FinCEN’s Self-Hosted Wallet KYC Regulation Proposal


The Financial Crimes Enforcement Network (FinCEN) – the US’ Financial Investigative Unit that combats terrorism financing and money laundering domestically and internationally – put out a proposed ruling on self-hosted wallets and their KYC requirements for transactions with VASPs in December 2020, entitled Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets.

Here we drill into what the proposed ruling is, how it would work and who it could affect.

Who would the ruling affect?

Primarily, the ruling would affect VASPs or ‘Virtual Asset Service Providers’ and their internal risk management and data policies.

Users that wish to transfer cryptocurrencies from centralized exchanges to a private or ‘self-hosted’ wallet will be required to give personal information about the beneficiary of the wallet in question to the VASP if the value sent is greater than 10,000 USD in one day. VASPs will additionally be required to submit and store records involving transactions with a total value of over 10,000 USD in a given reporting period, or just maintain records for transactions over 3,000 USD.

In the Requirements for Certain Transactions Involving Convertible Virtual Currency or Digital Assets proposal, FinCEN noted that, if made law, the ruling will be applied to wallets that are not subject to the Bank Secrecy Act (BSA) and located in a foreign jurisdiction. The initial foreign jurisdiction list consists of Burma, Iran, and North Korea.

What is KYC?

KYC or ‘Know-Your-Customer’ is a basic set of due diligence risk management processes that seek to gauge how much risk a financial institution or ‘obliged entity’ would have by doing business with the counterparty individual or entity.

For example, PEPs or ‘Politically Exposed Persons’ are automatically placed into a high-risk category owing to their ability to influence public legislation, whilst counterparties that are on the OFAC sanctions list would also be automatically red-flagged and their account(s) frozen and assets seized.

What have people said about the self-hosted wallet ruling so far?

The public comment period on the proposal for transactions between self-hosted wallets and exchanges to have KYC implementation is coming to a close.

As of the 8th of January 2021, more than 65,000 comments have been submitted from FinTech heavyweights such as Square and Coinbase, trade bodies such as the U.S. Chamber of Commerce and even CEO of Twitter Jack Dorsey pushing back against the ruling. Dorsey’s open letter laid bare the issues some in the industry feel, stating “the incongruity between the treatment of cash and cryptocurrency under FinCEN’s proposal will inhibit adoption of cryptocurrency and invade the privacy of individuals. Yet, the rule fails to explain the difference in risk. As such, this low threshold and its extension of KYC obligations beyond customer relationships is arbitrary and unjustified”.

What is a self-hosted wallet?

Self-hosted wallets are crypto wallets that are owned and controlled by private individuals as opposed to those owned or controlled by financial institutions, VASPs, etc.

Typical cryptocurrency and bitcoin wallets are devices, physical mediums, programs or services that retain the public and/or private keys for cryptocurrency transactions. As well as this essential function of ‘keeping the keys’, wallets tend to also have the ability to encrypt and/or sign information. ‘Signing’ could result in executing a smart contract, a cryptocurrency transaction, identification or legally signing a document, etc.

Does the proposed ruling have precedent in traditional finance?

Yes. The requirement to keep detailed records of transactions of over 10,000 USD is not dissimilar to another rule that FinCEN oversees – the Bank Secrecy Act (BSA), first brought into law in 1970. The Bank Secrecy Act requires financial institutions and obliged entities to file an IRS/FinCEN Form 8300 for sums over 10,000 USD – keeping the record for 5 years – and submit a Suspicious Activity Report (SAR) if a customer appears to be engaged in money laundering or other illicit activities.

In addition to FinCEN’s BSA, there is also the global AML watchdog Financial Action Task Force’s (FATF) Recommendation 16, the so-called ‘Travel Rule’, itself based on the BSA.

As the FATF’s recommendations are widely implemented by member states’ traditional finance systems and FinTech ecosystems, the Travel Rule is another regulation that VASPs must bear in mind. It also requires banks and FIs to collect customer identification information and report details for transactions above certain thresholds involving self-hosted wallets. Switzerland and Singapore are two notable jurisdictions that have implemented FATF’s Travel Rule into law.

How can VASPs prepare for the ruling?

Having a proper KYC, AML and CFT process is important to maintain a compliant operation.

Whilst regulators were in a learning process in the twilight of the bitcoin and wider cryptocurrency market, blockchain-based business models often took the approach of keeping operations going until the hammer of the regulator came down, making business harder. However, this lax approach to compliance tends to eventually make operations impossible. Some basic initiatives for crypto-native companies catering to US citizens and cross-border transactions passing through the US are set out below:

  • a formal system of internal controls;
  • independent testing;
  • a compliance officer, money laundering reporting officer (MLRO) or other individual designated as responsible for operational compliance;
  • appropriate personnel training; and
  • proper risk-based processes for conducting ongoing Customer Due Diligence or ‘CDD’.
