Portugal’s Travel Rule: What CASPs Need to Know
In December 2025, Portugal adopted Law No. 69/2025 and Law No. 70/2025, implementing Regulation (EU) 2023/1114 (MiCA) and Regulation (EU) 2023/1113 (TFR). These measures align Portugal’s AML framework with EU standards for fund and crypto-asset transfers, as well as the FATF’s recommendations.
Supervisory responsibilities are shared between the national authorities. In broad terms, the Banco de Portugal (BdP), Portugal’s national bank, is responsible for supervising the issuance of stablecoins, including asset-referenced tokens and e-money tokens, and for authorising crypto-asset service providers (CASPs). The Comissão do Mercado de Valores Mobiliários (CMVM), Portugal’s securities market regulator, oversees the issuance of crypto assets other than stablecoins as well as market abuse.
Understanding the Regulatory Obligations for Crypto Asset Service Providers
Scope of the Travel Rule in Portugal
Portuguese regulators have aligned their framework with the requirements of the Transfer of Funds Regulation (TFR), including the amendments introduced by Article 38, which update the EU’s existing anti-money laundering rules under the Fifth AML Directive.
As a result, the Portuguese Travel Rule applies to transfers of funds and crypto-asset transfers that are sent or received by payment service providers, CASPs, or intermediary service providers (such as brokers and custodians) established in the European Union. [TFR, Chapter I, Article 1]
The regulation also covers transactions involving self-hosted wallets whenever at least one registered entity, such as a CASP, participates in the transfer.
Compliance Obligations for Originator CASPs
Under Article 14 of the TFR, originator CASPs must ensure every crypto-asset transfer includes full and accurate information about both the originator and the beneficiary (listed under Required Travel Rule Data).
The required information must be submitted securely in advance of, or at the same time as, the transfer and does not need to be embedded directly in the transaction itself. CASPs must verify the accuracy of the originator’s information using reliable and independent sources before executing any transfer and must not initiate or process a transaction until all requirements are met.
In all cases, where a transfer is not linked to a crypto-asset account or DLT-registered address, a unique transaction identifier must accompany the transfer. [Section 2. Article 14]
Required Travel Rule Data
Like the rest of the EU, the Portuguese Travel Rule is applicable irrespective of the transaction’s value. For every transaction, originator CASPs must ensure that the following data is communicated with each transaction:
- originator's name,
- originator's distributed ledger address,
- originator's crypto asset account number,
- originator's address, which must include the name of the country, official personal document number and customer identification number, or alternatively, date and place of birth,
- originator's LEI (where applicable, or an equivalent official identifier).
- beneficiary's name,
- beneficiary's distributed ledger address,
- beneficiary's crypto asset account number,
- beneficiary's LEI (where applicable, or an equivalent official identifier).
Compliance Obligations for Beneficiary CASPs
Beneficiary CASPs must have effective procedures in place to ensure that the required information on both the originator and the beneficiary accompanies, or is received with, crypto-asset transfers, including thorough ongoing or post-transaction monitoring where appropriate.
Before making crypto-assets available, beneficiary CASPs must verify beneficiary information using reliable, independent sources. Verification is met if the beneficiary has already been identified under EU AML customer due diligence rules.
How Beneficiary CASPs Must Handle Missing Travel Rule Information
The beneficiary’s CASP must apply risk-based procedures to decide whether to execute, suspend, reject, or return crypto-asset transfers that lack complete originator or beneficiary information, and take appropriate follow-up action without delay.
Where information is missing or incomplete, the CASP must either request the required details before releasing the assets, or reject or return the transfer.
In cases of repeated failures by another CASP, the receiving CASP may restrict, terminate, or refuse future transactions and report the issue to the competent authority. Missing or incomplete information must also be considered when assessing whether a transfer is suspicious and should be reported to the Financial Intelligence Unit (FIU). [Section 2. Article 16 - 18]
Self-hosted Wallets
Self-hosted wallets fall under the scope of the Portuguese Travel Rule when at least 1 regulated entity is involved.
To comply, the originating CASP must collect and retain the required Travel Rule information, ensuring that each transfer can be uniquely identified.
For transactions of EUR 1,000 or more, CASPs are also required to request proof that the self-hosted wallet is owned or controlled by the originator or beneficiary. [TFR, Chapter III, Section 1, Article 1(5)]
In addition, Article 19(a) requires Member States to assess and identify the risks associated with transfers involving self-hosted wallets. As a result, CASPs must apply controls that are proportionate to the risks identified.
These controls may include one or more of the following measures:
(a) applying a risk-based approach to identify and verify the identity of the sender or recipient of a transfer involving a self-hosted wallet, or their beneficiary owner, including where the information is obtained from third parties;
(b) requesting additional information on the source and destination of the crypto assets involved;
(c) conducting enhanced and ongoing monitoring of such transactions; and
(d) implementing any other measures necessary to mitigate and manage money laundering, terrorist financing, and sanctions-related risks.
Authorisation for CASPs
Under Portugal’s framework, any entity intending to provide crypto-asset services must obtain prior authorisation from the BdP.
The CMVM is also involved in this process. When an application is submitted to the BdP, the CMVM is notified by the BdP.
Once notified, the CMVM is required to issue an opinion on the completeness of the application, with particular focus on the applicant’s internal policies, business plan, and compliance with Title V of MiCA.
The CMVM has between 10 and 15 business days to provide its opinion; if no opinion is issued within this timeframe, it is deemed that the CMVM raises no objection to the granting of authorisation by the BdP.
Following authorisation, the BdP must keep the CMVM informed of any changes to the business activities of CASPs, including the cross-border provision of services, and may request information from the CMVM regarding the market conduct of authorised entities.
In line with MiCA’s transitional arrangements, CASPs already registered with the BdP may continue operating while seeking full MiCA authorisation, provided they obtain a licence by 1 July 2026.
In Conclusion
Portugal’s implementation of the Travel Rule establishes a firm compliance framework for CASPs, ensuring transparency and accountability in every transfer.
By imposing strict requirements for data collection, verification, recordkeeping, and security measures, including additional obligations for transactions involving self-hosted wallets, the Portuguese regime aligns closely with EU standards under the TFR.
Together, these measures are designed to strengthen AML/CFT safeguards, promote trust in digital asset transactions, and support the integrity of the financial system.
21 Travel Rule and the Portuguese Travel Rule
21 Travel Rule offers Portuguese CASPs a secure Travel Rule solution that meets all BdB, CMVM and TFR requirements.
The solution streamlines counterparty identification using automated discovery and due diligence features, reducing the risk of non-compliant transfers or returned assets.
Combining automated self-hosted wallet verification, global interoperability, and secure data management, 21 Travel Rule delivers faster, safer transactions while maintaining full compliance with local and international regulations.
Become Travel Rule Compliant with 21 Analytics
Further Reading
Lei n.º 69/2025, de 22 de dezembro
Lei n.º 70/2025, de 22 de dezembro
Portuguese AML/CFT framework (Lei n.º 83/2017, de 18 de agosto)
Portugal’s Travel Rule Summary
Disclaimer
This material is provided for educational and informational purposes only and is not intended to be a substitute for professional advice or detailed research.
