The FATF on Stablecoins and Self-Hosted Wallets: Part 2

This blog, to be read in conjunction with The FATF on Stablecoins and Self-Hosted Wallets: Part 1, tackles the threats and vulnerabilities of stablecoins per the FATF’s Targeted Report on Stablecoins and Unhosted Wallets.

The second part of the blog provides guidance on how regulators and virtual asset service providers (VASPs) can mitigate these risks in practice, according to the FATF. It concludes with further questions financial institutions should ask when selecting a Travel Rule solution to better manage stablecoin exposure.

TL;DR 

• Stablecoins have grown rapidly due to their fast settlement, low transaction costs, and seamless cross-border functionality. 
• Their efficiency and liquidity have also made them attractive for illicit activity. 
• The most significant risks arise when stablecoins move outside regulated intermediaries, particularly through P2P transfers and self-hosted wallets, where AML/CFT controls may not apply.
• Additional vulnerabilities stem from cross-border structures, interoperability across blockchains, pseudonymous addresses, and layering through multiple wallets, all of which limit regulatory visibility.
• Regulators and VASPs are responding with risk-based mitigation measures, including enhanced due diligence for self-hosted wallets, restrictions on transfers, customer identification at issuance or redemption, and the use of blockchain analytics tools.
• When selecting a Travel Rule solution, VASPs should prioritise wallet ownership verification, blockchain risk scoring, sanctions screening, and the ability to distinguish between VASP-hosted and self-hosted wallets before transactions occur.

Stablecoin Challenges Discussed with Proposed Solutions

Why Stablecoins Are Attractive for Illicit Activity

Due to their faster settlement, lower transaction costs, cross-border capability, and interoperability across blockchains, stablecoin usage has grown exponentially since the first USD-pegged example appeared in 2014. 

By 2025, there were over 259 stablecoins in circulation, with a market capitalisation of USD 316 billion. As it stands, stablecoin activity has surpassed Bitcoin activity by threefold, accounting for up to 30% of all on-chain transactions. 

Unfortunately, due to stablecoins’ many benefits, they have also become a tool for illicit activity. According to blockchain analytics, stablecoins accounted for 84% of the USD 154 billion in illicit virtual asset transaction volume in 2025, surpassing Bitcoin as the primary asset used in cybercrime-related transactions. 

As it stands, stablecoins are frequently used either to receive proceeds of crime or in the final stage of converting illicit funds to fiat currency.

The Threats and Vulnerabilities Attached to Stablecoins and Self-hosted Wallets

Stablecoins create several AML/CFT vulnerabilities across their lifecycle, but the most significant risks arise from peer-to-peer (P2P) transfers and the use of self-hosted wallets.

Because stablecoin ecosystems operate across borders, issuers may establish themselves in jurisdictions with weaker regulatory frameworks, creating supervisory gaps. Risks are further increased by the interoperability of stablecoins: many can operate across multiple blockchains. For example, Tether (USDT) functions across the TRON, Ethereum and Solana blockchains.

Because of this interoperability, stablecoins may be issued, distributed, or supported by different entities across different jurisdictions, making it difficult for authorities to determine compliance responsibilities or obtain relevant customer information.

P2P Transfers and Self-Hosted Wallet Risks

However, the most significant regulatory challenge emerges once stablecoins circulate outside regulated intermediaries. P2P transfers between self-hosted wallets do not require a regulated financial institution and therefore do not fall under AML/CFT obligations. 

In other words, no customer data is collected, no suspicious transactions are reported, and no addresses are screened for sanctions. 

Although blockchain transactions remain visible, the addresses involved are pseudonymous. Criminal actors can exploit this by frequently generating new wallet addresses and abandoning old ones, which complicates attribution and monitoring. 

While blockchain analytics do play a positive role in address monitoring, if an address is fresh, even the most advanced analytics tools cannot add value to it. 

Cross-Border Movement and Layering Techniques

The risks associated with P2P transfers and self-hosted wallets are further amplified in cross-border transactions, where near-instant settlement allows funds to move across jurisdictions before authorities can intervene.

While VASPs are often required to collect originator and beneficiary information under Travel Rule requirements when interacting with self-hosted wallets, threat actors may bypass these controls by routing funds through multiple layers of self-hosted wallets before reaching a regulated touchpoint. 

This layering can significantly reduce the visibility of regulated intermediaries and limit their ability to monitor suspicious activity.

Monitoring Limitations and the Role of Issuers

Another structural limitation concerns suspicious transaction reporting. In purely P2P activity, there may be no obligated entity responsible for filing a report, potentially allowing illicit activity to go unreported. 

Even where VASPs monitor transactions involving their customers’ self-hosted wallets, they may have limited visibility over activity that occurs further along chains of self-hosted wallets that are transactionally distant from Travel Rule-covered wallets.

In this context, stablecoin issuers may play a complementary enforcement role. Law enforcement authorities may request issuers to freeze wallets suspected of holding misused stablecoins. Issuers may also monitor transactions associated with identified addresses and, where permitted by the relevant legal framework, submit suspicious transaction reports to financial intelligence units.

Together, the cross-border nature, interoperability, pseudonymity, and disintermediated structure of stablecoin transactions significantly limit authorities’ visibility and enforcement capabilities within the stablecoin ecosystem.

