Understanding KYC in Crypto: Process and Importance

Crypto platforms promise instant access and borderless transactions — and that openness is exactly what attracts bad actors. Fraud, money laundering, and terrorist financing all thrive in environments where identities go unchecked. Regulators across the US, UK, EU, and Canada have responded by bringing crypto exchanges under the same identity verification obligations that govern traditional banks.

Yet many crypto firms still treat KYC as an afterthought, discovering the hard way that enforcement is accelerating and the consequences are severe.

This guide covers what KYC actually means in a crypto context, why it's legally required, how the verification process works step by step, and what compliance looks like across major jurisdictions.


TLDR

  • KYC (Know Your Customer) is the identity verification process crypto exchanges and VASPs must complete before allowing users to trade or transact.
  • Legally mandated under the Bank Secrecy Act (US), Money Laundering Regulations (UK), and AML Directives (EU).
  • Covers five stages: customer identification, document verification, liveness checks, sanctions screening, and ongoing monitoring.
  • Non-compliance risks fines, loss of banking access, and platform shutdown; enforcement is tightening globally.

What Is KYC in Crypto?

KYC — Know Your Customer — is the formal process financial institutions use to verify who their customers are before allowing them to access services. For crypto exchanges and virtual asset service providers (VASPs), it's a legal requirement and the foundation of any AML program.

KYC vs. AML: Not the Same Thing

The two terms get used interchangeably, but they're distinct. KYC is the identity verification step that happens at onboarding. AML (Anti-Money Laundering) is the broader compliance program that KYC feeds into — encompassing ongoing transaction monitoring, suspicious activity reporting (SARs), and sanctions screening. KYC is the first and most foundational component of AML, not a synonym for it.

What Makes Crypto KYC Different

Traditional bank KYC happens in branches, with face-to-face interactions and physical documents. Crypto platforms onboard users globally, instantly, and entirely online. That means:

  • No in-person verification — digital-first processes are the baseline, not the exception
  • Global user bases spanning multiple regulatory jurisdictions simultaneously
  • Pseudonymous transactions that make post-hoc tracing difficult without upfront identity anchoring

For this reason, automated screening and biometric verification are structural requirements, not optional add-ons.

Custodial vs. Non-Custodial Wallets

Not every crypto product triggers KYC obligations. The distinction hinges on custody:

  • Custodial wallets (where the exchange holds users' private keys) are operated by VASPs and must comply with KYC rules
  • Non-custodial or self-hosted wallets like MetaMask — where users control their own keys — generally don't, because there's no intermediary bearing legal obligations

FATF's 2021 guidance confirms that peer-to-peer transfers between unhosted wallets aren't subject to AML/CFT obligations under the FATF Standards, since those standards target intermediaries rather than individuals.

Why Crypto KYC Became Necessary

The Liberty Reserve case made the stakes concrete. In 2013, FinCEN designated Liberty Reserve as a primary money laundering concern — the first time that authority had been used against a virtual currency provider. Between 2009 and 2013, an estimated $6 billion passed through the platform, and its founder later pleaded guilty to laundering more than $250 million in criminal proceeds.

The message to regulators worldwide was clear: digital currency platforms that skip identity verification will be treated as money laundering infrastructure.


Why KYC Compliance Is Non-Negotiable for Crypto Companies

The Legal Mandate

KYC isn't optional for VASPs in any major market:

  • United States: Money transmitters operating crypto platforms are regulated under the Bank Secrecy Act by FinCEN
  • United Kingdom: The FCA requires cryptoasset businesses to register and comply with the Money Laundering Regulations
  • European Union: AMLD5 and successive directives apply; MiCA introduces additional CASP obligations
  • Canada: FINTRAC regulates crypto platforms as money services businesses

The financial consequences of getting this wrong are documented. In July 2024, the FCA fined CB Payments Limited — a Coinbase UK entity — £3,503,546 for repeatedly breaching a voluntary requirement by onboarding 13,416 high-risk customers. Those customers deposited approximately $24.9 million that flowed through $226 million in cryptoasset transactions across the Coinbase Group.

Fraud Prevention

According to the FBI's 2025 IC3 Annual Report, cryptocurrency-related complaints reached 181,565 — up 21% year-over-year — with $11.366 billion in total losses. Investment fraud alone accounted for $7.228 billion.

KYC directly reduces identity theft, account takeovers, and the synthetic identity fraud that underpins many of these schemes. You can't steal an account if the platform tied it to a verified, biometrically confirmed identity from the start.

[Figure: 2025 cryptocurrency fraud loss statistics, showing a breakdown of the $11 billion in total losses]

Market Access and Institutional Partnerships

KYC compliance also determines what markets and partners your platform can access. Payment networks, institutional investors, and sponsor banks will not work with crypto platforms that lack credible KYC programs. Mastercard's Crypto Credential framework, for example, requires VASPs to undergo compliance checks and accept identity verification standards before joining the network — cutting off non-compliant platforms from fiat on/off ramps and mainstream payment infrastructure entirely.

The Compliance Expertise Gap

Building a defensible KYC program requires director-level expertise: someone who understands BSA/AML, FATF recommendations, the Travel Rule, and jurisdiction-specific rules. That knowledge doesn't come cheap, and most early-stage crypto firms can't justify a full-time BSA Officer or CAMLO hire.

Fractional compliance leadership fills that gap. Fraxtional has worked with crypto exchanges, wallet providers, and DeFi platforms across the US, UK, and EU, placing named fractional CAMLOs and BSA Officers who take actual ownership of AML obligations rather than serving in a purely advisory capacity. Engagements run on three models:

  • On Demand — project-based, for discrete compliance needs
  • Subscription — monthly retainer for ongoing program support
  • Fractional Advisory — dedicated director with named title use (BSA Officer, CAMLO, and similar)

One Head of Compliance at a crypto lending platform put it directly: "Fraxtional came in, cleaned up our AML framework, and helped us pass review faster than we expected."


How the Crypto KYC Process Works

Compliant KYC is a five-stage process that begins at onboarding and runs for the life of the account.

Step 1 — Customer Identification

The starting point is collecting personally identifiable information (PII). Under 31 CFR 1020.220, US-regulated institutions must collect at minimum:

  • Full legal name
  • Date of birth
  • Residential address
  • Identification number (for US persons, a taxpayer ID; for non-US persons, a passport number or equivalent government-issued document)

Other jurisdictions may require nationality, place of birth, or source of funds information.

Step 2 — Document Submission and Verification

Users submit government-issued photo ID (passport, driver's license, or national ID card) plus proof of address (utility bill, bank statement). Automated tools using OCR and AI cross-reference submitted documents against known templates, check security features, and flag inconsistencies that might indicate forgery or tampering.

Step 3 — Liveness Check and Biometric Verification

A verified document means little if someone else submitted it. Liveness detection requires users to submit a selfie or short video, confirming that the person presenting the ID is physically present rather than a stolen photo or deepfake.

The EBA's remote onboarding guidelines require liveness verification for unattended remote onboarding, with biometric matching using strong, reliable algorithms.

Step 4 — Sanctions and PEP Screening

Before an account goes live, the verified identity is cross-checked against:

  • Global sanctions lists: OFAC (US), HMT (UK), UN, EU consolidated list
  • Politically Exposed Persons (PEP) registers
  • Adverse media databases

Any match requires escalation, enhanced due diligence, or account rejection depending on risk level.

Step 5 — Ongoing Monitoring

Onboarding verification is where KYC begins, not where it ends. Compliant platforms re-screen accounts against updated watchlists, monitor transaction patterns for suspicious activity, and file SARs when thresholds or behavioral indicators are triggered.

The Travel Rule extends this obligation further: for virtual asset transfers above $1,000 (USD/EUR), originating VASPs must pass originator and beneficiary information to the receiving VASP — following the same logic as wire transfer rules that apply to traditional banks.
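
The sketch below is an added example, not code from any platform or vendor named on this page. It covers the Step 1 field check, Step 4 name screening with accent and word-order normalisation, and the Travel Rule threshold from Step 5. The watchlist entries, the 0.85 similarity cut-off, the function names and the reject/escalate policy are all assumptions made for illustration.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watchlist; real entries come from the OFAC, HMT, UN and EU lists.
WATCHLIST = [
    {"name": "Ivan Petrov", "dob": "1970-03-12", "list": "sanctions"},
    {"name": "María José Fernández", "dob": "1965-11-02", "list": "pep"},
]
CIP_FIELDS = ("legal_name", "dob", "address", "id_number")  # Step 1 minimum
TRAVEL_RULE_THRESHOLD = 1000  # USD/EUR, per the text above

def normalize(name):
    """Drop accents, case and punctuation; sort tokens so word order is ignored."""
    flat = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = "".join(c if c.isalnum() else " " for c in flat.lower()).split()
    return " ".join(sorted(tokens))

def screen(name, dob, threshold=0.85):
    """Return (entry, similarity, dob_matches) for each watchlist entry that hits."""
    hits = []
    for entry in WATCHLIST:
        score = SequenceMatcher(None, normalize(name), normalize(entry["name"])).ratio()
        if score >= threshold:
            hits.append((entry, round(score, 2), dob == entry["dob"]))
    return hits

def onboard(applicant):
    """Return (decision, detail). The decision policy here is an assumption."""
    missing = [f for f in CIP_FIELDS if not str(applicant.get(f) or "").strip()]
    if missing:
        return "incomplete", missing
    hits = screen(applicant["legal_name"], applicant["dob"])
    if any(e["list"] == "sanctions" and dob_ok for e, _, dob_ok in hits):
        return "reject", hits
    if hits:  # PEP hit or name-only match: a person must review it
        return "escalate", hits
    return "approve", []

def travel_rule_gaps(transfer):
    """Party records still missing from a transfer above the threshold."""
    if transfer["amount"] <= TRAVEL_RULE_THRESHOLD:
        return []
    return [p for p in ("originator", "beneficiary") if not transfer.get(p)]

if __name__ == "__main__":
    base = {"dob": "1970-03-12", "address": "1 Example St", "id_number": "X0000000"}
    print(onboard({**base, "legal_name": "Petrov, Ivan"}))
    print(onboard({**base, "legal_name": "Maria Jose Fernandez"}))
```

A name-only hit with a different date of birth is escalated rather than rejected, which keeps likely false positives in front of a reviewer instead of silently blocking or clearing them.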


[Figure: 5-step crypto KYC verification process flow, from identification to ongoing monitoring]

KYC Regulations Across Key Jurisdictions

United States

Crypto platforms operating as money transmitters register with FinCEN as Money Services Businesses (MSBs) and comply with the Bank Secrecy Act. Core obligations include:

  • A written AML/KYC program
  • Suspicious Activity Reports (SARs) for transactions that meet reporting thresholds
  • Currency Transaction Reports (CTRs) for physical cash transfers exceeding $10,000

State-level money transmitter licenses can layer additional KYC requirements on top of federal obligations — particularly in states like New York, which requires a BitLicense for crypto businesses.

United Kingdom

The FCA requires cryptoasset businesses to register before offering services to UK customers. Registration brings ongoing obligations under the Money Laundering Regulations, including customer due diligence, transaction monitoring, and SAR reporting to the National Crime Agency.

European Union

AMLD5 (2018) brought crypto-to-fiat exchanges and custodian wallet providers under EU AML law. AMLD6 tightened those rules further. MiCA, which came into full effect in 2024, requires crypto asset service providers (CASPs) to include AML/CFT risk controls as part of their authorisation applications — and permits authorisation withdrawal if those systems fail.

Canada

FINTRAC regulates Canadian crypto platforms as MSBs under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Obligations include KYC at onboarding, ongoing monitoring, Large Virtual Currency Transaction Reports (LVCTRs), and Travel Rule compliance for qualifying transfers.

For crypto firms operating across multiple markets, that regulatory patchwork creates real operational risk. Thresholds differ, reporting formats don't align, and registration requirements vary by country — which is why multi-market compliance programs rarely run on a copy-paste basis.


[Figure: comparison of crypto KYC regulatory requirements across the US, UK, EU and Canada]

Key Challenges of KYC in Crypto

User Friction vs. Compliance Rigour

Thorough KYC protects the platform. Slow, clunky KYC drives users to unregulated alternatives. Research from Signicat found that 68% of consumers abandoned a digital onboarding application in 2022. For crypto exchanges competing on speed, that abandonment rate is a real commercial risk.

Automated KYC is the answer. OCR-based document scanning, real-time sanctions screening, and AI-powered liveness detection can compress verification from days to minutes without sacrificing accuracy or defensibility.

Data Privacy and Breach Risk

KYC generates a concentrated trove of sensitive data: passport scans, selfies, proof of address, biometric identifiers. That makes crypto exchanges attractive targets.

  • Under GDPR (EU) and UK GDPR, KYC data is personal data and must be processed lawfully, stored securely, and retained only as long as necessary
  • The ICO confirms that names, identity numbers, document images, and biometrics all fall within the UK GDPR's personal data definition
  • Firms must conduct data protection impact assessments for biometric processing and implement technical and organisational security controls proportionate to the sensitivity of the data held

The Compliance Expertise Gap

Most crypto startups launch with engineers, product managers, and growth teams — not a seasoned compliance director. Yet building a defensible KYC program requires specific expertise across several areas:

  • Which FATF recommendations apply to your business model
  • How to structure a Travel Rule implementation for your transfer volumes
  • What a FinCEN examination actually looks for
  • How MiCA's CASP authorisation requirements interact with your EU onboarding flows

That knowledge takes years to develop and costs more than most seed or Series A budgets can absorb in a full-time hire.

Fraxtional's directors hold CAMS, Certified Bitcoin Professional, Certified Ethereum Professional, and Certified Cryptocurrency Investigator credentials, and have built AML frameworks for cryptocurrency exchanges, Bitcoin ATM networks, and wallet providers across multiple jurisdictions. Through a fractional advisory engagement, a crypto startup can access a named CAMLO or BSA Officer on a monthly retainer, scaling hours up or down as regulatory complexity or funding cycles change.

Typical engagements run three to nine months, with deliverables spanning KYC/KYB program design, SAR workflows, Travel Rule implementation, and audit-ready documentation.

A co-founder of a crypto wallet described the experience plainly: "We had an AML policy, but it didn't hold up during a sponsor bank review. Fraxtional fixed it within days and helped us avoid a delay in onboarding."


Frequently Asked Questions

What is KYC for crypto?

KYC (Know Your Customer) in crypto is how exchanges and virtual asset service providers verify user identities before enabling trading or withdrawals. Platforms collect government-issued ID and personal information to prevent fraud, money laundering, and terrorist financing.

Do you need KYC to buy crypto?

On most regulated centralised exchanges, yes — KYC is required before buying, trading, or withdrawing cryptocurrency. Some decentralised exchanges (DEXs) and crypto ATMs operate without KYC, but those channels carry greater regulatory and security risks for users.

What documents are typically required for crypto KYC?

Standard requirements include a government-issued photo ID (passport or driver's licence), proof of residential address (utility bill or bank statement), and in most cases a selfie or short liveness video for biometric verification.

Is KYC the same as AML in crypto?

No. KYC is a component of a broader AML program — it handles identity verification at onboarding. AML covers the full compliance picture: ongoing transaction monitoring, suspicious activity reporting, and sanctions screening beyond the initial identity check.

What happens if a crypto company doesn't comply with KYC requirements?

Consequences range from regulatory fines and licence revocation to exclusion from banking networks and platform shutdown. The FCA's 2024 action against CB Payments Limited is a clear sign that regulators now treat KYC failures as enforcement priorities, not technical oversights.