The Travel Rule, applied in the context of crypto-assets, establishes strict obligations for identification, verification, and data retention for VASPs (Virtual Asset Service Providers). This rule, already in force within the European framework, aims to strengthen the traceability of cryptocurrency transfers in line with the traditional financial system’s regulation.
In this article, we explain what the Travel Rule entails, what obligations it imposes on service providers, and how it is applied in Spain.
The Travel Rule originates from the recommendations of the Financial Action Task Force (FATF/GAFI) and has been incorporated into European law through the Regulation on Funds Transfers (Regulation (EU) 2023/1113), in force since 2023.
Its purpose is to ensure that every crypto-asset transfer contains sufficient information about both the originator and the beneficiary, allowing authorities to trace potential transactions related to money laundering or terrorist financing.
Article 14 of the Regulation establishes that the VASP initiating the transfer must ensure that it includes the following data of the originator:
- Full name
- Crypto-asset wallet address or account number (if DLT is not used)
- Physical address of the client
- Official identity document number
- Client identifier or
- Date and place of birth
This information must be verified through reliable and independent sources. The transfer cannot be initiated or executed until this obligation has been fulfilled.
When the recipient of the funds is a self-hosted wallet (without intermediaries), the provider must:
- Retain the identifying information of the originator associated with that transaction.
- Verify ownership or control over the wallet if the transfer exceeds 1,000 euros.
---
Article 16 imposes the following responsibilities on the provider receiving the transfer:
It must implement procedures to detect if mandatory information from the originator or the beneficiary is missing.
- For transfers exceeding 1,000 euros: the information of the beneficiary must be verified using independent sources.
- For transfers below 1,000 euros: a more flexible regime may apply, requiring verification only in specific circumstances (for example, if there are signs of suspicious activity).
Verification is deemed complete if the procedures established under anti–money laundering (AML) legislation have been correctly applied.
---
Both the originator’s and beneficiary’s service providers must retain transfer information and related personal data for at least 5 years, with Member States allowed to extend this period to 10 years.
This includes:
- Information about the originator and the beneficiary
- Transaction data and supporting documentation
- Evidence of verification
---
Failure to comply with the Travel Rule carries significant legal consequences. Under both European and Spanish law, violations may result in:
- Administrative sanctions, with fines proportional to the size of the operation or entity.
- Financial penalties, under the sanctioning regime of Law 10/2010 on the Prevention of Money Laundering.
- Criminal liability, if collaboration or concealment of illicit activities is proven.
---
In the national context, the Travel Rule applies to all crypto-asset service providers registered with the CNMV or the Bank of Spain, including:
- Cryptocurrency exchanges
- Custodial wallet providers
- Intermediated P2P trading platforms
- Other entities involved in crypto-asset transfers, even if part of the service is provided from outside the EU
---
The Travel Rule is now fully in force in the crypto environment and represents a binding legal obligation for VASPs in Spain and throughout the European Union.
This regulation seeks to align the treatment of crypto-asset transfers with that of traditional bank transfers, ensuring greater traceability, security, and regulatory oversight.
To avoid penalties and operate lawfully, VASPs must:
- Adapt their systems to collect and verify the required information.
- Establish internal procedures to detect and report irregularities.
- Train staff in the compliance of these obligations.
Guide for startups in Spain on shareholders’ agreements: contractual nature, alignment with bylaws, key clauses (vesting, drag, tag, deadlock, non-compete), other common provisions, and dispute resolution routes
Read more →
Outsourcing technology brings efficiency, but also legal risks. We explain the critical aspects your outsourcing contract in Spain must cover (data, IP, SLAs, liability, labor) and how to reduce them with a solid legal strategy.
Read more →
Launching an app without terms of use exposes you to lawsuits, content copying, and legal liability. Find out what you should include.
Read more →