99 Jurisdictions & Counting: The Supervision Gap

When the Financial Action Task Force (FATF) published its 2025 Targeted Update on Implementation of the FATF Standards on Virtual Assets and Virtual Asset Service Providers (VASPs), the headline figure was striking. Eighty-five jurisdictions have now passed Travel Rule legislation, up from 65 the previous year. A further 14 are in the process of doing so, bringing the total to 99. The number suggests convergence, momentum and shared purpose.

Yet the data beneath the headline tells a different story. Of the 85 jurisdictions that have formally passed Travel Rule legislation, approximately 59 per cent have yet to issue a single supervisory finding, directive or enforcement action. Legislation without supervision is not regulation. It is performance.

The gap between statute and supervision is not incidental

The distinction between passing a law and enforcing it is not merely procedural; it is structural. A jurisdiction that has enacted Travel Rule legislation but has neither licensed VASPs nor conducted a supervisory inspection has not implemented the standard in any meaningful sense. The FATF itself acknowledges this.

Its 2025 update notes that only 33 per cent of jurisdictions require VASP licensing in practice. Recommendation 15 (R15) is the broader FATF standard governing virtual asset regulation, encompassing licensing, risk assessment and supervision; the Travel Rule under Recommendation 16 (R16) is one component of that framework. Only one jurisdiction globally is rated fully compliant with R15. Approximately 29 per cent are largely compliant. Roughly half remain partially compliant. Twenty-one per cent are not compliant at all. These figures do not describe a functioning global regime. They describe one in formation.

The enforcement gap is not simply a matter of timing. The FATF extended its recommendations to cover virtual assets in 2019. Six years later, most jurisdictions with laws on the books have taken no enforcement action. That is not administrative delay. It is a deficit in supervisory capacity, political will, or both.

The sunrise issue is a structural vulnerability, not a transitional phase

The FATF uses the term ‘sunrise issue’ to describe uneven adoption of the Travel Rule across jurisdictions. The metaphor implies a temporary condition: some jurisdictions are simply earlier in the day than others. In practice, it is not transitional. It is a persistent structural vulnerability.

When a VASP in a compliant jurisdiction transmits originator and beneficiary data to a counterpart that has enacted legislation but not operationalised it, the exchange fails or becomes one-directional. The compliant firm bears the cost. The non-compliant counterpart faces no consequence. This asymmetry does not incentivise compliance. It penalises it.

The FATF’s June 2025 Best Practices on Travel Rule Supervision report acknowledged further challenges. Some protocols lack interoperability. Others have gaps that complicate compliance. Supervisors in many jurisdictions do not know what level of Travel Rule understanding exists among the firms they oversee. Legislative ambition without supervisory capacity is a dangerous combination.

Legislation is necessary but it is not sufficient

The pattern is familiar. Legislation is the visible, politically achievable step. It allows governments to report progress to the FATF, satisfy mutual evaluation criteria and signal intent. Supervision requires something harder: trained examiners, licensing regimes, inspection frameworks and the institutional authority to sanction non-compliance.

These are expensive, complex and slow to build. The result is a global landscape in which statutory coverage has expanded rapidly while operational effectiveness remains thin.

Japan offers an instructive counterexample. The Financial Services Agency (JFSA) publishes summaries of its supervisory actions, including business suspensions and licence revocations. The FATF’s Best Practices report cited Japan’s approach as a model. Findings from the JFSA’s monitoring are shared with the private sector through annual reports, creating a feedback loop in which firms can see what constitutes non-compliance and supervisors demonstrate the standard carries consequences.

The revised Recommendation 16 raises the stakes further

In June 2025, the FATF agreed revisions to R16, now explicitly reframed as the standard on ‘Payment Transparency’. The changes take effect by the end of 2030. They clarify responsibilities within the payment chain, standardise the information required in payment messages and introduce new obligations around beneficiary verification and fraud prevention.

