AML & Travel Rule (USDT / TRC20)
Sanctions screening, transaction monitoring, and FATF Travel Rule data for inbound USDT deposits.
Last Updated: 2026-05-07 | Version: 1.0 (draft — pending counsel and VASP-partner sign-off)
Draft: the named gateway, blockchain-analytics provider, Travel-Rule messaging vendor, and threshold values below must be confirmed by your AML / MLRO function and counsel before this page is treated as a definitive disclosure.
1. Why a Travel Rule statement
CardsFlow accepts only USDT over the TRC20 network for account funding. The Financial Action Task Force (FATF) Recommendation 16 — the “Travel Rule” — requires Virtual Asset Service Providers (VASPs) and obliged financial institutions to collect and transmit identifying information about the originator and beneficiary of qualifying virtual-asset transfers above defined thresholds. This page sets out how CardsFlow and its gateway partner meet that obligation.
2. Programme partner
AML screening, transaction monitoring, and Travel-Rule data exchange for inbound USDT (TRC20) deposits are operated by {{ TODO: e.g., NowPayments }}, our regulated payment gateway partner, as part of their published compliance programme. CardsFlow integrates that programme into the user-funding flow and applies its own additional controls described below.
3. Sanctions screening
Before any USDT deposit is credited to a CardsFlow account balance:
- The originating wallet address is checked against blockchain-analytics risk indicators provided by {{ TODO: e.g., Chainalysis / TRM Labs / Elliptic }}.
- Any address associated with sanctioned jurisdictions, sanctioned persons, OFAC SDN entries, EU consolidated list entries, UK HMT list entries, or other applicable sanctions regimes is rejected.
- Addresses linked to known mixers, darknet markets, ransomware payouts, or high-risk exchanges are rejected or escalated for manual review.
4. Travel-Rule data exchange
For inbound USDT (TRC20) transfers above {{ TODO: USD 1,000 / EUR 1,000 (FATF de minimis) — confirm with MLRO }} that originate from another VASP, CardsFlow (through its gateway partner) participates in Travel-Rule data exchange using {{ TODO: e.g., TRP / IVMS-101 / Sumsub TR / Notabene / VerifyVASP }}. The data exchanged includes:
- Originator name, account / wallet identifier, and (where required) physical address or government identifier.
- Beneficiary name and account / wallet identifier on the CardsFlow side.
- Transaction amount, currency, and on-chain transaction hash.
Where the originating wallet is self-hosted (non-custodial) and not associated with a registered VASP, CardsFlow applies enhanced due diligence proportionate to the amount and risk profile of the deposit, in accordance with the regulator's expectations for self-hosted-wallet transfers.
5. Transaction monitoring
All USDT deposits and onward funding events are subject to ongoing monitoring for patterns indicative of structuring, layering, integration, abuse of card products, or sanctions evasion. Alerts are reviewed by the MLRO function described in our AML & Compliance Policy. Suspicious activity is reported to the relevant Financial Intelligence Unit through Suspicious Activity Reports (SARs / STRs) where required by law.
6. Customer Due Diligence (CDD)
CardsFlow operates a privacy-preserving eligibility model for the account-creation step. Identity attributes required for AML and Travel-Rule compliance are collected at the funding step and at thresholds defined by our gateway partner, including:
- Standard CDD: identity verification, residency confirmation, and source-of-funds attestation.
- Enhanced Due Diligence (EDD): applied to politically exposed persons (PEPs), residents of higher-risk jurisdictions, and deposits above the EDD threshold of {{ TODO: confirm threshold }}.
- Ongoing review: CDD records are refreshed on a risk-based schedule and on every material change in user activity.
7. Prohibited activities
The activities listed in our Prohibited Use policy — including but not limited to use of mixers / tumblers, attempts to fund accounts from sanctioned wallets, structuring, and use of the service for unlicensed money-service activity — are not permitted. Detection of any such activity will result in immediate suspension and, where required, reporting to the relevant authorities.
8. Record-keeping
Travel-Rule data, sanctions-screening evidence, monitoring alerts, and CDD records are retained for a minimum of {{ TODO: 5 / 7 years — confirm with counsel }} from the closure of the user relationship, in line with applicable law.
9. Contact
- MLRO: compliance@cardsflow.net
- Sanctions / Travel-Rule queries: compliance@cardsflow.net
- General support: support@cardsflow.net