
Self-hosted Wallet Verification Methods: An Overview
With the increased adoption of the FATF’s Travel Rule, many jurisdictions have included self-hosted wallets in their Travel Rule implementations. [Self-hosted wallets are not provided (or hosted) by VASPs; instead, they can be mobile wallets like BlueWallet or Edge, or hardware wallets like Trezor and Ledger.]
The Travel Rule exists for financial auditors to follow a trail. With transactions between VASPs, this is a relatively easy problem to solve. VASPs are mandated to exchange PII data whenever a transaction occurs between them. This is harder when a customer withdraws digital assets from their VASP-hosted account to their own private wallet (self-hosted wallet).
In essence, the user orders the VASP to send funds to a certain wallet address. The VASP has no way of knowing to whom that address belongs, so it runs the risk of sending funds to a sanctioned individual.
VASPs can deploy several techniques to verify self-hosted wallet ownership and mitigate the risk of sending funds to an undesirable address. Here, we will explain the main methods, with their pros and cons.
It's important to keep in mind that one method does not exclude the others. A VASP can offer its users just one, several, or all methods.
Address Ownership Proof Protocol (AOPP)
21 Analytics developed AOPP as a solution to the issues presented to VASPs and their customers when using pre-existing wallet ownership proof methods.
AOPP is an automated variant of the ‘Manual Signing’ method, facilitating the wallet ownership proof process for both VASPs and their customers. It is free, and there are no mining fees like in a Satoshi Test, so the chances of address reuse are minimal to nonexistent. Moreover, it is tamperproof, making it a safer option than visual proofs.
Proving wallet ownership with the 21 Travel Rule software is efficient: Customers can prove ownership using the easy-to-use AOPP Portal. With just a few clicks, the proof is generated and submitted to their VASP within seconds, allowing the customer to continue transacting uninterrupted.
Currently, AOPP supports more than 400 wallets, including Trezor, Ledger, and MetaMask. Additionally, it supports six chains: Bitcoin, Ethereum, Binance Chain, Solana, TRON, and Polygon, covering over 2,400 digital assets.
To learn more about AOPP, read AOPP Explained.
Download the AOPP Portal Guide
Manual Signing
Manual signing is a more secure and less time-consuming wallet-proof method; however, it has a few downsides.
A VASP customer will be requested to sign a message issued by the VASP. The VASP customer then needs to copy the message and paste it into their wallet software. Only a few advanced wallets support message signing. Also, the wallet needs to give the wallet user control over which key is used to sign the message. Only the key associated with the withdrawal address is useful for this process.
While this method provides a cryptographically secure proof confirming that the wallet user controls the withdrawal address, the negative is that only a subset of wallets supports this method, and only advanced users know how to execute it. Education goes a long way, but that increases the burden on the VASP’s support team.
To learn more about Manual Signing, read Manual Signing Method Explained.
The Satoshi Test
The Satoshi Test is a popular method to prove wallet ownership; in fact, many jurisdictions have mandated that proof of ownership be obtained via a technical means, like a Satohi Test or other automated methods, like AOPP.
For a Satoshi Test to be successful, a VASP customer must send a small predefined amount from the withdrawal address to the VASP. If the customer can do that, it proves address ownership. While effective, many VASPs have noted that the Satoshi Test is time-consuming when not fully automated, as compliance teams need to review and respond to the proof manually.
21 Analytics considered these concerns and developed the Satoshi Test Portal, which automates the process for VASPs and provides a more straightforward user experience for customers.
Read: 21 Travel Rule and the Satoshi Test Portal
Some downsides to the Satoshi Test do still remain; customers are not reimbursed for the mining fees incurred in the transaction and depending on the network, this fee can be considerably high. For example, the Ethereum network routinely touches $10. Due to these costs, customers are strongly incentivised to reuse addresses. Additionally, sending from a specific address is not easy with UTXO-based cryptocurrencies, such as Bitcoin, and is often impossible with a wallet.
To learn more about the Satoshi Test, read the Satoshi Test Explained.
Visual Proofs: Screenshots and Video Clips
One of the simplest ways to ascertain self-hosted wallet ownership is via a visual proof. In this example, VASP customers take a screenshot or video of their wallet software displaying their withdrawal address and upload it.
From that point on, an employee of the VASP’s compliance team can inspect the visual proof and compare it with the desired withdrawal address. If the address shown in the visual proof matches the withdrawal address, the compliance team can green-light the withdrawal.
This approach has numerous issues. The most obvious one is that it requires manual work. That’s error-prone, expensive, and slow, which is bad for the compliance team and the customer's user experience.
Besides these downsides, there’s also a significant risk of fraud. Visual proofs can be easily manipulated without a lot of effort. This method also encourages address reuse because the VASP will likely try to avoid multiple inspections. Address reuse is bad for wallet users and the VASP's privacy.
There is one upside to this method: most customers can use it due to its simplicity and familiarity.
To learn more about Visual Proofs, read Visual Proof Explained.