iGaming Payment Solutions
Two things every crypto-accepting iGaming operator gets wrong about the FATF Travel Rule. The first is that the rule does not apply to a casino because it covers virtual asset service providers and a casino is not a . The second is that the rule does apply, but the $1,000 baseline puts deposit volume below that line out of scope. Both readings are wrong in different jurisdictions for different reasons, and the wrong reading lands operators in regulator letters they did not budget for.
What actually binds is the operator's license jurisdiction, not FATF guidance, and the threshold that matters is whatever the local CASP regulator wrote down. EU casinos under TFR-supervised crypto PSPs face a zero-threshold environment as of December 30, 2024. UK operators have been at zero since September 1, 2023. US books with crypto rails apply $3,000. Canadian casinos sit at CAD 1,000. The audit below works through what the rule actually requires on the wire, what CoinsPaid and CoinGate are doing on inbound that the operator can rely on, where the five-year retention obligation lives, and which jurisdictions enforce in May 2026 versus which only legislated.
Are you the VASP under FATF, or just a customer of one?
The FATF definition of a virtual asset service provider is whoever conducts one or more of: exchange between virtual assets and fiat, exchange between one VA and another, transfer of VAs, custody or administration of VAs on behalf of clients, or participation in financial services for VA issuance. That definition sits in the FATF Recommendation 15 guidance updated through June 2025. A casino that custodies player crypto in a wallet it controls, even when the only customer-facing services are deposit and withdrawal, fits the "custody or administration of VAs" leg of that definition.
Most iGaming operators do not custody. They route player crypto to a payment service provider (CoinsPaid, CoinGate, BitPay, NOWPayments, Triple-A, or CoinPayments are the names that recur) that holds the wallet, runs the inbound , and settles fiat or stablecoin to the operator's account. In that architecture the PSP is the and the operator is the PSP's customer. The Travel Rule binds the PSP's data flows. The operator inherits AML and KYC obligations through the gambling license rather than through rules.
The line is sharper than it sounds. An operator running its own hot wallet that a player can deposit to and withdraw from has crossed from customer-of-VASP to itself in jurisdictions that read the FATF definition strictly: Lithuania, Estonia, France post-PSAN registration, Germany under BaFin's 2020 guidance. The same operator routing the same player flow through CoinsPaid or CoinGate has not. The PSP arrangement is what keeps the Travel Rule a vendor-side problem instead of an operator-side licensing problem.
Curacao GCB-licensed books and Anjouan-licensed books are the gray zone. Curacao's 2024 LOK reform asks for AML controls comparable to FATF Recommendation 15, but classification for casino-hot-wallet architectures is not enforced at the same intensity as in the EU. An offshore operator with its own hot wallet that has not registered as a under any framework may still be one in the eyes of a regulator that eventually examines it, and routing through a registered PSP is the answer that holds up under audit.
The decision rule for the rest of this audit: if the crypto rail is CoinsPaid, CoinGate, or one of the named PSPs, the Travel Rule sits on the PSP and the operator's job is to make sure the PSP can do its job. If the operator runs its own wallets, the rule sits on the operator and the rest of this article is the bare minimum.
The originator and beneficiary fields, and where your jurisdiction sets the threshold
The Travel Rule data set is short. The originating collects and transmits to the beneficiary : originator full name, originator account or wallet identifier, originator address or unique customer identifier, and the beneficiary's name and account or wallet. The beneficiary retains the same set on the inbound side and screens both ends against sanctions lists. That is the FATF baseline per the June 2025 update to Recommendation 16. It is not a heavy field set on its own. What makes it operationally costly is the threshold above which the rule fires, because the threshold defines whether the data flows on every deposit or only on a subset.
| Jurisdiction | Threshold | Effective | Self-hosted wallet rule |
|---|---|---|---|
| EU (TFR Reg 2023/1113) | €0 (all transfers) | 30 December 2024 | Verified ownership above €1,000 |
| UK (MLR 2017 Part 7A) | £0 (all transfers) | 1 September 2023 | Same scope as VASP transfers |
| US (BSA Travel Rule) | $3,000 | Pre-existing fiat rule extended to crypto | Out of scope (counterparty test) |
| Canada (FINTRAC, PCMLTFA) | CAD 1,000 | 1 June 2021 | Same scope as VASP transfers |
| Singapore (MAS PSN02) | All transfers; expanded data above SGD 1,500 | January 2020 | Out of scope |
| Switzerland (FINMA AMLO) | CHF 1,000 | February 2020 | Strict; verified ownership required |
| Japan (FSA, amended FIEA) | All transfers | June 2023 | Out of scope |
The implication for an iGaming book under any EU license, UK license, or Singapore CASP license is that "below threshold" is not a category. Every crypto deposit in those jurisdictions carries Travel Rule data on the way in, and every withdrawal carries it on the way out. The $1,000 FATF baseline is the default for jurisdictions that have not explicitly chosen tighter or looser, and the only major bookmaking economies that landed at or above the baseline are the United States at $3,000 and Switzerland at CHF 1,000 with strict unhosted-wallet rules.
