VASP AML &
the FINMA Travel Rule

A Swiss crypto business that moves client assets is a financial intermediary, and its AML framework is what defines it in regulation. Switzerland is strict: a CHF 1,000 identification threshold, and a Travel Rule that requires verifying a client’s control of external wallets before transfers, which most jurisdictions do not. We build the framework (KYC, monitoring, Travel Rule, MROS reporting) to pass supervision and keep you banked.

Marcus AltenburgMarcus Altenburg, Managing Partner Published Updated
At a glance

The framework Swiss crypto supervision turns on.

Stricter than the FATF baseline. Built into the product, not bolted on.

Status
Financial intermediary (AMLA)
ID threshold
CHF 1,000 for crypto
Travel Rule
+ external-wallet verification
Reporting
MROS suspicious-activity
Supervised by
SRO now, FINMA ahead
Why Switzerland is stricter
The essentials

What a VASP must run, and why it is strict

A virtual asset service provider that holds, exchanges or transfers crypto for clients is a financial intermediary under the Anti-Money Laundering Act, and must run a full AML framework: client identification, beneficial-ownership checks, transaction monitoring, the Travel Rule, and suspicious-activity reporting to MROS. Switzerland applies this strictly: a low CHF 1,000 identification threshold for crypto, and a Travel Rule that goes beyond the baseline by requiring verification of a client’s control over external wallets.

Who this is for

  • exchanges, brokers and custodial wallet providers;
  • crypto payment and transfer services;
  • token issuers whose payment tokens engage AML rules;
  • any crypto business preparing an SRO or FINMA application.

The substance behind the licence

This framework is what SRO membership supervises and what a licence application turns on. It runs continuously, alongside the wider AML practice.

The Swiss difference

Where Switzerland goes further

Many businesses arrive expecting the FATF baseline and find Switzerland asks for more. Knowing where, before you build, is the difference between passing supervision and rebuilding the product.

Swiss VASP AML requirements versus the FATF baseline (as of June 2026).
RequirementSwitzerlandFATF baseline
Crypto identification thresholdCHF 1,000USD/EUR 1,000 guideline
External-wallet controlMust verify client’s controlNot generally required
Travel Rule dataOriginator + beneficiaryOriginator + beneficiary
Beneficial ownershipIdentify behind the clientIdentify behind the client
ReportingMROS, legal dutyNational FIU

The external-wallet verification line is the one that catches product teams: a model built on free movement to and from unhosted wallets does not survive contact with the Swiss rule. Designing the verification into the user flow from the outset is far cheaper than retrofitting it after an SRO flags it.

How it runs

Building the framework

AML is an operating system, not a document. It is designed into onboarding and the product, then run and supervised continuously.

  1. Stage 1

    Risk assessment

    Mapping the business, its clients, products and geographies to a money-laundering risk profile that drives the controls.

  2. Stage 2

    Onboarding & KYC

    Identification and beneficial-ownership procedures to the CHF 1,000 standard, with enhanced due diligence for higher risk.

  3. Stage 3

    Travel Rule & monitoring

    Originator/beneficiary data exchange, external-wallet verification, and transaction monitoring tuned to the risk profile.

  4. Stage 4

    Reporting & governance

    The MROS reporting and escalation pathway, the compliance-officer function, and the audit arrangements.

  5. Ongoing

    Run & review

    Operating the framework in-house or via structured outsourcing, with periodic review as rules and the reform evolve.

Budget

What it costs

The cost reflects the framework’s scope: onboarding and monitoring tooling, the Travel Rule and external-wallet verification build, the compliance-officer function and the audit. Running it in-house carries one cost profile; structured outsourcing another. Either way it is an ongoing function, not a one-off set-up.

We scope against the business model and risk profile, and can build for in-house operation or supervised outsourcing. Pricing is on request.

Discuss your framework
What you need

What the framework requires

A VASP AML framework that passes supervision and keeps the business banked needs:

  • client identification and beneficial-ownership checks to the CHF 1,000 standard;
  • Travel Rule data exchange and external-wallet control verification;
  • risk-based transaction monitoring across the life of each relationship;
  • a compliance-officer function and a MROS reporting pathway;
  • documentation, records and an audit arrangement that withstand review.

AML is not paperwork you produce for the application

The costly misunderstanding is treating AML as a policy document assembled to win SRO membership, then filed away. Supervisors and banks test whether the framework actually functions: whether monitoring surfaces real alerts, whether external-wallet verification happens, whether suspicious activity reaches MROS. A business with elegant policies and no working controls fails the moment it is examined, and a single banking exit over weak AML can be fatal. The value is in the framework operating day to day, which is what we build, not a binder.

Why Goldblum

How we run the compliance

VASP AML is where financial-crime law, the strict Swiss Travel Rule and live operations meet. Building a framework that passes supervision and keeps a crypto business banked is core financial-regulation work.

Swiss-strict

Built for the harder rule

The framework designed for Switzerland’s external-wallet verification and CHF 1,000 threshold from the start, so the product passes supervision rather than being rebuilt after it.

Working

Controls that function

Monitoring, verification and reporting that actually operate: the difference between a framework that survives an examination and a binder of policies that does not.

Flexible

In-house or outsourced

Built to run internally or through structured, supervised outsourcing depending on the firm’s stage, without responsibility leaking away.

Related

Where AML sits

Start here

Crypto licence Switzerland

The authorisation the AML framework supports: SRO membership now, the crypto-institution licence ahead.

Crypto licence
Custodians · 2027

Crypto custody

The custody activity that, as financial intermediation, must run this AML framework alongside the safekeeping itself.

