While the ethos of cryptocurrency may be partly rooted in anonymity, mass adoption and the subsequent increase in fraudulent activities, such as money laundering and terrorism financing, has forced legislators to step in and fill the regulatory void.
Binance and Coinbase, both leaders in crypto trading worldwide, are just two major players that have decided to enforce strong KYC policies, in order to comply with AML and KYC regulations, along with regulatory framework, MiCA. When registering on one of those platforms, users will invariably need to provide a government-issued ID, take a photo identification selfie, as well as provide additional personal data.
This KYC step will be, for many crypto users a relatively new experience. They will surely have undergone KYC in their traditional banking experience, but in the crypto realm, this will be an alien concept, or even the anthithesis of what they expect from a crypto platform experience. Many may look for platforms that have not implemented KYC. But in doing so, they are facing major risk. Let’s first start by looking at what exactly is KYC, and KYC verification.
What is KYC verification?
KYC verification refers to the mandatory step that companies take to ensure their customers are who they say they are. While KYC verification has been a legal requirement for industries like financial services for decades, increasing numbers of other sectors, such as gambling and crypto are beginning to adhere to the same stipulations and regulations.
Discover more about KYC verification on our comprehensive ‘What is KYC’ overview page.
What is KYC in crypto?
A KYC process for a crypto platform is, for all intents and purposes, very similar to a KYC process for a traditional banking service. This is because the goal is the same: to identify and verify customers, and carry out periodic monitoring of account transactions. There are, however, some key differences, that are mainly based on the type of customers using the platform, and their expectations for more streamlined and technologically-enhanced processes.
As traditional banks still tend to rely on in-person interactions, the expectation of a traditional banking experience is for bank staff to check documents, and cross reference photo identity with the applicant onsite. This is especially the case with high value products like iSAs.
As crypto platforms, however, are all exclusively online, firms must onboard customers and complete the KYC process completely digitally. Customers therefore assume and expect a faster, sleeker and more secure cutomer experience of KYC, especially for a community where KYC requirements are only a relatively recently development. To offer a superior online experience, while proactively preventing increased risk of online fraud, crypto firms must therefore employ specific verification tools, such as AI-enabled document verification, advanced biometric selfies and video liveness checks.
One of the major differences between KYC for crypto and KYC for traditional banking is how each does transaction monitoring, and ongoing Customer Due Diligence. When dealing with suspicions of fraudulent activity, like fraud or money laundering, banks can stop or reverese transactions and easily block accounts, but due to the decentralized nature of crypto, transaction monitoring is more complex, by design. Crypto firms must therefore rely on blockchain analytic tools to trace origin and movement of funds.
Why do some crypto users avoid KYC?
People bypass KYC requirements on crypto platforms for multiple reasons. Sometimes, they’re specific to a country or region. For example, in 2018 in India, a 30% crypto tax was imposed, leading many Indian crypto users to exchange crypto and rupee themselves.
Other times, they’re more general. These reasons include:
- Some users believe identity verification goes against the ethos of cryptocurrency;
- Some users fear that submitted documents could be sold to a third party;
- General concerns over data privacy
- Others may want to avoid sanctions, embargoes, or PEP screening lists;
- Illicit organizations looking to access crypto exchanges to launder money;
- Other users may want to evade tax;
- Underage users looking to trade cryptocurrencies.
For these reasons and more, some users may resort to dubious methods to avoid KYC checks.
However, bypassing KYC and identity verification is likely to have not only serious consequences for crypto users, but also cause regulatory difficulties for crypto operators.
Upcoming regulatory regimes.
The Markets in Crypto Assets (MiCA) regulation, which received a majority 517 votes from European Parliament lawmakers in favor of the crypto licensing regime in April 2023, aims to protect investors and preserve financial stability, while allowing for greater innovation in the crypto asset sector.
MiCA will not apply to non-European crypto service providers unless they target EU investors or offer their services in the EU. However, national competent authorities in the EU may require non-European crypto service providers to obtain a MiCA authorization if they provide cross-border services into the EU.
Countries, such as the UK are devising their own national regulatory framework for the crypto market. Read more on UK’s proposed crypto regulations in our blog.
