Fenergo, a leading SaaS financial technology solutions company, asked financial institutions what they saw as the most dangerous business risks in 2023 and how they would invest to mitigate them. According to the results, financial crime is one of the most pressing issues faced by these institutions.
As reported by Coindesk, the year 2022 witnessed crypto users losing $4 billion to various scams, rug pulls, and hacks. Although the losses decreased notably in 2023, crypto users still fell victim to fraudsters, losing around $2 billion. To combat these challenges, crypto companies need to adopt more effective measures to mitigate risks and prevent fraud. One of the measures is KYC (Know Your Customer), which we will define in this article.
What does KYC mean in crypto?
Know Your Customer (KYC) is a process used by financial institutions to make sure they know who they're dealing with before opening a new account. KYC aims to prevent fraud, money laundering, and other illegal activities. It also helps these institutions comply with regulations like customer due diligence (CDD) and anti-money laundering (AML) laws under the Bank Secrecy Act (BSA).
Some crypto companies are considered like banks under the law and have to follow BSA regulations because they convert regular money (like US dollars) into cryptocurrency (like Bitcoin). That's why having a KYC program is crucial for them to remain compliant.
In the crypto world, KYC requires a few steps to confirm a customer's identity and check for any suspicious activity before giving access to a crypto exchange, wallet, or other platforms.
Let's break down the usual crypto KYC checks
The cryptocurrency KYC process involves four key elements:
- Customer identification program (CIP)
The CIP is the first step when a new customer wants to open an account. Its purpose is to verify the customer's identity using specific information such as name, date of birth, address, and identification number. For corporate customers, this information is needed for all authorized signers. KYC verification in crypto includes comparing government-issued IDs (like driver's licenses or passports) with official databases to ensure authenticity.
- Customer due diligence (CDD)
Once the customer's identity is confirmed, CDD assesses the risk they pose by screening against government watchlists (like global Politically Exposed Person (PEP), Special Interest Person/Entity(SIP/SIE), Relatives and Close Associates (RCA), and terrorist lists) and reviewing past transactions, credit history, and geographic location. Additional documents are required for business customers, such as executive bios and annual reports, to understand their activity and potential future actions.
- Enhanced due diligence (EDD)
If CDD identifies potential risks based on factors like location, transactions, business nature, or political exposure, EDD is conducted. This involves gathering more documentation, investigating fund origins, monitoring transactions, and conducting on-site visits to understand the customer's profile thoroughly.
- Ongoing monitoring
As customers' businesses evolve, regular monitoring is essential to detect any suspicious activity or changes in risk profiles. This includes analyzing new partnerships, business ventures, supplier relationships, media coverage, and leadership changes using analytics tools to flag potential issues for review by risk management teams.
The collection of personal information raises questions about data security and privacy. Read here to learn how to comply with CCPA and GDPR, and deal with privacy challenges.
What problems does KYC solve for the crypto industry?
Beyond just meeting the Bank Secrecy Act requirements, KYC plays a critical role in keeping the crypto industry safe and reliable by tackling various important challenges.
Global compliance
Rules for cryptocurrency trading and investment vary widely from country to country, making compliance a tricky task. KYC processes help crypto platforms verify user location and identity, allowing them to tailor their services to meet local regulations. This prevents accidental breaches of foreign laws while ensuring compliance in permitted operating regions.
Defending against scams
Scams involve fraudsters manipulating victims into revealing personal information, often leading to account takeovers or fund transfers using cryptocurrencies that are hard to trace. KYC can limit malicious actors' ability to exploit crypto platforms. Platforms with robust KYC measures can trace fraudulent transactions back to scammers, increasing the chances of catching them in the act.
Addressing identity theft and synthetic ID fraud
Identity theft using stolen IDs from the dark web is prevalent in the crypto industry. The FTC received 5.7 million total fraud and identity theft reports, 1.4 million of which were identity theft cases in 2023. Synthetic identity theft, where fraudsters use a mix of real and fake information to create fraudulent identities, is also on the rise. Crypto platforms are prime targets for identity theft fraud due to irreversible transactions. An effective KYC process will help to overcome such risk.
