
Lesson 17 of 25

Virtual Assets, Crypto & the Travel Rule

4 min read · CFCS

Understand VASP obligations, why crypto is pseudonymous rather than anonymous, the FATF Travel Rule, and the mixers and chain-hopping that blockchain analytics can often pierce.

Virtual assets, defined

  • Digital representations of value, tradable/transferable
  • Bitcoin, stablecoins, and many others
  • VASP = virtual asset service provider (exchanges, wallets)
  • Now within the FATF standards

A virtual asset is a digital representation of value that can be traded or transferred and used for payment or investment: think cryptocurrencies like Bitcoin, stablecoins pegged to a fiat currency, and many tokens. Note that purely in-game currencies and a country's own central-bank digital currency generally fall outside the definition. The businesses that exchange, transfer, or custody them are virtual asset service providers, or VASPs: exchanges, hosted-wallet providers, and similar firms. The key regulatory development to know is that FATF brought virtual assets and VASPs squarely within its standards under Recommendation 15, meaning VASPs are expected to register or be licensed, perform customer due diligence, keep records, and report suspicious activity, just like banks and other financial institutions.

In the U.S., FinCEN's 2019 guidance, FIN-2019-G001, treats most such businesses as money transmitters.

Pseudonymity, not anonymity

  • Public blockchains show addresses, not names
  • Activity is pseudonymous and permanently recorded
  • Identity often revealed at the exchange on/off ramp
  • Blockchain analytics trace the flow

Here's a distinction the exam tests and the public usually gets wrong. Most crypto is pseudonymous, not anonymous. Public blockchains record every transaction permanently and openly in an immutable ledger anyone can read, but against wallet addresses, long strings of characters, rather than names.

The real identity behind a wallet typically surfaces at the on-ramp or off-ramp, the regulated exchange where crypto is bought with, or cashed out to, real-world fiat money, because that exchange must do customer due diligence and know-your-customer checks. Combine that choke point with blockchain analytics, which cluster related addresses and follow funds across the ledger, and crypto can actually be more traceable than cash once an identity is attached at the ramp. That's why exchanges are the front line, and why investigators target the fiat off-ramp.
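The clustering-and-tracing idea above, as an added example that is not part of the original lesson. It assumes the common-input heuristic (addresses spent together in one transaction share an owner), which the lesson does not name and which mixing transactions deliberately defeat; the ledger, addresses, and KYC records are constructed.

```python
from collections import defaultdict, deque

# Constructed ledger; addresses are made-up labels, not real ones.
TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"inputs": ["A2", "A3"], "outputs": ["C1"]},
    {"inputs": ["B1"], "outputs": ["EX_DEP_7"]},
    {"inputs": ["D1", "D2"], "outputs": ["C1"]},
    {"inputs": ["A3"], "outputs": ["EX_DEP_9"]},
]
# Hypothetical KYC records at a regulated exchange: deposit address -> customer.
EXCHANGE_KYC = {"EX_DEP_7": "customer-0042", "EX_DEP_9": "customer-0042"}

def cluster_addresses(txs):
    """Map each address to its cluster; inputs spent together are merged."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)
        for other in tx["inputs"][1:]:
            parent[find(other)] = find(tx["inputs"][0])
    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {a: frozenset(m) for m in members.values() for a in m}

def trace_to_ramp(txs, start, kyc):
    """Follow funds forward from start's cluster; return {customer: [deposit addrs]}."""
    cluster_of = cluster_addresses(txs)
    hits, seen = defaultdict(set), {cluster_of[start]}
    queue = deque(seen)
    while queue:
        cluster = queue.popleft()
        for tx in txs:
            if cluster.isdisjoint(tx["inputs"]):
                continue
            for out in tx["outputs"]:
                if out in kyc:  # identity attaches here; stop at the custodial wallet
                    hits[kyc[out]].add(out)
                elif cluster_of[out] not in seen:
                    seen.add(cluster_of[out])
                    queue.append(cluster_of[out])
    return {cust: sorted(addrs) for cust, addrs in hits.items()}
```

Address A1 never touches the exchange directly, yet tracing from it reaches two deposit addresses tied to the same KYC'd customer; tracing from D1 reaches no ramp and so yields no identity.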

The Travel Rule for crypto

  • FATF extends the Travel Rule to VASPs
  • Send originator + beneficiary info with transfers
  • Hard to implement across global VASPs
  • Gaps exploited by launderers

FATF extended its long-standing Travel Rule, part of Recommendation 16, to virtual assets. Just as banks must pass originator and beneficiary information along a wire, VASPs must transmit identifying information about the sender and receiver (name and account or wallet details) when virtual assets move between them above a threshold FATF sets at around one thousand dollars or euros. The intent is to strip crypto of its supposed anonymity within regulated channels.

The challenge is implementation: VASPs operate across many countries that adopted the rule at different speeds, with no single agreed messaging standard, so compliance is uneven, the so-called sunrise problem, and launderers exploit the gaps, especially transfers to unhosted or self-custody wallets that no institution controls. Expect the exam to probe both the rule and its practical limits, and to reward you for naming the unhosted-wallet gap as the weak point launderers head for. A useful frame is that the Travel Rule works best precisely where two compliant VASPs face each other, and weakest the moment value steps outside that regulated corridor.

Crypto laundering typologies

  • Mixers and tumblers blend funds
  • Chain-hopping across coins and bridges
  • Privacy coins and peer-to-peer trades
  • Cash-out through complicit or weak exchanges

The crypto launderer's playbook layers value much like a cash launderer's. Mixers and tumblers, some of them OFAC-sanctioned, pool and shuffle many users' coins to break the link between source and destination. Chain-hopping moves value across different cryptocurrencies and through cross-chain bridges and decentralized exchanges to shake off analytics.

Privacy coins like Monero are designed to obscure amounts and addresses, and peer-to-peer or over-the-counter trades avoid regulated venues entirely. The endgame is cashing out, often through exchanges with weak controls, nested or shell exchanges riding on a larger one, jurisdictions with light supervision, or complicit insiders, sometimes layering in crypto ATMs, NFTs, or online gambling. Recognizing these patterns, and the choke points where they touch a regulated VASP, is exactly the skill the content area rewards.

Sanctions, controls, and recap

  • OFAC has sanctioned wallets, mixers, and exchanges
  • VASPs must screen wallet addresses too
  • Risk-based CDD, monitoring, and analytics
  • Recap: VASPs, pseudonymity, Travel Rule, typologies

Don't forget sanctions: OFAC has added specific wallet addresses, mixers like Tornado Cash, and entire exchanges to the SDN List, so a VASP must screen not just customer names but the blockchain addresses funds come from and go to, and dealing with a sanctioned wallet is a strict-liability violation just like any other sanctions breach. The control set mirrors traditional finance: risk-based customer due diligence, transaction monitoring, and suspicious-activity reporting, augmented by blockchain analytics and address-risk scoring suited to the technology. So, recap: virtual assets and VASPs are now within the FATF standards; crypto is pseudonymous, not anonymous, and traceable at the exchange; the Travel Rule applies but is unevenly implemented; and launderers use mixers, chain-hopping, and weak off-ramps that analytics can often follow.
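A pre-transfer check combining the Travel Rule section and the address-screening point above, as an added example that is not part of the original lesson. The action labels (BLOCK, HOLD, ESCALATE), the VASP directory, the field names, and all addresses are hypothetical; only the threshold and the required name and wallet details come from the lesson.

```python
TRAVEL_RULE_THRESHOLD = 1000  # lesson: "around one thousand dollars or euros"
REQUIRED_FIELDS = ("name", "wallet")  # lesson: name and account or wallet details
# Constructed placeholders standing in for SDN-listed addresses and for a
# directory of counterparty VASPs able to receive Travel Rule data.
SANCTIONED_ADDRESSES = {"PLACEHOLDER_SANCTIONED_ADDR"}
KNOWN_VASPS = {"vasp-b.example"}


def review_transfer(transfer):
    """Return (action, reason) findings for an outbound transfer; [] means clear."""
    findings = []
    # Address screening covers both ends and runs regardless of amount.
    for side in ("originator", "beneficiary"):
        if transfer[side].get("wallet") in SANCTIONED_ADDRESSES:
            findings.append(("BLOCK", f"{side} wallet is sanctioned"))
    if transfer["amount"] <= TRAVEL_RULE_THRESHOLD:
        return findings
    # Above the threshold, originator and beneficiary details must be complete.
    for side in ("originator", "beneficiary"):
        for field in REQUIRED_FIELDS:
            if not transfer[side].get(field):
                findings.append(("HOLD", f"missing {side} {field}"))
    # Unhosted or unknown counterparty: no VASP on the other side to receive the data.
    if transfer.get("beneficiary_vasp") not in KNOWN_VASPS:
        findings.append(("ESCALATE", "no counterparty VASP for Travel Rule data"))
    return findings


# Constructed sample transfers.
COMPLETE = {"amount": 5000, "beneficiary_vasp": "vasp-b.example",
            "originator": {"name": "Alice Example", "wallet": "ADDR_A"},
            "beneficiary": {"name": "Bob Example", "wallet": "ADDR_B"}}
MISSING_NAME = {**COMPLETE, "beneficiary": {"wallet": "ADDR_B"}}
UNHOSTED = {**COMPLETE, "beneficiary_vasp": None}
SMALL_SANCTIONED = {**COMPLETE, "amount": 200,
                    "beneficiary": {"name": "X", "wallet": "PLACEHOLDER_SANCTIONED_ADDR"}}
```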

The core exam instinct to carry away is that crypto is not the lawless void the headlines suggest: the public ledger plus the regulated ramp give investigators leverage that cash never offered, so look for the moment value touches a VASP. Next, we begin the investigations block. Test yourself first.

Sources

  • FATF Recommendation 15 and guidance for virtual assets and VASPs (incl. the Travel Rule)
  • FinCEN guidance on convertible virtual currency (FIN-2019-G001)
  • FinCEN CVC advisories
  • OFAC virtual-currency sanctions guidance

Test your knowledge

A few CFCS questions on this material — pick an answer to see the explanation.

  1. Q1. A company implements expense-reimbursement controls requiring all submissions above $500 to have a manager's approval and original receipts. An employee submits 15 claims of $499 each in one month, all approved by different managers who each see only one claim. Which fraud technique does this illustrate?

  2. Q2. A company identifies that a purchasing manager approved $1.2 million in fictitious invoices over four years. Which combination of controls, had they existed, would most directly have prevented the scheme?

  3. Q3. A U.S. issuer records a $200,000 payment to a government-relations consultant as 'marketing expenses' with no supporting documentation and no evidence of services rendered. What FCPA risk does this create even if no bribe is ever paid?

  4. Q4. UK authorities are considering prosecution of a company under section 7 of the Bribery Act after one of its overseas agents paid a government official to win a contract. The company argues it had an anti-bribery policy. What must the company prove to successfully invoke the adequate procedures defence?
