COREDO – EU Legal & Compliance Services Expert legal consulting, financial licensing (EMI, PSP, CASP under MiCA), and AML/CFT compliance across the European Union. Headquartered in Prague, we provide seamless regulatory solutions in Germany, Poland, Lithuania, and all 27 EU member states.
Nikita Veremeev
08.03.2026 | 6 min read
Updated: 08.03.2026
Since 2016 I have been developing COREDO as a partner for international business: company formation, financial licensing, AML consulting and operational support in the EU, the Czech Republic, Slovakia, Cyprus, Estonia, the United Kingdom, Singapore and Dubai. Over these years I have seen digital finance mature: from the first payment licenses to large VASPs that operate on equal terms with correspondent banks. Today the key agenda is preparation for the Travel Rule for fintechs and the implementation of the Travel Rule in crypto projects. From 2024 through 2026 requirements will consolidate, tighten and become a condition for access to traditional financial infrastructure and global markets.
I wrote this article as a practical guide for executives, CTOs and CCOs who are responsible for strategy and day-to-day execution. The COREDO team has implemented dozens of licensing projects (crypto, payments, forex), regulatory readiness and AML transformations in the EU and Asia, and I have compiled proven solutions here — without theory for theory’s sake. COREDO’s practice confirms: a properly implemented Travel Rule does not turn into a “compliance brake”, but accelerates entry into new markets and simplifies access to banking rails.
Why the Travel Rule is important by 2026
Travel Rule, это regulatory requirements Travel Rule for transmitting identifying data of the sender and recipient between virtual asset service providers (Travel Rule for VASP) and other regulated entities during transfers. In essence, it is the transposition of the banking principle “originator and beneficiary information” into crypto and fintech infrastructure. By 2026, regulators expect a mature, scalable and secure implementation that is interoperable across regions and protocols.
Threshold amounts are gradually aligning and exemptions are narrowing. Correspondent banks handling crypto payments already include Travel Rule questions in their Due Diligence questionnaires, and without a clear implementation VASP loses the ability to work with reliable fiat partners. Our experience at COREDO has shown: if you build the Travel Rule into the KYC/AML architecture rather than tacking it on, the project’s ROI becomes positive in the first year due to reduced false positives and faster investigations.
FATF Recommendation 16: key provisions
FATF Recommendation 16 / FATF Recommendation 16 requires that VASPs (virtual asset service providers) and the classification of transactions take into account identification of the sender and recipient, the transmission of the minimum required data and their validation at the moment the transfer is initiated. Requirements for the data to be transmitted about the sender and recipient include name, account identifiers, address/nationality or equivalent, as well as information sufficient for subsequent investigation of suspicious transactions. The principle of “immediate and secure sharing” is important: data are transmitted securely and in sync with the payment flow or before crediting the recipient.
EU and Asia standards: MiCA, DAC8, AMLA
In the EU, the impact of MiCA and DAC8 on Travel Rule implementation increases the need for data reconciliation: MiCA sets the framework for crypto service providers, and DAC8 sets requirements for the exchange of crypto-asset data for tax authorities. The EU AMLA’s impact on crypto compliance will manifest in the harmonization of supervision and investigative practices. In the UK, the FCA and regional Travel Rule guidance detail oversight of VASPs and expect documented procedures. In the US, FinCEN guidance on the Travel Rule focuses on counterparty identification and reporting, including SAR/STR. In Singapore, MAS (Singapore) the approach to the Travel Rule and AML is systemic and pragmatic: emphasis on risk management, technical compatibility and protection of PII. Regional Travel Rule standards in the EU and Asia are moving toward interoperability, and this simplifies international operations when implemented correctly.
Travel Rule for VASPs: realities
VASP (virtual asset service provider) and the classification cover exchanges, custodial wallets, brokers and some payment operators if they process crypto-assets. Requirements include KYC procedures under the Travel Rule, sanctions and PEP screening, as well as embedding mechanisms for sending and receiving information into transactional pipelines. Regulators separately emphasize control over beneficial ownership (UBO) and the Travel Rule: linking UBO data to entities helps reduce the risk of circumvention through nominee recipients.
