Travel Rule Weaponized? Malta Rulings Redefine CASP Duty

Alejandro Martínez · 2026-06-11

Recent rulings by Malta’s Arbiter for Financial Services signal a significant shift in how Crypto-Asset Service Providers (CASPs) must approach Travel Rule compliance. While historically viewed as a technical anti-money laundering (AML) requirement, the Travel Rule (Regulation (EU) 2023/1113) is increasingly being repurposed by the Arbiter as a core benchmark for a CASP’s duty of care and fiduciary obligations toward retail consumers. ### What the Crypto.com Cases Reveal In recent cases involving Crypto.com, the Arbiter established that relying on automated “tick-box” self-declarations for transfers exceeding $1,100 to self-hosted wallets is legally insufficient. Under the EBA Guidelines, firms are expected to demonstrate “adequate measures” to verify wallet ownership. This means you need robust technical verification—like test transactions or cryptographic proofs—not just customer input. Think about it this way: if a customer says “yeah, that’s my wallet,” that’s not enough anymore. You have to prove it. The bar has moved, and it’s a lot higher now.  ### A New Layer of Civil Liability The Arbiter has clarified that while he cannot sanction firms for AML breaches (a power reserved for the FIAU), he is fully competent to adjudicate whether a failure to implement Travel Rule standards prejudices a consumer. This distinction creates a new layer of civil liability. Even if a CASP like Crypto.com is not fined by a regulator, it may still be ordered to compensate clients if its failure to apply rigorous Travel Rule controls is causally linked to a loss. Here’s the key point: compliance failures now have direct financial consequences. It’s not just about avoiding fines anymore—it’s about protecting your bottom line from lawsuits. ### Why Contractual Disclaimers Fall Short These decisions demonstrate that contractual disclaimers and standard in-app warnings are insufficient shields when internal controls are structurally weak. As the industry evolves, the bar for “adequate measures” has been raised, requiring firms to integrate dynamic transaction monitoring with their Travel Rule protocols. - **Dynamic monitoring** means tracking transactions in real time, not just checking a box. - **Technical verification** like test transactions or cryptographic proofs is now the standard. - **Customer declarations alone** are no longer enough. ### What This Means for Your Business This jurisprudential shift underscores that compliance is no longer a box-ticking exercise. It is now a critical component of litigation risk management. Structural weaknesses in a CASP’s architecture can lead to substantial financial liability. So, what can you do? Start by reviewing your current Travel Rule procedures. Are you relying on customer self-declarations? If so, you’re likely exposed. Invest in technical solutions that verify wallet ownership. Train your team on the new standards. And remember, this isn’t just about AML anymore—it’s about protecting your clients and your business. > “Compliance is no longer a box-ticking exercise; it’s now a critical component of litigation risk management.” ### The Bottom Line The Travel Rule is being weaponized in a new way. It’s not just a regulatory requirement; it’s a tool for consumers to hold CASPs accountable. If you’re a CASP operating in the EU, or dealing with EU customers, pay attention. The rules have changed, and the stakes are higher than ever. Stay ahead of the curve. Implement robust Travel Rule controls now, before it costs you.