Written by: A Spinach from Web3.

Spinach recently read the latest briefing paper released by the Bank for International Settlements (BIS), 'Anti-Money Laundering Compliance Solutions for Crypto Assets'. As the central bank of central banks, every report from the BIS becomes a weather vane for financial regulation in various countries. So when I saw the title, my first reaction was: finally, someone has figured out a way to control cryptocurrency?

However, after reading the entire text, I realized that this paper is not a usable solution; to me, it reads more like a dignified letter of surrender.

The BIS, in academic language, gently acknowledges a brutal fact: the KYC/AML system of traditional finance has completely failed in the face of a decentralized crypto world.

What is the 'innovative' solution they proposed?

Scoring wallets, advocating for users to check whether their counterparties are compliant, and doing final checks at the deposit and withdrawal points.

It's like a martial arts master who, after practicing the Dragon Subduing Eighteen Palms for a lifetime, suddenly finds his opponent arriving in a tank and suggests putting up a sign at the city gate: 'Tanks prohibited.'

Leaving aside how high the implementation and coordination costs of scoring would be: even if it were implemented, what if someone sends 'poisoned' funds to high-value wallets?

Advocating for users to check for themselves is like requiring you to check if a dollar bill has ever been used to buy drugs when you receive it. Theoretically feasible, practically absurd.

Conducting KYC/AML at the deposit and withdrawal stages might be the last dignity left for these traditional institutions; at least there you can verify identity and source of funds.

Why do we say that the traditional regulatory system has almost completely failed on-chain? Let us take a look at a ridiculous regulatory rule that regulatory agencies around the world still continue to implement—the Travel Rule.

Travel Rule: A farce from traditional finance to the crypto world.

To understand the absurdity of the Travel Rule, we must first understand its past and present.

In 1996, during the era when the internet was still dial-up, the Financial Crimes Enforcement Network (FinCEN) first introduced the Travel Rule as part of the Bank Secrecy Act. The requirement at that time was simple: banks must transmit the sender's information to the next financial institution when processing wire transfers exceeding $3,000.

Why does this work well in the traditional banking system?

Because banks are centralized, with complete customer information and standardized information transmission systems like SWIFT. ICBC knows everything about Zhang San, and China Construction Bank knows everything about Li Si, and when transferring money, the information exchange flows naturally.

But in 2019, the Financial Action Task Force (FATF) made a game-changing decision: to extend the Travel Rule to cryptocurrencies.

What is the FATF? An intergovernmental organization established in 1989, originally aimed at combating drug money laundering. Its '40 Recommendations' are regarded as the global gold standard for anti-money laundering. When the FATF speaks, regulatory agencies worldwide must listen.

On June 21, 2019, in Orlando, the FATF passed the interpretative note to Recommendation 15 (INR.15), extending Recommendation 16 (the Travel Rule), which originally applied to wire transfers between traditional financial institutions, to the virtual asset domain. It requires virtual asset service providers (VASPs) to collect and transmit the identity information of the sender and recipient when processing transactions exceeding $1,000/€1,000, including:

  • Name

  • Account Number (Wallet Address)

  • Geographical Location or ID Number

  • If necessary, more details

Their logic is: since the Travel Rule has been in operation in traditional finance for over 20 years, it should be fine in the crypto world as well.

The problem with this logic is that they completely misunderstand how blockchain works.

The global chaos of the Travel Rule.

Let’s take a look at the current implementation status of the Travel Rule. According to the FATF report from June 2025, 99 jurisdictions claim to have passed or are in the process of passing Travel Rule legislation. Sounds impressive, right?

But the devil is in the details. 75% of jurisdictions are still only partially compliant or non-compliant, and this proportion is exactly the same as in April 2023—75% of 73 countries, no progress.

Why is this happening? Because each country is implementing its own set of rules.

The US maintained the old rule from 1996: a threshold of $3,000. But the FATF suggested $1,000, leading to the first split.

Singapore was one of the first countries to respond, starting implementation on January 28, 2020, with a threshold of 1,500 SGD. South Korea implemented it on March 25, 2022, with a threshold of 1 million KRW (about $821). Japan said all transactions must comply, regardless of the amount.

