The Complete Guide to Know-Your-Customer (KYC)

In financial regulations, anti-money laundering (AML), know-your-customer (KYC), and customer due diligence (CDD) work together to prevent fraud and money laundering by ensuring businesses have enough information about their customers.

The crypto ecosystem has increased the importance of KYC, especially with regulations like the Travel Rule. This article will explain everything a crypto-asset service provider (CASP) needs to know about KYC. It will define AML, KYC and CDD, look at the relationship between the 3, and explain KYC within the Travel Rule and KYC processes in the EU.

Everything a CASP Needs to Know about KYC, AML and CDD

How Do KYC, AML and CDD Tie Together? 

All 3 processes have the purpose of preventing fraud, money laundering, and other illicit activities by ensuring that businesses have sufficient information about the individuals or entities they are dealing with.

AML stands for anti money-laundering and encompasses a comprehensive framework of statutes, regulations, and protocols, crafted to defeat the concealment of unlawfully acquired funds. This framework involves practices like monitoring transactions and disclosing suspicious activities and is usually defined at state level. 

KYC, know-your-customer, and CDD, customer due diligence, are facets of the AML process. KYC is the initial phase of customer verification, validating their identities. With the verified data from the KYC process, CDD can occur. CDD is the continued effort to monitor existing customers and the potential risks of money laundering or terrorist financing they may present.

What Is Anti-Money Laundering (AML)?

Anti-money laundering (AML) processes are the procedures and measures financial institutions and other regulated entities implement to prevent, detect, and report activities associated with money laundering and other financial crimes. These processes are designed to comply with regulatory requirements and mitigate the risks posed by money laundering, terrorist financing, and other illicit activities.

What Is Know-Your-Customer (KYC)?

Know-your-customer (KYC) is the process a financial institution must follow before allowing a customer to use its services. It involves scrutinising a customer's background information to establish the risk posed by the customer through collecting and verifying identity documents, such as government-issued IDs, passports, or utility bills.

What Is Customer Due Diligence (CDD)?

The KYC process is the collection and verification of a customer’s data before the offer of financial services. Its purpose is to assess the person’s identity. On the other hand, customer due diligence (CDD) identifies the level of risk the customer presents to the business and is an ongoing process. 

CDD can be divided into 3 levels: simplified due diligence, standard due diligence and enhanced due diligence.  Simplified due diligence is applied to low-risk customers. In contrast, enhanced due diligence is for high-risk customers and can involve gathering additional information, for example, the source of funds to evaluate the potential risk.   

What Is KYC in Crypto?

In crypto, KYC refers to the process by which cryptocurrency exchanges and other crypto-related businesses verify the identity of their users. This process is similar to KYC procedures in traditional finance and serves the same purpose of preventing fraud, money laundering, and other illicit activities.

When users sign up for an account on a cryptocurrency exchange or platform, they are typically required to provide personal information such as their name, address, date of birth, and government-issued identification documents (e.g., passport, driver's licence). The exchange then verifies this information to ensure the user's identity is legitimate.

CDD and the Travel Rule 

Regarding the Travel Rule (Recommendation 16), the Financial Action Task Force (FATF) states that for virtual asset transfers: “Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers.” 

According to the FATF’s glossary, accurate implies that the data has been verified for accuracy [page 59]; in other words, the VASP would have to employ a CDD process to do so.

CDD and the Travel Rule in Europe

For instance, the EU’s implementation of the Travel Rule, the Transfer of Funds Regulation (TFR), calls for CASPs to apply KYC processes in the following examples:  According to Article 14, before transferring crypto, originating CASPs must verify the below information

• “the name of the originator;

• the originator’s distributed ledger address, in cases where a transfer of crypto-assets is registered on a network using DLT or similar technology, and the crypto-asset account number of the originator, where such an account exists and is used to process the transaction;

• the originator’s crypto-asset account number, in cases where a transfer of crypto-assets is not registered on a network using DLT or similar technology;

• the originator’s address, including the name of the country, official personal document number and customer identification number, or, alternatively, the originator’s date and place of birth; and

• subject to the existence of the necessary field in the relevant message format, and where provided by the originator to its crypto-asset service provider, the current LEI or, in its absence, any other available equivalent official identifier of the originator.”

Moreover, before funds are made available to their customers, CASPs will need to verify the accuracy of the beneficiary information.  In both cases, verification of the information means customer due diligence, as stated in the EU Travel Rule. Allowing either:

"(a) the identity has been verified in accordance with Article 13 of Directive (EU) 2015/849 and the information obtained pursuant to that verification has been retained in accordance with Article 40 of that Directive; or

(b) Article 14(5) of Directive (EU) 2015/849 applies to the originator."

The data collection requirements above also apply to transfers involving self-hosted wallets; the CASP is not, in principle, required to verify the information on the user of the self-hosted address. However, when a CASP’s customer transacts over EUR 1000 with a self-hosted wallet, the CASP must collect proof that that customer controls the self-hosted wallet. This is a separate process from CDD. 

See the EU's Travel Rule Workflow for more information. 

The EU AML Authority (AMLA)

The EU will assemble the new EU AML Authority (AMLA). The AMLA will be responsible for the central coordinating body for national authorities, ensuring consistent and accurate application of EU regulations within the private sector. AMLA will also bolster the analytical capabilities of Financial Intelligence Units (FIUs) to combat illicit financial activities, enhancing their effectiveness as a crucial information source for law enforcement agencies.

Read more about the EU’s AMLA. 

KYC Beyond the Travel Rule 

The Travel Rule aside, KYC in the crypto space has become increasingly important as regulators worldwide pass licensing, registering and Travel Rule regulations, bringing cryptocurrency exchanges and other crypto-related businesses under stricter requirements.  For example, South Africa still needs to implement the Travel Rule but requires exchanges to conduct KYC processes.

In Conclusion 

Compliance with KYC requirements helps exchanges maintain legal compliance and fosters trust among users and regulators, laying the foundation for sustainable growth and success in the digital age.

By implementing robust KYC processes, businesses can safeguard themselves against financial crimes, ensure compliance with regulations, and enhance their overall reputation.