Financial services are a rapidly evolving industry, with a fast-paced environment that often elicits the attention of financial regulators. Blockchain is no different; since an anonymous person or group by the name of ‘Satoshi Nakamoto’ revolutionized a thousands’ year-old way of recording transactions, this new technology came to redesign legacy financial services and develop new ways of utilizing financial concepts. In turn, such a technology has caused regulators to react by finding secure ways to manage adverse situations and diminish the spread of malicious actors. One such way is implementing KYC (Know Your Customer) measures.
Know Your Customer
KYC or “Know Your Customer” is a risk-based approach that is mandated by regulatory bodies (such as SEC, FINRA) and is carried out by financial institutions to identify and authenticate the customers they do business with, based on their perceived risk profile. KYC policies help mitigate the risk of being exploited by bad actors (both intentionally and unintentionally), in order to conduct illicit behavior (such as money laundering, terrorism funding, etc). In the process, clients are required to provide identity credentials in order to use the company’s services. The requirements that must be fulfilled depend on the financial institutions’ activities, and can be divided into two main categories: Facts and Behaviors.
Facts: They serve to establish what the institution knows about the customer and includes personal information such as names, surnames, ID’s, phone numbers, email and physical address. This information can then be used to create behavior profiles and assign expected behavior parameters.
Behavior: Uses facts premises to verify that transactions adhere to corresponding laws and to report suspicious activities for further investigation to the necessary authorities.
There are two main mitigation layers, where one builds on top of the other. Customer Due Diligence (CDD) includes background checks on potential clients prior to the onboarding stage, with its main objective being the understanding of the risk that the new client brings to the business. Enhanced Due Diligence (EDD), on the other hand, conducts a thorough investigation on higher-risk customers, occasionally identified by CDD. This sophisticated process falls outside of CDD and can usually be subjective by nature, depending on the risk tolerance profile of the company.
KYC ≠ AML
A common misconception regarding KYC is it being the same as Anti-Money Laundering (AML). Even though these principles and practices are often combined and usually go hand in hand, it’s inaccurate to categorize them as being ‘the same’. While KYC is a process that identifies and authenticates the clients of financial institutions, AML is a far more complex framework of strategies, rules and regulations with the specific purpose of combating money laundering. ‘KYC is but a small cog in the AML wheel’ . Therefore, AML regulations require thorough risk reports, as well as reports of suspicious activities. AML non-compliant entities face severe penalties (up to criminal prosecution), whereas KYC compliance is more gentle in disposition.
KYC State of Affairs
As initially mentioned, the developments of new financial technology applications based on blockchain made it difficult for regulatory bodies to swiftly adapt and set new rules. The fact that asset classes differ among applications has only hardened the task.
The case of KYC in the world of cryptocurrencies could be considered odd. Most cryptocurrency exchanges allow user registration without carrying out any KYC practices when onboarding them (CypherTrace research found that 56% of virtual asset service providers have weak or porous KYC processes ). A self-regulation process governed these platforms for quite some time, and are only nowadays including KYC procedures as a standard. Centralized exchanges that provide cryptocurrency-fiat trading pairs are usually the ones that comply with the most regulatory requirements , while decentralized exchanges (those with no central authority, governed by smart contracts) usually don’t. The aforementioned report  also found that over 90% of DEX had deficient KYC scores, with 81% having little to no KYC measures .
Cryptocurrency exchanges’ KYC efforts can be grouped into three categories (no KYC, basic KYC and full KYC)  and sorted as a spectrum of KYC total information. As we move towards the far end of the range, capabilities and functionalities of accounts are unlocked, and limits on operations are taken out (no withdrawal limits for example).
As cryptocurrencies continue to evolve and new blockchain-based financial services continue to appear, the question of how regulatory bodies will choose to keep track of transaction information in order to control for malicious players will be essential. Will it be possible to slow down the revolutionary machine or will existing financial systems have to yield some control and swim with the current? Time will tell.