Skip to content
In the news TRM Labs × Finray — audit-ready crypto transaction monitoring for banking
Finray
Book a briefing

The Travel Rule is not a compliance bolt-on. It is an identity routing problem.

CASPs and dual-rail Payment Institutions under TFR Articles 14-17, MiCA Article 82, EBA/GL/2024/11 and FATF R.15/R.16 must route identity, wallet, sanctions and monitoring evidence into transfer decisions. The radar maps 70 nodes and 183 edges across 16 controls, 12 vendors and 12 product artefacts; no CASP enforcement case is named. XZiel recused; TRM Labs disclosed.

Cluster
XZiel
Published
Updated
Version
1.0.0

Last reviewed   ·  Version 1.0.0  ·  Evidence cutoff 

The Travel Rule is usually bought as a messaging problem. That is the wrong architecture.

For a MiCA-authorised CASP, a payment institution bridging fiat and crypto rails, or a bank operating crypto-asset services during the MiCA transition, the hard question is not whether a Travel Rule message can be sent. The hard question is whether the firm can prove why a transfer was allowed, paused, returned, rejected, escalated or reported when identity, wallet, counterparty, sanctions and transaction-monitoring evidence did not line up cleanly.

That is an identity routing problem.

The EU Transfer of Funds Regulation creates the information-accompanying-transfer duties for crypto-asset transfers. For this radar, the corrected legal map is simple: Article 14 is the core information-accompanying-transfer model for crypto-asset transfers, Article 15 is the batch-file transfer provision, Article 16 is beneficiary-side missing-information detection, and Article 17 is the beneficiary-side procedure for missing or incomplete information. MiCA sits beside that framework. The transfer-services provision is MiCA Article 82, which is why the MiCA overlay belongs in the architecture discussion but should not be confused with the TFR Travel Rule itself.

FATF terminology matters for the same reason. Recommendation 16 is now framed as Payment transparency. Crypto-asset service-provider expectations come through Recommendation 15 and its virtual-asset interpretive material. A CASP that describes Recommendation 16 as if it were only a crypto Travel Rule source is signalling that its policy architecture is probably being copied from vendor copy rather than from the rulebook.

The failure mode

The typical failed design has four silos.

The KYC system knows the customer. The blockchain-intelligence system knows the wallet or exposure risk. The Travel Rule network knows whether a counterparty message has been exchanged. The case-management system knows that an analyst overrode, rejected or escalated something. In a clean demo, those systems appear connected. In a real transfer, they often are not.

The failure only becomes visible when a beneficiary CASP receives incomplete information, when an originator CASP cannot resolve the counterparty, when a self-hosted address triggers an ownership-or-control assessment, when a sanctions hit appears after a message exchange, or when the same counterparty repeatedly fails to provide required information. At that point the question is no longer “did we integrate a Travel Rule provider?” The question is: “Can we reconstruct the evidence that existed before the transfer decision?”

If the answer is no, the implementation is not audit-ready. It may be able to send messages, but it cannot prove controlled transfer decisioning.

What the radar maps

This radar separates the stack into legal instruments, supervisory guidance, control layers, vendors and product artefacts.

The legal core is Regulation (EU) 2023/1113. The MiCA transfer-services overlay is Regulation (EU) 2023/1114 Article 82. The broader perimeter is the AML package: AMLR, AMLD6 and the AMLA Regulation. AMLA is included as a watch item because direct supervision is a future activation point, not a current replacement for NCA supervision.

The guidance layer is deliberately conservative. It includes the EBA Travel Rule Guidelines, the EBA final report, ESMA transfer-services guidance under MiCA Article 82, ESMA’s CASP authorisation supervisory briefing, FATF material, and concrete NCA examples from AMF and CySEC. AMF DOC-2024-08 and CySEC Circular C675 are sufficient to show how NCAs can turn EBA guidance into implementation expectations. They are not a basis for saying that every NCA has published the same document or uses the same operational language.

The control layer is where most buyer diligence should focus. A serious Travel Rule architecture needs counterparty resolution, customer and wallet linkage, route policy, protocol-agnostic transport, exception evidence, repeated-failure handling, management information, sanctions screening, transaction monitoring, case management and pre-transfer evidence reconstruction. These controls are more important than the logo of the messaging network.

