Why targeting regulation at unhosted wallets is a pointless endeavour
In the FATF’s ’12 Month Review of Revised FATF Standards — Virtual Assets and VASPs’ published back in July of this year, a worrying proposal was included:
“This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or financial institutions” FATF Report
Whilst there exist no current proposals from the FATF on this, it is clear that they intend to review this in June 2021. In this piece I therefore aim to make clear why targeting regulation at unhosted wallets is not only misdirected and infeasible, but also threatens to undermine the very tenets cryptocurrency was built upon.
My writing on the crypto industry usually focuses on technical explainers, however there are dark clouds on the horizon that must be addressed in order to avoid damaging regulation which negatively impacts the industry, the services within and all crypto citizens. It is the responsibility of those knowledgeable of the industry to ensure regulators take heed of our warning and hope that this results in a seismic shift in policy making; away from a top down approach to a more collaborative process which creates more appropriate policy and risk mitigation. Fundamental to this is a sound understanding amongst the regulator community of these new technologies in order to ensure the nuances of blockchain technology are embraced within policy rather than made dissonant with a copy-paste approach from existing regulation.
What is an Unhosted Wallet?
A cryptocurrency address can be thought of akin to an email address — a pseudo-anonymous string of numbers and letters which can be used to send and receive cryptocurrency. As with an alias email address such as firstname.lastname@example.org, it is only possible to know who this address belongs to if they have revealed it is theirs.
As with an email address, a password must be used to access the associated emails. In blockchain parlance this is referred to as a ‘private key’ and, like a password for an email account, third party knowledge of this private key would allow them to access and potentially spend any funds in the associated cryptocurrency wallet.
A private key is also just a string of numbers and letters, so can be written down on a piece of paper, given to a trusted custodian service or written online and stored safely in an encrypted database by a wallet provider.
The term ‘unhosted’ is applied to all situations where this private key is managed personally and not by a 3rd party service or company. We have all heard the story of that one ‘friend of a friend’, who bought bitcoin years back, and would be a millionaire if only he hadn’t misplaced the scrap of paper that his private key was scrawled on.
Technical Infeasibility of Regulating Unhosted Wallets
As outlined above, a private key is simply a string of numbers and letters. Furthermore it is created through a mathematical process which can be run on any computer by anyone. Attempting to regulate the use or creation of unhosted wallets is therefore an attempt to prohibit the use of this mathematical function and the storage of the associated output value in a means decided by the user. This would be comparable to regulation which prohibits or attempts to restrict a person dancing. There is no physical restriction which can be imposed and it is possible for someone to do this in the privacy of their own home, so an impossible task to police.
The technical infeasibility of this is further compounded by the fact that simply examining a cryptocurrency address does not reveal whether the associated private key is held with a 3rd party or personally. As such, a policy which seeks to prohibit interactions with unhosted wallets requires divination or would require the user to prove the location of their private key. Such an act could compromise the private key itself and therefore lead to a loss of funds for users. It may also create potential opportunities for nefarious actors to steal private keys, and therefore funds, by posing as legitimate businesses requiring proof of fund storage.
Furthermore, as blockchains are decentralised networks, they require a majority (or even supermajority) consensus for protocol changes. Therefore, any regulation which seeks to mandate that transactions occur with the use of a Virtual Asset Service Provider (VASP) or financial institutions must look to gain sufficient industry support that this can be enforced at the blockchain level, since peer-to-peer transactions are the very foundation of existing blockchain implementations, and removing this ability would require a protocol upgrade (or downgrade as the case may be). Evidently this challenges the ethos and purpose of cryptocurrencies so it would be safe to assume this would not gain sufficient industry backing. As such, it would be an unimplementable and unenforceable policy.
Regulating unhosted wallets on a technical level is therefore infeasible from a regulatory enforcement perspective, risks the loss of clients funds through the exposure of their private keys and requires the consensus of a community which would need to turn its back on the principles of which it was founded.
Appropriate Risk Management
So why has this regulation been proposed in the first place?
The FATF are looking to try to reduce criminal access and use of cryptocurrencies, a goal which in of itself is of course supported. However, simply storing a private key personally does not indicate criminal activity. Instead the risk of money laundering and financial crimes emanates from the activity of the associated address. The same is evidently true of a hosted private key, as such it is not the location of the private key which carries the risks, but the activity of the address. It is therefore reductionist to label all unhosted wallets with a higher risk of money laundering, sanctions evasion or criminal activity simply because the private key is held within the private possession of the owner rather than a 3rd party.
Likewise, using a hosted wallet does not mitigate much of the criminal risk that we are referring to. One need look no further than the infamous crypto exchange BTC-e which is accused of laundering $4b worth of crypto, the use of Wasabi wallet to launder 22% of the 2020 Twitter hack funds, and the 2019 report from blockchain analytics firm Chainalysis, which found that $2.9 billion worth of crypto was laundered through exchanges.