The EU is even more extreme, delaying the implementation of the 'Transfer of Funds Regulation' (TFR) until December 30, 2024, then saying: We have no threshold; even 1 cent must follow the Travel Rule.

What is the result? Take a $1,500 transfer from the US to the EU: the US says there is no need for the Travel Rule, while the EU says it must be followed. Both sides are 'compliant,' but the transaction is stuck.

This is not the most chaotic situation. Israel implemented the Travel Rule in 2021 with no threshold, but almost no other countries connected with it. Canada also has a zero threshold, but its rules are incompatible with others.

What is the result of this piecemeal approach?

According to Notabene's 2024 industry survey, despite some improvement from the previous year (from 52% to 29%), 29% of VASPs continue to send Travel Rule information indiscriminately to all counterparties without conducting any due diligence assessments.

This 'broad net' approach actually reflects an awkward reality: most VASPs are only going through the motions, as there is no way to verify whether the counterparties are really using this information or are compliant.

DeFi: The blind spot of the Travel Rule.

While regulators are still entangled in the Travel Rule for centralized exchanges, DeFi has already completely bypassed this issue.

The premise of the Travel Rule is that there are VASPs (intermediaries) to enforce it.

Suppose I exchange tokens directly on Uniswap using MetaMask. May I ask:

  • Is MetaMask a VASP? It's just a browser plugin.

  • Is Uniswap a VASP? It's just a piece of code.

  • Are Ethereum miners VASPs? They are just validating transactions.

When both parties trade directly in a peer-to-peer manner, there is no intermediary to enforce the Travel Rule.

It's as absurd as requiring air to enforce the law.

Who is required to enforce the Travel Rule? Is the code required to provide KYC information?

The FATF's response is that developers of DeFi protocols should be regarded as VASPs.

The absurdity of this logic is equivalent to saying that the inventor of the TCP/IP protocol should be responsible for all internet crimes. Vitalik Buterin created Ethereum, so should he be responsible for all illegal transactions on Ethereum? If Satoshi Nakamoto were still alive, should he be sentenced to life imprisonment?

Criminals' response: The art of Smurfing.

How do real criminals view the Travel Rule? Probably as a comedy.

Criminals use traditional smurfing tactics to evade the Travel Rule, splitting large transactions into smaller ones. Want to transfer $18,000? Split it into 20 transactions of $900 sent from different wallets at different times. Each transaction is below the threshold, so the Travel Rule never applies to it.

North Korean hackers stole $1.46 billion from Bybit this year—the largest cryptocurrency theft in history. Did they use the Travel Rule? Of course not.

In 2024, the amount of cryptocurrency used for illegal activities reached billions of dollars. None of these criminals were caught by the Travel Rule.

Another consequence of the Travel Rule is to exacerbate regulatory arbitrage; every tightening of regulation is like squeezing toothpaste—you squeeze it here, it pops out there.

Compliance costs: An expensive performance

The Travel Rule brings not solutions, but astronomical compliance bills.

According to estimates, the cost for a medium-sized exchange to implement the Travel Rule includes:

  • Technical solution procurement: Annual fee of $100,000 to $500,000

  • System integration transformation: One-time cost of $500,000 to $2 million (requires transforming the entire trading system)

  • Compliance team expansion: Annual salary cost of $200,000 to $1 million (requires a dedicated Travel Rule compliance officer)

  • Legal consulting fees: Annual fee of $100,000 to $500,000 (different rules in different countries, requiring local legal support)

  • Audit and reporting: Annual fee of $50,000 to $200,000.

This is just the visible cost; what about the invisible ones?

These high compliance costs are accelerating market concentration, and the giants naturally support the Travel Rule—they can afford compliance costs, while competitors cannot. This is not regulation; it is market cleansing through regulatory costs.

What is the biggest hidden cost? The death of innovation.

For a startup team, their first consideration is not technological innovation, but:

  • Does this comply with the Travel Rule?

  • Can we afford compliance costs?

