By Eddie Ponce - Compliance and Crypto Industry Expert
You’ve likely heard the phrase, “Know Your Customer (KYC),” before. KYC is a layered identity verification approach that often compares credentials like account information with additional personally identifiable information (PII) and even placement in databases like sanctions lists. In the banking world, a Customer Identification Program (CIP) serves a similar purpose. But what about KYC for cryptocurrency? Surely this less-regulated financial market has a different approach to identity verification? In fact, the reality is that most crypto exchanges and platforms require stringent identity verification, too. So just what does KYC mean for crypto?
KYC is at heart of anti-money laundering because crypto criminals are evolving
KYC and CIP requirements are at the center of anti-money laundering (AML) regulations that govern financial services firms. That’s because people running money laundering rings are adept at stealing identities or even creating synthetic identities from a hodgepodge of sources like stolen, made-up info and information purchased on the dark web. Criminals use ever-successful approaches like phishing and spoofing to acquire the PII needed to mimic someone’s identity.
Complicating matters for the KYC process is the fact that fraudsters are becoming ever-more sophisticated in their methods of illicit activity. Just recently, for example, a fraudster imitated Apple to obtain the passcode to someone’s crypto wallet. What’s worse is that modern criminals also understand how to take advantage of people at their most vulnerable, which can be seen with phone calls mimicking the IRS then asking for back taxes advising people of missed payments. Criminals know exactly what buttons to press to extract personal information from even the most savvy among us.
Crypto users are of course no different and are just as prone to falling for these varied phishing and spoofing scams. Increasing the risk is the fact that many people — including nearly half of US and UK residents surveyed in this cyberthreat awareness study — are ignorant of their personal risk of cybercrime. This lack of awareness makes crypto exchange and other digital platform users even more appealing targets for financial criminals.
Lastly, at the crypto industry’s inception, many exchanges, custody and wallets providers didn’t initially establish robust identity verification processes that were commonplace in the traditional brick and mortar financial services industry. As such, the creation of synthetic identities was given the opportunity to become more commonplace due to the lack of fraud-detection and KYC verification processes common place in the traditional financial services industry.
But all that is changing.
New global requirements mandate KYC for crypto
Regulators are directing more of their attention toward cryptocurrency exchanges and the industry in general. In Europe, for example, the 5th anti-money laundering directive (AMLD5) is geared toward improving the EU’s anti-money laundering and counter terrorism financing efforts. Notably, the directive now includes “providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers.”
Updated guidance from the global Financial Action Task Force (FATF) compels virtual asset service providers (VASPs) to adhere to stringent anti-money laundering regulations. These VASPs must demonstrate “effective procedures to identify and verify, on a risk basis, the identity of a customer, including when establishing business relations with that customer.”
In short, various governments worldwide have already implemented new KYC in crypto regulations to combat money laundering and terrorist financing. Among these various requirements, these regulations tell crypto service providers that they must have sound and effective identity verification processes in place.
An effective KYC program stops crypto related fraud in its tracks
When used appropriately, KYC verification for cryptocurrency customers helps stop financial crime in its tracks. Consider a traditional bank transaction. John Doe goes in-person to a branch where a teller asks for their ID and login information. The teller can also see, in real-time, that John is who he says he is. That’s essentially the KYC philosophy.
In the digital financial services world of neobanks, VASPs, etc., that sort of in person identity verification isn’t of course feasible. However, that doesn’t change the expectation that the KYC philosophy will still apply, so, with the continued growth of the digital financial services sphere, greater reliance is placed on technology to effectively apply an equivalent set of controls to all digital financial services customers, especially crypto (given the irreversibility of blockchain transactions).
Digital KYC processes help deter fraud by making virtual transactions seem more like their in-person counterparts. For example, some cryptocurrency exchanges ask for a password, a login code, and a selfie for identity verification purposes. That’s the crypto exchange or wallet’s way of asking if John is really John.
Adding KYC processes and requirements to the crypto world adds multiple layers of verification (both upfront and behind the scenes) to every onboarding process and each transaction that is executed. Even if a scammer steals John Doe’s crypto exchange login information, they will be hard-pressed to take a selfie that looks like John, pass a liveness test, provide multi-factor authentication or meet device ID specificity unique to the authenticated customer.
We need infrastructure and education for widespread, effective KYC verification
Crypto usage and digital banking for financial institutions are skyrocketing, but so is fraud. Global regulators have made a stand, amending anti-money laundering laws to include VASPs, along with clarifying to traditional financial institutions transitioning to the digital realm that the same requirements apply.
With that in mind, what else is needed to ensure the effective adoption of a digital KYC program to continue to stamp out fraud across the global digital financial services landscape?
In short, infrastructural improvements and education.
Compliance with KYC rules requires a baseline source for authenticating John Doe’s identity. In some countries, government-issued IDs or PII can serve as that baseline. In other locations, establishing an identity baseline is more challenging. The good news is that technology has allowed us to use biometrics (like the login selfie required for crypto platforms) to identify people without official government-issued IDs. Organizations like the UN’s Biometric Identity Management System are helping to bring this to various regions globally.
The next piece of the puzzle is education about KYC, crypto and financial crime. For example, less tech-savvy individuals might not understand how or why a platform can send them ads for the exact shoes they wanted. For those who weren’t raised with smartphones or the internet, this sort of functionality may seem magical. Also, blockchain and cryptocurrencies as a whole have suffered a great deal of incorrect perceptions which go from being the funding source of all illicit activity to customers effectively being “cloaked” to ensure identities were hidden from all. As a result, when people are afraid or simply don’t understand technology, they’re less likely to use it to their benefit.
KYC processes and requirements must continue to evolve to stop criminal activity
The global pandemic has shown us that non face to face transactions are a new normal (that all industries must contend with to some degree) and digital KYC in crypto processes are only becoming more and more commonplace as fraud evolves and smartphones become a key dependency to our day to day transactions. The adoption of digital KYC requirements and protocols could have stemmed the unemployment fraud that skyrocketed during the last two years and the same can be said for the rise in health insurance fraud. With crypto, as more interest blossoms, so too will the fraud that goes with it. In all these cases, compliance with KYC regulations will go a long way toward preventing fraud.
So, each time someone takes a selfie or uses their thumbprint to access digital tools, it becomes a little bit easier to see how we can extend effective KYC verification even beyond the realm of financial transactions and cryptocurrency exchanges. With the increasing improvement in technology, even the anecdotal statement that multi-factor authentication or other KYC protocols “create unnecessary friction to the user experience” will soon disappear.
For crypto, KYC means that crypto exchanges and transactions will be that much safer and secure. Tools like biometrics and multi-factor authentication help ensure that criminals have a harder time mimicking real customers. They make digital interactions feel like traditional in-person conversations with bank tellers and match an individual’s behavior against a baseline of validated “identity truths” that will create an experience that is even more effective than the traditional human process of yesteryear.
As criminal activity changes, KYC techniques will have to evolve to keep pace. It will be exciting to see how identity verification changes over the coming years, especially in a burgeoning and revolutionary industry like crypto.