What is KYC (Know Your Customer)?

KYC, or Know Your Customer, is the set of identity verification procedures that financial institutions, cryptocurrency exchanges, and other regulated entities must perform to confirm a customer’s identity and assess their risk profile before establishing a business relationship. KYC is a foundational component of every anti-money laundering (AML) compliance program and a legal requirement enforced by FinCEN, the Financial Action Task Force (FATF), and financial supervisory authorities across jurisdictions worldwide.

In the cryptocurrency industry, KYC requirements apply to virtual asset service providers (VASPs)—including exchanges, custodians, wallet providers, and stablecoin issuers—that must verify customer identities before enabling financial transactions. As institutional adoption of digital assets accelerates and frameworks like the EU’s Markets in Crypto-Assets Regulation (MiCA) take effect, robust KYC processes have become a competitive requirement for crypto businesses, not just a regulatory checkbox. Chainalysis data shows that 45% of all crypto transfers exceed $10M in value, underscoring the scale of activity that KYC programs must cover.

The KYC process typically involves three core components: a Customer Identification Program (CIP), Customer Due Diligence (CDD), and ongoing monitoring. Together, these procedures help financial institutions and crypto platforms detect financial crimes, prevent terrorist financing, and maintain the integrity of the financial system.

Why does KYC matter?

KYC is not optional. Financial institutions and crypto platforms operating in regulated jurisdictions must implement KYC procedures to comply with anti-money laundering laws. In the United States, the Bank Secrecy Act (BSA) and the USA PATRIOT Act require all financial services providers to verify the identity of customers at account opening. FinCEN enforces these KYC regulations, and failure to comply can result in significant penalties, enforcement actions, and loss of operating licenses.

Globally, FATF Recommendations establish the international standard for KYC requirements. FATF guidance extends KYC obligations to VASPs, including cryptocurrency exchanges, NFT marketplaces, DeFi platforms operating as intermediaries, and stablecoin providers. The EU’s MiCA regulation, now in effect, imposes specific crypto KYC requirements across all 27 member states, while the FATF Travel Rule mandates that VASPs share originator and beneficiary information for transactions above specified thresholds.

Preventing Financial Crime

KYC checks are the first line of defense against money laundering, terrorist financing, fraud, and sanctions evasion. By verifying the customer’s identity and assessing their risk profile at onboarding—and continuously throughout the business relationship—financial institutions can identify suspicious activity before it escalates. Without robust KYC, criminal actors exploit platforms to move illicit funds. Chainalysis has analyzed over $40 billion in known illicit activity, much of it flowing through platforms with weak or absent KYC procedures.

Building Trust in Cryptocurrency

For the crypto industry, KYC compliance is a gateway to institutional trust. Banks, asset managers, and payment providers increasingly require crypto partners to demonstrate robust KYC programs before establishing banking relationships or integrating digital asset services. The 73% of financial institution leaders who say banks will lose competitive advantage without crypto innovation are looking for partners they can trust—and KYC compliance is the baseline. Strong KYC programs also reduce reputational damage and protect customer experience by keeping bad actors off platforms.

How Does KYC Work? Key Components

The KYC process is built on a risk-based approach: higher-risk customers receive more scrutiny, while lower-risk customers move through streamlined verification. The following components form the backbone of every KYC program.

Customer Identification Program (CIP)

The Customer Identification Program (CIP) is the first step in the KYC process. CIP requires financial institutions and crypto platforms to collect and verify basic customer information at account opening: legal name, date of birth, address, and an identification number (such as a Social Security number, passport number, or national ID). Document verification typically involves checking a government-issued ID—passport, driver’s license, or national identity card—against authoritative databases.

For crypto platforms, CIP usually involves uploading identity documents, completing biometric authentication (facial recognition or liveness checks), and verifying proof of address through utility bills or bank statements. CIP establishes the foundational identity record that all subsequent KYC procedures build on.

Customer Due Diligence (CDD)

Customer due diligence (CDD) assesses the risk profile of each customer based on their identity, source of funds, expected transaction patterns, geographic location, and industry. Financial institutions and crypto platforms assign risk ratings that determine the level of ongoing monitoring a customer receives. CDD is a regulatory requirement under the Bank Secrecy Act, FATF Recommendations, and MiCA.

CDD includes verifying the customer information collected during CIP, understanding the nature and purpose of the business relationship, and screening the customer against sanctions lists and adverse media. The distinction between KYC and CDD is often misunderstood: CDD is a component of KYC, not a separate process. KYC is the umbrella; CDD is the risk assessment layer within it.

