The Financial Action Task Force (FATF) guidance on Virtual Assets and Virtual Asset Service Providers
(VASPs) explicitly highlights that transactions involving unhosted wallets (wallets not held or
controlled by a regulated entity) pose a high inherent risk for money laundering and terrorist
financing. This is because unhosted wallets are more difficult to monitor and control, lack identifiable
customer information, and are often exploited for illicit activities.
The DFSA AML Module, aligned with FATF recommendations, mandates that Relevant Persons
incorporate this risk into their business-wide risk assessments. The increased volume of transactions
to and from unhosted wallets should therefore be assigned a high inherent risk rating to trigger
enhanced controls such as enhanced due diligence (EDD) and transaction monitoring.
Supporting extracts include:
FATF Guidance on Virtual Assets (October 2021) states: "Unhosted wallets or transactions with them
represent a high risk of ML/TF due to limited or no access to identifying information."
DFSA AML Module (AML/VER25/05-24) Section 4.1 & 6.1 on Risk-Based Approach: mandates firms to
assess and rate risks posed by customers and products, explicitly including virtual assets and
unhosted wallets as high risk.
COB Module also requires heightened controls and disclosures when dealing with transactions
involving unhosted wallets【AML/VER25/05-24: Sections 4.1, 6.1, COB/VER45/05-24: Sections 6.13,
15.6】.
Thus, option D (High) is the correct risk rating.
