Applying the Travel Rule with Unhosted Wallets: What Developments Should Be Considered?
In the realm of virtual assets, the application of the Travel Rule to transfers involving unhosted wallets presents a complex regulatory landscape, with varying requirements across jurisdictions.
Unhosted wallets, which are self-managed and do not rely on a third-party custodian, pose a significant challenge for regulators due to their operation outside of the traditional Virtual Asset Service Provider (VASP) regime.
Financial Action Task Force Fast Force (FATF) recommends that data on the beneficiary and the originator be collected, risks be assessed, and mitigating measures be taken for transactions involving unhosted wallets. However, the lack of a recipient VASP complicates the process of passing beneficiary data.
In many jurisdictions, when crypto is sent to an unhosted wallet, the originating VASP is still required to collect and verify sender information. This includes full personal details, wallet addresses, and identity data, and checking against sanction lists. However, the sending platform is not typically required to provide personal data to the recipient.
Many jurisdictions impose thresholds for additional due diligence related to unhosted wallets. For example, in the European Union under the Transfer of Funds Regulation (TFR), transfers to unhosted wallets exceeding €1,000 require the crypto-asset service provider (CASP) to verify the wallet ownership, commonly via wallet authentication methods like message signing.
Real-time data sharing and recordkeeping are also crucial for compliance and suspicious activity detection. For unhosted wallet transactions, compliance generally rests with the sending VASP to gather and report required data to regulators, even if they cannot pass data to the recipient.
The inconsistent global landscape, with some countries requiring full transaction reporting regardless of size and others only triggering Travel Rule obligations above a certain amount, adds to the complexity of compliance for cross-border transfers involving unhosted wallets.
In the US, the specific application of the Travel Rule to unhosted wallets is less clarified in recent legislation. While the GENIUS Act imposes AML requirements on stablecoin issuers, it does not explicitly address unhosted wallet treatment or peer-to-peer transfer duties under the Travel Rule.
Non-compliance, particularly involving unhosted wallets, risks significant penalties including fines, license revocation, criminal liabilities, and reputational damage in major jurisdictions such as the US, EU, and Asia-Pacific.
In Hong Kong, due to AML risks in peer-to-peer transfers involving unhosted wallets, regulators expect licensees to verify the identity of stablecoin holders, either by the licensee, supervised financial institutions, or reliable third parties.
To address these challenges, companies like Sumsub have partnered with leading Blockchain Analytics providers to assist in identifying risks associated with unhosted wallets. Sumsub's Travel Rule solution allows unhosted wallet controllers to securely prove they own or control the unhosted wallet using a cryptographic signature.
Enhanced Due Diligence (EDD), including enhanced transaction monitoring measures, is required in jurisdictions like Liechtenstein and Hong Kong. Regulatory requirements for transactions involving unhosted wallets differ by jurisdiction, making it essential for compliance programs to adapt constantly to local regulations and enforcement trends.
- The application of the Travel Rule to unhosted wallets in the realm of virtual assets presents a complex regulatory landscape, with technology playing a crucial role in facilitating real-time data sharing and recordkeeping for compliance purposes.
- Businesses dealing with virtual assets need to understand the varying requirements across jurisdictions, particularly the need for Finance sector regulations like Anti-Money Laundering (AML) measures to manage risks associated with unhosted wallets.