The EUR 1,000 trap

The EUR 1,000 point is often misdescribed.

It should not be treated as a general Travel Rule de minimis threshold. In this architecture, it is a threshold relevant to ownership-or-control assessment for self-hosted addresses. That is a narrower and more operationally demanding statement. It means the firm needs evidence that can link a customer, an address, a transfer instruction and the transfer decision. A static wallet-screening result is not enough.

A CASP that cannot explain how self-hosted address evidence is captured, refreshed, challenged, escalated and retained is not ready for serious supervisory questioning. The weakness is not legal interpretation alone. It is data lineage.

Protocols are not convergence

TRP, IVMS-101 and Notabene-supported messaging are useful artefacts. They are not proof that the market has solved Travel Rule interoperability.

TRP is OpenVASP Association-developed. IVMS-101 is a data standard. Notabene SafeTransact and the Notabene Network are product and network capabilities. These artefacts can support information exchange, but this radar does not claim protocol-bridge convergence because a vendor blog is not enough evidence for that claim. The bar would be an EBA, NCA or equivalent primary-source acknowledgement that such convergence has become a supervisory expectation or accepted operating model.

Until that exists, the prudent architecture is protocol-agnostic. The CASP should be able to route evidence through supported channels, document why that route was selected, and still make a controlled transfer decision when a counterparty or channel fails.

Vendor diligence: what to ask

The wrong diligence question is: “Which Travel Rule vendor do you use?”

The better questions are:

  1. Can the platform resolve the counterparty before route selection?
  2. Can it bind customer identity, wallet evidence and transfer instruction evidence?
  3. Can it distinguish Article 14 information duties from Article 15 batch-file handling?
  4. Can the beneficiary side detect missing or incomplete information under Article 16?
  5. Can Article 17 handling be evidenced, not merely configured?
  6. Can self-hosted address ownership-or-control evidence be reconstructed?
  7. Can sanctions and transaction-monitoring outcomes change the route decision?
  8. Can repeated failures be identified, escalated and reported?
  9. Can the MLRO see management information across counterparties, assets, corridors and exception types?
  10. Can internal audit reconstruct the pre-transfer decision without asking engineering to rebuild the data path?

If a vendor cannot answer those questions with evidence, its product may still be useful, but it should not be treated as the Travel Rule architecture.

What this means for authorisation and vendor due diligence

This radar does not claim that a stronger Travel Rule architecture automatically makes a MiCA application faster. That would be the wrong evidential claim. The better claim is narrower: weak evidence architecture creates avoidable friction during vendor due diligence, authorisation preparation and supervisory review.

A pre-application team should assume that the reviewer will not be impressed by a diagram showing a Travel Rule provider connected to a blockchain-intelligence provider. The reviewer will ask for procedures, decision logic, controls, evidence retention, exception handling and management oversight. A buyer that waits until after vendor selection to design those layers has already lost leverage.

This is why the graph includes vendors but does not rank them. Vendor ranking belongs in a separate buyer-guide surface. This radar is about architecture. A CASP may use one vendor for counterparty messaging, another for blockchain intelligence, another for identity verification, another for sanctions screening and a platform layer for workflow and evidence reconstruction. The risk is not that multiple systems exist. The risk is that no system owns the decision record.

Disclosure: XZiel is built and operated by Finray Technologies Ltd, the publisher of this radar. XZiel is recused from any qualitative ranking. It appears only to keep the buyer-guide vendor universe complete under the editorial methodology at /intelligence/methodology/.

How to read this alongside other Finray radars

Read this radar with the MiCA CASP compliance buyer guide at /intelligence/casp-mica-compliance/, the authorised-CASP register radar at /intelligence/mica-casp-licensing-success/, the authorisation-withdrawals radar at /intelligence/mica-casp-authorisation-withdrawals/, the AMLR and AMLA implementation tracker at /intelligence/amlr-amla-implementation-tracker/, and the Swiss FINMA GRC and ICS radar at /intelligence/swiss-finma-grc-ics/.