Implementation of data transfer protocols
To ensure international compatibility and reliability, it is critical to choose data transfer protocols for the Travel Rule and provide inter-operator gateways and inter-network principles. The market is moving toward several dominant standards, and a well-designed architecture should support two to three at once to minimize operational gaps.
OpenVASP, TRISA and InterVASP Messaging
The OpenVASP specification and practical integration are convenient for hybrid scenarios and peer-to-peer trust establishment. The TRISA architecture and trust scheme between VASPs rely on PKI, simplifying mutual authentication and membership verification. Inter-VASP messaging protocols, including IVMS101, define a common data vocabulary for compatibility. A solution developed by COREDO for a client in Estonia implemented a dual-stack: OpenVASP integration and TRISA integration and compatibility cases provided coverage of over 80% of counterparties in the EU and Asia through inter-operator gateways.
Message formats and on-chain metadata
Message formats: JSON, protobuf, ISO 20022 mapping allow aligning data structures with adjacent systems. ISO 20022 mapping eases integration patterns with core banking and payment gateways, especially when a VASP interacts with an EMI or PSP. A separate issue is the memo field and standards for on-chain metadata: some networks support transmitting links or hashes to off-chain data; it is important not to place PII on the blockchain, using links and hash-based proofs. International compatibility and mapping of transaction fields speed up processing and reduce manual post-processing.
Scaling and performance
I always ask the architecture team to start from the perimeter: API Gateway, webhooks and transport security, strict authentication between VASPs, as well as rate limiting, throughput, TPS for mass transfers. Scaling metadata transmission under high load requires batch processing and message aggregation to optimize without losing compliance synchronicity. SLAs, delays and transmission latency requirements should be agreed in the MoU and SLA: for retail transfers we target <300 ms for metadata exchange over cached trusted channels; for institutional transfers: up to 1–2 seconds is acceptable if there is prior pre-validation.
PII Data Protection
Security is the foundation of trust. I adhere to the principle “privacy by design”: the infrastructure encrypts, minimizes and controls access to data by default, not as an option.
Key Management in Cryptography
Encryption and protection of PII when transmitting metadata are based on end-to-end encryption and TLS requirements version 1.2+ with modern cipher suites. HSM, KMS and key management for Travel Rule messages provide hardware protection and key rotation. PKI and certificates for VASP authentication create a trust environment between participants; periodic rotation and OCSP statuses are part of the mandatory regimen. The COREDO team implemented E2E encryption with mutual authentication, which reduced the risk of MITM and simplified external audits.
Modern Hashing and Privacy
Hashing of personal data (PII) for compliance is applicable in pre-matching scenarios without disclosure. We use hashing PII: SHA-256, salt and the principles of dynamic salting to eliminate rainbow-table risks. Privacy-preserving hashing and data matching are supplemented with zero-knowledge proofs for selective KYC disclosure, where the counterparty proves an attribute without transferring the original document.
A promising direction: decentralized identifiers (DID) and Verifiable Credentials; DIDComm and WACI for exchanging credentials accelerate counterparty onboarding. In complex cases we apply secure multi-party computation (MPC) in KYC pipelines, as well as pseudonymisation and tokenization of personal data to reduce the PII footprint in production.
GDPR and Data Lifecycle
GDPR compliance when implementing the Travel Rule requires clear justification: GDPR: legal basis, data minimisation, cross-border transfer and purpose limitation. Data storage and retention policies in the context of the Travel Rule define retention periods and deletion conditions; data retention policies and regulator requirements in the EU recommend storing operational logs for 5–7 years, while deletion and minimisation of personal data (data minimisation) remain mandatory. COREDO’s practice confirms that segmentation, role-based access and controlled cross-border transfers via standard contractual clauses protect the business during audits.
Integration with AML and transaction monitoring
The Travel Rule does not exist separately from AML. Its strength is revealed when data automatically feed monitoring scenarios, case management, and reporting.
