Close Menu
    Search supported by
    FATF Travel Rule Regulations and Guidelines for VASPs unhosted wallets

    Unhosted wallets: regulations crypto exchanges and banks should know

    By on Legal & Compliance

    So-called unhosted wallets have increasingly fallen under regulatory scrutiny as their permissionless nature allows for financial transactions without regulated intermediaries. An overview of the most important guidelines for crypto service providers in Switzerland and the EU as it relates to the FATF’s Travel Rule.

    Unhosted wallets fall under the scope of the Financial Action Task Force’s (FATF’s) Recommendation 16 (Travel Rule). Switzerland and the European Union (EU) have both adopted the Travel Rule with a few additions to this recommendation. These are just 2 examples; across the world, copious jurisdictions are casting their sights on unhosted wallets in an attempt to safeguard wallet users against money laundering and terrorism financing.

    Below we will provide a summary of the FATF’s Travel Rule as well as Switzerland and the EU’s implementations thereof. These summaries intend to capture the essence of the regulations and are at no time legal advice. Before diving in, below are 2 essential terms you will come across throughout the text.

    What are unhosted wallets and VASPs?

    An unhosted wallet also referred to as a self-hosted wallet, is used to store cryptocurrencies. With unhosted wallets, the wallet owner has direct access to the wallet’s private key, which is needed to conduct transactions.

    A virtual asset service provider (VASP) - referred to as crypto asset service providers (CASPs) in the EU - is an entity or person that operates for or on behalf of another person. Examples of these activities include, but are not limited to, the safekeeping of virtual assets and the transfer and exchange between various virtual assets. Banks dealing with crypto and crypto exchanges are VASPs.

    The EU’s Transfer of Funds Regulation (TFR) makes use of self-hosted wallet in place of unhosted wallet and crypto asset service provider (CASP) in place of virtual asset service provider (VASP). Unhosted wallet and VASP have been used for consistency in this text.

    In a nutshell: the FATF’s Travel Rule

    The FATF’s latest guidance clarified a VASP’s responsibility towards unhosted wallet transactions. VASPs are to obtain originator and beneficiary information as they would in a VASP-to-VASP transaction for transfers to or from unhosted wallets. According to the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and VASPs, virtual asset transfers to and from unhosted wallets fall under the scope of Recommendation 16, and Travel Rule requirements need to be met: 

    "In instances in which a Virtual Asset (VA) transfer involves only one obliged entity on either end of the transfer (e.g., when an ordering VASP or other obliged entity sends VAs on behalf of its customer, the originator, to a beneficiary that is not a customer of a beneficiary institution but rather an individual VA user who receives the VA transfer to an unhosted wallet), countries should still ensure that the obliged entity adheres to the requirements of Recommendation 16 with respect to their customer." - FATF guidelines

    Travel Rule requirements mean the collecting, exchanging and holding of originator and beneficiary data in specific instances. As the FATF’s Travel Rule is a recommendation, jurisdictions may choose to adopt its recommended threshold of EUR 1000 or their variation thereof. When transacting over the selected threshold, irrespective of the choice of jurisdiction, VASPs are to collect the following Travel Rule information: 

    • originator and beneficiary’s names  
    • originator and beneficiary’s account numbers or unique transaction identifiers
    • originator’s address or 
    • originators’ official personal document, which includes their ID number or date and place of birth or 
    • originator’s customer ID number

    In the event of suspected money laundering or terrorism financing, regardless of the threshold, VASPs are to verify this information. 

    FATF Travel Rule breakdown / Source: 21 Analytics

    Switzerland’s application of the Travel Rule

    With a strict interpretation of the FATF’s recommendations, the Swiss Financial Market Supervisory Authority (FINMA) was one of the first regulators to publish its guidance on applying the Travel Rule to VASPs in August 2019. As per FINMA (FINMA Guidance 02/2019), payments on the blockchain:

    "A transfer from or to an external wallet belonging to a third party is only possible if, as for a client relationship, the supervised institution has first verified the identity of the third party, established the identity of the beneficial owner and proven the third party's ownership of the external wallet using suitable technical means.

