Privacy 101 — Initiate · Lesson 3 of 5

MiCA, FATF Travel Rule, and what "self-hosted" means in 2026


European privacy-wallet users live under two overlapping regulatory regimes: MiCA (Markets in Crypto-Assets Regulation, in force 2024) and the FATF Travel Rule (Recommendation 16, transposed into national law via TFR — Transfer of Funds Regulation).

MiCA, briefly

MiCA covers crypto-asset service providers (CASPs) — exchanges, custodians, brokers — and sets baseline obligations: KYC, AML, market surveillance, capital requirements. The Gopnik wallet itself is a self-hosted (non-custodial) wallet, so MiCA's CASP framework doesn't apply directly. But Article 70 paragraph 4 explicitly says that self-hosted wallet users retain the right to financial privacy, subject to anti-money-laundering obligations.

In practice this means:

  • You can use a self-hosted wallet to receive funds (any amount).
  • You can send up to €1000 in a single transaction without enhanced due diligence (EDD) if the recipient is also self-hosted.
  • Above €1000, the wallet must apply EDD: source-of-funds attestation, counterparty information.
  • A transfer of any amount must produce a Travel Rule message if the counterparty is a VASP (any CASP holding the recipient's keys for them).

FATF Travel Rule

FATF Recommendation 16 requires originator and beneficiary information to "travel" with every transfer above a threshold. The EU's TFR sets that threshold at €1000 for VASP-to-VASP transactions; for self-hosted wallets sending to VASPs it is effectively zero (€0).

The data that must travel:

  • Originator: full name, account number (wallet address), country, customer ID or DOB+address
  • Beneficiary: full name, account number
  • Transaction: amount, asset, timestamp

The standard encoding is IVMS 101 (InterVASP Messaging Standard). It's a structured JSON schema that every regulator accepts.

What "self-hosted" means in 2026

A self-hosted wallet is one where the user controls the keys. Gopnik is self-hosted. So are MetaMask, Sparrow, Keplr, etc. Privacy primitives don't change this: using a stealth address or Penumbra doesn't make your wallet custodial; it just changes the visibility of the transactions.

What changes is the counterparty side. When you send to a self-hosted recipient, both sides are self-hosted and only the originator (you) needs to keep records. When you send to a VASP, the VASP needs to verify your IVMS 101 message before accepting the funds; many will reject sends without one.

The wallet's Travel Rule attestation system:

  1. Builds the IVMS 101 message inline at send time.
  2. ed25519-signs the canonical bytes using the wallet's compliance key.
  3. Persists the attestation + signature in travel_rule_attestation.
  4. Refuses to broadcast the privacy send if no attestation is present.

The regulator (BaFin, BMF, or any EU NCA) can request the attestation, verify the signature, and confirm the chain of custody — all without us having to surrender our database wholesale.
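The four steps above and the later signature check, sketched in Go as an added example (this is not the wallet's own code). It assumes Go's sorted-key `json.Marshal` output as the canonical bytes, an in-memory map in place of travel_rule_attestation, and a simplified message rather than the full IVMS 101 schema; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Fields is a JSON object. json.Marshal sorts map keys at every nesting level,
// which this sketch uses as its canonical form (an assumption, not from the lesson).
type Fields map[string]interface{}

// Attestation stands in for one travel_rule_attestation row (layout assumed).
type Attestation struct{ Canonical, Signature []byte }

var store = map[string]Attestation{} // in-memory stand-in, keyed by a hypothetical send ID
var ErrNoAttestation = errors.New("no valid Travel Rule attestation: refusing to broadcast")

// Attest covers steps 1-3: build the message bytes, sign them, persist both.
func Attest(sendID string, msg Fields, key ed25519.PrivateKey) error {
	canonical, err := json.Marshal(msg)
	if err != nil {
		return err
	}
	store[sendID] = Attestation{Canonical: canonical, Signature: ed25519.Sign(key, canonical)}
	return nil
}

// Broadcast is step 4. It fails closed: the row must exist and its signature must
// verify over the stored bytes, the same check a reviewer with the public key runs.
func Broadcast(sendID string, pub ed25519.PublicKey) error {
	att, ok := store[sendID]
	if !ok || !ed25519.Verify(pub, att.Canonical, att.Signature) {
		return ErrNoAttestation
	}
	return nil // a real wallet would submit the transaction here
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	msg := Fields{ // constructed sample, simplified from IVMS 101
		"originator":  Fields{"name": "Alice Example", "account": "addr-sample-1", "country": "DE"},
		"beneficiary": Fields{"name": "Bob Example", "account": "addr-sample-2"},
		"transaction": Fields{"amount": "250.00", "asset": "SAMPLE", "timestamp": "2026-01-15T10:00:00Z"},
	}
	fmt.Println("before:", Broadcast("send-1", pub))
	fmt.Println("attest:", Attest("send-1", msg, priv))
	fmt.Println("after: ", Broadcast("send-1", pub))
}
```

Storing the exact signed bytes, rather than re-serialising the message at verification time, means a later change in serialiser behaviour cannot invalidate old signatures.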

What this means at the cap level

  • €0–€1000: Travel Rule attestation mandatory; source-of-funds attestation required; user checkbox required.
  • €1000–€5000: This band requires the custody.301 compound cert held simultaneously with privacy.301. Stricter source-of-funds documentation is expected.
  • Above €5000: Iter-H doesn't enable this; it would require the Maestro tier and partner-cert verification.

These thresholds are intentionally conservative. Other wallets (Sparrow, Wasabi) push higher caps. We picked these because BaFin's published guidance specifically calls out €1000 / €5000 as inflection points where they expect to see additional friction.

Penalty matrix

If you misuse privacy primitives — using them to evade taxes, sanctions, AML obligations — penalties under MiCA + TFR + Geldwäschegesetz (Germany's national AML law) include:

  • Administrative fines up to 5% of annual turnover or €5M, whichever is higher
  • Criminal prosecution under §261 StGB (money laundering) — up to 10 years imprisonment
  • Civil liability if your privacy use is found to have facilitated counterparty fraud

The wallet does not insulate you from any of these. Travel Rule attestation is evidence in your favour if you can demonstrate compliance; absence of attestation is evidence against you. Sign every attestation truthfully.

Next: a tour of the three privacy primitives the wallet ships.