21/07/25
With the enforcement of the Travel Rule across the EU, CASPs and VASPs are now under a binding obligation to verify both the originator and the beneficiary of crypto transactions exceeding €1000 – involving self-hosted wallets.
The European Banking Authority (EBA) has issued binding guidelines on the implementation of the Transfer of Funds Regulation (EU) 2015/847, as amended under the MiCA framework. These guidelines require all crypto-asset service providers (CASPs) and virtual asset service providers (VASPs) to comply with the so-called Travel Rule – mirroring standards already well-known in the traditional financial sector. The key legal obligation: for any single crypto transaction or linked series of transactions exceeding €1,000, the identity of both the sender and the recipient must be verified and recorded. This applies not only to transactions between two CASPs but also when one party uses a self-hosted wallet.
📘 Legal Framework and Binding Obligations Under the Travel Rule
Under the revised EU regime, including Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets, the Travel Rule is fully applicable to crypto transfers as of 30 December 2024. CASPs and VASPs must collect, verify, and transmit detailed identifying information with every transfer that meets or exceeds the €1,000 threshold.
The scope of the obligation includes:
Identifying the originator (name, wallet address, legal identifier or unique customer number).
Identifying the beneficiary (same details as above).
Recording and transmitting this information to the receiving CASP or competent authority upon request.
The obligation extends even where a user is sending funds to a self-hosted (unhosted) wallet. In such cases, the Travel Rule does not disappear – instead, the originating CASP must apply enhanced due diligence to confirm ownership of the self-hosted address. The EBA provides examples of acceptable verification methods, including small-value test transfers (commonly referred to as the “Satoshi test”), digital screenshots verifying wallet control, or contractual confirmations within an integrated wallet application.
Failure to comply with the Travel Rule constitutes a breach of anti-money laundering and counter-terrorism financing (AML/CFT) obligations, potentially subjecting CASPs to regulatory sanctions, licence suspension, and reputational damage. The Travel Rule is also enforceable cross-border, and compliance is expected regardless of whether the counterparty is subject to equivalent obligations.
🔍 Practical Implications, Compliance Burdens and Comparative View
The key legal and operational challenge lies in verifying self-hosted wallets. While the regulation provides the legal baseline, the EBA guidelines clarify that it is not sufficient to assume wallet ownership. Verification must be risk-sensitive and documented in each case. Solutions like the Satoshi test – where a small transaction is sent to the wallet to confirm access – are technically straightforward, but may not always meet the evidentiary threshold without supporting data.
Contractual acknowledgements signed via wallet interfaces and timestamped screenshots are also accepted, provided they are linked to the customer’s KYC profile. However, each method must be evaluated on a case-by-case basis. The burden of proof remains with the CASP, not the client. From a comparative perspective, other jurisdictions like Switzerland and Singapore have implemented similar rules, but often allow a more practical margin of discretion regarding self-hosted wallets. The EU, via the EBA, appears to be adopting a strict, uniform approach, prioritising traceability over flexibility.
Critically, this regulation does not only apply to EU-domiciled CASPs but to any entity facilitating a crypto transfer involving an EU recipient or originator. This extraterritorial element may present conflict-of-law concerns for global exchanges and decentralised platforms. At the same time, it creates a new compliance perimeter for all crypto services targeting the EU market.
🧾 Verification Methods in Practice – Legal Proof and Operational Cases
In practice, a CASP serving a user who wishes to send €2,500 in BTC to a self-hosted wallet must first verify that the wallet indeed belongs to the intended beneficiary. This may involve:
Sending a 0.0001 BTC test amount and requesting a confirmation response (the “Satoshi test”).
Requiring a timestamped screenshot of the wallet interface, matching the user’s account data.
Incorporating a digital confirmation mechanism directly within the CASP’s user interface, allowing users to cryptographically sign ownership declarations.
Such evidence must be stored securely, linked to the user’s profile, and be made available to competent authorities upon request. Legal departments within CASPs should prepare a documented procedure outlining how wallet ownership is verified, how evidence is retained, and how false positives or risk signals are addressed.
For instance, a user attempting to withdraw funds to a third-party wallet not linked to their profile could trigger a red flag and require manual review or escalation. In complex cases, such as withdrawals to multisig wallets or smart contracts, the verification process becomes even more nuanced and must be supported by legal and technical analysis.
The EBA’s approach reflects a growing convergence between traditional AML practices and crypto asset operations. Legal teams must ensure that internal controls, user agreements, and technical solutions are all aligned to satisfy both the letter and the spirit of the Travel Rule requirements.
✅ Summary and Legal Recommendations
The Travel Rule now applies to crypto transactions across the EU, with immediate implications for CASPs and VASPs. Any transfer of €1,000 or more must include verified identity data for both the sender and the recipient – including when interacting with self-hosted wallets. Verification methods must be risk-based, documented, and legally defensible.
Solutions like the Satoshi test or wallet screenshots are acceptable under EBA Guidelines, but only when integrated into a broader compliance programme. Failure to comply exposes firms to regulatory penalties and AML enforcement.
NUR Legal supports CASPs with Travel Rule compliance, including drafting internal policies, verification procedures, and audit documentation. We also assist in designing wallet-ownership confirmation workflows that meet EU standards.
📩 Check out NUR-Legal.com and contact us for expert assistance in implementing Travel Rule compliance, or for a tailored legal audit of your existing crypto transaction procedures.
#TravelRule #CASPCompliance #VASPRegulations #CryptoAML #SelfHostedWallet #EBAguidelines #EUcrypto #CryptoTransfers #KYC #MiCA2025
Nurlan Mamedov