Regulations that apply to crypto companies in Europe.
Fifth Anti-Money Laundering Directive (5AMLD)
The 5AMLD, issued in January 2020, requires crypto asset service providers (CASPs) to comply with anti-money laundering (AML) and counter-terrorist financing (CTF) regulations. CASPs must conduct customer due diligence (CDD), implement risk-based AML programs, and report suspicious transactions to the relevant authorities.
Markets in Crypto-assets Regulation (MiCA)
MiCA is a regulation aimed at creating a comprehensive regulatory framework for crypto assets in the EU. It introduces requirements for issuers of crypto assets, crypto asset service providers, and digital asset custody providers. It aims to establish a consistent and harmonized approach to regulation across EU member states.
General Data Protection Regulation (GDPR)
GDPR, in effect since May 2018, applies to crypto companies that handle personal data of individuals within the EU. It imposes obligations on data controllers and processors, including obtaining consent, implementing data protection measures, and ensuring the rights of data subjects are respected.
Payment Services Directive 2 (PSD2)
PSD2, implemented in January 2018, regulates payment services within the EU. It affects crypto companies that provide payment services or interact with traditional payment systems. PSD2 establishes requirements for strong customer authentication (SCA) and imposes obligations on payment service providers.
Capital Markets and Securities Directive (MiFID II)
MiFID II, in effect since January 2018, applies to crypto companies that provide investment services, such as crypto exchanges or platforms offering crypto derivatives. It introduces requirements for authorization, investor protection, transparency, and reporting.
Various Tax Regulations
Crypto companies operating in Europe must comply with tax regulations applicable to cryptocurrencies. Tax treatment can vary across countries, but typically involves reporting crypto transactions, capital gains taxation, and potential value-added tax (VAT) obligations.
Electronic Money Directive (EMD) and Payment Services Directive (PSD)
The EMD and PSD provide a regulatory framework for electronic money institutions (EMIs) and payment service providers (PSPs). Crypto companies offering services such as crypto wallets, prepaid cards, or remittance services may fall under these directives and must comply with their provisions.
It is important to note that regulations and their application can vary across EU member states. Companies should closely monitor updates from regulatory authorities, seek legal advice, and ensure compliance with the relevant regulations in the jurisdictions where they operate.
Common crypto compliance mistakes.
There are several compliance mistakes that many new crypto companies make when they first launch. These mistakes can lead to legal and financial difficulties, damage to reputation, and hinder long-term growth. Some of the most common mistakes that new crypto firms make with their compliance programs include:
Lack of regulatory compliance.
Ignoring or underestimating the importance of regulatory compliance is a common mistake. Crypto companies need to understand and adhere to the legal and regulatory requirements of the jurisdictions in which they operate.
Failure to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, securities laws, tax obligations, and other relevant regulations can result in hefty fines, legal actions, or even shutdowns. Read more about how the dangers of money laundering in the crypto sector in our latest blog, ‘How criminals leverage non-compliant crypto exchanges for money laundering.’
Inadequate security measures.
Crypto companies must prioritize security due to the highly sensitive nature of the data they exchange. Failing to implement robust security measures, such as strong encryption, secure key storage, and comprehensive cybersecurity protocols, can leave them vulnerable to hacking, theft, and fraud. Breaches can result in significant financial losses, legal liabilities, and erosion of user trust.
Poor risk management.
Effective risk management is crucial in the volatile world of cryptocurrencies. Companies need to identify and assess risks related to market fluctuations, operational vulnerabilities, technological risks, and regulatory changes. Failing to implement risk management strategies, such as diversifying investments, establishing contingency plans, and conducting regular risk assessments, can leave companies exposed to unexpected losses and instability.
Poor governance and internal controls.
Establishing strong corporate governance practices and internal controls is essential for the long-term success of crypto companies. Inadequate governance structures, such as a lack of independent board members or conflicts of interest, can create reputational risks and regulatory scrutiny. Weak internal controls, including inadequate financial reporting or weak auditing practices, can lead to financial mismanagement, fraud, or non-compliance with regulatory requirements.
