Self-Hosted Wallets and the Travel Rule: Navigating Regulatory Challenges

The integration of the Crypto Travel Rule has presented numerous compliance challenges, particularly for entities interacting with self-hosted wallets. These wallets, controlled by individuals rather than regulated Virtual Asset Service Providers (VASPs), complicate the tracking and reporting requirements set out by AML (Anti-Money Laundering) regulations like the Financial Action Task Force’s (FATF) Recommendation 16. With new regulatory frameworks like MiCA (Markets in Crypto-Assets) and the European Union’s Transfer of Funds Regulation (TFR) extending oversight to crypto-assets, self-hosted wallets are now under greater scrutiny. This blog aims to unravel how the Travel Rule applies to self-hosted wallets and the challenges it brings to Crypto Asset Service Providers (CASPs) across jurisdictions.

Key Point Summary

• Understanding the Role of Self-Hosted Wallets in Crypto Transactions
• MiCA and the Crypto Travel Rule: A Brief Overview
• The Key Challenges with Self-Hosted Wallets
• Self-Hosted Wallets: Obligations Under MiCA and the Travel Rule
• Jurisdiction-Specific Regulations for Self-Hosted Wallets
• Implementing the Travel Rule for Self-Hosted Wallets: Key Strategies for CASPs

Understanding the Role of Self-Hosted Wallets in Crypto Transactions

Self-hosted wallets (also known as unhosted wallets) are digital wallets where the user, rather than a third-party institution like a VASP, holds and manages the private keys. These wallets, such as those provided by Ledger or Trezor, offer full control and ownership of cryptocurrency assets. The user becomes responsible for all transaction security, making these wallets popular for safeguarding crypto from hacks and unauthorized access in centralized exchanges.

However, from a regulatory perspective, self-hosted wallets pose challenges for AML compliance. Unlike transactions between two regulated entities, transactions between a regulated entity and a self-hosted wallet require extra verification measures to ensure that the transaction does not facilitate money laundering or terrorist financing.

MiCA and the Crypto Travel Rule: A Brief Overview

The Markets in Crypto-Assets (MiCA) Regulation and the Travel Rule, outlined in FATF’s Recommendation 16, are intended to create standardized rules for tracking and reporting cryptocurrency transactions. These regulations aim to enforce AML standards and prevent crypto from being misused for illicit activities. They mandate that VASPs and CASPs share detailed information about the originator and beneficiary for transfers exceeding certain thresholds.

MiCA is especially relevant as it extends the scope of EU’s Transfer of Funds Regulation (TFR) to cover crypto-assets and apply the Travel Rule to CASPs operating in the European Union. Under MiCA, CASPs are required to obtain and share information about their clients’ transactions to ensure compliance with AML and counter-terrorism financing (CTF) laws.

The Key Challenges with Self-Hosted Wallets

While the Travel Rule is relatively clear when it comes to transactions between two regulated VASPs, applying it to transactions involving self-hosted wallets is far more complex. Self-hosted wallets are generally outside the direct control of regulated institutions, meaning VASPs must verify ownership of the wallet before approving the transaction. The main challenges include:

• Verifying Ownership: Unlike transactions between VASPs, there is no easy way to verify the identity of the owner of a self-hosted wallet.
• Data Collection: Under the Travel Rule, VASPs must collect and hold detailed information (such as name, address, and account numbers) on the transaction originator and beneficiary. With self-hosted wallets, gathering this data can be problematic.
• Privacy Concerns: Self-hosted wallets offer a high degree of privacy to users, and users often choose them for that very reason. Requiring users to submit personal information and wallet details may raise privacy concerns and drive users away from regulated entities.
• Risk of Non-Compliance: Inadequate verification measures could lead to non-compliance with AML/CTF laws, subjecting VASPs to significant penalties.

Self-Hosted Wallets: Obligations Under MiCA and the Travel Rule

MiCA and the Travel Rule introduce stringent obligations for crypto-asset transfers, including self-hosted wallet transactions. Below, we outline how CASPs must handle self-hosted wallets under different scenarios.

1. Transactions Under €1,000:

   • CASPs must collect and store basic information (such as name, account number, and wallet address) about both the originator and the beneficiary. However, there is no obligation to verify ownership for transfers below this threshold.

2. First-Party Transactions Over €1,000:

   • For transfers where the originator is a customer of the CASP, the CASP must verify ownership of the self-hosted wallet using at least one technical means, such as cryptographic proof (e.g., signing a transaction from the wallet) or sending a micro-transaction from the self-hosted wallet to the CASP.

3. Third-Party Transactions Over €1,000:

   • For transactions involving a third-party self-hosted wallet (i.e., not owned by the CASP’s customer), the CASP must implement risk mitigation measures. This includes enhanced due diligence steps, such as cross-referencing the provided data with blockchain analytics and external verification methods.

Jurisdiction-Specific Regulations for Self-Hosted Wallets

Different jurisdictions apply the Travel Rule to self-hosted wallets in varying ways. Below, we summarize the Travel Rule application across key jurisdictions:

1. Switzerland:

   • FINMA Guidance (02/2019) applies strict standards, requiring VASPs to verify ownership and identity when transacting with self-hosted wallets. This regulation ensures that self-hosted wallets are treated with the same level of scrutiny as wallets hosted by regulated entities.
   • For example, if a customer sends crypto from their self-hosted wallet to a Swiss-regulated entity, the entity must first confirm ownership using technical methods.

