Wallets and Regulation

There is no bank in crypto. You control your keys and your assets, which means you are your own bank. However, you didn't build that bank, nor did you design the cryptography that creates your private keys. This introduces risks that may not have been addressed if you had built the bank yourself.

In the United States, the government insures your assets in a bank up to $250,000 in case the bank fails and your money disappears. This means that if you have more than $250,000 in one bank, you lose the difference above the insured amount.

The government can insure your assets because there are laws governing this process, along with a financial backstop at the business level in case a bank fails and customers lose their money due to risks beyond their control. Additionally, there is a chance of systemic risks affecting multiple banks, which may or may not be within the banks' control. These laws provide greater financial security.

Most banks don't hold all the funds their customers deposit, but the blockchain does. You access your blockchain assets through a wallet, but the wallet doesn’t hold your assets—it is merely an access point. When you create a wallet, you generate a private key and a seed phrase. If you use one wallet brand, you can input your private key or seed phrase into another wallet brand to access the same assets. This level of interoperability doesn’t exist in the physical world, making blockchain wallets a unique domain for regulation.

Cryptography may not need regulation, but it must be understood so that applicable laws can be implemented and updated as needed. Zero-day vulnerabilities exist, and while laws don’t need to change in a single day, they must adapt to new education and mitigation techniques derived from these vulnerabilities.

What makes up the function of a wallet and what functions are able to even regulated and why?

Wallets are created differently and serve various purposes, requiring careful consideration of their regulation. There are several types of wallets, including:

• Single-Signature Wallets: Require only one signature to authorize transactions.
• Multi-Signature Wallets: Require multiple parties to sign a transaction though each wallet is an independently controlled and operated wallet.
• Multi-Party Computation (MPC) Wallets: Use collaborative cryptographic techniques for transaction approval, distinct from multi-signature wallets like those from Gnosis Safe.

Wallets can also be categorized as:

• Hot Wallets: Internet-connected wallets, such as browser-based, bowser extensions, or app-based wallets.
• Cold Wallets: Not connected to the internet. Some, like Ledger, can connect through an app, while others, like hardware security modules (HSMs), are never internet-connected, offering unique security profiles. When you create a wallet, the blockchain generates a private key, and your wallet derives a seed phrase from it. These keys and phrases are presented and stored differently—sometimes permanently, sometimes temporarily. These processes require regulatory oversight to protect consumers and their assets.

When creating a wallet, the blockchain generates a private key, and the wallet then interprets and displays a corresponding seed phrase. Both the private key and seed phrase are critical to asset security. Their generation, storage, and presentation to the user require careful regulatory attention, including guidelines for:

• Secure Key Generation Methods: Ensuring that the cryptographic libraries and random number generators used are audited, certified, and free from known vulnerabilities.
• Seed Phrase Display Practices: Requiring that the seed phrase never be transmitted unencrypted over the internet, that users are warned to back it up securely offline, and that wallet providers disclose how seed phrases are handled internally.
• Temporary vs. Permanent Storage: Establishing rules around where and how the private key and seed phrase can be cached, stored, or backed up—especially if they are ever retained on the provider’s infrastructure.

Key Principles Might Include:

• Security by Design: Regulators would require that wallets be developed following industry best practices for encryption, key generation, and access controls. Similar to existing cybersecurity standards (e.g., ISO 27001), wallet developers would need to prove they follow secure development lifecycles and conduct routine external audits.

• Adaptability and Continual Improvement: Regulators and industry participants collaborate to update guidelines as new threats emerge. This iterative approach is inspired by the way safety standards evolve in industries like aviation or automotive manufacturing. As zero-day vulnerabilities arise, the regulation encourages rapid patching, transparent communication, and proactive standards updates.

• Developer and Provider Accreditation: Legislation could require wallet developers and organizations to obtain and accreditation or license issued by a regulatory body. Achieving this would entail meeting minimum standards in cryptography implementation, code auditing, user experience safeguards, and secure key handling.

