UK payment providers offer Mastercard linked to no-KYC crypto wallets

Two UK payment services providers (PSPs) are marketing Mastercard debit cards linked to non-custodial crypto wallets. PSPs Mercuryo and Baanx , both authorised by the Financial Conduct Authority (FCA), began offering the products last year. Know Your Customer (KYC) checks are not needed to establish non-custodial wallets, and transaction activity using them is not subject to monitoring.

New European Union rules prohibit non-custodial self-hosted wallets, and some observers have pointed out the possible financial crime risks for card providers.

“The question for Mastercard becomes: where did the money come from?” said Patrick Tan, general counsel at ChainArgos, a blockchain intelligence company in Singapore. “Ask the card issuer and they won’t know either because they don’t host these wallets, they’re self-hosted. These are like prepaid gift cards.” He added that this led to the risk such wallets could be used for money laundering.

KYC easy to beat

Card providers and crypto exchanges may require identity checks, but non-custodial wallet providers do not. Privacy and control (“my keys, my crypto”) are a few of the reasons non-custodial wallets were created and became popular after the FTX exchange collapsed in 2022. Non-custodial wallet holders can receive funds from other wallets without going through an exchange or a payment provider.

There are plenty of ways to buy crypto anonymously and without KYC promoted online. Research shows that vetted PSP accounts are easily bought online and there is a black market for KYC on Facebook, where groups offer existing accounts as well as passports, identification and selfie videos.

The FCA did not comment on these products but noted that firms have financial crime compliance obligations under the Money Laundering Regulations.

Wallet data is private

Baanx, which is a UK e-money directive (EMD) firm and FCA-registered crypto asset firm, offers a debit card linked to MetaMask’s non-custodial wallet. MetaMask keeps “wallet data private” unless the owner gives permission to share it. Transactions using MetaMask are registered on the Ethereum blockchain and publicly available but accounts on that network are pseudonymous, according to MetaMask’s website.

Tan at ChainArgos challenges the claim that non-custodial wallets are truly non-custodial. “Their allegedly self-hosted wallets are self-hosted or non-custodial until a transaction happens. Then the wallet provider takes custody of the assets — even if it is only for a second — to figure out where to route the order. If I’m determining where the order goes, I’m a broker,” he said.

A MetaMask spokesperson said the company has partnered with “vetted providers”, which have the required regulatory authorisations in jurisdictions where the card is available. “Local affiliates” and Mastercard are responsible for ensuring compliance with applicable financial regulations, including KYC and anti-money laundering (AML) checks, and transaction monitoring, the spokesperson added.

According to a Mastercard spokesperson, these cards are subject to strict compliance protocols, including KYC and compliance with local laws and regulations in the regions they are used. “Cryptocurrencies still don’t move through our network. Our crypto partners convert the digital assets on their end to traditional currencies, then transmit them through to the Mastercard network,” the spokesperson said.

Baanx did not respond to emails from Compliance Corylated.

‘We don’t know how you spend itʼ

Crypto and payments firm Mercuryo markets Spend, its crypto Mastercard, with the tagline “we don’t know how you spend it. you know”.

Spend is embedded into a non-custodial wallet, meaning its users can store and manage the keys to their crypto holdings. It is compatible with 40 cryptocurrencies, including Ethereum and Solana, according to Mercuryo. The company is also planning a card linked to a MetaMask wallet.

“At present, our non-custodial wallet partners have not launched the Spend Mastercard crypto debit card. Spend has full ID verification and robust KYC and AML protocols in place. In addition, blockchain analytics are deployed to identify risks in user transactions. Regulatory compliance is important to us as a business and central to everything we do,” said Mercuryo’s spokesperson.

Mercuryo has UK e-money institution (EMI) permissions from the FCA through Moneytea and Monetley. It is registered as a virtual asset service provider in Spain, Italy and Croatia, but is not yet licensed under the EU Markets in Crypto-Assets (MiCA) regime. In 2023, Mercuryo advertised “No KYC flow” on its website, which enabled users to buy up to 700 euros-worth of crypto without identity verification. It also offered customers a solution whereby if they had passed KYC once, they could reuse it.

Travel rule  

The Financial Action Task Force (FATF) travel rule is an AML measure that requires any crypto transactions over a certain threshold to be accompanied by customers’ personal information. Currently, credit, debit or prepaid card transactions for purchasing goods or services are exempt from the rule, but the card number must accompany all transfers flowing from the transaction. This exemption does not apply to person-to-person transfers carried out using a credit, debit or prepaid card, according to FATF.

In 2027, new EU rules will require apply to most crypto sector firms, setting them tighter due diligence requirements alongside other high-value dealers. The package, adopted last May, also sets a 10,000 euro limit on cash payments. The same rules bring in a ban on self-hosted, non-custodial wallets and “anonymity-enhancing coins”.