June 15, 2022 - 7 min read
KYC, an acronym for Know Your Customer, refers to a procedure used by financial institutions to collect and validate the identity of users of their platforms, ensuring those users are not wanted criminals or otherwise barred from doing business. The KYC process also facilitates cooperation with law enforcement in the event of an investigation into criminal activity. This, of course, has made KYC controversial in the crypto community, as significant swathes of early users were philosophically drawn to crypto’s privacy and decentralization aspects.
Compliance with KYC regulations has become an increasingly problematic issue for almost any institution that deals in finance. In addition, financial institutions often pass down those same requirements to those individuals and entities with whom they conduct business. Businesses required to comply with KYC protocols include, but are not limited to:
KYC provides assurances to local authorities and gives comfort to a platform’s users as it protects them from doing business with entities involved in illegal or outlawed activities. Periodic KYC checks also give institutions a better understanding of their customers, which can provide valuable insights like if they have moved to another jurisdiction, engaged in irregular and suspicious activities, and so on.
Mainstream adoption of crypto in particular is unlikely to happen without adherence to KYC regulations in some manner, though ideally there will be a clever solution which can provide the aforementioned assurances to stakeholders without compromising the privacy of onboarded users. Furthermore, our attention would be more effectively spent on electing leaders who will propose thoughtful and well-crafted laws which create as little friction as possible regarding growth and innovation while adequately safeguarding participants.
Traditionally, financial institutions initiate the KYC process by requiring customers to provide some basic identifying information regarding their age, country of origin, source of funds, and proof of identity. The supplied information is verified against publicly available information about the applicant and then checked for any suspicious anomalies.
After reviewing the supplied documentation with the relevant regulatory or law enforcement agencies, the reviewing institution decides whether or not to conduct business with the applicant. Following these preliminary KYC checks, applicants are given a risk rating reflecting their likelihood of passing future KYC checks. In theory this makes future KYC checks faster and more efficient, but it can only scale to a certain extent: any process that interfaces with humans and needs to be checked manually is limited in how effective it can feasibly become.
Whenever an entity’s risk rating crosses above a specified threshold set by the institution, a greater level of scrutiny will be employed to investigate the source. This scrutiny is called enhanced due diligence. A few examples of factors which could adversely affect a customer’s score include:
However, it is becoming increasingly necessary that KYC is done on an ongoing and perpetual basis. Some traditional financial institutions may even choose to conduct standard ID checks at every interaction. Others use progressive risk analysis to assess the risk level of a given transaction, making verification decisions according to algorithmic thresholds. For example, a previously unused account suddenly making quick deposits and withdrawals might not trigger a verification check until multiple withdrawals cross the threshold.
Triggers can also be designed to notify institutions of relevant changes in a customer’s account that are worth flagging. For instance, an account would be flagged for suspicious behavior such as conducting transactions from a location known for high levels of identity theft that is not the account’s country of residence. Proactive approaches allow firms to respond to suspicious behavior quickly, facilitating cooperation with law enforcement and thwarting criminal behavior before it can proliferate.
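The threshold-based triggers described above, as an added illustration that is not code from the original post: a small rule engine walks a customer’s transactions in order, tolerates the first quick withdrawals on a fresh account, fires a verification check only once several withdrawals fall inside a window, adds a geo-mismatch trigger, and escalates to enhanced due diligence when the accumulated score crosses a threshold. All thresholds, country codes and transactions are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed thresholds; a real programme tunes these per institution and risk appetite.
EDD_THRESHOLD = 50                 # score at which enhanced due diligence is required
WITHDRAWAL_LIMIT = 3               # withdrawals inside WINDOW that trip a verification check
WINDOW = timedelta(hours=24)
HIGH_ID_THEFT_COUNTRIES = {"XX", "YY"}   # placeholder codes, not a real watch list

@dataclass
class Customer:
    residence: str
    score: int = 10                # baseline rating assigned at onboarding KYC
    flags: list[str] = field(default_factory=list)

@dataclass
class Txn:
    when: datetime
    kind: str                      # "deposit" or "withdrawal"
    amount: float
    country: str                   # where the transaction originated

def assess(cust: Customer, txns: list[Txn]) -> Customer:
    """Apply progressive risk triggers to a transaction history, mutating and returning cust."""
    recent_withdrawals: list[datetime] = []
    for t in sorted(txns, key=lambda t: t.when):
        # Geo trigger: foreign location with a high identity-theft rate.
        if t.country != cust.residence and t.country in HIGH_ID_THEFT_COUNTRIES:
            cust.score += 25
            cust.flags.append(f"geo_mismatch:{t.country}@{t.when:%H:%M}")
        # Velocity trigger: quick withdrawals are tolerated until WITHDRAWAL_LIMIT
        # of them land inside WINDOW; only then does the check fire.
        if t.kind == "withdrawal":
            recent_withdrawals = [w for w in recent_withdrawals if t.when - w <= WINDOW]
            recent_withdrawals.append(t.when)
            if len(recent_withdrawals) == WITHDRAWAL_LIMIT:
                cust.score += 20
                cust.flags.append(f"withdrawal_velocity@{t.when:%H:%M}")
        # Escalation: crossing the threshold triggers enhanced due diligence once.
        if cust.score >= EDD_THRESHOLD and "edd_required" not in cust.flags:
            cust.flags.append("edd_required")
    return cust

# Constructed sample: a dormant account funded and drained within a morning.
T0 = datetime(2022, 6, 15, 9, 0)
SAMPLE = [
    Txn(T0, "deposit", 5000, "US"),
    Txn(T0 + timedelta(minutes=5), "withdrawal", 1500, "US"),
    Txn(T0 + timedelta(minutes=20), "withdrawal", 1500, "US"),
    Txn(T0 + timedelta(hours=2), "withdrawal", 1900, "XX"),
]

def demo() -> Customer:
    return assess(Customer(residence="US"), SAMPLE)
```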
Unfortunately, the responsibility and workload of adhering to the KYC regulations of multiple stakeholders places burdensome costs on financial institutions and, more importantly, on young startups in the crypto space. Additionally, KYC checks need to be maintained and kept up to date as regulatory changes take place, world events unfold, or new products are offered which might require compliance documentation.
In other words, not only do people move and geopolitical forces evolve, but the scrutiny and types of KYC checks have and will evolve over time. This means that institutions need employees or software which can contact their customers periodically to request KYC information and remain compliant with regulations.
The burden is also shared by users, since they are required to update their KYC information in a timely manner; failing to do so can result in frozen or lost funds in the case of some crypto protocols. This is especially true for multi-banked corporates and crypto firms, which often receive enormous volumes of KYC requests from each of the banks and individuals they do business with.
SWIFT’s KYC Registry offers a centralized solution for handling KYC compliance upkeep for financial institutions and their customers. It is a central repository that stores and refreshes KYC data for entities, gives access to those who need it, and otherwise indexes and guards it. The advantage of such a solution is that it facilitates regulatory compliance through standardization and centralization of KYC information and its exchange between the relevant stakeholders. Perhaps advances in cryptography can be applied to this end in order to mitigate the need for centralized solutions.
In recent years, KYC has been highly controversial in the crypto space, not to mention a challenging regulatory hurdle to overcome. DeFi has been mainly characterized by allowing customers to remain anonymous and therefore foregoing the KYC process, leading even centralized crypto services to remain reluctant until being nudged by regulators.
Indeed, even the most reluctant firms like Binance and BitMEX have been compelled to introduce more stringent KYC procedures at the behest of US, UK, and Japanese regulators. One by one, centralized exchanges began either adopting and enforcing the stringent KYC procedures dictated by various regulatory bodies or unceremoniously sending out notices that they were no longer serving users from certain countries of origin. Their hands were forced.
Despite adopting these KYC procedures, prosecutors in the US still charged BitMEX CEO Arthur Hayes with a variety of violations including insufficient KYC standards. The next year, BitMEX announced that all its users had been KYC’d before a $100 million settlement with US regulators.
Thus far, KYC requirements have not exactly applied to DEXs or other dApps, meaning DeFi has found itself operating in a gray legal area, though crypto opponents are now using this as a weapon of attack, like Senator Liz Warren for instance. Of course, the pretense of Russians using crypto to evade sanctions is being used as a bludgeoning legal tool to enforce compliance. Previously, dApps avoided banking regulations under the arguments that there were no parties to act as financial intermediaries, custodians, or counterparties.
Web3 KYC will require a more clever and thoughtful approach in its architectural design. Streamlined and seamless KYC that is ongoing but private will be critical to ensure that all data remains encrypted while still safeguarding users from falling out of compliance with regulators. This aligns Web3 with various legal regulations and sidesteps attacks against it for harboring money-launderers.
Nevertheless, some improvements can still be made regarding privacy protections so as to ease the anxiety of those reasonably concerned with digital identities and privacy concerns, not to mention the potential for corruption and abuses of power. Otherwise, it should be expected that regulators will crack down harshly if their stringent KYC requirements aren’t met to their satisfaction. Tradeoffs and innovations are DeFi’s only paths forward regarding the implementation of KYC measures.
Decentralized oracles should facilitate ongoing, perpetual KYC while safeguarding users’ privacy. This would eliminate the need for manual periodic KYC reviews, so long as the checks are done using zero-knowledge safeguards. Oracles used for this function significantly mitigate the risk of criminal activity taking place undetected for significant periods of time.
By continuously monitoring for suspicious activity using decentralized oracles and zero-knowledge cryptography, perpetual KYC refreshes guarantee and even optimize regulatory compliance and transparency without sacrificing data privacy rights. In addition to improving the user experience, perpetual KYC demonstrates the compliance and transparency needed for Web3 to continue gaining legitimacy in the eyes of regulators worldwide.