Enhanced Due Diligence (EDD)

Enhanced due diligence is required for higher-risk customers: politically exposed persons (PEPs), customers from high-risk jurisdictions, complex ownership structures, and accounts with unusual transaction patterns. EDD goes beyond standard CDD by requiring deeper investigation into the source of wealth, source of funds, and the rationale behind expected financial activities.

In crypto, EDD may be triggered by exposure to mixers, sanctioned addresses, darknet market connections, or high-risk counterparties identified through blockchain analytics. Financial institutions must document their EDD findings and maintain enhanced ongoing monitoring for these accounts. EDD is one of the most critical KYC requirements—regulators scrutinize EDD procedures heavily during examinations.

Simplified Due Diligence (SDD)

Simplified due diligence is the lower end of the risk-based approach, applied to customers assessed as low risk. SDD allows reduced verification requirements—fewer KYC documents, less intensive source-of-funds checks—but does not eliminate the obligation to monitor for suspicious activity. SDD is common for retail-level crypto transactions in low-risk jurisdictions where the customer risk is minimal and the product type is straightforward.

Regulators permit SDD only when a documented risk assessment justifies it. If a customer’s risk profile changes, the institution must escalate from SDD to standard CDD or EDD.

Politically Exposed Persons (PEP) Screening

Politically exposed persons (PEPs) are individuals who hold or have recently held prominent public functions—heads of state, senior politicians, military officers, judiciary officials, and their immediate family members and close associates. PEPs present higher corruption and bribery risk, requiring enhanced due diligence and enhanced monitoring throughout the lifecycle of the business relationship.

Crypto platforms must screen for PEPs during onboarding and on an ongoing basis. PEP screening databases are updated continuously, and a customer who was not a PEP at account opening may become one later. Failing to identify and appropriately manage PEP relationships is a common finding in regulatory examinations.

Beneficial Ownership Identification

Identifying the ultimate beneficial owners of corporate accounts is a core KYC requirement. The U.S. Corporate Transparency Act (2024) and EU Anti-Money Laundering Directives require disclosure of beneficial ownership for legal entities. Financial institutions must identify any individual who directly or indirectly owns or controls 25% or more of a legal entity (thresholds vary by jurisdiction).

In crypto, beneficial ownership requirements extend to identifying the controllers behind legal entity accounts at exchanges and custodians. This is particularly important for institutional accounts, OTC desks, and corporate treasury operations involving digital assets.

eKYC (Electronic KYC)

eKYC refers to digital identity verification processes that use technology—biometric scanning, facial recognition, document OCR, database checks, and artificial intelligence—to verify customer identities remotely. eKYC is the standard for crypto exchanges and fintech platforms, which onboard customers entirely online without in-person verification.

eKYC solutions enable faster onboarding while maintaining regulatory compliance. The verification process typically takes minutes rather than days, reducing customer drop-off. However, eKYC systems must be robust enough to detect fraudulent identity documents, deepfakes, and synthetic identities. As crypto KYC requirements expand globally, eKYC adoption is accelerating across all financial services providers.

KYC Onboarding

KYC onboarding is the initial identity verification process new customers complete before accessing financial services. In crypto, this typically involves uploading a government-issued ID, completing a selfie or liveness check for biometric authentication, providing proof of address, and agreeing to terms of service.

Friction in the onboarding process—excessive documentation, long verification times, manual review—is a primary driver of customer drop-off. Studies show that onboarding abandonment rates exceed 50% when KYC procedures take more than 10 minutes. Balancing regulatory requirements with customer experience is one of the central challenges of KYC program design. The most effective KYC onboarding flows use automation and risk-based tiering to streamline low-risk account opening while applying appropriate scrutiny to higher-risk customers.

Perpetual KYC / Ongoing Monitoring

Perpetual KYC (pKYC) represents a shift from one-time identity verification to continuous customer monitoring. Instead of periodic KYC refreshes—typically every one to three years—perpetual KYC systems continuously update customer risk profiles based on new data: changes in transaction patterns, updated sanctions lists, new adverse media, changes in beneficial ownership, and shifts in geographic exposure.

In crypto, perpetual KYC is enabled by real-time blockchain analytics. Chainalysis KYT (Know Your Transaction) continuously monitors on-chain activity, flagging changes in customer risk in real time rather than waiting for the next scheduled review. This approach closes the gap between periodic KYC refreshes, during which customer risk can change significantly without detection.

