Most countries are late to implement regulations based on the initial Travel Rule guidance, but some nations have already been putting updated regulations in place in response to the most recent FATF guidance released in March 2021. One of the most relevant consequences is the requirement for non-custodial address ownership proof. What does this mean? Let’s look at what it solves and why it is a crucial factor in cryptocurrency compliance.
The Main Cause: The Sunrise Issue
As some countries require the exchange of beneficiary and originator information between Virtual Asset Service Providers (VASPs), VASPs in those Travel Rule regulated jurisdictions found themselves unable to operate international transactions compliantly. Since their counterparties are not yet obliged to do the same, there simply is no way to have all the data needed. This is what some in the Travel Rule ecosystem call the “Sunrise Issue”: as the sun rises at different times in different countries, the FATF Travel Rule will be live in some jurisdictions before others, which can prevent the early adopters from, in fact, adopting it.
This, undoubtedly, led to changes in the operations of VASPs in FATF Travel Rule regulated countries. In Switzerland, for instance, a country where the Travel Rule sun rose early as requested by the Swiss Financial Market Supervisory Authority (FINMA), VASPs decided to discontinue most international transfers, as it was not possible to guarantee the correct information would be sent by their counterparty VASPs.
Therefore, since the sunrise issue became clearer, those companies began to only allow incoming and outgoing transactions involving other Swiss VASPs or, most commonly, non-custodial wallets (also known as unhosted or private wallets). Their customers use non-custodial wallets as a workaround when needing to transfer cryptocurrency from Switzerland to other VASPs based in other countries, as this was the only option left.
Illustration of the Non-Custodial Wallets Usage as an Alternative to VASP-to-VASP Transfers from FATF Travel Rule Regulated Countries to Non-regulated Ones
However, to achieve the traceability the Travel Rule aims for, VASPs are also expected to know and verify information about the owner of such non-custodial wallets; otherwise, companies must not perform transactions. Following FINMA’s requirements, VASPs can only send or receive transactions from or to non-custodial wallets if the owners of such wallets are their clients withdrawing virtual assets, which is also the case for other countries’ implementations of the Travel Rule, such as Singapore and Germany.
Now, this is a brand new challenge for all companies in the space, maybe an even bigger one than the FATF Travel Rule, and VASPs have been creating workflows to perform the diligence regulators demand.
Methods for Proving Non-custodial Wallet Ownership
1 - The Screenshot Method
The most basic method, and the one most susceptible to fraud, is the wallet screenshot. As the name suggests, the owner of the wallet manually sends the VASP, usually via email, an image of their wallet containing the address to which the customer wants to send the virtual assets. This is by far the approach with the most room for improvement. First, an image of the screen showing the wallet can be easily tampered with. Second, this method imposes a challenging experience on the user and requires manual labour, since a staff member needs to verify each image; given the different kinds of unhosted wallets in existence, it cannot be automated.
2 - The Satoshi Test
Another common practice is the so-called Satoshi test. This is a small transfer of a digital asset from the unhosted wallet to the VASP within a limited time frame. The method has several drawbacks. Actual money is transferred, which is undesirable from a customer perspective and an accounting perspective. It is also slow in general and confirmation times are unpredictable, interrupting the flow of the user.
3 - The Message Signing
The third technique to implement wallet verification relies on the basic technical capabilities of any cryptocurrency. After the customer tells their VASP which address should be verified, the VASP sends a message containing a unique piece of text, which commonly includes the customer's information and their claim of ownership. The customer must then sign this message with the same private key that underpins the address, thus attesting control of the address.
This method allows automation and is less time-consuming. However, most crypto users will have difficulty performing it, as only specific wallets offer message signing and it requires a deeper understanding of how cryptocurrencies work.
Address Ownership Proof Protocol further builds upon this concept, automating the verification and adding substantial improvements to data protection and user experience.
How Does the Address Ownership Proof Protocol (AOPP) Work?
The protocol creates a single-click experience, making it the easier, faster and more secure way to prove non-custodial wallet ownership to VASPs.
With AOPP, a VASP can provide their customers with a link (or QR-code for mobile) that will immediately send an ownership proof message to their non-custodial wallets of preference. Then, the user can easily access their wallet and sign the message, which will be sent back to the VASP automatically, allowing the withdrawal to follow as desired. You can see it in action with Bitbox’s implementation of AOPP below:
Advantages of AOPP
One of the main challenges VASPs face when implementing any extra compliance step is how to keep the user experience as simple as possible. The alternatives discussed earlier fail at that, while AOPP allows a self-service interaction, saving the user and the compliance team’s time and money.
Unlike the message signing method, AOPP connects the VASP to the wallet in the background without having the user copy and paste the address, which reduces the risk of man-in-the-middle (MITM) attacks.
An Automated Future
Being easy to implement in non-custodial wallets, AOPP has been gaining popularity and becoming available to more cryptocurrency users since the beginning of 2021 (you can check which ones it supports here). This adoption enables VASPs to offer a better experience to their clients while building efficient and user-friendly compliance processes that do not hurt their profitability.
AOPP was spearheaded by 21 Analytics, as we are always focusing on the new challenges our clients face to help improve their crypto service offerings. If you are interested in optimizing your company’s wallet ownership proof tactics, reach out to us here and see it in action.