No term generates more debate in cryptocurrency compliance circles than “unhosted wallets.”
Unhosted wallets are under scrutiny from anti-money laundering and countering the financing of terrorism (AML/CFT) regulators, who worry that they pose an increased risk of financial crime in crypto-asset transactions. However, several related policy proposals have met with significant pushback from the crypto industry.
For compliance professionals, understanding regulatory trends regarding unhosted wallets is critical to staying ahead of rapidly evolving cryptocurrency compliance requirements.
FATF
Non-hosted wallets – also called “self-hosted” wallets – are crypto-asset wallets that allow private users to exercise full control over their funds. They contrast with hosted wallets, which are crypto wallets held by third parties – usually regulated virtual asset service providers (VASPs) or financial institutions – that can access and control user funds.
Unhosted wallets are part of a key cryptocurrency innovation: they allow individuals to conduct digital transactions without relying on a regulated financial institution. Accordingly, users of unhosted wallets do not go through a Know Your Customer (KYC) check. They can simply transact in Bitcoin or other cryptoassets with other users located anywhere in the world.
This ability to undertake cross-border digital transactions outside the regulated financial sector naturally attracted the attention of AML/CFT regulators. In its guidance on virtual assets, the Financial Action Task Force (FATF) elaborated on the potential risks and articulated appropriate guidelines.
According to the FATF, transactions involving non-hosted wallets “may be attractive to illegal actors due to anonymity, lack of portability restrictions, mobility, transaction speed and usability.” An additional source of risk is that peer-to-peer (P2P) transactions – that is, transactions between two unhosted wallets – operate entirely outside the regulatory perimeter.
Since neither party to the transaction is a regulated VASP, “illegal actors can take advantage […] P2P transactions to hide the proceeds of crime because there is no obligee to perform the basic functions of FATF standards, such as CDD [customer due diligence] and filing a Suspicious Transaction Report (STR)”.
The FATF therefore proposes that the responsibility for risk management related to non-hosted wallets should fall mainly on regulated VASPs such as cryptocurrency exchange platforms, whose customers may transact with non-hosted wallets.
According to the FATF, countries should assess the risks they face in relation to unhosted wallets and P2P transactions. They should then implement regulations to mitigate those risks. This may include:
- requiring VASPs to keep records and/or report on transactions they facilitate with non-hosted wallets;
- enforcing increased oversight of VASPs that transact with unhosted wallets;
- issuing guidance to VASPs highlighting the risks associated with unhosted wallets;
- prohibiting VASPs from transacting with non-hosted wallets involving blacklisted addresses or unacceptable sources of funds; and
- banning VASPs from transacting with unhosted wallets.
The FATF guidelines also describe the information that VASPs should collect about the individuals behind the non-hosted wallets with which their customers transact.
Under the Travel Rule, VASPs must collect and share personally identifiable information about payment originators and beneficiaries with their counterparty VASPs, just as banks share customer information when they send wire transfers through the SWIFT messaging system. However, when one party to a crypto transaction uses a non-hosted wallet, the relevant customer data cannot be transmitted, because only one regulated party is involved in the transaction and there is no regulated counterparty to send or receive it.
The FATF therefore states that when VASPs transact with non-hosted wallets, they should collect and retain the name and wallet address of the counterparty, but clarifies that VASPs do not need to transmit or verify that information.
Divergent approaches across countries
FATF guidelines shape how regulators respond, although different approaches have emerged.
The first major action came from the United States, where in December 2020 the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a proposed rule on unhosted wallets. The agency said that US money services companies and financial institutions that enable transactions with non-hosted wallets should, first, obtain the identities of the parties behind the non-hosted wallets with which their customers transact in amounts above $3,000. Second, they should file Currency Transaction Reports (CTRs) on transactions with non-hosted wallets that are greater than $10,000.
The proposal drew loud criticism from the crypto-asset industry, which opposed the requirement to identify users of unhosted wallets on the grounds that VASPs should not be expected to verify the identities of counterparties who are not their customers.
Upon taking office in early 2021, President Joe Biden’s administration paused the proposed rulemaking, which remains stalled. The Treasury, however, is “working to address the unique risks associated with hostless wallets,” Deputy Finance Minister Wally Adeyemo said in a speech to the crypto industry in June 2022.
Further action by the United States may therefore be on the horizon. Indeed, US regulators remain actively focused on this issue. In a consent order issued against Anchorage Digital Bank in April 2022, the US Office of the Comptroller of the Currency (OCC) clarified that it expects banks that handle cryptocurrencies to have “processes to effectively identify transactions involving non-hosted wallets”.
On June 29, European Union policymakers agreed on changes to the EU Funds Transfer Regulation that will require VASPs to verify non-hosted wallet users for transactions above €1,000 ($1,000) — a requirement that mirrors FinCEN’s delayed proposal. Under EU regulations, VASPs must also assess the risks for all transfers with non-hosted wallets, which includes assessing the source of funds for signs of sanctions and the risk of illicit financing, regardless of value.
Great Britain also announced its plans in June. Unlike the EU, the UK will not require VASPs to verify non-hosted wallet users. Instead, VASPs will only be required to collect, but not verify, the names of non-hosted wallet users for transactions they deem to pose increased risks of illicit financing. In other words, the UK has decided to allow a flexible risk-based approach, while the EU proposal is one-size-fits-all.
Next, the Philippines took a drastic approach. In January 2021, the Central Bank of the Philippines banned VASPs from transacting with unhosted wallets. According to the bank, VASPs can only transact with VASPs or other regulated financial institutions, limiting them to executing transactions where both the originator and beneficiary are subject to full AML/CFT checks.
Risk management
Approaches may vary, but the trend is clear: regulators expect risk management related to unhosted wallets. Three vital components form the basis of an effective compliance response to these evolving requirements.
First, compliance teams at regulated firms must be able to distinguish between transactions involving hosted and non-hosted wallets, so they can establish separate workflows to manage the respective risks. Existing solutions that combine blockchain analytics and Travel Rule compliance capabilities can help businesses do this.
Second, compliance teams must be able to assess the risks associated with unhosted wallets. Again, blockchain analytics solutions can help by providing insight into counterparty wallets that pose risks associated with money laundering, terrorist financing or sanctions violations.
Finally, the compliance team should have written policies and procedures that state how they will review, evaluate and, where necessary, report information related to non-hosted wallets.
Unhosted wallets will certainly remain a hotly debated topic, but compliance teams should take steps today to prepare for new regulatory requirements taking shape.