KYC Remediation

KYC remediation is the process of updating or correcting incomplete, outdated, or non-compliant customer records. Remediation programs are often triggered by regulatory examinations, audit findings, changes in KYC regulations, or mergers and acquisitions that combine customer databases with different data standards.

In crypto, KYC remediation may involve retroactively verifying customers who were onboarded under less stringent standards during the industry’s early years. As KYC requirements have tightened globally, many exchanges have undertaken large-scale remediation programs—re-verifying millions of existing accounts. Remediation is resource-intensive but essential: regulators view incomplete customer records as a material compliance deficiency.

KYC Automation

KYC automation uses artificial intelligence, machine learning, and digital identity solutions to streamline identity verification, document verification, risk scoring, and ongoing monitoring. Automation reduces manual review burden, accelerates the verification process, and improves consistency—critical for crypto platforms processing thousands of new customer verifications daily.

Automated KYC systems can extract and verify data from identity documents, cross-reference customer information against sanctions and PEP databases in real time, assign risk scores based on configurable rules, and flag anomalies for human review. KYC automation does not replace human judgment for complex cases but dramatically improves operational efficiency by routing only the highest-risk cases to manual analysts.

How is KYC used in crypto compliance and blockchain investigations?

Generic banking KYC programs stop at identity verification. In crypto, KYC is the starting point for a deeper layer of compliance: connecting verified identities to on-chain activity. This is where the KYC process extends into blockchain-powered risk intelligence.

Connecting Identity to On-Chain Activity. When a customer completes KYC at a cryptocurrency exchange, their verified identity becomes linked to deposit and withdrawal addresses. This creates the bridge between real-world identity and pseudonymous blockchain transactions—enabling compliance teams and law enforcement to trace the flow of funds across the blockchain.

KYC as the Foundation for Transaction Monitoring. KYC verification at onboarding is only the beginning. Effective crypto compliance requires continuous transaction monitoring (KYT) that screens every deposit, withdrawal, and transfer against known risk indicators. KYC data provides the context for interpreting transaction alerts: the same $50,000 deposit has a different risk profile depending on the customer’s verified identity, source of funds, and transaction history.

VASP Compliance and the FATF Travel Rule. The FATF Travel Rule requires VASPs to exchange originator and beneficiary information for crypto transfers above specified thresholds. This means KYC data collected by one exchange must be shared with the receiving exchange—creating a compliance chain that depends on robust KYC at every node. VASPs with weak KYC procedures become compliance bottlenecks for the entire ecosystem.

KYC Challenges in DeFi and Self-Hosted Wallets. Decentralized finance (DeFi) protocols and self-hosted wallets present unique KYC challenges. Permissionless DeFi platforms may not have a centralized entity to collect KYC, and self-hosted wallets allow users to transact without intermediary verification. Regulators are increasingly focused on these gaps—the FATF has signaled that DeFi platforms with governance tokens or administrative control may qualify as VASPs subject to KYC obligations. For self-hosted wallets, many jurisdictions now require VASPs to collect additional information about unhosted wallet transactions above certain thresholds.

Law Enforcement Cooperation and KYC Data. When financial crimes involve crypto, law enforcement agencies rely on KYC records held by exchanges to identify suspects, trace stolen funds, and build prosecutable cases. KYC data—combined with blockchain analytics—has been instrumental in recovering billions of dollars in stolen cryptocurrency and disrupting criminal networks. Over 100 government agencies worldwide use Chainalysis tools to connect on-chain evidence to identities established through KYC.

KYC vs. AML: What’s the difference?

KYC and AML are related but distinct concepts. Understanding the difference is essential for compliance teams building or evaluating their programs.

KYC (Know Your Customer) is the process of verifying a customer’s identity and assessing their risk profile. It answers the question: Who is this customer, and what risk do they present?

AML (Anti-Money Laundering) is the broader framework of laws, regulations, policies, and procedures designed to prevent criminals from disguising illegally obtained funds as legitimate income. AML programs include KYC, transaction monitoring (KYT), suspicious activity report (SAR) filing, sanctions screening, and compliance officer oversight.