Those radars answer different questions. The CASP buyer guide maps the vendor universe. The licensing-success radar maps authorised CASP population evidence. The withdrawals radar maps named regulatory outcomes, without converting those outcomes into unsupported Travel Rule failure stories. The AMLR and AMLA tracker maps the wider AML perimeter. The Swiss GRC and ICS radar provides a useful control-governance comparator for firms operating across EU and Swiss supervisory expectations.

The deeper point is simple: the Travel Rule is not an isolated crypto compliance task. It is a transfer-decision evidence problem. If the architecture cannot route identity, counterparty, wallet, sanctions, monitoring and exception evidence into one defensible decision record, the firm has not solved the problem. It has only installed another message rail.

Layout
cose-radar
Nodes
70
Edges
183
Last reviewed
2026-05-09
Evidence cutoff
2026-05-09
Pending outreach
0
  • firm-segment
  • regulator
  • regulation
  • standard
  • control
  • vendor
  • product
  • finray product (COI)

Reference index

The interactive decision graph above and the tables below cover the same data. The graph is for visual exploration; the tables index every regulation, standard, control, vendor and product in plain text with primary-source links — for search engines, citation tools and readers who prefer linear reading.

Regulators (12)

National Competent Authorities, supervisory authorities, and pan-EU European Supervisory Authorities indexed in this radar. Each row links to the regulator's primary-source URL with the date the source was last accessed. Listing is alphabetical by jurisdiction code; inclusion is editorial, not a directive. Volume of regulators per jurisdiction reflects the local supervisory architecture (single-supervisor vs sectoral split) and is not a quality signal.

Regulators indexed in this radar with their jurisdiction and primary-source URLs.
Regulator Jurisdiction Scope Primary source
AMLA eu-aml-authority AMLA is the EU anti-money-laundering authority established by Regulation (EU) 2024/1620. View source
Autorité des marchés financiers national-competent-authority AMF is the French market authority applying the EBA Travel Rule Guidelines to crypto-asset service providers under its jurisdiction. View source
BaFin national-competent-authority BaFin is Germany’s federal financial supervisory authority and is included for TFR and MiCA perimeter context. View source
Council of the European Union eu-legislator Council of the European Union is one of the EU co-legislators adopting MiCA, TFR and the AML package. View source
Cyprus Securities and Exchange Commission national-competent-authority CySEC is the Cyprus NCA that issued Circular C675 on the TFR and EBA Travel Rule Guidelines for CASPs. View source
De Nederlandsche Bank national-competent-authority DNB is included as a Dutch authority publishing a compliance overview for ESA guidelines and recommendations. View source
European Banking Authority eu-supervisory-authority EBA is the EU supervisory authority issuing Travel Rule Guidelines under the TFR perimeter. View source
European Commission eu-institution European Commission is the EU institution responsible for proposing and maintaining the digital-finance and AML legislative framework. View source
European Parliament eu-legislator European Parliament is one of the EU co-legislators adopting MiCA, TFR and the AML package. View source
European Securities and Markets Authority eu-supervisory-authority ESMA is the EU securities markets authority responsible for MiCA supervisory convergence and transfer-services guidance under Article 82. View source
Financial Action Task Force international-standard-setter FATF is the international AML/CFT standard-setter for Recommendation 16 Payment transparency and Recommendation 15 virtual-assets expectations. View source
Malta Financial Services Authority national-competent-authority MFSA is included as a Maltese authority relevant to MiCA authorisation and crypto-asset service supervision. View source

Regulatory anchors and supervisory standards

The legal instruments and supervisory standards an institution in this segment must satisfy. Each row links to the primary source — official journal page, supervisor circular, or standards body — with the date the source was last accessed.

