Insight. Published on June 24, 2026

Self-hosted wallets: the “electronic briefcase” and the verification duty for banks and CASPs

In late 2025 the Bank of Italy called the self-hosted wallet an electronic briefcase. Unlike cash it leaves traces. Reading the public ledger is now a method the regulator recognises. For financial institutions the question is no longer whether but how.

In late November 2025 the Bank of Italy described the self-hosted crypto wallet with an image destined to stick: a genuine "electronic briefcase", able to hold high values and to keep them stable over time thanks to stablecoins. For European banks and CASPs, handling the flows to and from these addresses is no longer a matter of internal policy but has become a requirement prescribed by the regulator. There is one detail, though, that turns the perspective around: unlike cash, the electronic briefcase leaves traces. Blockchains are public ledgers and reading them is one of the methods the regulator considers valid for verifying these transfers. Crypfy does exactly this.

1. From the cash briefcase to the “electronic briefcase”

In a public address in November 2025 the Bank of Italy brought into focus the problem that today keeps anyone working in crypto compliance awake at night. The self-hosted wallet (also referred to as unhosted) allows value to be held and moved without going through an intermediary that performs anti-money-laundering checks. It operates directly on blockchains, in what the Authority describes as a condition of pseudo-anonymity.

The image works because it is immediate. Today a criminal can replace the classic briefcase of high-denomination banknotes with an “electronic briefcase”. And compared with the old version it is far worse: it holds vastly higher amounts and fits entirely on a USB stick or a phone (or, more simply still, on a sheet of paper with twelve words). It crosses borders with no need for customs declarations.

There is then a second layer, the one that changes the very nature of the problem: stablecoins. By anchoring their value to an official currency they remove the volatility typical of other cryptocurrencies. The electronic briefcase is therefore not only roomy. It is also as stable as cash. It is no coincidence that the Bank of Italy has labelled stablecoins a “red risk” for the anti-money-laundering system.

2. A confirmation coming from the Supervisor

One point in particular should interest anyone operating in the sector. Reporting the first exchanges between the Supervisor and Italian CASPs, the Bank of Italy notes that operators would already be adopting two types of measures: whitelists of authorised wallets and tools for analysing the public blockchain ledgers, able to bring to light transactions linked to cybercriminal groups, to sanctioned entities or to parties in high-risk jurisdictions.

The point, in commercial terms, lies entirely here. The Authority is not imagining a future scenario. It is photographing the control infrastructure that the market is already building. And it is the same category of tools that Crypfy offers, with one significant difference: not a licence to run with internal resources, but a managed service.

3. What the regulation requires

The European framework is fairly straightforward: the rules on the so-called Travel Rule and the related Guidelines of the European Banking Authority, applicable since 30 December 2024, establish that a CASP, when a client operates from or towards a self-hosted wallet (the term used in the EBA Guidelines), must in essence do three things.

Understand who you are dealing with. Recognise that the counterparty uses a self-hosted address and profile its risk before the transaction is completed. For this step the regulator expressly names blockchain analysis and third-party data among the usable tools.

Verify the link with the client above a certain threshold. For transfers equal to or above EUR 1,000, the CASP must ascertain that the address truly belongs to its client, or that it is controlled by the client. There are several ways to do this: a remote check showing the address, the sending of a small test amount (dust) to and from that address, the cryptographic signing of a message with the corresponding key, or other equivalent technical means. None of these methods works well in every situation. For this reason what truly matters is not adopting one, but being able to switch from one to another depending on the wallet and the level of risk. Once the verification is passed, the address can be placed on a whitelist and no longer needs to be checked for every new operation, provided that monitoring is kept in place to remove it if the risk profile changes.

Assess and mitigate the risk. Here, particularly when the address belongs to a third party, the regulator again recognises blockchain analytical data and reliable and independent sources as elements that contribute to treating the verification as fulfilled.

The thread that holds the three steps together is the risk-based approach: measures must be calibrated to the real threat, neither going so far as to paralyse operations nor easing so far as to leave them exposed.

Alongside this safeguard sits a second one, in force since 30 December 2025. A more recent set of EBA Guidelines, distinct from those on the Travel Rule, requires the CASP to screen, against the applicable restrictive measures, all parties to each crypto-asset transfer and, where available in the official lists, the very wallet addresses linked to sanctioned subjects.

For a Compliance officer the meaning is clear: on-chain analysis is not a tolerated shortcut, but a method the regulator sets down in black and white among those permitted, just like controlled whitelisting. The question is no longer whether to adopt it, but how to make it reliable, independent and above all demonstrable before the Supervisor.

4. How Crypfy turns the obligation into a managed process

Crypfy's value lies in translating all of this into a flow that the Compliance team can govern without having to turn itself into a department of on-chain analysts.

The first step is to know the address even before operating. The Wallet Risk Intelligence module assigns each address a risk score accompanied by its reason codes: exposure to mixers, passage through cross-chain bridges, proximity to clusters already known as malicious, contact with sanctioned entities or critical jurisdictions, so as to establish the nature and profile of the address before the transaction sets off.

Then comes the actual decision, to be taken before signing. The Transaction Firewall analyses the operation in real time and returns an immediate operational response: ALLOW, REVIEW, BLOCK, consistent with the logic of preventive control and with the relevant threshold. This is where the risk-based approach becomes concrete: most legitimate operations pass without friction, the analytical effort concentrates on the cases that truly deserve it. No blanket blocks that irritate legitimate clients, no pointless checks that clog the team.

Whitelists, in turn, must be kept alive. Addresses already verified remain on the authorised lists with continuous monitoring and automatic removal as the risk changes. In this way placement on a list is never final.

Finally the verification must be supported with independent evidence. Multi-source enrichment brings precisely those reliable and independent data needed to close the verification when the address belongs to a third party.

There is then an aspect that weighs more than it might seem. Crypfy is a European partner, with cloud and team in the EU. On the question of data residency and data protection the difference from overseas solutions is not a detail.

5. The proof that really counts: the audit trail

In an inspection what counts is not what you did. What counts is what you can prove you did. Every decision produced by Crypfy is recorded with its reasons, the version of the rule applied and the timestamp. Each decision can then be exported from that log as evidence for those handling Compliance.

This mechanism meets three needs at once: it documents who the verified addresses belong to, it keeps track of the measures taken (a point that proves useful the day a report or an exchange with the authorities is needed) and it satisfies the operational resilience and event-logging requirements that the European framework, through DORA, has made binding, within a supervisory setting that in Italy is shared between the Bank of Italy and CONSOB.
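The flow described in sections 3 to 5 (ownership check from EUR 1,000, a whitelist that is never final, an ALLOW/REVIEW/BLOCK answer, and a log entry carrying reasons, rule version and timestamp) can be expressed as policy code. This is an added example, not Crypfy's code: the `Gate` class, the score cut-offs, the reason-code names and the rule-version string are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

RULE_VERSION = "example-policy-1"  # assumed label, not a real rule set
VERIFY_THRESHOLD_EUR = 1000        # ownership-check threshold from the article
REVIEW_SCORE, BLOCK_SCORE = 50, 85 # assumed cut-offs on a 0-100 risk score


@dataclass
class Gate:
    whitelist: set = field(default_factory=set)    # ownership-verified addresses
    audit_log: list = field(default_factory=list)  # append-only evidence

    def _log(self, event, address, reasons, **extra):
        record = {"event": event, "address": address, "reasons": reasons,
                  "rule_version": RULE_VERSION,
                  "timestamp": datetime.now(timezone.utc).isoformat(), **extra}
        self.audit_log.append(record)
        return record

    def mark_verified(self, address, method):
        """Record a passed ownership check (e.g. signed message, test transfer)."""
        self.whitelist.add(address)
        return self._log("VERIFIED", address, [method])

    def decide(self, address, amount_eur, score, reason_codes):
        """Pre-signing decision for a transfer to or from a self-hosted address."""
        reasons = list(reason_codes)
        if "SANCTIONED_ENTITY" in reasons or score >= BLOCK_SCORE:
            decision = "BLOCK"
        elif score >= REVIEW_SCORE:
            decision = "REVIEW"
        elif amount_eur >= VERIFY_THRESHOLD_EUR and address not in self.whitelist:
            decision = "REVIEW"
            reasons.append("OWNERSHIP_NOT_VERIFIED")
        else:
            decision = "ALLOW"
        # Whitelisting is never final: a degraded risk profile evicts the address.
        if decision != "ALLOW" and address in self.whitelist:
            self.whitelist.discard(address)
            reasons.append("REMOVED_FROM_WHITELIST")
        return self._log(decision, address, reasons, amount_eur=amount_eur, score=score)
```

Every call, including the verification itself, leaves a record, so the log answers both "why was this transfer held" and "how was this address verified".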

A note on institutional counterparties. For legal entities the Legal Entity Identifier, the LEI code, is the most reliable identifier: unique, public and verifiable internationally. It is treated as the preferred reference by the transfer regulation itself and integrating it into the verification flows makes the identification of counterparties cleaner and cuts down false positives.

The next step

The Crypfy team supports banks, payment providers and CASPs in mapping the obligations on the flows they handle every day and in making them truly operational, without weighing down internal structures.

Note. This contribution is intended for information and analysis purposes. It does not constitute legal advice and does not replace the assessment of a specific case. The references to the Bank of Italy address of 28 November 2025 and to the acts of the European authorities serve as citations of the official sources; for the full texts, please refer to the documents published by the Bank of Italy, EBA and ESMA. The regulatory framework referred to is up to date as at the publication date and may change over time.