To avoid these mistakes, crypto companies should invest in robust compliance programs and a dedicated compliance officer, prioritize security measures, and implement effective risk management practices. A KYC program is integral in offering a safe and secure crypto platform.
Regulatory risks of missing KYC.
While KYC processes prevent most users from signing in without proper screening, these restrictions have created a business opportunity on the black market. Indeed, for a small amount of money, marketplaces on different dark webs now offer vetted accounts on crypto exchanges and other payments services.
For prices ranging from $150-$500, you can now buy an approved account on peer-to-peer trading platforms, professional crypto exchanges, or mainstream payment services. These accounts are either created with a fake name, address, and identification documents, or with genuine data obtained by illicit means.
In an investigation from specialized news outlet, CoinDesk, fake accounts on the exchanges Binance US, Coinbase Pro, and payment services Cash App and Wirexwere were reviewed by a reporter. Analysis revealed that most accounts belonged to genuine United States and European citizens, and came with instructions on how to use VPN networks. Most importantly, it was also found that credentials for email addresses were linked to Google Voice numbers, which is sometimes used as a tool by fraudsters to create fake accounts.
Some users went to extraordinary lengths to adopt specific behavioral patterns, for example matching the geolocation of victims, or keeping to transaction limits. It is therefore likely that some users were able to access crypto wallets by using other individual’s accounts, thus evading KYC checks. Fake crypto exchange accounts are just a small subset of the global black ID market; an industry boasting more than 15 billion different types of credentials, as reported by cyber consultancy firm Digital Shadows.
Fraudsters leveraging data for illicit purposes represent a major risk for cryptocurrency platforms and service providers. Regulators including the U.S. Office of Foreign Assets Control (OFAC) have already fined cryptocurrency exchanges like BitGo for violations of U.S. sanctions programs, alleging the platform had allowed – even unknowingly – individuals from Syria, Iran, Sudan, and Cuba to access and use its trading services.
Read more about the the novel, and potentially problematic approach by new crypto platform, Worldcoin to eschew traditional customer onbroading in favour of iris scans.
KYC as a support for crypto market development.
Despite the popularity of the black market trade in verified accounts, it is still possible to mitigate those risks by leveraging robust KYC processes. However, to increase the likelihood of customer adoption, onboarding processes must remain as simple, safe and secure as any other financial service. The robustness of KYC processes must be analyzed and put to the test.
Although crypto enthusiasts might see KYC processes as a diminishing factor for adoption, Binance’s CEO Changpeng Zhao told Bloomberg that implementing such rules had had only little impact on business; just 3% of customers were lost after implementing a robust KYC process.
By using a layered approach and combining different identification methods, crypto platforms can rest assured that their customers are who they say they are. While a selfie in isolation may not keep the fraudsters at bay, when combined with video identification, in addition to collecting official documents, it forms part of a solid and robust KYC process.
KYC processes must be painless for the user, and take place in a user-friendly environment to keep the onboarding experience as seamless and intuitive as possible. Automated identity verification, powered by artificial intelligence and combined with screening mechanisms and geolocation checks, provide an unparalleled solution to mitigate risks brought by fraudsters trying to circumvent KYC processes.
Respecting these conventions will allow exchanges to participate in the democratization and mass adoption of cryptocurrencies, while deterring fraudsters.
Cryptocurrency platforms & KYC mechanisms.
Although it is still possible to buy crypto without completing a KYC check, it is a more complicated and risky thing to do (as such platforms offer no protection if something was to go wrong), when compared with an exchange that complies with KYC requirements.
Crypto firms expanding into the European market now have to comply with the European Union’s Fifth Anti-Money Laundering Directive (AMLD5). As such, platforms should take steps to enhance their KYC and AML procedures (see our Crypto KYC Page), which will ultimately benefit both the users, and the platform itself.
What can traditional banking learn from crypto exchanges? Check out our Fintech Spotlight Interview with crypto and compliance consultant, Brandi Reynolds.
Crypto in KYC — Growth through trust.
By
Jody Houton
Senior Content Manager at IDnow
Connect with Jody on LinkedIn