On June 26th, 2025, the Financial Action Task Force (FATF) released its sixth targeted review of the implementation of FATF Standards on Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). This targeted review provides an overview of the global progress on implementing anti-money laundering and counter-terrorism financing (AML/CFT) standards for virtual assets (VAs) and virtual asset service providers (VASPs), especially the FATF’s Recommendation 15 (R.15) as well as a section on market developments and emerging risks.

It is worth noting that one of the FATF’s core tools for tackling money laundering and terrorist financing in the virtual asset space is the Travel Rule. As highlighted in FATF’s 2025 update, threats like North Korean state-sponsored hacks, $51 billion in fraud and scam activity, and cross-border laundering networks are thriving partly due to anonymity and fragmented enforcement. Transaction authorization solutions like what we provide at Notabene help VASPs securely exchange the information required by the Travel Rule, identify potentially risky counterparties, and screen wallets linked to scams or sanctions. By making Travel Rule compliance secure and frictionless, Notabene helps regulated financial institutions close off critical pathways used by illicit actors to move and hide funds—whether it’s scam-as-a-service rings, sanctioned regimes, or terror networks exploiting gaps in the system.

As a reminder, Travel Rule applies the FATF’s payment transparency requirements (Recommendation 16) to the Virtual Asset context. The Travel Rule requires VASPs and financial institutions to obtain, hold, and transmit specific originator and beneficiary information immediately and securely before or during the transfer of virtual assets.

Sunrise Issue Narrows as 99 Jurisdictions Advance Travel Rule Legislation

‍‍Jurisdictions have made continued progress on implementing the Travel Rule. In fact, 73% of respondents (85 of 117 jurisdictions, excluding those that prohibit or plan to prohibit VASPs explicitly) have passed legislation implementing the Travel Rule, up from 69% in 2024.

Although the percentage increase from 2024 is small, the number of jurisdictions that have implemented the Travel Rule grew from 65 in 2024 to 85 in 2025. Additionally, another 14 out of 117 jurisdictions said they are currently working on implementation. This would make it a total of 99 out of 117 jurisdictions that have passed or are in the process of passing travel rule legislation which is ultimately closing the gap on the sunrise issue.

What’s the Sunrise Issue?

The “Sunrise Issue” refers to the period when some jurisdictions have implemented the Travel Rule while others haven’t, creating gaps in compliance. This mismatch can make cross-border transactions tricky, as VASPs in compliant countries may struggle to exchange required information with those in non-compliant ones.

However, it's worth to note that 42 of 205 total jurisdictions did not respond to the FATF survey hence indicating that global implementation is still incomplete.

Enforcement Gap: 60% of Jurisdictions with Travel Rule Laws Have Yet to Act

So what does enforcement look like? Of the 85 jurisdictions that have passed legislation on implementing the Travel Rule, only 35 have issued findings or directive or taken enforcement or other supervisory actions against VASPs focused on Travel Rule compliance. That means 50 jurisdictions (nearly 60%) have yet to take formal enforcement steps. This is likely because many jurisdictions have only recently passed Travel Rule laws and are currently focused on establishing supervision frameworks. Jurisdiction may also have ongoing enforcement cases, or working with VASPs to remediate shortcomings.

The effectiveness of the Travel Rule depends on consistent global enforcement. FATF urges jurisdictions that have introduced the Travel Rule to quickly operationalize it, including through effective supervision and enforcement in case of non-compliance. FATF even published a "Best Practice in Travel Rule Supervision" paper to help with this.

The FATF remains committed to working with jurisdictions to facilitate the implementation of Recommendation 15 and mitigate abuse of Virtual Assets and VASPs by illicit actors.

What is Recommendation 15?

Recommendation 15 is FATF’s standard that requires countries to assess and address the risks of virtual assets and VASPs. It’s the foundation for regulating crypto, making sure these businesses follow anti-money laundering and counter-terrorism rules. Strong implementation of R.15 is key to keeping the financial system safer as crypto adoption grows.

Next Steps from FATF:

As part of its ongoing work, the FATF plans to:

• Release short reports on stablecoins, offshore VASPs, and DeFi between October 2025 and June 2026
• Continue helping countries with key challenges, including conducting risk assessments, determining approaches to virtual assets and VASPs, identifying who runs VASP businesses, and putting the Travel Rule into action
• Find better ways to ensure countries are consistently applying, supervising, and enforcing the Travel Rule
• Publish the next major update in 2026, which will show how countries are progressing on Recommendation 15 and responding to new risks in the virtual asset space. This update will also include a revised public table showing which jurisdictions have large VASP activity.

A Closer Look: Which Countries Are Actually Implementing FATF’s Crypto Standards?

In March 2024, the FATF published a table (known as Annex A) showing how FATF members and 20 key countries with materially important VASP activity were doing in applying its standards. The 2025 update adds 9 more non-FATF countries that now meet the criteria. Together, these jurisdictions make up about 98% of the global virtual asset market, making it especially important that they fully follow the FATF rules.

Materially important jurisdictions are based on:

1. Trading volume (over 0.25% of global trading); and/or
2. Jurisdictions with a large virtual asset user base (top 30 jurisdictions with the highest VA ownership and to VA adoption rate).

In total, 9 new non-FATF countries were added: 4 qualified because of high trading volume, and 5 because they have a large number of virtual asset users.

These insights come from countries' responses to FATF’s 2025 self-reported survey. So, what are the key takeaways?

85% of materially relevant jurisdictions have Travel Rule regulation in place or in progress.  Specifically,  from the 67 jurisdictions mentioned in this year's report, a total of 57 have Travel Rule Regulation in place or in progress.

Of the 9 newly added material jurisdictions:

• 3 of them (Bahrain, Czech Republic, El Salvador) have Travel Rule already in place
• 4 of them (Cambodia, Kenya, Pakistan, Saint Vincent and the Grenadines are in process of having TR in place
• 2 of them (Ethiopia and Morocco) explicitly prohibited VAs/VASPs, aligning with similar restrictions reported last year in China, Egypt, and Saudi Arabia.

Additionally, around 94% of the jurisdictions conducted a risk assessment covering VAs and VASPs, while 80% enacted legislation mandating VASPs' registration or licensing and compliance with AML/CTF requirements. Similarly, 79% conducted supervisory inspections on VASPs.

What’s next?

FATF encourages governments to carefully evaluate how virtual assets (VAs) and virtual asset service providers (VASPs) might be used for money laundering or terrorist financing. These assessments can help inform whether to allow or restrict VAs and VASPs, and highlight the importance of clear policies and robust oversight. It’s also crucial to have proper licensing in place, especially for offshore VASPs and those managing stablecoins. As the landscape evolves, authorities are urged to keep pace with new risks—like DeFi platforms, unhosted wallets, and emerging scam tactics such as AI-driven schemes, pig butchering, and address poisoning—by staying informed and proactive.

For more context on FATF’s recent updates to Recommendation 16, check out this related article that breaks down the key changes and what they mean for compliance teams navigating the evolving regulatory landscape.

Read the full FATF Targeted Update here

*Methodology: FATF and the Global Network consist of 205 jurisdictions in total. 163 jurisdictions responded to the 2025 survey. For jurisdictions that did not respond to the FATF’s survey, the FATF has assumed that they have not yet implemented the requirements. For Figure 1.1 on Travel Rule implementation, the data focuses on the 117 jurisdictions that have neither prohibited VASPs nor announced plans to do so.

