Feb 17, 2025

What Is Crypto KYC and Why Do Exchanges Need It in 2025?

This article covers everything you’ve ever wanted to google about crypto KYC.

Crypto companies, often known as virtual asset service providers (VASPs), have become a visible part of the financial system over the last decade, with terms like “Bitcoin” and “Ethereum” becoming household phrases all over the world. 

According to the FATF, a VASP is a business that conducts virtual asset (i.e., crypto asset) activities or operations on behalf of another person, including exchanges between virtual assets and fiat currencies, exchanges and transfers between forms of virtual assets, the safekeeping of virtual assets, and the provision of financial services related to virtual assets. These may be known by other names on a national level, such as crypto asset service providers in the EU, money services businesses in the US, cryptoasset businesses in the UK, and digital payment token providers in Singapore.

However, as businesses come up with new ways to use virtual assets, money launderers, terrorists, and other criminals have also turned to crypto. This has prompted governments to bring crypto service providers under the scope of Anti-Money Laundering (AML) and Combating the Financing of Terrorism (CFT) regulations. In line with such regulations, governments now require crypto businesses to implement CDD and KYC procedures for their clients.

What is KYC in cryptocurrency?

In many countries, crypto businesses need to comply with AML and CFT regulations. This means applying Customer Due Diligence (CDD) procedures which, among other things, include Know Your Customer (KYC) checks. 

KYC checks aim to identify and verify clients before allowing them to access services or conduct occasional transactions. The minimum information required during the onboarding process is:

  • The client’s full name
  • Residential address
  • Date of birth

The above information then gets compared to government-issued documents submitted by the client.

Since AML and CFT regulations vary drastically by jurisdiction, clients may have to submit other types of personal data (such as the place of birth, nationality, tax code, etc). For example, in the Guidance for the UK Financial Sector, the UK Joint Money-Laundering Steering Group indicates that the information collected as part of the KYC processes may also include wallet addresses and transaction hashes.

During the onboarding process, KYC checks in the crypto industry usually consist of the following steps:

  • Identification—the process of acquiring the client’s personal data
  • Liveness check—the process of determining whether the client is a real person
  • Verification—the process of cross-comparing personal data to government-issued documents
  • Address verification—the process of determining whether the client comes from the claimed region, in order to establish whether the client is from a high-risk country
  • Risk scoring—determining the risk category of the client based on the steps above

To conduct KYC quickly and properly, crypto services often make use of specialized third-party solutions for this process.

Figure (onboarding flow): An example of automated KYC that’s completed in three stages within seconds.

Why do crypto companies need KYC compliance?

KYC is a legal obligation that, in most jurisdictions, applies to the crypto industry as well. For example, the KYC compliance that now affects crypto companies is legally mandated in the US by the Bank Secrecy Act and in the EU by AMLD6. Therefore, most crypto service providers do not allow their customers to buy cryptocurrency or withdraw funds until they pass a KYC check.

However, there are still some crypto services that allow clients to trade without passing KYC. These are usually decentralized, unregulated exchanges, or exchanges from countries where AML regulation is weak. Some exchanges can set withdrawal limits, where KYC is only needed when such limits are exceeded.

In addition to combating money laundering and terrorist financing, KYC can help crypto companies by:

  • Fighting fraud and identity theft
  • Providing transparency
  • Ensuring trust among both customers and partners

In contrast, here are the risks of leaving out KYC at a crypto service:

  • Increased risk of criminal activity
  • Non-compliance with AML regulations that may be applicable
  • Close attention from regulators
  • Lack of trust from partners and customers.

The Crypto Travel Rule: How it relates to KYC

The Travel Rule is a widely discussed topic in the crypto space and demonstrates a change in attitudes to crypto, with attempts at more standard regulation in the field. In summary, the Travel Rule is an obligation requiring the originating VASP (the party sending the crypto) to collect and verify data about the originator and beneficiary, before sending this to the beneficiary VASP (the party receiving the crypto). 

Upon receiving the transaction details, the beneficiary VASP cross-checks the beneficiary’s information provided by the originating VASP against the KYC data it has previously collected, and fulfills any remaining Travel Rule requirements before proceeding with the transfer.

Information about the originator and beneficiary, such as their name, address, date of birth, and often their wallet address (this may be described as the account number in legal documentation), “travels” with the transaction between VASPs or financial institutions, hence the name of the “Travel Rule.”

Despite potential confusion between the Travel Rule and KYC processes, the Travel Rule is only indirectly related to KYC: the two are parallel, independent obligations.

Typically, KYC processes are first conducted when opening an account, such as with a VASP, along with other CDD obligations. Later, whenever a user initiates a crypto asset transfer, Travel Rule requirements may apply, depending on factors such as transaction thresholds and jurisdictions.

