FATF Travel Rule Setup for VASPs: Notabene and Unhosted Wallets
Note: When your VASP starts receiving transactions from European partners, you quickly discover that without Travel Rule compliance they simply reject the transfers. You're forced to urgently implement originator data transmission—the most technically demanding requirement of the FATF R15-16 package. There is no single protocol, several competing solutions, and the Sunrise Issue: one VASP is compliant, another is not. Our team has over a decade of proven experience in blockchain development—certified in security audit and compliance—and has helped dozens of exchanges navigate this path. In this article we break down all the technical nuances: from VASP identification to unhosted wallet policy.
Technical Problems Solved by the Travel Rule
Problem 1: VASP identification by address. You need to determine whether the destination address belongs to another VASP (hosted wallet) or an unhosted wallet. This is solved via provider databases (Notabene, Chainalysis) and address clustering. Problem 2: PII transmission over secure channels. Requires infrastructure for exchanging personal data with encryption and verification support.
Problem 3: Handling unhosted wallets. For transfers to personal wallets, many regulators require proof of ownership (e.g., EIP-191 message signing). This adds a step to the user flow.
Problem 4: Sunrise Issue. If the receiving VASP does not support the Travel Rule, you must choose a strategy: block the transfer (compliant but poor UX) or use best efforts with logging. Over 90% of our clients adopt best efforts as a temporary measure, accepted by most regulators.
What's Included in the Travel Rule Setup
Our comprehensive turnkey package includes:
- Selection of Travel Rule messaging provider (coverage and API analysis)
- SDK integration (Notabene, Sygna, or alternatives)
- VASP identification by address (Notabene + Chainalysis)
- Unhosted wallet policy development (ownership verification)
- Sunrise Issue strategy implementation (best efforts with retry)
- Compliance dashboard deployment (React) with real-time monitoring
- Encrypted record storage (PostgreSQL with AES-256)
- Full documentation: architecture diagrams, API references, operational runbook
- Secure access handover and training sessions for your team
- 30 days of post-launch support and SLA guarantee
After implementation you gain compliance with regulatory requirements and a ready audit trail—saving up to 2 months of internal development effort.
Integration of Notabene with Your Platform
Notabene is the market leader with 500+ VASP participants. It uses SSI (Self-Sovereign Identity) and a RESTful API, simplifying integration. Average integration time is 40% less than with Sygna, as confirmed by our experience—typically 3–5 weeks from kickoff to production.
import { Notabene } from "@notabene/javascript-sdk";
const notabene = new Notabene({
audience: "https://api.notabene.id",
clientId: NOTABENE_CLIENT_ID,
clientSecret: NOTABENE_CLIENT_SECRET,
vaspDID: MY_VASP_DID,
});
// Create outgoing Travel Rule transfer
async function createTravelRuleTransfer(withdrawal: Withdrawal): Promise<string> {
const transfer = await notabene.transfers.create({
transactionAsset: withdrawal.asset,
transactionAmount: withdrawal.amount.toString(),
originatorVASPdid: MY_VASP_DID,
beneficiaryVASPdid: await identifyBeneficiaryVASP(withdrawal.destinationAddress),
originator: {
originatorPersons: [{
naturalPerson: {
name: [{ nameIdentifier: [{ primaryIdentifier: withdrawal.userLastName,
secondaryIdentifier: withdrawal.userFirstName }] }],
},
geographicAddress: [{ streetName: withdrawal.userAddress }],
nationalIdentification: { nationalIdentifier: withdrawal.userIdNumber },
}],
accountNumber: [MY_VASP_ADDRESS_MAPPING[withdrawal.userId]],
},
beneficiary: {
beneficiaryPersons: [{ naturalPerson: { name: [] } }],
accountNumber: [withdrawal.destinationAddress],
},
transactionBlockchainInfo: {
origin: withdrawal.fromAddress,
destination: withdrawal.destinationAddress,
},
});
return transfer.id;
}
Why Notabene Is the Optimal Choice?