• Specialized Training: Developers may need to complete specific courses in applied cryptography, secure coding practices, threat modeling, and regulatory compliance. These could be offered by accredited institutions and updated regularly to reflect emerging threats and best practices.

• Structured Consumer Education Reguirements: Legislation could require that every accredited wallet provider deliver standarized user education as part of the onboarding process. This could include interactive modules covering seed phrase management, safe key storage, phishing awareness, and instructions for verifying wallet authenticity. Additionally, support channels should be available to help users respond to breaches or key-compromise events.

• Transparent Documents and Guides: A central repository of best practices, updated regulatory guidelines, and consumer-focused security resources can be maintained by a governing body. Wallet providers would be required to link to this repository, ensuring even novice users have easy access to trusted educational materials.

• Regulatory Oversight Agencies: Just as financial regulators oversee banking standards, specialized agencies or departments within existing financial oversight bodies could be established to monitor wallet providers’ compliance, audit code submissions, and enforce penalties for non-compliance.

DRAFT LEGISLATION

A Bill

To establish minimum security and accreditation standards for cryptocurrency wallet providers, require ongoing professional education for developers, mandate structured consumer education, and provide for regulatory oversight to protect consumers and strengthen the security of digital asset ecosystems.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE. This Act may be cited as the “Digital Wallet Security and Accreditation Act of 20__”.

SEC. 2. FINDINGS AND PURPOSES. (a) Findings.— Congress finds the following: (1) Digital asset wallets enable users to exercise direct control over private keys and seed phrases, functioning as personal financial access points outside of traditional banking structures. (2) The unique nature of digital wallets introduces heightened consumer risk, including the potential for cryptographic vulnerabilities, user error in key management, and a lack of standardized disclosures. (3) Establishing minimum professional standards for wallet developers and requiring accreditation, periodic code audits, and continuing education will enhance consumer trust and promote robust security practices. (4) Providing users with structured, standardized educational materials regarding private keys, seed phrases, and best security practices will further protect consumers from fraud, loss, and misuse. (5) A flexible, principle-based regulatory framework, informed by evolving cybersecurity threats, will ensure that standards adapt over time while preserving the innovation and interoperability characteristic of digital asset markets.

(b) Purposes.— The purposes of this Act are to: (1) Improve consumer protection through the regulation of wallet providers and developers. (2) Establish mandatory accreditation, ongoing professional education requirements, and professional liability standards for wallet developers and providers. (3) Mandate transparent disclosures, secure key generation practices, and safe handling of private keys and seed phrases. (4) Require structured consumer education to promote secure wallet usage and mitigate risks. (5) Provide for regulatory oversight, enforcement mechanisms, and adaptability to emerging threats.

SEC. 3. DEFINITIONS. For purposes of this Act: (1) Digital Wallet; Wallet Provider.— The term “digital wallet” or “wallet” means any software, firmware, or hardware-based interface that facilitates access to digital assets on a blockchain, including hot wallets, cold wallets, single-signature wallets, and multi-party computation (MPC) wallets. A “wallet provider” means any entity engaged in developing, distributing, or maintaining such wallets for end users. (2) Private Key.— The term “private key” means a unique cryptographic value that grants control over associated digital assets on a blockchain network. (3) Seed Phrase.— The term “seed phrase” means a human-readable representation of a private key or a root key that can be used to derive multiple private keys and restore access to a digital wallet. (4) Accredited Developer or Provider.— The term “accredited developer or provider” means a wallet developer or provider that has met all accreditation standards established under this Act and maintains active compliance with continuing education and auditing requirements.

SEC. 4. ACCREDITATION AND PROFESSIONAL STANDARDS FOR DEVELOPERS AND PROVIDERS. (a) Initial Accreditation Requirements.— (1) Code Review and Auditing.— A wallet provider seeking accreditation under this Act shall submit its codebase to a certified third-party auditor for security testing, verification of cryptographic implementations, and review for known vulnerabilities. (2) Security by Design.— Accredited wallet providers shall demonstrate adherence to secure development lifecycles, encryption best practices, and industry cybersecurity standards equivalent to or exceeding ISO 27001. (3) Professional Training.— Key personnel in accredited organizations shall complete initial training on applied cryptography, secure coding practices, key management principles, compliance requirements, and threat modeling.

