Bank Policy Institute

11/03/2025 | Press release | Distributed by Public on 11/03/2025 12:49

Despite GENIUS Act, Crypto Pathways Remain for Criminals and Terrorists to Exploit U.S. Financial System

Banks and other regulated financial institutions are legally required to verify the identity of every new customer before opening an account. This critical anti-money laundering (AML) requirement, referred to as "Know Your Customer" (KYC), helps prevent money laundering, terrorist financing and other financial crimes by collecting basic information from the new customer, such as the customer's name, address, date of birth and a photo ID. Additionally, banks and regulated financial institutions are required to monitor the transactions into and out of those accounts to ensure they are not facilitating illicit finance.

The Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS) Act extends KYC obligations to permitted payment stablecoin issuers. Digital asset intermediaries, such as exchanges and hosted wallet providers, are currently subject to certain AML requirements, including KYC, although they are subject to fewer requirements than banks. KYC requirements are essential first steps in combating illicit finance in the digital asset world, where transactions may be publicly transparent on the blockchain, but the identities of the individuals or companies behind those transactions may remain entirely unknown.

To further combat the use of the digital asset ecosystem to facilitate crime, policymakers should ensure that digital asset intermediaries engaged in substantially similar activities as banks are subject to equivalent AML standards. For example, these intermediaries should be required to develop effective AML programs to ensure that those entities monitor the account holder's transactions. Without addressing these gaps in AML requirements, either through regulations or via market structure legislation, the proceeds of money laundering and terrorist financing may continue to move through the U.S. digital asset ecosystem, including through payment stablecoin transactions, and eventually into the more regulated "traditional" financial system.

Hosted vs. Unhosted Wallets

Holding and transferring digital assets, including stablecoins, requires a digital asset wallet on a blockchain. Every wallet relies on a "pairing" of a public key (visible on the blockchain, serving a function similar to an account number) and a private key (kept secret, like a password) to authenticate a crypto asset and identify its owner. This structure is standard for all wallets, regardless of whether they are hosted or unhosted. However, the distinction between hosted and unhosted wallets is central to understanding the vulnerabilities that remain in the digital asset ecosystem post-GENIUS.

A hosted wallet is a service offered by a financial institution subject to KYC obligations, such as a bank or a digital asset intermediary regulated as an MSB, as described above. An unhosted wallet is software, downloadable online and not associated with a KYC-compliant institution.

Payment stablecoin transactions between hosted wallets offered by financial institutions subject to KYC requirements must be properly vetted for any illicit finance concerns. However, outside of these transactions, there are three types of transactions that would allow potential bad actors to use payment stablecoins or other cryptocurrencies to facilitate illicit activities:

  1. Offshore-hosted wallets at a non-U.S. exchange, which may not be subject to the same KYC requirements as their U.S. counterparts.
  2. Transactions between hosted and unhosted wallets that are not subject to KYC requirements. As one example, regulated financial institutions must record certain information for money transfers over $3,000 and retain this information for at least five years. This requirement, known as the "travel rule," was implemented in 1996 as part of the Bank Secrecy Act. Such a requirement is needed in the digital assets space, as the involvement of an unhosted wallet could deprive a regulated financial institution of information about digital assets and their sources that is important in detecting illicit activity.
  3. DeFi protocols. Hosted wallets may also potentially interact with certain DeFi protocols, which by design are decentralized and lack a central authority to administer KYC and other compliance requirements. These protocols may be used to evade illicit finance controls. Some examples of DeFi protocols include "crypto mixers," which combine clean and illicit digital assets to obscure the chain between a cryptocurrency's source and its destination, as well as decentralized exchanges, which allow crypto users to trade and transact with their stablecoins or crypto directly without corresponding illicit finance safeguards. These DeFi protocols may allow terrorist financers, money launderers and drug traffickers to facilitate criminal activity.

The Solution

Illicit actors and sanctioned parties are relying on unhosted and non-U.S.-hosted wallets, as well as utilizing DeFi applications, to evade detection and exploit the U.S. financial system. These persistent gaps in the regulated digital assets illicit finance framework undermine the safeguards of AML requirements, including those established by GENIUS, and hinder law enforcement and national security experts' ability to combat crime. Congress and regulators should address this critical gap in AML requirements.

How Digital Assets Reach an Illicit Actor or Sanctioned Entity

Bank Policy Institute published this content on November 03, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on November 03, 2025 at 18:49 UTC.