What is AML/KYC in Crypto?

Table of Contents

  1. Introduction
  2. AML vs KYC: How are they different?
  3. What is Anti-Money Laundering (AML)?
  4. What is “Know Your Customer” (KYC)?
  5. Inside Know-Your-Customer
  6. Who Needs to Comply with KYC?
  7. Why is KYC/AML important?
  8. Weaknesses of AML/KYC
  9. AML/KYC and crypto in 2020

 1. Introduction

In the last few years, Know-Your-Customer (KYC) identity verification procedures have become vital to ensuring that Anti-Money Laundering (AML) and Combating-the-Financing-of-Terrorism (CFT) efforts to curb cryptocurrency-associated crime are successful.

While AML regulators have targeted “traditional” money laundering since the 1930s, the Prohibition era of crime bosses like Al Capone, current AML operations aim to ensure that technological innovations such as cryptocurrencies do not outpace the regulatory requirements that traditional financial assets are subject to. So far, the cryptocurrency industry has tried to boost AML efforts by employing KYC and Know-Your-Transaction (KYT) processes to verify the real parties behind digital identities and the origins of transactions. However, new regulations issued since 2018 by leading AML watchdogs such as the Financial Action Task Force (FATF) and the U.S. Financial Crimes Enforcement Network (FinCEN) show that more is needed in 2020.

This article takes a closer look at what is meant by AML/KYC, how KYC fits into AML efforts, the history of AML/KYC, who needs to adhere to it, the limitations of current KYC, and how the crypto industry is affected.


A Brief History of AML Regulations

Global AML regulation is heavily influenced by the policies that shape the United States’ approach to money laundering. The cornerstones of the U.S. fight against money laundering are two legislative acts, the foundational Bank Secrecy Act (1970) and Title III of the Patriot Act (2001), created to combat money laundering and terrorism funding respectively.

The BSA was a landmark law that forced financial institutions to join the government in the fight against money laundering and laid the foundation for a subsequent wave of AML regulation, most notably the Money Laundering Control Act (1986) and the Anti-Drug Abuse Act (1988). It remains at the forefront of AML legislation today and requires financial institutions to keep track of funds exceeding $10,000 that flow into and out of the U.S.

However, it wasn’t until the release of Title III of the USA Patriot Act (also known as the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001) that the implementation of Know Your Customer (KYC), which forces financial institutions to comprehensively vet who they do business with, really took off.

The Patriot Act, which aimed to eradicate the funding of terrorism through the financial sector, embedded KYC, also known as the Customer Identification Program (CIP), into the BSA as part of U.S. AML policy.


Due to the United States’ influence as the world’s leading economic powerhouse, its KYC measures soon spread globally, leading to sweeping reforms in the world’s most eminent financial jurisdictions.

In 2018, FinCEN’s Customer Due Diligence Requirements for Financial Institutions (the CDD Rule) amended the BSA regulations that implement the Patriot Act’s KYC mandate, making CDD clearer to understand. Financial institutions now adhere to four principles: 1) identify and verify the identity of customers, 2) identify and verify the identity of beneficial owners, 3) develop risk profiles by understanding the nature and purpose of customer relationships, and 4) conduct ongoing, risk-based monitoring for suspicious activity while maintaining and updating customer records.

2. AML vs KYC: How are they different?

The terms “AML” and “KYC” are often combined or used interchangeably in finance; however, this is not entirely accurate.

Both are risk-based approaches to money laundering, but while AML and KYC software often work in tandem to whitelist customers, manage risk and monitor transactions, there is significant separation in the scope of their objectives. 

The confusion between what constitutes AML and KYC is a minefield for financial institutions, often resulting in fines and penalties. Companies have to ensure they incorporate a comprehensive AML program, not only KYC. 
Anti-Money Laundering (AML) is a complex framework of strategies, rules, and regulations to combat money laundering, while Know-Your-Customer (KYC) is a process that only identifies and authenticates the customers of financial institutions based on their perceived risk profile. 

KYC is essentially a small cog in the big AML wheel, helping financial institutions verify the real identities of their customers. AML regulations require companies to submit risk reports, perform diligence processes before accepting new customers and report suspicious activities. Regulated entities that fail to comply with AML regulations face severe penalties and possible criminal prosecution. 

Combating the Financing of Terrorism (CFT)

Combating the Financing of Terrorism (CFT) is a set of procedures that investigate, analyze and deter the funding of terrorist activity, helping authorities to bring terrorists to justice and isolate terror-promoting countries. CFT came to prominence after September 11, 2001, and is so closely intertwined with AML efforts that the G20 watchdog, the Financial Action Task Force (FATF), refers to its policy as AML/CFT, as set out in its 40+9 Recommendations.

3. What is Anti-Money Laundering (AML)?

Anti-Money Laundering (AML) is a comprehensive set of processes, regulations and rules that together cohesively combat money laundering, terrorism funding and other financial crimes such as identity fraud.

AML aims to detect and disrupt money laundering activity, which normally happens in three stages: placement, layering and integration.

Led by AML watchdogs like the Financial Action Task Force (FATF), countries develop their own measures to combat domestic money laundering, and policies can differ greatly from country to country. 

A financial institution’s AML policy should adhere to its domestic AML regulations and usually include these processes:

  • KYC procedure: Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD)
  • Risk-based anti-money laundering policies
  • Ongoing risk assessment and monitoring
  • AML Compliance training for company staff
  • Internal Audits and Controls

4. What is “Know Your Customer” (KYC)?

“Know Your Customer” (KYC) is a compliance process that financial institutions and certain companies employ to collect identity-establishing credentials from new customers who open accounts at their firms. It is a preventative measure that helps to clamp down on money laundering, terrorism funding and other criminal behavior such as fraud. For example, in traditional finance a new customer has to share an identification document (such as a passport) before opening a bank account, while in the cryptocurrency industry users who want to register an account at a digital exchange need to upload their ID documents, a current picture of themselves and more.

The KYC compliance process usually aims to establish a system for effective risk management, transaction monitoring, and customer acceptance policies, so that the company can be protected and ascertain the true origins of a new customer’s funds. There is no standardized KYC format that applies to all businesses. Instead, regulators largely leave it up to financial institutions to decide what information they collect.

KYC can be divided into two standard risk-mitigation layers that are recognized and used around the world. These are Customer Due Diligence (CDD) and Enhanced Customer Due Diligence (EDD). Customer Due Diligence is a basic procedure to identify and profile new customers, while EDD is conducted on higher-risk customers through additional questioning and profiling. 

Customer Due Diligence (CDD)


Customer Due Diligence (CDD) is the KYC process in which a financial institution does a background check on a potential new customer prior to onboarding. CDD is done in order to understand the risk a new customer brings to your business, which may include illicit financial behavior, AML/CFT transgressions or a poor credit history.

Enhanced Due Diligence (EDD)

Enhanced Customer Due Diligence (usually referred to as either EDD or ECDD) is, as its name suggests, a more sophisticated KYC process that conducts a deeper risk assessment when dealing with a potentially high-risk or high-net-worth new customer or partner. EDD focuses on areas of investigation that fall outside the capabilities of the more basic CDD process. It is usually conducted manually by skilled compliance officers and can be quite subjective by nature, depending on the financial institution’s risk tolerance.

EDD sprang into existence with the USA PATRIOT Act of 2001, when financial institutions such as offshore and private banks were suddenly required to conduct better screening of their clients.

What are the requirements for Enhanced Due Diligence? 

Section 312 of the Patriot Act requires that institutions:

 “shall establish appropriate, specific, and, where necessary, enhanced due diligence policies, procedures, and controls that are reasonably designed to detect and report instances of money laundering through those accounts.”

In a 2006 article in ACAMS Today (Association of Certified Anti-Money Laundering Specialists), AML specialist Peter Warrack suggested that in order to mitigate various risks and establish regulatory compliance, EDD procedures should:

  • be consistent
  • be “rigorous and robust” (documented in detail and immediately accessible to regulators)
  • achieve “reasonable assurance” when assessing the customer’s risk rating
  • identify adverse risk and information
  • gauge the customer’s ability to launder money and fund terrorism

5. Inside Know-Your-Customer

What are the objectives of KYC?

The KYC process helps financial institutions (FIs) like banks and cryptocurrency exchanges mitigate the risk of being intentionally or unintentionally exploited by bad actors in order to conduct illicit financial behavior, launder money or fund terrorism. It also fosters a better understanding between the FI and its customers, helping to manage expectations and determine the best investment options available. 

When conducting a KYC assessment before doing business with a new customer, a financial institution (FI) needs to look at two elements, namely facts and behaviors:

Facts: FIs try to establish what they know about the customer and the information that was provided. Is it accurate, and can it be used to set expected behavior parameters when compared with their whole customer base?

Behaviors: Once KYC facts have been verified as accurate, FIs can next focus on the customer’s behavior, to see whether their transactions adhere to the law and remain in line with the previously established facts. If their behavior is not as expected, then either the “facts” were erroneously reported or there is suspicious activity happening that should be further investigated and likely reported to authorities.

How is a KYC policy created? 

Companies that implement KYC usually build their policy around four core pillars:

  • Customer Acceptance Policy
  • Customer Identification Procedures
  • Monitoring of Transactions
  • Risk Management

Based on these pillars, a KYC investigation normally involves the following parts:

  • Collecting and studying personally identifiable information (PII), known in the U.S. as a CIP (Customer Identification Program). 
  • Screening of the PII (which usually includes the real name, address, birth date and more of the customer) against worldwide AML/CFT or Politically Exposed Person (PEP) lists and adverse public information (such as media reports).
  • Determining the risk a customer poses in terms of money laundering, terrorism funding, and other illicit behavior. 
  • Creating and assessing a client profile based on their financial history
  • Monitoring a customer’s transactions against expected behavior standards, based on the profiles of the customer and their peers.

6. Who Needs to Comply with KYC?

In order to verify the identity of a new potential customer, financial institutions like banks need to check (and periodically review) a user’s identifying documents. Let’s take a look at what is required from different parties. 

KYC and Customers

First off, new customers will need to submit requested documents, which may include: 

Identity documents

  • Photo ID document issued by government
  • Driver’s Licence
  • Passport
  • Voter identification card
  • Social Security Number
  • Permanent Account Number (PAN) card

Proof of Address

  • Utility bill
  • Recent bank statement
  • Rental agreement

KYC and Traditional Banking

In addition to these basic KYC measures, banks need to also undertake periodic record updates, assign a risk level to each customer and monitor their transactions. 

According to Forbes, banks should collect KYC data from account holders or entities with which they have a business relationship, from beneficiaries that use professional intermediaries like stockbrokers and chartered accountants, and from any associated person or entity that poses a risk to the bank.

Banks should at a minimum employ these KYC and AML Best Practice tips to ensure due diligence and protect the security of their operations:

  • Randomly request and collect multiple identification sources from high-value clients during the first onboarding procedure
  • Place a higher-risk score on users that are identified as politically exposed persons (PEP)
  • Undertake simple but random ID checks on customer accounts throughout their duration.

KYC and the Investment Industry (FINRA Rule 2090)


The financial investment industry in the U.S. uses specific KYC measures that comply with the Financial Industry Regulatory Authority (FINRA)’s Rule 2090 (Know Your Customer) and Rule 2111 (Suitability). These rules are not just there to please regulators; they also help financial institutions better understand the needs and limitations of their customers and treat them fairly.

FINRA is a non-governmental Self-Regulatory Organization (SRO) that ensures financial institutions comply with the Bank Secrecy Act. FINRA is in turn regulated by the SEC.

FINRA’s KYC Rule 2090 determines that a broker should use “reasonable effort” when dealing with customers. This extends to essential record-keeping and knowing who else can authorize transactions on the customer’s behalf. 

KYC and the Crypto Industry

With the crypto industry only a decade old and still largely unregulated, it took a few years for KYC procedures to make their appearance.

However, with FinCEN’s recent definition of many crypto-related enterprises as “money service businesses” (MSBs), and the joint warning it issued with the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) in November 2019, stating that crypto businesses need to comply with the Bank Secrecy Act (BSA) or face the consequences, it is now clear that exchanges will need to seriously ramp up their compliance efforts to escape punitive measures from authorities.

KYC in crypto: Usually after registration, not before

Probably the biggest difference between crypto exchanges and traditional financial institutions is that crypto exchanges usually apply KYC after, not before, a user is signed up.

A leading blockchain analytics company recently reported that a third of the top 120 exchanges have weak KYC verification systems and that two out of three exchanges lack strong KYC programs. This is especially problematic when considering the new FATF Recommendation 16 requirement that virtual asset service providers (VASPs) like exchanges collect and share beneficiary and recipient transaction data with each other where transmittals over $1000 are made.

This is certain to make a majority of exchanges non-compliant with the FATF’s “crypto Travel Rule” and force these VASPs’ countries to take strong action against them.

What types of KYC processes are used by exchanges?

Most crypto exchanges allow users to register an account without conducting a full KYC onboarding process. As exchanges control the amount of crypto that can be deposited and withdrawn from their custodial platforms, most exchanges use a tiered level-system where a user is forced to provide more information in order to add or withdraw a bigger amount of cryptocurrency. 

Often though, for users with small portfolios, no KYC is needed, much to the chagrin of regulators, who are aware that criminals can spread their assets over hundreds of individual accounts. While this situation was prevalent a few years back, recent regulations and punitive actions by authorities such as FinCEN vs BTC-e have forced most reputable exchanges to employ at least some type of KYC protocol.

Crypto exchanges’ KYC efforts generally fall in one of 3 categories:

  1. No KYC: an exchange allows a new user to open an account without any KYC check, but with very limited functionality (e.g. no withdrawals)
  2. Basic KYC: an uploaded ID document and photo, with a fixed small deposit and withdrawal limit
  3. Full KYC: users who want to deposit, withdraw and transmit large sums of crypto need to complete a more comprehensive KYC verification
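The tiered model above, together with the $1000 Travel Rule threshold cited earlier and the principle of monitoring transactions against a customer’s expected behavior, can be expressed as a small policy check that an exchange’s withdrawal service would run before releasing funds. The following is an added example written for this article, not code from the original post or from any exchange or from Sygna Bridge; the per-tier caps, the 5x deviation factor and the sample customers are constructed assumptions, and the PEP handling follows the Forbes-cited advice above to score politically exposed persons as higher risk.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from statistics import mean


class KycTier(Enum):
    """The three categories of exchange KYC described above."""
    NONE = 0    # account opened, nothing verified: very limited functionality
    BASIC = 1   # ID document and photo uploaded: fixed small limits
    FULL = 2    # comprehensive verification: large transmittals permitted


# Constructed daily withdrawal caps in USD; None means no cap at this tier.
# Real exchanges set their own figures; these values are illustration only.
WITHDRAWAL_CAP_USD = {KycTier.NONE: 0.0, KycTier.BASIC: 2_000.0, KycTier.FULL: None}

# Threshold cited in the article for FATF Recommendation 16: transmittals over
# USD 1,000 must carry originator and beneficiary data between VASPs.
TRAVEL_RULE_THRESHOLD_USD = 1_000.0


@dataclass
class Customer:
    user_id: str
    tier: KycTier
    pep: bool = False                        # politically exposed person flag
    history_usd: list[float] = field(default_factory=list)  # past withdrawals
    withdrawn_today_usd: float = 0.0


@dataclass
class Decision:
    allowed: bool                 # may the withdrawal proceed at all?
    travel_rule_required: bool    # must originator/beneficiary data be attached?
    review_required: bool         # should a compliance officer look first?
    reasons: list[str]


def evaluate_withdrawal(c: Customer, amount_usd: float,
                        deviation_factor: float = 5.0) -> Decision:
    """Apply the tier cap, the Travel Rule threshold, the PEP flag and a simple
    behaviour check (amount far above the customer's own average)."""
    reasons: list[str] = []
    allowed = True

    cap = WITHDRAWAL_CAP_USD[c.tier]
    if cap == 0.0:
        allowed = False
        reasons.append("tier NONE: withdrawals disabled until KYC is completed")
    elif cap is not None and c.withdrawn_today_usd + amount_usd > cap:
        allowed = False
        reasons.append(f"tier {c.tier.name}: daily cap of {cap:.0f} USD exceeded")

    travel_rule = amount_usd > TRAVEL_RULE_THRESHOLD_USD
    if travel_rule:
        reasons.append("Travel Rule: attach originator and beneficiary data")

    review = False
    if c.pep:
        review = True
        reasons.append("PEP: elevated risk score, route to compliance review")
    if c.history_usd:
        baseline = mean(c.history_usd)
        if amount_usd > deviation_factor * baseline:
            review = True
            reasons.append(f"behaviour: {amount_usd:.0f} USD exceeds "
                           f"{deviation_factor:.0f}x the usual {baseline:.0f} USD")

    return Decision(allowed, travel_rule, review, reasons)


if __name__ == "__main__":
    # Constructed sample customers, one per situation worth seeing.
    samples = [
        (Customer("u-none", KycTier.NONE), 50.0),
        (Customer("u-basic", KycTier.BASIC, history_usd=[50, 60, 70]), 500.0),
        (Customer("u-full", KycTier.FULL, history_usd=[4_000, 4_500]), 5_000.0),
        (Customer("u-pep", KycTier.FULL, pep=True), 200.0),
    ]
    for customer, amount in samples:
        d = evaluate_withdrawal(customer, amount)
        print(f"{customer.user_id:8} {amount:>8.0f} USD  allowed={d.allowed} "
              f"travel_rule={d.travel_rule_required} review={d.review_required}")
        for r in d.reasons:
            print("   -", r)
```

The point of separating `allowed` from `review_required` is that a tier cap is a hard gate the system enforces on its own, whereas a deviation from a customer’s own baseline, or a PEP flag, is the kind of signal the article describes as warranting a compliance officer’s judgement rather than an automatic refusal.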

7. Why is KYC/AML important?

KYC/AML enforcement and other regulatory requirements are beneficial to both financial institutions and their users. It allows financial businesses to mitigate risk, improve the security of their systems, protect their integrity and keep bad actors off their books, thus keeping regulators happy and at bay. This, in turn, fosters greater trust and reassurance with their customers.

Used effectively, KYC can help financial institutions replace obsolete verification systems, perform a number of very beneficial services, such as screening and registering new users and ensure that high-profile transmittals are fully compliant.

KYC Leaks in Crypto


In addition to exchange hacks, 2019 saw a number of prominent exchanges like Binance, BitMEX and Coinbase suffer KYC data scandals. In August 2019, a hacker claimed to have intercepted the KYC details of 60,000 Binance users following a hack in 2018. After a BitMEX mishap in which users’ email addresses were exposed, an analyst questioned the wisdom of storing mass amounts of Personally Identifiable Information (PII) on centralized servers, in light of the phishing and identity fraud risks it exposes users to.

8. Weaknesses of AML/KYC

While KYC implementation provides a worthy boost to global AML/CFT efforts, regulators made it clear in 2019 that it isn’t enough. The reason for this is simple. While KYC, when done correctly, helps to put a name and face to a public blockchain address, its static nature and the inconsistency with which individual VASPs apply it limit its scope.

Its next evolutionary stage, Know Your Transaction (KYT), has taken AML in crypto a step further by investigating the origins of funds and suspicious transmittals and tying them to real identities. Even so, authorities still see a real need, encapsulated in the FATF’s Recommendation 16 on Wire Transfers, for a standardized identification protocol that facilitates compliant transmittals between all exchanges. This will help to discourage criminals from using VASPs and separate reputable exchanges from fly-by-night operations.

9. AML/KYC and crypto in 2020

In order to remain relevant in 2020 and beyond, KYC processes are in need of a more automated and standard approach that relieves administrative pressure on exchanges as well as simplifies the procedure for users who demand a more user-friendly experience.

Possible innovations that come to mind include a universal KYC system where VASPs can access external records to cross-reference new users for previous flags. Also, the ability to encrypt KYC and transmittal data, but share it with law enforcement when required in line with regulatory expectations, would help to preserve the integrity of data privacy efforts.

While trade-offs will have to be made, an improved KYC regime will help lay a much stronger foundation on which to help build the future of compliant virtual assets.

Written by Werner Vermaak

About CoolBitX and Sygna Bridge

CoolBitX’s Sygna Bridge is a first-to-market travel rule solution and alliance network that is live and being used by our VASP partners to share compliant originator and beneficiary transmittal information.


Sygna Bridge completed a successful production test report (Big 4 audited) earlier this year, which was presented to the FATF Contact Group in May 2020. Sygna Bridge now also supports the IVMS101 messaging standard.

CoolBitX has signed MoUs with 18 VASPs worldwide and recently joined forces with Elliptic in a combined quest to help crypto companies comply with the FATF Standards.

For enquiries on the FATF Travel Rule and our Sygna Bridge solution for VASPs, please contact us at info@sygna.io.

Disclaimer: CoolBitX provides these blog posts for general educational purposes only. Information on this blog does not constitute professional legal or financial advice and should not be considered as such. The author or company may update the information on this article at any time without prior notice and do not guarantee the work to be up to date and accurate. To the best of our knowledge the information provided here is factual at the time of writing.
