18 June 2026

Is The Travel Rule Being Weaponised? What Recent Arbiter Decisions Reveal About CASP’s Duty Of Care

MK Fintech Partners

MK Fintech Partners Ltd. is affiliated with the prestigious Michael Kyprianou Group, a leading international legal and advisory entity. Renowned for its diverse legal services, the group has become one of Cyprus' largest law firms, with offices in Nicosia, Limassol, Malta, Ukraine, the United Arab Emirates, and the UK.
Recent Maltese Arbiter decisions against Crypto.com reveal that EU Travel Rule compliance is evolving beyond anti-money laundering enforcement into a consumer-protection standard that can trigger civil liability for crypto-asset service providers.
Malta Finance and Banking

Executive Summary

Recent rulings by Malta’s Arbiter for Financial Services signal a significant shift in how Crypto-Asset Service Providers (CASPs) must approach Travel Rule compliance. While historically viewed as a technical anti-money laundering (AML) requirement, the Travel Rule (Regulation (EU) 2023/1113) is increasingly being repurposed by the Arbiter as a core benchmark for a CASP’s duty of care and fiduciary obligations toward retail consumers.

In recent cases involving Crypto.com, the Arbiter established that relying on automated “tick-box” self-declarations for transfers exceeding €1,000 to self-hosted wallets is legally insufficient. Under the EBA Guidelines, firms are expected to demonstrate “adequate measures” to verify wallet ownership, which necessitates robust technical verification such as test transactions or cryptographic proofs, rather than mere reliance on customer input.

The Arbiter has clarified that while he cannot sanction firms for AML breaches (a power reserved for the FIAU), he is fully competent to adjudicate whether a failure to implement Travel Rule standards prejudices a consumer. This distinction creates a new layer of civil liability: even if a CASP like Crypto.com is not fined by a regulator, it may still be ordered to compensate clients if its failure to apply rigorous Travel Rule controls is causally linked to a loss.

These decisions demonstrate that contractual disclaimers and standard in-app warnings are insufficient shields when internal controls are structurally weak.

As the industry evolves, the bar for “adequate measures” has been raised, requiring firms to integrate dynamic transaction monitoring with their Travel Rule protocols. This jurisprudential shift underscores that compliance is no longer a box-ticking exercise; it is now a critical component of litigation risk management, where structural weaknesses in a CASP’s architecture can lead to substantial financial liability.

Introduction

The EU’s new “Travel Rule” regime for crypto-assets is primarily marketed as an anti-money laundering and counter-terrorist financing tool, but recent decisions of the Arbiter for Financial Services in Malta show that it is rapidly becoming something more: a consumer-protection and civil-liability benchmark for crypto-asset service providers (CASPs).

In two recent rulings against Foris DAX MT Limited (trading as Crypto.com), cases ASF 062/2025 (KJ) and ASF 076/2025 (YV), the Arbiter treats failures in Travel Rule implementation not merely as supervisory issues for the FIAU, but as breaches of the CASP’s duty of care and fiduciary obligations towards retail clients, capable of grounding compensation orders.

The EU Travel Rule for Crypto

Under Regulation (EU) 2023/1113 (the “TFR Recast”), which became applicable on 30 December 2024, CASPs must ensure that information about the originator and beneficiary “travels” with every crypto-asset transfer. When dealing with “self-hosted” addresses (those not linked to a regulated entity), the rules become significantly more prescriptive. For transfers exceeding €1,000, a CASP is legally required to take “adequate measures” to assess whether that external address is truly owned or controlled by its customer.

To clarify these obligations, the European Banking Authority (EBA) issued Guidelines, adopted by the FIAU in Malta, which mandate that CASPs must use at least one verified technical method, such as test transactions or cryptographic proofs, to validate wallet ownership rather than relying solely on customer self-declarations.

Two Scam Victims, One CASP

Both ASF 062/2025 and ASF 076/2025 arise from classic online scam typologies in which retail users are induced to fund crypto accounts and then transfer assets to external wallets under the scammers’ control.

In ASF 062/2025 (KJ), a 67-year-old customer residing in Spain was groomed via WhatsApp by an individual calling herself “Ellie”, who introduced him to an unregulated trading platform. The complainant opened a Crypto.com account, purchased USDT and, under the scammer’s guidance, transferred large amounts to external wallets believed to belong to the platform.

Crucially, two substantial USDT withdrawals on 1 and 16 January 2025, totalling around €30,000, were executed to “self-hosted” wallets which the complainant had himself whitelisted and declared as his own in Crypto.com’s Travel Rule form, under the scammer’s direction and without understanding the implications. 

In ASF 076/2025 (YV), a French customer was drawn into a “work-from-home” scheme on an application referred to as “Creative Navy”, where she was promised remuneration for clicking on apps. She was assisted in opening a Crypto.com account and transferred a total of €3,760 from her French bank accounts, converted to USDC and then sent to two external self-hosted wallets.

Here too, the complainant either personally completed or allowed the completion of Crypto.com’s Travel Rule form through her credentials, indicating that she was the owner of the self-hosted wallets, even though control in reality lay with the scammers to whom she had surrendered her secret access credentials.