  • What if we are deemed a VASP?

As a result, innovation either shifts to regulatory-friendly places or simply gets abandoned. We are stifling 21st-century innovation with 19th-century thinking.

This is the truth about the Travel Rule: a huge investment has created a useless system that, apart from increasing costs, reducing efficiency, and stifling innovation, has solved nothing. Ordinary users have to foot the bill for this regulatory farce—endless forms, interminable reviews, and unending fees.

Participants in the regulatory theater.

Current cryptocurrency regulation is a carefully staged drama, with everyone having their own script:

Regulatory agencies: 'Look, we are enforcing the Travel Rule! We are protecting investors!' (They actually know it's useless, but need political achievements)

Large institutions: 'We are fully compliant!' (Actually just going through the motions, asking you 'Is this your wallet?')

Small institutions: 'We are working hard to comply!' (Actually thinking about how to move to a more lenient regulatory place)

Users: 'I comply with the Travel Rule!' (Actually already learned how to bypass it)

Criminals: 'What Travel Rule?' (Continue doing what they were doing)

Recognize reality, but do not give up thinking.

Having written this, you may ask: what should we do?

First, it must be clarified: this article is not criticizing regulation itself but pointing out the current situation. The original intention of regulation is good—preventing money laundering, protecting investors, maintaining financial stability. These goals are unquestionable and indeed necessary.

What we criticize is using the wrong tools to achieve the right goals, like using a hammer to drive a screw—if the tool is wrong, no matter how hard you try, it’s futile.

We need to acknowledge a fact: in a decentralized world, traditional regulatory tools have failed. This is not a technological issue, but a paradigm issue. Just as you cannot manage a car with horse-and-carriage methods, you cannot manage DeFi with bank management methods.

But this does not mean giving up all regulatory efforts. On the contrary, we need new ways of thinking. Good regulation should be like traffic rules—not to stop people from driving, but to make the roads safer.

Perhaps what we need is not a globally unified standard, but healthy competition among different jurisdictions. Regulatory innovation and technological innovation should run parallel, not in opposition.

This requires strong on-chain data analysis capabilities. Companies like Chainalysis have already proven that suspicious transactions can be effectively identified through behavioral analysis without needing to know everyone's ID number. In a future where the regulatory framework is gradually clarified, compliance infrastructure will become the key infrastructure of the cryptocurrency industry.

What we should call for is not anarchism, but wiser governance. Regulators and practitioners should sit down for sincere dialogue, understand each other's concerns, and explore regulatory paths suitable for the characteristics of new technology together.

After all, the real enemy is not regulation, nor cryptocurrency, but those who engage in crime by exploiting technological loopholes. On this point, the goals of regulators and practitioners align.

In conclusion.

Back to the initial BIS report.

On the surface, it proposes solutions. In reality, it records the end of an era—the jurisdiction of traditional financial orders over crypto assets is irreversibly waning.

This is the state of cryptocurrency regulation in 2025: an expensive game that all participants know is a joke, but everyone has to keep performing.

The Travel Rule, from the bank wire rules of 1996 to its forced transplantation into the crypto world in 2019, reflects regulatory inertia—using old bottles to package new wine, managing highways with horse-and-carriage era traffic rules.

As Hayek said: 'The road to hell is paved with good intentions.' The current cryptocurrency regulation may be such a road. The original intention is good—preventing money laundering, protecting investors, maintaining financial stability. But the result of its execution has been increased friction, stifled innovation, and activity pushed underground.

Pandora's box has been opened, and the decentralized genie will not return to the bottle.

Instead of continuing this doomed war, it's better to think about how to find balance in the new world. What is needed is not stricter rules, but entirely new wisdom.

And this wisdom, clearly, will not come from regulatory agencies still managing 21st-century technology with 20th-century thinking.

The future is not a place we are going to, but a place we are creating.

I just hope that when history looks back at this era, it will not record it as: humans once had the opportunity to establish a more open, transparent, and efficient financial system, but ultimately messed it up due to a group of bureaucrats who did not understand technology.

That would be a bigger joke than any regulatory failure.