How to Mitigate the Misuse of Stablecoins 

Mitigating the misuse of stablecoins, particularly in relation to P2P transfers and self-hosted wallets, requires a risk-based regulatory approach. Although the FATF standards do not apply directly to self-hosted wallets, jurisdictions are encouraged to assess the scale and risks of P2P activity and implement proportionate mitigation measures.

Across jurisdictions, both regulators and the private sector have adopted several approaches. These include 

• limiting transfers to self-hosted wallets, 
• applying enhanced customer due diligence (CDD) when such wallets are involved,
• and using blockchain analytics tools to assess counterparties' risk profiles.

Some jurisdictions also require customer identification at the point of issuance or redemption, or restrict licensed platforms from interacting with self-hosted wallets altogether.

How to Mitigate the Misuse of Stablecoins: Suggestions from 21 Analytics 

The FATF provides helpful guidance on mitigating stablecoin misuse, particularly regarding self-hosted wallet transfers. However, 21 Analytics believes financial entities can be even more proactive by asking the right questions when implementing a Travel Rule solution.

From a practical perspective, when selecting a Travel Rule solution provider, VASPs can already safeguard themselves, and play a role in mitigating the misuse of stablecoins in transactions involving self-hosted wallets, by asking their Travel Rule solution provider the following questions:

1. Does the solution offer at least one verification method? 

When choosing a solution, it is valuable to ask the provider how the solution verifies wallet ownership. Moreover, confirm which verification methods are supported, whether verification is once-off or continuous, and how they prevent the reuse of wallet proofs.

2. Does the solution provide a risk score for the self-hosted wallet address?

Another important category is risk scoring and blockchain intelligence. Enquire whether the Travel Rule solution integrates any blockchain analytics tools.

Ask whether the platform has the capability of screening wallet addresses against sanctions lists, illicit activity databases, or high-risk typologies such as mixers, ransomware wallets, or darknet markets.

For a deeper understanding of blockchain analytics, read the List of Top Blockchain Analytics Providers.

3. Does the solution have a mechanism for recognising if an address is self-hosted or controlled by a VASP before the transaction takes place?

This step is critical for compliance, as different requirements apply depending on the type of address. 

If the address is associated with another VASP, the transaction can proceed through a Travel Rule workflow, enabling the exchange of originator and beneficiary information before settlement. 

If the address belongs to a self-hosted wallet, alternative risk mitigation measures must be applied.

Identifying this in advance gives teams time to apply the appropriate controls before funds leave the platform. This may include verifying wallet ownership, conducting enhanced risk assessments, or requesting additional information from the customer.

Pre-transaction screening also allows VASPs to block transfers if the address is linked to sanctions or other illicit activity, preventing high-risk transactions from being executed.

4. How much can be automated and controlled?

You should also ask about policy controls and risk-based enforcement. A useful Travel Rule solution should allow compliance teams to set rules for self-hosted wallet interactions. 

For example, can the platform block or delay transfers to unverified wallets? Can it require additional due diligence for high-value stablecoin transfers? 

Ask whether the system supports configurable risk thresholds and automated decisioning workflows.

In practice, the most valuable Travel Rule solution for stablecoin misuse mitigation is not simply one that transmits Travel Rule messages, but one that combines wallet verification, blockchain intelligence, transaction monitoring, and risk-based controls around self-hosted wallet interactions.

Read: How to Choose a Travel Rule Solution: FATF Guiding Questions

Parting Thoughts from the FATF

The growing adoption of stablecoins has increased their attractiveness for illicit finance. Their price stability, liquidity and ease of cross-border transfer make them particularly suitable for P2P activity outside regulated intermediaries. 

The FATF’s analysis suggests that a significant share of illicit stablecoin transactions involves self-hosted wallets, allowing actors to bypass AML/CFT controls. In some cases, stablecoins have even been used directly to purchase illicit goods without converting to fiat.

To address these risks, the FATF highlights the need for tailored regulatory frameworks for stablecoins, stronger monitoring of self-hosted wallet activity, greater use of analytics tools, programmable compliance controls within smart contracts and enhanced international cooperation among regulators and industry participants.

Sources

21 Analytics. Regulatory Frameworks that Include Self-hosted Wallets.
Available at: https://www.21analytics.co/blog/regulatory-frameworks-self-hosted-wallets/

21 Analytics. Stablecoins in the EU: What Has Changed?
Available at: https://www.21analytics.co/blog/stablecoins-in-the-eu/

Euronews. Cryptocurrency companies freeze accounts to block Hamas funding – report.
Available at: https://www.euronews.com/next/2023/10/17/cryptocurrency-companies-freeze-accounts-to-block-hamas-funding-report

FATF. Interpretive Note to Recommendation 15 (INR.15).
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

FATF. FATF Recommendations -  International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation.
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/recommendations/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf

FATF. Targeted Report on Stablecoins and Unhosted Wallets – Peer-to-Peer Transactions.
Available at: https://www.fatf-gafi.org/content/dam/fatf-gafi/publications/targeted-report-on-stablecoins-and-unhosted-wallets.pdf.coredownload.inline.pdf