KYC and sanctions in shared utilities
KYC procedures under the Travel Rule include continuous updating of customer data, sanctions screenings, and PEP lists during the Travel Rule process before crediting the recipient. To reduce costs we consider the KYC-utility / shared KYC practice; shared services in the EU and Singapore are already showing good results while complying with DPA. Regulators require clear runbooks in case of failed data exchange: blocking of crediting, escalation, and SAR/STR.
ML monitoring and KPIs
The integration of the Travel Rule with existing AML/Transaction Monitoring is done via streaming connectors. Machine learning algorithms to reduce false positives help filter triggers by taking into account counterparty context and geography. Important performance metrics include false positive rate, time-to-investigate and KPIs: cost per alert, alerts per 1000 tx, MTTR; these are tracked by case management systems and AML workflow orchestration. In one project in the UK the solution developed at COREDO reduced the FP-rate by 28% thanks to additional features from the Travel Rule and segmentation of counterparties by reliability.
Reporting, audit and security
SAR/STR — the mechanics and automation of filing notifications are embedded into case management to avoid missing deadlines. We ensure audit trail immutability and proof of continuous control through hash-based proofs and log hashing; for regulatory demonstrations we use blockchain anchoring to prove compliance without disclosing PII. SOC 2, ISO 27001 and other security certifications increase trust from correspondent banks; regular penetration testing and red-team reviews of integrations confirm the maturity of protection.
Operational implementation model
I always recommend counting the money before starting. It’s fair to the business and the team.
What are CAPEX, OPEX and ROI?
The cost of implementing the Travel Rule (CAPEX and OPEX) depends on the scale of operations and the number of counterparties. SaaS solutions versus on-premise implementations of the Travel Rule differ in TCO: SaaS reduces CAPEX and speeds up launch, while on-premise provides control over data and flexible customization. The ROI model for investments in the Travel Rule takes into account reduced manual checks, decreased SLAs for incidents, increased likelihood of approval by banks, and higher conversion of international transfers. In COREDO cases, positive ROI was achieved within 9–14 months at a volume of >50k transactions per month.
Bank requirements and partnerships
A partner integration strategy of VASP-to-VASP builds a trust network and reduces exchange latency. Correspondent bank requirements for crypto payments include Travel Rule confirmation, independent audits, sanctions screening, and UBO management. The COREDO team helped coordinate such dossiers in Singapore and Cyprus; the result was account openings in reputable institutions and expanded limits.
Vendor and contract risks
Vendor selection checklist для SaaS-поставщиков Travel Rule включает протоколы (OpenVASP/TRISA/IVMS101), сертификации, latency, географию хостинга, DPA соответствия и возможности кастомизации. risk management of suppliers and third-party risk assessment records source code escrow, migration plan and the procedure for regular independent tests. Legal agreements between VASPs — MoU, DPA, SLA — are mandatory; we separately stipulate liability for incidents, regulator notifications and resolution mechanisms.
Continuity and incidents
Resilience and disaster recovery scenarios for metadata exchange should cover degradation to alternative channels, retries, cache of trust statuses and fallback to manual review. The incident response plan and runbook for a VASP include incident classification, RACI, communication with the counterparty, regulatory notifications and interaction with supervisory authorities within the prescribed timeframes. I see how such runbooks reduce stress for teams and simplify external audits.
International compatibility and mapping
Global business relies on standards and precise data mapping. It’s not about “looks”, it’s about speed and quality.
Mapping: standards and regional differences
International compatibility and mapping of transaction fields are based on IVMS101 and ISO 20022; message formats: JSON, protobuf, ISO 20022 mapping provide flexibility. Regional differences — EU, Asia, CIS — are reflected in the details of address and identifier validation and in cross-border transmission restrictions. The COREDO team configured country-profiles to automatically populate the necessary fields for MAS, FCA or local supervisory authorities in the CIS.
Regulatory communications: MiCA and DAC8
The impact of MiCA and DAC8 on Travel Rule enforcement strengthens the link between tax and AML requirements, which requires early data consolidation. Regulatory notifications and interaction with supervisors become predictable if systems are ready to compile complete transaction dossiers with added Travel Rule information. This speeds up request resolution and reduces the resources needed for advocacy.
