In October 2021, the final FATF Travel Rule guidance was released, and since its last March draft, more attention has been given to self-hosted wallets. These are wallets that are not provided by any VASP. These can be mobile wallets like BlueWallet or Edge, but also hardware wallets like Trezor and Ledger.

The Travel Rule exists for financial auditors to follow a trail. With transactions between VASPs, this is a relatively easy problem to solve. You just mandate that VASPs exchange PII data whenever a transaction happens between the two. This is harder when a user withdraws coins from his VASP account to his own private wallet (also known as an unhosted or non-custodial wallet). In essence, the user orders the VASP to send funds to a certain wallet address. The VASP has no way of knowing to whom that address belongs. Therefore the VASP runs the risk of sending funds to a sanctioned individual.

In order to mitigate the risk of sending funds to an undesirable address, VASPs deploy a number of techniques. Here we will explain the main techniques and why all of them are flawed. Luckily we’ve developed a foolproof alternative. It's important to keep in mind that one method does not exclude the others. A VASP can offer its users just one, several, or all methods.

One of the easiest things to do is to ask the users to take a screenshot of their wallet software displaying their withdrawal address. Then ask the user to upload the screenshot. From that point on, an employee of the VASP’s compliance team can inspect the screenshot and compare it with the desired withdrawal address. If the address shown in the screenshot matches the withdrawal address, the employee can green-light the withdrawal.

The issues with this approach are numerous. The most obvious one is that it requires manual work. That’s not only error-prone but also expensive and slow, which is bad for the staff and the user experience of the VASP client.

Besides these massive downsides, there’s also a significant risk of fraud. A screenshot is nothing more than a bunch of pixels, and these pixels are trivially manipulated. Worse still: a fraudster could automate the manipulation entirely without a lot of effort. Last but not least, this method encourages address reuse because the VASP is likely to try to avoid multiple inspections. Address reuse is bad for the privacy of the user and the VASP.

With video clips, the process remains the same; the only difference is that the user will film their wallet software displaying the withdrawal address. There is one upside to this method: the majority of the users are able to do this due to its simplicity.

The Satoshi Test is a significant improvement on the screenshot. The idea is simple: send a trivial predefined amount from the withdrawal address to the VASP. If the user can do that, he proves he controls that address. This process can be fully automated on the VASP side and doesn’t suffer from the trivial pixel editing which plagues the screenshot method.

However, this method is slow and costs the user real money. The trivial amount sent is not the problem here since that could, in theory, be reimbursed. The average fee paid on the Ethereum network is consistently high. The user is strongly incentivized to reuse addresses. Additionally, sending from a specific address is a non-trivial task with UTXO-based cryptocurrencies, such as Bitcoin, and often not possible with a wallet.

The final method we see deployed is rather good. The VASP will ask the user to sign a message the VASP gives to the user. The user needs to copy the message and paste it into their wallet software. Only a few advanced wallets support message signing. And the wallet needs to give the user control over which key is used to sign the message. Only the key associated with the withdrawal address is useful for this process. This method provides a cryptographically secure proof that the user controls the withdrawal address. The downside is that only a subset of wallets supports this, and only advanced users know how to execute this. Education goes a long way, but that increases the burden on the VASP’s support team nonetheless.

Luckily there is something better than the previous methods: Address Ownership Proof Protocol, or AOPP for short. In a nutshell, AOPP is an automated variant of the ‘Manual Signing’ method described above. But in addition to the positive aspects of ‘Manual Signing’, it's also fully automated for the VASP and the user and, with that, provides an excellent user experience and prevents address reuse. AOPP's downside is that not all wallets currently support it. But as a VASP, you can make demands on which wallet a user can use to facilitate withdrawals. Or you can create financial incentives, so they use AOPP over other methods. AOPP is already supported by BitBox, BlueWallet, Sparrow, and others.
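The automated VASP-side matching for the Satoshi Test described above, as an added example that is not part of the original article. The `Challenge` and `Deposit` types, the unique-amount scheme, the expiry window and every sample value are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Challenge:
    address: str       # withdrawal address the user claims to control
    amount_sat: int    # exact amount the user must send to the VASP
    expires_at: int    # unix time after which the challenge is void

@dataclass(frozen=True)
class Deposit:
    txid: str
    input_addresses: tuple  # every address whose coins funded the transaction
    amount_sat: int         # value received on the VASP's deposit address
    seen_at: int

def issue_challenge(address, now, pending, ttl=3600, base=1000, spread=9000):
    """Pick an amount no open challenge uses, so a deposit maps to one request."""
    in_use = {c.amount_sat for c in pending if c.expires_at > now}
    free = [a for a in range(base, base + spread) if a not in in_use]
    if not free:
        raise RuntimeError("no unused amount available, retry later")
    return Challenge(address, secrets.choice(free), now + ttl)

def check_deposit(ch, dep, used_txids):
    """Return (ok, reason) for one incoming deposit against one challenge."""
    if dep.txid in used_txids:
        return False, "transaction already consumed by another challenge"
    if dep.seen_at > ch.expires_at:
        return False, "challenge expired"
    if dep.amount_sat != ch.amount_sat:
        return False, "amount mismatch"
    # UTXO wallets choose inputs themselves; the claimed address must be one of them.
    if ch.address not in dep.input_addresses:
        return False, "claimed address did not fund the transaction"
    used_txids.add(dep.txid)
    return True, "verified"

# Constructed sample data (not real addresses or transactions).
CH = Challenge("addr-claimed", 4321, expires_at=2_000)
DEPOSITS = [
    Deposit("tx-a", ("addr-other",), 4321, 1_500),  # wallet spent a different coin
    Deposit("tx-b", ("addr-claimed", "addr-change"), 4321, 1_600),
]

if __name__ == "__main__":
    used = set()
    for d in DEPOSITS:
        print(d.txid, check_deposit(CH, d, used))
```

The first sample deposit shows the failure mode the article mentions for UTXO-based coins: the amount is right, but the wallet funded the payment from a different address, so nothing is proven about the claimed one.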