Identity Matters: How VASPs Verify Customers to Meet UK MLR & Travel Rule Requirements
- Elizabeth Travis


As the cryptoasset sector continues to evolve, regulation is rapidly catching up with technological innovation. In the UK, Virtual Asset Service Providers (VASPs) must ensure that robust customer identification processes are embedded into their operations. These requirements are driven by the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, as amended, and reinforced by the Financial Action Task Force (FATF) Travel Rule, as applied to cryptoasset transfers. These frameworks are designed to impede the misuse of digital assets for money laundering, terrorism financing, and sanctions evasion. Yet meeting these requirements in practice presents significant operational and technological challenges for firms.
This article examines how VASPs are required to verify customer identity under UK law, the tools and practices they use to achieve compliance, and the broader shift needed toward an intelligence-led approach to financial crime prevention.
The Regulatory Backbone: MLRs & the Travel Rule
Since January 2020, UK-based cryptoasset exchange providers and custodian wallet providers have fallen within the scope of the Money Laundering Regulations (MLRs). As a result, they are subject to oversight by the Financial Conduct Authority (FCA) for anti-money laundering and counter-terrorist financing compliance. Regulation 27 of the MLRs mandates the application of customer due diligence (CDD) at onboarding, when conducting occasional transactions above £1,000 or equivalent, and whenever there is suspicion of financial crime or doubt over previously gathered identification data.
The CDD process obliges firms to identify the customer, verify that identity using independent and reliable sources, and understand the intended purpose of the business relationship. Further obligations arise under the UK's implementation of the Travel Rule, which took effect in September 2023 and stems from amendments to the Wire Transfer Regulations (WTR). These rules require that VASPs collect, verify, and transmit originator and beneficiary information for cryptoasset transfers, mirroring obligations long in place for fiat wire transfers.
Building a Verification Framework: From Onboarding to Monitoring
In practice, identity verification for VASPs typically involves three stages: gathering customer data, verifying it against trustworthy sources, and maintaining ongoing vigilance through transaction monitoring.
At the onboarding stage, individual customers are required to provide their full name, date of birth, residential address, and a government-issued form of photo identification. Corporate clients must provide their registration details, information on beneficial ownership, and verification of authorised representatives. These processes are increasingly facilitated through electronic Know Your Customer (eKYC) platforms which support document uploads and biometric authentication.
Verification involves cross-checking this information with government databases, trusted commercial data providers, and public registers such as Companies House. Biometric tools match photographs or video selfies to the official ID provided. Address verification may be supported through credit reference agencies or recent utility bills. Where digital identity systems are used, they must meet standards endorsed by the UK Government Digital Service and offer high assurance levels.
Once a business relationship is established, firms must conduct ongoing monitoring of customer activity. This includes refreshing identity documentation, conducting transaction monitoring to identify anomalous patterns, and applying enhanced due diligence when higher-risk scenarios emerge. The FCA expects monitoring to be dynamic, risk-based, and underpinned by clear governance and escalation procedures.
Enhanced Due Diligence: Scrutiny for Higher-Risk Relationships
Where a customer or transaction presents higher risk, VASPs are required to perform Enhanced Due Diligence (EDD). Common triggers include links to high-risk third countries, involvement of politically exposed persons (PEPs), non-face-to-face onboarding, or complex company structures designed to obscure ownership.
EDD involves gathering additional information on the customer’s source of funds and wealth, obtaining approval from senior management before entering into a business relationship, and conducting more frequent or granular transaction monitoring. In some cases, site visits or independent verification of legal arrangements may be required. Non-compliance with these heightened requirements can lead to regulatory sanction or revocation of registration.
FCA Supervision & the Cryptoasset Registration Regime
The FCA does not regulate cryptoassets for investor protection purposes but acts as the supervisory authority for AML/CTF compliance. As part of the cryptoasset registration regime, firms must demonstrate that they have adequate AML controls, qualified personnel, and systems for CDD, record keeping, and reporting of suspicious activity. The regulator has refused or withdrawn registration from dozens of firms that failed to meet these standards, including high-profile applicants. Public statements by the FCA frequently stress the importance of aligning cryptoasset firms with the wider expectations applied to the financial services sector.
