As regulators take on the challenge of risk mitigation for unhosted crypto wallets, Crystal takes a look at recent hosted and unhosted wallet dynamics on the blockchain
Both the FATF (Financial Actions Task Force) and FinCEN (the Financial Crimes Enforcement Network) have continuously highlighted within their guidance the risks associated with unhosted wallets. The FATF introduced the Travel Rule as guidance in 2019, and the FinCEN’s proposal in December 2020 then required institutions to submit a full report for transactions involving an unhosted wallet where the value of the transaction is greater than $10,000.
This new guidance opened up a wide debate within and without the digital asset community around the treatment of “unhosted wallets” or non-obliged entities. What is an unhosted wallet?
An unhosted wallet, also known as cold storage or self-custody, allows the user to maintain a cryptocurrency balance outside of an exchange, like having banknotes in your own purse or wallet. Using a Ledger or Tresor hardware wallet, for example, or a mobile phone app such as Mycelium, or some software like Electrum. Conversely, a hosted wallet means a wallet that exists on a third-party platform, such as a verified exchange like Coinbase, Crypto.com, or Binance.
Unlike customers who rely on the custody services of FIs subject to anti-money laundering and combating the financing of terrorism (AML/ CFT) requirements to send and receive virtual currency, users of unhosted or “self-hosted” wallets can transact directly with one another and with hosted wallets using their own private keys, creating potential illicit finance risks.
The ushering in of anti-money laundering requirements into the domain of private or unhosted wallets is something most countries are only beginning to realize is both crucial and necessary to the overall security, reputation, and longevity of the blockchain industry.
There is certainly a stigma around unhosted wallets from a service provider perspective, which may not be so justified. The US Treasury stated in a 2020 FAQ that:
“Unhosted wallets enable terrorists, state-sponsored and transnational organized criminals, and cyber hackers and extorters to quickly and covertly shift large sums of money across the globe to support their illegal activities.”
They specifically drew attention to the inability to determine the person who is behind a wallet that does not exist on an exchange. This may, however, overlook the benefits to the user.
Having a self-custody wallet is widely regarded, for example, as the most secure way of storing cryptocurrencies when compared to centralized exchanges. The mantra “not your keys, not your crypto” is strongly repeated. This is a valid and justified practice as thefts from cryptocurrency exchanges are continually being reported, not to mention the high-profile scandals like QuadrigaFX, where the founder died along with access to the exchange’s resources.
But it’s not the only side of the coin. Let’s unpack what the risks are from unhosted wallets.
Is it true, that an unhosted wallet is more ‘anonymous’ than an exchange account? In part, yes.
In a peer-to-peer (P2P) transaction scenario, with no intermediary, there is no third-party reporting the transaction activity. This is less prevalent with exchanges, particularly those that allow high-value transactions or withdrawal in fiat, as KYC procedures are increasingly robust.
As a result of the debate sparked by unhosted wallet guidance, and the growing adoption of the Travel Rule by global and regional regulatory bodies, our blockchain intelligence and analytics team delved into unhosted wallet dynamics over the last two years – here’s what we found.
Crystal Blockchain reviewed crypto exchange transfers from and to hosted and unhosted wallets, to see how consumers are reacting to the Travel Rule. For this report, we looked at all deposit and withdrawal transfers of crypto exchanges on the Bitcoin Blockchain, and we categorized them by counterparty and transferred amount. We analyzed the bitcoin (BTC) amount as well as the USD amount calculated by the price on the date and time of transfer.
What we discovered was:
1. There is a trend for unhosted wallets to interact with higher risk providers; while it is not known for certain, it is considered that this is for convenience and speed rather than indicative of illicit activity. Risk levels for observed exchanges are based on the amount of crypto and fiat currency you can withdraw without KYC/ AML identification.
2. The use of unhosted wallets is similarly growing; this poses an increased challenge for VASPs as they are required to comply with Travel Rule requirements. We define unhosted versus hosted wallets by whether or not they belong to the known entity that Crystal and its clustering algorithms discovered and their (or their cluster) number of transactions (where clusters with more than 100 transactions are considered as hosted.)
3. The share of all exchange transfers over $1,000 USD has grown slightly over the past two years. The average share of such transfers in 2021 was bigger than in 2020 by 2.5%. The share of intra-exchange transfers over $1,000 USD is growing, amounting to nearly 99% of all activity during the reporting period beginning Q1 2020 to the end of Q4 2021.
We believe the main drivers behind the migration towards self-custody are:
Though VASPs are actively seeking compliance with an inter-VASP travel rule, unhosted wallets are likely to remain a key issue for both VASPs and the legislation they are required to abide by.
Based on our analysis, the Crystal team has found that there are legitimate and reasonable uses for unhosted crypto wallets, and there are also motivations for both regulators and service providers to offer the right balance of protection measures to their users against potential risk.
Keep an eye out for our upcoming reports on remittances and cryptocurrency dynamics in the wake of the Russian Federation’s invasion of Ukraine, and other global geopolitical situations.
Contact Crystal to learn more about our analytics and blockchain intelligence reporting service.