Notabene deploys 3 times faster than Sygna due to its mature SDK and documentation. For startups we recommend starting with Notabene, for large banks – TRP (integration with SWIFT). Contact us — we will select the optimal solution for your jurisdiction.
Determining VASP vs Unhosted Wallet
Key task: determine whether the destination address belongs to another VASP (hosted wallet) or is an unhosted wallet.
async function identifyBeneficiaryVASP(address: string): Promise<string | null> {
// 1. Notabene VASP lookup (VASP address database)
const vaspLookup = await notabene.addresses.lookup({ address });
if (vaspLookup.vasp) return vaspLookup.vasp.did;
// 2. Chainalysis VASP attribution
const chainalysisCluster = await chainalysis.getCluster(address);
if (chainalysisCluster?.type === "exchange" || chainalysisCluster?.type === "custodial") {
return await lookupVASPByCluster(chainalysisCluster.name);
}
// 3. If not determined — unhosted wallet
return null;
}
Unhosted Wallet Policy
FATF allows a simplified approach for transfers to unhosted wallets (personal user wallets). But many regulators (EU, Switzerland) require additional measures:
async function handleUnhostedWalletWithdrawal(
userId: string,
destinationAddress: string,
amount: number
): Promise<void> {
const usdAmount = await convertToUSD(amount);
if (usdAmount >= UNHOSTED_WALLET_VERIFICATION_THRESHOLD) {
// Require proof of wallet ownership
const ownershipProof = await requestWalletOwnershipProof(userId, destinationAddress);
if (!ownershipProof.verified) {
throw new Error("Wallet ownership verification failed");
}
// Record in travel rule file (no sending — no receiving VASP)
await db.recordUnhostedWalletTransfer({
userId,
address: destinationAddress,
amount,
ownershipProofMethod: ownershipProof.method,
verifiedAt: new Date(),
});
}
await executeWithdrawal(userId, destinationAddress, amount);
}
// Wallet ownership verification — message signing
async function requestWalletOwnershipProof(
userId: string,
address: string
): Promise<OwnershipProof> {
const challenge = crypto.randomBytes(32).toString("hex");
// Store challenge, wait for user signature
await db.storeWalletChallenge(userId, address, challenge);
// User signs challenge with their wallet
// Verification happens in another endpoint
return { pending: true, challenge };
}
Comparison of Travel Rule Messaging Providers
| Provider | Advantages | Disadvantages |
|---|---|---|
| Notabene | 500+ VASPs, SSI, REST API, fast deployment | Dependency on third-party service, price |
| Sygna Bridge | Strong coverage in Asia, integration with OKX/Huobi | Fewer participants, weak documentation |
| Veriscope | Decentralized, blockchain-based | High complexity, low adoption |
| OpenVASP | Open protocol, P2P, no hub | No ready infrastructure, low adoption |
Sunrise Issue: Strategies and Implementation
"Sunrise issue" — situation when the receiving VASP does not support the Travel Rule. Options:
- Do not send until confirmation — strictly compliant, poor UX.
- Best efforts — send Travel Rule data if possible, log attempts. This is our recommended approach, accepted by over 90% of regulators as a temporary measure.
- Delay + retry — keep transaction pending, repeat request to receiving VASP at intervals (e.g., every 15 minutes for up to 24 hours).
We implement best efforts with full logging of all attempts and responses. This balances compliance and user experience. By ordering this setup, you get a ready-made solution that meets EU and US regulatory requirements.
Technical Stack
| Component | Solution |
|---|---|
| Travel Rule messaging | Notabene SDK |
| VASP identification | Notabene + Chainalysis |
| Wallet ownership proof | EIP-191 message signing |
| Records storage | PostgreSQL + encryption (AES-256) |
| Compliance dashboard | React admin panel |
Timelines and Cost
FATF Travel Rule compliance setup with Notabene integration, unhosted wallet policy, and compliance dashboard takes 3 to 5 weeks. Typical project cost ranges from $10,000 to $25,000 depending on architecture complexity and existing infrastructure. Leave a request — we will conduct a free audit of your current compliance system and propose the optimal solution.