The Financial Action Task Force (FATF) has finalized revisions to Recommendation 16 (R16), delivering the a substantial overhaul of international payment transparency standards. These changes address two urgent imperatives: modernizing cross-border payment infrastructure to meet G20 objectives of faster, cheaper, and more inclusive transactions, while simultaneously combating an explosive surge in fraud that now represents the dominant proceeds-generating crime worldwide.

The regulatory shift is immediately apparent in the standards' evolution from "wire transfers" to "payment transparency"—a deliberate expansion signaling FATF's intent to capture all payment methods and value transfer mechanisms in our increasingly digital financial ecosystem.

The fraud crisis driving these changes cannot be understated. FATF's own research, including the 2023 report "Illicit Financial Flows from Cyber-Enabled Fraud," reveals staggering growth in both the frequency and monetary impact of fraudulent schemes. This threat has fundamentally rewritten the financial crime playbook, elevating fraud prevention and detection to primary regulatory objective, now standing alongside traditional anti-money laundering efforts as a core pillar of the revised standards.

What Changes? Key Requirements That Will Transform Payment Flows

The revised Recommendation 16 represents a fundamental shift in cross-border payment compliance. This section outlines the key changes introduced by the revision, evaluates how current industry capabilities measure up to the new standards, and demonstrates how the Transaction Authorization Protocol (TAP) is purpose-built to meet the policy objectives behind the update.

Standardized Information Requirements for Cross-Border Transfers and Mandatory Beneficiary Geographic Information

The revised R16 introduces standardized information requirements for cross-border transfers above specified thresholds:

For Originators:

• Name
• Account number (fallback: unique transaction reference)
• Address (fallback: country and town name or nearest option)
• Date of birth (fallback: year of birth)

For Beneficiaries:

• Name
• Account number or unique transaction reference
• Country and town name (or nearest option)

A significant expansion from current requirements, beneficiary geographic information is now mandatory. Previously, there was no obligation to transmit beneficiary geographic information under R16. With the revisions, country and town name are required minimum fields.

FATF's original proposals would have mandated full geographic addresses for both originators and beneficiaries, but extensive industry feedback, including from Notabene, successfully argued that such requirements would create financial exclusion and unnecessary friction, raise data protection concerns, and provide limited anti-money laundering benefit. The final standards reflect significant wins: For originators the year of birth can be provided as a fallback to full date of birth and country and town serve as acceptable alternatives when full addresses aren't available.  For beneficiaries, only country and town are required.

Mandatory Beneficiary Information Verification

One of the most significant changes is the explicit requirement for beneficiary financial institutions to verify information alignment to mitigate the risk of misdirected payments. Combating fraud is now an explicit objective of R16, acknowledged as a key target predicate offense. Institutions must now implement at least one of these approaches:

1. Post-validation checks - Verify name and account number alignment for each transaction
2. Holistic ongoing monitoring - Conduct risk-based monitoring to identify anomalous accounts and misaligned information
3. Pre-validation mechanisms - Use systems like Confirmation of Payee to verify beneficiary information aligment

🔖 Industry benchmark

VASPs in the Notabene network blocked over $696 million in transactions due to incorrect beneficiary information, demonstrating that the industry is leading the way in implementing pre-transaction beneficiary matching procedures that effectively leverage Travel Rule compliance to prevent fraud.

Positive Requirement for Payment Messages to Enable FI Identification

Information in payment messages must now make it possible for all institutions and authorities to identify which financial institution is servicing originator and beneficiary accounts and in which countries these institutions are located. 

🔖 Industry benchmark

Current implementations of R16 by VASPs rely on wallet addresses that provide no institutional identification as account identifiers, forcing VASPs to use imperfect methods like blockchain analytics and customer input to identify counterparties. 

💡 TAP Solution

TAP solves this by replacing address-based transactions with transfer requests that include complete beneficiary institution identification upfront.
Instead of sharing a blockchain address, recipients create secure transfer requests containing full institutional details—eliminating the guesswork and ensuring R16 compliance from the start.

Cross-Border Cash Withdrawal Requirements

R16 extends beyond wire transfers to include requirements for cross-border cash withdrawals. A targeted framework now requires issuing financial institutions to provide cardholder names  within three business days upon request when suspicious transactions are detected through monitoring systems.

This change addresses a significant transparency gap exploited by money launderers who open accounts in foreign countries, obtain payment cards, then return to their home country to make frequent ATM withdrawals—fragmenting their activity across jurisdictions to avoid detection. The new requirements enable acquiring institutions to request cardholder information when suspicious activity is detected, closing this critical intelligence gap.

Upgrades to Purchase of Goods and Services Exemption

The exemption scope has been clarified: when cards are used to fund other types of payment or value transfer (such as person-to-person transfers), the relevant R16 information requirements will apply. Additionally, card networks must now give financial institutions access to directories containing information on card issuing and merchant acquiring financial institutions.

Enhanced Payment Chain Definition

The revised standards clarify that payment chains begin with the financial institution that receives instructions from the customer and end with the institution that services the beneficiary's account or provides cash to the beneficiary. This definition aims to ensure complete information flows throughout complex cross-border payment chains, preventing the fragmentation that has historically hindered effective monitoring.

💡 TAP Solution

TAP's non-deterministic multi-party authorization flow provides full visibility into complex transaction flows, including all intermediaries. The protocol's non-deterministic approach allows any participant to add or replace agents during the discovery process, ensuring complete transparency before authorization.

This non-deterministic multi-party authorization structure enables the inclusion of all agents in the payment chain.

1. Additionally, the local subsidiary (VASP B UK) uses the services of an Institutional Custody provider to secure its customer funds. Therefore, it add the Institutional Custody provider as an agent (Intermediary VASP).
2. The beneficiary customer has an account with a local subsidiary (VASP B UK) and, hence, the parent entity replaces itself with that local subsidiary (the correct beneficiary agent).

   However, in reality:

For example, in the transaction illustrated below, the parent entity of an exchange (VASP B Global) is identified as the beneficiary VASP.

Revised Net Settlement Conditions

New clarification states that where net settlement results from customer transactions, information about underlying transactions is not required to accompany the net settlement. However, R16 requirements still apply to the underlying individual transactions themselves.

Implementation Timeline and Industry Impact

• Late 2026: Publication of comprehensive guidance paper on payment transparency
• Late 2030: Final deadline for R16 implementation across all jurisdictions
• Application to VASPs: Requirements will apply indirectly through R15, with potential updates to maintain alignment. 

The Broader Context: A Platform Shift in Financial Services

The revised FATF R16 signals a recognition that payment transparency must adapt to the realities of modern financial infrastructure. These regulatory changes occur against the backdrop of a fundamental platform shift in financial services - from legacy rails to programmable, real-time, blockchain-enabled networks.

TAP positions itself at the forefront of this transformation, serving as the critical authorization layer that bridges the robust controls of traditional finance with blockchain efficiency.

As the industry progresses toward the 2030 R.16 implementation deadline, TAP is uniquely positioned to help VASPs lead - not lag - in meeting the new standards. Unlike legacy institutions constrained by decades-old systems, TAP is building from a greenfield. This allows us to innovate without compromise, designing solutions purpose-built for today’s regulatory and technological realities. 

The platform shift is underway. The regulatory framework is evolving. TAP bridges both: meeting compliance demands while unlocking the full potential of blockchains as payment rails.

US lawmakers have introduced long-awaited market structure legislation in the form of the “Digital Asset Market Clarity Act of 2025” or “CLARITY Act of 2025”, for short. US Representative French Hill announced the bi-partisan market structure bill for digital assets on May 29, 2025.