VASPs themselves pose the highest risk of money laundering. This is unsurprising when they are the primary method by which fiat and crypto can be interchanged, cash remains king to criminals and even SWIFT admits that cryptocurrencies play a very limited role in money laundering compared to fiat currencies. The UN’s Office on Drugs and Crime reports that around 2–5% of global GDP is laundered through cash alone, worth $800 billion to $2trillion — this is still significantly more than the total market cap of all cryptocurrencies, at just over $500 billion.
As such, targeting regulation at unhosted wallets is misguided if done in an attempt to mitigate the risk of crypto-assets being used for money laundering. Instead, stronger and more appropriate regulation should be targeted at where this activity is occurring — VASPs.
Furthermore, by essentially forcing users to hold their crypto funds with a 3rd party, the responsibility of safekeeping is placed on these service providers and whilst traditional banks have been the chosen intermediary for asset safekeeping, crypto service providers have a less favourable and successful reputation. Throughout 2019, there were numerous hacks and theft which led to over $4b in user funds being siphoned to criminals and notable examples of private key mismanagement such as the sudden death of the QuadringaCX founder which resulted in $145m worth of crypto being inaccessible to its legal owners. Whilst these situations were executed via a mix of targeted phishing campaigns, social engineering exercises, and poor security practices by both the individuals and companies, it is clear that holding funds with a 3rd party carries risks of asset safety. This is especially the case with differing data management and cybersecurity practices across the globe, and therefore vastly different standards in service quality and security. This is understandably why many legitimate and law abiding crypto holders choose to keep their crypto in an unhosted wallet — whether written down safely on a piece of paper and stored in their home, or by using a reputable hardware provider such as a Ledger or Trezor.
One could also rightly question whether a move towards centralised services managing our crypto funds is a step backwards from the core tenets of blockchain technology with the promises of decentralisation and disintermediation. Imposing regulation which seeks to prohibit this ability for the safekeeping of assets, or denying access to those who choose this safekeeping method, therefore encourages the use of potentially less secure service providers and is an assault on the core principle of decentralisation.
Moreover, it denies a right, as we have in fiat, to hold our funds privately in our purses, safety deposit boxes or even under our mattress. Introducing regulation on personally held private keys would be akin to introducing a regulation banning the use of a purse or mandating the use of a financial institutional endorsed purse — unproportional and unsuitable for mitigating financial risks.
It cannot be overstated that a regulation on unhosted wallets would have damaging consequences for financial inclusion — a core principle underpinning cryptocurrencies and blockchain technology.
Not only would this force users to store their funds with potentially vulnerable services but as regulatory mandated, this would also likely be a charged service, forcing those already on the fringes of financial access to be priced out of cryptocurrencies altogether.
Additionally, it risks encouraging totalitarian and corrupt governments to impose further regulation on the control or even forfeiture of crypto assets. This is especially worrying in countries such as Venezuela where crypto is being used as a safe harbour against government [caused] hyper inflation or Nigeria where crypto is being used to protest against endemic police corruption. As such, manadating that users must hold their crypto with a 3rd party service, leaves it at the mercy of forfeiture from a government imposed crackdown.
It is therefore in the interests of financial freedom and inclusion that regulation should not be mistargeted at a storage mechanism, but instead at the crypto service level where appropriate compliance and risk mitigations can be put in place where the vast majority of crypto activity is already taking place.
Fortunately, voices denouncing the regulation of unhosted wallets grow louder across the industry and recent publications from the Blockchain Association and former DoF official Jai Ramaswamy have helped bring this conversation further into the mainstream. However with the next round of FATF guidance expected in June 2021 and unhosted wallets and peer to peer transactions in the firing line, we need to ensure that the industry guides the conversation towards a more sensible outcome. In fact, the FAFT themselves have also admitted that a more collaborative approach is needed on this topic.
We cannot be passive observers when it comes to regulation in our industry and we must ensure we’re steering regulators and policy makers in a direction which helps ensure crypto can be safely used by all. We must do this to avoid the equally unsavory potential futures where crypto is either taken advantage of by criminals and nefarious actors, or regulated out of service and stopped from being the tool of financial inclusion, financial liberty and future money we know it can be.
It’s therefore clear that regulating unhosted wallets does not further the cause of mitigating criminal use and access to cryptocurrencies, nor is it a technically feasible or implementable policy. Instead, policy should focus on bolstering compliance oversight and risk mitigation with the services and products operating in the cryptocurrency industry — specifically VASPs.
(All views expressed are the authors own and do not necessarily reflect that of their employer or any associated organisations.)