Know Your Customer (KYC)

The foundational step where a user's identity is confirmed using official documents. This typically involves:

• Document Collection: Submission of government-issued IDs (passport, driver's license).
• Biometric Verification: Use of facial recognition or liveness checks to match the person to the document.
• Data Validation: Cross-referencing submitted information with trusted databases.

The ongoing process of assessing a customer's risk profile. It involves:

• Risk Categorization: Classifying customers as low, medium, or high risk based on factors like location, transaction patterns, and occupation.
• Beneficial Ownership: Identifying the natural persons who ultimately own or control a legal entity client.
• Ongoing Monitoring: Continuously reviewing transactions to ensure they are consistent with the customer's known profile.

A critical component where customer data is checked against global watchlists and sanctions lists to prevent illicit finance. This includes:

• PEP Screening: Identifying Politically Exposed Persons who may pose a higher risk.
• Sanctions Lists: Checking against lists from bodies like OFAC, UN, and EU.
• Adverse Media: Screening for negative news related to financial crime.

The regulatory requirement to maintain detailed records of all KYC/AML procedures. Key aspects are:

• Data Retention: Storing identity documents, transaction records, and risk assessments for a legally mandated period (often 5+ years).
• Audit Readiness: Ensuring all processes are documented and reproducible for regulatory examinations.
• Data Privacy: Securing sensitive personal information in compliance with regulations like GDPR.

The principle that the intensity of KYC measures should be proportionate to the assessed risk. This means:

• Simplified Due Diligence (SDD): For low-risk customers (e.g., retail clients in regulated jurisdictions).
• Enhanced Due Diligence (EDD): For high-risk customers, requiring additional information, senior management approval, and more frequent monitoring.
• Dynamic Adjustments: Ability to escalate or de-escalate scrutiny based on changing customer behavior.

KYC is a legal requirement for regulated financial institutions, including centralized crypto exchanges (CEXs) and custodial services. The process involves collecting and verifying:

• Government-issued ID (passport, driver's license)
• Proof of address (utility bill, bank statement)
• Biometric data (in some jurisdictions)

This creates an audit trail linking a real-world identity to a blockchain address, fulfilling Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) obligations.

For platforms like Coinbase, Binance, and Kraken, KYC is mandatory for account creation and full functionality. The typical flow is:

1. Document Submission: User uploads ID and a selfie.
2. Automated Verification: AI-powered systems check document authenticity and liveness.
3. Sanctions Screening: The user's details are checked against global watchlists (e.g., OFAC).

Failure to complete KYC restricts features, often limiting withdrawals, trading pairs, or deposit amounts.

Most DeFi protocols (e.g., Uniswap, Aave) are non-custodial and do not require KYC, as they are software running on smart contracts. However, regulatory pressure is increasing through:

• Front-end KYC: Regulators may target the interface (website/app) users access.
• Protocol-Level Proposals: Ideas like "zero-knowledge KYC" use cryptographic proofs to verify eligibility without revealing identity.
• Privacy Coins: Assets like Monero (XMR) and Zcash (ZEC) are designed to obscure transaction details, presenting a direct challenge to KYC/AML frameworks.

The Financial Action Task Force (FATF) Travel Rule requires Virtual Asset Service Providers (VASPs)—which include exchanges and custodians—to share sender and recipient KYC information for transactions above a threshold (often $/€1000). This creates significant technical challenges for cross-border crypto transfers, leading to solutions like:

• Travel Rule protocols (e.g., TRP, IVMS 101)
• Inter-VASP messaging systems to securely transmit required data.

An emerging paradigm that uses blockchain to give users control over their verified credentials. Instead of submitting documents to every service, a user obtains verifiable credentials (e.g., a KYC attestation from a trusted issuer) and can present cryptographic zero-knowledge proofs to prove they are verified without revealing the underlying data. Projects like Ontology and Sovrin are building infrastructure for this privacy-preserving approach to compliance.

KYC requirements are not uniform and vary significantly by jurisdiction, creating a complex landscape for global crypto businesses.

• Stringent: The EU (with MiCA), the UK, and Singapore have comprehensive frameworks requiring strict KYC for VASPs.
• Evolving: The United States applies a patchwork of state (NY BitLicense) and federal (FinCEN) rules.
• Restrictive: Some countries like China have banned crypto exchanges entirely.
• Permissive: A few jurisdictions have more lenient or unclear rules, though FATF guidance is pushing for global standardization.

