Part II - Have Money, Will Apply Travel Rule: The Death Knell for Unhosted Wallets

In this second part, we analyze the travel rule as part of the proposed Transfer of Funds Directive (TFR) and its practical implications.

AML Orthodoxy

The travel rule is best understood as part of the prevailing Anti-Money Laundering (AML) orthodoxy which sees regulatory reporting as the key to combating crime.

There are three key provisions:

  1. Collect, verify and report transactions involving unhosted wallets

    Combined with MiCA’s broad definition of who is considered a Crypto-Asset Service Provider (See Part I), the application of the travel rule as it stands creates a requirement for CASPs who receive or send transactions to a unhosted wallet to collect, store and verify information on the other party - i.e. the owner of the unhosted wallet who is not a customer of the CASP - in order to process the transaction. An unhosted wallet is defined as “a crypto-asset wallet address that is not held or managed by a provider of crypto-asset transfers”.1

    Such reporting is done automatically for all transactions over EUR 1,000 vs. the EUR 10,000 threshold for fiat transactions, and includes all such transactions, not just the ones that are deemed suspicious as is the case with current fiat banking rules.

  2. Central register of wallet owners

    In addition, the proposals contemplate the creation of a government registry linking blockchain addresses to their owners and counterparties, and a public registry of “non-compliant” CASPs and “high risk” wallet addresses.2

  3. A ban


    Finally, the TFR imposes a ban on CASPs interacting with certain DeFi protocols and decentralized exchanges.3

All in all, the proposed travel rule for crypto assets treats citizens who hold crypto different from those who hold fiat, since every crypto transaction would be subject to the travel rule, which has unintended - and no doubt intended! - consequences.

Between theory and practice

Even if the theory could be supported by the facts (in Part III, we share evidence that that the current AML approach has failed), the above reporting requirements are roundly impractical.

It is unimaginable that banks would ever accept an equivalent rule in which they are required to collect, store and verify information on their counterpart who is not a customer of theirs, or a rule that asks them to report every transactions over EUR 1,000.

Pascal Gauthier, the CEO of Ledger, puts it as follows:

Imagine you have a wallet, your leather wallet, and you’ve got cash in it. Now every time that you’re going to pay in cash somewhere, you’re going to have to flash your ID … and they’re going to note your name.

Pascal Gauthier, CEO, Ledger.com

We can only assume that by tilting the field in its favor via the influence it has over the E.U. legislative process, TradFin intended to stifle DeFi by burying its service providers in more red tape than it could ever cope with itself.

An unintended consequence of the proposed regulations is that crypto transactions, similar to other activities that have been outlawed in the past (e.g. alcohol during the Prohibition) will be pushed into illegality, which in turn may diminish user protections and lead to an economic no man’s land in which well-meaning participants will be deemed criminals merely by seeking the ease and speed new technology affords them.

The practical result may possibly be a massive shrug by the crypto community in Europe who, like tax-dodgers, may calculate that ignoring the rules comes with a low risk of getting caught.

So much for civics in Europe!

Sue the E.U.

Apart from being impractical, we believe the proposed travel rule is unlawful and should be challenged if it survives.

Reporting every interaction that exceeds EUR 1,000 which involves a crypto-asset service provider effectively introduces a mass-surveillance regime that fundamentally infringes people’s right to financial freedom and privacy.

We base our claim of unlawfulness on the European Court of Justice (ECJ) April 8, 2014 decision to struck down EU Directive 2006/24 requiring the collection, retention, and disclosure to competent government authorities of all telecommunications traffic (phone, email, internet) in order to facilitate the prevention and prosecution of crime.4

The Court found the Directive - which has a striking similarity with the proposed TFR - to be an unlawful invasion of privacy incompatible with the Charter of Fundamental Rights of the European Union.

The court called the directive “a wide-ranging and particularly serious interference with those fundamental rights […], without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.”

Time to act

On 6 April, the travel rule proposal by the E.U. Parliament’s Joint Committee went into a first reading of the parliamentary plenary and is now set to go to the next stage of the legislative process – a “trilogue” between the European Parliament, the European Commission (call it Europe’s executive branch) and the Council of the EU, which represents its Member States.5

The Byzantine nature of the European decision making process does not guarantee a favorable outcome, and decisions are much more difficult to influence at the trilogy stage vs. the amendment drafting stage.

In particular, transactions between unhosted wallets, despite private keys remaining with their owner, could still be brought into the travel rule regime if the developers of the decentralized apps and smart contract protocols on which such wallets rely are deemed CASPs under MiCA’s expansive definition.

Rather than using the simple test of who controls the private keys to a wallet to determine whether it is unhosted or custodied, by seeking to include the providers of the underlying wallet technology as intermediaries and hence CASPs, the proposed travel rule could potentially include all peer-to-peer transactions between unhosted wallets.

If in addition to financial transactions such unhosted wallets are also used for non-financial applications such as peer-to-peer messaging, social media apps, music streaming etc, this would mean all privacy is out of the window: all wallets would then have been “white-listed” through forced - rather than voluntary, “self-sovereign” - disclose of their owner.

Such disproportionality would not only contradict Europe’s genuine concern for people’s privacy and individual rights, it leads Europeans and anybody who interacts with European CASPs down a direct path towards a China-style Orwellian techno-surveillance state.

In Part III, we will bring further grounds on which we hope a degree of balance can be reinserted in the proposed rules, and ways to get there.


  1. Art. 3 TFR.

  2. Articles 16, 18 ad TFR.

  3. Art. 18 aa TFR.

  4. Judgment of the European Court of Justice (Grand Chamber), Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (April 8, 2014), Joined Cases C‐293/12 and C‐594/12.

  5. Readers who want to consult the Urtexte can trace the progress and timetable of the proposals here together with the full Joint Committee’s deliberations.

Subscribe to The Otonomist newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox. It's free!
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!