Since the Travel Rule was first applied to cryptocurrency by FinCEN back in 2019, and with FATF following by announcing its own related regulatory recommendations, unhosted wallets (also known as self-hosted or non-custodial wallets) have been one of the main targets for tighter scrutiny.
In October 2021, FATF finally released its Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. This updated guidance expands upon FATF’s initial 2019 guidance, including recommendations on peer-to-peer transactions – that is to say, cryptocurrency transactions that do not involve a VASP or other obliged entity – most of which are cryptocurrency transactions between two unhosted wallets. FATF clarifies that while the standards do not apply to transactions between unhosted wallets, the task force believes these types of transactions pose specific ML/TF risks and that countries should seek to understand and mitigate these risks. In addition, FATF clarified that, under certain circumstances, transactions involving unhosted wallets fall under the scope of the Travel Rule.
VASPs face numerous implementation challenges due to the difference in requirements across jurisdictions. For instance, in the EU, UK and Gibraltar, VASPs are required to collect the unhosted wallet’s information from their client. In Singapore and Germany, VASPs need to verify the identity of the unhosted wallet owner. In Liechtenstein, VASPs are required to perform enhanced due diligence, while in Switzerland, they need to verify identity as well as proof of ownership.
Many in the cryptocurrency community have expressed concerns about these measurements, stating that since the blockchain is already a public network, sharing personal information behind an unhosted wallet will reveal the complete transaction history of that client, surpassing much more the amount of information that Travel Rule collects from traditional financial institutions.
But still, VASPs must integrate solutions and develop processes that will allow them to comply with the FATF’s recommendations. This blog covers FATF’s expectations for VASPs when interacting with unhosted wallets, as well as key unhosted wallet usage trends that can facilitate VASPs’ risk analysis.
What are VASPs expected to do when transacting with non-obligated entities (such as unhosted wallets)?
1. Obtain the originator and beneficiary information from the VASP’s customer when sending or receiving a virtual asset transfer to an unhosted wallet because there is not another VASP from which to obtain the information. (¶ 295)
Since there is no other VASP from which to obtain the information when transacting with unhosted wallets, VASPs will need to collect the information from both sides of the transaction. It is important to mention that this recommendation may only apply to transactions above $1,000 USD/EUR, but this might vary depending on how different jurisdictions implement it.
In order to be compliant, VASPs need to collect all the necessary Travel Rule information (names, account numbers or wallet addresses, addresses or IDs, DOBs, POBs, etc.) without compromising user experience. Blockchain analysis solutions – like Chainalysis KYT – allow VASPs to automatically identify Travel Rule transactions to ensure frictionless data collection. In combination with solutions like Notabene, VASPs can collect the necessary data in a user friendly way, as well as automatically detect the requirements and threshold for which the transaction is subjected to based on jurisdiction.
2. Enforce AML/CTF obligations (e.g. transaction monitoring, sanction screening). (¶ 295 & 296)
Travel Rule guidance applies only above certain thresholds, which vary depending on the jurisdiction. However, VASPs are also required to perform Know Your Customer (KYC), or customer due diligence, checks and implement transaction monitoring, regardless of whether their customer’s transactions meet the Travel Rule requirements. Tools like Notabene can help compliance teams to efficiently implement the data collection and verification process about the owner of an unhosted wallet.
Integrating a Travel Rule solution with an automated transaction monitoring tool allows VASPs to immediately identify which transactions meet the Travel Rule threshold. In addition, it helps compliance teams to automatically detect if transactions are related to a potential high risk activity and take action when historical transactions become risky in the light of new regulatory information through continuous monitoring.
Implementing the right solution will enable compliance teams to adapt more efficiently to the ongoing industry changes. If a solution is flagging a high number of false positives, analysts will have to allocate time to investigating non-critical alerts, and even worse, having the wrong data could lead them to arrive at incorrect conclusions.
3. Additional risk mitigation options when interacting with unhosted wallets. (¶ 297)
FATF’s guidance considers transactions with unhosted wallets to be potentially higher risk and provides VASPs with options to treat them as such. This can range from imposing additional limitations and controls, to even avoiding interacting with unhosted wallets altogether. FATF advises VASPs to observe patterns of conduct, evaluate local and regional risk, review information and bulletins put out by regulators and law enforcement, etc., in order to form their own risk analysis and determine the risk level posed by interacting with unhosted wallets.
