Who Owns the Travel Rule in DeFi?

Decentralised finance (DeFi) was built to remove intermediaries. The Travel Rule was built to hold intermediaries to account. That tension now sits at the centre of global supervision. The FATF expects originator and beneficiary information to accompany transfers involving virtual assets and for an accountable party to exist wherever a financial service is provided. Its updated guidance is explicit that so-called DeFi arrangements are not outside scope if there are natural or legal persons who control or operate a service, and jurisdictions should identify those owners or operators for compliance purposes. The same guidance reinforces the Travel Rule’s application to virtual asset service providers (VASPs) and the expectation of interoperability across networks.

The FATF’s targeted updates since 2023 have underlined a persistent implementation deficit. Many jurisdictions still lack fully operational Travel Rule regimes for crypto transfers, and supervisors continue to flag gaps around DeFi, unhosted wallets and peer-to-peer activity. The direction of travel is nevertheless clear. The FATF’s work programme calls for progress tracking and further clarification on DeFi and related risks.

What Regulators Actually Require

In the European Union, Regulation 2023/1113 extends the Travel Rule to “crypto-asset transfers,” with the European Banking Authority (EBA) issuing binding guidelines to harmonise information requirements and close practical loopholes. The EBA’s final guidelines, applicable from 30 December 2024, set out concrete data fields, verification expectations and handling of transfers involving non-obliged entities, creating an operational baseline for VASPs that interact with DeFi.

In the UK, the Financial Conduct Authority (FCA) has made clear that from 1 September 2023 UK cryptoasset businesses must collect, verify and share required originator and beneficiary information before permitting relevant transfers. The FCA’s statement aligns domestic expectations with FATF and anticipates cross-border frictions where counterparties operate in non-aligned regimes, urging firms to develop risk-based controls for those scenarios.

In the United States, the Financial Crimes Enforcement Network (FinCEN) continues to emphasise transparency around high-risk anonymity services such as mixers, signalling that activity design can trigger obligations even where decentralised components are involved. Its proposal to designate certain international convertible virtual currency (CVC) mixing activity as a class of transactions of primary money-laundering concern illustrates how functional analysis, not branding, is driving policy.

The Decentralisation Test Meets the Court of Law

Enforcement and litigation have started to define the limits of decentralisation as a shield from accountability. OFAC’s 2022 designation of Tornado Cash framed a sanctions case around the use of mixing smart contracts by DPRK threat actors and others, forcing a debate about whether immutable code can be designated as an entity.

A significant turn came in November 2024 when the Fifth Circuit held that Tornado Cash’s smart contracts did not constitute sanctionable “property” under IEEPA, curtailing OFAC’s theory of designation and signalling that code alone may not be a proper sanctions target. In March 2025, OFAC removed Tornado Cash from the SDN list, while related proceedings and individual accountability questions persisted. Together these developments mark an inflection point for how the law attributes responsibility within decentralised architectures.

Criminal liability theories are also being tested. In August 2025 a New York jury convicted Roman Storm on one count of conspiring to operate an unlicensed money transmitting business, while deadlocking or acquitting on the more serious counts. Earlier, Dutch courts convicted developer Alexey Pertsev on money-laundering charges. These mixed outcomes show that personal culpability can attach where a prosecutable service relationship is proven, but that courts are cautious about collapsing software authorship into strict liability for third-party criminal use.

The Practical Limits of the Travel Rule in DeFi

Even where legal accountability is clarified, decentralised architecture imposes practical limits. Smart contracts can route value without a hosted intermediary. User interfaces may be thin wrappers over on-chain functions. Liquidity can be provided by pseudonymous market participants with no central controller. The Travel Rule presumes an obliged entity that can collect, verify and transmit identity data at the point of initiation or receipt. In a protocol-only interaction, no such entity may exist in the traditional sense. FATF anticipated this challenge by directing authorities to look for persons with sufficient influence over a DeFi arrangement. That test captures governance token concentrations, admin-key holders, core team multisigs, or entities operating front ends that curate access, set fees or apply controls.

EU guidance goes further by prescribing how obliged VASPs must handle interactions when the counterparty is not an obliged entity, including scenarios involving unhosted wallets. This creates a compliance perimeter around the regulated side of a DeFi transfer, while leaving genuine protocol-to-protocol flows largely outside practical Travel Rule reach unless an accountable operator can be identified.

So Who Should Carry the Can?

Three models now compete for primacy.

The first places responsibility on protocol developers or operators. Where a team deploys, upgrades, promotes and profits from a service, regulators can argue there is an “owner or operator” capable of embedding Travel Rule-compatible controls, or of restricting access through monitored interfaces. FATF points supervisors in this direction, and courts have accepted variants of this logic when a service relationship is proven. The risk is over-attribution that chills open-source publication and research.

The second shifts accountability to access layers and liquidity providers. If an interface operator curates pools, sets fees, embeds compliance tooling and markets to retail users, it looks and behaves like a VASP and should meet Travel Rule obligations. Large liquidity providers that act professionally and repeatedly could be treated as financial service providers where they intermediate value rather than merely deploy capital. EU implementation already nudges in this direction by focusing obligations on the regulated VASP side of a transfer. The benefit is operational feasibility. The drawback is uneven coverage when users route around regulated gateways.

The third is a regulatory design model. Legislatures can create new perimeter concepts for decentralised financial services, defining when a protocol becomes an obliged entity by virtue of governance, fee capture or control over upgradability. FinCEN’s activity-based approach to mixers sketches the outline of such functional triggers, even if not addressed to Travel Rule duties. This model demands careful line-drawing to avoid criminalising architecture.

Towards Proportionate Answers

A workable settlement is emerging. Supervisors will expect Travel Rule compliance wherever there is a human-operated service layer, including custodial bridges, fiat on- and off-ramps, centralised front ends, wallet providers and professionalised liquidity operations. Where protocols are genuinely autonomous, the law will look for choke points that benefit from use and can therefore embed controls or deny access to known bad actors. The EU’s 2023/1113 framework and EBA guidelines give firms the operational grammar to do this in practice, while the UK’s expectations translate the same logic into a principles-based regime. The United States is signalling that design choices that market anonymity at scale will invite heightened obligations even when decentralised components are present.

The unsettled question is ethical as much as technical. The Travel Rule is an instrument of public trust. If DeFi is to claim a place in regulated finance, it must accept that privacy cannot be weaponised against traceability. Equally, regulators should resist the temptation to punish code where no service relationship exists. The test should be operational: who can embed proportionate controls without breaking the protocol’s legitimate utility, and who profits from providing access to value transfer at scale.

Conclusion: Where Accountability Should Rest

Accountability should sit where agency is real and controls are feasible. Protocol developers who retain upgradability, capture fees or operate curated front ends should be responsible for Travel Rule outcomes to the extent of that control. Interface operators and professional liquidity providers that intermediate user flows should meet full VASP-level obligations. Where neither condition applies, regulators should refine the perimeter rather than stretch existing powers to fit decentralised code. That balance aligns with FATF’s expectations, respects recent jurisprudence and gives DeFi a clear path to demonstrate integrity in practice.