The Travel Rule recommends that VASPs like crypto exchanges be required to send and verify originator and beneficiary details whenever a certain value of crypto assets is transferred. While this value is typically over 1,000 USD/EUR, countries are free to set their own thresholds and some countries have no thresholds at all, like the UK. 

More and more authorities around the world are taking the FATF recommendation seriously and now legally require this information to be taken for transfers of cryptocurrencies like Bitcoin and Ethereum as part of AML laws. This is similar to what is already often required for some transfers of fiat currencies.

Compliance with the Travel Rule is essential in many jurisdictions to access crypto services. Since it requires VASPs to collect and verify information about clients, including checks against sanctions lists, this compliance process partially falls within the KYC procedure. However, Travel Rule obligations require collecting information outside the scope of KYC. As such, despite their overlaps, KYC and the Travel Rule are separate requirements under AML regulations.

In short, the Crypto Travel Rule expands on KYC obligations to tackle criminal actors taking advantage of the perceived anonymity of crypto. Like KYC obligations, the legal interpretations of the Travel Rule, if it is implemented at all, vary from authority to authority. 

Sumsub’s Travel Rule compliance solution

Navigating increasingly complicated regulatory landscapes is ever more essential for VASPs, requiring robust compliance solutions. To ensure smooth operations, crypto businesses need to partner with a provider capable of supporting a wide range of protocols and an extensive network of VASPs.

Sumsub has the biggest connectivity on the market, with five protocols on board (CODE, GTR, TRP, Sumsub, and Sygna). With over 1,700 VASPs in its ecosystem and more than 10,000 assets supported, Sumsub’s Travel Rule solution provides comprehensive compliance tools to help service providers efficiently meet regulatory requirements.

Sumsub’s platform includes features for identity verification, transaction monitoring, AML screening, and regulatory reporting, allowing VASPs to comply with the Travel Rule and other mandates while maintaining a seamless and efficient user experience. Additionally, Sumsub effectively manages the “Sunrise Period” and other challenges related to Travel Rule implementation across different jurisdictions.

The key benefits of Sumsub’s Travel Rule solution are:

  • Smooth integration with other Sumsub products: Use the Travel Rule solution alongside user verification, transaction monitoring, and AML check features for detailed transaction information.
  • Popular data exchange protocols: Supports TRP, GTR, CODE, Sygna, and Sumsub custom protocol and email notifications to streamline Travel Rule data exchange. The system automatically chooses the fastest and easiest method to obtain counterparty data.
  • Unhosted wallet verification: Assesses whether the unhosted wallet is owned or controlled by the originator or beneficiary.
  • VASP attribution: Identifies if the virtual asset transaction is with a VASP or an unhosted wallet and establishes the counterparty VASP’s identity.
  • Screening against watchlists: Checks virtual asset transaction participants against global sanctions lists (OFAC, UN, HMT, EU, DFT, etc.) and adverse media.
  • Secure ecosystem: Provides access to the latest verification data and documentation related to other Travel Rule ecosystem members for quick transaction confirmations.
  • Simple solution for interoperability and sunrise issues.
  • Extensive functionality: Allows you to configure specific fields for data exchange to comply with regulations.
  • Crypto wallet scoring: Enables automated transaction rejection based on the wallet’s status.

Projects related to decentralized finance (DeFi), non-fungible tokens (NFTs), and the metaverse are increasingly drawing attention. Future compliance with KYC processes consequently faces significant challenges in terms of an ensuing conflict between safety, anonymity, and legal obligations. As a key part of Web3 is decentralization and increased user control via self-sovereign identity (SSI), this naturally leads to a hurdle regarding KYC compliance, which requires details to be shared. 

There is an argument to be made that the point of DeFi is a lack of centralization, so naturally, it is largely unregulated at present. However, there have been recent controversial calls such as those by the US Treasury and IRS to require KYC from DeFi protocols.  

Meanwhile, the concept of the metaverse or the merging of the physical and digital domains powered by blockchains raises another similar conflict between anonymity, safety, and KYC compliance. While it is unclear what the metaverse will look like, there are signs that authorities like the EU already want to ensure KYC procedures are followed to protect metaverse users. 

Rapid advances in AI and deepfakes also look set to pose significant challenges to KYC compliance, as well as opportunities for improving efficiency in detecting fraud.

Furthermore, due to public concerns regarding NFTs and their environmental impact, another emerging trend is the adoption of energy-efficient consensus mechanisms like Proof of Stake (PoS) and other endeavors to promote green blockchain practices. With this in mind, there is the potential for verification procedures to be more widely used to prove green credentials are genuine.

Case studies

Many criminals seek to take advantage of the perceived anonymity of crypto, which is partly why Sumsub’s verification procedures are so essential for VASPs. 

