When a bank wires $50 million to another bank, both sides are known. Correspondent relationships, regulatory identifiers, and audit trails confirm that the entity on the other end is who it says it is.
Crypto has no equivalent. A wallet address is a string of characters with no identity, no license number, and no jurisdiction attached. When an institution sends digital assets to an address provided by a counterparty, it is relying on the counterparty's claim that they control it. The blockchain will settle the transaction regardless of who is on the other end.
This gap between how institutions want to use digital assets and what the compliance infrastructure can actually verify is becoming harder to ignore as more regulated capital moves on-chain.
What the Travel Rule Does and Does Not Solve
The FATF Travel Rule, now enforced across the US, EU, UK, Singapore, Hong Kong, and dozens of other jurisdictions, requires VASPs to exchange originator and beneficiary information on qualifying transfers: names, wallet addresses, identification numbers, and in some cases dates of birth and physical addresses.
This works when both sides are regulated entities with compliance teams and messaging protocols. The data gets exchanged, the records get kept, and the obligation is met.
The problem starts at the edges. When a customer withdraws to a self-hosted wallet, there is no counterparty VASP to exchange data with. The customer says the wallet is theirs. Maybe it is. The VASP has no protocol-level way to independently confirm that. The same problem appears in reverse on inbound transfers from unknown wallets.
The Travel Rule addresses information exchange between institutions. The underlying question of whether a given wallet address is actually controlled by the entity it is attributed to remains open.
How Wallet Ownership Is Verified Today
The industry has developed several methods, none of which is perfect.
Cryptographic signature verification is the strongest available. The wallet owner signs a challenge message with their private key, proving control of the address. This can be automated through protocols like AOPP, where the VASP generates a challenge, the user signs it, and the proof returns programmatically. The limitation is wallet support. Many hardware devices and mobile wallets either do not support message signing or make it cumbersome enough that average users struggle with it. Coverage is improving, but remains uneven.
Satoshi tests take a different approach. The VASP and customer agree on a micro-transfer from the wallet within a defined window. If it arrives as expected, it serves as practical evidence of control. This works across all wallet types but requires an on-chain transaction with fees, encourages address reuse, and only confirms the ability to send from the address rather than exclusive control of the private key.
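A sketch of the VASP-side check for a Satoshi test, added here as an illustration and not taken from the original article. The record layout, the placeholder addresses and transaction ids, and the assumption that each transfer has a single attributable sender are all constructed.

```python
import secrets
from collections import namedtuple

# Simplified record of one observed on-chain transfer (single sender assumed).
Transfer = namedtuple("Transfer", "txid sender recipient amount timestamp")
# What the VASP and customer agreed: who sends, where to, how much, and when.
SatoshiTest = namedtuple("SatoshiTest", "claimed deposit amount opens closes")

def open_test(claimed, deposit, now, window=3600):
    # Random amount: a coincidental third-party payment is unlikely to match.
    return SatoshiTest(claimed, deposit, 1000 + secrets.randbelow(9000),
                       now, now + window)

def evaluate(test, transfers, used_txids):
    """Return 'verified', or why no observed transfer satisfied the test."""
    reason = "no transfer to the deposit address"
    for t in transfers:
        if t.recipient != test.deposit:
            continue
        if t.txid in used_txids:
            reason = "transfer already consumed by an earlier test"
        elif t.sender != test.claimed:
            reason = "sent from a different address"
        elif t.amount != test.amount:
            reason = "amount does not match the agreed value"
        elif not test.opens <= t.timestamp <= test.closes:
            reason = "outside the agreed window"
        else:
            used_txids.add(t.txid)   # one transfer can satisfy one test only
            return "verified"
    return reason

# Constructed sample data: placeholder addresses and txids, not real ones.
def demo():
    test = SatoshiTest("addr_customer", "addr_vasp", 4321, 1000, 4600)
    seen = set()
    late = Transfer("tx1", "addr_customer", "addr_vasp", 4321, 9999)
    other = Transfer("tx2", "addr_other", "addr_vasp", 4321, 2000)
    good = Transfer("tx3", "addr_customer", "addr_vasp", 4321, 2000)
    return [evaluate(test, b, seen) for b in ([late], [other], [good], [good])]
```

A "verified" result here means what the article says it means: the customer was able to send from the address during the window, not that they hold the private key exclusively.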
Screenshots and self-declaration sit at the bottom. The customer provides a screenshot of their wallet interface or checks a box affirming ownership. These exist because some jurisdictions accept them, not because they provide meaningful assurance.
The regulatory direction is converging. The EU's Transfer of Funds Regulation requires wallet ownership verification for transactions above EUR 1,000. Switzerland's FINMA has required it since 2019. Hong Kong mandates cryptographic signature testing. Germany, Singapore, and Liechtenstein all have their own variations, but the trend across all of them points toward cryptographic proof as the expected standard.
Where the Real Gap Lives
Wallet ownership verification, even done well, addresses only the first layer. It confirms that a specific person controls a specific address at a specific point in time. That is useful but insufficient for the decisions institutions actually need to make.

Consider a fund administrator settling a large OTC trade. The counterparty provides a wallet address and claims it belongs to their treasury. A cryptographic signature confirms control. The Travel Rule obligation is technically met. But the fund administrator still does not know whether that wallet has received funds from sanctioned entities, interacted with mixing services, is associated with other high-risk wallets, or whether the counterparty's stated purpose for the wallet is consistent with its on-chain behavior.
Proving control and proving that the address is clean are two different things, and most compliance workflows treat them as if they are the same.
The Travel Rule focuses on identity. Sanctions compliance focuses on addresses. Institutional risk management needs both, along with behavioral history, entity mapping, and continuous monitoring. Today, these pieces live in separate systems, managed by different vendors, updated on different timelines, and rarely wired together into a single workflow.
As a result, institutions end up assembling their counterparty risk picture from fragments: wallet ownership through one tool, address screening through another, transaction history through a third, and entity assessment through a fourth. Each step adds latency, and the composite picture is only as current as the oldest data source in the chain.
What a Complete Framework Looks Like
The individual components exist. The problem is that they have not been pulled together.
A complete counterparty verification framework needs four layers: wallet ownership attestation through cryptographic proof of control; real-time address screening against sanctions lists and known illicit address clusters; entity-level risk assessment that scores the counterparty organization across security posture, compliance status, financial health, and operational integrity; and continuous monitoring that keeps watching the address after the initial check, rather than treating verification as a point-in-time event.
Most institutions have pieces of the first two. Entity-level scoring of the counterparty organization is rare. Continuous post-verification monitoring is rarer still, which means that the compliance picture starts degrading the moment the initial check is complete.
Why This Matters Now
Institutional adoption is scaling. BlackRock's IBIT crossed $40 billion in net inflows in 2025. JPMorgan issued commercial paper on Solana. Goldman Sachs launched tokenized money market funds. These are production deployments with real counterparties and real compliance exposure.
Regulatory expectations are tightening in parallel. The EU's zero-threshold Travel Rule is in effect. Hong Kong requires cryptographic wallet verification. The US GENIUS Act mandates reserve backing and audits for stablecoins. Enforcement agencies are looking more closely at the gap between what institutions claim about counterparty due diligence and what they can actually demonstrate.
And the threat environment has gotten harder to dismiss. Bad actors are using mainstream infrastructure, the same rails that institutional participants rely on. Distinguishing sanctioned flows from legitimate ones requires deeper and more continuous counterparty intelligence than most compliance stacks were designed to deliver.
The counterparty problem is solvable. The cryptographic primitives, the on-chain data, and the entity-level intelligence all exist. The work that remains is integrating them into platforms that give institutions a complete picture of who they are transacting with, and keep that picture current after the transaction settles.
CertiK's Skynet Enterprise platform provides entity-level risk scoring for VASPs and digital assets, AML screening powered by billions of labeled addresses, and continuous on-chain monitoring designed for institutional-grade counterparty due diligence. To learn more, visit certik.com.
Q&A
What is the counterparty problem in crypto?
In traditional finance, both sides of a transaction are identified through correspondent relationships and regulatory infrastructure. In crypto, a wallet address carries no inherent identity. When an institution sends funds to an address, it relies on the counterparty's claim of ownership with no protocol-level way to independently confirm it.
Does the Travel Rule solve this?
Partially. The Travel Rule requires VASPs to exchange originator and beneficiary information on qualifying transfers. This works between regulated entities but breaks down when one side of the transaction is a self-hosted wallet with no counterparty VASP to exchange data with.
How is wallet ownership verified today?
Three main methods. Cryptographic signature verification is the strongest, where the wallet owner signs a challenge with their private key to prove control. Satoshi tests use micro-transfers as practical proof. Screenshots and self-declaration are the weakest and exist mainly because some jurisdictions still accept them.
Why is wallet attestation alone not enough?
Proving someone controls an address does not tell you what that address has done. It does not reveal whether the wallet has received funds from sanctioned entities, interacted with mixers, or is linked to other high-risk wallets. Institutional compliance requires control verification plus address screening, entity risk assessment, and continuous monitoring.
What does a complete counterparty verification framework include?
Four layers: wallet ownership attestation (cryptographic proof of control), real-time address screening (sanctions and illicit activity checks), entity-level risk assessment (scoring the counterparty organization), and continuous monitoring (ongoing surveillance for changes in risk profile after the initial verification).



