Recently, unhosted wallets have started to attract rising attention from regulators and authorities, with FinCEN and the FATF seeking to control.
Individuals have lots of choices when it comes to saving treasured cryptocurrencies. They can use a well-hosted wallet (sometimes called a custodial wallet), which involves an intermediary (a host) that usually receives, stores, and transmits the assets on behalf of their clients. For example, a centralized crypto exchange can be a hosted wallet provider, with which an individual sets up an account/wallet. In such cases, the value stored belongs to the account owner, but the funds are controlled by the wallet provider/host (pursuant to the contractual arrangement and instructions from the client).
Alternatively, cryptocurrencies can be stored in an unhosted wallet (sometimes called also a self-hosted, or non-custodial, wallet), which is effectively software installed on a computer, phone, or other devices. The funds in an unhosted wallet are controlled by an individual, without the need for an intermediary, similar to the real cash in a physical wallet.
Users of unhosted wallets can usually communicate directly with a digital currency system without the involvement of a financial institution, service provider, or another intermediary. Users of unhosted wallets can receive, send and exchange their crypto assets with other unhosted wallets, or on an exchange platform, without revealing their identity. Naturally, transactions involving unhosted wallets are more difficult to trace and scrutinize for Anti-Money Laundering and Counter-Terrorism Financing compliance.
Unhosted wallets have now started to attract increasing attention and scrutiny from authorities. The Financial Crimes Enforcement Network (FinCEN) — the United States authority with a mandate to protect the financial system from illicit use, money laundering and terrorism financing, and to promote national security — expressed the view that transactions using unhosted wallets increase AML/CTF risks. Its concerns also relate to wallets hosted by a foreign financial institution not subject to effective AML regulation — “otherwise covered wallets” — for example, from countries such as Burma or North Korea. The Financial Action Task Force (FATF), the intergovernmental policy-making body that monitors and sets international standards for AML/CTF rules, has similar concerns.
Even though data on public blockchain networks tends to be open and transparent, and could be used to help trace network activity, authorities like FinCEN do not consider this sufficient for mitigating the risks of unhosted wallets.
In December 2020, FinCEN issued a proposal called “Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets,” with a broader aim to address the illicit finance threat perceived to be brought on by unhosted or covered wallets. FinCEN proposed establishing new reporting and recordkeeping requirements, similar to the rules for traditional funds transfers.
The new requirements would be applicable to transactions involving unhosted or otherwise covered wallets, including deposits, withdrawals, exchanges, and other payments or transfers of convertible virtual currency or digital assets with legal tender status (central bank digital currencies) through a bank or money service businesses (MSBs).
According to the proposal, if a transaction exceeds $10,000 (or is one of multiple transactions within a 24-hour period that, in aggregate, exceeds that amount), the bank or an MSB will have to file a report with FinCEN and include certain information in relation to the transaction, the counterparty (name and physical address) and a verification of the identity of its customer. If a transaction exceeds $3,000, banks and MBSs will be required to keep records of the transaction and counterparty, including verifying the identity of their customer.
Shortly afterward in March 2021, the FATF issued draft guidance for a risk-based approach to virtual assets (VA) and virtual asset services providers (VASPs). It recommends that virtual asset transfers to or from unhosted wallets should be treated as higher-risk transactions by VASPs and should be subject to enhanced scrutiny and limitations.
The FATF also recommends that individual countries should understand how peer-to-peer transactions are being used in their jurisdiction, and what the potential money laundering and terrorism financing from such transactions. If these risks are considered unacceptably high, countries should aim to improve the visibility of P2P transactions and limit their exposure to them. They could achieve this through measures such as issuing guidance or imposing controls, equivalent to currency transaction reports or reporting of cross-border instrument transfers.
The FATF is very explicit that its recommendations do not place AML/CTF obligations on individuals, but on intermediaries between individuals and the financial system. Therefore, pure P2P transactions would not be subject to those obligations. However, in the case of VA transfers where only one party is an obliged entity — like a VASP, and the other is an unhosted wallet, for example, the FATF recommends that such virtual assets transfers are treated as higher-risk transactions by VASPs. The FATF is effectively seeking to extend the application of the Travel Rule to VASPs if a virtual asset transfer involves an unhosted wallet.
If a country considers the risks from P2P transactions unacceptably high, the FATF also recommends mitigating measures including enhancing on-site and off-site supervision or denying licensing to VASPs that enable unhosted wallet transactions. Countries may also oblige VASPs to accept transactions only to and from other VASPs, or place additional recordkeeping and due diligence requirements on those VASPs that accept transactions with unhosted wallets. Countries are also directed to consider additional limitations, controls or prohibitions targeting unhosted wallets. VASPs could choose to limit or prohibit transactions to and from unhosted wallets, or to or from wallets that previously carried out P2P transactions.
Beyond FinCEN and the FATF
FinCEN and the FATF are not the only authorities seeking to close the gap on unhosted wallets. For example, Switzerland and the Netherlands have already introduced stricter controls.
The Swiss Financial Market Supervisory Authority already imposes stricter requirements on transactions above 1,000 Swiss francs (approximately $1,020) involving private wallets. These requirements include identification of the party, establishing the beneficial owner and verifying such party’s power of disposal over external wallets.
In the Netherlands, the Dutch National Bank (DNB) now requires that crypto service providers looking to officially register with the central bank must demonstrate their compliance with verification requirements under the 1977 Sanctions Act. It involves establishing the identity and place of residence of the counterparty, screening it against the sanctions lists and establishing that this person or legal entity is actually the recipient or the sender. This additional requirement has been met with a lot of criticism and is now being challenged in court.
FinCEN and the FATF seem to have aligned their approach to unhosted wallets. Their proposals have yet to be finalized and have been met with intense debate and criticism. The FinCEN proposal alone received over 7,700 comments. Initially, FinCEN controversially allowed only 15 days for comments, justifying such a short consultation period with their foreign affairs function, significant national security imperatives and previous engagements with the cryptocurrency industry. However, in mid-January 2021, FinCEN reopensed the comment period for additional 15 days for reporting requirements, and 45 days for recordkeeping and counterparty reporting obligations.
By the end of January 2021, FinCEN further extended the comments period for another 60 days; comments were closed by March 29. On the other hand, the FATF consultation period ended on April 20.
A number of concerns have been raised by the stakeholders, including legal, procedural, technical and ethical issues. There are privacy issues, since uncovering an identity behind an unhosted wallet would reveal an entire log of transactions recorded on a public network, which far exceeds the information that is being collected under the Travel Rule in traditional banking transactions.
New rules would subject service providers to additional compliance obligations with regard to parties that are not their clients, and would also force individuals to disclose personal information to their counterparty’s service provider. It is not unlikely that some service providers would choose not to support transactions with unhosted wallets to avoid additional compliance burden, which would effectively amount to an indirect ban on such transactions.
There are also a number of technical and operational issues with the implementation of these requirements. For example, DNB suggested solutions for screening counterparties that include screen sharing or video conferencing at the time of logging in, signing a transaction or sending back a small amount of crypto to the provider on request, all of which raise many issues on their own and seem unfeasible.
New constitutions could also undermine financial inclusion as unhosted wallets provide opportunities for access to financial services for unbanked or underbanked population. Imposing tight protocal on unhosted wallets could also complicate things like charitable fundraising in crypto funds, since the charities do not control who makes donations and donors often wish to remain anonymous.
As the crypto market stands at around a $2 trillion market capitalization following the recent incredible bull run, there are a lot of interests at stake when it comes to additional compliance requirements. The stakeholders eagerly await the final word from FinCEN and the FATF.