Self-hosted wallets under EU Law: Compliance through Intermediation

The Markets in Crypto-Assets Regulation sets licensing rules for crypto-asset service providers, but it doesn’t say what happens when these middlemen deal with self-hosted wallets. The Transfer of Funds Regulation, also known as Regulation 2023/1113, answers this question about information that goes along with transfers of money and some crypto-assets. This essay looks at how the TFR sets up a framework of stricter due diligence instead of a ban. For transactions over € 1.000, it requires CASPs to check wallet ownership and add blockchain monitoring capabilities. It follows the EBA’s Travel Rule Guidelines, the person-to-person exclusion in Article 2(4), and the Commission’s job in Article 37 to figure out if more restrictions are needed by June 2026. As self-hosted wallets turn into gated endpoints instead of alternative pathways, lawyers and compliance experts all over Europe need to know how this framework changes the line between regulated intermediation and self-custody.

The Markets in Crypto-Assets Regulation establishes a complete licensing framework for crypto-asset service providers operating within the European Union. MiCAR only deals with one side of the equation: the regulated middlemen/intermediaries. What happens when these intermediaries interact with self-hosted wallets, that is, addresses and/or crypto accounts controlled or maintained directly by individuals without the help of a third party? This question is answered not by MiCAR itself, but by its companion legislation: Regulation 2023/1113 on information accompanying transfers of funds and certain crypto-assets, commonly known as the Transfer of Funds Regulation or TFR. The framework that emerges is one of enhanced due diligence rather than prohibition, creating a regulatory middle ground that has drawn both praise for its pragmatism and criticism for its compliance burden. This regulation reveals a pattern consistent with the broader MiCAR framework: rather than creating oversight mechanisms tailored to decentralized systems, the EU routes crypto-asset activity through existing banking-integrated intermediaries.

Regulation 2023/1113 establishes significant requirements for blockchain analysis & risk mitigation, even concerning transactions involving self-hosted wallets. While not explicitly mandating automated blockchain analysis, the regulation’s requirements effectively necessitate some form of in-house screening capabilities (enhanced due diligence measures).

Key regulatory provisions suggest that CASPs must implement systematic blockchain monitoring:

  • For transactions over €1.000 involving self-hosted addresses, CASPs must “take adequate measures” to verify ownership/control of the address (Article 14(5)).
  • The regulation requires CASPs to identify “unusual or suspicious patterns of transactions” & “situations of higher risks” involving self-hosted addresses (Recital 45). Such pattern recognition and risk assessment inherently implies the need for blockchain analysis tools.
  • When dealing with self-hosted addresses, CASPs must collect information about both the originator and beneficiary (Recital 39), usually from their client.

The Regulation’s language regarding information collection for self-hosted wallet transfers is notably flexible. Recital 39 states that CASPs should collect information “usually from its client”, a wording choice that implies this is not an exhaustive source. This interpretation is further supported by the Regulation’s emphasis on effective risk management and the need to identify “unusual or suspicious patterns of transactions” (Recital 45), which would be difficult to achieve relying solely on client-provided information.

CASPs are obligated to collect the clear names of both the originator and beneficiary when dealing with self-hosted addresses, with this information typically gathered from the CASP’s client. In addition to collecting the names, CASPs must also verify the accuracy of this information, but only under the specific circumstances of exceeding € 1.000.

On February 7, 2022, a proposed amendment to the regulation introduced Recital 27b, which states: In the case of a transfer of cryptoassets from or to a crypto-asset wallet not held by a third party, known as an ‘unhosted wallet’, the crypto-asset service provider or other obliged entity should obtain and retain the required originator and beneficiary information from their customer, whether originator or beneficiary. The crypto-asset service provider should verify the accuracy of the information only with respect to its customer and is not expected to verify the required information with respect to the originator or beneficiary behind the unhosted wallet. However, if the crypto-asset service provider is or becomes aware that the information on the originator or beneficiary that is an unhosted wallet is inaccurate, or where the information on the originator or beneficiary that is an unhosted wallet is missing or is incomplete, or where the transfer of crypto-assets is required to be considered suspicious based on the origin or destination of the involved crypto-assets, the crypto-asset service provider should, on a risk-sensitive basis, assess whether a transfer of crypto-assets should be rejected or suspended and whether it is to be reported to the Financial Intelligence Unit (FIU) in accordance with Directive (EU) 2015/849.

Directive 2015/849 describes these corresponding obligations as follows (in summary – Articles 13 & 14): Identification and verification of both the customer and beneficial owner’s identity, understanding the purpose and nature of the business relationship, and conducting ongoing transaction monitoring are core requirements. Identity verification must be completed before establishing a business relationship or executing transactions, with limited exceptions where completion during relationship establishment is permitted if there is low risk and business continuity needs to be maintained. For example, when opening a new bank account, a financial institution must verify the customer’s identity through reliable and independent sources (such as government-issued identification documents), understand the intended purpose of the account (personal savings, business operations, etc.), and implement ongoing monitoring systems to ensure transaction patterns align with the stated purpose. Notably, obliged entities must apply these measures using a risk-based approach, demonstrate their appropriateness to competent authorities, and in cases where compliance with CDD requirements cannot be achieved, must refrain from proceeding with the transaction or relationship and consider filing a suspicious transaction report. This regulatory framework emphasizes the need for thorough initial verification while allowing for practical business considerations, provided that adequate risk management measures are in place.

It emerges that there is no specific set of data elements (phone numbers, passport, etc.) that obliged entities must maintain. It is a qualitative obligation, but it should meet satisfactory levels of verifiability (e.g., cross-verification with third-party sources). There is nothing that makes the submission of a passport more appropriate than an identity card, birth certificate, or driver’s license. Similarly, the nature of a company cannot be defined through an exhaustive list, nor should the company’s articles of association be considered the only acceptable documentation. Instead, the focus is on obtaining reliable and independently verifiable information through various acceptable means that collectively establish the required level of certainty about the identity and nature of the business relationship.

While Recitals are not operative provisions in the traditional sense, their legal significance should not be underestimated. They serve as interpretative tools that reflect the legislators’ intent and reasoning. In practice, they significantly influence supervisory authorities’ guidelines and enforcement approaches, effectively functioning as soft law instruments that shape compliance expectations and regulatory oversight, while also providing insights into future regulatory developments.

It is particularly noteworthy that Recital 58 & Article 37 mandate the Commission to conduct, by July 2026, a comprehensive assessment of risks and existing measures related to self-hosted addresses. Based on this assessment, the Commission may introduce additional restrictions on self-hosted wallet transfers and strengthen the requirements for ownership verification mechanisms. As of December 2025, no preliminary studies, public consultations, or announced work streams for this assessment have been identified, and the € 1.000 verification threshold remains unchanged since the Regulation’s adoption.

1. Technical Verification Methods

Beyond collecting information from clients, the Regulation establishes clear expectations for CASPs to implement technical capabilities for analyzing blockchain data. Specifically, Recital 17 mandated the European Banking Authority to issue guidelines for CASPs addressing the utilization of distributed ledger technology for detecting the origin or destination of crypto-assets. This mandate was fulfilled through EBA/GL/2024/11 (Travel Rule Guidelines), which became applicable on December 30, 2024, and addresses DLT detection at paragraphs 77 and 87-89.

Guideline 8 of EBA/GL/2024/11 lists the acceptable methods for verifying ownership of self-hosted wallets when transactions exceed € 1.000. CASPs must employ at least one of the following: (i) a cryptographic signature proving control of the private key, a micro-transaction (commonly known as the “Satoshi test”) where the customer sends a small amount from the self-hosted address to the CASP, (ii) a digital signature using qualified electronic certificates, or (iii) other suitable technical means that provide equivalent assurance. The Guidelines make it clear that self-declaration by the customer does not qualify as adequate verification. After a self-hosted wallet has been verified, CASPs should document the verification and whitelist the address for future transfers from that customer, eliminating the need for re-verification of the same address. However, where verification fails despite employing one or more of these methods, CASPs must collect additional information using blockchain analytics, third-party data providers, or publicly available sources before deciding whether to proceed with or reject the transfer.
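The verification flow described above can be sketched as a small decision engine built around the micro-transaction (“Satoshi test”) method. This is an added example, not code from the EBA Guidelines or from any CASP; the class, field and state names, the one-hour challenge window and the transaction record layout are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

THRESHOLD_EUR = 1000   # verification applies to transfers exceeding EUR 1.000
CHALLENGE_TTL = 3600   # assumption: how long a challenge stays open, in seconds


@dataclass
class Challenge:
    amount_sats: int   # exact micro-amount the customer must send
    issued_at: int     # issue time (epoch seconds)


@dataclass
class OwnershipVerifier:
    deposit_address: str                            # CASP-controlled receiving address
    challenges: dict = field(default_factory=dict)  # (customer, address) -> Challenge
    whitelist: set = field(default_factory=set)     # verified (customer, address) pairs
    audit_log: list = field(default_factory=list)   # documented verification outcomes

    def decide(self, customer, address, amount_eur, self_declared=False):
        """Return the next step for a transfer involving a self-hosted address."""
        if amount_eur <= THRESHOLD_EUR:
            return "proceed"
        if (customer, address) in self.whitelist:
            return "proceed"  # verified earlier for this customer: no re-verification
        # self_declared is deliberately ignored: a declaration is not verification.
        return "verify_ownership"

    def issue_challenge(self, customer, address, now):
        # Unpredictable amount, so an unrelated payment is unlikely to match.
        ch = Challenge(amount_sats=1000 + secrets.randbelow(9000), issued_at=now)
        self.challenges[(customer, address)] = ch
        return ch

    def check_challenge(self, customer, address, observed_txs, now):
        """Match observed on-chain transfers against the open challenge."""
        key = (customer, address)
        ch = self.challenges.get(key)
        if ch is None:
            return "no_challenge"
        for tx in observed_txs:
            if (tx["from"] == address                       # sent from the claimed address
                    and tx["to"] == self.deposit_address    # to the CASP
                    and tx["amount_sats"] == ch.amount_sats # exact challenge amount
                    and ch.issued_at <= tx["time"] <= ch.issued_at + CHALLENGE_TTL):
                self.whitelist.add(key)                     # whitelist per customer
                del self.challenges[key]
                self.audit_log.append((now, customer, address, "verified", tx["txid"]))
                return "verified"
        if now > ch.issued_at + CHALLENGE_TTL:
            del self.challenges[key]
            self.audit_log.append((now, customer, address, "failed", None))
            # Failed verification: gather further information (analytics, third-party
            # or public data) before deciding to proceed with or reject the transfer.
            return "collect_additional_information"
        return "pending"


if __name__ == "__main__":
    # Constructed sample data: addresses and transaction ids are placeholders.
    v = OwnershipVerifier(deposit_address="casp-deposit-1")
    print(v.decide("alice", "addr-A", 2500, self_declared=True))
    ch = v.issue_challenge("alice", "addr-A", now=0)
    tx = {"txid": "tx-1", "from": "addr-A", "to": "casp-deposit-1",
          "amount_sats": ch.amount_sats, "time": 120}
    print(v.check_challenge("alice", "addr-A", [tx], now=130))
    print(v.decide("alice", "addr-A", 2500))
```

The whitelist is keyed on the customer and address pair, so a second customer claiming the same address still has to pass verification.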

The consultation process that preceded EBA/GL/2024/11 revealed the depth of industry opposition to the proposed framework. Ledger, Europe’s biggest manufacturer of hardware wallets, submitted a detailed objection in February 2024 challenging both the empirical basis and proportionality of the Guidelines. Ledger cited the Chainalysis Crypto Crime Report to say that only 0.34% of all cryptocurrency transactions in 2023 were related to crime. They also said that when you take out FTX creditor claims, US sanctions-related transactions, and regular scams, the amount of money that actually went to money laundering and terrorist financing becomes “a tiny fraction of an already tiny fraction.” The company contrasted this with UNODC estimates that up to $2 trillion (5% of global GDP) is laundered every year through traditional financial systems. Ledger warned that the framework creates “a massive new honeypot of financial transaction data coupled with PII” and argued that transactions involving self-hosted wallets should be “assessed no differently from any other type of transaction.” The contrast with the United Kingdom’s approach underscores the EU’s regulatory choice. HM Treasury’s position, articulated in its 2023 consultation response, stated explicitly that “there is not good evidence that unhosted wallets present a disproportionate risk of being used in illicit finance.” The UK’s Travel Rule implementation under the Money Laundering Regulations 2017 (as amended) adopts a principles-based framework: Regulation 64G(2) requires firms to apply a risk-sensitive approach without prescribing specific verification methods. The result, documented in Notabene’s comparative analysis, is striking: the UK achieved 100% Travel Rule compliance by its September 2023 deadline through industry-led guidance (JMLSG drafted, FCA validated), while EU compliance remained at 28.8% six months after the December 2024 deadline despite regulator-led prescriptive rules. The divergence reflects fundamentally different regulatory philosophies: the UK treats self-hosted wallet risk as a matter for firm-level assessment; the EU treats it as a presumptive threat requiring standardized controls [Ledger SAS Letter; EBA Answer].

While the TFR is directly applicable across all EU member states without national transposition, several national competent authorities have issued supplementary implementation guidance throughout 2025. The Netherlands’ AFM published an Annex to its AML/CFT Guidelines specifically for CASPs in May 2025, treating self-hosted wallets as a “key supervisory concern” requiring enhanced due diligence. Germany’s BaFin released updated Interpretation and Application Guidance in July 2025, confirming that self-declaration does not qualify as adequate ownership verification. France’s AMF adopted Position DOC-2024-08 implementing the EBA Travel Rule Guidelines, while Austria’s FMA published comprehensive TFR FAQs addressing the transitional treatment of VASPs.

Articles 14(1) and 14(2) require crypto-asset service providers of the originator to ensure that transfers of crypto-assets are accompanied by specific information about the originator and beneficiary, such as the name, address, crypto-asset account number, and other identification details. According to paragraph 3, in the case of a transfer of crypto-assets not registered on a network using DLT or similar technology and not made to or from a crypto-asset account, the crypto-asset service provider of the originator shall ensure that the transfer is accompanied by a unique transaction identifier. According to paragraph 4, the information shall be submitted in advance of, or simultaneously or concurrently with, the transfer of crypto-assets and in a secure manner.

Article 14(5) stipulates that in the case of a transfer of crypto-assets made to a self-hosted address, the requirements mentioned in the previous paragraph are not precluded.

2. The Person-to-Person Exclusion

The exclusion of person-to-person crypto-asset transfers from regulatory oversight is explicitly supported by Article 2(4) of the Regulation. To understand the scope of this exclusion, we should examine the specific regulatory text from Article 2(4) of Regulation 2023/1113: “This Regulation shall not apply to a transfer of crypto-assets where […]: (b) the transfer constitutes a person-to-person transfer of crypto-assets carried out without the involvement of a crypto-asset service provider.” Additionally, the regulation specifically defines this in Article 3(13): “‘person-to-person transfer of crypto-assets’ means a transfer of crypto-assets without the involvement of any crypto-asset service provider”.

The exclusion specifically applies to pure peer-to-peer crypto transfers where no crypto-asset service provider is involved at any point in the transaction. This means transfers occurring directly between self-hosted wallets are outside the scope of the regulation. This exclusion represents not a regulatory gap but rather a practical necessity, as evidenced by Recital (58) of the Regulation, which acknowledges the considerable risks and technological and regulatory complexities associated with self-hosted addresses.

The regulatory exclusion of P2P transfers should be viewed in context with the broader regulatory strategy. While pure P2P remains unregulated, the moment any CASP becomes involved, comprehensive regulations apply. This perspective suggests a pragmatic approach to regulation – focusing on achievable oversight while acknowledging the limitations of regulating purely decentralized activities.

Among other rules and concepts, Regulation 2023/1113 also amends Directive 2015/849, particularly through the introduction of Article 19a to that Directive, which mandates CASPs to identify and assess risks associated with transfers to and from self-hosted addresses and to apply mitigating measures commensurate with these risks. The involvement of a CASP effectively creates a point of oversight where due diligence can be performed; without such intermediation, transactions would remain entirely peer-to-peer and outside the reach of regulatory supervision, primarily due to the lack of practical oversight tools and mechanisms.

This approach is reflected in the comments of Assita Kanko, EU MEP, during the Parliament Procedure on 19 April 2023. She stated: “Another contentious issue has been the partial inclusion of unhosted wallets. Again, the Member States made the first move in the general approach. The point is the following: we already agree that crypto-asset service providers, the banks and trading houses of crypto need regulation. We also concluded that peer-to-peer transfers, the decentralised part of the crypto world, should stay out of the scope, even if I understand that my S&D colleague Paul Tang disagrees. But what about the interaction between crypto wallets hosted by CASPs and the unregulated private wallets? In order to prevent a massive loophole, we decided to apply the travel rule to those interactions as well. This is not fundamentally different from identifying yourself when making cash deposits or withdrawals from your bank account. Will this create a dual system and push crypto holders and traders into the unregulated world? I don’t think so. The verification burden on CASPs is very limited. We are not going to be as strict as some other countries are already today.”

This signifies that the regulation aims to address risks within the regulated crypto ecosystem, not to impose blanket surveillance on all crypto transactions. I believe and I hope that the limited regulation of P2P transactions appears to represent a strategic choice to maintain EU competitiveness in the global crypto market while focusing regulatory resources where they can be most effective. This seems like a carefully balanced approach that aims to prevent regulatory arbitrage while ensuring the EU remains an attractive jurisdiction for crypto innovation. For example, Stefan Berger in the same meeting stated that “The world isn’t waiting for us. In America, billions of dollars are invested in metaverses each year…” and L. Pereira emphasized: “Europe missed the innovation train when the internet emerged and failed to lead the platform internet revolution. Now, catching up isn’t enough. We must be the locomotive of innovation and lead this new era of Web 3.0 financial technologies.” Although the usage of terms like “metaverses” betrayed that some members’ research quality matches that of underpaid tech journalists, this nonetheless provides a good indication to bet that the EU will likely maintain its current approach to Unhosted Wallets for the next five years.

This prediction appears validated by subsequent legislative developments. The Anti-Money Laundering Regulation (AMLR, Regulation 2024/1624), adopted in May 2024 and applicable from July 2027, will prohibit CASPs from maintaining anonymous accounts or handling privacy-preserving crypto-assets. However, Article 79 AMLR explicitly states that it “does not apply to users, nor to manufacturers of hardware or software wallets or providers of self-hosted wallets.” Self-hosted wallets thus remain lawful under EU law; transactions involving them trigger enhanced due diligence requirements rather than prohibition.

The €1.000 verification threshold has drawn criticism from industry stakeholders. Ledger, in its formal submission to the EBA consultation, argued that the rules “stringently negatively hinder the key principles of proportionality, privacy and financial freedom” and warned that the framework creates “a massive new honeypot of financial transaction data coupled with PII.” Elliptic observed that the EU’s requirement for Travel Rule compliance on all transactions “goes even beyond the FATF Standards, which only require Travel Rule information sharing on transfers over 1.000 euros.” Industry data indicates that EU-based CASPs are 55% more likely to prohibit transactions with self-hosted wallets compared to the global average, with 15.4% implementing complete prohibitions versus 9.9% globally.

The December 2025 partnership between Revolut and Trust Wallet illustrates this regulatory paradox in commercial practice. The integration permits EU users to purchase crypto-assets through Revolut’s MiCA-licensed infrastructure and receive them directly in a self-custodial Trust Wallet, marketed as providing “full control of assets from the moment of purchase.” Yet the regulatory reality is more nuanced. Revolut, operating under its Cyprus-issued MiCA license, must apply the full TFR compliance framework: customer identification, ownership verification for transfers exceeding €1.000, transaction monitoring, and regulatory reporting. The user’s wallet address becomes permanently linked to their verified identity in Revolut’s systems and, through blockchain analytics, potentially identifiable by any CASP conducting due diligence on future transactions involving that address. What remains of self-custody is genuine but circumscribed: the user holds private keys (protection against exchange insolvency), accesses DeFi protocols directly, and eliminates counterparty risk. What has been forfeited is the pseudonymity that the term “self-hosted” once implied. The partnership thus demonstrates that under TFR, self-custody has become a gated endpoint rather than an alternative pathway: users may hold their own keys, but only after traversing the regulated intermediary that EU law now interposes between fiat currency and crypto-asset ownership.

The EU has realized that so-called ‘unhosted’ wallets are one way to expand the ratchet of surveillance. Relatively few people use cryptocurrency, and an even smaller portion of those store their own keys and host their own wallets. If governments can secure these controls on sovereign transactions today, they can exert them in the future when many more may turn to cryptocurrency. Exchanges may decide to simply not do any business with a self-hosted wallet. This would not ban self-hosting, but it would cut off much of the crypto economy to those who wish to store their own keys.

3. The Regulatory Roadmap: Article 37

The current verification framework is explicitly provisional. Recital 58 of the TFR acknowledges that “transactions with self-hosted addresses entail inherently higher risks” and concedes that “the landscape of crypto-asset markets is evolving rapidly.” Article 37 mandates the Commission to conduct, by 30 June 2026, “a comprehensive assessment of the risks and existing measures relating to transfers to and from self-hosted addresses, including an assessment of whether additional restrictions are necessary.” Critically, Article 37(2) empowers the Commission to impose such restrictions via delegated act; a legislative mechanism that bypasses Parliamentary procedure, enabling rapid regulatory escalation without the deliberative process that accompanied the TFR’s original adoption. The regulatory endpoint may not be verification but effective gatekeeping approaching prohibition: transaction caps, mandatory whitelisting, or categorical restrictions on certain wallet types remain within the Commission’s delegated authority.

4. Entry into Force & Transitional Provisions

Regulation (EU) 2023/1113 was adopted on May 31, 2023, and published in the EU Gazette on June 9, 2023. The Regulation entered into force twenty days after its publication (June 29, 2023), and its full application began on December 30, 2024.

Member States were required to transpose the amendments to Directive (EU) 2015/849 by December 30, 2024.

The transitional period for CASPs to address technical limitations in messaging systems expired on July 31, 2025, meaning full technical compliance with information transmission requirements is now mandatory. The EBA explicitly rejected industry arguments that MiCAR’s transitional provisions exempted firms from TFR obligations, stating that “non-compliance with Regulation (EU) 2023/1113 is not accepted.”

The regulatory interaction between MiCAR and TFR is now clearly established in practice: MiCAR provides the CASP licensing framework while TFR mandates AML/CFT transaction monitoring. ESMA’s Supervisory Briefing on CASP Authorization, issued on January 31, 2025, reinforced these dual compliance requirements, specifying that CASP authorization applications must include TFR compliance policies, self-hosted wallet verification procedures, and transaction monitoring systems. The briefing emphasizes that no CASP should be deemed “low risk” and requires thorough evaluation of AML/CFT controls during the authorization process.

5. Conclusions

The regulatory requirements discussed above (verification, information collection, risk assessment) translate into operational power held by CASPs. This power operates at three levels. First, point-of-access control: CASPs determine whether a wallet is “verified” and therefore eligible for transactions; unverified wallets are functionally blocked. Second, ongoing monitoring control: CASPs maintain whitelists per Guideline 86 and may de-whitelist addresses deemed high-risk, effectively suspending user access without formal prohibition. Third, information control: CASPs collect and retain wallet ownership data, creating audit trails accessible to regulators and eliminating the pseudonymity that self-custody once implied.

The TFR would create a massive new honeypot of financial transaction data coupled with P[ersonally] I[dentifiable] I[nformation]. Paired with the inherent transparency of public blockchains, it is simply a recipe for disaster. With your blockchain address and your home address, criminals could see exactly how much crypto you own and choose whether to attack you virtually, through hacking, phishing or other online frauds, or physically, by means of robbery, kidnapping, and extortion. The TFR’s intrusion into law-abiding citizens’ private financial lives will suppress freedom and erode public trust in EU institutions.

These powers are not incidental to AML compliance. They represent a structural return to the intermediated, surveillance-based payment architecture that blockchain technology was designed to circumvent. The essay entitled “EUR Stablecoins and MiCAR: A Critical Assessment of the EU’s Regulatory Architecture” identified MiCAR’s systemic risk paradox: regulation designed to reduce risk concentrates it within the banking system through mandatory reserve deposits. This article reveals a complementary control paradox: regulation designed to prevent ML/TF evasion concentrates oversight power within banking-integrated CASPs. Both mechanisms achieve the same outcome; the reintegration of crypto infrastructure into banking intermediation. Stablecoin reserves must flow to credit institutions (Article 36 MiCAR). Self-hosted wallet transactions must flow through licensed CASPs (Regulation 2023/1113). Every pathway between fiat currency and crypto-asset ownership now routes through the regulated banking perimeter.
