From FinCEN in the US to MiCA in the EU, unhosted wallets and AML compliance have already been at the heart of some regulatory debates in the last few months.
What is an unhosted wallet?
An unhosted wallet is a crypto wallet that is not hosted on a crypto platform like an exchange. Instead, it allows users to store their crypto assets outside a crypto platform. There are different types of unhosted wallets, including cold wallets like Ledger and Trezor or software wallets like Exodus or MetaMask.
What is a hosted wallet?
A hosted wallet is a wallet held on a crypto platform, such as Binance or Coinbase. It means that a third party is storing crypto assets for the users. Hosted wallets are popular because they are easy to use and fast to create.
What is the safest place to store crypto?
Hosted and unhosted wallets can both be safe if users handle their private keys and credentials carefully and follow sound internet practices. However, in the case of hosted wallets, there is a risk of hacking. Indeed, if a crypto platform suffers a hack, the attacker will be able to drain the users’ wallets of their funds.
This is why it is often said that unhosted wallets are safer than others. In this case, the user is the only owner of the private keys. Hackers can’t hack unhosted wallets unless they have access to the private keys.
Are unhosted wallets a threat to AML compliance?
Unhosted wallets can represent risks in terms of money laundering and terrorism financing. Indeed, unhosted wallets do not require users to pass know-your-customer (KYC) and customer due diligence processes before use. It is, therefore, easier to use unhosted wallets to transfer illicit VA funds, as it will be harder for law enforcement to trace the funds back to the criminal.
For example, the FATF considers virtual asset (VA) transactions to or from an unhosted wallet a risk factor.
In its latest 12-month review of the implementation of FATF’s standards on VAs and virtual asset service providers (VASPs), FATF states that it will continue monitoring emerging money laundering and terrorism financing (ML/TF) risks, including risks derived from unhosted wallets.
What is the crypto Travel Rule?
The Travel Rule refers to Recommendation 16 from the Financial Action Task Force (FATF). It states that identity information must be collected from senders and recipients of domestic and cross-border wire transfers.
In 2019, FATF’s updated guidance for a risk-based approach to VAs and VASPs applied the Travel Rule to VASPs. Therefore, VASPs must exchange identity details and KYC information before transacting. More specifically, for each transaction, the origin VASP must share data about the sender with the destination VASP. In turn, the destination VASP must share data about the receiver with the origin VASP.
The FATF assesses the progress made by the public and private sectors in implementing the Travel Rule every year. However, FATF’s latest 12-month review states that only 29 out of 98 respondent jurisdictions passed Travel Rule laws, while only a few enforced them.
What is a VASP?
VASP means virtual asset service provider. It refers to companies providing services related to virtual assets, like exchange or custody services. In its updated guidance, FATF defines VASPs as:
“Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: exchange between virtual assets and fiat currencies; exchange between one or more forms of virtual assets; transfer of virtual assets; safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.”
What does the upcoming MiCA say about unhosted wallets?
Recently, the European Committee agreed on an AML package expanding the Travel Rule to crypto-assets. The rule would require that “information on the source of the asset and its beneficiary travels with the transaction and is stored on both sides of the transfer.”
Under certain circumstances, the rule would also cover transactions from unhosted wallets to VASP-managed hosted wallets. To ensure compliance, the VASP would have to verify whether unhosted wallets belong to customers if they send or receive 1,000 euros to or from an unhosted wallet. However, P2P transfers from one unhosted wallet to another are not within the scope of the law.
What is MiCA?
MiCA, or Markets in Crypto Assets, is an EU-proposed regulation for crypto assets. The law, proposed in 2020, aims to regulate crypto assets and crypto service providers that are currently out of scope. The MiCA regulation should come into force by 2024.
How do other regulators stand on unhosted wallets?
In the UK
In June 2022, the UK’s Treasury published a response to the “Amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 Statutory Instrument 2022” consultation. The Treasury’s response states that it has modified proposals regarding unhosted wallets. It would no longer require the collection of information on the sender and the recipient of unhosted wallet transactions. Instead, VASPs should do so only if identified transactions represent higher risks of illicit activity.
The Treasury also states that unhosted wallet transactions do not systematically represent higher risks, and that there is not sufficient evidence that they are used for illicit finance.
In the US
In late 2020, FinCEN proposed controversial unhosted wallet rules stating that identity checks should be applied to unhosted wallet owners. After being repeatedly pushed back, the proposed rule returned to the Semiannual Agenda and Regulatory Plan in January 2022.
More specifically, FinCEN is proposing to amend the Bank Secrecy Act regulations to require obliged entities “to submit reports, keep records, and verify the identity of customers in relation to transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (“legal tender digital assets” or “LTDA”) held in unhosted wallets, or held in wallets hosted in a jurisdiction identified by FinCEN.”
As per the Agenda, the rule should be finalized by September.
The crypto industry is evolving rapidly, and it can be difficult to keep track of emerging ML/TF trends and developing crypto AML regulations worldwide. Scorechain’s blockchain analytics and crypto compliance solution can help mitigate ML/TF risks and satisfy crypto AML requirements.
Scorechain is a Risk-AML software provider for cryptocurrencies and digital assets. As a leader in crypto compliance, the Luxembourgish company has helped over 200 customers in 45 countries since 2015, ranging from cryptocurrency businesses to financial institutions with crypto trading, custody branch, digital assets, customer onboarding, audit and law firms, and some LEAs.
The Scorechain solution supports Bitcoin analytics with Lightning Network detection, Ethereum analytics with all ERC20 tokens and stablecoins, Litecoin, Bitcoin Cash, Dash, XRP Ledger, Tezos, Tron with TRC10 and TRC20 tokens, and BSC with BEP20 tokens. The software can de-anonymize blockchain data and connect with sanction lists to provide risk scoring on digital assets, transactions, addresses, and entities. The risk assessment methodology applied by Scorechain has been verified and is fully customizable to fit all jurisdictions. In addition, 300+ risk-AML scenarios are provided to its customers with a wide range of risk indicators, so businesses under the scope of the crypto regulation can report suspicious activity to authorities with enhanced due diligence.