The payment landscape has changed fundamentally since the original Travel Rule was adopted in 2001. Non-bank financial institutions, fintechs and digital payment systems now perform functions once exclusive to traditional banks. The principle of ‘same activity, same risk, same rules’ is no longer aspirational. It is embedded in the standard itself.

The implications are significant. The revised standard requires more detailed information for both originators and beneficiaries, including address, date of birth and Legal Entity Identifier (LEI) numbers for legal persons, aligned with the data capacity of ISO 20022. For jurisdictions that have not operationalised the existing Travel Rule, this is a compounding obligation. They must build supervisory capacity for a significantly expanded framework less than five years away.

Cross-border fragmentation is the real compliance risk

The supervision deficit does not stay within borders. It creates systemic cross-border risk. Money-laundering networks exploit jurisdictional asymmetries, collecting funds in one jurisdiction, withdrawing them in another and reinvesting them elsewhere.

The FATF’s 2025 update noted the increasing misuse of stablecoins across all crime types. Virtual assets are being used to launder fraud proceeds, fund terrorism and finance weapons proliferation. In the single largest virtual asset theft in history, Democratic People’s Republic of Korea (DPRK)-linked actors stole approximately 1.5 billion US dollars from the exchange ByBit in February 2025, as confirmed by the Federal Bureau of Investigation (FBI). These are not hypothetical risks. They are operational realities.

The jurisdictional patchwork compounds the challenge. The European Union’s recast Transfer of Funds Regulation 2023/1113 (TFR), effective since December 2024, requires compliance for all crypto transfers regardless of amount. The UK has enforced its version since September 2023 under Financial Conduct Authority (FCA) guidance. In the US, the Financial Crimes Enforcement Network (FinCEN) applies a threshold of 3,000 US dollars. The Monetary Authority of Singapore (MAS) requires compliance above 1,500 Singapore dollars. Switzerland, through the Swiss Financial Market Supervisory Authority (FINMA), has adopted one of the most stringent frameworks globally.

These jurisdictions have moved beyond legislation to active supervision. The question is what happens when their regulated firms transact with counterparts in the 50 jurisdictions that have passed laws but taken no supervisory action.

Firms cannot wait for supervisory regimes to mature

The compliance implications are immediate. Legislative status alone is a wholly insufficient indicator of counterparty risk. Firms must assess supervisory effectiveness, not merely statutory coverage, when managing cross-border Travel Rule obligations.

In practice, this means determining whether a counterpart is a regulated VASP, an unregistered entity or an unhosted wallet, often without reliable guidance. The FATF has urged jurisdictions to operationalise the Travel Rule swiftly. Whether this translates into action where it is most needed remains to be seen.

The illusion of compliance is more dangerous than non-compliance

There is a deeper risk than the enforcement gap itself: the risk of mistaking legislative activity for regulatory effectiveness. Ninety-nine jurisdictions have passed or are passing Travel Rule legislation. The number is impressive. Yet if success is measured by supervisory actions taken, non-compliant entities identified and illicit finance disrupted, the picture is far less reassuring.

The FATF’s own data confirms this: one jurisdiction globally is rated fully compliant with Recommendation 15. One.

The currency of the Travel Rule is not legislation. It is supervision. Until the jurisdictions that have enacted laws begin to enforce them, through licensing, inspection, published findings and visible sanctions, the global regime will remain a framework of rules observed by the willing and ignored by the rest. That is not a compliance regime. It is a compliance illusion.

Is your firm confident that its counterparty risk framework reflects the reality of Travel Rule enforcement?

At OpusDatum, we help firms navigate cross-border compliance by providing independent, data-led intelligence on regulatory effectiveness, supervisory capacity and enforcement trends. Our analysis goes beyond legislative coverage to assess whether the regimes firms rely upon are operationally credible.

Contact us to find out how our regulatory intelligence can strengthen your WTR compliance position.