A book licensed in Curacao, Anjouan, or Costa Rica targeting EU players sits in an awkward middle. The book itself is not under EU jurisdiction, but the player's CASP, which is the exchange the player is sending crypto from, often is. That counterparty CASP applies its own Travel Rule logic on the outbound transfer regardless of where the receiving casino is licensed. The data that lands on the operator's inbound wire is therefore the EU-baseline data set, and the operator should be ready to receive and process it even when its own license does not technically require it to.
What CoinsPaid and CoinGate transmit on inbound deposits
The vendor side of the Travel Rule is what most operators see in production. CoinsPaid and CoinGate are the two crypto-native PSPs in our database with EU regulatory licenses that bring the Travel Rule directly to bear on every transfer they touch.
CoinsPaid runs from Tallinn, holds the Estonian FIU virtual currency service provider license renewed in September 2023, and pairs Chainalysis with Crystal Blockchain on the side. The inbound flow on a player deposit: the player's exchange sends a crypto transfer to a CoinsPaid-controlled wallet linked to the operator's merchant account, CoinsPaid runs the source wallet through Chainalysis for sanctions and high-risk-source flags, and if the originator's exchange is a counterparty that supports a Travel Rule protocol, CoinsPaid receives the originator name plus account or wallet identifier on the wire. What lands in the operator's CoinsPaid backoffice is the cleared deposit amount, the source-wallet risk score, and a reference ID to the Travel Rule message if one came through. The originator KYC fields stay inside CoinsPaid's records under its five-year retention obligation, not in the operator's stack.
Vilnius-based CoinGate became the first homegrown Lithuanian company to receive a MiCA CASP license, issued by the Bank of Lithuania on December 16, 2025. Lithuanian Travel Rule rules apply to all CoinGate transfers regardless of amount, in line with the EU TFR baseline at a tighter operational standard than legacy non-MiCA CASPs in the bloc. The inbound flow looks like CoinsPaid's: screening on the source wallet, Travel Rule data exchange with counterparty VASPs that support a compatible protocol, and an operator-facing record showing the cleared amount and risk score without exposing originator KYC fields. The MiCA approval brings CoinGate under direct ESMA-coordinated supervision rather than the older Lithuanian regime, which lapsed January 1, 2026 when the country fully enforced MiCA.
The protocol layer is where compliance stops being theoretical. There is no single Travel Rule wire format. Per Sumsub's Travel Rule protocol overview, production VASPs run multi-protocol gateways that connect to TRISA (open-source), TRP (banking-industry-led), Sygna Bridge (APAC-strong), Notabene's commercial network, Global Travel Rule, and Code, with no single protocol carrying more than a plurality of registered VASPs. The "sunrise" problem (counterparty VASPs in jurisdictions that have not enforced yet) means inbound deposits regularly arrive without a matching Travel Rule message because the player's exchange is not on any protocol the receiving PSP can talk to.
What operators feel in production is two things. Deposits from major exchanges (Binance, Coinbase, Kraken, Bitstamp, OKX, Bitfinex) routinely carry Travel Rule data because those exchanges sit on multiple protocols. Deposits from smaller exchanges, regional platforms, or self-hosted wallets routinely do not. The operator-facing impact is that the risk score and the manual review burden differ between the two flows, and a book running a clean MiCA stack with CoinGate or a tight Estonian stack with CoinsPaid still sees the second flow at the support-ticket layer when manual KYC documents are needed before a deposit settles.
Five-year retention, and a May 2026 enforcement map
The five-year retention clock is the most-misread part of the rule. Under EU TFR Article 26 of Regulation 2023/1113, the originator and beneficiary CASP must retain originator and beneficiary information for five years from the end of the business relationship with the customer, or from the date of the occasional transaction. The US BSA applies five-year retention. UK MLR 2017 sits at five years from the end of the customer relationship. Singapore, Japan, South Korea, Hong Kong, and the UAE apply five-year retention with minor variations. Some EU member states apply longer retention for specific record categories under local law.
The retention obligation lives at the , not at the casino, when the casino is routing through a PSP. CoinsPaid and CoinGate both retain the Travel Rule message and the underlying records for five years against their license. The operator's responsibility is downstream. The operator retains the deposit-side records the gambling regulator requires for AML purposes, typically five years under most gambling AML laws, plus the merchant-side records of the relationship with the PSP itself.
