Travel Rule Weaponized? CASP Duty of Care Risks

Alejandro Martínez · 2026-06-11

Recent decisions from the Maltese Arbiter against Crypto.com are sending shockwaves through the crypto-asset service provider (CASP) world. The EU Travel Rule isn't just an anti-money laundering (AML) checkbox anymore. It's increasingly being treated as a consumer-protection standard. That shift can create real civil liability for CASPs, especially when transfers over $1,100 (converted from €1,000) to self-hosted wallets are involved. ### What the Arbiter Actually Said The Arbiter made it crystal clear: customer self-declarations aren't enough. He ruled that firms must use stronger verification methods to confirm wallet ownership. This isn't about being overly cautious. It's about meeting a basic duty of care that regulators and courts now expect. Here's the key distinction he drew: he can't impose AML sanctions himself. But he can decide whether weak Travel Rule controls breached a provider's duty of care and contributed to a client's loss. That means a CASP might face compensation orders even without a separate regulatory penalty. Think about that for a second. No fine from a financial watchdog, but still on the hook for a client's stolen funds. ### The Scam Victim Reality Check In the cases discussed, scam victims were tricked into transferring crypto to external wallets. The provider relied on simple in-app declarations. The Arbiter saw that as insufficient protection. His message was blunt: disclaimers and warnings can't compensate for weak internal controls, especially when scam risk is visible. This is where things get real for CASPs. If your system flags suspicious behavior but you still let the transaction go through with just a pop-up warning, you might be liable. The Arbiter's logic suggests that visible risk requires active intervention, not just passive notifications. ### Practical Implications for CASPs So what does this mean for your compliance team? Travel Rule compliance now needs to be operationally robust, not merely formal. You can't just have a policy on paper. Your controls need to actually work in practice. - Wallet verification must go beyond self-declarations. Consider using blockchain analytics or third-party verification tools. - Monitoring systems should flag unusual patterns, not just check boxes. If a customer suddenly sends large amounts to unknown wallets, that's a red flag. - Fraud response controls need to be proactive. Don't just warn users. Consider holding transactions for manual review when risk indicators are high. The broader lesson is that duty of care is becoming a real liability driver. Regulators and arbiters are looking at what you could have done, not just what you did. If a reasonable CASP would have caught the scam, you might be on the line. ### What This Means for Your Business This isn't just about Europe. US-based CASPs should pay attention too. The Travel Rule is global, and consumer-protection expectations are converging. If you serve EU customers or handle cross-border transfers, these decisions set a precedent that could influence US courts. Here's the bottom line: your compliance framework needs to evolve. Treat Travel Rule requirements as a consumer-safeguard tool, not just an AML formality. Invest in verification technology. Train your fraud team to look for scam indicators. And document everything, because if a dispute arises, you'll need to show you took reasonable steps. The Arbiter's decisions are a wake-up call. The old days of relying on disclaimers are over. CASPs that adapt quickly will build trust and avoid costly liability. Those that don't? They'll learn the hard way that duty of care is more than a legal term. It's a business imperative.