As regulators take on the challenge of risk mitigation for unhosted crypto wallets, Crystal takes a look at recent hosted and unhosted wallet dynamics on the blockchain
Crypto regulatory authorities and the unhosted wallets challenge
Both the FATF (Financial Actions Task Force) and FinCEN (the Financial Crimes Enforcement Network) have continuously highlighted within their guidance the risks associated with unhosted wallets. The FATF introduced the Travel Rule as guidance in 2019, and the FinCEN’s proposal in December 2020 then required institutions to submit a full report for transactions involving an unhosted wallet where the value of the transaction is greater than $10,000.
This new guidance opened up a wide debate within and without the digital asset community around the treatment of “unhosted wallets” or non-obliged entities. What is an unhosted wallet?
An unhosted wallet, also known as cold storage or self-custody, allows the user to maintain a cryptocurrency balance outside of an exchange, like having banknotes in your own purse or wallet. Using a Ledger or Tresor hardware wallet, for example, or a mobile phone app such as Mycelium, or some software like Electrum. Conversely, a hosted wallet means a wallet that exists on a third-party platform, such as a verified exchange like Coinbase, Crypto.com, or Binance.
Why are unhosted wallets deemed risky and targeted by this guidance?
Unlike customers who rely on the custody services of FIs subject to anti-money laundering and combating the financing of terrorism (AML/ CFT) requirements to send and receive virtual currency, users of unhosted or “self-hosted” wallets can transact directly with one another and with hosted wallets using their own private keys, creating potential illicit finance risks.
The ushering in of anti-money laundering requirements into the domain of private or unhosted wallets is something most countries are only beginning to realize is both crucial and necessary to the overall security, reputation, and longevity of the blockchain industry.
The current stigma around unhosted crypto wallets: valid or invalid?
There is certainly a stigma around unhosted wallets from a service provider perspective, which may not be so justified. The US Treasury stated in a 2020 FAQ that:
“Unhosted wallets enable terrorists, state-sponsored and transnational organized criminals, and cyber hackers and extorters to quickly and covertly shift large sums of money across the globe to support their illegal activities.”
They specifically drew attention to the inability to determine the person who is behind a wallet that does not exist on an exchange. This may, however, overlook the benefits to the user.
Having a self-custody wallet is widely regarded, for example, as the most secure way of storing cryptocurrencies when compared to centralized exchanges. The mantra “not your keys, not your crypto” is strongly repeated. This is a valid and justified practice as thefts from cryptocurrency exchanges are continually being reported, not to mention the high-profile scandals like QuadrigaFX, where the founder died along with access to the exchange’s resources.
But it’s not the only side of the coin. Let’s unpack what the risks are from unhosted wallets.
Is it true, that an unhosted wallet is more ‘anonymous’ than an exchange account? In part, yes.
In a peer-to-peer (P2P) transaction scenario, with no intermediary, there is no third-party reporting the transaction activity. This is less prevalent with exchanges, particularly those that allow high-value transactions or withdrawal in fiat, as KYC procedures are increasingly robust.
As a result of the debate sparked by unhosted wallet guidance, and the growing adoption of the Travel Rule by global and regional regulatory bodies, our blockchain intelligence and analytics team delved into unhosted wallet dynamics over the last two years – here’s what we found.
Risky unhosted wallet dynamics and growing adoption of the Travel Rule
Crystal Blockchain reviewed crypto exchange transfers from and to hosted and unhosted wallets, to see how consumers are reacting to the Travel Rule. For this report, we looked at all deposit and withdrawal transfers of crypto exchanges on the Bitcoin Blockchain, and we categorized them by counterparty and transferred amount. We analyzed the bitcoin (BTC) amount as well as the USD amount calculated by the price on the date and time of transfer.
What we discovered was:
1. There is a trend for unhosted wallets to interact with higher risk providers; while it is not known for certain, it is considered that this is for convenience and speed rather than indicative of illicit activity. Risk levels for observed exchanges are based on the amount of crypto and fiat currency you can withdraw without KYC/ AML identification.
2. The use of unhosted wallets is similarly growing; this poses an increased challenge for VASPs as they are required to comply with Travel Rule requirements. We define unhosted versus hosted wallets by whether or not they belong to the known entity that Crystal and its clustering algorithms discovered and their (or their cluster) number of transactions (where clusters with more than 100 transactions are considered as hosted.)
3. The share of all exchange transfers over $1,000 USD has grown slightly over the past two years. The average share of such transfers in 2021 was bigger than in 2020 by 2.5%. The share of intra-exchange transfers over $1,000 USD is growing, amounting to nearly 99% of all activity during the reporting period beginning Q1 2020 to the end of Q4 2021.
We believe the main drivers behind the migration towards self-custody are:
- A greater understanding of the security implications posed by hosted wallets; following several high-profile security incidents involving major VASPs, it is assumed that more individuals are taking realistic measures to protect their funds from loss or theft.
- Increased requirements for KYC and AML compliance at VASPs, falling under greater scrutiny may have driven some away from centralized exchanges due to individual concerns over data security and privacy.
- Other factors, such as the availability of the currency types available on exchanges may also be moving more unhosted wallets away from lower-risk VASPs; as the risk appetite of larger exchanges reduces, so too does the number of coin types supported as due diligence becomes more stringent. In these cases, users looking for ‘emerging’ projects are likely to seek somewhere with lower barriers to entry.
Though VASPs are actively seeking compliance with an inter-VASP travel rule, unhosted wallets are likely to remain a key issue for both VASPs and the legislation they are required to abide by.
Unhosted wallets: legitimate use case, but not without certain risks
Based on our analysis, the Crystal team has found that there are legitimate and reasonable uses for unhosted crypto wallets, and there are also motivations for both regulators and service providers to offer the right balance of protection measures to their users against potential risk.
Keep an eye out for our upcoming reports on remittances and cryptocurrency dynamics in the wake of the Russian Federation’s invasion of Ukraine, and other global geopolitical situations.