The key distinction: KYC is a component of the AML program. AML is the umbrella that encompasses KYC, KYT, SAR filing, sanctions screening, and compliance officer responsibilities. An effective AML program requires robust KYC, but KYC alone does not constitute AML compliance. A platform can have perfect KYC onboarding and still fail its AML obligations if it lacks transaction monitoring, fails to file SARs, or ignores sanctions requirements.

|                  | KYC                                       | AML                                           |
| Scope            | Customer identity and risk assessment     | Full anti-money laundering program            |
| When             | Primarily at onboarding + ongoing updates | Continuous, across the customer lifecycle     |
| Components       | CIP, CDD, EDD, ongoing monitoring         | KYC + KYT + SAR filing + sanctions + training |
| Regulatory basis | BSA/CIP Rule, FATF Rec. 10, MiCA          | BSA, AMLD, MiCA, local AML laws               |

Risks and common misconceptions about KYC

Misconceptions

“KYC means the government is tracking all my crypto.” KYC data is collected and held by the financial institution or VASP—not by the government. Law enforcement can request KYC records through legal process (subpoenas, court orders), but KYC does not mean blanket government surveillance of crypto transactions.

“Knowing the customer’s identity is enough for compliance.” Identity verification is only the first step. Compliance requires ongoing monitoring, transaction screening, SAR filing, and risk management throughout the customer lifecycle. KYC without KYT leaves critical gaps.

“DeFi doesn’t need KYC because it’s decentralized.” Regulators are closing this loophole. FATF guidance indicates that DeFi platforms with identifiable governance or control mechanisms may be classified as VASPs and subject to KYC obligations. The regulatory direction is clear: decentralization does not automatically exempt platforms from compliance requirements.

“KYC drives away customers and hurts business.” While friction exists, the data suggests otherwise. Platforms with strong KYC programs attract institutional customers, secure banking relationships, and avoid the catastrophic costs of enforcement actions. The potential risks of skipping KYC—billion-dollar fines, criminal liability, platform shutdown—far outweigh the cost of customer onboarding friction.

Risks

KYC data breaches remain a serious concern. Identity documents collected during KYC are high-value targets for attackers. Financial institutions and crypto platforms must implement robust data security—encryption, access controls, data minimization—to protect customer information.

Regulatory fragmentation across jurisdictions creates compliance complexity. KYC requirements differ between the U.S., EU, UK, and APAC—and crypto-specific rules are still evolving. Platforms operating across multiple jurisdictions must navigate overlapping and sometimes conflicting regulatory requirements.

Exclusion of underbanked populations is an unintended consequence of strict KYC requirements. Customers without government-issued ID, proof of address, or formal banking history may be excluded from financial services. This tension between financial inclusion and compliance is an active area of regulatory discussion.

Outdated customer records create compliance gaps. Without perpetual KYC or regular remediation programs, customer risk profiles become stale, and platforms may fail to detect changes in risk that occurred after initial onboarding.

Real-world examples of KYC in crypto

KYC Enforcement Failures

BitMEX — $100M Settlement (2021). BitMEX, a major crypto derivatives exchange, agreed to pay $100 million to settle charges with FinCEN and the CFTC for willfully failing to implement an adequate KYC program. The platform allowed customers to trade without identity verification, enabling money laundering and sanctions evasion. BitMEX’s founders faced criminal charges.

Binance — $4.3B Settlement (2023). Binance, the world’s largest cryptocurrency exchange by volume, paid $4.3 billion—the largest penalty in crypto history—to resolve charges from the DOJ, FinCEN, and OFAC. Among the violations: Binance failed to implement adequate KYC procedures and allowed users in sanctioned jurisdictions to access the platform. The company’s CEO pleaded guilty to violating the Bank Secrecy Act.

Robinhood Crypto — $30M Fine (2022). The New York Department of Financial Services fined Robinhood Crypto $30 million for significant deficiencies in its AML and KYC programs, including inadequate transaction monitoring and insufficient staffing for compliance operations.

KYC-Enabled Investigation Successes

Bitfinex Hack Recovery — $3.6B (2022). The DOJ recovered $3.6 billion in Bitcoin stolen from the Bitfinex exchange—the largest financial seizure in U.S. history at the time. KYC records at exchanges where the suspects attempted to cash out, combined with blockchain analytics, enabled investigators to identify and arrest the suspects.

Hydra Market Takedown (2022). German and U.S. law enforcement seized Hydra, the largest darknet marketplace, and $25 million in Bitcoin. KYC records at fiat off-ramp exchanges helped investigators trace and identify operators and major vendors.

Pig Butchering Scam Disruptions (2023–2025). Chainalysis investigations into pig butchering scams—romance-based investment fraud schemes—have relied on KYC data at exchanges where victims deposited funds and where scammers attempted to convert crypto to fiat. These investigations have led to seizures exceeding $100 million and dozens of arrests globally.

How Chainalysis helps organizations implement and strengthen KYC

Chainalysis extends KYC from onboarding-stage identity verification into ongoing, blockchain-powered risk intelligence. Where traditional KYC tools verify who a customer is, Chainalysis solutions reveal what that customer does on-chain—creating a complete risk picture across the customer lifecycle.

