AOPP: The Safer Alternative to Visual Proofs
Self-hosted wallet verification is a must in nearly every jurisdiction that has implemented the Travel Rule. There are 3 main methods to prove ownership: visual proofs like screenshots and videos, wallet signature methods like AOPP and manual signing, and lastly, a Satoshi Test. Each method has its pros and cons regarding VASP and customer user experiences and the reliability of the method.
Regarding user experience, visual proofs are by far the easiest method for wallet users due to the familiarity of the process. However, when viewing it from a VASP’s perspective, time is wasted, and there is an added risk of human error due to the manual review element of the customer’s proof. Moreover, some jurisdictions have started disallowing this method because the proofs can be easily tampered with.
Below, visual proofs will be explained and compared with AOPP - an automated wallet signing method- along with regulations that prefer a technical means like AOPP when proving wallet ownership.
Visual Proofs and AOPP Compared
What Is a Visual Proof?
A visual proof can be a screenshot or a video showing the address the wallet owner intends to use for sending or receiving digital assets (within their wallet software). After a wallet owner records their proof, it is uploaded and reviewed by their VASP’s compliance team to complete the verification process.
The Pros and Cons of Visual Proofs Explained
As mentioned, visual proofs are the easiest and most familiar method available to VASP customers. Moreover, this process works with every wallet type. Despite these benefits, this self-hosed wallet verification process has more negatives than positives.
These proofs require time. Once submitted by the wallet owner, VASP compliance teams need to manually review the visual proof to ensure it matches the desired wallet address. Unfortunately, this aspect cannot be automated due to the vast variety of wallets available.
This manual review is not only error-prone due to the human element involved but also affects the transaction time. A transaction that could have been processed in seconds now becomes a timely affair, resulting in a negative user experience. As a solution, VASPs may encourage customers to reuse their wallet addresses to speed up the process.
From a safety perspective, address reuse is a bad practice for the VASP and customers’ privacy. Additionally, these proofs are unreliable as they can be easily edited, especially with the swift adoption of AI chatbots.
What is AOPP?
Address Ownership Proof Protocol (AOPP) is a 100% automated variant of the “manual signing” method. Wallet owners prove ownership via a link provided by their VASP* in the AOPP Portal. After the wallet owner completes the verification process, the proof is automatically uploaded, and because no review action is required from the VASP compliance team, the customer will be ready to transact, all within seconds.
The Pros and Cons of AOPP Explained
AOPP offers a great user experience for customers and VASPs. It is also more secure than visual proofs as it is a cryptographic signature. As the process is completely automated no manual review element is required. This results in a speedy transaction process for the VASP customer, zero risk of human error, and no address reuse.
From a VASP’s perspective, this method is a perfect combination of trust, as the proof cannot be tampered with, and time is saved as there is no review component. For customers, it can still be described as a familiar process - they are merely clicking on a link to prove wallet ownership. Moreover, it is fast, with wallet ownership being proved in seconds.
AOPP does have a downside. While over 400 wallets are supported, including Trezor, Ledger, MetaMask, and BitBox, lesser-known wallets may not yet support it.
*The link provided by the VASP is an automated feature. After the customer initiates their transaction, the link to the AOPP Portal is sent to them automatically. No manual sending is required from the VASP.
Download the AOPP Portal Guide
Examples of Regulations in Favour of AOPP over Visual Proofs
Many Travel Rule regulations that include self-hosted wallets in their scope demand a technical means to prove wallet ownership.
Switzerland
FINMA Guidance 02/2019 states the following for payments on the blockchain:
“A transfer from or to an external wallet belonging to a third party is only possible if, as for a client relationship, the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner and proven the third party's ownership of the external wallet using suitable technical means."
"If the customer is conducting an exchange (fiat-to-virtual currency, virtual-to-fiat currency, or virtual-to-virtual currency) and an external wallet is involved in the transaction, the customer’s ownership of the self-hosted wallet must also be proven using suitable technical means."
Per the VQF (Article 14, Paragraph 1) Regulations:
“Payment transactions to and from external wallets are only permitted where the wallets are owned by a member's own customer. The customer's authority over the external wallet must be verified using suitable technical measures. Transactions between customers of the same member are permitted.”
In other words, if a transaction occurs between a Swiss-regulated entity and a self-hosted wallet, the wallet owner must provide wallet proof, which must be proved via technical means.
Read more about self–hosted wallets per the Swiss Travel Rule.
The United Kingdom
If a transfer involving a self-hosted wallet is deemed high-risk, self-hosted wallet verification is required. These verifications must be acquired via technical means with Satoshi Tests and cryptographic signatures, like AOPP being cited.
Read more about self–hosted wallets per the UK Travel Rule.
Liechtenstein
Per the TVTG, VASPs must apply EDD practices when transacting with self-hosted wallets. As part of the required EDD, VASPs need to assign the wallet to the owner via proof of ownership.
Like the UK, Liechtenstein cites the Satoshi Test and cryptographic signatures (AOPP) as its preferred method to prove wallet ownership.
FMA Instruction 2021/18 Obligations When Carrying Out TT Transfers. Section 7
Read more about self–hosted wallets per the Liechtenstein Travel Rule.
Hong Kong
When a transaction involves a VASP and a self-hosted wallet, and a higher ML/TF risk is presented, VASPs must confirm a customer’s control over the self-hosted wallet. According to 12.10.6, VASPs must use appropriate confirmation methods, such as Satoshi Tests and message signing, like AOPP.
"[...] by taking appropriate measures for example: using appropriate methods and [...] Examples of confirmation methods may include requesting the customer to perform a micropayment test of message signing test [...]"
Read more about self–hosted wallets per the Hong Kong Travel Rule.
Are you looking for a Travel Rule solution that supports self-hosted wallets? 21 Travel Rule supports over 400 different wallets and 2400+ digital assets.
Find out how to implement 21 Travel Rule and streamline your self-hosted wallet compliance journey.
Learn Everything about Self-hosted Wallets
