Compare firms
Knowledge / aml-travel-rule

AML, the Travel Rule and DORA: the compliance stack for a CASP

By Editorial Team · Reviewed by Editorial Team · 2026-07-15
In short

A CASP must build three pillars: an AML/CFT programme led by an MLRO, Travel Rule and TFR compliance for transfers, and DORA operational resilience. All three are assessed before a licence is granted.

Quick facts
  • The three pillars are AML/CFT (with an MLRO), the FATF Travel Rule / EU TFR, and DORA operational resilience.
  • An MLRO is the named, accountable officer responsible for the AML/CFT programme and suspicious-activity reporting.
  • The Travel Rule requires originator and beneficiary information to travel with a crypto transfer, mirrored in the EU by the TFR.
  • DORA sets ICT risk-management, incident-reporting, resilience-testing and third-party oversight duties.
  • Regulators assess all three at authorisation, not after launch; a thin programme is a common reason applications stall.

What is the compliance stack a CASP has to build?

A licensed crypto-asset service provider has to stand up three compliance pillars at the same time: an AML/CFT programme, transfer-level Travel Rule and TFR compliance, and DORA operational resilience. These are not sequential nice-to-haves. A regulator reviewing an authorisation application expects to see all three designed, documented, and staffed before it grants a licence, and a thin showing on any one of them is a common reason applications stall.

It helps to think of them as answering three different questions. AML/CFT asks: do you know who your customers are and can you spot and report financial crime? The Travel Rule asks: does the right information travel with each transfer? DORA asks: can your systems keep running and recover when something breaks? A firm that is strong on one and weak on the others is not ready.

Pillar one: the AML/CFT programme and the MLRO

The first pillar is a written AML/CFT programme owned by a named Money Laundering Reporting Officer. The MLRO is the accountable individual — not a committee — responsible for the anti-money-laundering and counter-terrorist-financing controls, and regulators want to see a real person with authority, seniority, and time for the role.

At a high level the programme has to cover customer due diligence and identity verification, ongoing transaction monitoring, a risk-based approach that treats higher-risk customers and products differently, sanctions screening, record-keeping, staff training, and a clear route for filing suspicious-activity reports. It also needs governance: policies that are actually approved, tested, and updated, not a template sitting in a drawer. The standards trace back to FATF recommendations and, in the EU, to the anti-money-laundering framework applied to CASPs. Specific thresholds and formats depend on jurisdiction and change, so confirm current local rules with your regulator.

Pillar two: the Travel Rule and the EU TFR

The second pillar is making sure required information travels with each crypto-asset transfer. The FATF Travel Rule is the global standard: when value moves between service providers, originator and beneficiary details have to accompany the transaction so it can be traced. In the EU this is implemented through the Transfer of Funds Regulation, which extends the same logic to crypto-asset transfers.

In practice a CASP has to collect and verify the right data on both sides of a transfer, transmit it securely to the counterparty provider, and handle cases where the counterparty is unknown or non-compliant — including so-called unhosted or self-hosted wallets, which carry their own checks. This usually means adopting a Travel Rule messaging solution and building procedures for missing or inconsistent information. It sits on top of the AML pillar rather than replacing it: the Travel Rule governs the transfer, while CDD and monitoring govern the relationship. The exact data fields and de-minimis treatment depend on jurisdiction and change, so verify the current text.

Pillar three: DORA and operational resilience

The third pillar is operational resilience under the Digital Operational Resilience Act. DORA addresses a different risk from money laundering — it asks whether a firm’s technology can withstand and recover from disruption, whether that is an outage, a cyber-attack, or a failed provider. For an EU CASP it is now part of the same authorisation conversation as AML.

At a high level DORA sets duties across five areas: ICT risk management with clear internal ownership; incident classification and reporting to authorities; digital operational resilience testing; oversight and contractual control of third-party technology providers, including critical cloud services; and information-sharing on cyber threats. Because crypto businesses run on outsourced infrastructure, the third-party oversight requirements matter a great deal, and mapping every critical provider is often the heaviest lift. As with the other pillars, precise reporting timelines and testing expectations depend on the applicable rules and change, so confirm the current requirements.

Attribution

The framing above draws on public commentary from practitioners who advise regulated firms on crypto, AML, and payments compliance. Among them, Arun Srivastava, a partner at Paul Hastings in London, writes and speaks on UK and EU crypto authorisation, money-laundering compliance, and payment-services regulation. See his firm profile in the sources and expert references for his published work; this box cites his public expertise and does not represent an endorsement of this index.

Expert perspective

For a practitioner view on this topic, follow Arun Srivastava (Partner, Paul Hastings (London)) — Advises regulated firms on crypto, EMI authorisation, payment services and money-laundering compliance across the UK and Europe, with an FCA secondment behind him.

Cited as an independent authority, not affiliated with this index. View profile → · more experts

Frequently asked

What are the three compliance pillars a CASP must build?

An AML/CFT programme led by an MLRO, Travel Rule and EU TFR compliance for crypto transfers, and DORA operational resilience covering ICT risk, incident reporting and third-party oversight. All three are assessed at authorisation.

What does an MLRO do?

The Money Laundering Reporting Officer is the named, accountable person who owns the AML/CFT programme, oversees monitoring and customer due diligence, and files suspicious-activity reports with the relevant authority.

What is the Travel Rule for crypto?

It requires that originator and beneficiary information travel with a crypto-asset transfer between providers, so transactions can be traced. The FATF sets the standard; the EU implements it through the Transfer of Funds Regulation.

Does DORA apply to crypto firms?

Yes. DORA covers CASPs among other EU financial entities, setting requirements for ICT risk management, incident reporting, resilience testing and oversight of technology providers. It is checked alongside AML at authorisation.

Sources

Editorial explainer, not legal advice. Confirm current rules with the named regulator or a qualified firm. See the CLBR ranking and methodology.