The bill was drafted by the House Committee on Financial Services, who previously penned the FIT21 Act, which passed in the House of Representatives but ultimately failed to clear the Senate. The CLARITY Act follows months of hearings on the matter within the Subcommittee on Digital Assets, Financial Technology, and Artificial Intelligence.

The bill aims to remove longstanding ambiguity related to digital assets oversight by clarifying the roles of both the United States Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC). While much can change from the point of introduction to the ultimate passage of legislation, a comprehensive framework like the CLARITY Act has the potential to reshape crypto regulation entirely by enabling clear pathways for institutional and retail adoption to scale in a legal and compliant way across the entire US market.

The bill gained momentum following a June 4th House Committee hearing titled "American Innovation and the Future of Digital Assets: From Blueprint to a Functional Framework," where industry experts and former regulators debated the legislation's merits and challenges.

“How decentralized is it?” is the new “Is it a security?”

One of the principal innovations of the proposed legislation is that instead of asking "Is crypto a security?" the CLARITY Act asks “How decentralized is this system?”. This is key because the level of decentralization would ultimately determine jurisdiction underneath either the SEC (for early-stage tokens with centralized control designated as "Investment Contract Assets."), or the CFTC (for more mature and fully decentralized blockchain network tokens designated as "Digital Commodities.")

In other words: As assets become more decentralized, they transition from SEC to CFTC jurisdiction. 

Stablecoins are singled out

The emergence of stablecoins as crypto’s killer use case warrants special consideration, as we can see recognized by the creation of a third tier of assets called Permitted Payment Stablecoins. This class of digital asset is subject to light regulation due to the asset being adopted widely by consumers warranting some level of protection.

This creates a three-tier framework for digital asset regulation:

TradFi players can get in the game

One of the biggest unlocks of such a comprehensive market structure bill is a regulatory framework for traditional finance players to get into the crypto game without exposing themselves to unnecessary regulatory and compliance risk.

Under the proposed CLARITY Act, banks would be able to custody crypto without balance sheet liability, as well as trade more complex crypto financial instruments.

Clear pathway for crypto-native companies

The bill provides concrete guidance for crypto companies that have been operating in regulatory limbo. Key provisions include:

• $75 million fundraising exemption with a 4-year maturity timeline
• Founder trading restrictions until networks reach maturity
• Provisional registration pathways allowing companies to operate while agencies develop detailed regulations

For VASPs already operating in our compliance network, these provisions validate the approach we've been advocating for: building robust compliance frameworks from day one, even when regulations are still evolving.

DeFi is clearly addressed

Decentralized finance protocols receive explicit recognition and protection under the CLARITY Act. The bill includes self-custody rights and anti-fraud enforcement while acknowledging that truly decentralized protocols operate differently from traditional financial entities. This recognition is crucial for the DeFi ecosystem's maturation and integration with traditional finance systems.

Hearing insights

Support and skepticism

During the June 4th hearing, we saw both strong support and pointed criticism:

Former SEC Commissioner Elad Roisman called the bill a "significant step forward to providing the needed clarity" to digital markets.

Former CFTC Chairman Rostin Behnam agreed that current federal law has left regulatory gaps, urging Congress to address this void with "targeted legislation."

However, former CFTC Chairman Timothy Massad raised significant concerns, particularly around anti-money laundering provisions. When directly asked if the bill addresses AML adequately, Massad responded "not sufficiently," pointing to critical gaps:

• The bill only applies Bank Secrecy Act requirements to centralized intermediaries
• Crypto assets can be transferred without going through intermediaries, creating enforcement gaps
• Treasury needs more authority over decentralized protocols and foreign platforms
• Stablecoin issuers should be required to monitor suspicious wallet activity

"We've got to give the Treasury Department and other regulators adequate tools to deal with those risks. And I don't think we've done that yet," Massad emphasized, citing examples of Russian smugglers using Tether and Hamas using crypto funding.

The AML challenge: Where traditional frameworks meet DeFi

One of the most contentious aspects of the June 4th hearing centered on anti-money laundering provisions. Democratic members pressed witnesses on whether the CLARITY Act provides adequate safeguards against illicit finance, particularly in decentralized systems.

The Core Challenge: Traditional AML frameworks rely on intermediaries like banks to monitor and report suspicious activity. DeFi protocols, by design, operate without centralized intermediaries, creating what critics see as regulatory blind spots.

Representative Lynch directly asked: "Does this bill address anti-money laundering adequately?" The responses revealed a fundamental split in thinking about crypto compliance.

Industry Perspective: UniSwap's Katherine Minarik argued that blockchain analytics provide superior tools for tracking illicit activity in real-time, claiming traditional BSA requirements are "broken and in many ways dying." She emphasized that sanctions screening requirements still apply to all US companies, and blockchain's transparency offers better visibility than traditional finance.

Regulatory Skepticism: Former regulators expressed doubt that existing frameworks adequately address decentralized systems. The concern isn't just about tracking funds after the fact, it's about preventing illicit activity before it happens.

For institutions operating in our compliance network, this debate highlights why robust Travel Rule implementation is crucial. While regulatory frameworks evolve, institutions with comprehensive compliance programs, including pre-transaction screening and counterparty verification, position themselves ahead of whatever requirements emerge.

Balanced priorities: Innovation, consumer protection, and law enforcement

The CLARITY Act aims to achieve a critical balance of three important priorities:

• Market Innovation: Providing clear pathways for crypto-native businesses to grow and thrive
• Consumer Protection: Establishing safeguards without stifling legitimate innovation
• Law Enforcement Authority: Ensuring regulators have tools to combat illicit activity

However, the hearing revealed this balance remains contentious. Critics argue the bill creates enforcement gaps in DeFi, while supporters contend it improves on the status quo by bringing centralized crypto activities under Bank Secrecy Act coverage.

A critical week ahead: June 10 committee markups

The CLARITY Act faces a pivotal moment on June 10, when both the House Financial Services Committee and House Agriculture Committee are scheduled to hold markups of the legislation. This dual committee approach reflects the bill's comprehensive scope where the Financial Services handling securities and market structure issues, while Agriculture addresses commodity futures aspects.

These markups represent the first major procedural hurdle for the legislation. Success in both committees would provide significant momentum for floor votes and eventual Senate consideration.

What to expect next

While the June 10 markups represent crucial first steps, this is only the beginning of the CLARITY Act's legislative journey. With many procedural hurdles ahead, expect the bill's contents to evolve as it moves through Congress. The June 4th hearing revealed both strong bipartisan support and areas where compromise will be necessary. Expect to see the contents of the bill change shape as it makes its way through Congress, as the finer details and subsequent implementation of the bill will be critical for its long-term potential to reshape the industry in a positive way. 

For years, the US crypto industry has bemoaned the lack of clarity from regulators and displayed an appetite for following the rules if only they existed. This is our collective chance to put those rules in place for an important market in the global crypto economy, and provide the long-awaited opportunity for American crypto companies to remain competitive while ensuring that the regulatory clarity also allows international crypto firms to tap into the growing US market.

The bill's success could provide the long awaited opportunity for American crypto companies to remain competitive while ensuring regulatory clarity allows international firms to tap into the growing US market with confidence.

For institutions already building compliant crypto operations, the CLARITY Act validates the approach of implementing robust compliance frameworks before they're required. Those who've invested in comprehensive Travel Rule compliance, counterparty due diligence, and risk management systems will find themselves ahead of the curve as these requirements become standardized.

