Regulatory Frameworks that Include Self-hosted Wallets
Nearly every jurisdiction that has implemented the Travel Rule includes self-hosted wallets within its scope. In the blog below, we list various jurisdictions that include self-hosted wallets in their frameworks, along with the references, and list the regions that don’t regulate self-hosted wallets, followed by a summary in a table format. We also explain why 21 Travel Rule is the ultimate solution for self-hosted wallets.
FATF Recommendation 16 (The Travel Rule)
For compliance purposes, VASPs must adhere to country-specific rules when transacting with self-hosted wallets as part of their AML efforts.
FATF Recommendation 16 stipulates that VASPs must still identify the owner of the self-hosted wallet if at least one obliged entity is involved in the transaction. Depending on local regulations, collecting this information may be sufficient, while in other cases, VASPs must verify the ownership of the self-hosted wallet.
Jurisdictions that Include Self-hosted Wallets in Their Regulatory Frameworks
Switzerland
FINMA, the Swiss authority responsible for financial regulation, was one of the first regulators to issue its guidance on the application of the Travel Rule to VASPs in August 2019, with a strict interpretation of the Recommendations.
FINMA Guidance 02/2019 states the following for payments on the blockchain:
“A transfer from or to an external wallet belonging to a third party is only possible if, as for a client relationship, the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner and proven the third party's ownership of the external wallet using suitable technical means."
"If the customer is conducting an exchange (fiat-to-virtual currency, virtual-to-fiat currency, or virtual-to-virtual currency) and an external wallet is involved in the transaction, the customer’s ownership of the self-hosted wallet must also be proven using suitable technical means."
This regulation means that any transaction involving a Swiss-regulated entity (e.g. VASP or a bank) and a non-regulated entity (e.g. a self-hosted wallet) will demand at least an ownership proof of the wallet.
VASPs that fall directly under FINMA’s supervision - such as banks - and members of a self-regulatory organisation (SRO) have to follow the regulation. This is especially relevant considering that most Swiss VASPs are members of an SRO, notably the Financial Services Standards Association (VQF).
Per the VQF (Article 14, Paragraph 1) Regulations:
“Payment transactions to and from external wallets are only permitted where the wallets are owned by a member's own customer. The customer's authority over the external wallet must be verified using suitable technical measures. Transactions between customers of the same member are permitted.”
The European Union
The Transfer of Funds Regulation (TFR) is the European Union's implementation of the Travel Rule. Crypto asset transfers in Europe must include information on the originator and beneficiary. This information must be obtained, held, and shared with the crypto asset transfer counterparty and made available to competent authorities upon request.
Transfers involving CASPs and non-obliged entities (like self-hosted wallets) are also covered by the Regulation, which has specific requirements. For transfers between CASPs and self-hosted wallets, CASPs must ensure the transfer can be individually identified. This means CASPs need to collect the required Travel Rule information (name, physical address, and official personal document number).
Although these data points might already have been collected when the customer is onboarded, CASPs must guarantee that each transfer's originator and beneficiary can be individually identified.
The TFR Section 1, Article 14, Paragraph 5 states:
"In the case of a transfer of crypto-assets made to a self-hosted address, the crypto-asset service provider of the originator shall obtain and hold the information referred to in paragraphs 1 and 2 and shall ensure that the transfer of crypto-assets can be individually identified."
In transfers over EUR 1000, CASPs should verify whether the self-hosted address is effectively owned (or controlled) by their client.
[REGULATION (EU) 2023/1113 (38)(39)]
The United Kingdom
In the UK, Cryptoasset businesses are to first apply a risk-based approach and assess the risks the wallet address could pose according to Money Laundering, Terrorist Financing and Proliferate Financing standards, then request the Travel Rule data. If the transfer is deemed high-risk, self-wallet verification is required, with the FCA specifically citing micro-deposits (Satoshi Tests) and cryptographic signatures.
Moreover, additional originator Travel Rule data may be requested with transactions over EUR 1000 based on a risk analysis. This data can include the customer identification number, address, birth certificate number, passport number, national identity card number, or date and place of birth.
