As digital assets become increasingly mainstream, one question keeps compliance teams up at night: how do you treat transfers between hosted and unhosted wallets when regulatory guidance remains murky? Both wallet types are legitimate — yet they carry very different risk profiles and visibility. In the world of AML/CFT, the shift from traditional bank-account custody to self-custody raises a simple but critical question: who really has the keys — and the data?
Understanding Hosted vs Unhosted Wallets
A hosted wallet is operated by a regulated third party — typically a crypto exchange, custody provider or VASP — which holds the private keys on behalf of the user, applies KYC/AML, and acts analogously to a bank account.
By contrast, an unhosted wallet (also called self-custody or non-custodial) places full control of the keys in the hands of the user.
This difference isn’t just technical — it fundamentally alters how traceability, identity and risk are handled by institutions that engage with crypto.

Regulatory Landscape & What It Means for Compliance
Globally the obligation to monitor and mitigate risk remains with the regulated entity — even when the counterparty uses an unhosted wallet. For example, the Financial Action Task Force (FATF) highlights that transactions involving unhosted wallets may be “attractive to illicit actors due to anonymity, the lack of limits on portability, mobility, transaction speed, and usability”.
In the EU, via the Markets in Crypto‑Assets Regulation (MiCA) and the related Transfer of Funds Regulation, crypto-asset service providers (CASPs) will need to verify ownership of unhosted wallets when certain thresholds apply.
While many jurisdictions (especially the U.S.) still lack clear rules for unhosted-wallet interactions, institutions can no longer wait for perfection. The regulatory expectation is already shifting.
Practical Risk-Management Approaches for Institutions
Given the ambiguity, institutions must adopt a risk-based approach rather than a one-size-fits-all ban on unhosted wallet use. A key tactic is to deploy blockchain analytics to ask not "whose wallet is this?" but rather "what risk does this wallet carry?" According to the Elliptic article: “The question isn’t whose wallet it is — it’s what risks it carries.” Using blockchain analytics, compliance teams can screen wallet histories for links to sanctions, darknet markets or mixer services. I did an Elliptic certification myself recently, and let me tell you that they can track hundreds of hops away and calculate the risk of a wallet based on that.
Another effective strategy: apply tiered transaction thresholds (e.g., lower controls below €10 000, enhanced diligence above €50 000) and maintain whitelists and blacklists of self-custody addresses based on risk exposure. These tactics strike a balance between enabling access and safeguarding against illicit flows.
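The tiering described above, sketched as an added example (not code from the original article or from Elliptic). The euro thresholds are the article's example figures; the middle "standard" tier, the category weights, the hop discount, the 0.25 cut-off, the blocking rule and the list entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds are the article's example figures; everything else is assumed.
SIMPLIFIED_BELOW_EUR = Decimal("10000")
ENHANCED_ABOVE_EUR = Decimal("50000")
CATEGORY_WEIGHT = {"sanctions": 1.0, "darknet_market": 0.8, "mixer": 0.6}
ENHANCED_SCORE = 0.25                      # assumed escalation cut-off
DENYLIST = {"constructed-deny-addr"}       # constructed sample entries
ALLOWLIST = {"constructed-allow-addr"}

@dataclass(frozen=True)
class Exposure:
    """One constructed analytics finding for a screened wallet."""
    category: str   # "sanctions", "darknet_market", "mixer", ...
    hops: int       # 0 = the wallet transacted with the entity directly
    share: float    # fraction of the wallet's funds traced to it

def exposure_score(findings):
    """Worst weighted exposure, discounted by hop distance (assumed model)."""
    return max((CATEGORY_WEIGHT.get(f.category, 0.0) * f.share / (1 + f.hops)
                for f in findings), default=0.0)

def decide(address, amount_eur, findings):
    """Return (tier, reasons); reasons are kept for the audit trail."""
    if address in DENYLIST:
        return "block", ["address on denylist"]
    if any(f.category == "sanctions" and f.hops == 0 for f in findings):
        return "block", ["direct sanctions exposure"]
    score = exposure_score(findings)
    reasons = [f"exposure score {score:.2f}"]
    if amount_eur > ENHANCED_ABOVE_EUR:
        reasons.append("amount above enhanced-diligence threshold")
    if score >= ENHANCED_SCORE:
        reasons.append("on-chain exposure above cut-off")
    if len(reasons) > 1:
        return "enhanced", reasons
    # The allowlist only relaxes controls; it never overrides the checks above.
    if amount_eur < SIMPLIFIED_BELOW_EUR or address in ALLOWLIST:
        reasons.append("low amount or allowlisted address")
        return "simplified", reasons
    return "standard", reasons

if __name__ == "__main__":
    print(decide("constructed-allow-addr", Decimal("60000"), []))
    print(decide("unknown-addr", Decimal("5000"), [Exposure("mixer", 0, 0.5)]))
```

Returning the reasons alongside the tier gives each decision a record that can be stored with the transfer for later audit.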
The Outlook for AML Compliance
As the crypto-asset ecosystem matures, the real distinction will no longer be simply hosted vs unhosted — it will be visibility and behavior. Institutions must demonstrate that they can trace, assess and document flows even when a counterparty controls their own wallet. Blockchain transparency offers a new compliance frontier where on-chain analytics substitute for missing customer verification. In short: it’s not just about control of the private key — it’s about control of risk.
The sooner compliance teams build defensible, auditable processes for unhosted-wallet interactions, the better positioned they will be when national rules finally catch up.
Thanks to Elliptic for their detailed industry analysis on hosted and unhosted wallets, which continues to shape the conversation around risk-based compliance in the digital-asset ecosystem.
Sources:
- Elliptic: “Hosted vs unhosted wallets: Compliance risks and practical solutions”
- FATF: “Virtual Assets: Targeted Update on Implementation of the FATF Standards”
- Elliptic: “Unhosted wallets: crypto’s biggest compliance conundrum”
- Elliptic: “Preparing for the EU’s requirements on the Travel Rule and unhosted wallets”