At Notabene, we've been building the infrastructure that will support this regulatory future. Our open-loop Transaction Authorization Protocol (TAP) and comprehensive compliance platform are designed for exactly the kind of regulated, interoperable crypto ecosystem that the CLARITY Act envisions.

The CLARITY Act isn't just about providing regulatory certainty, it's about building the foundation for crypto's integration into the broader financial system. For institutions ready to operate in this environment, the opportunity is enormous.

Read the full bill here

New milestone underscores widespread adoption of Notabene's transaction authorization network and the power of network effects in our rapidly growing ecosytem.

NEW YORK, May 22, 2025 — Notabene, the trust layer for global money movement, today announced it has surpassed $1 trillion in transaction volume on its platform. This significant milestone highlights the accelerating adoption of Notabene's transaction authorization infrastructure due to compounding network effects and increasing regulatory clarity across the globe.

The achievement comes as Notabene continues to power the largest Travel Rule-compliant network of regulated crypto institutions worldwide, with transaction volumes growing at an accelerating rate. The company's unique open network, powered by the TAP (Transaction Authorization Protocol) that it helped develop, creates powerful network effects, where each new financial institution that joins the platform increases the value for all participants.

"Reaching $1 trillion in transaction volume isn't just a number—it's a testament to the network effects we've built into our business model," said Alice Nawfal, Co-founder and President of Notabene. "What's most exciting is the acceleration we're seeing. The trust infrastructure we've created becomes exponentially more valuable with each new participant, which is why we're seeing volumes grow at an increasingly rapid pace. While the first $500 billion took took three and a half years, the second happened in just 6 months."

“…the first $500 billion took took three and a half years, the second happened in just 6 months."

Notabene's platform enables financial institutions to verify counterparties, confirm address ownership, and authorize transactions before execution and blockchain settlement. As regulatory requirements for crypto transactions continue to evolve globally, Notabene's pre-transaction verification approach has become essential infrastructure for VASPs and financial institutions engaging with digital assets.

The milestone comes amid growing regulatory focus on cross-border transactions, particularly with the implementation of the European Union's Transfer of Funds Regulation (TFR) and similar frameworks worldwide highlighted in the recently released 2025 State of Crypto Travel Rule Report. Notabene's unique open protocol approach to verifying counterparty trust across all regulated entities and their intermediary parties has positioned it as critical infrastructure for both crypto-native and traditional financial institutions building out their crypto strategies as demand for stablecoin services surges. 

"What makes this milestone particularly meaningful is that it represents real growth in economic activity moving across borders with confidence and trust," added Nawfal. "Each transaction flowing through our platform represents financial institutions that can now facilitate crypto transactions with certainty, unlocking new ways of orchestrating the flow of digital assets - particularly in the stablecoin space."

Notabene continues to expand its capabilities, including enhanced self-hosted wallet verification, multi-protocol support, and automated policy engine technology that enables compliant cross-border transactions at scale.

About Notabene

New York, London, April 23, 2025 — Notabene, a leading provider of Travel Rule compliance infrastructure, today released its annual State of Crypto Travel Rule: 2025 Report, revealing a decisive industry shift: compliance is no longer optional, it is the cost of doing business.

Based on survey data from 91 Virtual Asset Service Providers (VASPs) and 10 regulatory bodies, the report shows that 100% of firms plan to be Travel Rule compliant by the end of 2025. Nearly 9 in 10 expect to meet requirements in the first half of the year, reflecting a broad and urgent move toward regulatory alignment.

Compliance is now directly tied to reaching your counterparties. In the past year, VASPs have become significantly more assertive in their counterparty requirements. The report found a 431% year-over-year increase in VASPs blocking withdrawals until beneficiary information is confirmed, jumping from 2.9% in 2024 to 15.4% today. Additionally, 19.8% of VASPs now return deposits if the originator fails to provide the required Travel Rule data.

In the lead-up to the EU Transfer of Funds Regulation (TFR) enforcement date of December 30, 2024, the Notabene network saw a dramatic surge in activity from EU-based firms. Transaction volumes originating from EU Crypto Asset Service Providers increased by 200x, compared to an 8x increase in non-EU-originated volume during the same period. While 71% of EU Crypto Asset Service Providers missed this deadline, many are catching up fast. One third have implemented processes to identify and report repeat non-compliant counterparties to regulators, creating spillover pressure on global peers.

“This isn’t about checking a regulatory box. It’s about securing your place in the future of crypto finance,” said Pelle Brændgaard, CEO of Notabene. “The network of compliant institutions is growing, and those who aren’t part of it are already being left behind.”

The message from this year’s report is clear: Compliance is no longer a future requirement or a regulatory checkbox. It is now a gatekeeper for business. Firms that fail to meet expectations are being excluded from transactions, losing counterparties, and watching volumes slip away. 

Download the full report here.

ENDS

Media Contact: sacha@notabene.id

About Notabene:

Notabene is the trust layer for global money movement, powering the largest Travel Rule-compliant network of regulated crypto institutions. Our mission is to make crypto transactions a part of the everyday economy. We provide a nuanced view of the regulatory landscape by leveraging industry expertise, insights from our annual survey, and extensive research on public sector data. We aim to equip businesses and other industry stakeholders with the knowledge and tools necessary for success in a dynamic environment.

Our platform enables businesses to securely and seamlessly verify counterparties, authorize transactions, identify self-hosted wallets, and comply with global regulations. With SOC-2 certification, ISO27001 compliance, and a strong focus on privacy and user experience, Notabene ensures trust in every transaction.

Headquartered in New York, Notabene operates globally, with a presence in Switzerland, Singapore, Germany, and the United Kingdom. Trusted by over 200 companies, including Copper, Luno, Crypto.com, and Bitstamp, Notabene helps institutions build trust into every transaction while ensuring compliance with evolving regulatory frameworks.

Start for free with the world’s largest transaction authorization network at Notabene.id.

Connect with us: LinkedIn | Twitter

Five years ago today, we began our journey with the founding of Notabene.

At the time, FATF had just introduced the Travel Rule for crypto – the first globally coordinated regulatory framework for digital asset transactions. We immediately realized that the Travel Rule wasn’t just a compliance requirement, but rather the first step in achieving global regulatory clarity. Our experience in crypto gave us the foresight to see that this regulatory clarity would one day be a turning point for the entire industry, allowing crypto to truly scale and become a part of the everyday economy. We knew that for digital assets to move beyond speculation and into real-world utility, they needed the same infrastructure and safeguards that traditional global finance relies on – without losing the openness that makes crypto transformative.

In response to FATF’s Travel Rule, a fragmented ecosystem emerged. Implementation of the Travel Rule was made difficult by multiple competing closed protocols, lack of clarity from various jurisdictions, and mismatched timeframes for the rollout of regional rules – often referred to as the Sunrise Period. While most saw it as an impossible challenge, we saw it for what it was: the unlock for integrating crypto into the global economy. So we leaned in.

Our key innovation in solving the Travel Rule problem was to build open infrastructure to facilitate counterparty trust at scale. We did this with an open protocol (TAP) and a best-in-class pre-transaction authorization platform. By embedding trust into every transaction for our customers, we created the largest active network of regulated crypto institutions in the world, trusted by leading financial institutions at the forefront of crypto, from retail exchanges and on/off ramps, to custody infrastructure providers, and payment service providers across more than 95 jurisdictions across the globe. We’ve supported nearly $1 trillion in Travel-Rule compliant transaction volume and helped define the industry standard for secure, trusted, scalable compliance.

