
Wallets and Regulation


Why does my wallet require regulation?

There is no bank in crypto. You control your keys and your assets, which means you are your own bank. However, you didn't build that bank, nor did you design the cryptography that creates your private keys. This introduces risks that may not have been addressed if you had built the bank yourself.

In the United States, the government insures your assets in a bank up to $250,000 in case the bank fails and your money disappears. This means that if you hold more than $250,000 in one bank and that bank fails, you lose the difference above the insured amount.

The government can insure your assets because there are laws governing this process, along with a financial backstop at the business level in case a bank fails and customers lose their money due to risks beyond their control. Additionally, there is a chance of systemic risks affecting multiple banks, which may or may not be within the banks' control. These laws provide greater financial security.

Most banks don't hold all the funds their customers deposit, but the blockchain does. You access your blockchain assets through a wallet, but the wallet doesn't hold your assets—it is merely an access point. When you create a wallet, you generate a private key and a seed phrase. If you use one wallet brand, you can input your private key or seed phrase into another wallet brand to access the same assets. This level of interoperability doesn't exist in the physical world, making blockchain wallets a unique domain for regulation.

Cryptography may not need regulation, but it must be understood so that applicable laws can be implemented and updated as needed. Zero-day vulnerabilities exist, and while laws don't need to change in a single day, they must adapt to new education and mitigation techniques derived from these vulnerabilities.

What makes up the function of a wallet, which of those functions can even be regulated, and why?

Wallets are created differently and serve various purposes, requiring careful consideration of their regulation. There are several types of wallets, including:

**Single-Signature Wallets:** Require only one signature to authorize transactions.

**Multi-Signature Wallets:** Require signatures from multiple parties to authorize a transaction, where each signer's key is held in an independently controlled and operated wallet.

**Multi-Party Computation (MPC) Wallets:** Use collaborative cryptographic techniques for transaction approval, in which several parties jointly produce a single signature without any one of them ever holding the full private key. This is distinct from multi-signature wallets such as those from Gnosis Safe, where each party holds its own complete key.

Wallets can also be categorized as:

**Hot Wallets:** Internet-connected wallets, such as browser-based, browser extensions, or app-based wallets.

**Cold Wallets:** Not connected to the internet. Some, like Ledger, can connect through an app, while others, like hardware security modules (HSMs), are never internet-connected, offering unique security profiles.

When you create a wallet, the blockchain generates a private key, and your wallet derives a seed phrase from it. These keys and phrases are presented and stored differently—sometimes permanently, sometimes temporarily. These processes require regulatory oversight to protect consumers and their assets.

How Private Keys and Seed Phrases Influence Regulatory Focus

When creating a wallet, the blockchain generates a private key, and the wallet then interprets and displays a corresponding seed phrase. Both the private key and seed phrase are critical to asset security. Their generation, storage, and presentation to the user require careful regulatory attention, including guidelines for:

**Secure Key Generation Methods:** Ensuring that the cryptographic libraries and random number generators used are audited, certified, and free from known vulnerabilities.

**Seed Phrase Display Practices:** Requiring that the seed phrase never be transmitted unencrypted over the internet, that users are warned to back it up securely offline, and that wallet providers disclose how seed phrases are handled internally.

**Temporary vs. Permanent Storage:** Establishing rules around where and how the private key and seed phrase can be cached, stored, or backed up—especially if they are ever retained on the provider's infrastructure.
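As an added illustration of the key-generation and seed-phrase handling that these guidelines target (example code, not from the original post or any wallet vendor): in BIP39-style wallets the wallet software draws entropy locally from the operating system's CSPRNG, encodes that entropy plus a SHA-256 checksum as the seed phrase, and derives the signing keys from a PBKDF2 seed stretched from the phrase. Nothing in this process touches the chain, which is why an auditor's attention falls on the RNG source, the checksum check on restore, and where the resulting secrets are stored. The code works with word indices (0..2047) rather than words, since the 2048-entry word list is assumed to be looked up by the wallet.

```python
import hashlib
import secrets
import unicodedata
from typing import List

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)   # 12 .. 24 words

def entropy_to_mnemonic_indices(entropy: bytes) -> List[int]:
    """Encode raw entropy as BIP39 word indices (11 bits per word).
    The checksum is the first ENT/32 bits of SHA-256(entropy)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def generate_mnemonic_indices(strength_bits: int = 128) -> List[int]:
    """Fresh phrase from the OS CSPRNG via `secrets`; a wallet that used
    random.random() (a seeded Mersenne Twister) here would fail an audit."""
    return entropy_to_mnemonic_indices(secrets.token_bytes(strength_bits // 8))

def mnemonic_indices_valid(indices: List[int]) -> bool:
    """Recompute the embedded checksum of a restored phrase so a mistyped or
    tampered backup is rejected before any key is derived from it."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    total_bits = n_words * 11
    cs_bits = total_bits // 33          # 4 bits for 12 words .. 8 bits for 24
    ent_bits = total_bits - cs_bits
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    checksum = bits & ((1 << cs_bits) - 1)
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return checksum == expected

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    All private keys descend from this value, so it (and the phrase) are the
    root secrets that the storage rules above are really about."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)
```

The all-zero 16-byte entropy is the standard BIP39 test vector: it encodes to eleven index-0 words followed by index 3 ("about" in the English list), and the seed below is the published value for that phrase with passphrase "TREZOR".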

A principle-based approach to wallet regulation

Key Principles Might Include:

Security by Design

Regulators would require that wallets be developed following industry best practices for encryption, key generation, and access controls. Similar to existing cybersecurity standards (e.g., ISO 27001), wallet developers would need to prove they follow secure development lifecycles and conduct routine external audits.

Adaptability and Continual Improvement

Regulators and industry participants collaborate to update guidelines as new threats emerge. This iterative approach is inspired by the way safety standards evolve in industries like aviation or automotive manufacturing. As zero-day vulnerabilities arise, the regulation encourages rapid patching, transparent communication, and proactive standards updates.

Developer and Provider Accreditation

Legislation could require wallet developers and organizations to obtain an accreditation or license issued by a regulatory body. Achieving this would entail meeting minimum standards in cryptography implementation, code auditing, user experience safeguards, and secure key handling.

Specialized Training

Developers may need to complete specific courses in applied cryptography, secure coding practices, threat modeling, and regulatory compliance. These could be offered by accredited institutions and updated regularly to reflect emerging threats and best practices.

Structured Consumer Education Requirements

Legislation could require that every accredited wallet provider deliver standardized user education as part of the onboarding process. This could include interactive modules covering seed phrase management, safe key storage, phishing awareness, and instructions for verifying wallet authenticity. Additionally, support channels should be available to help users respond to breaches or key-compromise events.

Transparent Documents and Guides

A central repository of best practices, updated regulatory guidelines, and consumer-focused security resources can be maintained by a governing body. Wallet providers would be required to link to this repository, ensuring even novice users have easy access to trusted educational materials.

Regulatory Oversight Agencies

Just as financial regulators oversee banking standards, specialized agencies or departments within existing financial oversight bodies could be established to monitor wallet providers' compliance, audit code submissions, and enforce penalties for non-compliance.