BIS Warns Crypto Self-Custody Could Become New AML Loophole

A new Bank of International Settlement (BIS) paper argues that self-custodied crypto could become the next weak point in anti-money laundering enforcement if regulators tighten rules around other payment rails without closing the gap around user-controlled wallets. The core concern is straightforward: when one channel becomes harder to use, illicit flows do not disappear. They move.

BIS Warns About Self-Hosted Crypto Wallets

Using the EU as its main case study, the paper says self-hosted wallets occupy a particularly sensitive position because they do not rely on an identifiable intermediary to perform customer due diligence, monitor transactions or file suspicious activity reports. That is the design distinction the authors keep returning to.

“Self-hosted wallets are a type of wallet that is entirely controlled by the user, without reliance on an intermediary. Validation of self-hosted cryptoasset transactions takes place on a permissionless public blockchain, with no individual intermediary being accountable for updating accounts.” On that basis, the paper says self-hosted crypto payments, absent additional measures, present one of the lowest probabilities of detection and enforcement.

The paper goes a step further. It says self-hosted wallets may, in practice, be even more attractive for illicit use than cash. Cash still offers the lowest level of oversight by design, the authors argue, but physical constraints matter: it is bulky, harder to move at scale and riskier to store or transport. Self-custodied crypto does not have those same frictions, which means the portability and cross-border speed of digital assets can amplify the compliance gap once intermediaries drop out of the picture.

That framing feeds into what the paper calls the “waterbed effect.” “Differences in the probability of detection … can lead to arbitrage between payment instruments. This could be called a waterbed effect: if the water is pressed down in one area, it pops up in another. Over time, this dynamic weakens the overall effectiveness of AML/CFT frameworks and necessitates regulatory and supervisory intervention.” In the crypto context, the point is not simply that self-custody carries risk, but that uneven regulation can actively redirect bad actors toward it.

The EU example is central to that argument. Hosted crypto wallets are now much more tightly folded into the bloc’s AML architecture through the broader cryptoasset service provider, or CASP, framework, updated monitoring obligations and the Travel Rule regime. The paper notes that wallets and services enabling anonymisation are being pushed out of the regulated perimeter.

Self-hosted wallets, by contrast, are treated more indirectly: transactions involving them are not subject to due diligence and transaction monitoring unless a CASP is on one side of the transfer. In those cases, CASPs must assess money laundering and terrorist financing risk and apply mitigating measures.

What makes that asymmetry notable, the authors say, is that cash has a hard backstop the self-custody segment does not. Their comparison table states it plainly: cash in the EU is subject to a €10,000 transaction limit, while self-hosted crypto assets face “no transaction or holding limits.” The paper’s conclusion is that this difference “may provide an incentive for malicious actors to shift from cash to self-hosted crypto asset wallets.”

At press time, the total crypto market cap stood at $2.37 trillion.

Featured image created with DALL.E, chart from TradingView.com

Editorial Process for bitcoinist is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict sourcing standards, and each page undergoes diligent review by our team of top technology experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.