Chainalysis Address Screening provides wallet-level risk assessment at the point of KYC onboarding. Before approving a new customer, compliance teams can screen their deposit addresses for exposure to sanctioned entities, darknet markets, ransomware, stolen funds, and other illicit activity across 1,000+ assets and protocols including DeFi and Layer 2 networks.

Chainalysis KYT (Know Your Transaction) extends KYC into continuous transaction monitoring. KYT screens every transaction in real time against risk indicators, generating risk-based alerts that reduce false positives by up to 90% compared to rules-based systems. KYT ensures that the risk assessment begun at KYC onboarding continues throughout the customer relationship—enabling perpetual KYC powered by on-chain data.

Chainalysis VASP Risking enables counterparty due diligence at the entity level. Financial institutions can assess the KYC and compliance posture of crypto platforms they interact with—evaluating whether a VASP’s own KYC procedures meet regulatory standards before establishing business relationships.

Chainalysis Reactor is the investigation tool that activates when KYC and KYT flag potential risks. Reactor enables compliance teams and investigators to trace fund flows across blockchains, visualize transaction patterns, and build evidence packages for SAR filings or law enforcement referrals. Reactor’s analysis has been validated under the Daubert standard in U.S. courts—a unique structural advantage that no other blockchain analytics provider offers.

Chainalysis Academy has certified over 50,000 professionals in blockchain analytics and crypto compliance, helping financial institutions and VASPs close the expertise gap in their KYC and AML teams.

Frequently asked questions about KYC

Q: What is KYC (Know Your Customer)?

A: KYC (Know Your Customer) is the set of identity verification procedures that financial institutions and crypto platforms must perform to confirm a customer’s identity, assess their risk profile, and comply with anti-money laundering regulations. KYC typically involves collecting identity documents, verifying customer information against authoritative databases, and conducting ongoing monitoring throughout the business relationship.

Q: What is KYC in crypto?

A: KYC in crypto refers to the identity verification process that cryptocurrency exchanges, custodians, and other virtual asset service providers (VASPs) must implement before allowing customers to trade, deposit, or withdraw funds. Crypto KYC requirements are mandated by regulations including the Bank Secrecy Act, FATF Recommendations, and MiCA, and typically involve uploading government-issued ID, completing biometric verification, and providing proof of address.

Q: What is the difference between KYC and AML?

A: KYC is a component of AML. KYC focuses on verifying the customer’s identity and assessing their risk, while AML (anti-money laundering) is the broader compliance program that includes KYC, transaction monitoring, SAR filing, sanctions screening, and compliance oversight. An effective AML program requires robust KYC, but KYC alone does not constitute full AML compliance.

Q: What is enhanced due diligence (EDD)?

A: Enhanced due diligence (EDD) is an elevated level of KYC investigation applied to higher-risk customers, including politically exposed persons (PEPs), customers from high-risk jurisdictions, and accounts with complex ownership structures. EDD requires deeper analysis of source of wealth, source of funds, and the rationale behind expected financial activities. In crypto, EDD may be triggered by blockchain analytics identifying exposure to sanctioned addresses, mixers, or darknet markets.

Q: What are the three components of KYC?

A: The three core components of KYC are: (1) Customer Identification Program (CIP)—collecting and verifying basic identity information; (2) Customer Due Diligence (CDD)—assessing the customer’s risk profile and understanding the business relationship; and (3) Ongoing Monitoring—continuously reviewing customer activity and updating risk assessments throughout the relationship lifecycle.

Q: What happens if I refuse KYC?

A: If a customer refuses to complete KYC verification, financial institutions and crypto platforms are legally required to deny service. Regulated entities cannot onboard customers whose identity has not been verified. Some decentralized platforms currently operate without KYC, but regulators are increasingly extending compliance requirements to these services.

Q: What are KYC documents?

A: Common KYC documents include government-issued photo ID (passport, driver’s license, national ID card), proof of address (utility bills, bank statements, tax documents), and in some jurisdictions, proof of source of funds. For corporate accounts, KYC documents also include business registration certificates, articles of incorporation, and beneficial ownership declarations.

Q: Is KYC mandatory in the USA?

A: Yes. KYC is mandatory for all financial institutions and money services businesses operating in the United States under the Bank Secrecy Act and the USA PATRIOT Act. FinCEN enforces KYC regulations, and crypto exchanges operating in the U.S. must implement KYC programs as a condition of their state money transmitter licenses and federal registration. 
