EBA Requires More than a "Check" for Self-hosted Wallet Proofs

TL;DR 

• A €30k scam case involving Foris DAX MT Limited exposed flaws in checkbox self-hosted wallet verification methods.
• Checkbox-based ownership confirmations are not Travel Rule compliant per the EBA and the TFR.
• Regulators expect a proof of control via a technical means, not user declarations.
• Lack of proper verification enables fraud, poor counterparty due diligence, and missed risk signals.
• CASPs must adopt technical verification methods (e.g. AOPP or Satoshi Tests)
• Solutions like AOPP make compliance fast, seamless, and user-friendly

The Case of ASF 062/2025 KJ v Foris DAX MT Limited Summarised 

In a recent ruling by Malta’s Office of the Arbiter for Financial Services, the Malta-based Foris DAX MT Limited was fined 40% of the losses suffered by the complainant.  

Insufficient Self-hosted Wallet Verification Practices by Foris DAX MT

In the case, ASF 062/2025 KJ v Foris DAX MT Limited, the complainant, KJ, reported losses of approximately EUR 30 000 after falling victim to a scam. Funds were transferred from the complainant’s wallet to a self-hosted wallet believed to be controlled by the scammer. 

The complainant argued that the platform, Foris DAX MT Limited, failed to meet EU’s Travel Rule regulatory requirements set forth in the Transfer of Funds Regulation (TFR) 2023/1113. 

Per the TFR, if a self-hosted wallet owner sends or receives more than EUR 1000 to or from their own wallet using a CASP, the CASP will need to collect proof that the customer controls the self-hosted wallet.

Additionally, Recital 39 of the TFR Recast provides that: “In the case of a transfer to or from a self-hosted address, the crypto-asset service provider should collect the information on both the originator and the beneficiary, usually from its client.” 

In this instance, the platform required the user (the complainant) to confirm wallet ownership by selecting (ticking) a box, with no further verification being performed.

Why Checkbox Verification Approaches Are Not Compliant 

The TFR mandates CASPs to collect ownership proofs when transferring to or from a self-hosted wallet address for transactions exceeding EUR 1000, batched transactions totalling to this amount, and in instances in suspected money laundering and terrorism financing. 

The European Banking Authority (EBA) has also clarified what constitutes a reliable verification method in its guidelines; CASPs need to prove control of the wallet. Methods to prove this control include: 

• unattended and attended verifications, as specified in the EBA’s guidelines;  
• sending of a predefined amount set by the CASP, from and to the self-hosted address to the CASP’s account, for example a Satoshi Test;
• requesting the customer to digitally sign a specific message into the account and wallet software with the key corresponding to that address, for example AOPP; 
• other suitable technical means as long as they allow for reliable and secure assessment and the CASP is fully satisfied that it knows who owns or controls the address.

Customers clicking a box to confirm ownership is a declaration of ownership, and not a reliable proof per the EBA’s requirements. 

Further Failures Seen in the Checkbox Approach  

The case of ASF 062/2025 further highlighted the failures of a checkbox approach. The complainant admitted to just checking the box due to a poor understanding of the topic:

“At the time, I hardly had any knowledge about external wallets. I didn't understand all these things.”

Following the instructions of the scammer, the complainant confirmed that he controlled the fraudulent self-hosted wallet address where the assets were destined to be sent. 

Whether this act was completed in good faith or not is not the issue; what it does illustrate is that CASPs cannot rely on this method, even if it was in line with the TFR and EBA’s requirements. 

This approach enables users to claim ownership over a wallet address even if it is controlled by a CASP, creating a significant risk of non-compliance, as the required data may not be transmitted to the relevant counterparty. 

Many wallet owners are reluctant to complete ownership processes due to the cost and the complexity of the process. As a result, when presented with a simpler option, as seen with this case, many users opt for it. 

What Does This Mean for CASPs?

This case presented many nuances, but looking at the bigger picture, 2 points emerged. 

1. CASPs must present their customers with a self-hosted wallet verification method that is not a declaration, but a proof produced by a technical means. 
2. There is no easy way out. As much as a compliance team wants to keep their customer journey as uninterrupted as possible to ensure customer satisfaction, technical wallet proofs are a must.  
   
   

How 21 Analytics Assists CASPs Across the Globe 

21 Analytics’ Travel Rule solution, 21 Travel Rule, offers CASPs the option of the Satoshi Test, Manual Signing and AOPP as technical means to prove wallet ownership. Each of these methods requires the customer to actively prove wallet ownership via a demonstration. 

However, AOPP is chosen by CASPs worldwide due to its great user experience and security for all parties involved, from the compliance operators to the end users. 

Read more about 21 Analytics’ wallet verification methods. 

AOPP: A 1-Click Solution that Is Compliant 

AOPP replaces manual, error-prone processes with a fully automated, cryptographic proof of ownership, allowing users to complete verification directly within their own wallet through a simple, intuitive flow. 

Instead of copying messages, transferring assets, or navigating complex steps, the proof is generated and sent instantly to the 21 Travel Rule’s Compliance Dashboard. Allowing for the verification to be completed within seconds without manual review, while still providing tamper-proof assurance of wallet control. 

Compared to traditional methods, this removes friction for both compliance teams and users, embedding Travel Rule requirements seamlessly into the transaction experience. 

From a user perspective, the process takes only one-click and occurs within the normal transaction flow, meaning it doesn’t feel like a separate compliance hurdle, while also avoiding unnecessary exposure of personal data or address reuse, making it inherently more privacy-preserving. 

AOPP directly addresses the issue highlighted in the case of ASF 062/2025 KJ v Foris DAX MT Limited: the failure of a checkbox-based verification. 

The check box approach poses both technical and customer behavioural issues (users will more often than not take the easiest path, even if it leads to incorrect or risky confirmations). AOPP aligns that behaviour with compliance by maintaining the same simplicity of one click, but replaces this click with a cryptographic proof of control. 

Instead of relying on what the user says, it captures what they can demonstrably do, ensuring that the fastest and easiest action is also the correct and compliant one. 

Ensure Travel Rule compliance with 21 Analytics and AOPP.