Can VASPs Verify Ownership of Third-Party Self-hosted Wallets?
Jurisdictions that implement the Travel Rule mandate the identification and verification of transaction counterparties, which includes self-hosted wallets. Third-party self-hosted wallets create significant hurdles as the wallet owner is not a direct customer of the Virtual Asset Service Provider (VASP).
Below, this scenario and its challenges are discussed as they represent a common uncertainty for VASPs seeking regulatory compliance.
Issues with Third-Party Self-hosted Wallet Transactions
A crucial requirement of the Travel Rule concerns transactions involving self-hosted wallets, also known as private or non-custodial wallets. These are blockchain addresses controlled by the owner of the crypto funds themselves, not custodied by a VASP (e.g., a crypto exchange or broker). The law now demands the identification of the wallet owner, as well as the verification of their ownership over the wallet.
Identification means collecting information on the wallet owner, who is the beneficiary of a withdrawal or the originator of a deposit to the VASP. When this person is a customer of the VASP, they have likely already undergone know-your-customer (KYC), a due diligence process that VASPs usually perform when onboarding a new customer.
If this person hasn't been KYC’ed yet, they will likely do so because they have chosen the firm as their crypto provider. This may involve the VASP collecting information like the customer’s full name, address, date of birth, and similar identifying data.
Verification of the wallet ownership can be required in specific circumstances and be performed in different ways, depending on the local regulations. In Europe, for instance, VASPs only need to request it in transactions over EUR 1000. The European Banking Authority (EBA) allows for four methods. At 21 Analytics, we support all of them, and mostly recommend AOPP, which enables users to cryptographically sign a message to verify ownership.
However, when a third party owns the self-hosted wallet, for example, a friend of the VASP's customer, fulfilling the compliance steps is challenging, as the VASP has no direct relationship with the wallet owner. To understand some of the issues, we will illustrate these scenarios below.
Example 1: Depositing from a Third-Party Self-hosted Wallet to a VASP
In this scenario, funds are sent from a self-hosted wallet owned by a third party to a VASP. For example, John, the third party, sends funds from his self-hosted wallet to Jane’s VASP account, where she is a customer.
In order to be compliant, before crediting the deposited funds to Jane, Jane’s VASP would need to:
Collect John's Travel Rule information, which likely includes full name, date of birth, and/or residential address;
Verify John's identity;
Verify John's ownership over the self-hosted wallet that sent funds to Jane.
Example 2: Transfers from a VASP Account to a Self-hosted Wallet Owned by a Third Party
When funds are sent from a VASP-hosted account to a self-hosted wallet owned by a third party, the identification of the recipient is also required. To illustrate, this is the case when Jane sends funds from her VASP-hosted account to John’s self-hosted wallet. John does not have an account at Jane's VASP.
In order to be compliant, before executing the withdrawal of Jane's funds to John's wallet, the VASP would need to perform KYC procedures on John, assess the risk of engaging with him and verify his ownership over the self-hosted wallet that will receive the funds.
Issues with Verifying Third-party Wallets
These scenarios expose significant obstacles, mainly because the self-hosted wallet owner has no prior relationship with the VASP executing the transaction.
First, there is no incentive for the third party to go through a KYC process with a service provider they do not plan to use for their own transactions. This entails sharing Personally Identifiable Information (PII), which carries risks for the individual, a concern that weighs most with those more aware of cybersecurity.
In addition, the wallet owner would also have to share a proof of wallet ownership, a data point that ties the onboarded person's profile to their wallet address. This is an additional risk to the privacy of their financial activity, since the public blockchain allows historic transactions to be uncovered from an address. Hence, a cybercriminal who gains unauthorised access to this information can learn a lot about a person's blockchain transactions.
From the VASP's perspective, identifying and verifying the third party might also be undesirable, as the firm needs to dedicate resources to do so. This includes, for example, time spent by the compliance team and compliance checks in different sanctions systems. Usually, these are investments to cultivate a long-term relationship with a customer, and considering this is not the case with third-party self-hosted wallet transfers, the VASP may conclude this is not worthwhile for the business.
Finally, even if the VASP decides to engage with third parties, the firm may find it challenging to operationalise these compliance processes. How should it initiate communication with the wallet owner? In this unique case, the VASP will likely have to add some friction to collect this information from its customers and dedicate a channel of communication to people who are not onboarded. This may impact the business’ risk programmes, opening new scam and fraud opportunities.
How Can VASPs Enable Transactions to Third-party Wallets?
In practice, most Travel Rule-compliant VASPs limit interaction only to self-hosted wallets of their customers, which can be easily enforced with appropriate Travel Rule solutions and dedicated technology for self-hosted wallet verification, like 21 Travel Rule's AOPP.
In withdrawals, the customer would receive the transaction from the VASP in their own self-hosted wallet, from which they can freely send the funds wherever they would like, including to a third-party self-hosted wallet.
In the case of deposits, the same logic applies: the third party first transfers to the self-hosted wallet owned by the person with a VASP account, and this person then sends it to the VASP.
Although this may add an extra step, it represents less friction and saves time and resources for every party involved: users and the VASP. It also reflects a similar approach in traditional finance, where only customers of a bank can withdraw money from their accounts. With cash on hand, they can then distribute it privately to whoever they would like. Just like cash, self-hosted wallets are not entities under AML supervision and enable their users to transact permissionlessly.