Customer Due Diligence (CDD) is the process of collecting and assessing information about a customer to evaluate their risk profile. It is the practical implementation of KYC principles. CDD involves:

• Standard CDD: Basic identity verification for lower-risk customers.
• Enhanced Due Diligence (EDD): Additional scrutiny for higher-risk customers (e.g., Politically Exposed Persons (PEPs), high-net-worth individuals, or customers from high-risk jurisdictions).
• Ongoing Monitoring: Continuously reviewing transactions and updating customer information. CDD measures help institutions understand the nature of the customer's activities and ensure they are consistent with the expected risk profile.

The Travel Rule is a specific AML regulation requiring Virtual Asset Service Providers (VASPs)—such as cryptocurrency exchanges—to share originator and beneficiary information for transactions exceeding a certain threshold (e.g., $3,000 in the U.S.). It extends traditional bank wire transfer rules to the crypto ecosystem. Compliance requires:

• Identifying the sender (originator) and receiver (beneficiary).
• Securely transmitting this KYC information between VASPs.
• Maintaining records. This rule creates significant technical and interoperability challenges for decentralized protocols and has led to the development of solutions like the InterVASP Messaging Standard (IVMS 101) and proprietary VASP-to-VASP communication networks.

Proof of Personhood is a cryptographic or sybil-resistance mechanism that aims to verify a unique human identity without necessarily linking it to real-world identity documents (a key distinction from KYC). The goal is to prevent bot manipulation and ensure fair distribution in decentralized systems. Approaches include:

• Biometric verification (e.g., Worldcoin's orb).
• Social graph analysis and web-of-trust models.
• Government-issued e-ID integration. While KYC is a regulatory tool for financial compliance, Proof of Personhood is often a technical tool for governance, airdrops, and resource allocation in DAOs and blockchain networks, focusing on uniqueness rather than legal identity.

The foundational component of KYC, a Customer Identification Program (CIP) is a set of procedures a financial institution must follow to verify the identity of a person opening an account. Key requirements include:

• Collecting Personally Identifiable Information (PII) such as name, date of birth, address, and identification number.
• Verifying this information using reliable, independent source documents or data.
• Maintaining records of the information used for verification.
• Determining if the customer appears on any government lists of known or suspected terrorists.

Anti-Money Laundering (AML) is the broader regulatory and legal framework designed to prevent criminals from disguising illegally obtained funds as legitimate income. KYC is a critical first step within an AML program. Key AML activities include:

• Transaction Monitoring: Continuously screening transactions for suspicious patterns.
• Suspicious Activity Reporting (SAR): Filing reports with financial intelligence units (e.g., FinCEN).
• Sanctions Screening: Checking customers against government-issued lists of prohibited entities.
• Risk-Based Approach: Applying enhanced due diligence for higher-risk customers.

Decentralized Identity (DID) is a blockchain-based approach to identity management where users control their own verifiable credentials without relying on a central authority. This technology offers a potential paradigm shift for KYC by enabling:

• Self-Sovereign Identity (SSI): Users hold and present credentials (like a verified KYC attestation) from their digital wallet.
• Selective Disclosure: Sharing only the specific data required (e.g., "over 18") rather than a full document.
• Reusable KYC: A single verified credential can be used across multiple services, reducing friction.
• Privacy Preservation: Minimizes the exposure and centralized storage of sensitive PII.

The Travel Rule is a critical AML regulation requiring Virtual Asset Service Providers (VASPs) to share sender and recipient information during cryptocurrency transactions above a certain threshold (e.g., $/€1,000). It mandates:

• Originator Information: The sending VASP must obtain and transmit the originator's name, account number, and physical address.
• Beneficiary Information: The receiving VASP must obtain and verify the beneficiary's name and account number.
• Inter-VASP Communication: Secure transmission of this data, often using protocols like the InterVASP Messaging Standard (IVMS 101). Non-compliance poses significant legal and operational risks for crypto businesses.

Zero-Knowledge Proofs (ZKPs) are cryptographic methods that allow one party (the prover) to prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement itself. Applied to KYC, ZKPs enable:

• Privacy-Preserving Verification: A user can prove they are a verified, accredited, or sanctioned individual without revealing their underlying identity data.
• Proof of Compliance: A service can demonstrate it has performed KYC checks without exposing customer PII.
• Minimal Data Transfer: Supports the principle of data minimization required by regulations like GDPR.

On-chain analytics involves using specialized software to track, cluster, and analyze blockchain transaction data. It is a crucial post-KYC tool for ongoing due diligence and AML compliance. Core functions include:

• Address Clustering: Linking multiple wallet addresses to a single entity or service.
• Transaction Graph Analysis: Mapping the flow of funds to identify patterns and connections.
• Risk Scoring: Assigning risk scores to wallets based on their interaction with high-risk entities (mixers, darknet markets).
• Source of Funds (SoF) Verification: Tracing the origin of deposited funds to assess legitimacy. Tools like Chainalysis, Elliptic, and TRM Labs are industry standards.