Crypto custody
Ongoing duty

AML & compliance

The firm-wide KYC, monitoring and audit function every Swiss financial intermediary must run, in-house or outsourced.

AML & compliance
FAQ

VASP AML & Travel Rule: FAQ

01Is a crypto business a financial intermediary under Swiss AML law?
Generally, yes. A virtual asset service provider (an exchange, broker, custodial wallet or transfer service) that holds, exchanges or transfers crypto for clients is a financial intermediary under the Anti-Money Laundering Act, and must run a full AML framework. That means client identification, beneficial-ownership checks, transaction monitoring, the Travel Rule and reporting to the authorities, supervised through an SRO or directly by FINMA. AML is not an optional layer on a crypto business; for most models it is the regulatory obligation that defines the business.
02What is the Travel Rule and how strict is Switzerland?
The Travel Rule, from the FATF standards, requires that information on the originator and beneficiary travels with a virtual-asset transfer, just as it does with a wire transfer. Switzerland implements it strictly. Beyond exchanging originator and beneficiary data between providers, FINMA requires that a VASP verify its client's ownership or power of disposal over an external wallet before transferring assets to or from it, a step many jurisdictions do not impose. Switzerland's Travel Rule is therefore more demanding than the baseline, and building for it is central to operating here.
03What is the external-wallet verification requirement?
It is the distinctively strict Swiss element. When a client wants to send crypto to, or receive it from, a wallet that is not held with the VASP (an unhosted or third-party wallet), FINMA expects the provider to verify that the client actually owns or controls that external wallet, for example by a technical proof such as a small test transaction or a signed message. The aim is to stop the regulated provider being a clean on-ramp to anonymous external addresses. It is operationally demanding, and it has to be designed into the product, not bolted on afterwards.
04At what amount does identification kick in for crypto?
Lower than for ordinary transactions. For occasional transactions in virtual currencies, FINMA set the identification threshold at CHF 1,000 (well below the general threshold for other cash-like dealings), reflecting the higher money-laundering risk it sees in crypto. In practice, a custodial relationship triggers full onboarding regardless, and the low occasional-transaction threshold means there is little room for un-identified activity. We build onboarding and monitoring to the CHF 1,000 standard so the framework is compliant from the first transaction.
05What must a VASP do to identify clients?
Identify the contracting party and establish the beneficial owner behind it, verify identity with reliable documentation, understand the purpose and nature of the relationship, and keep the records. For higher-risk clients or transactions, enhanced due diligence applies. This is the KYC core, and for crypto it extends to understanding the source of the assets and, through the Travel Rule, the counterparties to transfers. A monitoring system then watches the relationship for the life of the account, not just at onboarding.
06What is MROS and when must I report?
MROS is the Money Laundering Reporting Office Switzerland, the national financial intelligence unit. A financial intermediary that knows or has reasonable grounds to suspect that assets are connected to money laundering, a predicate offence, a criminal organisation or terrorist financing must report to MROS. The reporting duty is a serious legal obligation with consequences for failure, and it requires the monitoring and escalation processes to actually surface suspicious activity. We build the reporting and escalation pathway so the obligation is met in practice, not just on paper.
07Does the Travel Rule apply to transfers with unhosted wallets?
Yes, and this is where Switzerland is strictest. Transfers between a regulated VASP and an unhosted (self-custodied) wallet are exactly the case FINMA targets with the external-wallet verification requirement. The provider cannot simply send to or receive from an arbitrary external address; it must establish that its client controls that wallet. A business model that depends on free movement to and from unhosted wallets has to be designed around this requirement from the start, or it will not pass supervision.
08Can I outsource the AML function?
Parts of it, within limits. A VASP can outsource elements of the AML operation (monitoring tooling, certain checks, a compliance officer function) to qualified providers, but the regulatory responsibility remains with the institution and its governing body. Outsourcing has to be properly structured, documented and supervised, and the firm must retain enough internal competence to oversee it. We build the framework to run either in-house or through structured outsourcing, depending on the firm's size and stage, without letting responsibility leak away.
09How does AML connect to SRO membership or a FINMA licence?
The AML framework is what SRO membership supervises. An SRO exists to monitor its members' anti-money-laundering compliance, so the quality of the framework is, in large part, what the membership application turns on. A FINMA-licensed institution is supervised on AML directly. Under the incoming reform, many crypto firms will move from SRO supervision to direct FINMA licensing, but the AML obligations themselves continue. The framework is the substance behind whichever supervisory route applies.
10What are the consequences of weak AML compliance?
Significant. AML failings can cost a VASP its SRO membership or licence, expose the firm and individuals to enforcement and criminal liability, and end banking relationships that the business depends on. FINMA has shown it will act on crypto AML shortcomings. Beyond the legal exposure, a provider with weak controls becomes a target for illicit flows, which compounds the problem. A serious AML framework is not a cost centre to minimise; it is what keeps the business authorised and banked.
11What does Goldblum do on VASP AML?
We design and implement the full framework: onboarding and KYC to the CHF 1,000 standard, beneficial-ownership identification, transaction monitoring, the Travel Rule including the external-wallet verification Switzerland requires, and the MROS reporting and escalation pathway, built to satisfy SRO or FINMA supervision. We set it up to run in-house or through structured outsourcing, and we keep it current as the rules and the incoming reform evolve, so the framework is a living function rather than a launch document.

Building your VASP compliance?

Tell us how the business moves crypto. A partner designs the AML framework (KYC, monitoring, the strict Swiss Travel Rule and MROS reporting) to pass supervision and keep you banked.