June 29, 2022

The United States and the United Kingdom on unhosted wallets — an ocean apart?

Earlier this month, the U.K.’s HM Treasury issued a final response to consultation related to AML/CFT and provided an update on how the financial regulator has decided to approach the cryptocurrency travel rule, which mandates that crypto businesses are required to share the names of both transaction senders and receivers.

The final report states that the UK government does not believe transactions involving unhosted wallets — that is, crypto wallets that are not hosted by a crypto exchange or other financial institution — should not be automatically viewed as higher risk and are often used for legitimate purposes, explaining that, "Instead of requiring the collection of beneficiary and originator information for all unhosted wallet transfers, crypto businesses will only be expected to collect this information for transactions identified as posing an elevated risk of illicit finance."

The final report modifies a proposal that would have required crypto businesses to collect personal data — known as “KYC” or “know-your-customer” information — from all individuals holding unhosted wallets that were recipients of crypto transfers. The change was made in response to HM Treasury’s consultation held between July and October 2021 with public and private sector entities, during which stakeholders questioned both the ability and the need for crypto businesses to collect information from all unhosted wallets.

The latest from HM Treasury is an ocean away from what we saw at the end of 2020 from the U.S. Treasury Department.

As a reminder, it was late December — the holidays in full swing, Bitcoin hovering around a record $30K, with Coinbase still considering an IPO — when the U.S. Treasury Department dropped a Notice of Proposed Rulemaking (NPRM) with a 15-day turnaround proposing that crypto businesses would be required to submit reports, keep records, and verify the identity of customers using unhosted wallets with Treasury Secretary Mnuchin saying, at the time, “The rule, which applies to financial institutions and is consistent with existing requirements, is intended to protect national security, assist law enforcement, and increase transparency while minimizing impact on responsible innovation.” The unhosted wallets rule needed to be expedited according to the NPRM, because of “significant national security imperatives” including crypto and unhosted wallets’ role in ransomware, money-laundering and other illicit activity. TRM Talks hosted FinCEN Acting Director Michael Mosier and former DOJ Money Laundering Chief Jai Ramaswamy to discuss the NPRM and its ramifications.

Despite the initial fire drill-style turnaround time, on January 15, 2021, Treasury provided an extension and then another until the proposal was eventually tabled. However, it seems as if Treasury is still considering unhosted wallets. In January 2022, the unhosted wallets rule found its way into the semiannual agenda of regulations signaling that Treasury is still working on the issue. Specifically, the agenda reads, "FinCEN is proposing to amend the regulations implementing the Bank Secrecy Act (BSA) to require banks and money service businesses (MSB) to submit reports, keep records and verify the identity of customers in relation to transactions involving convertible virtual currency (CVC) or digital assets with legal tender status ('legal tender digital assets' or 'LTDA') held in unhosted wallets, or held in wallets hosted in a jurisdiction identified by FinCEN.” A timetable in the section suggests FinCEN aims to finalize the rule by the end of August, if it chooses to finalize it at all.

Unhosted wallets popped up again from the house that Hamilton built when Deputy Treasury Secretary Wally Adeyemo, in a speech at Coindesk’s Consensus, mentioned both the Travel Rule and unhosted wallets as issues Treasury is closely examining, explaining, “We’re focused on arriving at a regulatory approach to the Travel Rule that will strike the right balance between allowing the market to continue innovating when it comes to payments systems and technologies, while also ensuring these innovations are not abused or used to undermine our shared interests.”

On unhosted wallets, the Dep Sec explained, "Because unhosted wallets are effectively just addresses on a blockchain, it can be difficult to determine who really owns and controls them—creating opportunities to abuse this heightened anonymity. Financial institutions need to know who they are transacting and doing business with to make sure they are not making payments to criminals, sanctioned entities, or others."

In a fireside chat with Coindesk’s Nikhilesh De, the Deputy Secretary did not want to “get ahead of the rulemaking process” on unhosted wallets but did indicate that Treasury “understands and respects the need for, and the desire to [have] privacy, but we need to make sure that we're also in a place where we're not creating avenues where those who want to move funds illicitly are able to use digital assets more than traditional assets. . . . That's why we think that thinking about the travel rule and the unhosted wallet rule make sense. But we want to do it in a way that addresses the fact that the thing we know that the way we solve these challenges, the way we address them, is about innovation and making sure that we give you the room to innovate within a regulatory architecture that allows us to protect our national security, consumers, investors and financial stability.”

So what does all this mean? It means that regulatory views continue to evolve on unhosted wallets. Even the Financial Action Task Force (FATF) — the U.N. of Money Laundering — tempered its stance on unhosted wallets recently toning down language from draft guidance which suggested denying licensing to crypto businesses that transact with unhosted wallets in favor of enhanced due diligence to meet a risk-based approach. However, FATF’s most recent guidance, unlike the UK’s final report, does say that in the case of unhosted wallets — where there is not an originator or beneficiary institution — a virtual asset service provider (VASP) must still collect the required information with respect to their customer.

The U.K.’s recent guidance is likely closer to what we could see globally as a measured approach to unhosted wallets. HM Treasury certainly does not say that unhosted wallets do not present a risk. To the contrary, the regulator says that, “there is not good evidence that unhosted wallets present a disproportionate risk of being used in illicit finance. Nevertheless, the government is conscious that completely exempting unhosted wallets from the Travel Rule could create an incentive for criminals to use them to evade controls.” Therefore, HM Treasury lands on the need for a risk-based approach to unhosted wallets.

Why are regulators moving toward a risk-based approach rather than more draconian measures? One likely reason is that they are coming around to the idea that with tools like TRM it's actually possible to assess illicit finance risk without knowing the identity of the wallet holder. With TRM a VASP can proactively screen for high-risk wallets associated with 80 categories of fraud and financial crime aligned to FATF’s predicate offenses, including explicitly sanctioned addresses and addresses associated with sanctioned entities, continuously monitor those wallet addresses, and link wallets to real-world entities. Regulators are getting comfortable that without next generation tools, there are ways to mitigate risk without stifling innovation.

For much more from HM Treasury, tune in for TRM Talks on July 7 to learn about the UK’s approach to the travel rule, unhosted wallets and crypto regulation with James Gillespie, Policy Advisor, Sanctions & Illicit Finance at HM Treasury.

About TRM Labs

TRM provides blockchain intelligence to help financial institutions, cryptocurrency businesses, and public agencies detect, investigate, and manage crypto-related fraud and financial crime. TRM's risk management platform includes solutions for transaction monitoring and wallet screening, entity risk scoring - including VASP due diligence - and source and destination of funds tracing. These tools enable a rapidly growing cohort of organizations around the world to safely embrace cryptocurrency-related transactions, products, and partnerships.

‍

Want more content like this?