2. European Union:

   • Under MiCA’s Transfer of Funds Regulation, CASPs must gather detailed information for transactions involving self-hosted wallets. For transactions above €1,000, CASPs must verify ownership using technical measures.
   • However, the EU’s approach differs slightly from the FATF's guidance by setting no minimum threshold for implementing the Travel Rule. This makes the EU regulations more stringent in some respects.

3. United States:

   • The U.S. Financial Crimes Enforcement Network (FinCEN) has emphasized the risks posed by self-hosted wallets in its Travel Rule guidance. FinCEN requires full reporting for transactions involving self-hosted wallets when the transaction value exceeds $10,000.
   • FinCEN’s rules are also more stringent when dealing with high-risk transactions, requiring verification and enhanced due diligence for wallets suspected of being used for money laundering.

Implementing the Travel Rule for Self-Hosted Wallets: Key Strategies for CASPs

Given the complexities of self-hosted wallets, CASPs must adopt robust systems and strategies to remain compliant. Some key strategies include:

• Using Blockchain Analytics: CASPs can leverage blockchain analytics to track the transaction history of self-hosted wallets and ensure that no illicit activities are involved.
• Cryptographic Verification: By using cryptographic techniques (such as micro-transactions or signing a message from the wallet), CASPs can verify ownership of self-hosted wallets.
• Enhanced KYC/AML Procedures: CASPs should employ enhanced due diligence (EDD) measures when dealing with self-hosted wallets, especially for high-value or high-risk transactions.
• Automating Compliance: CASPs can streamline compliance by integrating AML tools, such as MarketGuard, which offer automated data collection, real-time monitoring, and regulatory reporting.

Conclusion

The growing popularity of self-hosted wallets presents both opportunities and challenges for the crypto industry. While these wallets provide users with greater control and privacy, they complicate compliance with regulations like the Travel Rule. As regulators like the FATF, EU, and FinCEN continue to refine their guidelines, it’s crucial for CASPs to adopt comprehensive solutions that balance user privacy with regulatory compliance.

MarketGuard is a robust AML and KYC tool that helps CASPs navigate the regulatory landscape. With features like real-time monitoring, transaction analysis, and compliance automation, MarketGuard ensures that your business stays compliant while safeguarding financial privacy.

For more information about how we can help reach out to us. We're here to help and answer any questions you may have.

Contact us!

***

References

1. Financial Action Task Force (FATF). (2021). Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. Retrieved from https://www.fatf-gafi.org/publications/fatfrecommendations/documents/Updated-Guidance-RBA-VA-VASP.html

2. European Parliament. (2023). Markets in Crypto-Assets (MiCA) Regulation. Retrieved from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1113

3. FINMA. (2019). FINMA Guidance on the Application of the Travel Rule for VASPs. Retrieved from https://www.finma.ch/en/documentation/circulars/

4. U.S. Department of the Treasury. (2022). FinCEN's Travel Rule Guidance for Virtual Assets. Retrieved from https://www.fincen.gov/sites/default/files/2022-03/TravelRuleGuidance.pdf

5. CoinDesk. (2021). Crypto Mixers and Money Laundering: How Mixers Are Used to Obscure Transactions. Retrieved from https://www.coindesk.com/learn/crypto-mixers-how-they-work

6. Chainalysis. (2022). The Role of Mixers in Crypto Crime and Money Laundering. Retrieved from https://blog.chainalysis.com/reports/2022-crypto-crime-report

7. Samourai Wallet. (n.d.). Samourai Wallet: Enhance Bitcoin Privacy with CoinJoin Technology. Retrieved from https://samouraiwallet.com

8. Tornado Cash. (2022). The Role of Decentralized Mixers in Obscuring Illicit Crypto Transactions. Retrieved from https://tornado.cash

9. Brummer, C., & Gorfine, D. (2020). The Crypto Conundrum: Regulating Virtual Asset Service Providers under the FATF Travel Rule. Duke Law Journal, 69(8), 222-239. Retrieved from https://scholarship.law.duke.edu/dlj/vol69/iss8/3/

10. European Banking Authority (EBA). (2023). Final Travel Rule Guidelines for Virtual Asset Service Providers. Retrieved from https://www.eba.europa.eu/documents/10180/930752/Final+Guidelines+on+the+Travel+Rule

11. Financial Stability Board (FSB). (2022). Regulating Crypto-Assets: International Coordination and the Role of the Travel Rule. Retrieved from https://www.fsb.org/2022/10/regulating-crypto-assets-international-coordination

12. CryptoSwift. (2023). Travel Rule API Documentation. Retrieved from https://cryptoswift.eu/docs/travel-rule-api

13. Reuters. (2022). U.S. Government Sanctions Tornado Cash Over Money Laundering Concerns. Retrieved from https://www.reuters.com/article/us-finance-tornadocash-sanctions-idUSKCN25I1TW

14. CoinTelegraph. (2023). MiCA and the Crypto Travel Rule: European Union Tightens AML Regulations. Retrieved from https://cointelegraph.com/news/eu-tightens-crypto-regulations-with-mica-and-travel-rule