Know Your Crypto Customer: KYC Requirements for Digital Assets

Know your customer (KYC) is a critical element of every anti-money laundering (AML) and customer due diligence (CDD) program to prevent financing of terrorism and illicit transfers of funds. How can it work for crypto users?

‍FinCEN’s Final Rule in the US and AMLD 5 and AMLD 6 in Europe made it clear that virtual currencies, including the exchanges on which they trade, are subject to anti-money laundering legislation. So, monitoring and screening your customers’ profiles through a KYC protocol is essential to avoid servicing criminals and scammers, particularly those on prohibited sanctions lists.

KYC is meant to serve as guardrails for digital assets and cryptocurrency exchanges and custodian services not only to avoid money laundering in their operations but also to protect against the risks inherently posed to consumers and investors. It’s meant to help contribute to the health of the crypto industry as a whole.

But how does KYC fit into the blockchain environment, especially where the premise is relative anonymity and decentralization?

‍In this article, we’ll cover:

• What do we know about crypto KYC requirements today?
• What are the challenges with requiring KYC for crypto?
• How will KYC requirements for crypto be approached?

What do we know about crypto KYC requirements today?

Transaction monitoring of the chain of activity is one of the most tangible compliance items for virtual currency business entities today. The latest enforcement actions show that SEC, FinCEN, and CFTC have collected several billions of dollars over the years for crypto-related AML violations and fraud.

This means as a crypto firm, your BSA/AML compliance program around registered securities offerings has to be stringent. You need to be screening and blocking every transaction that might be sanctioned. Third-party or internally developed blockchain analytics products and services for additional control measures are permitted to use, but they have to be compliant.

From a regulatory standpoint, here is what we know about KYC requirements in the US so far:

• The Financial Action Task Force (FATF) sets the standards for AML laws globally.
• According to FATF, virtual asset service providers (VASPs), such as cryptocurrency exchanges, stablecoin issuers, and in some cases DeFi protocols and NFT marketplaces, are required to establish effective know-your-customer checks and continuously monitor transactions for suspicious activity.
• KYC may not be compulsory for all crypto-only exchanges, but these processes should be implemented to manage the risk of money laundering and terrorist financing.
• To complete KYC exchange processes, users need to submit their full name, date of birth, address, social security number, and phone number or email address.

What are the challenges with requiring KYC for crypto users?

Cryptocurrency is built on the basis of not needing to know who someone is to have a transaction with them. Because crypto transactions are traceable on the blockchain, breaking crypto’s anonymity by keeping KYC data on customers can jeopardize users’ financial privacy and attract hackers.

• Crypto is very strong on anonymity and, in a non-face-to-face environment, knowing your customers is a big challenge. This complicates matters considerably in what concerns CDD and KYC programs. How do you determine what constitutes a risk in a crypto environment?
• Another challenge with the crypto space is that it moves fast, it operates 24/7, and it’s borderless. So the challenge is to make sure that there is continuous monitoring of customer activity and, when using automation tools to ID your customers, that these tools have the right capabilities for regulatory compliance.
• The speed at which the crypto industry operates means that the challenge is not only to have policies and controls that actively mitigate risks, but also that are faster operationally. If the onboarding takes too long, the customer may go to someone else.

How will KYC requirements for crypto be approached?

The wheels are already turning on industry-proposed solutions for putting KYC on the blockchain by loading users’ personally identifiable information in encrypted form and unlocking it for those authorized to check credentials. There are solutions like Verite, an open-source framework for proving identity claims in Web3 without exposing sensitive personal information.

It’s best to start with some form of KYC now, rather than wait until official rules and guidelines come in – that might not happen for a while, yet fines for AML violations are already being enforced.

Regology’s Director of Financial Services Industry, Esteban Santana, advised in the recent webinar on crypto: “…many businesses will either be ill-prepared waiting to see how things turn out with the Order or wait until the last day to catch up once regulations are announced. Success depends on preparedness – you either fail to plan or plan to fail.” He recommends:

“Ensure your organization has policies, controls, and procedures that effectively manage risk; this can be accomplished with an AML and know-your-customer compliance management program that not only keeps track of changes but provides associated risks and objectives to minimize risks. If your organization offers a new business product, the KYC and AML are critical regulations for crypto businesses to fully comply with, starting today - don’t wait!”

To gain more clarity around digital assets, download our free eBook on The State of Crypto Regulations & Compliance.