Travel Rule compliance tooling for self-custodial stablecoin transfers is ready
The Travel Rule requires financial institutions to exchange information about their respective customers on either side of a funds wire transfer. The Travel Rule is adopted across the globe and was premised on transfers involving two regulated institutions, one as the sender and one as the receiver. But new challenges arise when applying the Travel Rule to stablecoin transfers. Stablecoin transfers can appear analogous to wire transfers when a regulated crypto firm is on either side of the transfer. Stablecoins, however, can be held by self-custodial wallets, meaning that one side of a stablecoin transfer may not involve a regulated firm.
How can a regulated crypto service provider on one side of the stablecoin transfer fulfill its Travel Rule compliance obligations when the counterparty is a private individual using a digital wallet?
Many compliance teams at regulated crypto firms have responded in one of three ways:
(1) refuse to support transfers involving self-custodial wallets
(2) require a separate KYC process for the non-customer counterparty,
(3) quietly assume the risk of non-compliance.
None of those options is desirable or necessary. Tools exist that solve this challenge.
Where The Travel Rule Came From, And Where It Poses Unique Challenges For Stablecoin Payments
The Financial Action Task Force (FATF) is an intergovernmental organization that releases standards and recommendations designed to shape countries’ laws and regulations regarding anti-money laundering and counter terrorism financing. FATF Recommendation 16, which describes what is known as the Travel Rule, recommends that countries require financial institutions to exchange originator and beneficiary information at the time of a wire transfer above a suggested EUR/USD 1,000 threshold.
When the rule was first applied to virtual asset service providers (VASPs) through FATF's 2019 guidance, it felt achievable when both sides of any transfer would involve a regulated institution: a VASP on one end, a VASP on the other. Each VASP would have onboarded its respective customer and, therefore, collected the requisite information to share with the other VASP at the time of transfer.
But a meaningful share of crypto payments do not have a VASP on both sides of a stablecoin transfer. When one of the sending or receiving parties is a non-regulated, self-custodial wallet, meaning, no regulated exchange, no custodian, no regulated intermediary onboarded the wallet user, the conventional VASP-to-VASP message exchange is missing the second regulated counterparty with which to exchange information.
Countries modelled laws and regulations after FATF’s recommendations, but some have done so in a stricter manner. The EU's Transfer of Funds Regulation (TFR), which came into force alongside the MiCA Regulation in December 2024, is an example of a stricter approach. Under Article 14, CASPs (the MiCA analogue to the FATF’s term, VASP) must collect originator and beneficiary information for all transfers, including those that interact with self-custodial wallets — not just those above the standard threshold — and for transfers above EUR 1,000, must take measures to verify that the customer actually owns or controls the wallet they're using.
EU TFR Article 14 in plain terms: CASPs must collect information on originators and beneficiaries for all unhosted wallet transfers. Above EUR 1,000, they must additionally verify that the customer owns or controls the self-custodial wallet. The EBA has confirmed that having the customer sign a message with the wallet's private key satisfies that verification requirement.
Three Approaches: And Why A Better Method Is Necessary
Lacking tools and confidence in how to satisfy the TFR's ownership verification requirement, regulated firms defaulted to a handful of practical responses. None is optimal.
A fourth approach has also been used: the “Satoshi test,” in which a regulated VASP instructs the user to send a small on-chain transaction from the self-custodial wallet address as proof of control. This works when the sender and receiver are the same person — a first-party transfer where the customer owns both ends. This approach, however, is not helpful for third-party payments, retail transactions, and any commercial use case where the person initiating the payment and the wallet holder are different parties. As a basis for Travel Rule compliance in the broader stablecoin payment economy, it does not scale. All approaches suggest the same conclusion: that satisfying the Travel Rule for self-custodial wallet transfers requires either excluding those wallets from the regulated ecosystem or creating a compliance process that adds more friction to the payment flow. Neither is true.
Guidance From The Eba
The European Banking Authority (EBA) is the EU’s independent regulatory authority responsible for prudential regulation and supervision of banks and financial institutions across the EU. The EBA holds interpretive authority over anti-money laundering and Travel Rule obligations applicable to crypto-asset service providers — making its guidance a relevant regulatory signal for CASPs operating within the European market. On the ownership or controllership verification question — the part of TFR Article 14 that has generated substantial uncertainty — the EBA answered explicitly: a CASP can satisfy the ownership or control verification requirement by having the customer digitally sign a specific message using the private key corresponding to the claimed wallet address.