The CASP’s Defence: AML is for the FIAU

In both proceedings, Crypto.com’s core defence is structurally similar. The company emphasises that:

  • All blockchain withdrawals were initiated from the complainants’ accounts, through devices and credentials under their control, and are technically irreversible once submitted.
  • Comprehensive AML/CFT and transaction-monitoring procedures are in place and any detailed monitoring outputs are subject to secrecy obligations towards the FIAU.
  • The Travel Rule, as a recast of the funds-transfer regulations, is an AML/CFT instrument designed to prevent and detect money laundering, not to deter or remedy fraud; hence, it should not generate private law causes of action in favour of individual clients.
  • The Arbiter lacks competence to adjudicate alleged breaches of AML or Travel Rule obligations; those issues fall exclusively within the remit of the FIAU under Cap. 373.

On the specific Travel Rule point, Crypto.com argues that it has complied with Articles 14 and 145 by obtaining and holding the required information on originator and beneficiary, including the complainants’ names, customer IDs, the recipient wallet addresses and the self-declaration that these were self-hosted and owned by the customer.

The Arbiter’s Response

The Arbiter accepts that he is not an AML enforcement authority and cannot investigate suspicions of money laundering or terrorist financing, nor impose administrative sanctions for AML breaches. Those powers remain with the FIAU.

However, he draws a careful distinction between AML enforcement and the broader financial-services legislative framework governing the conduct of CASPs vis-à-vis their clients. In both decisions he emphasises that:

  • The Travel Rule obligations “constitute an important part of the financial services legislative framework” applicable to CASPs operating in Malta.
  • As such, they inform the CASP’s fiduciary duty and duty of care under Article 27 of the VFA Act and the relevant conduct-of-business rules (and now MiCA, notably Article 66 and Recital 79), which require CASPs to act honestly, fairly and professionally in the best interests of clients.
  • It is “within the competence of the Arbiter” to examine whether alleged non-adherence to Travel Rule obligations has prejudiced a financial consumer and causally contributed to their loss, even if the Arbiter cannot pronounce on AML suspicions or penalties as such.

In other words, while the Travel Rule’s primary objective remains AML/CFT, its concrete operational duties are repurposed as part of a civil standard of care: a CASP that falls materially below these duties may be ordered to compensate clients where that failure is causally linked to their loss.

What Adequate Measures Mean in Practice

A key point in both cases is whether Crypto.com’s Travel Rule implementation for withdrawals to self-hosted wallets meets the “adequate measures” test.

The company relied on a process whereby, when a customer whitelists a new withdrawal address, they are presented with a form asking them to indicate whether the wallet is self-hosted or provided by a third party and, if self-hosted, to tick that they are the owner of the wallet address. The system stores the wallet address and the Travel Rule recipient information (first name, last name, country) as provided.

The Arbiter finds this insufficient for transfers above €1,000 to self-hosted wallets, in light of the TFR Recast and the EBA Guidelines:

  • He stresses that paragraph 78 of the Guidelines, which the company itself cites, allows CASPs to obtain information on whether a wallet is self-hosted directly from the customer only where this information cannot be retrieved via technical means; it does not relieve the CASP from applying a verification method when amounts exceed €1,000.
  • He notes that the company failed to produce any evidence of additional verification measures (such as test transfers or technical checks) and even declined to provide its full internal Travel Rule policies and procedures despite being requested to do so. This allows him to infer that no adequate verification measures were in place.

Who bears the ultimate burden of loss?

In both rulings, the Arbiter found that the complainants were guilty of significant contributory negligence, having shared credentials, trusted unregulated platforms, and signed false ownership declarations. Consequently, he split the liability, holding the CASP responsible for 40% of the relevant losses.

The message for the industry is stark: contractual disclaimers and in-app warnings cannot insulate a firm if its internal controls are structurally incapable of meeting the statutory threshold of the Travel Rule.

What do we learn from these decisions?

These early Maltese decisions carry several practical lessons for CASPs operating under MiCA and the TFR Recast.

  1. Travel Rule implementation for self-hosted wallets must move beyond simple self-declaration. CASPs will need to adopt at least one robust verification method for transfers above €1,000 to or from self-hosted addresses and be able to demonstrate its consistent application and effectiveness.
  2. Travel Rule obligations will not be ring-fenced as a purely AML topic. Breaches may be re-characterised as failures of conduct-of-business and fiduciary duties, with direct financial consequences through the Arbiter’s compensation powers, irrespective of whether the FIAU has taken action.
  3. The interaction between dynamic transaction monitoring and Travel Rule processes is critical. Once a CASP is alerted to potential scam activity, the Arbiter expects a re-assessment of the risk profile and appropriate controls (including suspending or refusing further transfers to self-hosted wallets) rather than business-as-usual execution.
  4. Standard terms and pop-up warnings about irreversibility and client responsibility remain relevant to contributory negligence but cannot neutralise statutory obligations. The Arbiter is prepared to pierce generic disclaimers where structural control weaknesses are evident.

Conclusion

ASF 062/2025 and ASF 076/2025 mark the opening of a jurisprudential line in Malta where the Travel Rule, born as an AML/CFT instrument, is being “weaponised” as a civil-law standard of care in disputes between retail clients and CASPs.

For CASPs, the message is clear: Travel Rule compliance cannot be treated as an obscure back-office formality for the benefit of regulators alone. Inadequate implementation, especially in relation to self-hosted wallets, now carries a very real risk of consumer claims, adverse Arbiter decisions and supervisory follow-up!

Links to the Arbiter’s decisions:

https://financialarbiter.org.mt/sites/default/files/oafs/decisions/2750/ASF%20076-2025%20-%20YV%20vs%20Foris%20Dax%20MT%20Limited.pdf

https://financialarbiter.org.mt/sites/default/files/oafs/decisions/2706/ASF%20062-2025%20-%20KJ%20vs%20Foris%20DAX%20MT%20Limited.pdf

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