But our ambition was never limited to innovating in the compliance and RegTech space. From the start, we saw the Travel Rule as a gateway — the first step toward the regulatory clarity needed to drive crypto adoption across the entire financial ecosystem.

Fast-forward to today, and our prediction is coming true. Regulatory clarity is finally arriving. In the EU, APAC, Latin America, and now the US, we are seeing true clarity and support emerge from governments and regulators. As predicted, this is building momentum in the industry as traditional financial institutions mature their digital asset strategies, core infrastructure is built, and consumer adoption of stablecoins continues to skyrocket. The building blocks are nearly all in place: regulation, infrastructure, product-market fit. 

Trust is the final missing piece. 

Regulatory compliance is key, but isn’t enough on its own. Counterparties don’t exchange value with each other simply because they are allowed to, they do it because they want to. They do it when they have the confidence to transact with each other in a safe and secure manner. Without real trust between counterparties, nothing scales – not institutional adoption, and not consumer adoption.

The next generation of financial infrastructure isn’t just about speed or scale. It’s about trust.

And so we will continue to evolve — expanding our work beyond compliance to help build the trust layer for global money movement. This will be the core financial infrastructure that enables institutions to verify counterparties, authorize transactions, and unlock new markets — with trust embedded from the start. It’s the foundation that will make our vision a reality.

The building blocks are in place. The opportunity is enormous. And we’re just getting started.

We’re proud of what we’ve built, and even more excited to keep building it alongside our customers and partners.

To everyone who’s helped us get here, thank you.

Here’s to the first five years of Notabene — and to everything ahead.

–Pelle and Alice, Co-Founders, Notabene

At Notabene, we believe compliance shouldn’t come at the expense of innovation. That’s why we’re working closely with global regulators to help shape smarter rules for the future of finance.

Recently, the Financial Action Task Force (FATF) solicited a second round of feedback on proposed revisions to its Recommendation 16 (R16) and the corresponding interpretive note, which covers how financial institutions share information to prevent illicit activity.

On April 15, Notabene’s Regulatory and Compliance team responded with insights based on years of experience helping VASPs comply with the Travel Rule across jurisdictions.

Read our full response here

Here’s a quick breakdown of what’s changing, what it means for the crypto industry, and what we think needs more attention.

Why Requiring Geographic Address is Ineffective 

The FATF wants cross-border payments or value transfers above the applicable threshold to always include the originator's and beneficiary's geographic addresses. Notabene raised concerns in both FATF consultations about mandating geographic addresses in originator and beneficiary data.

In our first response, Notabene argued that addresses are unreliable identifiers, difficult to verify, and not useful for sanction screening. Their inclusion raises privacy concerns and could harm financial inclusion, especially in regions without standardized address systems. Notabene proposed removing the address requirement and instead allowing a risk-based approach to selecting identifiers.

In the second feedback round, the FATF introduced flexibility by allowing country and town as alternatives when full addresses aren't available. While this has been seen as an improvement, Notabene maintained that addresses are still problematic, and suggested that the FATF provide further guidance for cases where even town-level data is unavailable. We also recommended considering more reliable, standardized alternatives like phone numbers.

Virtual Account Numbers Can’t Hide the Source

In response to the FATF’s concerns about virtual IBANs and account identifiers, Notabene initially recommended enforcing accurate country designation. The FATF’s revised proposal improves on this by clarifying that account numbers should not obscure the country of fund origin, placing responsibility on the issuing institution.

In our response, Notabene supported this shift, but pushed for a bigger rethink: it’s time to move away from relying solely on account numbers to track money and promote more transparent models like transfer requests. We recommended recognizing solutions like the Transaction Authorization Protocol (TAP), which enables better counterparty identification—especially critical in complex virtual asset transactions. TAP is a decentralized, pre-transaction messaging system that helps identify counterparties before money moves. TAP gives everyone in the payment chain the information they need before a transaction is finalized, reducing fraud and improving transparency.

Pre-Validation is a Must in Crypto Transfers

Once a transaction hits the blockchain, it’s permanent. That’s why we support the FATF’s emphasis on pre-validation measures like verifying beneficiary info before a transfer goes through.

We also recommended that when a receiving institution detects a mismatch, they should notify their counterparty right away. This small change could go a long way in stopping fraudulent or misdirected transactions before they happen.

Defining the Payment Chain from Start to Finish

The FATF’s new definition of a “payment chain” is clearer than before, but we flagged one potential issue: what happens when the first institution receiving a payment instruction isn’t directly connected to the originator?

To mitigate this, Notabene recommended that the FATF provide guidance for complex scenarios, proposing principles to ensure complete information flow. These include requiring message originators to identify all known parties, and for each agent to add any missing identifiers and resolve compliance gaps through collaboration. This would strengthen the integrity of the payment chain across varied transaction structures.

Roadmap to Full Compliance by 2030

We appreciated the FATF’s proposal for a multi-year rollout of the new standards, with a target end date of 2030.

We recommended a phased approach for the crypto industry, focused first on the highest-risk areas (like verifying beneficiary info), and allowing time for organizations to adapt and improve throughout a learning period where good-faith compliance efforts are recognized before enforcing strict technical requirements.

How do FATF Recommendations Affect You?

Notabene welcomed the FATF’s decision to keep VASPs under the existing Regulation 15 framework while updating its interpretive note to reflect R16’s evolving information requirements. This approach ensures continuity while allowing tailored Travel Rule implementation through the Virtual Assets Contact Group (VACG).

To support this process, Notabene recommended using TAP as a testing ground for R16 application in the virtual asset space.

Leading the Future of Compliant Payments

The FATF’s proposed updates to R16 mark a turning point in global financial compliance. While traditional financial institutions may struggle with the transition due to entrenched systems, VASPs and stablecoin PSPs have a clear advantage. Operating on modern, programmable infrastructure, they are not only better equipped to meet evolving regulatory standards, but also to redefine what compliant, cross-border payments can look like in the digital age. By embracing these changes early and building compliance into their core operations, VASPs and stablecoin PSPs can lead the charge toward a more transparent, efficient, and secure global financial system.

At Notabene, we believe that regulation and innovation can go hand in hand, and that compliance tools should make financial services more accessible, not less.

Schedule time for a free consultation with our regulatory experts to learn more about the FATF’s proposed revision to R16, or about Notabene’s TAP solution for counterparty identification.

AOPP: Constraints, Limitations, and Adoption Challenges

The Address Ownership Proof Protocol (AOPP) emerged as a technical solution for cryptocurrency users to demonstrate wallet address ownership, primarily in response to regulatory requirements. Despite its promising premise, AOPP has struggled to gain widespread adoption across the cryptocurrency wallet ecosystem. This analysis examines why AOPP remains a niche protocol, which wallets have implemented it, and the fundamental limitations that have prevented it from becoming an industry standard.

A Compliance Solution for Self-Hosted Wallets

AOPP emerged as a technical solution designed to automate the process of proving ownership of self-hosted cryptocurrency wallets. By generating cryptographically signed messages without manual intervention, the protocol aimed to streamline compliance with regulations like the Financial Action Task Force's (FATF) Travel Rule. Swiss financial authorities, particularly FINMA, served as the catalyst for AOPP's development, creating a protocol that would theoretically bridge the gap between regulatory demands and cryptocurrency's decentralized nature.