That's not a workaround. That's a cryptographic proof of control that is robust and more privacy-preserving. The user doesn't share their private key; they simply sign a structured message with it. The resulting confirmatory message can be verified by any party needed to check the corresponding public wallet address.
EBA Guidelines on Travel Rule (2024): "A CASP may verify ownership or control over a self-custodial wallet by having the customer digitally sign a specific message into the account and wallet software with the key corresponding to that address."
The practical question is how to operationalize this at scale, inside a payment flow, without creating the kind of friction that drives users to less regulated alternatives. That's the problem WalletConnect Pay solves.
The Information Collection Challenge
Ownership verification is one part of the TFR Article 14 obligation, which is triggered only above the EUR 1,000 threshold. In all cases, the EU requires information collection and sharing — the originator and beneficiary data that needs to travel. This is where the structural gap between the VASP-to-VASP model and the self-custodial wallet reality becomes most acute.
In a standard VASP-to-VASP transfer, both institutions already hold verified identity data for their customers. The Travel Rule message is an exchange of that data — automated, encrypted, and formatted. When one party is a self-custodial wallet, there's no custodian on that side holding the data. It has to be collected from the user at the point of the transaction, in a structured format, before the on-chain transfer settles. In practice, that means either interrupting the payment flow with a separate data collection step — which most users abandon — or building the collection into the payment UI itself.
The real implementation challenge: Until recently, there was no clean mechanism to collect owner information from a self-custodial wallet user within a payment flow, transmit it to the receiving VASP before on-chain settlement, and simultaneously obtain the ownership proof Article 14 requires.
WalletConnect Pay integrates both requirements — data collection and ownership verification — into the payment approval flow within the self-custodial wallet application itself. The Travel Rule data collection prompt and the SIWX signature request happen inside the wallet UI, as part of the payment journey, before the transaction is broadcast. The user experience is a payment. The output is a Travel Rule-ready record.
How It Works End-To-End
Walletconnect Pay · Travel Rule + SIWX Flow · In Production
What This Means For Your Compliance Programme
"Policymakers may have an instinct that self-custody wallets are inherently untrustworthy, and some would ban them outright if they could. The binary framing of 'unhosted bad, hosted good' is simplistic and increasingly obsolete. Solutions like this align wallet architectures with regulatory expectations."
Tony McLaughlin
Founder & CEO, Ubyx · Co-author, Self-Custodial Wallets in a Regulated World
The Broader Position
It's worth stepping back from the technical specifics to note what the Travel Rule case study actually demonstrates. The regulatory instinct in many jurisdictions has been to treat self-custodial wallets as an oversight problem — entities that exist outside the regulatory perimeter and therefore outside meaningful compliance controls. The implication of this Travel Rule solution points in the other direction.
A framework that excludes self-custodial wallets from regulated payment rails doesn't eliminate the risk those wallets represent — it relocates that activity to venues where the compliance controls that do exist for blockchain transactions (analytics, sanctions screening, on-chain audit trails) no longer apply in the same way. You lose the visibility advantage that public blockchains actually provide without gaining any additional control.
The better approach is what the Travel Rule actually envisions: robust compliance obligations on regulated intermediaries at the point of interaction with self-custodial wallets, using technical mechanisms that can satisfy those obligations without requiring custody. The tools to do that exist. The only remaining question is whether regulated firms will recognise them — and build them into their payment flows before the next compliance deadline lands.
This piece is part of a six-part series drawing on the case studies in Self-Custodial Wallets in a Regulated World, in collaboration with Ubyx and other ecosystem partners. Stay tuned: how ERC-3009 gives blockchain payments an auth/capture model that compliance officers in traditional payments already understand.
Both capabilities referenced are in production: Travel Rule data collection within the wallet UI (standardized format, transmitted pre-broadcast) and SIWX-based ownership verification. The full paper — Self-Custodial Wallets in a Regulated World: A Practical Framework for Compliance and Co-existence — is available by filling out this form.