Everyone says you must outsource travel rule compliance to Notabene or Sygna Bridge. The conventional wisdom is that building it in-house is too complex, too expensive, and too risky. That wisdom is approximately correct for a two-person startup. For a company with five people in legal and operations, it is backwards.

The economics are simple: Notabene and similar VASP networks charge per transaction, and at scale those fees exceed the cost of in-house infrastructure. More importantly, when you outsource travel rule compliance, you outsource control. You depend on a third party's uptime, API reliability, and regulatory interpretation. If Notabene goes down, your transactions are delayed. If Notabene changes its API, your integration breaks. If Notabene's regulatory interpretation differs from yours, you are caught in the middle.

Building in-house gives you control, lower costs at scale, and the ability to integrate travel rule data into your own compliance stack.

When Travel Rule Triggers

The Travel Rule applies to Virtual Asset Service Providers (VASPs) in the US (FinCEN), EU (AMLD6), and most other jurisdictions. In simplified terms, if a VASP transfers crypto to another VASP, the originating VASP must send originator information (name, address, account number) to the receiving VASP. The receiving VASP must verify the information against sanctions lists and PEP databases.

But "triggers" is the key word. Travel rule does NOT apply to all transactions.

Intra-business transfers happen when you are sending crypto from one of your own wallets to another of your own wallets. Travel rule does not apply. The originator and beneficiary are the same entity (you).

Small transactions may not trigger travel rule in some jurisdictions. In some countries, travel rule does not apply below a threshold (for example, under USD 3,000 in the US or under EUR 1,000 in the EU). Check your local rules.

Transfers to non-VASPs occur when the receiving address is a personal wallet (not a VASP). Travel rule does not apply. You cannot send transaction information to an address; addresses do not receive information. This is where most confusion arises. You must determine whether the receiving address is hosted at a VASP or is a self-hosted wallet.

Transfers between customers of the same VASP don't trigger travel rule. If both originator and beneficiary are your customers, travel rule does not apply (intra-VASP transfers). You are both the originator and beneficiary VASP.

Most payments businesses get 60% of their transfer volume wrong on travel rule classification. They over-comply (sending information for transactions that do not trigger) and then assume they need a third-party network.

Determining VASP Status of a Receiving Address

Check if the receiving address is a known exchange (VASP) or personal wallet. Use these heuristics in order. First, check against known exchanges like Kraken or Coinbase (fast, high confidence). Second, check VASP registries via services like Chainalysis (requires subscription). Third, apply cluster analysis (addresses funneling to a single point are likely VASP deposit addresses). Fourth, monitor behavior (high transaction velocity with forwarding suggests VASP; idle behavior suggests personal wallet).

Counterparty Discovery

Many VASPs have not published travel rule endpoints, creating a counterparty discovery problem. Most jurisdictions allow good-faith efforts. Try three times to locate the VASP endpoint. If all fail, document the attempts and send the transaction with a flag indicating travel rule unavailability. This protects you during regulatory examination.

Building In-House Architecture

An in-house travel rule system has four components.

Counterparty Registry is a database of known VASPs, their contact information, their travel rule endpoints, and their preferred data format (Sygna Bridge protocol, custom API, SFTP).

This is not something you build from scratch. Use the FATF Travel Rule working group's registry, or subscribe to Chainalysis. Refresh the registry quarterly.

Originator Data Collection happens when a customer initiates a transfer. Collect the originator information including legal name, address, customer ID, account number, transaction ID, and amount.

In your existing KYC flow, you already have the customer's legal name and address. Store these in a structured format you can retrieve easily.

Address Classification runs the receiving address through your classification pipeline when a transaction is initiated. Use cluster analysis and registry lookup to determine if it is a VASP.

If it is a VASP, proceed to the next step. If it is not (or if status is unknown), mark it as non-VASP and complete the transaction without sending travel rule information.

Counterparty Integration happens if the receiving address is a VASP. Identify the VASP's travel rule endpoint and send the originator information. Handle the response (ACK, error, request for additional information).

Store the entire exchange (request, response, timestamp) for audit purposes.
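The counterparty discovery and integration steps above can be sketched as follows. This is an added example, not code from any vendor or protocol: `lookup` and `send` are hypothetical callables standing in for your registry client and the counterparty's endpoint, and the status labels are assumed names for the three response types the article lists.

```python
import json
from datetime import datetime, timezone

MAX_ATTEMPTS = 3  # the article's good-faith limit for endpoint discovery
KNOWN_STATUSES = {"ACK", "ERROR", "INFO_REQUESTED"}  # assumed labels

def _now():
    return datetime.now(timezone.utc).isoformat()

def deliver(vasp_id, originator, lookup, send, audit_log):
    """Find the VASP endpoint, send originator data, and always write an audit record."""
    attempts, endpoint = [], None
    for n in range(1, MAX_ATTEMPTS + 1):
        try:
            endpoint, error = lookup(vasp_id), None
        except Exception as exc:  # a failed lookup is documented, not fatal
            endpoint, error = None, repr(exc)
        attempts.append({"attempt": n, "at": _now(), "endpoint": endpoint, "error": error})
        if endpoint:
            break
    record = {"vasp_id": vasp_id, "discovery": attempts}
    if endpoint is None:
        # No endpoint after three tries: flag it and keep originator PII out of the record.
        record["status"] = "travel_rule_unavailable"
    else:
        record["request"] = {"endpoint": endpoint, "originator": originator}
        record["request_at"] = _now()
        try:
            response = send(endpoint, originator)
        except Exception as exc:
            response = {"status": "ERROR", "detail": repr(exc)}
        record["response"] = response
        record["response_at"] = _now()
        status = response.get("status")
        record["status"] = status if status in KNOWN_STATUSES else "ERROR"
    # One append-only line per exchange: request, response and timestamps together.
    audit_log.append(json.dumps(record, sort_keys=True, default=str))
    return record
```

The transaction itself proceeds in both branches; only the `status` stored with it differs, which is the evidence an examiner will ask for.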

In-House vs. Outsourced Economics

Outsourced (Notabene) costs USD 0.01 to 0.05 per transaction triggering travel rule. At 1 million transactions per month (100,000 triggering travel rule), that is USD 1,000 to 5,000 per month, or USD 12,000 to 60,000 per year.

In-house infrastructure has several cost components. A VASP registry subscription (Chainalysis) costs USD 5,000 to 10,000 per year. Building the system takes about 400 engineering hours (10 weeks for a senior engineer). Ongoing operations and maintenance take 10 to 20 hours per month.

Total first-year cost is USD 30,000 to 50,000 (mostly engineering). Second-year and beyond costs USD 5,000 to 15,000 per year.

At 10 million transactions per month (1 million triggering travel rule), the outsourced option costs USD 120,000 to 600,000 per year. The in-house option costs USD 5,000 to 15,000 per year.

Breakeven is approximately 500,000 to 1,000,000 triggered transactions per year, depending on Notabene's exact pricing and your engineering cost.

For a growing payments business, breakeven is likely within 18 to 24 months.

Jurisdiction-by-Jurisdiction Differences

Travel rule is not universal. US (FinCEN) requires it for all VASPs above USD 3,000. EU (AMLD6, adopted 2023) requires it above EUR 1,000. Singapore (MAS) exempts low-value transactions (under SGD 5,000). Japan (FSA) requires it for all cross-VASP transfers. Switzerland (FCA) requires it above CHF 10,000. If you operate in multiple jurisdictions, build a jurisdiction-specific configuration file and apply the appropriate rules at transaction initiation time.
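A jurisdiction table combined with the exemptions from "When Travel Rule Triggers" gives a single classification function. This is an added example, not code from the article: the field names and reason strings are hypothetical, amounts are assumed to be already converted to the jurisdiction's currency, and an amount exactly at the threshold is assumed to trigger.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional, Tuple

# Thresholds as stated in the article, in each jurisdiction's own currency.
THRESHOLDS = {
    "US": Decimal("3000"),   # USD
    "EU": Decimal("1000"),   # EUR
    "SG": Decimal("5000"),   # SGD
    "JP": Decimal("0"),      # all cross-VASP transfers
    "CH": Decimal("10000"),  # CHF
}

@dataclass(frozen=True)
class Transfer:
    jurisdiction: str
    amount: Decimal                    # in the jurisdiction's currency (assumption)
    originator_vasp: str
    beneficiary_vasp: Optional[str]    # None = self-hosted wallet or unknown status
    originator_entity: str
    beneficiary_entity: Optional[str]  # None = owner of the address is not known

def classify(t: Transfer) -> Tuple[bool, str]:
    """Return (triggers, reason); store the reason with the transaction for audit."""
    if t.jurisdiction not in THRESHOLDS:
        # Fail closed: an unconfigured jurisdiction is an error, not an exemption.
        raise ValueError(f"no travel rule configuration for {t.jurisdiction!r}")
    if t.beneficiary_entity is not None and t.beneficiary_entity == t.originator_entity:
        return False, "intra-business"
    if t.beneficiary_vasp is None:
        return False, "non-vasp-or-unknown"
    if t.beneficiary_vasp == t.originator_vasp:
        return False, "intra-vasp"
    if t.amount < THRESHOLDS[t.jurisdiction]:
        return False, "below-threshold"
    return True, "cross-vasp"

# Constructed sample transfers, not real data.
SAMPLE = [
    Transfer("US", Decimal("2999.99"), "vasp-a", "vasp-b", "alice", "bob"),
    Transfer("EU", Decimal("1000"), "vasp-a", "vasp-b", "alice", "bob"),
    Transfer("JP", Decimal("1"), "vasp-a", None, "alice", None),
]
RESULTS = [classify(t) for t in SAMPLE]
```

The same table doubles as the fixture source for the Month 1 test suite of triggering and non-triggering transactions.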

Implementation Path

Month 1 involves defining transaction classification logic and building a test suite (25 triggering, 25 non-triggering transactions). Month 2 integrates the VASP registry and tests counterparty lookup. Month 3 builds the data collection flow. Month 4 builds counterparty integration (connect to at least one VASP's API). Month 5 extends to additional endpoints with error handling. Month 6 goes live, monitors performance, and iterates.

This is a six-month effort for a team with compliance and engineering capability. Only do this if you expect 100,000+ triggered transactions per year. Below that, outsource to Notabene. Above that threshold, build it yourself for better control, integration, and dramatically lower costs.