(b) Continuing Education and Recertification.— (1) Periodic Recertification.— Accredited developers shall complete continuing professional education credits on an annual or biennial basis, covering new cryptographic standards, emergent threats (including zero-day vulnerabilities), secure update mechanisms, and regulatory changes. (2) Professional Liability Insurance.— Accredited providers shall maintain professional liability coverage or participate in a regulated risk pool to ensure consumer compensation in the event of systemic security failures attributable to the provider’s negligence.

(c) Ethical and Professional Conduct Standards.— (1) Ethical Code.— Accredited developers and providers shall adhere to a code of conduct emphasizing user privacy, timely vulnerability disclosures, and cooperation with regulators and law enforcement in investigating breaches. (2) Penalties for Non-Compliance.— The regulatory authority established under section 6 may revoke or suspend accreditation for failing to meet these professional standards.

SEC. 5. CONSUMER EDUCATION REQUIREMENTS. (a) Mandatory Onboarding Education.— (1) Standardized Modules.— Accredited wallet providers shall present standardized, easily understandable educational content during the user onboarding process. Such content shall include guidance on seed phrase management, offline backup techniques, phishing awareness, verifying wallet authenticity, and recognizing fraudulent applications. (2) Ongoing User Awareness Updates.— Providers shall periodically prompt users to review and update their knowledge of best security practices, particularly following significant regulatory or technological changes.

(b) Central Repository of Resources.— (1) Publicly Accessible Repository.— A governing body designated under section 6 shall maintain an online repository of best practices, regulatory guidelines, frequently asked questions, and consumer-focused security tips. (2) Provider Linkage.— Accredited providers must maintain a direct, accessible link to this repository within their wallet interface, ensuring all users can access trusted information at any time.

SEC. 6. REGULATORY OVERSIGHT AND ENFORCEMENT. (a) Establishment of Oversight Authority.— (1) Designation.— The Secretary of [Designated Agency] shall designate a “Digital Wallet Security Board” (DWSB) or rely on an existing financial technology oversight division to administer, monitor, and enforce the provisions of this Act. (2) Duties.— The DWSB shall develop accreditation criteria, certify third-party auditors, issue guidance on compliance, and enforce penalties against non-compliant providers.

(b) Compliance and Audits.— (1) Regular Audits.— Accredited providers shall undergo periodic audits to ensure ongoing compliance with accreditation standards and consumer education requirements. (2) Penalties.— The DWSB may assess civil penalties, issue cease-and-desist orders, or pursue suspension or revocation of accreditation for violations. (3) Appeal Process.— Providers shall have the right to appeal enforcement actions through an administrative review process, with judicial review available thereafter.

SEC. 7. EXCEPTIONS AND SPECIAL RULES. (a) Exemptions.— The DWSB may establish de minimis thresholds or limited exemptions for wallet developers who serve a small user base or research institutions focusing solely on non-commercial, academic cryptographic research, provided such exemptions do not materially undermine consumer protections.

(b) Pilot Programs.— The DWSB may authorize pilot programs to test novel cryptographic techniques, user interface improvements, or emerging best practices under controlled conditions, granting temporary waivers from specific requirements as necessary.

SEC. 8. RELATIONSHIP TO OTHER LAWS. (a) Consistency With Existing Financial Regulatory Frameworks.— Nothing in this Act shall be construed to limit the application of existing financial, consumer protection, or data privacy laws. (b) Harmonization.— The Secretary of [Designated Agency] shall coordinate with other relevant agencies to avoid regulatory duplication and ensure harmonious integration with existing cybersecurity and consumer protection standards.

SEC. 9. EFFECTIVE DATE. This Act shall take effect 1 year after the date of enactment, except that the Secretary of [Designated Agency] may promulgate rules and regulations as necessary to carry out this Act beginning on the date of enactment.