Selective Adoption in a Growing Market

Years after its introduction, AOPP remains implemented in only a small segment of cryptocurrency wallets. Its current footprint in the ecosystem reveals both its niche utility and broader market hesitation:

BitBox02 is one of the protocol’s consistent supporters. This Swiss-developed hardware wallet integrated AOPP early, reflecting geographical alignment with the protocol's origins and the company's compliance-oriented approach.

Specter Wallet, with its focus on privacy and multi-signature implementations, has maintained AOPP support, positioning it as an option for users navigating both security and regulatory requirements.

What's particularly noteworthy is the pattern of reconsideration among several wallet providers. Trezor, a significant player in hardware wallets, initially implemented the protocol but subsequently removed it after user feedback. Blue Wallet and Sparrow Wallet similarly stepped back from AOPP support after community response. These adjustments highlight the complex balance wallet providers must strike between regulatory compliance tools and user preferences.

Self-Hosted Wallet Market Context

Self-hosted (non-custodial) wallets continue to gain popularity as cryptocurrency users prioritize direct control over their assets. The market for these wallets reached approximately $2.5 billion in 2024 and is projected to grow to $15 billion by 2033. Major players in this space include:

• MetaMask: Over 30 million users
• Trust Wallet: More than 60 million downloads
• Ledger: Approximately 6 million devices sold
• Trezor: A significant player in the hardware wallet segment

Notably, none of the market leaders currently support AOPP, significantly limiting its practical utility in the broader ecosystem.

A Solution Without an Audience

AOPP's limited adoption appears to stem from several structural factors that collectively explain its position in the wallet ecosystem.

Regional Orientation in a Global Market

Developed primarily for Switzerland's regulatory environment, AOPP addresses compliance frameworks that aren't universally applicable. For wallet developers serving diverse international jurisdictions, implementing a protocol designed specifically for Swiss compliance presents a challenging value proposition. This regional specificity naturally constrains AOPP's relevance for wallet providers with global user bases operating under different regulatory structures.

Development Resource Considerations

For wallet development teams, AOPP implementation requires specialized message signing and verification processes that introduce additional complexity. This technical requirement creates resource allocation questions, particularly for smaller teams and open-source projects. With limited development bandwidth, many providers have prioritized features with broader user demand over specialized compliance protocols.

User Experience Tradeoffs

Most cryptocurrency wallets already support standard message signing for Web3 interactions, a flexible approach serving multiple purposes beyond compliance. AOPP, while streamlining compliance-related verification, introduces a more structured but less common process. Wallets may prioritize flexibility and user familiarity over integrating a niche compliance-focused protocol.

The Inherent Limitations of AOPP

AOPP's trajectory reveals structural challenges that extend beyond simple market preferences to more fundamental design considerations.

The Adoption Challenge

AOPP faces a circular implementation challenge: its utility as a standard depends significantly on widespread adoption, yet achieving that adoption requires demonstrating consistent utility across use cases. With major wallet providers like MetaMask, Trust Wallet, and Ledger not implementing the protocol, AOPP lacks the critical mass necessary to function as a universal verification standard. This creates practical limitations for users, regulators, and exchanges seeking standardized verification methods.

Technical Scope Considerations

Even where AOPP is implemented, questions remain about its comprehensive effectiveness. The protocol cannot prevent all potential verification workarounds, which leads to questions about its practicality as a compliance tool. These limitations have factored into wallet providers' implementation decisions, particularly when weighing development resources against potential benefits.

Alternative Approaches in the Ecosystem

While AOPP has found limited implementation, the cryptocurrency ecosystem has naturally evolved toward verification approaches that align with both compliance needs and user expectations:

Standard Cryptographic Signatures have emerged as a widely implemented solution. Protocols like EIP-191, BIP-137, and Ed25519 provide similar proof-of-ownership capabilities with broader compatibility across wallet types. Their flexibility allows them to serve multiple purposes beyond regulatory compliance, creating natural incentives for both developers and users.

Extended Public Key Verification offers another approach that addresses regulatory goals through different technical means. By verifying xPubs, platforms can confirm wallet control while maintaining a seamless user experience—a balance that has gained traction across the ecosystem.

Micro-Transaction Verification, also known as the Satoshi Test, has emerged as another alternative that confirms wallet control by having users send specific amounts within designated time windows. This method works with virtually any wallet that can send transactions, providing broader coverage than protocol-specific approaches like AOPP.

Multi-Method Verification Systems have also gained traction, with companies like Notabene offering comprehensive solutions that combine several verification methods. These systems typically include cryptographic signature proofs similar to AOPP's approach, but complement them with alternative verification methods such as micro-transactions, visual verification through screenshots, and self-declaration options. This layered approach provides flexibility for users across different wallet types and technical expertise levels.

The Path Forward: Beyond AOPP

AOPP represents a thoughtful attempt to address the regulatory challenges facing cryptocurrency users and exchanges. However, its limited adoption reflects not just technical considerations but deeper questions about how compliance mechanisms integrate with cryptocurrency's core principles and user expectations.

As the cryptocurrency industry continues to mature, verification solutions will likely evolve along paths that balance regulatory requirements with user experience priorities. While AOPP may maintain relevance in specific regulatory contexts, particularly in Switzerland, the industry appears to be moving swiftly toward more flexible, multi-method approaches to wallet verification.

Companies like Notabene have recognized this need for flexibility by developing verification systems that work across virtually any wallet type, including popular hardware wallets like Ledger and Trezor that don't support AOPP. Their approach demonstrates that compliance and security don't necessarily come at the expense of user experience, particularly when various verification methods are available depending on the specific wallet technology.

The experience with AOPP provides valuable lessons for future protocol development. It demonstrates that successful compliance tools must consider not only regulatory requirements but also technical implementation costs, user experience impacts, and alignment with the diverse expectations of the cryptocurrency community. Looking ahead, the most successful verification approaches will likely be those that provide multiple options rather than requiring wallets to implement specific protocols, ensuring that Travel Rule compliance remains accessible regardless of which wallet technology users prefer.

Notabene, a leading provider of crypto compliance solutions, today announced a new partnership with Mastercard to bring simplicity and enhanced safety to their powerful crypto compliance tools. Through a pilot program with M2, a prominent Abu Dhabi-based virtual assets service provider (VASP) regulated by the Financial Services Regulatory Authority (FSRA) within the Abu Dhabi Global Market (ADGM), Notabene will integrate Mastercard Crypto Credential into its SafeTransact platform, facilitating the secure and privacy-preserving exchange of transaction metadata for M2’s digital asset trading services.

Mastercard Crypto Credential verifies transactions among consumers and businesses using blockchain networks, providing the assurance that a user has met a set of verification standards and confirming that the recipient’s wallet supports the transferred asset. The solution simplifies the consumer experience by allowing crypto exchange users to send and receive digital assets – such as stablecoins being leveraged for remittances, a growing use case – using simple aliases, instead of the typically long and complex blockchain addresses. This empowers people to enjoy peace of mind knowing they are transacting with verified users, while reducing the risk of losing assets due to typos or incompatible assets. It also brings greater trust and certainty to crypto transactions through the exchange of metadata and Travel Rule information.

This integration between Notabene, M2 and Mastercard aims to significantly improve counterparty identification rates, ensuring compliance with the Travel Rule while reducing friction in VASP-to-VASP and cross-border transactions. By employing advanced encryption and data minimization practices, the integration will help ensure that sensitive information is protected while also enabling convenient and compliant transactions. The pilot aims to showcase how VASPs and traditional financial institutions can come together to mitigate risks associated with digital asset transfers while maintaining operational simplicity for institutions and their retail customers.

