Transacting with Self-hosted Wallets as a VASP: Questions & Answers
Today, 21 Analytics held an online session with cryptocurrency regulatory experts to discuss requirements for CASPs in Europe when transacting with self-hosted (unhosted) wallets.
This is a timely matter since the Transfer of Funds Regulation, which implements the Travel Rule in Europe, has just been approved and will be transposed into law in the upcoming months. The recording of the event is available on YouTube.
With so many insights shared on what changed and how to comply with the latest regulations, there was little time to cover the questions from the audience. So we compiled every question from the attendees in this blog post, since they may also be the concerns of many others in the crypto ecosystem.
This is not legal advice. Let's go through them:
Why were P2P transfers (via non-custodial wallets) excluded from the legislation? Is it going to change in the near future?
A: This was also asked at our previous event on the Travel Rule in the EU. According to Jannes De Jong, Head of Unit at the European Parliament, there are basically two main reasons why they were excluded. First, there is currently no way to control or regulate P2P. Any directly applicable rules would not be enforceable since self-hosted wallet addresses are owned and controlled by users, not licensed financial institutions. Second, a self-hosted wallet can, in some regard, be considered equivalent to a physical purse: when the owner gives cash from it to another person, there are no directly applicable regulations covering that flow of funds, and the government may never know.
Regulation already includes stricter AML/CTF checks and requirements. If the idea behind the regulation is to reduce money laundering and terrorism financing cases, why do we oblige CASPs to collect huge amounts of data that is potentially vulnerable to external breach?
A: According to Valeria Cusseddu, Policy Adviser at the European Parliament, those AML/CFT checks already require the collection of data about clients. The data should be kept for five years and then deleted. CASPs will need to comply with the cybersecurity requirements introduced with the Digital Operational Resilience Act (DORA) regulation, which should be formally adopted by November 2022.
The recently proposed update on the Transfers of Funds Regulation (TFR) defined self-hosted address to mean "a distributed ledger address not linked to either of the following: a) crypto-asset service provider; b) an entity not established in the EU and providing similar services."
Does this mean that a licensed/unlicensed CASP established in a third country would be deemed a 'self-hosted address' and thus restricted to verified first-party transfers only?
A: No. Valeria Cusseddu explains that the definition means that a wallet not linked with a provider of services in crypto-assets, either established in the EU (CASP) or outside the EU, is a "self-hosted address". If there is a link with a non-EU licensed or unlicensed VASP, this means that the address is not a self-hosted address and the counterparty enhanced due diligence should apply.
The reason for the different approach is this: in the case of first-party transfers, verification/proof of ownership is performed in the context of a client relationship, whereas in the case of third-party transfers, verification/proof of ownership would require the CASP to onboard the self-hosted wallet owner as a client, because there cannot be verification outside a client relationship.
Regarding the requirement of self-hosted wallet verification in cases over EUR 1000: is this per transaction, per day, per year, per address, or per user?
A: The threshold for self-hosted wallet verification is per transfer, as stated in the regulatory text. However, it is important to note that it also applies if a transfer below EUR 1000 appears to be linked to other transfers of funds which together would exceed EUR 1000.
When it comes to self-hosted wallets, the location of the user is widely unknown. Is there a way or software to check user locations to help CASPs comply with the sanctions?
A: While there may be information on the risk of self-hosted wallet addresses via blockchain analytics, we do not believe there are ways to check the geographical location of their users. However, these could be identified through Know-Your-Customer (KYC) processes during the onboarding of clients.
What happens if a transfer from a CASP to a Self-Hosted Wallet is not to the CASP's customer's self-hosted wallet but to a third-party, and the CASP is not able to get enough information from the user?
A: There are two situations. In the case of a transfer from a CASP's client (originator) to a third-party self-hosted wallet, the CASP cannot execute the transfer unless it is able to collect the complete required information (full name and DLT address). In the case of a transfer received by the CASP's client (beneficiary) from a third-party self-hosted wallet, if information is missing or incomplete, the CASP of the beneficiary should decide on a risk basis whether to execute or block the transfer.
The CASP should also take into account missing or incomplete information, as well as potentially inaccurate information, when assessing whether the transfer should be reported as suspicious to the FIU in accordance with AMLD5.
What is the treatment for the Travel Rule for a licensed/unlicensed CASP established in a third country outside the EU? Does an unlicensed/licensed CASP fall under the definition of 'self-hosted address' of the recently proposed update to the Transfer of Funds Regulation, and is it thereby restricted to verified first-party transfers only?
A: Valeria Cusseddu also explains how business relationships between CASPs should be handled: the amended AMLD5 introduces specific requirements to conduct due diligence on the non-EU counterparties for the purpose of establishing a business relationship. So the CASP will need to make an assessment of the non-EU entity, including whether it is a registered entity or not, and if it applies AML minimum standards.
Is performing ownership proof through AOPP more or less difficult if the user does not have MetaMask or a browser-based wallet?
A: Proving ownership of your address with AOPP is extremely straightforward and usually takes less than a minute to complete, regardless of whether the wallet is hardware-based or software-only, and whether it is browser-based or not. Learn more.
Is AOPP a protocol to verify self-hosted wallets that is integrated into a transaction monitoring system like Chainalysis and an onboarding system?
A: AOPP is a protocol that allows CASPs to verify the ownership of self-hosted wallets. It solves a different problem than Chainalysis or any other blockchain analytics software.
Could you clarify the approach to the verification of self-hosted wallets with regard to third-party versus first-party transfers?
A: CASPs should identify if the self-hosted wallet involved in a transfer is owned by their own client (first party) or by someone not onboarded by the CASP (third party). If the transfer involves its own customer and exceeds EUR 1000, the CASP must verify that said person has ownership of or controls the address. The reason for the different approach is this: in the case of first-party transfers, verification/proof of ownership is performed in the context of a client relationship, whereas in the case of third-party transfers, verification/proof of ownership would require the CASP to onboard the self-hosted wallet owner as a client, because there cannot be verification outside a client relationship. It was considered that the challenges of verifying third-party self-hosted wallets would lead to a de facto ban on third-party transfers and a loss of traceability, which runs against the logic of the regulation. In the future, however, technology may offer the possibility to rely on third-party identifiers to ensure the information is verified at some point in the chain.
Is there no diligence required on self-hosted wallets for transactions under EUR 1000? How can you identify risk without verifying every client?
A: According to Valeria, the due diligence obligations apply without any threshold, also below EUR 1000. This means every client will always need to be verified, but there is no requirement for the CASP to also "onboard" every self-hosted wallet as a "client". Only self-hosted wallets held by clients can be verified in the context of a customer-business relationship. The third-party wallets are treated like counterparties.
What are the parameters and the identification tools or measures to identify and conduct due diligence on the self-hosted wallets?
A: The European Banking Authority (EBA) will develop guidance on the criteria and means for verification of self-hosted wallets. This is mentioned in the updated text of the regulation, and was also brought up by Valeria Cusseddu during her presentation.
Is BTC supported by AOPP?
A: Yes, all crypto assets can be supported by AOPP. Read more about AOPP.
How can AOPP be integrated into Chainalysis?
A: AOPP is a standard from 21 Analytics. Learn more here.
The biggest benefit of this event - and so many others we plan on hosting - is to share knowledge openly and to bring regulators and the industry together to tackle the biggest challenges the crypto ecosystem is facing.
You can find an easy guide to navigate the Transfer of Funds Regulation here.
If there is any other point that you would like to see answered, don’t hesitate to contact us.