Get your tickets for the 2023 Coin Center Annual Dinner – April 26 in Austin, TX

Are regulators poised to demand cryptocurrency address whitelisting? Probably not.

Rumors are circulating that regulators will soon require exchanges to only allow cryptocurrency withdrawals to “whitelisted” addresses or, worse, that withdrawals to unhosted wallets won’t be allowed at all. These rumors are exaggerated, yet they’ve been persistent over the past few weeks, so we wanted to address them directly.

As best we can tell, the rumors stem from the July 7 publication of the Financial Action Task Force’s “12 Month Review of Revised FATF Standards – Virtual Assets and VASPs,” which is not regulation or guidance, but merely a progress report on the implementation of the recommendations FATF adopted last year. (Here was our take on those recommendations at the time.) In particular, it seems this paragraph is the source of the alarm (emphasis added):

The launch of new virtual assets however could materially change the ML/TF risks, particularly if there is mass-adoption of a virtual asset that enables anonymous peer-to-peer transactions. There are a range of tools that are available at a national level to mitigate, to some extent, the risks posed by anonymous peer-to-peer transactions if national authorities consider the ML/TF risk to be unacceptably high. This includes banning or denying licensing of platforms if they allow unhosted wallet transfers, introducing transactional or volume limits on peer-to-peer transactions or mandating that transactions occur with the use of a VASP or financial institutions. As of yet, no common practises or consistent international approach have emerged regarding the use of these different tools. Accordingly, there should be further work undertaken on the extent to which anonymous peer-to-peer transactions via unhosted wallets is occurring, the approach jurisdictions can take to mitigate the ML/TF risks, the extent to which the revised Standards enable jurisdictions to mitigate these risks and to continue to improve international co-operation and coordination.

What FATF is doing here is spelling out the regulatory options available to regulators, not prescribing or recommending anything. It’s saying, if there is mass-adoption of anonymous P2P transactions, and if national authorities determine that to increase ML/TF risks, then there are options available to regulators to address those risks, such as requiring whitelisting, etc. As much as some may not like to see these options listed in black and white, regulators have always had these options, this is nothing new, and FATF is only committing here to continue studying the issue.

It should also be noted that FATF is pointing out that regulators have a range of options available, with prohibiting withdrawals to unhosted wallets being the nuclear option. Even if “whitelisting” were to be adopted, it would not necessarily lead to a result some fear, which is the bifurcation of cryptocurrency into ecosystems for “clean” and “dirty” coins. Indeed Switzerland, which is often hailed as a cryptocurrency-friendly state, already does this because the Swiss have a strict and expansive view of the “travel rule.”

In case you don’t know, the “travel rule” is a regulation that’s been in existence in the U.S. since 1995, and has always applied to transactions between regulated entities including custodial cryptocurrency exchanges. The travel rule has an analog internationally: FATF’s wire transfer rule, and last year FATF called upon member countries to apply this rule to cryptocurrency exchanges, bringing parity with longstanding US policy (an unsurprising move since the United States had the FATF presidency when it did so). It basically requires financial intermediaries like banks or cryptocurrency exchanges to send customer information when they transmit funds to another financial institution. As we said last year when FATF adopted the rule as a global standard,

Travel rule compliance is a non-trivial issue for custodial exchanges to figure out. For example, if exchanges are obligated only to send customer information to other exchanges, and a customer simply asks the exchange to send bitcoin to an otherwise unidentified Bitcoin address, then how does the exchange know whether that Bitcoin address is an exchange or an individual? How do they know whether to send customer information forward or not? It’s a rule that was clearly developed in a time before cryptocurrency networks and should be revisited. In the meantime, exchanges have been working on solutions to comply with this rule.

Two things stand out about the proposed wire transfer rule. First, it would only apply to custodial businesses, not to persons who are merely writing software, to persons providing non-custodial services, or to the network itself, which are the primary areas of focus for Coin Center. Our concern with laws and policies that affect custodial businesses is generally that they should be no different than what applies to non-crypto businesses, which is the case here. Second, this recommended rule is not really a new requirement, at least not in the United States. Exchanges in the US have been subject to the travel rule for quite some time now , and the FATF is simply recommending that such a rule be adopted by other countries.

So the travel rule, as it has applied to cryptocurrency exchanges since at least FinCEN’s May 2013 guidance and as adopted by the FATF last year, only applies to transactions between exchangers, not unhosted wallets. Switzerland, however, goes further as the Swiss regulator explains here (emphasis added):

Institutions supervised by FINMA are only permitted to send cryptocurrencies or other tokens to external wallets belonging to their own customers whose identity has already been verified and are only allowed to receive cryptocurrencies or tokens from such customers. FINMA-supervised institutions are thus not permitted to receive tokens from customers of other institutions or to send tokens to such customers. This practice applies as long as information about the sender and recipient cannot be transmitted reliably in the respective payment system. Unlike the FATF standard, this established practice applies in Switzerland without the exception for unregulated wallets and is therefore one of the most stringent in the world.

So, Switzerland has whitelisting. In practice what this means is that you can only withdraw cryptocurrency from an exchange to an unhosted cryptocurrency address that you have previously registered with the exchange and verified that you own. (See, for example, this “Proof-of-Ownership FAQ” from Swiss exchange Bitcoin Suisse.) In this way regulators can make sure that you are indeed withdrawing funds for yourself and not sending them to some unknown third-party in violation of their strict interpretation of the travel rule.

Notice, however, that once you have withdrawn the funds to your registered address you are free to send the funds to any other address you’d like; they just want exchanges to send and receive only from their customers. This is not unlike one’s relationship to a bank, which verifies your identity when you go to withdraw cash from your account. Even if this kind of whitelisting were to be adopted in the U.S. (which, from talking to many government officials, is nowhere on the horizon), it would not create bifurcated clean/dirty ecosystems. That said, fungibility is paramount to the success of cryptocurrencies and we should always be on guard against threats to it, primarily by ensuring privacy technically.

Some say they have heard that exchanges are racing to build systems to comply with the travel rule. We hope that’s the case because, as noted above, in the U.S. the travel has applied to them since at least 2013. And while we may yet see new guidance or regulation from FinCEN on the travel rule, in the U.S. at least we don’t believe unhosted wallets would be affected. So bottom line, none of this is an impending doomsday as the rumors have it.