Pelle Braendgaard, CEO of Notabene, commented on the partnership: "Our collaboration with Mastercard represents a significant leap forward in making crypto transactions as safe and straightforward as traditional financial operations. By combining our expertise in crypto compliance with Mastercard's global reach and digital assets capabilities, we're setting a new standard for consumer trust in crypto payments. This partnership is not just about solving today’s compliance challenges but also lays the groundwork for supporting innovations such as self-hosted wallet integrations, further expanding the scope of secure and trusted crypto transactions."

"As the digital assets ecosystem matures, Mastercard is continuing to innovate to stay ahead while ensuring safe, compliant, and trusted interactions,” said Raj Dhamodharan, executive vice president, Blockchain & Digital Assets at Mastercard. “By integrating Mastercard Crypto Credential with Notabene’s industry-leading compliance solutions, we're enhancing connectivity and trust to foster the adoption and integration of a range of digital assets – from Bitcoin to stablecoins – into the global financial ecosystem. This partnership with Notabene and M2 expands our reach and interoperability across the crypto landscape."

In collaboration with M2, Mastercard and Notabene are demonstrating practical applications of this joint solution. Deepak Garg, Chief Compliance Officer at M2, adds: "As a leading virtual assets service provider, we are committed to staying aligned with global regulatory standards while enhancing the user experience for our customers. By partnering with Notabene and Mastercard, we can bring even more secure and compliant digital asset transactions to a global audience. This approach not only strengthens trust with our customers, but also opens new opportunities for growth by expanding the network of reliable counterparties for safe and secure transactions."

The pilot program is currently limited to select regions, including the United States, Brazil, Mexico, Argentina, and several European countries, with plans for expansion in the near future.

Interested in integrating Mastercard Crypto Credential into your transaction authorization workflow? Visit notabene.id/mastercard to learn more.

Media Contact
Clay Fain, Notabene
clay@notabene.id

About Notabene
Notabene is the crypto industry’s premier platform for pre-transaction authorization and decision-making, empowering customers to detect and prevent high-risk activities before they occur. With SOC-2 and ISO27001 security certification and a strong focus on privacy and user experience, Notabene’s flagship product, SafeTransact, offers a comprehensive suite of features, including real-time authorization, decision-making, counterparty sanctions screening, and self-hosted wallet identification. Headquartered in New York, Notabene operates globally and has a presence in Switzerland, Singapore, Germany, and the United Kingdom.

Trusted by over 200 companies, including Copper, Luno, Crypto.com, and Bitstamp, Notabene offers a full suite of Travel Rule compliance tools to ensure compliance with global and local regulations.
www.notabene.id

About M2
Headquartered in Abu Dhabi, M2 has a mission to drive virtual asset adoption within the UAE by delivering a secure and transparent trading environment for investors. The platform provides investors with a growing suite of virtual asset products while ensuring strict regulatory compliance. Regulated by the Financial Services Regulatory Authority (FSRA) located in the Abu Dhabi Global Market (ADGM), M2 Limited and M2 Custody Limited are committed to ensuring a safe trading experience, upholding the highest standards of regulatory compliance.

www.m2.com

About Mastercard

Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re building a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.

www.mastercard.com

‍

DORA and the Future of Digital Resilience: What It Means for ICT Providers Like Notabene

As the financial sector becomes increasingly digital, its dependency on resilient infrastructure is under the microscope. Cyber threats are rising, and regulators are responding. The EU’s Digital Operational Resilience Act (DORA), which took effect on January 17, 2025, establishes a new, binding standard for operational security across 20 categories of financial institutions and their third-party ICT (Information and Communications Technology) service providers.

What sets DORA apart is its shift from guidance to obligation. Operational resilience is no longer a best practice—it’s a legal requirement. Systems must be secure, regularly tested, and prepared to withstand real-world attacks and disruptions.

For ICT providers like Notabene, which supports financial institutions and VASPs with compliance infrastructure, the message is clear: trust begins with security, and resilience is now essential.

What DORA Means for ICT Providers

DORA introduces a unified framework that ensures every link in the financial services supply chain is built for resilience. Key requirements include:

• Resilience testing by default: ICT vendors must undergo penetration testing, simulated threat scenarios, and security assessments to demonstrate that they can handle operational disruption.
• Faster, clearer incident reporting: When incidents occur, financial institutions are required to report them promptly. Their ICT partners must support these disclosures with detailed technical input.
• Stricter oversight of third-party vendors: Institutions are expected to evaluate and continuously monitor their ICT providers to ensure alignment with both regulatory and contractual standards.

For companies serving banks, VASPs, and other regulated institutions, meeting these expectations signals more than compliance. It shows preparedness and earns trust.

Notabene’s Security-First Mindset

At Notabene, security isn’t an afterthought or a reactive measure—it has always been foundational. Long before DORA came into effect, we invested in the infrastructure, policies, and safeguards that operational resilience requires.

Here’s how we go beyond the baseline:

Bank-grade due diligence

Our infrastructure undergoes rigorous reviews by global financial institutions. We align with the same standards they apply to their own systems.

Third-party audits and continuous testing

We work with independent security firms to conduct regular penetration tests, vulnerability scans, and compliance checks. These audits help us proactively identify and mitigate risk.

Global compliance alignment

We maintain SOC 2 and ISO 27001 certifications, and follow industry-leading practices in encryption, access controls, and system integrity.

Resilient by design

Our incident response protocols are structured for speed and transparency:

• Real-time threat detection to identify anomalies early
• Streamlined escalation processes to coordinate responses internally and externally
• Client-facing communication tools to share timely updates and mitigation plans

We’ve built these systems not because regulations demanded it, but because our clients do.

Why DORA Compliance Matters for Financial Institutions & VASPs

With DORA now in force, regulated institutions are reevaluating their partnerships. Compliance checklists are no longer enough—they need demonstrable resilience, backed by action and transparency.

This shift will raise expectations across the board. Financial institutions will gravitate toward ICT providers who can prove operational readiness through certifications, audits, and clear governance.

At Notabene, we’re already there. Security and trust are embedded in everything we do. And as compliance becomes a foundational layer of financial infrastructure, we’re proud to support our clients in meeting and exceeding evolving standards.

DORA is reshaping how financial institutions and technology partners think about operational resilience. ICT providers that fail to meet its expectations will be left behind. But for those who embrace it, there’s an opportunity to lead with trust, security, and readiness.

For Notabene, DORA is not a challenge—it’s validation. The systems we’ve built were designed with this level of scrutiny in mind from the very beginning.

Let’s talk about how we can help your institution stay ahead of these expectations and build resilience that lasts.

As crypto compliance reaches its tipping point due to key jurisdictions enforcing Travel Rule regulations such as the European Union, Turkey, Seychelles, South Africa, and others – the Travel Rule has become a critical focus for Virtual Asset Service Providers (VASPs). The requirement to securely share and verify sender and recipient information along with crypto transactions is a foundational step toward fostering trust in the ecosystem. However, the methods employed to meet these requirements vary widely—and not all are sustainable.

One approach, the email-based method for data exchange, has gained traction among some platforms and VASPs. While this method might seem efficient on the surface, it faces significant scalability, security, and operational challenges that limit its effectiveness in the long term. 

Why do email-based solutions fall short? And what critical decisions should VASPs make in order to future-proof their compliance operations? 

Let's explore.

