This article compares a bank account and a crypto wallet. On the surface they serve a similar purpose: storing and transferring value. But beneath that surface they are fundamentally different instruments, both legally and in terms of compliance risk under Dutch and EU law.
For compliance professionals working in the Netherlands, the intersection of bitcoin, AML obligations, and the Wet ter voorkoming van witwassen en financiering van terrorisme (Wwft) has become impossible to ignore. This guide covers the essentials: what a wallet actually is, how ownership works, what MiCA and the Transfer of Funds Regulation (Travel Rule) now require, and where the compliance blind spots lie.
The euro is legal tender issued by a sovereign state and backed by the European Central Bank. Its supply is managed by central bank policy and there is no fixed ceiling on how much can be created. Governments and central banks can, and regularly do, issue more of it. This is by design: monetary systems need that flexibility to respond to economic conditions.
Bitcoin operates on a completely different principle. It is a decentralised means of exchange, governed not by any authority but by code. Its most defining feature, from a monetary perspective, is scarcity. The total number of bitcoins that will ever exist is hard-capped at 21 million. That limit is written into the protocol and cannot be changed by any government, central bank, or developer. It is not a policy. It is mathematics.
The smallest unit of a euro is one cent. A bitcoin is divisible into 100,000,000 units. Those smallest units are called satoshis, or sats, named after Bitcoin's pseudonymous creator Satoshi Nakamoto.
The core monetary difference: euro supply is managed by institutions and can expand without a defined ceiling. Bitcoin supply is fixed by code at 21 million coins and cannot be altered by anyone. This distinction shapes the entire risk profile of the asset.
New bitcoins enter circulation through a process called mining. Miners validate and record blocks of transactions on the blockchain and receive a block reward in return. That reward is designed to decrease over time: every 210,000 blocks, roughly every four years, the reward is cut in half. This event is known as a halving.
The current block reward, following the fourth halving in April 2024, is 3.125 bitcoins per block. As of late 2025, approximately 19.7 million of the 21 million bitcoins have already been mined. The final bitcoin is projected to be mined around the year 2140, after which miners will only earn transaction fees.
There is no mechanism to create more bitcoin beyond that ceiling. No central authority can expand the supply in response to economic pressure, political decisions, or any other factor. That is a feature, not an oversight.
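The halving schedule described above can be checked with integer arithmetic. The following is an added example, not part of the original article or of Bitcoin Core; the function names are hypothetical, and the 50-bitcoin starting reward is an assumption not stated in the article (it is what a 3.125 reward after four halvings implies).

```python
COIN = 100_000_000            # satoshis per bitcoin (figure from the article)
HALVING_INTERVAL = 210_000    # blocks between halvings (figure from the article)
INITIAL_SUBSIDY = 50 * COIN   # assumption: starting reward, not stated in the article


def block_subsidy(height: int) -> int:
    """Block reward in satoshis at a given height (transaction fees excluded)."""
    halvings = height // HALVING_INTERVAL
    # Integer right shift halves the reward and drops fractions of a satoshi.
    return INITIAL_SUBSIDY >> halvings


def first_zero_subsidy_height() -> int:
    """First block height at which the reward has been halved down to zero."""
    era = 0
    while INITIAL_SUBSIDY >> era:
        era += 1
    return era * HALVING_INTERVAL


def issued_before(height: int) -> int:
    """Nominal satoshis created by block rewards in blocks 0 .. height-1."""
    total = 0
    era = 0
    while era * HALVING_INTERVAL < height:
        start = era * HALVING_INTERVAL
        subsidy = INITIAL_SUBSIDY >> era
        if subsidy == 0:
            break  # every later era also pays nothing
        blocks = min(height, start + HALVING_INTERVAL) - start
        total += blocks * subsidy
        era += 1
    return total


def max_supply() -> int:
    """Total satoshis that the schedule can ever issue."""
    return issued_before(first_zero_subsidy_height())


if __name__ == "__main__":
    print("reward at block 840,000:", block_subsidy(840_000) / COIN, "BTC")
    print("issued before block 840,000:", issued_before(840_000) / COIN, "BTC")
    print("reward reaches zero at block:", first_zero_subsidy_height())
    print("maximum supply:", max_supply() / COIN, "BTC")
```

Because each halving rounds down to a whole satoshi, the schedule tops out slightly below 21 million coins rather than exactly at it.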
For compliance purposes: because bitcoin cannot be issued by any authority, there is also no authority that can intervene if something goes wrong. There is no government guarantee on bitcoin holdings, no compensation scheme if a platform fails, and no institution that steps in to protect a client who loses access to their funds. If a client's bank goes under, their deposits are protected up to a certain amount by law. If a crypto platform collapses, there is no equivalent protection. Clients carry the full risk themselves, and that needs to be part of any client risk conversation.
In the eurozone, the total amount of money in circulation runs into the tens of trillions of euros when you account for bank deposits, savings, and related instruments. Central banks track this through monetary aggregates. These figures shift constantly, reflecting new lending activity, policy decisions, and the broader management of the economy.
There is no fixed upper limit to this supply. That is not a flaw. Fiat monetary systems are designed to be flexible so that money supply can be adjusted to support economic growth, manage inflation, or respond to a crisis. The European Central Bank has the tools and the mandate to do exactly that.
Bitcoin's model is the direct opposite. Every unit that will ever exist is already accounted for in the code. No one can issue more. No committee can vote to expand the supply. In that sense, bitcoin behaves more like a finite natural resource than a currency managed by a central bank.
A client holding euros in a bank account benefits from deposit protection schemes, central bank oversight, and the backing of a sovereign state. A client holding bitcoin has none of those protections. These are categorically different risk profiles, and your risk assessment under the Wwft should reflect that.
A bank account in the Netherlands and across the EU is identified by an IBAN: International Bank Account Number. The Dutch IBAN consists of the country code NL, two check digits, a four-character bank code, and a ten-digit account number.
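A screening check for the Dutch IBAN layout described above, as an added example that is not part of the original article. The function names are hypothetical, and the sample value is the widely published specimen IBAN for the Netherlands, not a customer account. The check digits follow the standard IBAN mod-97 scheme, which the article does not describe.

```python
import re

# Layout from the article: NL + 2 check digits + 4-character bank code
# + 10-digit account number (18 characters in total).
NL_IBAN = re.compile(r"NL(\d{2})([A-Z]{4})(\d{10})")


def _mod97(text: str) -> int:
    """Remainder mod 97 of the IBAN digit string; letters count as 10..35."""
    remainder = 0
    for ch in text:
        value = int(ch, 36)  # '0'-'9' -> 0-9, 'A'-'Z' -> 10-35
        # A letter contributes two decimal digits, a digit contributes one.
        remainder = (remainder * (100 if value > 9 else 10) + value) % 97
    return remainder


def check_digits(bank_code: str, account: str) -> str:
    """Compute the two check digits for a Dutch bank code and account number."""
    return f"{98 - _mod97(bank_code + account + 'NL00'):02d}"


def validate_nl_iban(raw: str) -> tuple[bool, str]:
    """Return (is_valid, reason) where reason is 'ok', 'structure' or 'checksum'."""
    iban = re.sub(r"\s+", "", raw).upper()  # accept the printed, space-grouped form
    match = NL_IBAN.fullmatch(iban)
    if not match:
        return False, "structure"
    given, bank_code, account = match.groups()
    # Comparing against recomputed digits (rather than only testing that the
    # remainder is 1) also rejects out-of-range check digits such as 00, 01
    # and 99, which can satisfy the remainder test.
    if given != check_digits(bank_code, account):
        return False, "checksum"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "NL91 ABNA 0417 1643 00",   # specimen IBAN, valid
        "NL91ABNA0417164301",       # constructed: last digit altered
        "NL91ABNA041716430",        # constructed: one digit short
    ]
    for sample in samples:
        print(sample, "->", validate_nl_iban(sample))
```

A passing check only shows the number is well formed; it says nothing about whether the account exists or who holds it.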
Every bank account is held in the name of a legal or natural person. Only authorised individuals can operate the account: the account holder, an authorised representative, or a legal proxy. The bank intermediates every transaction. It can freeze the account, block access, and cooperate with law enforcement under defined legal conditions.
That intermediation is both a protection and a point of control. It is precisely what makes bank accounts traceable, recoverable, and manageable from a compliance and law enforcement perspective. The bank knows who holds the account. The regulator can compel the bank to act. That chain of accountability does not exist in the same way with crypto.
The word wallet is something of a misnomer. A crypto wallet does not store bitcoin the way a physical wallet stores cash. Bitcoin never leaves the blockchain. What changes is which address controls it. Think of a wallet as a keychain: it holds the cryptographic keys that prove control over an address and authorise transactions from it.
A wallet has two components:
The public key is the address on the blockchain. It is visible to anyone, comparable to an IBAN. It is the address to which bitcoin can be sent, and every transaction involving it is permanently recorded and publicly visible on the blockchain.
The private key is the secret. It is a cryptographic string, often represented as a 12- or 24-word seed phrase, that proves control and authorises outgoing transactions. Whoever holds the private key controls the bitcoin at that address. There is no password reset and no institution to call.
One point that is often overlooked in compliance assessments: there is no rule that says a wallet belongs to one person. A private key or seed phrase can be shared, copied, or known to multiple people at the same time. It could be a group of friends managing a shared fund, siblings who inherited assets together, business partners, or any other arrangement. Unlike a bank account, which is registered to a named holder with defined authorised users, a blockchain wallet has no such registry. Control is simply a matter of who has the key.
This has direct consequences for KYC and UBO identification under the Wwft. When a client presents a wallet address, you cannot assume from the address alone that you are dealing with a single individual or a single legal entity. The actual controller may be one person, several people, or an informal arrangement that does not map neatly onto any standard customer category. This must be investigated, not assumed.
For AML purposes: the public key is your reference point for transaction monitoring. The private key is where actual control of the asset resides. Those are not the same thing, and closing the gap between them is one of the central challenges of crypto compliance under the Wwft and MiCA.
Ownership of a bank account is clear. Your name is on it, the bank holds your money under a contractual arrangement, and legal frameworks protect your claim up to defined limits. If something goes wrong, there are institutions and legal processes you can turn to.
Ownership of bitcoin works differently. It is not a claim against any institution. It is cryptographic control. Whoever can produce the correct private key can move the bitcoin, regardless of any broader question of who morally or legally should own it.
Under Dutch and international property law, bitcoin can be recognised as an asset capable of ownership. But the mechanism of that ownership is purely technical. Holding the private key is the functional equivalent of holding the asset. There is no registry, no title, and no intermediary to appeal to.
The most important conceptual shift for compliance professionals new to crypto: in traditional finance, ownership is recorded and enforced by institutions. In the crypto world, ownership is enforced by mathematics. The implications for KYC, UBO identification, and asset tracing under the Wwft are significant and should not be underestimated.
When a client stores bitcoin on an exchange or with a custodial wallet provider, they do not hold the private keys. The platform does. This is called a custodial arrangement. The client trusts the platform to keep the bitcoin safe and to allow withdrawals when requested.
That trust is not always well placed. If the platform is hacked, becomes insolvent, or freezes withdrawals, the client may have no way to recover their funds. This is not a theoretical risk. It has happened at scale, more than once:
Mt. Gox (2014): 850,000 bitcoin lost following a hack. Customers waited years for partial compensation through lengthy insolvency proceedings.
QuadrigaCX (2019): The founder died as the sole person with access to the cold wallets. The funds were never recovered.
FTX (2022): One of the world's largest crypto exchanges collapsed amid fraud. Billions in client funds were gone.
In each of these cases, clients who trusted a platform with their bitcoin lost access to it because they did not hold their own keys. This is the origin of the phrase: not your keys, not your coins.
This is also why MiCA introduced a mandatory requirement: custodial wallet providers must keep client assets strictly separate from the company's own assets at all times. Mixing the two pools, even temporarily, creates a situation where client funds can be used to cover company liabilities. That is exactly the scenario that contributed to the FTX collapse. Asset segregation is not a technical formality. It is a fundamental client protection, and under MiCA it is now a legal requirement.
For comparison, access to a bank account can also be restricted, but through defined and legally governed processes: internal bank policy decisions, sanctions-related freezing orders, court-ordered attachment, or criminal asset seizure. Each of these comes with legal oversight and the right to challenge the decision. In an unregulated custodial crypto arrangement, none of those safeguards exist.
MiCA now requires all licensed custodial wallet providers to hold client assets separately from company funds. When assessing a custodial provider under the Wwft, verify that they hold a valid MiCA licence and have documented asset segregation procedures in place. If they cannot demonstrate either, that is a significant red flag for your risk assessment.
A bank transaction flows through a regulated chain. It goes from the sender's bank, through correspondent banks if needed, to the recipient's bank. Every step is logged, every party is identified, and the system is designed for traceability. Transactions can, under defined conditions, be reversed.
A blockchain transaction works differently. It is broadcast to a decentralised network, validated by miners or validators, and permanently written to the public ledger. It cannot be undone. It is pseudonymous, meaning transactions are linked to public key addresses rather than to named individuals, but it is not anonymous. Every transaction is visible to anyone who knows where to look.
This pseudonymity is the core compliance challenge. The blockchain gives you full transaction transparency, but converting on-chain addresses into real-world identities requires additional tools: blockchain analytics platforms, KYC data from exchanges, and regulatory reporting mechanisms. The data is there. Extracting it takes work.
Since 30 December 2024, the Transfer of Funds Regulation (TFR), the EU's Travel Rule for crypto, has been fully in force in the Netherlands. Under the Wwft and the TFR, crypto-asset service providers must collect and share the identifying information of both sender and recipient for every crypto transaction, with no minimum threshold. This is a stricter standard than the threshold that applies to traditional wire transfers. There is no grace period and no minimum amount below which the obligation disappears. As of February 2025, the AFM confirmed that CASPs are now formally classified as financial institutions under the Wwft, with all corresponding obligations.
Cold storage means keeping the private key entirely offline. The most common form is a hardware wallet: a small physical device that stores the private key, signs transactions offline, and requires a PIN to operate. It never exposes the private key to an internet-connected device.
Every hardware wallet generates a seed phrase at setup: a sequence of 12 or 24 words that can reconstruct the private key if the device is lost or damaged. That seed phrase is the backup. If both the device and the seed phrase are lost, the bitcoin is gone. There is no recovery process and no one to contact.
Cold storage wallets fall outside the scope of MiCA. Because the user holds their own private key and no third party acts as custodian, there is no regulated entity involved. That means no licence requirement, no oversight, and from a compliance perspective, no regulated intermediary to ask questions of.
When a client uses a cold storage or self-hosted wallet as the source or destination of funds, enhanced due diligence is required under the Wwft and the AFM's CASP guidance published in May 2025. You cannot verify the transaction history through a regulated intermediary because there is no intermediary. Blockchain analytics tools and thorough source-of-funds documentation become your main instruments. The AFM explicitly lists self-hosted wallets as a key supervisory concern due to the anonymity risk they carry.
One aspect of bitcoin that is frequently misunderstood in compliance discussions is its nature as open source software. Bitcoin Core, the primary software implementation of the Bitcoin protocol, is released under the MIT licence. Anyone in the world can read the code, propose changes, and verify exactly how the protocol works. No company owns it. No single developer controls it.
This matters for compliance professionals for a specific reason: it means the rules of bitcoin, including the 21 million supply cap, are publicly verifiable by anyone. There is no board of directors that could vote to change the supply. There is no CEO who could issue a statement reversing a transaction. The protocol does what the code says, and the code is public. This is sometimes called trustless: you do not need to trust any institution because you can verify the rules yourself.
It also means that no single entity is responsible for bitcoin in the way a company is responsible for its products. When a compliance question arises about who controls bitcoin, the honest answer is: no one does, and everyone can verify it. That is a fundamentally different accountability model from anything that exists in traditional finance.
For AML purposes, the open source nature of the protocol is also relevant because it means the transaction rules are transparent and immutable. A miner cannot secretly alter a transaction after the fact. A developer cannot quietly change the supply. What you see on the blockchain is what happened, and no one can change the record once it is confirmed.
The open source nature of Bitcoin means the protocol rules are publicly auditable. There is no hidden authority that can alter the ledger or expand the supply. This transparency is one of the reasons blockchain analytics can be so effective for AML investigations: the complete transaction history is public, permanent, and cannot be revised by any party.
The Markets in Crypto-Assets Regulation (MiCA) is the most significant development in European crypto regulation to date. It replaces a fragmented set of national rules with a single, harmonised framework covering crypto-asset issuers and service providers across all EU member states. For Dutch compliance professionals, MiCA sits alongside the Wwft rather than replacing it.
MiCA was introduced in stages:
30 June 2024: Rules for stablecoins, specifically asset-referenced tokens and e-money tokens, became applicable.
30 December 2024: Full application for all crypto-asset service providers, including custodial wallet providers, exchanges, and portfolio managers.
30 December 2024: Transfer of Funds Regulation entered into force with no transitional period.
17 January 2025: Digital Operational Resilience Act (DORA) applied to all MiCA-licensed entities, covering IT risk management and cybersecurity.
2 May 2025: The AFM published a specific annex to its Wwft and Sanctions Act guidelines for CASPs, clarifying AML/CFT expectations including self-hosted wallet handling and Travel Rule compliance.
In the Netherlands, the transition period was deliberately short. CASPs operating before 30 December 2024 were required to be fully licensed by the AFM no later than 1 July 2025. The DNB issued the first MiCA licences on 30 December 2024 and now focuses on prudential supervision and AML monitoring. Any provider operating without a licence after the transition deadline is doing so outside the law.
Under MiCA, custodial wallet providers must meet the following requirements:
Hold a valid MiCA licence issued by the AFM in the Netherlands.
Keep client assets strictly separated from the company's own assets at all times.
Apply KYC and CDD procedures in line with both the Wwft and MiCA requirements.
Implement full Travel Rule compliance, collecting and transmitting sender and recipient data on every transfer.
Meet DORA standards for IT resilience, including documented risk management and incident reporting.
Report unusual transactions to the Financial Intelligence Unit Netherlands (FIU-NL).
Self-custody wallets, where the user holds their own private key, remain outside MiCA's direct scope. A person managing their own keys is not a CASP and does not need a licence. This is an intentional boundary. But it also means that self-custody interactions in a professional or client context require more scrutiny, not less, precisely because there is no regulated intermediary in the chain.
MiCA draws a clear line. Custodial providers are regulated, licensed, and required to follow the Travel Rule and Wwft obligations. Self-custody wallets sit outside that perimeter entirely. Knowing which side of that line your client is on is the first question in any crypto-related CDD assessment in the Netherlands.
If a bank card is lost or stolen, the account holder can call the bank, block the card, and work through a recovery process. Unauthorised transactions can often be reversed. There are legal protections and institutional processes at every step.
If a private key or seed phrase is lost, there is no recovery process. The bitcoin associated with that key becomes permanently inaccessible. It is not stolen. It is not destroyed. It simply sits on the blockchain, unreachable, forever. Estimates suggest that somewhere between 17% and 20% of all bitcoin ever mined has been lost this way.
Theft is equally irreversible. If a private key is stolen or compromised, the attacker can move all associated bitcoin instantly. Unlike a fraudulent bank transfer, there is no chargeback mechanism and no institution that can freeze the transaction. Once confirmed on the blockchain, it is done.
For compliance professionals advising clients: the absence of any recovery mechanism is not just a product feature to disclose. It is a material risk that belongs in your client risk assessment and your CDD file. Whether clients manage their own keys or use a custodial platform, the risks involved have no direct equivalent in traditional financial services and should be explained clearly and documented accordingly.
A bank account and a crypto wallet both allow you to hold and transfer value. Beyond that, the similarities are limited.
A bank account sits within a layered framework of legal protection, institutional oversight, and regulatory control. A wallet, particularly one in self-custody, sits outside that framework entirely. The euro is issued by institutions with the flexibility to expand supply as needed. Bitcoin is issued by a protocol, capped at 21 million coins, with no authority capable of changing that.
For the compliance professional in the Netherlands, the essential takeaways are:
Custodial wallet providers are now regulated CASPs under MiCA, must hold an AFM licence, segregate client assets, and comply with the Wwft and Travel Rule.
Self-custody wallets fall outside MiCA and outside the standard compliance perimeter, making them a higher-risk interaction that requires enhanced due diligence.
The Travel Rule applies to all crypto transfers by CASPs with no minimum threshold, stricter than the rules for traditional transfers.
Control of bitcoin means control of the private key, not a name on a register.
A wallet address can be controlled by one person or many. You cannot determine that from the address alone, and this must be investigated as part of your UBO assessment.
Loss of the private key means permanent loss of the asset, with no recovery mechanism and no institutional backstop.
Bitcoin is open source: its rules are public, auditable, and cannot be changed by any single party. This makes blockchain evidence reliable but also means there is no authority to appeal to.
Understanding how wallets and keys actually work is not background knowledge for crypto specialists. It is foundational knowledge for any compliance professional whose clients hold, transfer, or interact with crypto assets in the Netherlands. The Wwft and MiCA frameworks are in place. The obligation now is to apply them correctly.