COREDO cases and pilots 2024–2026
I value specifics. Here’s how we progressed toward operational maturity across different jurisdictions.
OpenVASP integration: use cases
For a European VASP licensed in Estonia, the COREDO team implemented an OpenVASP integration supporting IVMS101 and mutual authentication. We deployed inter-operator gateways and inter-network principles to work with Asian counterparties via adapters. The result – coverage >65% of recipients in the EU and Asia and compliance with the latency SLA <400 ms.
TRISA integration and compatibility
In Singapore we connected TRISA with local hosting of key infrastructure and PKI, aligned the DPA with GDPR and the local PDPA. Compatibility with OpenVASP was ensured through a universal field mapping and a routing broker that selected the protocol based on the counterparty’s domain. COREDO’s practice confirms: dual-stack reduces message non-delivery and saves on manual reprocessing.
Proof-of-concept testing and pilots
We base Travel Rule testing, PoCs and pilots on PoC criteria: security, latency, interoperability, cost. We use synthetic data, TPS emulators, fault injection and independent pentests. In one PoC we achieved a stable throughput 1200 msg/s with batch processing and message aggregation for optimization, without exceeding the latency SLO.
Compliance cases 2024–2026
During 2024–2026 COREDO’s clients included exchanges from the EU, custodians from Dubai, and fintechs from the UK. They achieved audit readiness and proof of Travel Rule compliance, aligned data storage and retention policies, and agreed SLAs with key counterparties. This helped them open access to new banking channels and reduce the share of blocked transfers.
Steps for CTO and CCO
To move from intent to launch, I recommend proceeding iteratively but systematically.
Checklists for executives
- Regulatory framework: FATF 16, MiCA, DAC8, FinCEN, FCA, MAS; local requirements of the jurisdiction of incorporation.
- Architecture: choice of protocols (OpenVASP/TRISA), IVMS101, ISO 20022 mapping, API Gateway, webhooks.
- Security: HSM/KMS, PKI, TLS, end-to-end encryption, SOC 2/ISO 27001, penetration testing and red-team testing of integrations.
- Data: GDPR legal basis, data minimisation, cross-border transfer, data retention policies and requirements of EU regulators.
- Operations: case management, AML workflow orchestration, SAR/STR automation, incident runbook.
- Performance: TPS targets, rate limiting, batch processing, SLA and SLO for latency.
- Legal frameworks: MoU, DPA, SLA, vendor selection checklist and third-party risk assessment.
- Finance: CAPEX/OPEX, ROI model, scaling strategy and UBO control.
Partnerships and operations strategy to 2026
Build a core of trusted counterparties and sign inter-operator SLAs. Set up a partner integration strategy VASP-to-VASP with prior exchange of test profiles and hashes of sanctions reference lists. Discuss with correspondent banks the expected reporting formats, integration patterns with core banking and payment gateways, and escalation policy for alerts.
How to reduce operational costs
Strategies to reduce operational costs while complying with the Travel Rule include shared KYC utilities, consolidation of logging and hashing of logs with cheap long-term storage, and automation of case routines with ML. Use privacy-preserving hashing to reduce costly manual PII reconciliations. For peak loads, scale using queues and batch processing rather than through constant overprovisioning.
Conclusion
Travel Rule 2026 is not just another checkbox in compliance. It’s a way to speak to banks and regulators in the same language, expand international presence, and reduce operational risks. I see how COREDO’s clients gain a strategic advantage when they implement the Travel Rule deliberately: based on standards, with respect for client privacy, and with clear economics.
If you are planning to register a legal entity in the EU, Asia or the CIS, obtaining a financial license or building an AML function, incorporate the Travel Rule from day one. The COREDO team has gone this route many times and knows how to reconcile regulatory expectations with the realities of business – from selecting protocols to audit and negotiations with correspondent banks. I’m ready to discuss your plans and help build a roadmap that will withstand the 2024–2026 requirements and give your business a foundation for scaling.