Stablecoin Sanctions Screening With Confidence: Pre-settlement sanctions screening for stablecoin payments is ready.

Why Sanctions Compliance Matters

Governments use sanctions as a primary instrument of foreign policy and national security — a coercive tool short of military force. They are applied to advance geopolitical objectives, to respond to state-sponsored aggression, and to restrict financial access to those engaged in activities that the international community deems unacceptable: narcotics trafficking, terrorism financing, weapons proliferation, human rights abuses, and systematic evasion of international law.

Being subject to sanctions typically means being cut off from the global financial system. Payment companies, banks, regulated institutions and most service providers of any kind are prohibited from interacting with sanctioned parties. Violating that prohibition carries serious consequences.

The consequences of a sanctions violation are serious on multiple dimensions. Fines can be calculated as a multiple of the value of each prohibited transaction. In the United States, OFAC administers sanctions on a strict liability basis: that a violation was accidental or unknowing is not a defense. A regulated firm can be held civilly liable even if it had no knowledge that a counterparty was sanctioned at the time of the transaction. The UK adopted the same strict liability standard for financial. The EU regime applies a modestly higher threshold than the U.S. and UK, but there is nonetheless material exposure for EU firms that fail to implement adequate screening. Criminally, wilful evasion of sanctions can attract prosecution and imprisonment across all three jurisdictions.

The scale of enforcement makes the risk concrete. OFAC’s 2023 enforcement record was the largest in its history: 17 enforcement actions totalling over $1.5 billion in settlements and penalties. The crypto sector has not been insulated — enforcement actions against virtual currency firms have resulted in some of the largest individual penalties OFAC has ever imposed, with the biggest crypto settlement alone approaching $1 billion. OFAC has been unambiguous: structural gaps in a compliance program are not a defense, and the strict liability standard means that ‘we didn’t know’ is not a complete answer to a civil enforcement action.

For crypto-asset service providers, the specific vulnerability created by self-custodial wallets is that the conventional mechanism for pre-transaction screening — checking a counterparty who has been onboarded and identified by a regulated institution — does not exist on the self-custodial side. That structural gap is what this article addresses.

Beyond the legal exposure, sanctions compliance carries a broader significance for the stablecoin and digital asset ecosystem. Stablecoin payments are in the process of establishing their credibility as a legitimate payment rail. A sanctions failure by a regulated crypto firm is not just a firm-level problem: it becomes fodder for the argument that digital asset infrastructure cannot be trusted with the responsibilities that come with operating inside the financial system. The consequences ripple outward. Users of the platform face disruption and reputational association. Partner institutions face questions about their own due diligence. Regulators draw broader conclusions about the sector's readiness. The inverse is also true: firms that demonstrate robust, technically credible sanctions compliance — that can show a pre-settlement screening architecture equivalent to what traditional payments already do — actively build the case that stablecoin payment rails belong in the regulated financial system. Sanctions compliance is not only a legal obligation. For digital assets, it is a signal of institutional seriousness.

The Hazard With Settlement First, Screening Second

Traditional payment systems handle sanctions screening before value transfers. That is not happenstance — it is the architectural principle for safe sanctions compliance.

In traditional payments, sanctions screening operates at two levels. First, at customer onboarding: every customer is screened against applicable sanctions lists — OFAC SDN, EU Consolidated, HM Treasury UK Financial Sanctions, etc. — before the customer may open an account, and re-screened periodically as those lists update. This architecture works because a regulated institution sits on each side of every transfer; the originating bank has onboarded and screened the sender, and the receiving bank has done the same for the recipient. Second, at the transaction level: transactions are also screened in real time before funds move, because the counterparty information is embedded in the payment instruction. Both layers together produce a meaningful compliance outcome: a pre-settlement decision, made by regulated intermediaries on both sides of the payment, against verified identity data.

Blockchain payments, in their default configuration, pose challenges to both layers simultaneously.

The first layer — onboarding-based screening — does not exist when a self-custodial wallet is the counterparty. Self-custodial wallets are software interfaces; their holders are not onboarded by any regulated institution. A regulated VASP on the other side of a transfer involving a self-custodial wallet has no equivalent of the counterparty bank’s KYC file to rely on.

The second layer — transaction-level screening — is structurally impaired by the push-settlement model that standard on-chain transactions use. When a user signs a conventional blockchain transaction, the asset is broadcast and settled in a single step. If the regulated institution is on the receiving end, the stablecoin arrives before any screening can occur. Screening the sender after receipt is suboptimal compliance — the violation, if one exists, has already occurred. The regulated VASP must then follow its sanctions procedures: freeze the funds, deny all parties access, and file a blocking report with the relevant sanctions authority within the prescribed timeframe.

Three Approaches, And Why They Fall Short

Facing this structural challenge, regulated firms have typically responded in one of three ways. None produces an adequate compliance outcome.

None of these approaches produces the optimal sanctions compliance outcome: a compliance decision made before the asset moves, against sufficient counterparty information to make that decision meaningful.

The result is that a regulated institution receiving stablecoin payments from self-custodial wallets faces an exposure with no direct equivalent in traditional payments: an unscreened counterparty who can push stablecoins to the regulated VASP before any transaction screening can occur. The structural question is whether a technical mechanism exists to interpose a compliance decision point before value moves — and to do so in a way that captures enough counterparty information for that decision to be meaningful.

That mechanism exists. It is in production today.

“The compliance gap is not a technology problem. The tools to screen before settlement, and to do so against real counterparty information, are in production today.”

The Auth/Capture Model, Applied To Blockchain

The separation of payment authorization from payment settlement — commonly called auth/capture — is the foundational architecture of card payments. When a consumer taps a card, the terminal sends an authorization request to the issuing bank. The bank screens the transaction, applies fraud and sanctions logic, and returns an authorization decision. Funds move only after that compliance decision has been made. The model works because a regulated intermediary sits between the instruction to pay and the movement of value.

ERC-3009, an Ethereum token standard implemented in USDC, EURC, and other major regulated stablecoins, can be used to apply the same logic to self-custodial blockchain payments. Rather than signing a standard transfer transaction — which broadcasts and settles in a single step — the token holder signs a structured authorization message off-chain. That signed authorization is transmitted to a regulated payment processor, which performs its compliance checks before deciding whether to submit the transaction to the blockchain. Value moves only if the compliance checks pass.

Critically, ERC-3009 also creates the conditions under which counterparty information can be collected before settlement. When combined with the Travel Rule data collection flow built into WalletConnect Pay — which prompts the self-custodial wallet user to provide structured identity data as part of the payment approval step — the compliance decision is made not just against a pseudonymous wallet address, but against the identity information of the counterparty.
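The authorize-then-submit flow described above, as an added example that is not WalletConnect Pay's or any stablecoin issuer's code: a hypothetical processor-side gate that takes the fields of a signed ERC-3009 authorization and decides whether it may be submitted on-chain. The class name, reason strings, listed address and the upstream EIP-712 signature-recovery step are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample entry: a made-up address standing in for a sanctions-list hit.
LISTED_ADDRESSES = {"0x" + "ab" * 20}


@dataclass(frozen=True)
class Authorization:
    """Fields the holder signs off-chain for ERC-3009 transferWithAuthorization."""
    sender: str        # "from" in the standard
    recipient: str     # "to" in the standard
    value: int         # token amount in base units
    valid_after: int   # unix time; usable only strictly after this
    valid_before: int  # unix time; usable only strictly before this
    nonce: str         # 32-byte hex value chosen by the signer


class PreSettlementGate:
    """Hypothetical processor-side check that runs before anything is broadcast."""

    def __init__(self, listed_addresses):
        self.listed = {a.lower() for a in listed_addresses}
        self.used_nonces = set()  # (sender, nonce) pairs already approved

    def decide(self, auth, recovered_signer, now):
        """Return (decision, reason); only "SUBMIT" permits on-chain submission.

        recovered_signer is assumed to come from an upstream EIP-712 signature
        recovery step that this example does not implement.
        """
        sender, recipient = auth.sender.lower(), auth.recipient.lower()
        if recovered_signer.lower() != sender:
            return ("REJECT", "signer_mismatch")
        if not (auth.valid_after < now < auth.valid_before):
            return ("REJECT", "outside_validity_window")
        if (sender, auth.nonce.lower()) in self.used_nonces:
            return ("REJECT", "nonce_already_used")
        # Screen both sides while the funds are still in the holder's wallet.
        if sender in self.listed:
            return ("REJECT", "originator_listed")
        if recipient in self.listed:
            return ("REJECT", "beneficiary_listed")
        self.used_nonces.add((sender, auth.nonce.lower()))
        return ("SUBMIT", "checks_passed")
```

A rejected authorization is never broadcast, so no value has moved at the point the decision is made.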

WalletConnect Pay Sanctions Screening End-To-End

What This Means For Your Compliance Program

"If we accept that self-custody wallets will form part of the digital assets ecosystem, then technical standards and operational processes need to be put in place to address regulatory requirements including sanctions checking. In traditional finance, sanctions checking places a significant burden on regulated firms. Each firm performs its own checks on the same transaction and there are many back-and-forth requests for information to disambiguate transaction details. Blockchain-based payments should not seek to emulate traditional sanctions methods, but to exceed them."

Tony McLaughlin

Founder & CEO, Ubyx · Co-author, Self-Custodial Wallets in a Regulated World

The Broader Position

The structural argument that self-custodial blockchain payments are incompatible with sanctions compliance has never been about the regulatory obligation — it has been about the assumed absence of a technical mechanism to fulfill it. ERC-3009 corrects that assumption.

A framework that excludes self-custodial wallets from regulated payment rails on sanctions grounds does not eliminate the risk — it relocates stablecoin payment activity to venues where the pre-settlement compliance check that ERC-3009 enables no longer applies. The regulated institution loses visibility. The compliance gap widens. The public blockchain’s inherent auditability — one of its most genuinely useful properties for supervisory purposes — is squandered.

The better approach is the one that regulated payments have used for decades: a regulated intermediary, interposed between instruction and settlement, making a compliance decision before value moves. The technology to apply that model to self-custodial stablecoin payments — extended with real counterparty identity data collected at the point of payment — is in production. The remaining question is whether regulated firms will build it into their payment flows before the next enforcement action lands.

This piece is part of a six-part series drawing on the case studies in Self-Custodial Wallets in a Regulated World, in collaboration with Ubyx and other ecosystem partners. Next: how ERC-3009 gives blockchain payments an auth/capture model that compliance officers in traditional payments already understand.

Both capabilities referenced are in production: ERC-3009 authorize-and-capture within the WalletConnect Pay payment flow, and pre-settlement sanctions screening on originating and beneficiary wallet addresses. The full paper — Self-Custodial Wallets in a Regulated World: A Practical Framework for Compliance and Co-existence — is available by filling out this form.