    If the customer is conducting an exchange (fiat-to-virtual currency, virtual-to-fiat currency, or virtual-to-virtual currency) and an external wallet is involved in the transaction, the customer’s ownership of the external wallet must also be proven using suitable technical means." - FINMA Guidance

    According to this regulation, any transaction involving a Swiss-regulated entity (such as a bank, financial institution, or VASP) and an unhosted wallet will require a wallet's ownership proof. The rule must be followed by all VASPs, not just those directly supervised by FINMA, like banks, but also those belonging to a Self-regulatory Organisation (SRO). This is pertinent given that most Swiss VASPs are members of an SRO, notably the Financial Services Standards Association (VQF). As per the VQF (Art. 14, Paragraph 1) Regulations: 

    "Payment transactions to and from external wallets are only permitted where the wallets are owned by a member's own customer. The customer's authority over the external wallet must be verified using suitable technical measures. Transactions between customers of the same member are permitted." - VQF Regulations

    In other words, for transfers to or from an unhosted wallet belonging to an already onboarded customer, VASPs must confirm that the customer has the authority to dispose of the assets stored there through proof of ownership via a technical means, for example, a Satoshi Test or via Address Ownership Proof Protocol (AOPP). Furthermore, originator and beneficiary information is to be exchanged for all transactions, irrespective of the value. 

    The EU’s approach to the TFR

    The Transfer of Funds Regulation (TFR) is the EU’s implementation of the FATF’s Travel Rule. VASPs operating or offering services to members of the EU will need to adhere to the regulation. (As per REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on Markets in Crypto-assets, and amending Directive (EU) 2019/1937). 

    The TFR is still to come into force. Once active, European VASPs will have 18 months to get their compliance regimes in order. Moreover, once implemented, it will apply to the transfers of funds in any currency or crypto assets sent or received by a payment service provider, a crypto-asset service provider, or an intermediary service provider (brokers and custodians) established in the European Union. However, like Switzerland, it will not apply to person-to-person (P2P) transfers. A P2P transaction is between 2 natural persons without the aid of a VASP, e.g. a transaction to and from an unhosted wallet without VASP assistance. Nor will it apply when the originator and beneficiary are payment service providers or a VASP acting on their behalves. 

    The EU has elected to have a zero threshold, meaning all transfers must comply with the Travel Rule. That is, originator and beneficiary information need to be exchanged. Although there are some exceptions: less information must be exchanged for transfers under EUR 1000. For transactions under EUR 1000, originator VASPs are to exchange: 

    • originator and beneficiary’s names  
    • originator and beneficiary’s account numbers or unique transaction identifiers

    For transactions over EUR 1000, suspected money laundering or terrorism financing, and multiple transactions from the same wallet VASPs are to collect, exchange, and store the below information: 

    • originator and beneficiary’s names  
    • originator and beneficiary’s account numbers or unique transaction identifiers
    • originator and beneficiary’s LEI numbers (if available) 
    • originator's blockchain address
    • originator’s address 
    • originators’ official personal document, which includes their ID number or date and place of birth
    The EU Transfer of Funds Regulation (TFR) breakdown / Source: 21 Analytics

    In the event of unhosted wallets, VASPs are to apply enhanced due diligence techniques and are to collect wallet ownership proofs**  when: 

    • the transaction is over EUR 1000
    • the wallet owner is a client of the VASP  
    • the wallet owner is not a customer of the VASP; the wallet owner will need to be onboarded as a customer before wallet ownership proof is to be collected 

    What do VASPs need to do?

    VASPs should start formulating their plan of action - for example, anticipating as many Travel Rule scenarios as possible - while they have the time before regulations are implemented to hit the ground running once the regulations are passed. Once the regulations are in place, delayed actions can impact the ability to do business or result in fines. 

    **wallet verification methods will be discussed in detail in the following publication. 

    Share.

    About the author

    21 Analytics provides Travel Rule Compliance Software that enables transactions with VASPs and unhosted wallets, with guaranteed data protection. Founded by Bitcoiners working in the blockchain industry since 2014, 21 Analytics leverages its knowledge and experience to advance its ethos of combining compliance with data protection.

    Related Articles

    dobalance