What an operator should be storing for five years against an AML audit:
- The player's KYC pack at deposit time
- The deposit amount, time, and credited crypto amount
- The risk-score reference ID returned by CoinsPaid or CoinGate on each deposit
- Any manual-review-resolution notes if the deposit triggered enhanced due diligence
- The data processing agreement with the PSP and any amendments
The originator-side data (the player's exchange, the originator name on the Travel Rule message) sits at the PSP, and the operator can call for it under the data processing agreement if a regulator asks. Operators that built crypto rails before 2024 sometimes did not negotiate Travel Rule data retrieval into the DPA, and the cleanest fix on contract renewal is an explicit clause requiring the PSP to surface Travel Rule data within a defined SLA on regulator-led requests.
The enforcement map is where the compliance budget actually lands. Per the FATF June 2025 targeted update on virtual assets, 99 jurisdictions have passed or are advancing Travel Rule legislation, but only 21 percent of the 138 assessed jurisdictions are fully compliant with FATF Recommendation 15, and around 26 percent still allow VASPs to transact regardless of licensing or Travel Rule status. The split below sorts the jurisdictions iGaming operators actually live under.
| License posture | Travel Rule reality at May 2026 | Where compliance lands |
|---|---|---|
| EU CASP-supervised (MiCA, MGA-with-EU-CASP-PSP) | Enforced in full, zero threshold | PSP DPA carries the rule; operator audits inbound data quality |
| UK FCA-registered cryptoasset business | Enforced since September 2023, zero threshold | Same as EU; FCA inspects on Travel Rule data quality |
| US-licensed (state-licensed iGaming) with crypto rail | FinCEN-enforced at $3,000 threshold | Sub-threshold volume technically out of scope but most operators screen anyway |
| Canada (AGCO + Bank of Canada RPAA) | Enforced since June 2021, CAD 1,000 | FINTRAC inspects PSP integration and operator-side AML logging |
| Singapore (MAS DPT) | Enforced, all transfers | Tighter expanded-data set above SGD 1,500 |
| Curacao GCB (post-2024 LOK) | Legislated, lightly enforced | PSP layer carries the rule; operator-side compliance is gambling-license-driven |
| Anjouan, Costa Rica, gray jurisdictions | Not enforced at the gambling-license layer | Compliance lives entirely at the PSP if the operator routes through one |
The June 18, 2025 FATF update to Recommendation 16 expands the rule to cover fraud prevention and proliferation financing in addition to money laundering and terrorist financing, with financial institutions required to comply by 2030. That is a roadmap item, not a 2026 implementation problem. Operators planning multi-year crypto stack moves should expect their PSP to push for richer originator data fields between 2027 and 2029 as the deadline approaches.
The structural answer for an iGaming book in May 2026 is that the Travel Rule is a PSP-side compliance problem in well-architected stacks and a license-jurisdiction-side problem when the operator runs its own wallets. The treasury-side overlay (USDC vs USDT counterparty risk, perimeter, bank concentration) sits in the iGaming treasury 2026 audit and the GENIUS Act analysis. The operator's job in either case is two-line: confirm the PSP DPA covers Travel Rule data retrieval and five-year retention, and confirm the gambling-AML deposit logging in the backoffice can survive a regulator audit five years out. Operators that pass both lines in jurisdictions that enforce can defer the rest until the FATF June 2025 changes near their 2030 compliance deadline.
Sources (16)
- 01FATF: Targeted Update on Implementation of FATF Standards on Virtual Assets and VASPs (June 2025)
- 02FATF: Recommendation 16 update on payment transparency (June 2025)
- 03EU: Regulation (EU) 2023/1113 on transfers of funds and crypto-assets (TFR)
- 04EBA: Travel Rule Guidelines under Regulation (EU) 2023/1113
- 05FCA: Expectations for UK cryptoasset businesses complying with the Travel Rule
- 06FINTRAC: Travel rule for electronic funds and virtual currency transfers
- 07Sumsub: FATF Travel Rule, Crypto Compliance in 2026
- 08Sumsub: Protocols in the Travel Rule Solution (2025)
- 09Sumsub: Estonian AML Law and Travel Rule
- 10InnReg: Crypto Travel Rule Guide (Updated 2026)
- 11Hacken: Crypto Travel Rule, Global VASP Requirements
- 1221Analytics: Singapore Travel Rule MAS Requirements
- 1321Analytics: Switzerland Travel Rule FINMA Requirements
- 14CoinsPaid: Estonian FIU crypto licence renewal
- 15CYBER ERA: CoinGate becomes first homegrown Lithuanian company to receive a MiCA licence
- 16TRM Labs: FATF updates on Recommendation 15 implementation