your chosen data-passing protocol. Generic "we comply with the BSA" language won't satisfy an examiner.

---

Common Mistakes and How to Avoid Them

Mistake 1: Treating the Travel Rule as a future obligation. Some compliance teams are still waiting for FinCEN to finalize the 2020 NPRM before building Travel Rule controls. The NPRM would add new requirements; it doesn't create the existing ones. FIN-2019-A003 and 31 CFR § 1010.410 are already in force.

Mistake 2: Collecting data but not passing it. Collecting originator/beneficiary information at account opening is necessary but not sufficient. The data must be transmitted to the receiving institution at the time of the transmittal. Storing it in your KYC file and never sending it downstream is a Travel Rule violation.

Mistake 3: Ignoring the receiving institution's obligations. If you're the receiving VASP, you must retain the Travel Rule data you receive for five years. You also have an obligation to identify the originating institution. Receiving-side compliance is frequently under-resourced.

Mistake 4: Assuming blockchain analytics replaces Travel Rule compliance. Chainalysis, Elliptic, and similar tools help identify counterparty VASPs and flag high-risk addresses. They don't satisfy the data collection and transmission requirements. Analytics is a supplement, not a substitute.

Mistake 5: No documented unhosted wallet policy. Examiners specifically ask about unhosted wallet procedures. "We assess it case by case" without written criteria is not a policy. Write it down, get it approved by your BSA officer, and train to it.

---

FAQ

Q: Does the Travel Rule apply to DeFi protocols? A: FinCEN's position, consistent with FIN-2019-A003, is that the BSA applies to the "person" conducting the transmittal, not the protocol. If a business operates a front-end that facilitates transmittals and exercises control or custody over customer funds at any point, it's likely a money transmitter. Pure, non-custodial DeFi protocols with no controlling person present a harder question FinCEN hasn't fully resolved. If your product has any custodial feature, assume coverage.

Q: What's the penalty for a single Travel Rule violation? A: Civil penalties under 31 U.S.C. § 5321 can reach $1,000 per day for negligent violations and up to the greater of $100,000 or the amount of the transaction for willful violations. Criminal penalties under § 5322 go up to $250,000 per violation and 5 years imprisonment. In practice, FinCEN aggregates violations and negotiates consent orders; the Binance case shows that systemic failures produce nine-figure outcomes.

Q: Do I need to comply with FATF Recommendation 16 separately from the BSA Travel Rule? A: FATF R.16 is the international standard; the BSA Travel Rule is U.S. domestic law. They overlap substantially but aren't identical. The BSA threshold is $3,000; FATF R.16 sets $1,000/€1,000. If you transact with counterparties in FATF member jurisdictions, their local rules (MiCA Transfer of Funds Regulation in the EU, MAS PSN02 in Singapore) may impose the lower threshold on the receiving end. Build your program to the lower threshold if you have significant international volume.

Q: What if the receiving VASP isn't registered or can't receive Travel Rule data? A: This is the "sunrise issue" that has plagued Travel Rule implementation globally. FinCEN's guidance doesn't provide a safe harbor for inability to transmit. Document your attempts to pass data, apply enhanced due diligence to the transaction, and consider whether the counterparty relationship presents unacceptable BSA risk. Some VASPs have adopted a policy of blocking transfers to unresponsive counterparties above threshold.

Q: How does the Travel Rule interact with OFAC sanctions screening? A: They're parallel obligations. OFAC screening must happen before or simultaneously with Travel Rule data collection. If a transmittal hits an OFAC match, block it and file a report with OFAC—Travel Rule data collection is moot. If the transmittal clears OFAC screening, Travel Rule obligations apply normally. Your transaction monitoring workflow should sequence OFAC screening first.

---

Sources

• FinCEN Interpretive Guidance, FIN-2019-A003, "Application of FinCEN's Regulations to Certain Business Models Involving Convertible Virtual Currencies" (May 9, 2019) — fincen.gov
• 31 CFR § 1010.410, "Records to be made and retained by financial institutions" — ecfr.gov
• FinCEN Notice of Proposed Rulemaking, "Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets" (December 2020) — fincen.gov
• 31 U.S.C. § 5318, "Compliance, exemptions, and summons authority" — uscode.house.gov

---

Disclaimer

This article is provided for general informational and educational purposes only. It does not constitute legal advice, regulatory guidance, or a compliance opinion. The information reflects publicly available sources as of the date of publication and may not account for subsequent regulatory changes, enforcement actions, or judicial decisions. Readers should consult qualified legal counsel and compliance professionals before making decisions based on this content. BizLegal-AI makes no representations regarding the completeness or accuracy of this information and accepts no liability for actions taken in reliance on it.