In April 2024, Shakeeb Ahmed — an ex-Amazon security engineer who admitted to stealing over $12.3M from two cryptocurrency exchanges using exploits — was sentenced to three years in prison. He attacked two decentralized cryptocurrency exchanges. In the first case, he used fake pricing data to generate approximately $9 million worth of inflated fees, then withdrew those fees in the form of cryptocurrency. In the second case, he exploited the smart contract vulnerabilities within the cryptocurrency exchange, Nirvana, to buy cryptocurrency at prices below the intended rates, which he promptly resold back to Nirvana at inflated prices. The $3.6 million, which was fraudulently acquired by Ahmed, constituted all of Nirvana's holdings, leading to its closure shortly after the attack.
To obscure the origin and ownership of the stolen funds, Ahmed engaged in extensive laundering techniques. These included executing token-swap transactions, transferring fraud proceeds from the Solana blockchain to Ethereum through deceptive means, converting fraud earnings into Monero, a highly anonymous cryptocurrency, utilizing foreign-based cryptocurrency exchanges, and leveraging cryptocurrency mixers like Samourai Whirlpool.
This case once again reminds us how important AML/KYC Compliance is for crypto companies.
What are the consequences of KYC non-compliance?
Failure to comply with AML/KYC requirements for the cryptocurrency field can lead to significant financial losses and, in certain instances, compel companies to halt their operations.
For example, in 2023 the founder of the cryptocurrency exchange platform Bitzlato, Anatoliy Legkodymov, admitted guilt in transferring and laundering criminal funds. The prosecutor's office noted that Bitzlato promoted itself as an exchange with minimal user identification and allowed accounts to be registered under "dummy persons." The prosecution added that the team was aware of criminals using their service. As part of the plea deal, Legkodymov agreed to shut down Bitzlato and relinquish any claims to approximately $23 million associated with the exchange's seized assets.
By 2023, the cryptocurrency industry surged to the top position of fines, facing fines exceeding $5.8 billion for inadequate AML programs. For example, Binance pleaded guilty to anti-money laundering and agreed to pay more than $4 billion in settlements with several U.S. law enforcement agencies.
Just in March, U.S. federal prosecutors charged crypto exchange KuCoin with violating anti-money laundering laws. KuCoin ran its money-transmitting business serving more than 30 million customers without implementing a KYC or anti-money laundering AML program until 2023. Even after implementing KYC in 2023, it did not apply to existing customers.
In 2025 cryptocurrency exchange BitMEX was fined $100 million after the U.S. Commodity Futures Trading Commission (CFTC) and the Financial Crimes Enforcement Network (FinCEN) discovered significant deficiencies in its anti-money laundering (AML) and know-your-customer (KYC) practices. The company's failure to implement an effective AML/KYC program meant it allowed customers to trade anonymously, without verifying their identities or assessing potential risks associated with the funds being transferred on its platform.
Potential consequences of non-compliance in the cryptocurrency industry include:
- Fines. Businesses found guilty of AML/KYC violations may be subject to significant monetary fines imposed by regulatory authorities. Depending on the severity of the violations, these fines can range from thousands to millions of dollars.
- License suspension or revocation. Regulatory bodies have the authority to suspend or revoke the operating licenses of crypto businesses that do not comply with regulations. This action can effectively halt their operations and lead to severe reputational damage.
- Criminal prosecution. In serious cases of non-compliance, individuals associated with the business may face criminal charges.
- Asset confiscation. Authorities have the power to seize assets or funds involved in suspicious or illicit transactions linked to non-compliant businesses. This can further impact the financial stability of the business and its stakeholders.
Regulatory agencies worldwide have ramped up their enforcement actions, prioritizing investor protection and maintaining market integrity as key objectives. 2024 must be the year of deep AML/KYC measures implementation to avoid potential non-compliance risks, monetary losses, and reputational damage.
