TBW - Travel Rule: how crypto platforms share their customers' personal data

Travel Rule: a new framework in force since 2025

The "Travel Rule" is an anti-money laundering and anti-terrorist financing measure introduced by the FATF (Financial Action Task Force). Recommendation 16 of the FATF requires financial institutions to transmit information on the sender and beneficiary when transferring funds. Originally designed for traditional finance, this rule now also applies to digital asset service providers (DASPs).

In plain English: as soon as a user sends crypto-assets from one platform to another, the two must exchange the identifying data of the customers involved. This includes, as a minimum, the name of the sender and recipient, as well as the address of the wallet used, as soon as the amount exceeds $1,000 or €1,000.

For European players, this means verifying counterparties, collecting information, transmitting it securely, filtering transactions via sanction lists, and ensuring ongoing monitoring. All this while complying with strict personal data protection standards and trying to limit operational frictions.

This framework therefore requires specific infrastructures to be put in place, capable of verifying identities, automating certain regulatory checks and keeping evidence of data exchange. It also creates new risks, whether in terms of information leaks, internal flaws or technical incompatibilities.

A multitude of different tools for transmitting this data

To meet the requirements of the Travel Rule, platforms for exchanging digital assets have had to implement systems capable of exchanging their users' sensitive data securely. Several communication protocols coexist today, each offering a different approach to confidentiality, interoperability and governance.

TRUST (Travel Rule Universal Solution Technology) is one of the most widely adopted protocols. Developed by Coinbase and supported by several major platforms, it enables the secure exchange of data between verified VASPs (virtual asset service providers) via encrypted channels. The protocol is based on a closed model: only recognised players can participate.

TRP (Travel Rule Protocol) takes the opposite tack with an open source approach. Created by a consortium including Standard Chartered, ING and BitGo, it focuses on simplicity and interoperability, with the aim of facilitating adoption by a greater number of players.

Sygna Bridge offers a messaging API designed for VASPs. The tool focuses on the protection of personal data and the accuracy of information transmitted, while ensuring regulatory compliance.

TRISA (Travel Rule Information Sharing Architecture) is based on a decentralised peer-to-peer protocol. It enables platforms to exchange the required information without going through a central player, while incorporating privacy-preserving mechanisms.

CodeVASP Bridge, meanwhile, is a proprietary protocol used by Sumsub, a compliance player. It integrates directly with their platform to ensure the transmission and verification of data required by the Travel Rule.

GTR (Global Travel Rule) and Email Notification tools complete the ecosystem.

The latter is used when the counterparty cannot be reached via conventional protocols. In this case, an automatic email is sent (without sensitive data) inviting the VASP to register on the Sumsub platform. Each attempt is recorded for traceability purposes.

Focus on TRUST (Coinbase)

Among the communication protocols adopted to comply with the Travel Rule, TRUST occupies a central place, particularly in the United States. Launched at the initiative of Coinbase and a group of partner exchanges, it aims to establish a common framework for secure data sharing between platforms. Several European VASPs are already using it, such as France's Meria.

The way it works is based on a simple principle: the information required by the Travel Rule is transmitted directly between platforms, in encrypted form, without being stored on a central server. Before any transmission, the receiving platform must prove that it has checked the receiving address, thus guaranteeing the accuracy of the exchanges.

TRUST relies on end-to-end encrypted channels, and requires all its members to go through independent security, data protection and compliance audits. This creates a closed circle of trusted players, able to exchange regulatory data while preserving customer confidentiality.

The solution is based on an infrastructure called TRUSThub, which acts as a compliance layer that can be integrated into the platforms' technical infrastructure. TRUSThub enables the data required by the Travel Rule to be packaged, transmitted and received in a standardised way.

Among the features highlighted:

  • Interoperability, which enables dialogue with other VASPs, even if they do not use the same technology
  • Easy integration, thanks to an open network designed to facilitate the arrival of new members, including in new jurisdictions
  • Scalability, with an architecture capable of adapting to growing volumes of transactions
  • Participative governance, as key decisions are put to a vote by network members

The grey areas of TRUST

Despite its growing adoption, TRUST still raises many questions.

According to a manager of a European exchange platform, "the fact that a giant like Coinbase is spinning off to retrieve all the data of Europeans and forcing its competitors to communicate sensitive data is not something positive".

Behind a promise of efficiency and compliance with the Travel Rule, several grey areas remain, particularly on a technical, legal and organisational level.

First point: the lack of transparency. Little public information is available on the technical foundations of the protocol.

Interviewed by The Big Whale and despite our repeated reminders, Coinbase did not wish to answer our questions.

The detailed specifications, encryption mechanisms, or even internal procedures are not openly documented. This deficit limits the possibilities for independent audit and prevents external players from fully judging the robustness of the system.

Second point: the unclear differentiation of TRUST from the other protocols mentioned above. While TRUST claims certain characteristics such as interoperability and participatory governance, it remains difficult to understand what fundamentally distinguishes it from alternatives such as TRISA or TRP.

The issue of governance also remains unclear. We know that the entry of new members requires a vote by the existing members, but the terms of this vote (simple majority, right of veto, technical committee) are not specified. This lack of clarity raises the question of potential control by a small circle of players.

This risk is all the more present as the network is largely made up of large platforms, fuelling fears of a form of oligopolistic concentration. The compulsory sharing of personal data between these players also raises questions of compliance with the GDPR, particularly with regard to the location of data, the right to erasure and the explicit consent of users.

Another problematic point: access to the protocol for new entrants. Membership criteria are not public, and the integration process remains opaque for smaller or less institutionalised players. This limits the protocol's ability to adapt to a crypto ecosystem based on decentralised innovation.

Finally, security risks remain. If one of the member VASPs is compromised, the data it receives or transmits via TRUST may be exposed, with serious consequences: identity theft, financial fraud, or leakage of sensitive information.

Coinbase itself was the victim of a data leak affecting nearly 1% of the platform's users, including names, addresses, phone numbers, emails, passport photos and financial data. It is not yet known whether TRUST data was affected by this hack.

The problem is exacerbated by the heterogeneity of data protection standards in different jurisdictions, which increases the risk of mismanagement or abuse.

Despite its rise to prominence, TRUST is therefore not unanimously supported. Its model, although operational in some countries, continues to arouse reservations in an ecosystem where trust relies as much on transparency as on regulatory compliance.

Technological avenues to better reconcile compliance and privacy

Faced with the challenges posed by the Travel Rule (particularly in terms of personal data protection) several technological solutions are emerging to try and reconcile regulatory requirements and respect for user privacy.

Among the most promising: advanced cryptographic techniques. These tools allow platforms to exchange or verify information without exposing the raw data.

  • Zero-knowledge proofs (ZKPs) allow proof that a condition is met (for example, that a customer is correctly identified) without revealing the underlying data.
  • Secure multi-party computation (MPC) allows several players to collaborate on an operation (such as a compliance check) without revealing their respective information.
  • Homomorphic encryption, finally, allows data to be processed directly in encrypted form, avoiding the need to decrypt it at any point in the process.

Used together, these techniques could enable digital asset platforms to meet Travel Rule obligations while minimising the risks associated with the circulation of sensitive data.

Another complementary avenue: decentralised identity systems (Decentralised Identity, or DID). The idea is to give users back control over their identity data, by allowing them to manage it via a private cryptographic key.

In this model, users do not directly share their personal information with platforms. Instead, they can provide a cryptographic proof validated by a trusted entity. This allows VASPs to verify a user's identity without having to store, or even access, their data.

The concept of selective disclosure is central: only information that is strictly necessary to meet obligations is shared. This operation considerably reduces the risks of data leakage or misuse.
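To make selective disclosure concrete, here is an added sketch (not taken from any protocol named in this article) that uses salted hash commitments: a trusted entity signs digests of every claim, the user opens only the ones the Travel Rule requires, and the receiving VASP checks them without seeing the rest. The function names and sample data are constructed for illustration, and an HMAC stands in for the trusted entity's public-key signature.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC under this key stands in for the trusted entity's
# public-key signature, so the block runs on the standard library alone.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample identity data (not real).
CLAIMS = {"name": "Alice Example", "wallet": "bc1q-constructed-example",
          "date_of_birth": "1990-01-01", "passport_no": "X0000000"}

def _digest(salt, name, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _sign(digests):
    msg = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(claims):
    """Trusted entity: commit to every claim with a fresh salt and sign the digests."""
    salts = {k: secrets.token_hex(16) for k in claims}
    digests = sorted(_digest(salts[k], k, v) for k, v in claims.items())
    return {"digests": digests, "sig": _sign(digests)}, salts  # salts stay with the user

def present(claims, salts, credential, reveal):
    """User: open only the commitments named in `reveal`."""
    return {"credential": credential,
            "disclosed": [[salts[k], k, claims[k]] for k in reveal]}

def verify(presentation):
    """VASP: return the disclosed claims if they match the signed digests, else None."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["sig"], _sign(cred["digests"])):
        return None
    shown = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None
        shown[name] = value
    return shown

if __name__ == "__main__":
    credential, salts = issue(CLAIMS)
    proof = present(CLAIMS, salts, credential, ["name", "wallet"])
    print(verify(proof))  # only name and wallet reach the receiving VASP
```

The per-claim random salt is what keeps the undisclosed fields private: without it, a receiving VASP could guess low-entropy values such as a date of birth and confirm the guess against the signed digests.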

While these technologies are still in the experimental phase in the sector, they represent a promising way of building compliance that is more respectful of users' rights. In a context of increasing regulatory scrutiny, they could emerge as a strategic lever for players seeking to reconcile innovation and legal requirements.

The Big Whale's opinion

The implementation of the Travel Rule in the crypto world is not limited to a simple technical compliance exercise. It crystallises a wider dilemma: how far can the industry go to meet regulators' demands without betraying the principles on which cryptocurrencies were founded (individual sovereignty, pseudonymity, decentralisation)?

Protocols such as TRUST, TRP or TRISA are the first milestones in a compromise that is still unstable. They seek to reassure the authorities and professionalise exchanges between platforms, but at the cost of increasing standardisation, often driven by the major players.

Behind the promises of interoperability and open governance lies the risk of a closed architecture, in which only players with the means to comply with the rules can participate. A form of centralisation, this time under the guise of compliance.

More fundamentally, this trend raises a strategic question: is the crypto industry in the process of institutionalising itself through absorption, or is it capable of imposing its own standards of trust and transparency? Advanced cryptographic tools and decentralised identities offer ways out of this impasse, but they are still struggling to gain traction in practical deployments.