Supervision by the FCA includes periodic information requests, inspections, and the ability to take enforcement action where serious breaches are identified. Cryptoasset businesses must also comply with the Proceeds of Crime Act 2002 and the Terrorism Act 2000, reinforcing the need to escalate suspected criminal activity through Suspicious Activity Reports (SARs).
Interoperability Challenges: Complying with the Travel Rule Across Borders
Compliance with the WTR within the UK is relatively straightforward where both parties are regulated by the FCA. However, the implementation of the Travel Rule globally is fragmented. Some jurisdictions have not adopted the rule at all, while others follow divergent models.
Several private-sector initiatives have emerged to support Travel Rule data exchange, including the Travel Rule Information Sharing Alliance (TRISA), the Travel Rule Protocol, and OpenVASP. These systems differ in their technical architecture, messaging formats, and verification methods. Lack of standardisation presents real challenges for VASPs who must interact with multiple counterparties using incompatible platforms.
UK VASPs are expected to perform a risk-based assessment when dealing with firms in jurisdictions that do not implement the Travel Rule. If the originator or beneficiary information cannot be reliably transmitted and verified, the FCA recommends that the transaction be suspended. These decisions require strong internal governance, documentation of risk assessments, and regular review of counterpart exposure.
Data Protection & Identity: Navigating UK GDPR Obligations
In verifying identity, VASPs process sensitive personal data. They must therefore comply not only with AML laws but also with the UK General Data Protection Regulation (GDPR). Firms must collect only the data necessary for the specified purpose, retain it for a proportionate period, and protect it against unauthorised access or loss.
Where biometric technologies such as facial recognition are used, a Data Protection Impact Assessment (DPIA) is generally required. VASPs must also ensure that customers understand how their data will be used, shared, and stored, and must provide clear mechanisms for exercising data rights such as access and correction. There is growing regulatory scrutiny of firms that over-collect data or fail to apply privacy-by-design principles to their compliance tools.
Sanctions Screening & Geo-Intelligence
Identity verification also underpins effective sanctions compliance. VASPs must screen customer details against sanctions lists maintained by the UK’s Office of Financial Sanctions Implementation (OFSI), the United Nations, and international partners such as the United States and European Union. Firms are also expected to deploy geolocation tools to prevent onboarding or servicing of customers located in sanctioned jurisdictions.
More sophisticated VASPs integrate geo-IP tracking, device fingerprinting, and transaction heuristics to flag attempts to circumvent controls, such as through the use of VPNs or proxy servers. Sanctions evasion through cryptoassets remains a critical area of concern for global regulators, particularly in relation to Russian energy exports, Iranian manufacturing inputs, and North Korean cybercrime.
The Future of Digital Identity & Global Coordination
Looking ahead, the identity landscape for VASPs is likely to shift further as governments and industry explore new digital identity models. In the UK, the government’s One Login programme aims to provide a universal and secure means of accessing public services, potentially setting a benchmark for private sector ID assurance. Meanwhile, innovations such as self-sovereign identity (SSI) and decentralised ID are attracting interest from privacy advocates and fintechs seeking alternatives to traditional documentation-based KYC.
At the international level, the FATF continues to urge jurisdictions to adopt consistent standards for identity verification and Travel Rule implementation. Greater interoperability, mutual recognition of digital IDs, and public-private data sharing frameworks are expected to play a pivotal role in enabling both compliance and innovation.
Conclusion: Identity as a Strategic Pillar of Financial Crime Compliance
Virtual Asset Service Providers in the UK are subject to stringent obligations under the MLRs and the WTR, requiring them to verify customer identity with diligence and rigour. Effective compliance goes beyond technical box-ticking; it demands strategic investment in risk-based frameworks, intelligent technology adoption, and a proactive culture of financial crime prevention.
The identity of a customer is no longer just a gatekeeping requirement at onboarding. It is the cornerstone of effective wire transfer and sanctions compliance, fraud prevention, and transaction monitoring. As regulatory expectations rise and illicit tactics evolve, the most resilient VASPs will be those who understand that customer identity is not a barrier to growth, but the foundation of a sustainable, secure digital asset economy.


