Travel Rule in Cryptocurrencies: Obligations for Service Providers in Spain
Legal

Travel Rule in Cryptocurrencies: Obligations for Service Providers in Spain

Travel Rule in Cryptocurrencies: Obligations for Service Providers in Spain

The Travel Rule, applied in the context of crypto-assets, establishes strict obligations for identification, verification, and data retention for VASPs (Virtual Asset Service Providers). This rule, already in force within the European framework, aims to strengthen the traceability of cryptocurrency transfers in line with the traditional financial system’s regulation.

In this article, we explain what the Travel Rule entails, what obligations it imposes on service providers, and how it is applied in Spain.

What is the Travel Rule in the crypto context?

The Travel Rule originates from the recommendations of the Financial Action Task Force (FATF/GAFI) and has been incorporated into European law through the Regulation on Funds Transfers (Regulation (EU) 2023/1113), in force since 2023.

Its purpose is to ensure that every crypto-asset transfer contains sufficient information about both the originator and the beneficiary, allowing authorities to trace potential transactions related to money laundering or terrorist financing.

Obligations of the originator’s service provider (sending VASP)

1. Mandatory information of the originator

Article 14 of the Regulation establishes that the VASP initiating the transfer must ensure that it includes the following data of the originator:

  • Full name
  • Crypto-asset wallet address or account number (if DLT is not used)
  • Physical address of the client
  • Official identity document number
  • Client identifier or
  • Date and place of birth

This information must be verified through reliable and independent sources. The transfer cannot be initiated or executed until this obligation has been fulfilled.

2. Transfers to self-hosted wallets

When the recipient of the funds is a self-hosted wallet (without intermediaries), the provider must:

  • Retain the identifying information of the originator associated with that transaction.
  • Verify ownership or control over the wallet if the transfer exceeds 1,000 euros.

Obligations of the beneficiary’s service provider (receiving VASP)

Article 16 imposes the following responsibilities on the provider receiving the transfer:

1. Verification of received information

It must implement procedures to detect if mandatory information from the originator or the beneficiary is missing.

2. Verification based on amount

  • For transfers exceeding 1,000 euros: the information of the beneficiary must be verified using independent sources.
  • For transfers below 1,000 euros: a more flexible regime may apply, requiring verification only in specific circumstances (for example, if there are signs of suspicious activity).

3. Compliance with anti–money laundering regulation

Verification is deemed complete if the procedures established under anti–money laundering (AML) legislation have been correctly applied.

Record-keeping obligations

Both the originator’s and beneficiary’s service providers must retain transfer information and related personal data for at least 5 years, with Member States allowed to extend this period to 10 years.

This includes:

  • Information about the originator and the beneficiary
  • Transaction data and supporting documentation
  • Evidence of verification

Penalties for non-compliance

Failure to comply with the Travel Rule carries significant legal consequences. Under both European and Spanish law, violations may result in:

  • Administrative sanctions, with fines proportional to the size of the operation or entity.
  • Financial penalties, under the sanctioning regime of Law 10/2010 on the Prevention of Money Laundering.
  • Criminal liability, if collaboration or concealment of illicit activities is proven.

Who is affected by this obligation in Spain?

In the national context, the Travel Rule applies to all crypto-asset service providers registered with the CNMV or the Bank of Spain, including:

  • Cryptocurrency exchanges
  • Custodial wallet providers
  • Intermediated P2P trading platforms
  • Other entities involved in crypto-asset transfers, even if part of the service is provided from outside the EU

Conclusion: compliance with the Travel Rule is no longer optional

The Travel Rule is now fully in force in the crypto environment and represents a binding legal obligation for VASPs in Spain and throughout the European Union.

This regulation seeks to align the treatment of crypto-asset transfers with that of traditional bank transfers, ensuring greater traceability, security, and regulatory oversight.

To avoid penalties and operate lawfully, VASPs must:

  • Adapt their systems to collect and verify the required information.
  • Establish internal procedures to detect and report irregularities.
  • Train staff in the compliance of these obligations.

Related Articles

How to Launch Your Business Project with Legal Security from Day One
Legal

How to Launch Your Business Project with Legal Security from Day One

Discover how to launch your business project on a solid legal foundation. We analyze taxes, licenses, contracts, and legal structures to avoid errors and grow safely.

Read more →
Cookies, consent and user control: AEPD updates in 2025
Legal

Cookies, consent and user control: AEPD updates in 2025

practical guide for startups in Spain: reminder of prior obligations, 2025 criteria on banners, granular consent, personalization, consentless audience measurement, the “pay or okay” model, and effective withdrawal of consent.

Read more →
Types of Tokens under MICA: How European Regulation Classifies Them and Their Effects in Spain
Legal

Types of Tokens under MICA: How European Regulation Classifies Them and Their Effects in Spain

What types of tokens does the MICA Regulation regulate? Learn about the official classification, key differences, and legal implications of each category in Spain.

Read more →