What Every Crypto Project Needs to Know About KYC and AML Regulations

Shapeshift, one of the most popular decentralized cryptocurrency exchanges, recently announced that it would start collecting members’ data and that its “membership program” would soon be mandatory for all users. Implementation of this membership program brings an official end to anonymous trading on the previously private peer-to-peer trading platform.

Shapeshift CEO, Erik Voorhees, an early adopter of Bitcoin and a respected figure in the crypto community, was clearly disappointed with this move and hinted that the decision was in direct response to regulatory pressure.

As unfortunate as this move is, it comes as no surprise to Crypto Law Insiders. We’ve written before about the increasing regulatory crackdown on crypto exchanges and other “on and off ramps” where crypto and fiat are exchanged.

Regulators may not be able to stop the use of crypto entirely, but they will take action where they can to prevent criminal activity, particularly money-laundering and terrorist financing. As a result, we’ve seen the introduction of a number of “anti-money laundering” (AML) and “know your customer” (KYC) laws in the crypto ecosystem that call for greater user transparency and place constraints on anonymous transactions.

For crypto-related businesses, it’s important to be aware of this regulatory trend and prepare for it. Taking precautions in advance will help avoid expensive and time-consuming regulatory investigations into your business activities.

So what are these requirements and how do they affect crypto-related businesses?

Anti-Money Laundering (AML)

Anti-money laundering (AML) laws are part of a broader government initiative to tackle criminals that use financial institutions to conceal their activity. The goal of AML is to prevent criminal activity like tax evasion and drug trafficking, where illicit funds are often funneled through legal channels to obscure illegal activity.

AML regulations were adopted globally in 1989 with the formation of a Financial Action Task Force to set international standards for fighting against money laundering. As part of compliance with these regulations, financial institutions are obliged to monitor suspicious activity, report transactions over $10,000 and verify the origin of funds on behalf of the US government. Even if you are not based in the US, these rules may still apply if you have any transactions that involve US institutions.

Know Your Customer (KYC)

Know Your Customer (KYC) laws are a subset of AML. As the name suggests, these laws involve verifying the identity of an institution’s customer. In the aftermath of 9/11, these laws were made significantly stricter as a means of combating terrorist financing and in the years since have expanded their reach even further.

There are three key elements of KYC, which are the Customer Identification Program (CIP), Customer Due Diligence (CDD) and Counter-Terrorism Financing (CTF). Each element comes with its own set of hefty compliance requirements.

Customer Identification Program (CIP)

The Customer Identification Program (CIP) explicitly requires financial institutions to verify customers’ identities. While each institution is left to develop its own practices, this usually involves requests for common documents such as driver’s licenses and passports.

However, in certain cases, this may also extend to more specific evidence such as certified articles of incorporation, a government-issued business license, partnership agreements, trust instruments, information from a consumer reporting agency or public database, and/or financial statements.

Customer Due Diligence (CDD)

Customer Due Diligence (CDD), by contrast, is far less specific and more invasive than basic evidence of identity. As with AML regulations, it aims to identify “suspicious” customer behavior based on the customer’s transaction history. This can be done through monitoring transfers, international transactions, and interactions with offshore financial centers.

Though due diligence isn’t explicitly required by law, financial institutions are required to report any suspicious activity to the Financial Crimes Enforcement Network (FinCEN). The penalties for an institution that fails to comply can be crippling, so they all err on the side of caution by over-gathering customer data.

In many cases, this will lead institutions to request a wide range of customer data including details about a customer’s occupation, the source of his or her funds, details on business operations, financial statements and other information that will assist the institution in determining whether the customer is engaged in legal activity.

Counter-Terrorism Financing (CTF)

Regulated entities are also required to have Counter-Terrorism Financing (CTF) measures to go hand-in-hand with their AML practices. These involve a number of further checks, including transaction monitoring, risk profiling, and ongoing transaction screening, with the goal of rooting out any potential funding for “terrorist” activities.

Data points on a customer’s interaction with a regulated entity are gathered to provide a profile of behavior for every customer. When a customer’s behavior falls outside the scope of his or her profile, financial institutions are expected to file suspicious activity reports, which are examined by regulators for further investigation.

What does this mean for Crypto Law Insiders?

When crypto transactions are anonymous, governments lose the ability to completely track and control the financial activities of their citizens. Obviously, this is a concern to regulators who are tasked with preventing criminal activity. While personal privacy is a right, this right often takes the back seat to government regulation.

Although governments are largely powerless to regulate the use of crypto altogether, they are still able to regulate the points where crypto is exchanged with fiat currency. Thus, we are seeing increased regulation at the “on and off ramps” between crypto and fiat. In particular, crypto wallets and exchanges are under close scrutiny.

After seeing a decentralized P2P exchange like Shapeshift pushed to implement stricter KYC and AML checks, every player in the ecosystem should be prepared to face increased regulatory pressure as well. The bottom line is that any crypto-related business that touches fiat should start implementing KYC and AML policies today. Waiting until a regulatory agency comes knocking is a big mistake because when they knock, it’s usually loud and unpleasant.

Dean Steinbeck

Dean Steinbeck, Managing Director of Crypto Law Insider, is the leading authority on legal issues related to cryptocurrency and blockchain technologies.