Germany
Transactions with self-hosted wallets fall under Germany’s implementation of the Travel Rule if an obliged entity is involved in the transfer of virtual assets. Therefore, peer-to-peer transfers are excluded.
Obliged entities must assess and determine the transfer's AML/CFT risks using risk-appropriate measures that ensure traceability. According to Section 4 KryptoWTransferV, collecting, storing, and checking the wallet’s owner's name and address is risk-appropriate. Therefore, proof of ownership must be carried out.
However, this is poised to change by 30 December 2024 when Germany becomes aligned with the European Union's Travel Rule (Transfer of Funds Regulation).
Liechtenstein
Per the TVTG, TT service providers (VASPs) must apply enhanced due diligence practices when transacting with self-hosted wallets. This includes clearly assigning the wallet to the beneficiary via proof of ownership, which can be performed by a Satoshi Test or cryptographic signature.
FMA Instruction 2021/18 Obligations When Carrying Out TT Transfers. Section 7
Singapore
When dealing with self-hosted wallets, VASPs should collect information on both the beneficiary and the originator and be prepared to provide this information to authorities upon request.
Additionally, they must apply enhanced due diligence for transactions involving self-hosted wallets. This includes determining the purpose of the transaction, conducting customer due diligence on the beneficiary and its beneficial owner, performing additional checks to manage the risk of impersonation (such as verifying ownership of the wallet), and enhancing the monitoring of customer accounts.
Hong Kong
Section 12.14 of the Guideline on Anti-Money Laundering and Counter-Financing of Terrorism (For Licensed Corporations and SFC-licensed Virtual Asset Service Providers) stipulates that self-hosted wallets are covered by Hong Kong’s Travel Rule.
The Securities and Futures Commission (SFC) mandates that customer data be collected for transfers to/from self-hosted wallets (12.14.2). Moreover, VASPs should assess the level of risk associated with the transfer and implement appropriate risk-mitigating measures. In the event of suspected risk, the financial institution (VASP) must ascertain wallet ownership via a confirmation method, such as a Satoshi Test (12.14.3).
| Jurisdiction | Supporting Regulation |
|---|---|
| Switzerland | www.finma.ch/en/news/2019/08/20190826-mm-kryptogwg/ |
| The European Union | eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1113&qid=1719601183244 |
| The United Kingdom | www.legislation.gov.uk/uksi/2017/692/contents |
| Germany | www.recht.bund.de/bgbl/1/2023/135/VO |
| Liechtenstein | www.fma-li.li/files/list/fma-instruction-2021-18-obligations-when-carrying-out-tt-transfers.pdf |
| Singapore | www.mas.gov.sg/-/media/mas-media-library/regulation/guidelines/amld/guidelines-to-notice-psn02-on-aml-and-cft---dpt/guidelines-to-psn02-dated-2-april-2024.pdf |
| Hong Kong | www.sfc.hk/-/media/EN/files/LSD/Gazette/GN-3120-of-2023.pdf?rev=b3655bfe799a41a5987981a2f55706a9 |
Jurisdictions that Exclude Self-hosted Wallets in Their Regulatory Frameworks
As it stands, Bermuda, Canada, the United States, and South Korea do not include self-hosted wallets in their regulatory frameworks.
21 Travel Rule: The Solution for Transfers with Self-hosted Wallets
It’s crucial to have a reliable and user-friendly method for customers to provide ownership proofs. Without an ownership-proof solution and relying only on their customer's self-declaration, VASPs risk transferring to other VASPs unknowingly. Effectively, is a breach of the Travel Rule.
Reduce risks; don’t rely on incomplete data from blockchain analytics; use a wallet verification method to ascertain address ownership with 100% accuracy.
21 Travel Rule boasts 4 wallet verification methods. While you may not need to leverage all 4 options, you can select the method you are most comfortable with, or that benefits your team and customers the most.
21 Travel Rule supports over 400 different self-hosted wallets and more than 2400 tokens, so you are guaranteed to find a fit for your business.
To find out more about our self-hosted wallet offering, reach out to us. If you are unsure where to get started on your compliance journey, reach out to us. And if you want to chat about Travel Rule solutions, we are here for that, too.