Regulatory anchors and supervisory standards covered in this radar, with primary-source links.
Anchor Scope Primary source
Regulation (EU) 2023/1113 (TFR) Regulation The EU Transfer of Funds Regulation recast creates information-accompanying-transfer obligations for funds and certain crypto-asset transfers. View source
Regulation (EU) 2023/1114 (MiCA) Regulation MiCA is the EU crypto-asset markets regulation. Article 82 covers CASPs providing transfer services for crypto-assets on behalf of clients. View source
Regulation (EU) 2024/1624 (AMLR) Regulation AMLR is the directly applicable EU AML/CFT regulation forming part of the new AML package. View source
Directive (EU) 2024/1640 (AMLD6) Regulation AMLD6 is the EU directive on AML/CFT institutional mechanisms and supervisory architecture. View source
Regulation (EU) 2024/1620 (AMLA Regulation) Regulation The AMLA Regulation establishes the EU Authority for Anti-Money Laundering and Countering the Financing of Terrorism. View source
FATF Recommendations, October 2025 operative version Regulation The FATF Recommendations are the international AML/CFT standards, last updated in October 2025, including Recommendation 16 Payment transparency and Recommendation 15 virtual-asset expectations. View source
EBA Guidelines EBA/GL/2024/11 Standard EBA Guidelines on information requirements in relation to transfers of funds and certain crypto-assets transfers. View source
EBA Final Report on Travel Rule Guidelines Standard The EBA final report supporting EBA/GL/2024/11 explains the policy objectives and implementation rationale for the Travel Rule Guidelines. View source
ESMA Guidelines on transfer services for crypto-assets under MiCA Standard ESMA guidelines under MiCA Article 82 for CASPs providing transfer services for crypto-assets on behalf of clients. View source
ESMA Supervisory Briefing on Authorisation of CASPs Standard ESMA supervisory briefing for NCAs on authorisation of CASPs under MiCA. View source
FATF Targeted Report on Stablecoins and Unhosted Wallets, March 2026 Standard FATF March 2026 targeted report on stablecoins, unhosted wallets and peer-to-peer transactions. View source
FATF Best Practices on Travel Rule Supervision Standard FATF best-practices paper for supervising Travel Rule implementation. View source
AMF DOC-2024-08 Standard AMF position incorporating the EBA Travel Rule Guidelines for crypto-asset transfers in France. View source
AMF announcement applying EBA Travel Rule Guidelines Standard AMF public announcement that it applies the EBA Travel Rule Guidelines from 30 December 2024. View source
CySEC Circular C675 Standard CySEC Circular C675 on Regulation (EU) 2023/1113, the EBA Travel Rule Guidelines and reporting obligations for CASPs. View source
DNB ESA Guidelines compliance overview Standard DNB’s compliance overview for European Supervisory Authority guidelines and recommendations. View source

Controls

The control domains those regulatory anchors require. Each control sits at the intersection of one or more regulations and one or more vendor products that implement it.

Control domains required by the regulatory anchors above.
Control What it covers
Information accompanying transfer: originator side Originator-side collection and transmission of required information accompanying crypto-asset transfers under TFR Article 14.
Batch-file transfer handling Handling of batch-file transfers under TFR Article 15.
Beneficiary-side missing-information detection Detection by beneficiary CASPs of missing or incomplete required information under TFR Article 16.
Beneficiary-side handling procedures Procedures for transfers with missing or incomplete information under TFR Article 17.
Self-hosted address ownership-or-control assessment Ownership-or-control assessment for self-hosted addresses when the relevant EUR 1,000 threshold is met.
Counterparty resolution layer Resolution of the sending or receiving counterparty before selecting a Travel Rule transmission path.
Customer and wallet control layer Linkage between verified customer identity, wallet/address evidence and transfer instruction evidence.
Route-policy layer Policy rules selecting whether a transfer can be sent, delayed, rejected, returned or routed through a supported messaging path.
Protocol-agnostic transport Ability to exchange required Travel Rule information without making one network protocol the compliance control.
Exception and evidence layer Operational evidence for exceptions, missing data, rejected transfers, returned transfers and escalation decisions.
Repeated-failure reporting Identification and reporting/escalation of repeated failures to provide required Travel Rule information.
Management information layer MI for Travel Rule exceptions, unresolved counterparties, self-hosted checks and repeated failures.
Sanctions screening linked to TFR information Sanctions screening using Travel Rule identity, wallet and counterparty data where relevant.
Transaction monitoring coupled to TFR data Transaction monitoring that uses Travel Rule identity, counterparty, asset and transfer context as risk inputs.
Case management Workflow for investigation, escalation, remediation and evidence closure of Travel Rule exceptions.
Evidence reconstruction before transfer decision Ability to reconstruct the evidence available before the transfer decision was made.