Although optional, this additional recommendation is also highly concerning for the continuity of the industry adoption. Unhosted wallets play a key role in the cryptocurrency ecosystem and they are often used for legitimate use cases – individuals as well as exchanges use them to securely move funds and hold long term investments.
Blockchain analysis tools can provide VASPs with the appropriate data regarding unhosted wallets to conduct their risk assessment, mitigate risks and back their decision in front of the regulators.
What the data says about unhosted wallets
In December 2020, when the Treasury’s 72-page NPRM for transactions with unhosted wallets and certain foreign jurisdictions came out, Chainalysis analyzed the data on cryptocurrency transactions involving unhosted wallets.
The data shows that the majority of the funds held in unhosted wallets often come from VASPs and are related to investing purposes or are the vehicle for individuals or organizations to move funds between regulated exchanges.
It is important to mention that the 2021 data didn’t vary significantly in comparison to the 2020 analysis. There are still three trends related to the usage of unhosted wallets.
1. The vast majority of the bitcoin funds transferred to unhosted wallets came from VASPs
During Q3 of 2021, almost 83% of the bitcoin sent from an unhosted wallet to another unhosted wallet originated from cryptocurrency exchanges, and only 2% came from illicit services. This means that in the vast majority of cases law enforcement can investigate illicit activity related to unhosted wallets by working with cryptocurrency exchanges, which are obligated entities, and obtain KYC information from them through legal process.
2. The majority of bitcoin sent to non-VASPs are eventually sent to a VASP
A high number of the transfers sent and received by unhosted wallets have VASPs on the other side of the transaction. If cryptocurrency is being used for illicit purposes, eventually criminals will need to cash their illicit proceeds out. This means going through a cryptocurrency exchange (we can see this behavior reflected in our data). As long as they are in a country that regulates cryptocurrency exchanges – and this list is growing – exchanges will collect KYC information. Access to this information is vital to financial crime investigations.
During Q3 2021, the percentage of funds that were not sent to an exchange service decreased from 29% to 18% in comparison with Q2 2020. While the percentage of funds sent to exchanges increased from 62% to 71%. This means that crypto holders moved the funds they were holding inside unhosted wallets to an exchange, maybe to take out some profits due to the crypto bull market we experienced this year.
3. The transaction activity levels among unhosted wallets highly suggests that their primary use is for investment
After funds are deposited to an unhosted wallet from an exchange, the percentage of bitcoin moved to another unhosted wallet in a given month is significantly low. The majority of the bitcoin stays in the original wallet for a long period of time. On average, the funds originated from a VASP to unhosted wallets move only once a month, which likely indicates that the primary use case is investment.
Chainalysis’ robust blockchain dataset provides key insights into the role of unhosted wallets in the cryptocurrency ecosystem. If the main purpose of these regulatory requirements is to decrease illicit transactions and avoid money laundering, targeting unhosted wallets may not accomplish the intended objective.
What our blockchain analysis data makes clear is that unhosted wallets are not inherently risky and unhosted wallets do not inhibit law enforcement’s ability to investigate the illicit use of cryptocurrency. Blockchain analytics can inform risk analysis and compliance programs so that risks can be mitigated responsibly and effectively by compliance teams.
Travel Rule guidelines have already been released by the regulators and VASPs have a deadline to build compliance programs to comply with it. We know this process can be overwhelming, but luckily, there are many available solutions to facilitate this process for VASPs, and there will likely be many more as the cryptocurrency industry continues to overlap with the traditional financial system.
Chainalysis and Notabene have created an integrated solution that helps VASPs save time and money while looking to meet the complete Travel Rule requirements and build their own risk assessment on unhosted wallets.
Our integration covers a variety of compliance needs that can simplify the technical and operation integration process. Notabene’s end-to-end Travel Rule solution provides counterparty wallet identification tools, a VASP due-diligence directory, and a secure dashboard to help financial institutions manage counterparty risks without hindering user experience. In conjunction with Chainalysis, VASPs can immediately identify counterparties’ wallet types, get automatic transaction alerts on risky activity and perform continuous monitoring, all in one place.
Choosing the right partners can save compliance teams time, resources, and protect the company from additional regulatory scrutiny or even fines.