Crypto KYC Guide: How Virtual Assets Are Regulated

Crypto companies, or virtual asset service providers (VASPs), have become a visible part of the financial system over the last decade, with terms like “Bitcoin” and “Ethereum” becoming household phrases all over the world.Yet, as businesses come up with new ways to use virtual assets, money-launderers, terrorists, and other criminals have also turned to crypto. This has prompted governments to bring crypto service providers under the scope of Anti-Money Laundering (AML) regulations. In line with such regulations, governments now require crypto businesses to implement Know Your Customer (KYC) procedures for their clients.

What is KYC in crypto?

KYC in crypto refers to the actions VASPs take to verify client identities as part of the due diligence process and compliance with regulations.

In many countries, crypto businesses need to comply with AML regulations. This means applying Customer Due Diligence (CDD) procedures which, among other things, include Know Your Customer (KYC) checks. 

KYC checks aim to identify and verify clients before allowing them access to services, or conduct occasional transactions. The minimum information required during the onboarding process is:

• The client’s full name
• Residential address
• Date of birth

The above information then gets compared to government-issued documents submitted by the client.

Since crypto regulations vary drastically by jurisdiction, clients may have to submit other types of personal data (such as the place of birth, nationality, tax code, etc). For example, in the Guidance for the UK Financial Sector, the UK Joint Money-Laundering Steering Group indicates that the information collected as part of the KYC processes may also include wallet addresses and transaction hashes.

During the onboarding process, crypto KYC checks usually consist of the following steps:

• Identification—the process of acquiring the client’s personal data
• Liveness check—the process of determining whether the client is a real person
• Verification—the process of cross-comparing personal data to government-issued documents
• Address verification—the process of determining whether the client comes from the claimed region. The purpose is to determine if the client is from a high-risk country or not
• Risk scoring—determining the risk category of the client based on the steps above

To conduct KYC quickly and properly, crypto services often delegate the process to specialized third-party solutions.

An example of automated KYC that’s completed in three stages within approximately 50 seconds.

Why do crypto companies need KYC?

KYC in crypto is a legal obligation in most jurisdictions. Therefore, most crypto service providers do not allow their customers to buy cryptocurrency or withdraw funds until they pass a KYC check. However, there are still some crypto services that allow clients to trade without passing KYC. These are usually decentralized, unregulated exchanges, or exchanges from countries where AML regulation is weak. Some exchanges can set withdrawal limits, where KYC is only needed when such limits are exceeded.

Benefits of KYC for crypto

KYC can help crypto companies can help by:

• Preventing money laundering and terrorist financing
• Fighting fraud and identity theft
• Providing transparency
• Ensuring trust among both customers and partners

In contrast, here are the risks of leaving out KYC at a crypto service:

• Increased risk of criminal activity
• Non-compliance with AML regulations
• Close attention from regulators
• Lack of trust from partners and customers.

Is KYC mandatory for crypto?

In most jurisdictions, yes. However, the KYC obligations of crypto businesses depend on existing AML laws and how countries implement them. 

Over the past several years, AML laws have made crypto KYC checks mandatory for a wider scope of operations. For example, in 2018, the European Union included crypto-fiat exchanges and wallet providers into the scope of its AML regulations (AMLD5), meaning they must comply with the same rules as financial institutions.

Over time, more services related to virtual assets have been regulated in order to effectively combat money laundering. Therefore, countries, including some of EU members, have begun implementing services specified in the FATF Guidance 2019 and its updated Guidance 2021. These include:

• exchanging between virtual assets and fiat currencies;
• exchanging between one or more forms of virtual assets;
• transfers of virtual assets;
• safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
• participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

KYC and crypto: what’s next?

The updated FATF Recommendations require VASPs and financial institutions engaged in virtual asset transfers to follow the Travel Rule. This means collecting personal data of senders and recipients in a crypto transaction and sharing them with VASPs or financial institutions.

The FATF’s proposed threshold amounts to 1000$/€ for virtual asset transfers. If a transaction amount is lower than the threshold, VASPs can enjoy less stringent requirements. However, countries can establish their own thresholds. 

Since the Travel Rule requires VASPs to collect and verify certain information about the client, including checks against sanctions lists, the compliance process partially falls within the KYC procedure. However, Travel Rule obligations require collecting information outside the scope of KYC. Therefore, it should be noted that, despite their overlaps, KYC and the Travel Rule are separate requirements under AML regulations.

Members of FATF and FATF-style regional bodies are actively implementing the Travel Rule into their respective anti-money laundering (AML) laws. Our data indicates that 98.5% of crypto companies already integrated or plan to integrate Travel Rule solution providers.

Our research also reveals that 55% of crypto companies reported an increase in fraud-related losses connected to applicants. On the other hand, 34% stated that they noticed no change in fraud-related losses this year.

The approach to KYC may also change in the future. With the development of Web 3.0, where decentralization is one of the main components, the idea of SSI (self-sovereign identity) has emerged. So it can be assumed that regulators will be potentially implementing this approach to KYC.

Case studies

Just recently, federal prosecutors in Texas slapped 21 US citizens with criminal charges for allegedly helping transnational criminal groups launder their illicit funds using cryptocurrency. Millions of dollars were “stolen from United States fraud victims through romance scams, business email compromises, technical support schemes, and other fraud schemes.” (source)

The case highlights the importance of a comprehensive approach to fraud protection. Even with advanced deepfake detection systems, fraudsters can manipulate individuals who willingly undergo KYC verification. To effectively address this issue, a multi-layered approach that includes transaction monitoring and behavioral anti-fraud measures is crucial. At Sumsub, we use clustering algorithms to identify money mules and prevent them from extracting laundered funds.

KYC challenges 

KYC solutions can lead to issues when poorly implemented. This includes:

• Lengthy verification times
• High rates of false positives 
• Fraud going undetected
• Incompatibility with other software
• High costs.

Manual and automated KYC checks

Crypto businesses that conduct KYC checks have a choice of manual and automated procedures. Both options are useful for companies, however manual checks come with more risks.

The cons of manual KYC checks for crypto

The implementation of manual KYC checks creates challenges both for businesses and clients.

Costly and slow. If businesses employ manual KYC procedures, onboarding times likely take longer, resulting in a lower customer conversion rate.

Security risks. The manual approach leads to a higher error rate due to human involvement (a person verifying documents may not always differentiate a forged document from an authentic one).

Automated KYC solutions

One possible solution for bringing down costs and speeding up onboarding is KYC automation. Unlike the manual approach, automation allows businesses to:

• bring down associated costs by up to 43% (in Sumsub’s experience)
• speed up the onboarding process (50 sec. median verification time)
• ensure that the user has provided an authentic document
• reduction of human error
• simplify the onboarding process.

Automated KYC is performed by extracting data from provided documents, ensuring that all security features are present, and comparing the document itself to templates. Such an approach not only reduces errors, but also leads to a higher conversion rate thanks to a quick and simple onboarding process.

Crypto fraud and verification statistics (2023)

According to Sumsub’s “State of Verification and Monitoring in Crypto Industry 2023” report, the average verification time decreased among Sumsub’s crypto clients in 2023. In particular, Brazil, Mexico, and Germany stand out as the top three countries with the most significant improvement in verification time. 

---