As an example of the considerable costs that can follow a failure to comply with AML requirements, in 2024 the FCA fined CB Payments Limited, part of Coinbase, £3.5 million, a case that reveals the major financial and reputational risks posed to VASPs.

A comprehensive approach to KYC compliance is also crucial as fraudsters are constantly looking for weaknesses to exploit, which can often involve significant criminal syndicates. A UK-led investigation in 2024, for example, revealed a $1 billion money laundering network that had allowed organized crime groups, drug dealers, and cybercriminals to convert illicit cash into cryptocurrency. 

Even with advanced deepfake detection systems, fraudsters can manipulate individuals who willingly undergo KYC verification. To effectively address this issue, a multi-layered approach that includes transaction monitoring and behavioral anti-fraud measures is crucial. At Sumsub, we use clustering algorithms to identify money mules and prevent them from extracting laundered funds.

Challenges of implementing KYC in crypto

KYC processes can lead to issues when poorly implemented. This includes:

  • Lengthy verification times
  • High rates of false positives 
  • Fraud going undetected
  • Incompatibility with other software
  • High costs.

Crypto businesses that conduct KYC checks have a choice of either using only manual procedures or having assistance from automated procedures. Both options are useful for companies; however, relying on manual checks alone comes with more risks.

The cons of manual KYC checks for crypto

Relying solely on manual KYC checks creates challenges both for businesses and clients.

Costly and slow: If businesses only employ manual KYC procedures, onboarding is likely to take longer, resulting in a lower customer conversion rate.

Security risks: A solely manual approach leads to a higher error rate due to human involvement (a person verifying documents may not always be able to differentiate a forged document from an authentic one).

Top automated KYC solutions for crypto

One possible solution for bringing down costs and speeding up onboarding is KYC automation. Unlike relying solely on the manual approach, automation allows businesses to:

  • bring down associated costs by up to 43% (in Sumsub’s experience)
  • speed up the onboarding process (50 sec. median verification time)
  • ensure that the user has provided an authentic document
  • reduce human error
  • simplify the onboarding process.

Automated KYC is performed by extracting data from provided documents, ensuring that all security features are present, and comparing the document itself to templates. Such an approach not only reduces errors, but also leads to a higher conversion rate thanks to a quick and simple onboarding process.

Sumsub makes this process even simpler with its KYC-compliant Non-Doc Identity Verification service. This means users can verify their identities without the need to scan any documents, allowing them to onboard within 4.5 seconds.

Risks for non-compliant crypto platforms

If a crypto platform does not comply with KYC obligations, its risk varies depending on a range of factors, including the authorities responsible for administering penalties. In short, non-compliant crypto platforms are either at risk of legal, reputational, and security consequences themselves, or pose a financial or security risk to their users.

Non-compliance also runs the risk of reputational damage to VASPs and could even lead to platforms being banned altogether in certain countries. Conversely, compliance may help VASPs attract investors and gain access to fiat currencies, both helping their reputation and liquidity.  

KYC and the State of the Crypto Industry (2025)

Sumsub’s “State of the Crypto Industry” report for 2025 paints a clear picture of an industry at a turning point, showing the need for KYC compliance. A key takeaway is that despite the tightening of regulations, fraud is on the rise, with a 48% increase in fraud rate around the world on average.

Fraud is up in every single region of the world other than APAC, where the fraud rate is down 23%. However, in Africa, it is up a staggering 112%, followed by the US and Canada (up 86%), and the Middle East (up 79%).

Meanwhile, there have been legislative updates to address the rise in use of crypto, such as the EU-wide harmonization of Travel Rule requirements and progression toward Travel Rule compliance in countries like Turkey and Argentina. 

Tighter restrictions affecting crypto in jurisdictions around the world are a major theme in 2025, demonstrating how many countries are working hard to tackle the risks posed by non-compliance with regulations.

Going forward into 2025, Sumsub’s report shows how quickly things are changing and how essential it is to be aware of these changes to avoid falling foul of new laws or increasing exposure to risks.  

FAQ

  • Is KYC mandatory for crypto businesses?

    In most jurisdictions, KYC is necessary for crypto platforms in accordance with AML/CFT laws.

  • What are key KYC compliance requirements?

    Key KYC compliance requirements vary from jurisdiction to jurisdiction, but generally it is essential to collect and verify data to make sure people are really who they say they are. This data is checked against databases like sanctions lists and AML lists to prevent criminal activity.

  • How does automated KYC improve onboarding?

    Automated KYC allows for onboarding in compliance with regulations within a matter of seconds, making it easier to detect fraud while minimizing the likelihood of human error.

  • What are the risks of not implementing KYC?

    KYC obligations are in place to mitigate fraud, money laundering, and other criminal actions. Failure to comply with KYC obligations can put businesses at risk of legal consequences like fines and even closure. This can also damage a business’s reputation among users and investors alike.