Vendors and products

Named vendors active in this control space and the specific products each ships. Listing is alphabetical within the graph's evidence set; inclusion is editorial, not commercial, and is not a recommendation. Finray Technologies Ltd ships products in this space and is recused from any ranking — see the methodology page for the conflict-of-interest framework.

Vendors and the specific products each ships into this control space.
Vendor Products Vendor source
Finray Technologies Finray Technologies is the publisher and operator of XZiel. Finray Technologies — recused from ranking
  • XZiel — XZiel is Finray’s fiat and crypto transaction risk, sanctions, investigations and case-management platform. ( product page )
Vendor site
TRM Labs TRM Labs provides blockchain-intelligence tooling used for wallet screening, transaction monitoring and investigations.
  • TRM Transaction Monitoring and Wallet Screening — TRM transaction-monitoring and wallet-screening capabilities support wallet risk, transaction monitoring and investigation evidence. ( product page )
Vendor site
Chainalysis Chainalysis provides blockchain data, investigations and KYT tooling for crypto transaction monitoring.
  • Chainalysis KYT — Chainalysis KYT supports crypto transaction monitoring and risk detection. ( product page )
Vendor site
Elliptic Elliptic provides blockchain-intelligence products including wallet and transaction risk analysis.
  • Elliptic Lens — Elliptic Lens supports wallet screening and address risk analysis. ( product page )
Vendor site
Notabene Notabene provides Travel Rule compliance infrastructure and SafeTransact/Network capabilities.
  • Notabene SafeTransact / Network — Notabene SafeTransact and Network capabilities support counterparty identification, screening and Travel Rule information exchange. ( product page )
Vendor site
Sumsub Sumsub provides identity verification and Travel Rule compliance tooling.
  • Sumsub Travel Rule — Sumsub Travel Rule supports Travel Rule compliance workflows and counterparty data exchange. ( product page )
Vendor site
Onfido (Entrust) Onfido, now part of Entrust, provides identity verification capabilities.
  • Entrust Onfido Identity Verification — Entrust Onfido identity verification supports customer identity evidence. ( product page )
Vendor site
ComplyAdvantage ComplyAdvantage provides sanctions, watchlist and financial-crime risk intelligence.
  • ComplyAdvantage Screening Platform — ComplyAdvantage screening supports sanctions and watchlist screening. ( product page )
Vendor site
Sardine Sardine provides fraud, AML and transaction monitoring capabilities.
  • Sardine Agentic Financial Crime Platform — Sardine’s financial-crime platform supports fraud prevention, AML and transaction monitoring. ( product page )
Vendor site
ComplyCube ComplyCube provides KYC, AML screening, sanctions and compliance automation tooling.
  • ComplyCube KYC/AML Platform — ComplyCube supports identity verification, sanctions screening, fraud detection and compliance automation. ( product page )
Vendor site
OpenVASP Association OpenVASP Association develops the Travel Rule Protocol standard.
  • Travel Rule Protocol (TRP) — TRP is an open Travel Rule Protocol standard developed by the OpenVASP Association. ( product page )
Vendor site
InterVASP Standards Working Group InterVASP Standards Working Group is the standards group associated with IVMS-101 Travel Rule data-model work.
  • IVMS-101 data model — IVMS-101 is a data model for communicating Travel Rule information between VASPs. ( product page )
Vendor site
Certificate of Registration NQA · UKAS Management Systems
ISO/IEC 27001:2022 Certificate of Registration issued by NQA to Finray Technologies Ltd, certificate number 215646, valid 21 October 2025 to 21 October 2028
Search
Type to search across Finray, products, company, and journal.

    Press Esc to close · to open the highlighted result.

    Book a briefing 01 / 03

    Step 01

    Identify the institution

    Who is requesting the briefing.