Operational Scalability: The Breaking Point

At the heart of the Travel Rule is the exchange of information between originating and beneficiary VASPs. Email-based systems satisfy this basic minimum requirement and typically follow a process like this:

1. The originator VASP sends a notification email to the beneficiary VASP.
2. The beneficiary receives the email, verifies their identity (often through a code or similar mechanism), and accesses the shared information.
3. The information is presented in a downloadable file, such as a JSON object.

While this process may work for VASPs with low transaction volumes, its scalability crumbles under the real-world demands that come with substantial daily transaction volume:

• Manual Verification: Each transaction requires individual attention, from opening emails to entering verification codes. For VASPs handling hundreds or thousands of transactions daily, this approach is operationally infeasible.
• File Processing Overload: Beneficiaries often receive raw data files, leaving them responsible for integrating the information into their systems. This creates additional friction and inefficiency.
• Lack of Automation: Without robust integration options, email-based solutions force compliance teams into repetitive manual workflows, increasing the risk of human error and missed deadlines.

In today’s fast-paced crypto environment, these limitations make it clear that email-based methods cannot support the industry’s growing needs.

Security and Privacy Risks

Another critical challenge for email-based solutions is ensuring data security and privacy—an area of increasing scrutiny in jurisdictions like the EU, where compliance is non-negotiable. Key concerns include:

• Data Exposure: Email, while widely used, is not inherently secure. Even with encrypted attachments, the transmission of sensitive customer information via email introduces vulnerabilities.
• PII Handling: Downloading and storing Personally Identifiable Information (PII) on local machines can lead to unintended breaches. Once the data leaves the secure confines of a system, it’s much harder to track and control.
• End-to-End Encryption: True end-to-end encryption, where data is encrypted from the point of origin to its final destination, is often missing in email-based systems. This leaves a critical gap in protecting sensitive information.

In fact, email-based systems are particularly vulnerable to cyberattacks, making them a less secure option for handling sensitive information. According to a Forbes article, in 2023, more than 94% of organizations reported email security incidents.

Poor User Experience for Beneficiaries

While many email-based systems focus on the needs of the originating VASP, they often neglect the beneficiary’s experience. This creates friction and decreases the likelihood of successful data exchange:

• Cumbersome Processes: Beneficiaries are required to open emails, verify their identity, and process files manually. For smaller VASPs with limited resources, this process can be overwhelming.
• No Response Mechanism: Many email-based systems lack a way for beneficiaries to confirm or reject transactions, leaving originating VASPs in the dark about the status of their requests.
• No process for handling missing information: These systems often fail to address scenarios where information is incomplete or inaccurate. Beneficiaries have no standardized way to request corrections or additional details, further complicating the process and risking regulatory non-compliance. This lack of flexibility increases frustration for compliance teams and hampers successful collaboration between VASPs.

The Path Forward: Scalable Alternatives

To overcome these challenges, VASPs need to embrace solutions designed for scalability, security, and efficiency. Key features of a robust Travel Rule compliance system include:

• Automation: Eliminating manual processes through API integrations and automated workflows reduces friction and increases scalability.
• Real-Time Verification: Direct communication between VASPs enables faster responses and better alignment with regulatory requirements.
• End-to-End Encryption: Protecting data at every stage of the process ensures compliance with GDPR and other privacy regulations.
• Feedback Mechanisms: Allowing beneficiaries to confirm or reject transactions creates a complete compliance loop, enhancing trust and transparency.

The Bottom Line

The crypto industry is at a crossroads. As compliance requirements become more stringent, the need for scalable, secure, and user-friendly solutions is greater than ever. 

Email-based Travel Rule solutions, while functional in limited scenarios, cannot support the industry’s growth or the regulatory demands of tomorrow. 

VASPs must prioritize modern, scalable platforms that address the full range of operational, security, and compliance needs. Now is not a time to settle for the bare minimum in terms of Travel Rule compliance, because security and scalability are not things you settle on. 

By considering needs beyond the most basic check-the-box requirements, VASPs can not only meet today’s compliance obligations but also build a foundation for a more efficient, secure, and compliant future for their business.

It’s official—Turkey has introduced FATF-aligned Travel Rule regulations to its cryptocurrency framework! These updates mark a major milestone for the crypto industry in the region, strengthening transparency and security for digital asset transactions. As leaders in this space, we're here to help you navigate what this means for your organization.

What You Need to Know

Travel Rule in Turkey will be in effect as of February 25, 2025.

Note: This is a summary of the new guidelines. For a full picture of Travel Rule compliance in Turkey, please visit our comprehensive Turkey jurisdiction page, or schedule time for a free consultation with our regulatory experts.

Regulating Body and Regulated Entities

The Financial Crimes Investigation Board (MASAK), under the Ministry of Treasury and Finance, is the primary regulatory authority overseeing cryptocurrency in Turkey. MASAK is responsible for implementing anti-money laundering (AML) and counter-terrorism financing (CTF) regulations, including the enforcement of the FATF-aligned Travel Rule. As such, Virtual Asset Service Providers (VASPs) in Turkey are required to register with MASAK and comply with its AML and CTF framework. Notably, MASAK has expanded the definition of regulated entities to include certain financial transactions and service providers, including e-commerce platforms and large-scale intermediary service providers.

What is the minimum threshold for the Crypto Travel Rule in Turkey?

While the Crypto Travel Rule in Turkey applies to all transfers, there is a wider scope of information that needs to be transmitted for transfers of 15,000 TL or above. Additionally, no information verification is required for transfers below 15,000 TL.

What personally identifiable information is required to be shared for the Crypto Travel Rule in Turkey?

Transfers ≥15,000 TL must include:

Originator:

• Name or entity name
• Wallet address or transaction reference number
• One of the following identifiers:
  • Address
  • Date and place of birth
  • Customer number
  • National identification number (e.g., citizenship number, passport number, or tax identification number)

Beneficiary:

• Name or entity name
• Wallet address or transaction reference number

Transfers <15,000 TL must include:

Originator and Beneficiary:

• Name or entity name
• Wallet address or a transaction reference number

Handling Missing Information

Crypto service providers must request missing details. Transfers with unresolved deficiencies will be returned or rejected, and persistent non-compliance could result in business restrictions.

Risk-Based Measures

VASPs must perform enhanced due diligence for high-risk transactions, collecting additional information and restricting transfers if necessary.

Unregistered Wallets

Transfers to and from unregistered wallets now require a customer declaration, ensuring all transactions comply with AML measures.

Implications for Compliance Teams

Businesses operating in Turkey must prepare for operational changes, such as:

✅ Updating systems to verify sender details for qualifying transactions.

✅ Implementing enhanced due diligence for high-risk transfers.

✅ Collecting declarations for unregistered wallet transactions.

What about VASPs outside of Turkey?

When dealing with foreign providers not obligated to share sender/recipient details, obtain customer declarations with similar identifiers. This means that non-Turkish VASPs will need to be prepared to respond to Travel Rule requests from any customers of Turkish VASPs, even if they are not operating in a regulated jurisdiction, or else face the potential of returned transfers, the rejection of future transactions or termination of business relationships.

Why It Matters

MASAK’s proactive measures create a more transparent and secure ecosystem for virtual assets, enabling trust between service providers and users. But with stricter requirements comes the need for robust compliance solutions.

💡 That’s where Notabene comes in. Our platform offers seamless compliance management, helping VASPs navigate these changes while reducing operational friction.

How is your team preparing for these changes?

To discuss how Notabene can support your compliance journey, schedule time for a free consultation with our regulatory experts